551 research outputs found
Privacy-preserving PKI design based on group signature
Nowadays, Internet becomes a part of our life. We can make use of numerous services with personal computer, Lap-top, tablet, smart phone or smart TV. These devices with network make us enjoy ubiquitous computing life. Sometimes, on-line services request us authentication or identification for access control and authorization, and PKI technology is widely used because of its security. However the possibility of privacy invasion will increase, if We’re identified with same certificate in many services and these identification data are accumulated. For privacy-preserving authentication or anonymous authentication, there have been many researches such as Group signatures, anonymous credentials, etc. Among these researches, group signatures are very practical Because they provide unlinkability and traceability as well as anonymity. In this paper, we propose a privacy-preserving PKI based on group signature, with which users’ privacy can be Kept in services. Because of traceability, their identities can be traced if they abuse anonymity such as cybercrime. Moreover, we will also discuss open issues for further studies
Secure Identification in Social Wireless Networks
The applications based on social networking have brought revolution towards social life and are continuously gaining popularity among the Internet users. Due to the advanced computational resources offered by the innovative hardware and nominal subscriber charges of network operators, most of the online social networks are transforming into the mobile domain by offering exciting applications and games exclusively designed for users on the go. Moreover, the mobile devices are considered more personal as compared to their desktop rivals, so there is a tendency among the mobile users to store sensitive data like contacts, passwords, bank account details, updated calendar entries with key dates and personal notes on their devices.
The Project Social Wireless Network Secure Identification (SWIN) is carried out at Swedish Institute of Computer Science (SICS) to explore the practicality of providing the secure mobile social networking portal with advanced security features to tackle potential security threats by extending the existing methods with more innovative security technologies. In addition to the extensive background study and the determination of marketable use-cases with their corresponding security requirements, this thesis proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have implemented an initial prototype using PHP Socket and OpenSSL library to simulate the secure identification procedure based on the proposed design. The design is in compliance with 3GPP‟s Generic Authentication Architecture (GAA) and our implementation has demonstrated the flexibility of the solution to be applied independently for the applications requiring secure identification. Finally, the thesis provides strong foundation for the advanced implementation on mobile platform in future
Formal security analysis of registration protocols for interactive systems: a methodology and a case of study
In this work we present and formally analyze CHAT-SRP (CHAos based
Tickets-Secure Registration Protocol), a protocol to provide interactive and
collaborative platforms with a cryptographically robust solution to classical
security issues. Namely, we focus on the secrecy and authenticity properties
while keeping a high usability. In this sense, users are forced to blindly
trust the system administrators and developers. Moreover, as far as we know,
the use of formal methodologies for the verification of security properties of
communication protocols isn't yet a common practice. We propose here a
methodology to fill this gap, i.e., to analyse both the security of the
proposed protocol and the pertinence of the underlying premises. In this
concern, we propose the definition and formal evaluation of a protocol for the
distribution of digital identities. Once distributed, these identities can be
used to verify integrity and source of information. We base our security
analysis on tools for automatic verification of security protocols widely
accepted by the scientific community, and on the principles they are based
upon. In addition, it is assumed perfect cryptographic primitives in order to
focus the analysis on the exchange of protocol messages. The main property of
our protocol is the incorporation of tickets, created using digests of chaos
based nonces (numbers used only once) and users' personal data. Combined with a
multichannel authentication scheme with some previous knowledge, these tickets
provide security during the whole protocol by univocally linking each
registering user with a single request. [..]Comment: 32 pages, 7 figures, 8 listings, 1 tabl
Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management
With the growing amount of personal information exchanged over the Internet,
privacy is becoming more and more a concern for users. One of the key
principles in protecting privacy is data minimisation. This principle requires
that only the minimum amount of information necessary to accomplish a certain
goal is collected and processed. "Privacy-enhancing" communication protocols
have been proposed to guarantee data minimisation in a wide range of
applications. However, currently there is no satisfactory way to assess and
compare the privacy they offer in a precise way: existing analyses are either
too informal and high-level, or specific for one particular system. In this
work, we propose a general formal framework to analyse and compare
communication protocols with respect to privacy by data minimisation. Privacy
requirements are formalised independent of a particular protocol in terms of
the knowledge of (coalitions of) actors in a three-layer model of personal
information. These requirements are then verified automatically for particular
protocols by computing this knowledge from a description of their
communication. We validate our framework in an identity management (IdM) case
study. As IdM systems are used more and more to satisfy the increasing need for
reliable on-line identification and authentication, privacy is becoming an
increasingly critical issue. We use our framework to analyse and compare four
identity management systems. Finally, we discuss the completeness and
(re)usability of the proposed framework
Identidade digital federada globaliD
Mestrado em Engenharia de Computadores e TelemáticaO presente texto propõe uma solução para a gestão de identidade digital
online tendo em conta a versatilidade, o anonimato, a privacidade, a
veracidade, a credibilidade e a responsabilidade do utilizador, recorrendo para
isso ao uso do Cartão de Cidadão Electrónico Nacional Português e a outros
meios de autenticação públicos usados diariamente pelos utilizadores. A
dissertação é composta pela apresentação do conceito de identidade e das
suas particularidades, por uma análise aos vários problemas da gestão da
informação pessoal online, uma análise aos vários modelos, mecanismos e
especificações existentes para gerir a identidade digital online (gestão de
identidade digital). Uma solução de gestão de identidade digital baseada no
modelo de identidade federada e associada ao Cartão do Cidadão Electrónico
Nacional Português é apresentada, descrita, analisada, avaliada e comparada
com outras soluções existentes.
Por fim um protótipo de um provedor de identidades digitais federadas
baseado na solução de gestão de identidade digital proposta é apresentado.The following text provides a solution for the digital identity management on the
Web regarding the users’ versatility, anonymity, privacy, veracity,
trustworthiness and accountability by using the Portuguese National Electronic
Citizen Identity Card and other publicly available authentication mechanisms
users use daily. The dissertation consists of the presentation of the concept of
identity and its particularities, an analysis to the several problems of managing
personal information online, and an analysis to the several existing models,
mechanisms and specifications for the management of the digital identity online
(digital identity management). A solution for digital identity management based
on the federated identity model and associated to the Portuguese National
Electronic Citizen Identity Card is introduced, described, analyzed, evaluated
and compared to other several existing solutions. Last, a prototype of a
federated digital identity provider based on the purposed solution for digital
identity management is presented
Contributions to the privacy provisioning for federated identity management platforms
Identity information, personal data and user’s profiles are key assets for organizations
and companies by becoming the use of identity management (IdM) infrastructures a prerequisite
for most companies, since IdM systems allow them to perform their business
transactions by sharing information and customizing services for several purposes in more
efficient and effective ways.
Due to the importance of the identity management paradigm, a lot of work has been done
so far resulting in a set of standards and specifications. According to them, under the
umbrella of the IdM paradigm a person’s digital identity can be shared, linked and reused
across different domains by allowing users simple session management, etc. In this way,
users’ information is widely collected and distributed to offer new added value services
and to enhance availability. Whereas these new services have a positive impact on users’
life, they also bring privacy problems.
To manage users’ personal data, while protecting their privacy, IdM systems are the ideal
target where to deploy privacy solutions, since they handle users’ attribute exchange.
Nevertheless, current IdM models and specifications do not sufficiently address comprehensive
privacy mechanisms or guidelines, which enable users to better control over the
use, divulging and revocation of their online identities. These are essential aspects, specially
in sensitive environments where incorrect and unsecured management of user’s data
may lead to attacks, privacy breaches, identity misuse or frauds.
Nowadays there are several approaches to IdM that have benefits and shortcomings, from
the privacy perspective.
In this thesis, the main goal is contributing to the privacy provisioning for federated
identity management platforms. And for this purpose, we propose a generic architecture
that extends current federation IdM systems. We have mainly focused our contributions
on health care environments, given their particularly sensitive nature. The two main
pillars of the proposed architecture, are the introduction of a selective privacy-enhanced
user profile management model and flexibility in revocation consent by incorporating an
event-based hybrid IdM approach, which enables to replace time constraints and explicit
revocation by activating and deactivating authorization rights according to events. The
combination of both models enables to deal with both online and offline scenarios, as well
as to empower the user role, by letting her to bring together identity information from
different sources.
Regarding user’s consent revocation, we propose an implicit revocation consent mechanism
based on events, that empowers a new concept, the sleepyhead credentials, which
is issued only once and would be used any time. Moreover, we integrate this concept
in IdM systems supporting a delegation protocol and we contribute with the definition
of mathematical model to determine event arrivals to the IdM system and how they are
managed to the corresponding entities, as well as its integration with the most widely
deployed specification, i.e., Security Assertion Markup Language (SAML).
In regard to user profile management, we define a privacy-awareness user profile management
model to provide efficient selective information disclosure. With this contribution a
service provider would be able to accesses the specific personal information without being
able to inspect any other details and keeping user control of her data by controlling
who can access. The structure that we consider for the user profile storage is based on
extensions of Merkle trees allowing for hash combining that would minimize the need of
individual verification of elements along a path. An algorithm for sorting the tree as we
envision frequently accessed attributes to be closer to the root (minimizing the access’
time) is also provided.
Formal validation of the above mentioned ideas has been carried out through simulations
and the development of prototypes. Besides, dissemination activities were performed in
projects, journals and conferences.Programa Oficial de Doctorado en Ingeniería TelemáticaPresidente: María Celeste Campo Vázquez.- Secretario: María Francisca Hinarejos Campos.- Vocal: Óscar Esparza Martí
- …