509 research outputs found
Zero-Knowledge Proof-of-Identity: Sybil-Resistant, Anonymous Authentication on Permissionless Blockchains and Incentive Compatible, Strictly Dominant Cryptocurrencies
Zero-Knowledge Proof-of-Identity from trusted public certificates (e.g.,
national identity cards and/or ePassports; eSIM) is introduced here to
permissionless blockchains in order to remove the inefficiencies of
Sybil-resistant mechanisms such as Proof-of-Work (i.e., high energy and
environmental costs) and Proof-of-Stake (i.e., capital hoarding and lower
transaction volume). The proposed solution effectively limits the number of
mining nodes a single individual would be able to run while keeping membership
open to everyone, circumventing the impossibility of full decentralization and
the blockchain scalability trilemma when instantiated on a blockchain with a
consensus protocol based on the cryptographic random selection of nodes.
Resistance to collusion is also considered.
Solving one of the most pressing problems in blockchains, a zk-PoI
cryptocurrency is proved to have the following advantageous properties:
- an incentive-compatible protocol for the issuing of cryptocurrency rewards
based on a unique Nash equilibrium
- strict domination of mining over all other PoW/PoS cryptocurrencies, thus
the zk-PoI cryptocurrency becoming the preferred choice by miners is proved to
be a Nash equilibrium and the Evolutionarily Stable Strategy
- PoW/PoS cryptocurrencies are condemned to pay the Price of Crypto-Anarchy,
redeemed by the optimal efficiency of zk-PoI as it implements the social
optimum
- the circulation of a zk-PoI cryptocurrency Pareto dominates other PoW/PoS
cryptocurrencies
- the network effects arising from the social networks inherent to national
identity cards and ePassports dominate PoW/PoS cryptocurrencies
- the lower costs of its infrastructure imply the existence of a unique
equilibrium where it dominates other forms of paymentComment: 2.1: Proof-of-Personhood Considered Harmful (and Illegal); 4.1.5:
Absence of Active Authentication; 4.2.6: Absence of Active Authentication;
4.2.7: Removing Single-Points of Failure; 4.3.2: Combining with
Non-Zero-Knowledge Authentication; 4.4: Circumventing the Impossibility of
Full Decentralizatio
On Constructing Persistent Identifiers with Persistent Resolution Targets
Persistent Identifiers (PID) are the foundation referencing digital assets in
scientific publications, books, and digital repositories. In its realization,
PIDs contain metadata and resolving targets in form of URLs that point to data
sets located on the network. In contrast to PIDs, the target URLs are typically
changing over time; thus, PIDs need continuous maintenance -- an effort that is
increasing tremendously with the advancement of e-Science and the advent of the
Internet-of-Things (IoT). Nowadays, billions of sensors and data sets are
subject of PID assignment. This paper presents a new approach of embedding
location independent targets into PIDs that allows the creation of
maintenance-free PIDs using content-centric network technology and overlay
networks. For proving the validity of the presented approach, the Handle PID
System is used in conjunction with Magnet Link access information encoding,
state-of-the-art decentralized data distribution with BitTorrent, and Named
Data Networking (NDN) as location-independent data access technology for
networks. Contrasting existing approaches, no green-field implementation of PID
or major modifications of the Handle System is required to enable
location-independent data dissemination with maintenance-free PIDs.Comment: Published IEEE paper of the FedCSIS 2016 (SoFAST-WS'16) conference,
11.-14. September 2016, Gdansk, Poland. Also available online:
http://ieeexplore.ieee.org/document/7733372
A trust-driven privacy architecture for vehicular ad-hoc networks
Vehicular Ad-Hoc NETworks (VANETs) are an emerging technology which aims to improve road safety by preventing and reducing traffic accidents. While VANETs offer a great variety of promising applications, such as, safety-related and infotainment applications, they remain a number of security and privacy related research challenges that must be addressed.
A common approach to security issues widely adopted in VANETs is the use of Public Key Infrastructures (PKI) and digital certificates in order to enable authentication, authorization and confidentiality. These approaches usually rely on a large set of regional Certification Authorities (CAs). Despite the advantages of PKI-based approaches, there are two main problems that arise, i) the secure interoperability among the different and usually unknown- issuing CAs, and ii) the sole use of PKI in a VANET environment cannot prevent privacy related attacks, such as, linking a vehicle with an identifier, tracking vehicles Âżbig brother scenario" and user profiling. Additionally, since vehicles in VANETs will be able to store great amounts of information including private information, unauthorized access to such information should be carefully considered. This thesis addresses authentication and interoperability issues in vehicular communications, considering an inter-regional scenario where mutual authentication between nodes is needed. To provide interoperability between vehicles and services among different domains, an Inter-domain Authentication System (AS) is proposed. The AS supplies vehicles with a trusted set of authentication credentials by implementing a near real-time certificate status service. The proposed AS also implements a mechanism to quantitatively evaluate the trust level of a CA, in order to decide on-the-y if an interoperability relationship can be created. This research work also contributes with a Privacy Enhancing Model (PEM) to deal with important privacy issues in VANETs. The PEM consists of two PKI-based privacy protocols: i) the Attribute-Based Privacy (ABP) protocol, and ii) the Anonymous Information Retrieval (AIR) protocol. The ABP introduces Attribute-Based Credentials (ABC) to provide conditional anonymity and minimal information disclosure, which overcome with the privacy issues related to linkability (linking a vehicle with an identifier) and vehicle tracking (big brother scenario). The AIR protocol addresses user profiling when querying Service Providers (SPs), by relying in a user collaboration privacy protocol based on query forgery and permutation; and assuming that neither participant nodes nor SPs could be completely trusted.
Finally, the Trust Validation Model (TVM) is proposed. The TVM supports decision making by evaluating entities trust based on context information, in order to provide i) access control to driver and vehicle's private information, and ii) public information trust validation
Towards data grids for microarray expression profiles
The UK DTI funded Biomedical Research Informatics Delivered by Grid Enabled Services (BRIDGES) project developed a Grid infrastructure through which research into the genetic causes of hypertension could be supported by scientists within the large Wellcome Trust funded Cardiovascular Functional Genomics project. The BRIDGES project had a focus on developing a compute Grid and a data Grid infrastructure with security at its heart. Building on the work within BRIDGES, the BBSRC funded Grid enabled Microarray Expression Profile Search (GEMEPS) project plans to provide an enhanced data Grid infrastructure to support richer queries needed for the discovery and analysis of microarray data sets, also based upon a fine-grained security infrastructure. This paper outlines the experiences gained within BRIDGES and outlines the status of the GEMEPS project, the open challenges that remain and plans for the future
A study of the security implications involved with the use of executable World Wide Web content
Malicious executable code is nothing new. While many consider that the concept of malicious code began in the 1980s when the first PC viruses began to emerge, the concept does in fact date back even earlier. Throughout the history of malicious code, methods of hostile code delivery have mirrored prevailing patterns of code distribution. In the 1980s, file infecting and boot sector viruses were common, mirroring the fact that during this time, executable code was commonly transferred via floppy disks. Since the 1990s email has been a major vector for malicious code attacks. Again, this mirrors the fact that during this period of time email has been a common means of sharing code and documents. This thesis examines another model of executable code distribution. It considers the security risks involved with the use of executable code embedded or attached to World Wide Web pages. In particular, two technologies are examined. Sun Microsystems\u27 Java Programming Language and Microsoft\u27s ActiveX Control Architecture are both technologies that can be used to connect executable program code to World Wide Web pages. This thesis examines the architectures on which these technologies are based, as well as the security and trust models that they implement. In doing so, this thesis aims to assess the level of risk posed by such technologies and to highlight similar risks that might occur with similar future technologies. ()
Security Framework for the Web of IoT Platforms
Connected devices of IoT platforms are known to produce, process and exchange vast amounts of data, most of it sensitive or personal, that need to be protected. However, achieving minimal data protection requirements such as confidentiality, integrity, availability and non-repudiation in IoT platforms is a non-trivial issue. For one reason, the trillions of interacting devices provide larger attack surfaces. Secondly, high levels of personal and private data sharing in this ubiquitous and heterogeneous environment require more stringent protection. Additionally, whilst interoperability fuels innovation through cross-platform data flow, data ownership is a concern. This calls for categorizing data and providing different levels of access control to users known as global and local scopes. These issues present new and unique security considerations in IoT products and services that need to be addressed to enable wide adoption of the IoT paradigm.
This thesis presents a security and privacy framework for the Web of IoT platforms that addresses end-to-end security and privacy needs of the platforms. It categorizes platformsâ resources into different levels of security requirements and provides appropriate access control mechanisms
Pseudonymization and its Application to Cloud-based eHealth Systems
Responding to the security and privacy issues of information systems, we propose a novel pseudonym solution. This pseudonym solution has provable security to protect the identities of users by employing user-generated pseudonyms. It also provides an encryption scheme to protect the security of the usersâ data stored in the public network. Moreover, the pseudonym solution also provides the authentication of pseudonyms without disclosing the usersâ identity information. Thus the dependences on powerful trusted third parties and on the trustworthiness of system administrators may be appreciably alleviated. Electronic healthcare systems (eHealth systems), as one kind of everyday information system, with the ability to store and share patientsâ health data efficiently, have to manage in-formation of an extremely personal nature. As a consequence of known cases of abuse and attacks, the security of the health data and the privacy of patients are a great concern for many people and thus becoming obstacles to the acceptance and spread of eHealth systems. In this thesis, we survey current eHealth systems in both research and practice, analyzing potential threats to the security and privacy. Cloud-based eHealth systems, in particular, enable applications with many new features in data storing and sharing. We analyze the new issues on security and privacy when cloud technology is introduced into eHealth systems. We demonstrate that our proposed pseudonym solution can be successfully applied to cloud-based eHealth systems. Firstly, we utilize the pseudonym scheme and encryption scheme for storing and retrieving the electronic health records (EHR) in the cloud. The identities of patients and the confidentiality of EHR contents are provably guaranteed by advanced cryptographic algorithms. Secondly, we utilize the pseudonym solution to protect the privacy of patients from the health insurance companies. Only necessary information about patients is disclosed to the health insurance companies, without interrupting the cur-rent normal business processes of health insurance. At last, based on the pseudonym solution, we propose a new procedure for the secondary use of the health data. The new procedure protects the privacy of patients properly and enables patientsâ full control and clear consent over their health data to be secondarily used. A prototypical application of a cloud-based eHealth system implementing our proposed solution is presented in order to exhibit the practicability of the solution and to provide intuitive experiences. Some performance estimations of the proposed solution based on the implementation are also provided.Um gewisse Sicherheits- und Datenschutzdefizite heutiger Informationssysteme zu beheben, stellen wir eine neuartige Pseudonymisierungslösung vor, die benutzergenerierte Pseudonyme verwendet und die IdentitĂ€ten der Pseudonyminhaber nachweisbar wirksam schĂŒtzt. Sie beinhaltet neben der Pseudonymisierung auch ein VerschlĂŒsselungsverfahren fĂŒr den Schutz der Vertraulichkeit der Benutzerdaten, wenn diese öffentlich gespeichert werden. Weiterhin bietet sie ein Verfahren zur Authentisierung von Pseudonymen, das ohne die Offenbarung von BenutzeridentitĂ€ten auskommt. Dadurch können AbhĂ€ngigkeiten von vertrauenswĂŒrdigen dritten Stellen (trusted third parties) oder von vertrauenswĂŒrdigen Systemadministratoren deutlich verringert werden. Elektronische Gesundheitssysteme (eHealth-Systeme) sind darauf ausgelegt, Patientendaten effizient zu speichern und bereitzustellen. Solche Daten haben ein extrem hohes SchutzbedĂŒrfnis, und bekannte FĂ€lle von Angriffen auf die Vertraulichkeit der Daten durch Privilegienmissbrauch und externe Attacken haben dazu gefĂŒhrt, dass die Sorge um den Schutz von Gesundheitsdaten und PatientenidentitĂ€ten zu einem groĂen Hindernis fĂŒr die Verbreitung und Akzeptanz von eHealth-Systemen geworden ist. In dieser Dissertation betrachten wir gegenwĂ€rtige eHealth-Systeme in Forschung und Praxis hinsichtlich möglicher Bedrohungen fĂŒr Sicherheit und Vertraulichkeit der gespeicherten Daten. Besondere Beachtung finden cloudbasierte eHealth-Systeme, die Anwendungen mit neuartigen Konzepten zur Datenspeicherung und -bereitstellung ermöglichen. Wir analysieren Sicherheits- und Vertraulichkeitsproblematiken, die sich beim Einsatz von Cloud-Technologie in eHealth-Systemen ergeben. Wir zeigen, dass unsere Pseudonymisierungslösung erfolgreich auf cloudbasierte eHealth-Systeme angewendet werden kann. Dabei werden zunĂ€chst das Pseudonymisierungs- und das VerschlĂŒsselungsverfahren bei der Speicherung und beim Abruf von elektronischen GesundheitsdatensĂ€tzen (electronic health records, EHR) in der Cloud eingesetzt. Die Vertraulichkeit von PatientenidentitĂ€ten und EHR-Inhalten werden dabei durch den Einsatz moderner kryptografischer Algorithmen nachweisbar garantiert. Weiterhin setzen wir die Pseudonymisierungslösung zum Schutz der PrivatsphĂ€re der Patienten gegenĂŒber Krankenversicherungsunternehmen ein. Letzteren werden lediglich genau diejenigen Patienteninformationen offenbart, die fĂŒr den störungsfreien Ablauf ihrer GeschĂ€ftsprozesse nötig sind. SchlieĂen schlagen wir eine neuartige Vorgehensweise fĂŒr die Zweitverwertung der im eHealth-System gespeicherten Daten vor, die die Pseudonymisierungslösung verwendet. Diese Vorgehensweise bietet den Patienten angemessenen Schutz fĂŒr ihre PrivatsphĂ€re und volle Kontrolle darĂŒber, welche Daten fĂŒr eine Zweitverwertung (z.B. fĂŒr Forschungszwecke) freigegeben werden. Es wird ein prototypisches, cloudbasiertes eHealth-System vorgestellt, das die Pseudonymisierungslösung implementiert, um deren PraktikabilitĂ€t zu demonstrieren und intuitive Erfahrungen zu vermitteln. Weiterhin werden, basierend auf der Implementierung, einige AbschĂ€tzungen der Performanz der Pseudonymisierungslösung angegeben
Secure Connectivity With Persistent Identities
In the current Internet the Internet Protocol address is burdened with two roles. It serves as the identifier and the locator for the host. As the host moves its identity changes with its locator. The research community thinks that the Future Internet will include identifier-locator split in some form. Identifier-locator split is seen as the solution to multiple problems. However, identifier-locator split introduces multiple new problems to the Internet.
In this dissertation we concentrate on: the feasibility of using identifier-locator split with legacy applications, securing the resolution steps, using the persistent identity for access control, improving mobility in environments using multiple address families and so improving the disruption tolerance for connectivity.
The proposed methods achieve theoretical and practical improvements over the earlier state of the art. To raise the overall awareness, our results have been published in interdisciplinary forums.NykypÀivÀn InternetissÀ IP-osoite on kuormitettu kahdella eri roolilla. IP toimii pÀÀtelaitteen osoitteena, mutta myös usein sen identiteetinÀ. TÀllöin laitteen identiteetti muuttuu laitteen liikkuessa, koska laitteen osoite vaihtuu. Tutkimusyhteisön mielestÀ paikan ja identiteetin erottaminen on vÀlttÀmÀtöntÀ tulevaisuuden InternetissÀ. Paikan ja identiteetin erottaminen tuo kuitenkin esiin joukon uusia ongelmia.
TÀssÀ vÀitöskirjassa keskitytÀÀn selvittÀmÀÀn paikan ja identiteetin erottamisen vaikutusta olemassa oleviin verkkoa kÀyttÀviin sovelluksiin, turvaamaan nimien muuntaminen osoitteiksi, helpottamaan pitkÀikÀisten identiteettien kÀyttöÀ pÀÀsyvalvonnassa ja parantamaan yhteyksien mahdollisuuksia selviytyÀ liikkumisesta usean osoiteperheen ympÀristöissÀ.
VÀitöskirjassa ehdotetut menetelmÀt saavuttavat sekÀ teoreettisia ettÀ kÀytÀnnön etuja verrattuna aiempiin kirjallisuudessa esitettyihin menetelmiin. Saavutetut tulokset on julkaistu eri osa-alojen foorumeilla
- âŠ