ViotSOC: Controlling Access to Dynamically Virtualized IoT Services using Service Object Capability

Virtualization of Internet of Things(IoT) is a concept of dynamically building customized high-level IoT services which rely on the real time data streams from low-level physical IoT sensors. Security in IoT virtualization is challenging, because with the growing number of available (building block) services, the number of personalizable virtual services grows exponentially. This paper proposes Service Object Capability(SOC) ticket system, a decentralized access control mechanism between servers and clients to effi- ciently authenticate and authorize each other without using public key cryptography. SOC supports decentralized partial delegation of capabilities specified in each server/- client ticket. Unlike PKI certificates, SOC’s authentication time and handshake packet overhead stays constant regardless of each capability’s delegation hop distance from the root delegator. The paper compares SOC’s security bene- fits with Kerberos and the experimental results show SOC’s authentication incurs significantly less time packet overhead compared against those from other mechanisms based on RSA-PKI and ECC-PKI algorithms. SOC is as secure as, and more efficient and suitable for IoT environments, than existing PKIs and Kerberos

Assessment of attribute-based credentials for privacy-preserving road traffic services in smart cities

Smart cities involve the provision of advanced services for road traffic users. Vehicular ad hoc networks (VANETs) are a promising communication technology in this regard. Preservation of privacy is crucial in these services to foster their acceptance. Previous approaches have mainly focused on PKI-based or ID-based cryptography. However, these works have not fully addressed the minimum information disclosure principle. Thus, questions such as how to prove that a driver is a neighbour of a given zone, without actually disclosing his identity or real address, remain unaddressed. A set of techniques, referred to as Attribute-Based Credentials (ABCs), have been proposed to address this need in traditional computation scenarios. In this paper, we explore the use of ABCs in the vehicular context. For this purpose, we focus on a set of use cases from European Telecommunications Standards Institute (ETSI) Basic Set of Applications, specially appropriate for the early development of smart cities. We assess which ABC techniques are suitable for this scenario, focusing on three representative ones—Idemix, U-Prove and VANET-updated Persiano systems. Our experimental results show that they are feasible in VANETs considering state-of-the-art technologies, and that Idemix is the most promising technique for most of the considered use cases.This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You); the CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks) and by the MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV - Security mechanisms for fog computing: advanced security for devices). Jose Maria de Fuentes and Lorena Gonzalez were also supported by the Programa de Ayudas para la Movilidad of Carlos III University of Madrid

Improving privacy in identity management systems for health care scenarios

Privacy is a very complex and subjective concept with different meaning to different people. The meaning depends on the context. Moreover, privacy is close to the user information and thus, present in any ubiquitous computing scenario. In the context of identity management (IdM), privacy is gaining more importance since IdM systems deal with services that requires sharing attributes belonging to users’ identity with different entities across domains. Consequently, privacy is a fundamental aspect to be addressed by IdM to protect the exchange of user attributes between services and identity providers across different networks and security domains in pervasive computing. However, problems such as the effective revocation consent, have not been fully addressed. Furthermore, privacy depends heavily on users and applications requiring some degree of flexibility. This paper analyzes the main current identity models, as well as the privacy support presented by the identity management frameworks. After the main limitations are identified, we propose a delegation protocol for the SAML standard in order to enhance the revocation consent within healthcare scenarios.Proyecto CCG10-UC3M/TIC-4992 de la Comunidad Autónoma de Madrid y la Universidad Carlos III de Madri

Spartan Daily, April 8, 1983

Volume 80, Issue 42https://scholarworks.sjsu.edu/spartandaily/7024/thumbnail.jp

Protection of Information and Communications in Distributed Systems and Microservices

Distributed systems have been a topic of discussion since the 1980s, but the adoption of microservices has raised number of system components considerably. With more decentralised distributed systems, new ways to handle authentication, authorisation and accounting (AAA) are needed, as well as ways to allow components to communicate between themselves securely. New standards and technologies have been created to deal with these new requirements and many of them have already found their way to most used systems and services globally. After covering AAA and separate access control models, we continue with ways to secure communications between two connecting parties, using Transport Layer Security (TLS) and other more specialised methods such as the Google-originated Secure Production Identity Framework for Everyone (SPIFFE). We also discuss X.509 certificates for ensuring identities. Next, both older time- tested and newer distributed AAA technologies are presented. After this, we are looking into communication between distributed components with both synchronous and asynchronous communication mechanisms, as well as into the publish/subscribe communication model popular with the rise of the streaming platform. This thesis also explores possibilities in securing communications between distributed endpoints and ways to handle AAA in a distributed context. This is showcased in a new software component that handles authentication through a separate identity endpoint using the OpenID Connect authentication protocol and stores identity in a Javascript object-notation formatted and cryptographically signed JSON Web Token, allowing stateless session handling as the token can be validated by checking its signature. This enables fast and scalable session management and identity handling for any distributed system

HUC-HISF: A Hybrid Intelligent Security Framework for Human-centric Ubiquitous Computing

制度:新 ; 報告番号:乙2336号 ; 学位の種類:博士(人間科学) ; 授与年月日:2012/1/18 ; 早大学位記番号:新584

Foundations of secure computation

Issued as Workshop proceedings and Final report, Project no. G-36-61

An Event Driven Hybrid Identity Management Approach to Privacy Enhanced e-Health

Credential-based authorization offers interesting advantages for ubiquitous scenarios involving limited devices such as sensors and personal mobile equipment: the verification can be done locally; it offers a more reduced computational cost than its competitors for issuing, storing, and verification; and it naturally supports rights delegation. The main drawback is the revocation of rights. Revocation requires handling potentially large revocation lists, or using protocols to check the revocation status, bringing extra communication costs not acceptable for sensors and other limited devices. Moreover, the effective revocation consent—considered as a privacy rule in sensitive scenarios—has not been fully addressed.This paper proposes an event-based mechanism empowering a new concept, the sleepyhead credentials, which allows to substitute time constraints and explicit revocation by activating and deactivating authorization rights according to events. Our approach is to integrate this concept in IdM systems in a hybrid model supporting delegation, which can be an interesting alternative for scenarios where revocation of consent and user privacy are critical. The delegation includes a SAML compliant protocol, which we have validated through a proof-of-concept implementation. This article also explains the mathematical model describing the event-based model and offers estimations of the overhead introduced by the system. The paper focus on health care scenarios, where we show the flexibility of the proposed event-based user consent revocation mechanism.This work was partially founded by the Spanish Ministry of Science and Innovation under the project TEC2010-20572-C02-01 (CONSEQUENCE) and by the State of Madrid (Spain) under the contract number S2009/TIC-1650 (e-Madrid). Moreover, the authors would like to thank to the anonymous referees for comments and recommendations for the paper improvement