
    Contributions to the privacy provisioning for federated identity management platforms

    Identity information, personal data and user profiles are key assets for organizations and companies, making the use of identity management (IdM) infrastructures a prerequisite for most companies, since IdM systems allow them to perform their business transactions by sharing information and customizing services for several purposes in more efficient and effective ways. Due to the importance of the identity management paradigm, a lot of work has been done so far, resulting in a set of standards and specifications. According to them, under the umbrella of the IdM paradigm a person’s digital identity can be shared, linked and reused across different domains, allowing users simple session management, etc. In this way, users’ information is widely collected and distributed to offer new added-value services and to enhance availability. Whereas these new services have a positive impact on users’ lives, they also bring privacy problems. To manage users’ personal data while protecting their privacy, IdM systems are the ideal place to deploy privacy solutions, since they handle the exchange of users’ attributes. Nevertheless, current IdM models and specifications do not sufficiently address comprehensive privacy mechanisms or guidelines that give users better control over the use, disclosure and revocation of their online identities. These are essential aspects, especially in sensitive environments where incorrect and insecure management of users’ data may lead to attacks, privacy breaches, identity misuse or fraud. Nowadays there are several approaches to IdM, each with benefits and shortcomings from the privacy perspective. The main goal of this thesis is to contribute to privacy provisioning for federated identity management platforms. For this purpose, we propose a generic architecture that extends current federated IdM systems. We have mainly focused our contributions on health care environments, given their particularly sensitive nature.
    The two main pillars of the proposed architecture are the introduction of a selective privacy-enhanced user profile management model and flexibility in consent revocation, achieved by incorporating an event-based hybrid IdM approach that makes it possible to replace time constraints and explicit revocation with the activation and deactivation of authorization rights according to events. The combination of both models makes it possible to deal with both online and offline scenarios, as well as to strengthen the user’s role by letting her bring together identity information from different sources. Regarding revocation of the user’s consent, we propose an implicit consent revocation mechanism based on events, which introduces a new concept, the sleepyhead credential, which is issued only once and can be used at any time. Moreover, we integrate this concept in IdM systems supporting a delegation protocol, and we contribute the definition of a mathematical model to determine event arrivals to the IdM system and how they are dispatched to the corresponding entities, as well as its integration with the most widely deployed specification, i.e., the Security Assertion Markup Language (SAML). In regard to user profile management, we define a privacy-aware user profile management model to provide efficient selective information disclosure. With this contribution a service provider is able to access the specific personal information it needs without being able to inspect any other details, while the user keeps control of her data by controlling who can access it. The structure that we consider for user profile storage is based on extensions of Merkle trees that allow hash combining, which minimizes the need for individual verification of elements along a path. An algorithm for sorting the tree so that frequently accessed attributes are closer to the root (minimizing access time) is also provided.
    Formal validation of the above-mentioned ideas has been carried out through simulations and the development of prototypes. Besides, dissemination activities were performed in projects, journals and conferences.
    Official Doctoral Programme in Telematics Engineering. Chair: María Celeste Campo Vázquez; Secretary: María Francisca Hinarejos Campos; Member: Óscar Esparza Martí

    Security in Distributed, Grid, Mobile, and Pervasive Computing

    This book addresses the increasing demand to guarantee privacy, integrity, and availability of resources in networks and distributed systems. It first reviews security issues and challenges in content distribution networks, describes key agreement protocols based on the Diffie-Hellman key exchange and key management protocols for complex distributed systems like the Internet, and discusses securing design patterns for distributed systems. The next section focuses on security in mobile computing and wireless networks. After a section on grid computing security, the book presents an overview of security solutions for pervasive healthcare systems and surveys wireless sensor network security.

    Dynamic trust negotiation for decentralised e-health collaborations

    In the Internet age, the geographical boundaries that have previously impinged upon inter-organisational collaborations have become decreasingly important. Of more importance for such collaborations is the notion and subsequent nature of security and trust. This is especially so in open collaborative environments like the Grid, where resources can be made available, accessed and used by remote users from a multitude of institutions with a variety of different privileges spanning the collaboration. In this context, the ability to dynamically negotiate and subsequently enforce security policies driven by various levels of inter-organisational trust is essential. Numerous access control solutions exist today to address aspects of inter-organisational security. These include the use of centralised access control lists, where all collaborating partners negotiate and agree on the privileges required to access shared resources. Other solutions involve delegating aspects of access right management to trusted remote individuals, who assign privileges to their (remote) users. These solutions typically entail negotiations and delegations which are constrained by organisations, people and the static rules they impose. Such constraints often result in a lack of flexibility in what has been agreed, in difficulties in reaching agreement or, once established, in subsequently maintaining these agreements. Furthermore, these solutions often reduce the autonomous capacity of collaborating organisations because of the need to satisfy collaborating partners’ demands. This can result in increased security risks or a reduction in the granularity of security policies. Underpinning this is the issue of trust: specifically, trust realisation between organisations, between individuals, and/or between entities or systems that are present in multi-domain authorities. Trust negotiation is one approach that allows and supports trust realisation.
    The thesis introduces a novel model called dynamic trust negotiation (DTN) that supports n-tier negotiation hops for trust realisation in multi-domain collaborative environments, with specific focus on e-Health environments. DTN describes how trust pathways can be discovered and subsequently how remote security credentials can be mapped to local security credentials through trust contracts, thereby bridging the gap that makes decentralised security policies difficult to define and enforce. Furthermore, DTN shows how n-tier negotiation hops can limit the disclosure of access control policies and how semantic issues that exist with security attributes in decentralised environments can be reduced. The thesis presents the results from the application of DTN to various clinical trials and the implementation of DTN in the Virtual Organisation for Trials of Epidemiological Studies (VOTES). The thesis concludes that DTN can address the issue of realising and establishing trust between systems or agents within the e-Health domain, such as the clinical trials domain.

    Design and implementation of a secure wide-area object middleware

    Tanenbaum, A.S. [Promotor]; Crispo, C.B. [Copromotor]

    A Dynamic Validation Infrastructure for Interoperable Grid Services

    Grid resource owners can authorize access to their computing elements through well-established procedures for clients, usually through the use of cryptographic credentials that in most cases have a defined lifetime. Although the adoption of Certification Authorities (CAs) has partially solved the problem of identification and authentication between entities, and PKI (Public Key Infrastructure) technology is quite mature, the same assumptions cannot be made when there are domains that do not trust each other. In recent years Virtual Organizations (VOs) have proliferated within the Grid, each one installing its own Certification Authority and giving rise to a large number of different security domains that effectively do not trust each other. This leads to a complex Grid interoperability scenario, which requires mechanisms capable of determining whether a client credential can be trusted at a given moment. This process (called "validation") has traditionally been handled via Certificate Revocation Lists (CRLs). However, this solution is inefficient both for the CAs and for Grid applications. Consequently, more efficient mechanisms that make it possible to know the status of a certificate in real time are required. Among these solutions, the Online Certificate Status Protocol (OCSP) stands out for Grids. Despite its importance for security, OCSP entails considerable challenges for the Grid and at present is unable to guarantee a secure degree of interoperability among the CAs that participate in that environment. At present the Grid community has solved the interoperability problem through the use of "Policy Management Authorities" (PMAs), which represent "Federations of Grid-PKIs" whose member CAs comply with minimum levels of security. These minimum requirements form the so-called "PMA Authentication Profile".
    Currently, compliance with the profile of a given PMA is checked through a well-defined but manual process, performed only once, when a CA wishes to become part of that PMA. This is called the "Accreditation Process". Any client invoking an operation of a Grid service triggers an authentication process that validates its digital certificate according to a process called "Path Validation". When the participating CAs interoperate thanks to explicit trust agreements, only a "Basic Path Validation" is required: cryptographic verification and checking of the certificate status. Grid software such as the Globus Toolkit provides static mechanisms for this process. This, however, turns out to be inappropriate for current VOs. Thus, despite the importance that an automatic and "Extended" "Path Validation" process would have for building trust relationships dynamically in Grid-PKIs, to date no mechanism exists to do so. This thesis presents a novel architecture for carrying out the "Extended Path Validation" process in Grid environments for CAs that belong to the same PMA, thanks to the use of a Validation Infrastructure based on Grid-OCSP and a policy evaluation methodology that compares the Certification Policies of the CAs involved to ensure that they comply with an Authentication Profile and that they can therefore interoperate with each other. The policy evaluation methodology is based on a research proposal from the "Università di Napoli, Federico II" and the "Seconda Università di Napoli".
    A prototype of the Validation Infrastructure was developed during our research and is explained at length in this thesis.
    Grid resource owners can authorize access to their computing elements by means of well-established Authentication and Authorization processes for end-entities, through the use of cryptographic credentials that in most cases have a defined lifetime. Nevertheless, despite the fact that the adoption of Certification Authorities (CAs) has partially solved the problem of identification and authentication between the involved parties, and that Public Key Infrastructure (PKI) technologies are mature enough, we cannot make the same assumptions when untrusted domains are involved. In the last years a lot of Grid Virtual Organizations (VOs) have been proliferating, each one usually installing its own Certificate Authority and thus giving birth to a large set of different and possibly untrusted security domains. This brings a quite complex Grid interoperability scenario, requiring mechanisms able to determine whether a particular end-entity’s credential can be trusted at a given moment. This process is commonly named validation, and traditionally it is performed via Certificate Revocation Lists (CRLs). However, this solution tends to be cumbersome for both the CA and the application. In consequence, more efficient mechanisms to allow for the provision of real-time certificate status information are required. Among these solutions, the Online Certificate Status Protocol (OCSP) stands out in the Grid community. Despite its importance for security, OCSP not only faces considerable challenges in the computational Grid but also, in its current form, is unable to guarantee a secure degree of interoperability among all the involved Grid Certification Authorities.
    At the state of the art, the Grid community is circumventing the interoperability problem with the "Policy Management Authorities" (PMAs), which represent "Federations of Grid PKIs" whose CA members accomplish minimum levels of security. These minimum requirements comprise the PMA’s Authentication Profile. In the case of the existing Grid PMAs, compliance with their respective authentication profile is established through a well-defined but manual process involving a careful analysis of the applicant PKI’s Certification Policy (CP), performed just once, when a new CA wishes to be part of an existing PMA. This is known as the PMA’s accreditation process. Any end-entity invoking a Grid Service’s operation on the server activates an authentication process that validates the end-entity’s digital certificate according to the traditional path validation procedure. When the involved CAs interoperate thanks to explicit trust agreements, only basic path validation is required: cryptographic verifications and status checks over the involved certificates. State-of-the-art Grid software like the Globus Toolkit provides static mechanisms for basic path validation. This is a cumbersome process in today’s Virtual Organizations. Therefore, despite the importance that an automated and extended path validation process has for building dynamic trust relationships among Grid PKIs, to date there is no mechanism to automatically obtain this information. This thesis presents a novel architecture for enabling extended path validation in Grid environments for CAs that are part of the same PMA, thanks to the use of a Validation Infrastructure based on a Grid-enabled Online Certificate Status Protocol and a policy evaluation methodology that compares the involved CAs’ Certificate Policies to assert that they fulfil a particular Authentication Profile and that they can therefore interoperate among them.
    The policy evaluation technique is based on a formal methodology originally proposed by researchers of the "Università di Napoli, Federico II" and the "Seconda Università di Napoli". A working prototype of the proposed Validation Infrastructure was also developed during our research, and is explained in detail throughout this thesis.

    A trust-driven privacy architecture for vehicular ad-hoc networks

    Vehicular Ad-Hoc NETworks (VANETs) are an emerging technology which aims to improve road safety by preventing and reducing traffic accidents. While VANETs offer a great variety of promising applications, such as safety-related and infotainment applications, a number of security and privacy related research challenges remain that must be addressed. A common approach to security issues widely adopted in VANETs is the use of Public Key Infrastructures (PKI) and digital certificates in order to enable authentication, authorization and confidentiality. These approaches usually rely on a large set of regional Certification Authorities (CAs). Despite the advantages of PKI-based approaches, two main problems arise: i) the secure interoperability among the different, and usually unknown, issuing CAs, and ii) the sole use of PKI in a VANET environment cannot prevent privacy related attacks, such as linking a vehicle with an identifier, tracking vehicles ("big brother scenario") and user profiling. Additionally, since vehicles in VANETs will be able to store great amounts of information, including private information, unauthorized access to such information should be carefully considered. This thesis addresses authentication and interoperability issues in vehicular communications, considering an inter-regional scenario where mutual authentication between nodes is needed. To provide interoperability between vehicles and services among different domains, an Inter-domain Authentication System (AS) is proposed. The AS supplies vehicles with a trusted set of authentication credentials by implementing a near real-time certificate status service. The proposed AS also implements a mechanism to quantitatively evaluate the trust level of a CA, in order to decide on-the-fly if an interoperability relationship can be created. This research work also contributes a Privacy Enhancing Model (PEM) to deal with important privacy issues in VANETs.
    The PEM consists of two PKI-based privacy protocols: i) the Attribute-Based Privacy (ABP) protocol, and ii) the Anonymous Information Retrieval (AIR) protocol. The ABP introduces Attribute-Based Credentials (ABC) to provide conditional anonymity and minimal information disclosure, which overcome the privacy issues related to linkability (linking a vehicle with an identifier) and vehicle tracking (big brother scenario). The AIR protocol addresses user profiling when querying Service Providers (SPs), by relying on a user collaboration privacy protocol based on query forgery and permutation, and assuming that neither participant nodes nor SPs can be completely trusted. Finally, the Trust Validation Model (TVM) is proposed. The TVM supports decision making by evaluating entities’ trust based on context information, in order to provide i) access control to driver and vehicle private information, and ii) public information trust validation.

    User-controlled access management to resources on the Web

    PhD Thesis
    The rapidly developing Web environment provides users with a wide set of rich services as varied and complex as desktop applications. Those services are collectively referred to as "Web 2.0", with such examples as Facebook, Google Apps, Salesforce, or Wordpress, among many others. These applications are used for creating, managing, and sharing online data between users and services on the Web. With the shift from desktop computers to the Web, users create and store more of their data online and not on the hard drives of their computers. This data includes personal information, documents, photos, as well as other resources. Irrespective of the environment, either desktop or the Web, it is the user who creates the data, who disseminates it and who shares it. On the Web, however, sharing resources poses new security and usability challenges which were not present in traditional computing. Access control, also known as authorisation, which aims to protect such sharing, is currently poorly addressed in this environment. Existing access control is often not well suited to the increasing amount of highly distributed Web data and does not give users the required flexibility in managing their data. This thesis discusses new solutions to access control for the Web. Firstly, it shows a proposal named User-Managed Access Control (UMAC) and presents its architecture and protocol. This thesis then focuses on the User-Managed Access (UMA) solution that is researched by the User-Managed Access Work Group at Kantara Initiative. The UMA approach allows the user to play a pivotal role in assigning access rights to their resources, which may be spread across multiple cloud-based Web applications. Unlike existing authorisation systems, it relies on a user’s centrally located security requirements for these resources.
    The security requirements are expressed in the form of access control policies and are stored and evaluated in a specialised component called the Authorisation Manager. Users are provided with a consistent User Experience for managing access control for their distributed online data and with a holistic view of the security applied to this data. Furthermore, this thesis presents the software that implements the UMA proposal. In particular, this thesis shows frameworks that allow Web applications to delegate their access control function to an Authorisation Manager. It also presents the design and implementation of an Authorisation Manager and discusses its evaluation conducted with a user study. It then discusses the design and implementation of a second, improved Authorisation Manager. Furthermore, this thesis presents the applicability of the UMA approach and the implemented software to real-world scenarios.

    Next Generation Business Ecosystems: Engineering Decentralized Markets, Self-Sovereign Identities and Tokenization

    Digital transformation research increasingly shifts from studying information systems within organizations towards adopting an ecosystem perspective, where multiple actors co-create value. While digital platforms have become a ubiquitous phenomenon in consumer-facing industries, organizations remain cautious about fully embracing the ecosystem concept and sharing data with external partners. Concerns about the market power of platform orchestrators and ongoing discussions on privacy, individual empowerment, and digital sovereignty further complicate the widespread adoption of business ecosystems, particularly in the European Union. In this context, technological innovations in Web3, including blockchain and other distributed ledger technologies, have emerged as potential catalysts for disrupting centralized gatekeepers and enabling a strategic shift towards user-centric, privacy-oriented next-generation business ecosystems. However, existing research efforts that focus on decentralizing interactions through distributed network topologies and open protocols lack theoretical convergence, resulting in a fragmented and complex landscape that inadequately addresses the challenges organizations face when transitioning to an ecosystem strategy that harnesses the potential of disintermediation. To address these gaps and successfully engineer next-generation business ecosystems, a comprehensive approach is needed that encompasses the technical design, economic models, and socio-technical dynamics. This dissertation aims to contribute to this endeavor by exploring the implications of Web3 technologies on digital innovation and transformation paths. Drawing on a combination of qualitative and quantitative research, it makes three overarching contributions: First, a conceptual perspective on 'tokenization' in markets clarifies its ambiguity and provides a unified understanding of its role in ecosystems.
    This perspective includes frameworks on: (a) technological; (b) economic; and (c) governance aspects of tokenization. Second, a design perspective on 'decentralized marketplaces' highlights the need for an integrated understanding of micro-structures, business structures, and IT infrastructures in blockchain-enabled marketplaces. This perspective includes: (a) an explorative literature review on design factors; (b) case studies and insights from practitioners to develop requirements and design principles; and (c) a design science project with an interface design prototype of blockchain-enabled marketplaces. Third, an economic perspective on 'self-sovereign identities' (SSI) as micro-structural elements of decentralized markets. This perspective includes: (a) value creation mechanisms and business aspects of strategic alliances governing SSI ecosystems; (b) business model characteristics adopted by organizations leveraging SSI; and (c) business model archetypes and a framework for SSI ecosystem engineering efforts. The dissertation concludes by discussing limitations as well as outlining potential avenues for future research. These include, amongst others, exploring the challenges of ecosystem bootstrapping in the absence of intermediaries, examining the make-or-join decision in ecosystem emergence, addressing the multidimensional complexity of Web3-enabled ecosystems, investigating incentive mechanisms for inter-organizational collaboration, understanding the role of trust in decentralized environments, and exploring varying degrees of decentralization with potential transition pathways.

    Putting the User at the Centre of the Grid: Simplifying Usability and Resource Selection for High Performance Computing

    Computer simulation is finding a role in an increasing number of scientific disciplines, concomitant with the rise in available computing power. Realizing this inevitably requires access to computational power beyond the desktop, making use of clusters, supercomputers, data repositories, networks and distributed aggregations of these resources. Accessing one such resource entails a number of usability and security problems; when multiple geographically distributed resources are involved, the difficulty is compounded. However, usability is an all too often neglected aspect of computing on e-infrastructures, although it is one of the principal factors militating against the widespread uptake of distributed computing. The usability problems are twofold: the user needs to know how to execute the applications they need to use on a particular resource, and also to gain access to suitable resources to run their workloads as they need them. In this thesis we present our solutions to these two problems. Firstly we propose a new model of e-infrastructure resource interaction, which we call the user–application interaction model, designed to simplify executing applications on high performance computing resources. We describe the implementation of this model in the Application Hosting Environment, which provides a Software as a Service layer on top of distributed e-infrastructure resources. We compare the usability of our system with commonly deployed middleware tools using five usability metrics. Our middleware and security solutions are judged to be more usable than other commonly deployed middleware tools. We go on to describe the requirements for a resource trading platform that allows users to purchase access to resources within a distributed e-infrastructure.
    We present the implementation of this Resource Allocation Market Place as a distributed multi-agent system, and show how it provides a highly flexible, efficient tool to schedule workflows across high performance computing resources.

    Acesso remoto dinâmico e seguro a bases de dados com integração de políticas de acesso suave

    The amount of data being created and shared has grown greatly in recent years, thanks in part to social media and the growth of smart devices. Managing the storage and processing of this data can give a competitive edge when used to create new services, to enhance targeted advertising, etc. To achieve this, the data must be accessed and processed. When applications that access this data are developed, tools such as Java Database Connectivity, ADO.NET and Hibernate are typically used. However, while these tools aim to bridge the gap between databases and the object-oriented programming paradigm, they focus only on the connectivity issue. This leads to increased development time, as developers need to master the access policies to write correct queries. Moreover, when used in database applications within non-controlled environments, other issues emerge, such as database credential theft; application authentication; authorization and auditing of large groups of new users seeking access to data, potentially with vague requirements; network eavesdropping for data and credential disclosure; impersonating database servers for data modification; application tampering for unrestricted database access and data disclosure; etc. Therefore, an architecture capable of addressing these issues is necessary to build a reliable set of access control solutions that expand and simplify the application scenarios of access control systems. The objective, then, is to secure remote access to databases, since database applications may be used in hard-to-control environments and physical access to the host machines/network may not always be protected. Furthermore, the authorization process should dynamically grant the appropriate permissions to users that have not been explicitly authorized, in order to handle large groups seeking access to data.
    This includes scenarios where the definition of the access requirements is difficult due to their vagueness, usually requiring a security expert to authorize each user individually. This is achieved by integrating and auditing soft access policies based on fuzzy set theory in the access control decision-making process. A proof-of-concept of this architecture is provided alongside a functional and performance assessment.
    The amount of data created and shared has grown in recent years, partly thanks to social networks and the proliferation of smart devices. Managing the storage and processing of this data can provide a competitive advantage when used to create new services, to improve targeted advertising, etc. To achieve this objective, the data must be accessed and processed. When the applications that access this data are developed, tools such as Java Database Connectivity, ADO.NET and Hibernate are normally used. However, although these tools aim to fill the gap between databases and the object-oriented programming paradigm, they focus only on the connectivity issue. This increases development time, since programmers need to master the access policies to write correct queries. Moreover, when used in database applications in uncontrolled environments, other problems arise, such as theft of database credentials; application authentication; authorization and auditing of large groups of new users seeking access to data, potentially with vague requirements; network eavesdropping to obtain data and credentials; impersonation of database servers for data modification; manipulation of applications for unrestricted database access and data disclosure; etc.
    An architecture capable of solving these problems is necessary to build a reliable set of access control solutions, to expand and simplify the application scenarios of these systems. The objective, then, is to protect remote access to databases, since database applications may be used in hard-to-control environments and physical access to the machines/network is not always protected. Additionally, the authorization process must dynamically grant the appropriate permissions to users who have not been explicitly authorized, in order to support large groups of users seeking access to data. This includes scenarios in which the definition of access requirements is difficult due to their vagueness, usually requiring a security expert to authorize each user individually. This objective is achieved in the access control decision process by integrating and auditing soft access policies based on fuzzy set theory. A proof of concept of this architecture is provided together with a functional and performance evaluation.
    Doctoral Programme in Informatics