5,433 research outputs found
Authentication Mechanism Based on Adaptable Context Management Framework for Secure Network Services
Systems that use context information are a new trend in IT. Many researchers create frameworks that collect data and perform actions based on it. Recently, more and more security solutions that can use context have appeared, but not all of them work dynamically and ensure a high level of user quality of experience (QoE). This paper outlines what context information is and presents a secure and user-friendly authentication mechanism for a mailbox in cloud computing, based on contextual data
Security in Pervasive Computing: Current Status and Open Issues
Millions of wireless device users are ever on the move, becoming more dependent on their PDAs, smart phones, and other handheld devices. With the advancement of pervasive computing, new and unique capabilities are available to aid mobile societies. The wireless nature of these devices has fostered a new era of mobility. Thousands of pervasive devices are able to arbitrarily join and leave a network, creating a nomadic environment known as a pervasive ad hoc network. However, mobile devices have vulnerabilities, and some are proving to be challenging. Security in pervasive computing is the most critical challenge. Security is needed to ensure exact and accurate confidentiality, integrity, authentication, and access control, to name a few. Security for mobile devices, though still in its infancy, has drawn the attention of various researchers. As pervasive devices become incorporated in our day-to-day lives, security will increasingly become a common concern for all users, though for most it will be an afterthought, like many other computing functions. The usability and expansion of pervasive computing applications depend greatly on the security and reliability provided by the applications. At this critical juncture, security research is growing. This paper examines the recent trends and forward-thinking investigation in several fields of security, along with a brief history of previous accomplishments in the corresponding areas. Some open issues have been discussed for further investigation
The simplicity project: easing the burden of using complex and heterogeneous ICT devices and services
As of today, to exploit the variety of different "services", users need to configure each of their devices by using different procedures and need to explicitly select among heterogeneous access technologies and protocols. In addition to that, users are authenticated and charged by different means. The lack of implicit human computer interaction, context-awareness and standardisation places an enormous burden of complexity on the shoulders of the final users. The IST-Simplicity project aims at alleviating such problems by: i) automatically creating and customizing a user communication space; ii) adapting services to user terminal characteristics and to users' preferences; iii) orchestrating network capabilities. The aim of this paper is to present the technical framework of the IST-Simplicity project. This paper is a thorough analysis and qualitative evaluation of the different technologies, standards and works presented in the literature related to the Simplicity system to be developed
Adaptable Context Management Framework for Secure Network Services
In recent decades the contextual approach has become an important methodology for analysing information processes in dynamic environments. In this paper we propose a context management framework suitable for secure network services. The framework allows tracking the contextual information from its origin, through all stages of its processing, up to its application in security services protecting the secure network application. Besides the framework's description, an example of its application in constructing a secure voice call network service is given
Identity Management and Authorization Infrastructure in Secure Mobile Access to Electronic Health Records
We live in an age of the mobile paradigm of anytime/anywhere access, as the mobile device
is the most ubiquitous device that people now hold. Due to their portability, availability, ease
of use, communication, access and sharing of information within various domains and areas of
our daily lives, the acceptance and adoption of these devices is still growing. However, due to
their potential and rising numbers, mobile devices are a growing target for attackers and, like
other technologies, mobile applications are still vulnerable.
Health information systems are composed of tools and software to collect, manage, analyze
and process medical information (such as electronic health records and personal health records).
Therefore, such systems can empower the performance and maintenance of health services,
promoting availability, readability, accessibility and data sharing of vital information about a
patient's overall medical history between geographically fragmented health services. Quick access
to information is of great importance in the health sector, as it accelerates work processes,
resulting in better time utilization. Additionally, it may increase the quality of care.
However, health information systems store and manage highly sensitive data, which raises serious
concerns regarding patients' privacy and safety, and may explain the still increasing number
of malicious incident reports within the health domain.
Data related to health information systems are highly sensitive and subject to severe legal
and regulatory restrictions that aim to protect the individual rights and privacy of patients.
Alongside this legislation, security requirements must be analyzed and measures implemented.
Within the necessary security requirements to access health data, secure authentication,
identity management and access control are essential to provide adequate means to
protect data from unauthorized accesses. However, besides the use of simple authentication
models, traditional access control models are commonly based on predefined access policies
and roles, and are inflexible. This results in uniform access control decisions across people,
different types of devices, environments and situational conditions, and across enterprises, location
and time.
Although existing models can meet the needs of health care systems, they still
lack components for dynamicity and privacy protection, which leads to a lack of the desired levels
of security and leaves the patient without full and easy control of his privacy. Within this
master thesis, after deep research and a review of the state of the art, a novel dynamic
access control model was published: Socio-Technical Risk-Adaptable Access Control modEl (SoTRAACE),
which can model the inherent differences and security requirements that are present in this
thesis. To do this, SoTRAACE aggregates attributes from various domains to help perform
a risk assessment at the moment of the request. The assessment of the risk factors identified
in this work is based on a Delphi study. A set of security experts from various domains was
selected to classify the impact on the risk assessment of each attribute that SoTRAACE aggregates.
SoTRAACE was integrated into an architecture with well-founded requirements, based
on the best recommendations and standards (OWASP, NIST 800-53, NIST 800-57) as well as on a
deep review of the state of the art. The architecture is further subjected to the essential security
analysis and the threat model.
As proof of concept, the proposed access control model was implemented within the user-centric
architecture, with two mobile prototypes for several types of accesses by patients and healthcare
professionals, as well as the web servers that handle the access requests, authentication and
identity management.
The proof of concept shows that the model works as expected, with transparency, assuring privacy
and data control to the user without impact for user experience and interaction. It is clear
that the model can be extended to other industry domains, and new levels of risks or attributes
can be added because it is modular. The architecture also works as expected, assuring secure
multifactor authentication and secure data sharing/access based on SoTRAACE decisions.
The communication channel that SoTRAACE uses was also protected with a digital certificate.
Finally, the architecture was tested on different Android versions, with static and
dynamic analysis, and with security tools.
Future work includes the integration of health data standards and evaluating the proposed system
by collecting users' opinions after releasing the system to the real world.
Nowadays we live in a mobile paradigm of anywhere/anytime access, and mobile devices are
the technology most present in society's day-to-day life. Due to their
portability, availability, ease of handling, communication power, and access to and sharing
of information concerning various areas and domains of our lives, the acceptance and integration
of these devices keeps growing. However, due to their potential and the increase in the number
of users, mobile devices are increasingly targets of attacks and, like other
technologies, mobile applications remain vulnerable.
Health information systems are composed of tools and software that make it possible to
collect, manage, analyze and process medical information (such as electronic health
records). Therefore, such systems can enhance the performance and maintenance of
health services, thus promoting the availability, accessibility and sharing of vital data
concerning patients' overall medical records between services and institutions that are
geographically fragmented. Quick access to medical information is of great
importance to the health sector, since it accelerates work processes, resulting
in better efficiency in the use of time and resources. Consequently there will be a
better quality of treatment. However, health information systems store and
handle highly sensitive data, which raises serious concerns regarding patient privacy
and safety. This explains the increase in malicious incidents within the
health domain.
Health data are highly sensitive and are subject to severe laws and regulatory restrictions,
which aim to ensure the protection of patients' rights and privacy, safeguarding
their health data. Together with this legislation, security requirements
must be analyzed and measures implemented. Among the requirements necessary
to access health data, secure authentication, identity management and access
controls are essential to provide adequate means of protecting data against unauthorized
access. However, besides the use of simple authentication models, traditional
access control models are normally based on predefined access policies and roles,
and are inflexible. This results in uniform access control decisions for
different people, device types, environments and situational conditions, enterprises, locations
and different points in time. Although existing models make it possible to meet
some needs of health systems, there is still a shortage of components for dynamic
access and privacy protection, which results in unsatisfactory levels of security and
in the patient not having direct and full control over his privacy and health documents.
Within this master's thesis, after intensive research and review of the state of the art,
an innovative access control model called SoTRAACE was published, which models the
inherent access differences and security requirements present in this thesis. To this end,
SoTRAACE aggregates attributes from various environments and domains that help perform a risk
assessment at the moment the data are requested. The assessment of the risk factors
identified in this work is based on a Delphi study. A set of security
experts from various industry domains was selected to classify the impact of each
attribute that SoTRAACE aggregates. SoTRAACE was integrated into an architecture for access to
medical data, with well-founded requirements based on the best standards and recommendations (OWASP, NIST 800-53, NIST 800-57) and on intensive reviews of the state of the art. This
architecture is subsequently subjected to a security analysis and attack models.
As proof of this concept, the proposed access control model is implemented together
with a user-centric architecture, with two prototypes for mobile applications,
which provide several types of access for patients and health professionals. The architecture
also comprises web servers that handle data management, access control, and
authentication and identity management. The final result shows that the model works as expected,
with transparency, ensuring privacy and data control for the user
without impact on their interaction and experience. Consequently this model can be extended
to other industry sectors, and new risk levels or attributes can be added
to it, since it is modular. The architecture also works as expected, ensuring
secure multi-factor authentication and secure data access and sharing based on SoTRAACE
decisions. The communication channel that SoTRAACE uses was also protected with
a digital certificate.
The architecture was tested on different Android versions, and was subjected to static analysis,
dynamic analysis and tests with security tools.
Future work plans include the integration of health data standards and the evaluation of the
proposed system by collecting the opinions of users in the real world
Secure Vehicular Communication Systems: Implementation, Performance, and Research Challenges
Vehicular Communication (VC) systems are on the verge of practical
deployment. Nonetheless, their security and privacy protection is one of the
problems that have been addressed only recently. In order to show the
feasibility of secure VC, certain implementations are required. In [1] we
discuss the design of a VC security system that has emerged as a result of the
European SeVeCom project. In this second paper, we discuss various issues
related to the implementation and deployment aspects of secure VC systems.
Moreover, we provide an outlook on open security research issues that will
arise as VC systems develop from today's simple prototypes to full-fledged
systems