Securing Controls Middleware of the Large Hadron Collider
The distributed control system of the Large Hadron Collider (LHC) presents many challenges due to its inherent heterogeneity and highly dynamic nature. One critical challenge is providing access control guarantees within the middleware. Role-based access control (RBAC) is a good candidate to provide access control. However, in an equipment control system transactions are often dependent on user context and device context. Unfortunately, classic RBAC cannot be used to handle the above requirements. In this paper we present an extended role-based access control model called CMW-RBAC. This new model incorporates the advantages of role-based permission administration together with a fine-grained control of dynamic context attributes. We also propose a new technique called dynamic authorization that allows phased introduction of access control in large distributed systems. This paper also describes motivation of the project, requirements, and overview of its main components: authentication and authorization
Gait-Based Identification Using Wearables in the Personal Fog
Wearables are becoming more computationally powerful, with increased sensing and control capabilities, creating a need for accurate user authentication. Greater control and power allow wearables to become part of a personal fog system, but introduce new attack vectors. An attacker that steals a wearable can gain access to stored personal data on the wearable. However, the new computational power can also be employed to safeguard use through more secure authentication. The wearables themselves can now perform authentication. In this paper, we use gait identification for increased authentication when potentially harmful commands are requested. We show how relying on the processing and storage inherent in the personal fog allows distributed storage of information about the gait of the wearer and the ability to fully process this data for user authentication locally at the edge. While gait-based authentication has been examined before, we show an additional, low-power method of verification for wearables
A solution for secure use of Kibana and Elasticsearch in multi-user environment
Monitoring is indispensable to check status, activities, or resource usage of
IT services. A combination of Kibana and Elasticsearch is used for monitoring
in many places such as KEK, CC-IN2P3, CERN, and also non-HEP communities.
Kibana provides a web interface for rich visualization, and Elasticsearch is a
scalable distributed search engine. However, these tools do not support
authentication and authorization features by default. In the case of single
Kibana and Elasticsearch services shared among many users, any user who can
access Kibana can retrieve others' information from Elasticsearch. In a
multi-user environment, in order to protect one's own data from others or share
part of the data among a group, fine-grained access control is necessary.
The CERN cloud service group had provided a cloud utilization dashboard to each
user by Elasticsearch and Kibana. They had deployed a homemade Elasticsearch
plugin to restrict data access based on a user authenticated by the CERN Single
Sign On system. It enabled each user to have a separated Kibana dashboard for
cloud usage, and the user could not access other users' dashboards. Based on the
solution, we propose an alternative one which enables user/group based
Elasticsearch access control and Kibana objects separation. It is more flexible
and can be applied to not only the cloud service but also the other various
situations. We confirmed our solution works fine in CC-IN2P3. Moreover, a
pre-production platform for CC-IN2P3 has been under construction.
We will describe our solution for the secure use of Kibana and Elasticsearch
including integration of Kerberos authentication, development of a Kibana
plugin which allows Kibana objects to be separated based on user/group, and
contribution to Search Guard which is an Elasticsearch plugin enabling
user/group based access control. We will also describe the effect on
performance from using Search Guard.
Comment: International Symposium on Grids and Clouds 2017 (ISGC 2017)
VisTAS:Blockchain-based Visible and Trusted Remote Authentication System
The information security domain focuses on security needs at all levels in a computing environment in either the Internet of Things, Cloud Computing, Cloud of Things, or any other implementation. Data, devices, services, or applications and communication are required to be protected and provided by information security shields at all levels and in all working states. Remote authentication is required to perform different administrative operations in an information system, and Administrators have full access to the system and may pose insider threats. Superusers and administrators are the most trusted persons in an organisation. “Trust but verify” is an approach to have an eye on the superusers and administrators. Distributed ledger technology (Blockchain-based data storage) is an immutable data storage scheme and provides a built-in facility to share statistics among peers. Distributed ledgers are proposed to provide visible security and non-repudiation, which securely records administrators’ authentications requests. The presence of security, privacy, and accountability measures establish trust among its stakeholders. Securing information in an electronic data processing system is challenging, i.e., providing services and access control for the resources to only legitimate users. Authentication plays a vital role in systems’ security; therefore, authentication and identity management are the key subjects to provide information security services. The leading cause of information security breaches is the failure of identity management/authentication systems and insider threats. In this regard, visible security measures have more deterrence than other schemes. In this paper, an authentication scheme, “VisTAS,” has been introduced, which provides visible security and trusted authentication services to the tenants and keeps the records in the blockchain
Privacy Protection in Distributed Fingerprint-based Authentication
Biometric authentication is getting increasingly popular due to the
convenience of using unique individual traits, such as fingerprints, palm
veins, irises. Especially fingerprints are widely used nowadays due to the
availability and low cost of fingerprint scanners. To avoid identity theft or
impersonation, fingerprint data is typically stored locally, e.g., in a trusted
hardware module, in a single device that is used for user enrollment and
authentication. Local storage, however, limits the ability to implement
distributed applications, in which users can enroll their fingerprint once and
use it to access multiple physical locations and mobile applications
afterwards.
In this paper, we present a distributed authentication system that stores
fingerprint data in a server or cloud infrastructure in a privacy-preserving
way. Multiple devices can be connected and perform user enrollment or
verification. To secure the privacy and integrity of sensitive data, we employ
a cryptographic construct called fuzzy vault. We highlight challenges in
implementing fuzzy vault-based authentication, for which we propose and compare
alternative solutions. We conduct a security analysis of our biometric
cryptosystem, and as a proof of concept, we build an authentication system for
access control using resource-constrained devices (Raspberry Pis) connected to
fingerprint scanners and the Microsoft Azure cloud environment. Furthermore, we
evaluate the fingerprint matching algorithm against the well-known FVC2006
database and show that it can achieve comparable accuracy to widely-used
matching techniques that are not designed for privacy, while remaining
efficient with an authentication time of a few seconds.
Comment: This is an extended version of the paper with the same title which
has been accepted for publication at the Workshop on Privacy in the
Electronic Society (WPES 2019)
Secure and Flexible Global File Sharing
Sharing of files is a major application of computer networks, with examples ranging from LAN-based network file systems to wide-area applications such as use of version control systems in distributed software development. Identification, authentication and access control are much more challenging in this complex large-scale distributed environment. In this paper, we introduce the Distributed Credential Filesystem (DisCFS). Under DisCFS, credentials are used to identify both the files stored in the file system and the users that are permitted to access them, as well as the circumstances under which such access is allowed. As with traditional capabilities, users can delegate access rights (and thus share information) simply by issuing new credentials. Credentials allow files to be accessed by remote users that are not known a priori to the server. Our design achieves an elegant separation of policy and mechanism which is mirrored in the implementation. Our prototype implementation of DisCFS runs under OpenBSD 2.8, using a modified user-level NFS server. Our measurements suggest that flexible and secure file sharing can be made scalable at a surprisingly low performance cost
Protection of Information and Communications in Distributed Systems and Microservices
Distributed systems have been a topic of discussion since the 1980s, but the adoption of microservices has raised the number of system components considerably. With more decentralised distributed systems, new ways to handle authentication, authorisation and accounting (AAA) are needed, as well as ways to allow components to communicate between themselves securely. New standards and technologies have been created to deal with these new requirements and many of them have already found their way to most used systems and services globally.
After covering AAA and separate access control models, we continue with ways to secure communications between two connecting parties, using Transport Layer Security (TLS) and other more specialised methods such as the Google-originated Secure Production Identity Framework for Everyone (SPIFFE). We also discuss X.509 certificates for ensuring identities. Next, both older time-tested and newer distributed AAA technologies are presented. After this, we look into communication between distributed components with both synchronous and asynchronous communication mechanisms, as well as into the publish/subscribe communication model popular with the rise of the streaming platform.
This thesis also explores possibilities in securing communications between distributed endpoints and ways to handle AAA in a distributed context. This is showcased in a new software component that handles authentication through a separate identity endpoint using the OpenID Connect authentication protocol and stores identity in a Javascript object-notation formatted and cryptographically signed JSON Web Token, allowing stateless session handling as the token can be validated by checking its signature. This enables fast and scalable session management and identity handling for any distributed system