Privacy-preserving Cross-domain Routing Optimization -- A Cryptographic Approach

Today's large-scale enterprise networks, data center networks, and wide area networks can be decomposed into multiple administrative or geographical domains. Domains may be owned by different administrative units or organizations. Hence protecting domain information is an important concern. Existing general-purpose Secure Multi-Party Computation (SMPC) methods that preserves privacy for domains are extremely slow for cross-domain routing problems. In this paper we present PYCRO, a cryptographic protocol specifically designed for privacy-preserving cross-domain routing optimization in Software Defined Networking (SDN) environments. PYCRO provides two fundamental routing functions, policy-compliant shortest path computing and bandwidth allocation, while ensuring strong protection for the private information of domains. We rigorously prove the privacy guarantee of our protocol. We have implemented a prototype system that runs PYCRO on servers in a campus network. Experimental results using real ISP network topologies show that PYCRO is very efficient in computation and communication costs

LCDMA: Lightweight Cross-domain Mutual Identity Authentication scheme for Internet of Things

With the widespread popularity of mobile terminals in the Internet of things (IoT), the demand for cross-domain access of mobile terminals between different regions has also increased significantly. The nature of wireless communication media makes mobile terminals vulnerable to security threats in cross-domain access. Identity authentication is a prerequisite for secure data transmission in cross-domain, and it is also the first step to guarantee the credibility of data sources. Most existing authentication schemes are based on bilinear pairing or public key encryption and decryption with high computation overhead, which are not suitable for the resource-limited mobile IoT terminals. Moreover, these schemes have some security drawbacks and cannot meet the security requirements of cross-domain access. In this paper, we propose a lightweight cross-domain mutual identity authentication (LCDMA) for mobile IoT environments. LCDMA uses symmetric polynomials instead of high-complexity bilinear pairing in the traditional schemes. We theoretically analyze the security performance under the random oracle model. Our results show that LCDMA not only resists common attacks but also preserves secure traceability while guaranteeing anonymity. Performance evaluation further demonstrates that our scheme has better performance in terms of computation and communication overhead, compared with other existing representative schemes

Reconfigurable Security: Edge Computing-based Framework for IoT

In various scenarios, achieving security between IoT devices is challenging since the devices may have different dedicated communication standards, resource constraints as well as various applications. In this article, we first provide requirements and existing solutions for IoT security. We then introduce a new reconfigurable security framework based on edge computing, which utilizes a near-user edge device, i.e., security agent, to simplify key management and offload the computational costs of security algorithms at IoT devices. This framework is designed to overcome the challenges including high computation costs, low flexibility in key management, and low compatibility in deploying new security algorithms in IoT, especially when adopting advanced cryptographic primitives. We also provide the design principles of the reconfigurable security framework, the exemplary security protocols for anonymous authentication and secure data access control, and the performance analysis in terms of feasibility and usability. The reconfigurable security framework paves a new way to strength IoT security by edge computing.Comment: under submission to possible journal publication

Authentication and authorisation in entrusted unions

This paper reports on the status of a project whose aim is to implement and demonstrate in a real-life environment an integrated eAuthentication and eAuthorisation framework to enable trusted collaborations and delivery of services across different organisational/governmental jurisdictions. This aim will be achieved by designing a framework with assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption to address the security and confidentiality requirements of large distributed infrastructures. The framework supports collaborative secure distributed storage, secure data processing and management in both the cloud and offline scenarios and is intended to be deployed and tested in two pilot studies in two different domains, viz, Bio-security incident management and Ambient Assisted Living (eHealth). Interim results in terms of security requirements, privacy preserving authentication, and authorisation are reported