MoPS: A Modular Protection Scheme for Long-Term Storage

Current trends in technology, such as cloud computing, allow outsourcing the storage, backup, and archiving of data. This provides efficiency and flexibility, but also poses new risks for data security. It in particular became crucial to develop protection schemes that ensure security even in the long-term, i.e. beyond the lifetime of keys, certificates, and cryptographic primitives. However, all current solutions fail to provide optimal performance for different application scenarios. Thus, in this work, we present MoPS, a modular protection scheme to ensure authenticity and integrity for data stored over long periods of time. MoPS does not come with any requirements regarding the storage architecture and can therefore be used together with existing archiving or storage systems. It supports a set of techniques which can be plugged together, combined, and migrated in order to create customized solutions that fulfill the requirements of different application scenarios in the best possible way. As a proof of concept we implemented MoPS and provide performance measurements. Furthermore, our implementation provides additional features, such as guidance for non-expert users and export functionalities for external verifiers.Comment: Original Publication (in the same form): ASIACCS 201

Modelo de análisis forense en aplicaciones de mensajería instantánea para la obtención de evidencia digital

El uso de teléfonos móviles está creciendo constantemente a nivel global, según el informe de la evolución de los suscriptores asociados con teléfonos móviles de la empresa Ericsson. Este informe señala que, para finales del 2022, se estima alrededor de 6.6 billones de suscripciones y se prevé que alcance los 7.8 billones en 2028. Entre las aplicaciones más usadas por esa importante población de suscriptores, se ubican las de mensajería instantánea, según el informe “State of mobile 2023” de la empresa de IA de datos (data.ai). La información almacenada en este tipo de aplicación es variada, almacenan datos como: chats, audios, imágenes, etc. En consecuencia, las dimensiones de la cantidad de información que se pueden obtener de las aplicaciones de mensajería instantánea son gigantescas. En los últimos años, las principales aplicaciones de mensajería instantánea se han enfocado en el cifrado de extremo a extremo, como medida de prevención ante el ataque de los ciberdelincuentes. Según la empresa Kaspersky, en los teléfonos móviles con el sistema Android, se tiene una considerable cantidad de vínculos que contienen software malicioso que son transmitidos mediante aplicaciones de mensajería instantánea como WhatsApp y Telegram, entre otros. Debido a que la información almacenada por las aplicaciones de mensajería instantánea se está convirtiendo en evidencia crucial para obtención de información sobre incidentes de seguridad y en los procesos judiciales, se deben tomar medidas para salvaguardar dicha evidencia, como la cadena de custodia para mantener su trazabilidad e integridad, de manera tal que pueda ser usada. En esta tesis, se presenta un modelo de análisis forense en aplicaciones de mensajería instantánea para la obtención de evidencia digital. Adicionalmente, se muestran diversos marcos de trabajo y modelos, como referentes para la construcción del modelo propuesto. Este modelo tiene como fin conocer, diagnosticar y mejorar el nivel forense en aplicaciones de mensajería instantánea en organizaciones, entidades de estado, entre otras. Por último, también se presentan las prácticas que permitirían brindar mayor robustez a los procesos de las diferentes organizaciones con relación a la seguridad necesaria en el uso de los teléfonos móviles.The use of mobile phones is growing steadily globally, according to the Ericsson company's report on the evolution of subscribers associated with mobile phones. This report indicates that, by the end of 2022, it is estimated that there will be around 6.6 billion subscriptions and it is expected to reach 7.8 billion in 2028. Among the most used applications by this important population of subscribers are instant messaging applications, according to the “State of mobile 2023” report from the data AI company (data.ai). The information stored in this type of application is varied, they store data such as: chats, audios, images, etc. Consequently, the dimensions of the amount of information that can be obtained from instant messaging applications are huge. In recent years, the main instant messaging applications have focused on end-to-end encryption, as a prevention measure against attacks by cybercriminals. According to the company Kaspersky, on mobile phones with Android system, there is a considerable number of links that contain malicious software that are transmitted through instant messaging applications such as WhatsApp and Telegram, among others. Since the information stored in instant messaging applications is becoming crucial evidence for obtaining information about security incidents and in judicial processes, measures must be taken to safeguard said evidence, such as the chain of custody to maintain its traceability and integrity, so that it can be used. In this thesis, a forensic analysis model in instant messaging applications to obtain digital evidence is presented. Additionally, various frameworks and models are shown as references for the construction of the proposed model. The purpose of this model is to understand, diagnose and improve the forensic level in instant messaging applications in organizations, state entities, among others. Finally, the practices that would provide greater robustness to the processes of different organizations in relation to the necessary security in the use of mobile phones are also presented.Trabajo de investigació

eIDAS qualified trust services: serviço de preservação

Dissertação de mestrado em Engenharia InformáticaDe forma a uniformizar o mercado Europeu e conseguir mais confiança nas transações eletrónicas (sic Considerando 2º do Regulamento eIDAS (2014)), a União Europeia publicou o Regulamento UE nº 910/2014 (Regulamento eIDAS (2014)), também conhecido como Regulamento Eletronic Identification, Authentication and Trust Services (eIDAS). Este normativo legal pretende regular as assinaturas e selos electrónicos, a identificação eletrónica e os serviços de confiança dentro do Espaço Europeu. O objetivo deste regulamento é permitir transações seguras e eficazes entre negócios, pessoas e as autoridades públicas. Para atingir o seu objetivo, o Regulamento eIDAS introduziu o conceito de serviços de confiança qualificados. Os serviços de confiança qualificados permitem às assinaturas eletrónicas o efeito legal equivalente a uma assinatura manuscrita, quando baseadas num certificado qualificado de assinatura eletrónica emitido por uma entidade que está integrada na lista de confiança de um determinado Estado Membro. Estas assinaturas são intituladas de assinaturas eletrónicas qualificadas e são reconhecidas nos restantes Estados Membros. Tribunais (ou outros órgãos encarregados de procedimentos legais) não podem descartá-las como prova apenas porque são eletrónicas, têm de avaliá-las da mesma forma que fariam com o seu equivalente em papel. (sic Artigo 25º do Regulamento eIDAS (2014)) A necessidade de preservação de longo prazo de assinaturas eletrónicas é reconhecida no seio da União Europeia (UE). No Regulamento eIDAS, entre os serviços de confiança qualificados introduzidos, encontra-se o serviço de preservação qualificado. Um serviço de preservação qualificado tem como objectivo preservar o estado de validade de uma assinatura eletrónica qualificada ao longo do tempo. Esta dissertação tem o seu foco no desenvolvimento de uma Prova de Conceito do serviço de confiança qualificado de preservação de assinaturas e selos eletrónicos qualificados, que se antecipa que comece a ser utilizado massivamente nos próximos anos.In order to standardise the European market and achieve greater confidence in electronic transactions (sic Recital 2º eIDAS (2014), the European Union has developed EU Regulation No 910/2014, also known as eIDAS. This regulation aims to regulate electronic signatures and seals, electronic identification and trust services in Europe. The aim of this regulation is to enable secure and efficient transactions between businesses, individuals and public authorities. So as to achieve its objective, the eIDAS Regulation introduced the concept of qualified trust services. Qualified trust services allow subscribers and electronic signatures the legal effect equivalent to a handwritten signature when based on an electronic signature qualified certificate issued by an entity which is part of the trust list of a given Member State. These signatures are entitled qualified electronic signatures and are recognised in the other Member States. Courts (or other bodies in charge of legal proceedings) cannot discard them as evidence just because they are electronic, they have to assess them in the same way as they would for their paper equivalent. (sic Article 25º of the Regulation eIDAS (2014)) The need for long-term preservation of electronic signatures is recognised within the UE. In the Regulation eIDAS, among the qualified services of trust introduced, is the qualified preservation service. A qualified preservation service aims to preserve the validity status of a qualified electronic signature over time. This dissertation focuses on the development of a Proof of Concept for the qualified electronic signature and seal preservation trust service, which is expected to start to be used massively in the coming years

The concept of establishment of electronic archive in public administration

Cilj ove doktorske disertacije je izrada modela informacijskog sustava za dugotrajnu pohranu elektroniĉki potpisanih dokumenata u podruĉju javne uprave. Za potrebe izrade modela obraĊen je referentni teorijski model za dugotrajnu pohranu elektroniĉkih informacijskih objekata – OAIS. Opisane su odgovornosti i sastavnice te funkcionalni entiteti navedenog modela. ObraĊena su teorijska saznanja s podruĉju infrastrukture javnog kljuĉa (PKI) zbog tehnologija i koncepata koji podrţavaju povjerenje u elektroniĉke zapise: digitalni certifikat, elektroniĉki potpis, napredni elektroniĉki potpis, certifikacijski (CA) i registracijski autoritet (RA), elektroniĉki vremenski ţig i dr. Uredbom eIDAS (Uredba (EU) br. 910/2014) je za podruĉje Europske Unije stavljena van snage do tada vaţeća EU Direktiva 1999/93/EC o okviru Zajednice za elektroniĉke potpise. Utjecaj Uredbe eIDAS je vrlo dalekoseţan za pravno reguliranje elemenata za dugotrajno oĉuvanje elektroniĉki potpisanih zapisa. Navedena uredba je propisala i koncept kvalificiranog pruţatelj usluga povjerenja (za izdavanje certifikata, vremenskih ţigova i dr.). Posebno su detaljno obraĊeni formati naprednog elektroniĉkog potpisa: XAdES, CAdES i PADES. Takvi formati potpisa omogućavaju oĉuvanje u dugom roku pa su iz tog razloga posebno zanimljivi. Detaljno su obraĊeni procesi izraĊivanja i validacije naprednog elektroniĉkog potpisa. Prepoznat je pojam dokaza postojanja, tj. PoE (engl. Proof of Existence) elektroniĉkog potpisa kao kljuĉan za ovaj rad. U prouĉavanju podruĉja dugoroĉnog oĉuvanja integriteta i autentiĉnosti elektroniĉkih zapisa s elektroniĉkim potpisima obraĊene su ĉetiri strategije oĉuvanja: uklanjanje elektroniĉkih potpisa, biljeţenje traga o elektroniĉkim potpisima u metapodacima, biljeţenje valjanosti o elektroniĉkim potpisima u blokchainu te oĉuvanje elektroniĉkih potpisa. Oĉuvanje elektroniĉkih potpisa je ĉesto implicitno definirano u zakonskim propisima te je stoga bilo i izazov za ovaj istraţivaĉki rad. Detaljno je obraĊena tematika elektroniĉke javne uprave (pojam, faze, mobilna javna uprava i sektori). Da bi se bolje shvatila vaţnost arhiva u elektroniĉkoj javnoj upravi obraĊen je kontekst elektroniĉke javne uprave u Europskoj Uniji i Republici Hrvatskoj. Sudjelovao sam na InterPARES Trust istraţivaĉkom projektu na temu analize elektroniĉkih javnih usluga. Analizirani su razliĉiti aspekti javnih e-usluga, a sa stanovišta ovog rada su posebno zanimljivi rezultati s podruĉja dugoroĉnog oĉuvanja elektroniĉkih zapisa te su i izneseni u ovom radu. Osim toga, istraţena je dostupnost servisa i komponenata temeljenih na infrastrukturi javnog kljuĉa u RH koji se mogu uĉinkovito iskoristiti za izgradnju infrastrukture za potpisivanje i dugotrajnu pohranu elektroniĉki potpisanih dokumenata. Konaĉno je dana i analiza uspješnosti elektroniĉkih javnih uprava po više metodologija. Napravljena je detaljna analiza razliĉitih aspekata elektroniĉki potpisanih dokumenata (interoperabilnost, pravna ureĊenost, rokovi ĉuvanja, norme za dugotrajnu pohranu). ObraĊen je i pojam elektroniĉke isprave u smislu zamjene za papirnate sluţbene dokumente izdane od javne uprave. Analizirani su hrvatski i strani zakoni s tog podruĉja. Kao priprema za izradu modela dugotrajne pohrane elektroniĉki potpisanih dokumenata obavljena je analiza uspješnih implementacija e-arhiva iz Hrvatske, Njemaĉke, Italije, Austrije, Litve i Estonije. ObraĊeni je i jedan referentni model za dugotrajnu pohranu te su analizirani rezultati istraţivaĉkog EARK projekta. S obzirom na saznanja iz analize uspješnih praksi i referentnih modela izradio sam model informacijskog sustava za pohranu elektroniĉki potpisanih dokumenta. RazraĊeni model se temelji na OAIS referentnom modelu. Vrlo bitan dio u izradi navedenog modela je razrada pojma oĉuvanja dokaza postojanja. Predlaţe se korištenje standarda RFC 6283 (XMLERS) za zapis oĉuvanja dokaza postojanja. Osim toga, kljuĉno u izradi modela je korištenje usluga kvalificiranih pruţatelja usluga povjerenja za certifikate i za vremenske ţigove. Kvalificirani vremenski ţig poprima i znaĉenje arhivskog vremenskog ţiga. IzraĊeni model podrazumijeva produţenje potpisa prije isteka prikladnosti korištenih algoritama. Osnovna namjera produţenja potpisa jest osigurati provjerljivost cjelovitosti i autentiĉnosti već potpisanih dokumenata. Osim toga i vremenski ţigovi s vremenom mogu izgubiti svoju prikladnost pa se pravovremeno treba dohvaćati novi vremenski ţig. Predloţeno je rješenje i za dugotrajno oĉuvanje elektroniĉke isprave na naĉin da tehnološka implementacija podrţi pravni okvir. Predloţeni su i formati dokumenata za ovaj model te korištenje formata naprednog elektroniĉkog potpisa. Predloţeni su formati iz AdES obitelji potpisa: XAdES, CAdES i PAdES. Na kraju rada je dan prijedlog uspostave infrastrukture za dugotrajno oĉuvanje potpisanih elektroniĉkih dokumenata u Republici Hrvatskoj.The aim of this PhD thesis is to develop a model of the information system for the long term storage of electronically signed documents within public administration domain. For the purpose of building the model, the referent theoretical model for the long term storage of electronic information objects - OAIS is elaborated. The responsibilities, components and the functional entities of the mentioned model are described. Theoretical findings in connection with public key infrastructure (PKI) are covered because of the technologies and concepts that support the confidence in electronic records: digital certificate, electronic signature, advanced electronic signature, certificate authority (CA), registration authority (RA), electronic timestamp etc. The EU Directive 1999/93/EC on a Community framework for electronic signatures was derrogated in the EU area by eIDAS regulation (EU Regulation no. 910/2014). The influence of the eIDAS regulation is far-reaching for the legal regulation of the elements for the longterm preservation of electronically signed records. The regulation laid out the concept of the qualified trust server provider (for the certificate issuance, timestamps, etc.). Certain formats of advanced electronic signature are thoroughly covered. Such signature formats enable longterm preservation what makes these formats particularly interesting. The processes of development and validation of advanced electronic signature are described in detail. The term Proof of Existence (PoE) of electronic signature is recognized as key for this thesis. Studying the area of the long-term integrity and authenticity preservation of electronic records with electronic signatures four strategies of preservation are covered: the removal of electronic signatures, keeping track of electronic signatures within the metadata, recording electronic signature validity within the blokchain and the preservation of electronic signatures. The preservation of electronic signatures was a challenge for this thesis because it is often implicitly defined within legal regulations. The concept of electronic public administration is thoroughly covered (the term, phases, mobile public administration, sectors). To have a better understanding of the importance of archives in the electronic public administration the context of electronic public administration in the European Union and in the Republic of Croatia is described. The author took part at InterPARES Trust research project that was based on the analysis of electronic public services. Different aspects of public e-services are analyzed, form the point of this work the results from the area of electronic records long-term preservation are especially interesting and as such are elaborated in this thesis. Furthermore, the availability of services and components based on the public key infrastructure in the Republic of Croatia that can be efficiently used for signing and long term-storage of electronically signed document infrastructure development is investigated. Finally the analysis of efficacy of electronic public administrations according to numerous methodologies is presented. A detailed analysis of different aspects of electronically signed documents (interoperability, legal regulation, preservation time period, long-term storage standards) is made. The term electronic document as a substitute for official paper documents issued by public administration is elaborated. Croatian and foreign legal regulations are analyzed. As a preparation for the long-term storage of electronically signed documents model an analysis of successful e-archive implementations from Croatia, Germany, Italy, Austria, Lithuania and Estonia is made. One referent model for the long-term storage is elaborated and the results of the E-ARK research project are analyzed. Based on the findings from the analysis of successful practices and referent models the author built a model of the information system for storage of electronically signed documents. The developed model is based on OAIS reference model. An important part of the above mentioned model development is the elaboration of preservation of the proof of existence term. The use of RFC 6283 (XMLERS) standard for the Evidence Record Syntax is recommended. On top of that the use of qualified trust service providers for certificates and for timestamps is key for this model development. Qualified timestamp also takes the meaning of an archive timestamp. The developed model implies signature renewal before an expiration of the validity of the algorithms used. The main purpose of the signature renewal is to insure the verification of completeness of already signed documents. Additionally, timestamps can lose their validity as time passes so new timestamps must be acquired in time. The solution for the electronic document long-term preservation is suggested so that technological implementation supports legal regulation. Document formats for this model are suggested as well as the usage of the advanced electronic signature format. The formats from the AdES family of signatures are proposed: XAdES, CAdES, PAdES. At the end of this thesis the suggestion to set up an infrastructure for the long-term storage of electronically signed documents in the Republic of Croatia is given

Challenges in Cybersecurity and Privacy - the European Research Landscape

Cybersecurity and Privacy issues are becoming an important barrier for a trusted and dependable global digital society development. Cyber-criminals are continuously shifting their cyber-attacks specially against cyber-physical systems and IoT, since they present additional vulnerabilities due to their constrained capabilities, their unattended nature and the usage of potential untrustworthiness components. Likewise, identity-theft, fraud, personal data leakages, and other related cyber-crimes are continuously evolving, causing important damages and privacy problems for European citizens in both virtual and physical scenarios. In this context, new holistic approaches, methodologies, techniques and tools are needed to cope with those issues, and mitigate cyberattacks, by employing novel cyber-situational awareness frameworks, risk analysis and modeling, threat intelligent systems, cyber-threat information sharing methods, advanced big-data analysis techniques as well as exploiting the benefits from latest technologies such as SDN/NFV and Cloud systems. In addition, novel privacy-preserving techniques, and crypto-privacy mechanisms, identity and eID management systems, trust services, and recommendations are needed to protect citizens’ privacy while keeping usability levels. The European Commission is addressing the challenge through different means, including the Horizon 2020 Research and Innovation program, thereby financing innovative projects that can cope with the increasing cyberthreat landscape. This book introduces several cybersecurity and privacy research challenges and how they are being addressed in the scope of 15 European research projects. Each chapter is dedicated to a different funded European Research project, which aims to cope with digital security and privacy aspects, risks, threats and cybersecurity issues from a different perspective. Each chapter includes the project’s overviews and objectives, the particular challenges they are covering, research achievements on security and privacy, as well as the techniques, outcomes, and evaluations accomplished in the scope of the EU project. The book is the result of a collaborative effort among relative ongoing European Research projects in the field of privacy and security as well as related cybersecurity fields, and it is intended to explain how these projects meet the main cybersecurity and privacy challenges faced in Europe. Namely, the EU projects analyzed in the book are: ANASTACIA, SAINT, YAKSHA, FORTIKA, CYBECO, SISSDEN, CIPSEC, CS-AWARE. RED-Alert, Truessec.eu. ARIES, LIGHTest, CREDENTIAL, FutureTrust, LEPS. Challenges in Cybersecurity and Privacy - the European Research Landscape is ideal for personnel in computer/communication industries as well as academic staff and master/research students in computer science and communications networks interested in learning about cyber-security and privacy aspects

Challenges in Cybersecurity and Privacy - the European Research Landscape

Cybersecurity and Privacy issues are becoming an important barrier for a trusted and dependable global digital society development. Cyber-criminals are continuously shifting their cyber-attacks specially against cyber-physical systems and IoT, since they present additional vulnerabilities due to their constrained capabilities, their unattended nature and the usage of potential untrustworthiness components. Likewise, identity-theft, fraud, personal data leakages, and other related cyber-crimes are continuously evolving, causing important damages and privacy problems for European citizens in both virtual and physical scenarios. In this context, new holistic approaches, methodologies, techniques and tools are needed to cope with those issues, and mitigate cyberattacks, by employing novel cyber-situational awareness frameworks, risk analysis and modeling, threat intelligent systems, cyber-threat information sharing methods, advanced big-data analysis techniques as well as exploiting the benefits from latest technologies such as SDN/NFV and Cloud systems. In addition, novel privacy-preserving techniques, and crypto-privacy mechanisms, identity and eID management systems, trust services, and recommendations are needed to protect citizens’ privacy while keeping usability levels. The European Commission is addressing the challenge through different means, including the Horizon 2020 Research and Innovation program, thereby financing innovative projects that can cope with the increasing cyberthreat landscape. This book introduces several cybersecurity and privacy research challenges and how they are being addressed in the scope of 15 European research projects. Each chapter is dedicated to a different funded European Research project, which aims to cope with digital security and privacy aspects, risks, threats and cybersecurity issues from a different perspective. Each chapter includes the project’s overviews and objectives, the particular challenges they are covering, research achievements on security and privacy, as well as the techniques, outcomes, and evaluations accomplished in the scope of the EU project. The book is the result of a collaborative effort among relative ongoing European Research projects in the field of privacy and security as well as related cybersecurity fields, and it is intended to explain how these projects meet the main cybersecurity and privacy challenges faced in Europe. Namely, the EU projects analyzed in the book are: ANASTACIA, SAINT, YAKSHA, FORTIKA, CYBECO, SISSDEN, CIPSEC, CS-AWARE. RED-Alert, Truessec.eu. ARIES, LIGHTest, CREDENTIAL, FutureTrust, LEPS. Challenges in Cybersecurity and Privacy - the European Research Landscape is ideal for personnel in computer/communication industries as well as academic staff and master/research students in computer science and communications networks interested in learning about cyber-security and privacy aspects