
    A JSON Token-Based Authentication and Access Management Schema for Cloud SaaS Applications

    Cloud computing is significantly reshaping the computing industry, built around core concepts such as virtualization, processing power, connectivity and elasticity to store and share IT resources over a broad network. It has emerged as the key technology that unleashes the potential of Big Data, the Internet of Things, mobile and web applications and other related technologies, but it also comes with its own challenges, such as governance, security and privacy. This paper focuses on the security and privacy challenges of cloud computing with specific reference to user authentication and access management for cloud SaaS applications. The suggested model uses a framework that harnesses the stateless and secure nature of JWT for client authentication and session management. Furthermore, authorized access to protected cloud SaaS resources is managed efficiently. Accordingly, a Policy Match Gate (PMG) component and a Policy Activity Monitor (PAM) component are introduced. In addition, subcomponents such as a Policy Validation Unit (PVU) and a Policy Proxy DB (PPDB) are established for optimized service delivery. A theoretical analysis of the proposed model portrays a system that is secure, lightweight and highly scalable for improved cloud resource security and management.
    Comment: 6 pages

    Choosing security elements for the xAAL home automation system

    The emergence of the Internet of Things (IoT) and smart-home systems allows us to combine devices from different domains and to explore new usages and services. Unfortunately, interoperability between devices from different technologies is a major issue to overcome before smart services can be offered. For this purpose we have proposed the xAAL system. It is both a federating home-automation protocol and an open infrastructure designed to address the issues caused by the heterogeneity of existing home-automation solutions. xAAL has been implemented and deployed and has proved its efficiency. However, early versions were designed with functional concerns in mind. The time has come to address security. xAAL has its own specificities: a distributed system, multicast communications on a bus, etc. This paper details the choices, compromises and motivations for selecting the security elements introduced in the new version of xAAL.

    State-of-the art teaching material of the OWASP Top 10

    Nowadays, web security has become indispensable when working with the Internet, whether to protect business databases, establish communications, etc. With the aim of creating teaching material, I have created some laboratory sessions and documented several issues related to the "OWASP (Open Web Application Security Project) Top 10 vulnerabilities". As a method, a systematic review of information in a large number of reliable Internet resources has been carried out, and several laboratory exercises have been created. As a result, a large amount of teaching material, including some exercises, has been created about different themes, mainly: JWT (JSON Web Tokens), JKUs (JWK Set URL) and JWKs (JSON Web Keys); cookies; XSS attacks (Cross-Site Scripting). In conclusion, this project collects information about different topics related to web security and the exploitation of some vulnerabilities. With all this material, students can get a solid base on these topics and see how some of these attacks are carried out.

    Granular confidentiality and integrity of JSON messages

    Modern web and mobile applications exchange information with each other and with other services through specific APIs that extend the applications' functionality and enable interoperable information exchange. Currently these mechanisms are implemented as RESTful APIs, and data interchange is performed using the JSON format over HTTP or HTTPS. Most of the time, because of specific security requirements, the SSL/TLS protocol is used to create a secure, authenticated channel between the two communicating service endpoints, in which all the content is encrypted. This is an important security feature if the sender and the receiver are the only communicating parties; however, this may not be the case. In this paper, a granular mechanism for selectively offering confidentiality and integrity to JSON messages through the use of public-key cryptography is presented. The proposed mechanism takes existing mechanisms, such as XML security, into consideration to best fit developers' familiarity. We present the proposed syntax for the secure JSON format (SecJSON) and a prototype implementation of that specification, written in JavaScript and Node.js, that gives developers the possibility to add this security mechanism to their own services and applications.

    Authentication and Authorization with Json Web Token

    This work explores JSON Web Token technology and its use. The concepts of authentication and authorization, which are the basis for using JWT, are also defined. The cryptographic methods used for digitally signing the JWT and encrypting its key are then described in detail. The advantages and disadvantages of using JWT technology are elaborated, supported in detail by examples and by ways of working around them. The last part of the thesis focuses on building a simple application that demonstrates the use of JWT for authentication and authorization. The application was built in the Node.js environment, using many libraries and packages that make implementing JWT easier, such as bcrypt, nodemon, joi and others.

    Authentication and key agreement on the application layer in the Web of Things environment

    Bringing the hypertext-like content of Web of Things (WoT) environments to the devices around us in a cost-effective way requires resource-efficient solutions. To ease resource problems, the Constrained Application Protocol (CoAP), a transfer protocol optimised for resource-constrained devices, has been developed. CoAP is based on the RESTful architecture, which was developed from the architecture of the Hypertext Transfer Protocol (HTTP). The common architectural basis makes data transfer between the two protocols possible through a gateway. Data transfer between HTTP and CoAP is necessary for WoT environments to become widespread, because most server activity on the network is based on HTTP. However, there is no implementation of an application-layer gateway that allows a CoAP client to contact an HTTP server securely. This thesis presents the above protocols and describes their means of ensuring security and their suitability for operating through a gateway. The aim of the work is to implement secure authentication and data transfer from the client to the server and back through the gateway. The boundary conditions are the simplicity required by resource-constrained devices and staying at the application layer of the layered models. The thesis investigates the suitability of JavaScript Object Notation (JSON) and of the JSON Web Token (JWT) representation, developed to secure it, for the needs identified above. Authentication is implemented using the Generic Authentication Architecture (GAA) of the 3rd Generation Partnership Project (3GPP), in which keys are obtained from the SIM operator with the AKA-Digest authentication method, which is based on HTTP Digest authentication. To check the feasibility of the design and to observe future problems, a demonstration was implemented with the selected techniques; its components were a CoAP client, a gateway and an HTTP server. The implementations were written in Java, using existing software libraries where possible.
    The problems observed during implementation came from Digest authentication software, scattered documentation and the incompleteness of new software libraries. Software implementing Digest authentication behaved in non-standard ways. The 3GPP documents were targeted at organisations and thus hard to follow for an individual reader. The demonstration implementation was found to work in WoT environments. During implementation and testing, various ideas arose on the basis of which the implementation can be developed further for real environments.

    Implementation of the BLAKE2s Algorithm in JSON Web Token as the Hashing Algorithm for a REST API Service Authentication Mechanism (Implementasi Algoritme BLAKE2S Pada JSON Web Token Sebagai Algoritme Hashing Untuk Mekanisme Autentikasi Layanan REST API)

    REST is a web-based client-server communication architecture for exchanging data over the HTTP protocol. In the REST architecture, the REST server provides data in the form of URLs to be accessed by the client, exchanged in JSON form. The REST architecture has a shortcoming in that it has no authentication mechanism of its own, so anyone can access, modify or delete the data held on the server. An authentication system is therefore needed to address the authentication problem of the REST architecture. A JWT is a string-form token used for authentication and for guaranteeing the integrity of a message sent by one of the parties. Using JWT with the REST architecture provides authentication and access-rights security. JWT implementations use various hashing algorithms, one of which is HS256. HS256 is the SHA-256 algorithm used as a message authentication code (MAC), called HMAC-SHA256. In 2011 a preimage attack and a pseudo-collision were found, which a few years later led to SHA-256 being declared unsafe to use. BLAKE2s is an algorithm created in 2012 and is a development of the BLAKE algorithm. BLAKE2s is a hashing algorithm that can be used as a message authentication code (MAC). The advantage of BLAKE2s is a better level of security, because it is built on HAIFA iteration and the ChaCha stream cipher. This research implements the BLAKE2s algorithm in JSON Web Token for the authentication mechanism of a REST API service as an alternative to the HMAC-SHA256 hash algorithm. The tests carried out were test-vector testing and authentication-time testing. Test-vector testing was done to check that the implemented algorithm conforms to the algorithm specification in the RFC document, and matching results were obtained.
    Authentication-time testing found BLAKE2s to be 0.981% faster than HMAC-SHA256.

    Digital Governance and Privacy: The eDiplomas case study

    The subject of data ownership and of sharing data between entities in a privacy-respecting and secure manner has attracted great interest over the last decade. This thesis examines the exchange of an individual's data with government entities and corporations through the lens of eDiplomas, a platform implemented by the Greek universities and GUnet to facilitate the sharing and validation of digital diplomas using OAuth2 authorization and other modern technologies. The thesis also explores state-of-the-art data exchange and verification solutions that are not yet production-ready but look promising for the near future.

    Sécurité des API Web (Web API Security)


    Content-Based Unsupervised Fake News Detection on Ukraine-Russia War

    The Ukrainian-Russian war has garnered significant attention worldwide, with fake news obstructing the formation of public opinion and disseminating false information. This paper explores the use of unsupervised learning methods and Bidirectional Encoder Representations from Transformers (BERT) to detect fake news in news articles from various sources. BERT topic modeling is applied to cluster news articles by topic, followed by summarization to measure similarity scores. The hypothesis is that topics with larger variance are more likely to contain fake news. The proposed method was evaluated using a dataset of approximately 1000 labeled news articles related to the Syrian war. The study found that, while unsupervised content clustering with topic similarity was insufficient to detect fake news, it demonstrated the prevalence of fake-news content and its potential for clustering by topic.