275 research outputs found

    Enhanced Quality of Experience Based on Enriched Network Centric and Access Control Mechanisms

    In the digital world, service provisioning at a quality that satisfies users has become the goal of every content and network provider. Besides having satisfied and therefore loyal users, the creation of sustainable revenue streams is the most important issue for network operators [1], [2], [3]. The motivation of this work is to enhance users' quality of experience when they connect to the Internet and request application services, and to maintain full service while these users are on the move in WLAN-based access networks. In this context, the aspect of additional revenue creation for network operators is considered as well. The enhancements presented in this work are based on enriched network-centric and access control mechanisms and are achieved in three different areas of network capability: network performance, network access and the network features themselves. In the area of network performance, a novel authentication and authorisation method is introduced which overcomes the drawback of the long authentication time in the handover procedure required by the generic IEEE 802.1X process with the EAP-TLS method. The novel sequential authentication solution reduces the communication interruption time in a WLAN handover, currently several hundred milliseconds, to a few milliseconds by combining WPA2-PSK and WPA2 EAP-TLS. In the area of usability, a new user-friendly hotspot registration and login mechanism is presented which significantly simplifies how users obtain WLAN hotspot login credentials and log on to a hotspot. This novel barcode-initiated hotspot auto-login solution obtains user credentials through a simple SMS and performs an auto-login that avoids the need to enter user name and password on the login page manually. In the area of network features, a new system is proposed which overcomes the drawback that users are not aware of the quality in which a service can be provided before starting the service. This novel graceful denial of service solution informs the user about the expected application service quality before the application service is started.

    Cooperating broadcast and cellular conditional access system for digital television

    This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. The lack of interoperability between Pay-TV service providers and a horizontally integrated business transaction model have compromised competition in the Pay-TV market. In addition, the lack of interactivity with customers has resulted in a high churn rate, and improper security measures have contributed to considerable business loss. These issues are the main cause of high operational costs and subscription fees in Pay-TV systems. This thesis presents a novel end-to-end system architecture for Pay-TV systems in which mobile and broadcasting technologies cooperate. It provides a cost-effective, scalable, dynamic and secure access control mechanism supporting converged services and new business opportunities in Pay-TV systems. It enhances interactivity and security and potentially reduces customer attrition and operational cost. In this platform, service providers can effectively interact with their customers, personalise their services and adopt appropriate security measures. It breaks up the rigid relationship between a viewer and a set-top box imposed by traditional conditional access systems, so that a viewer can fully enjoy his entitlements via an arbitrary set-top box. Having thoroughly considered the state-of-the-art technologies currently used across the world, the thesis highlights novel use cases and presents the full design and implementation aspects of the system. The design section is enriched by setting out the possible security structures the system supports. A business collaboration structure is proposed, followed by a reference model for implementing the system. Finally, the security architectures are analysed to propose the best architecture on the basis of security, complexity and set-top box production cost criteria.

    Decentralized Identity and Access Management Framework for Internet of Things Devices

    The emerging Internet of Things (IoT) domain is about connecting people, devices and systems together via sensors and actuators, to collect meaningful information from the devices' surrounding environment and take actions that enhance productivity and efficiency. The proliferation of IoT devices, from a few billion today to over 25 billion in the next few years, spanning heterogeneous networks, defines a new paradigm shift for many industrial and smart connectivity applications. Existing IoT networks face a number of operational challenges linked to device management and to the capability of devices to mutually authenticate and authorize each other. While significant progress has been made in adopting existing connectivity and management frameworks, most of these frameworks are designed to work for unconstrained devices connected in centralized networks. IoT devices, on the other hand, are constrained devices that tend to operate in decentralized, peer-to-peer arrangements. This tendency towards peer-to-peer service exchange means that many of the existing frameworks fail to address the main challenge of giving ownership of the devices and the data they generate to the actual users. Moreover, the diverse list of devices and offered services means that more granular access control mechanisms are required to limit the exposure of the devices to external threats and to provide finer access control policies under the control of the device owner, without the need for a middleman. This work addresses these challenges by utilizing the concepts of decentralization introduced by Distributed Ledger Technologies (DLT) and the capability to automate business flows through smart contracts. The proposed work utilizes decentralized identifiers (DIDs) to establish a decentralized device identity management framework and exploits blockchain tokenization, through both fungible and non-fungible tokens (NFTs), to build a self-controlled and self-contained access control policy based on the capability-based access control model (CapBAC). The framework provides a layered approach that builds on identity management as the foundation, enabling the authentication and authorization processes, and establishes a mechanism for accounting through the adoption of a standardized DLT tokenization structure. The proposed framework is demonstrated by implementing a number of use cases that address identity management issues in industries that suffer losses in the billions of dollars due to counterfeiting and the lack of global, immutable identity records. The extension of the framework to support applications that build verifiable data paths in the application layer is addressed through two simple examples. The system has been analyzed for the case of issuing authorization tokens, where it is expected that DLT consensus mechanisms will introduce major performance hurdles. A proof of concept emulating concurrent connections to a single device showed no timed-out requests at 200 concurrent connections and a rise in the timed-out request ratio to 5% at 600 connections. The analysis also showed a considerable overhead of 10.4% in the data link budget due to the use of the self-contained policy token, which is the trade-off between building self-contained access tokens with no middleman and link cost.
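    The abstract's central mechanism is a self-contained capability token (CapBAC) that a constrained device can check on its own, with no middleman at verification time, at the cost of extra bytes on the link. The following example is added here to illustrate that mechanism; it is not code from the thesis. It replaces the thesis's DLT tokens and DIDs with an HMAC over a JSON payload, so the owner and the device share a key (an assumption made for a stand-alone example); the DIDs, the token layout and the `token_overhead` figure are hypothetical and only show how such a token is verified and why it costs link budget.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed key, for illustration only. In the thesis the policy token is a DLT token and
# identities are DIDs; here the device and its owner share an HMAC key instead (assumption),
# which keeps the "no middleman at verification time" property without a ledger.
OWNER_KEY = b"constructed-owner-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(owner_key, device_did, holder_did, capabilities, ttl_s, now=None):
    """Owner issues a self-contained capability token for one device (hypothetical format)."""
    now = time.time() if now is None else now
    payload = {
        "iss": "did:example:owner",   # hypothetical DID of the device owner
        "sub": holder_did,            # who may use the token
        "aud": device_did,            # the one device that should accept it
        "cap": sorted(capabilities),  # actions granted, e.g. "read:temperature"
        "iat": int(now),
        "exp": int(now + ttl_s),
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(owner_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(owner_key, token, device_did, action, now=None):
    """Device-side check: signature, audience, expiry and capability, with no network call.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(owner_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    payload = json.loads(body)
    if payload.get("aud") != device_did:
        return False, "wrong device"
    if now >= payload["exp"]:
        return False, "expired"
    if action not in payload["cap"]:
        return False, "capability not granted"
    return True, "ok"


def forge_extra_capability(token, extra_action):
    """What a token holder might try: add a capability and keep the original tag."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["cap"] = sorted(set(payload["cap"]) | {extra_action})
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + tag_b64


def token_overhead(token, payload_bytes):
    """Share of on-wire bytes spent carrying the token alongside a payload of the given size."""
    token_bytes = len(token.encode())
    return token_bytes / (token_bytes + payload_bytes)


if __name__ == "__main__":
    t = issue_token(OWNER_KEY, "did:example:sensor-42", "did:example:alice",
                    ["read:temperature"], ttl_s=60)
    print(verify_token(OWNER_KEY, t, "did:example:sensor-42", "read:temperature"))
    print(verify_token(OWNER_KEY, forge_extra_capability(t, "write:config"),
                       "did:example:sensor-42", "write:config"))
    print(f"token overhead with a 200-byte payload: {token_overhead(t, 200):.1%}")
```

    The checks run in the order a device should apply them: integrity first, so that no field of an unauthenticated token is ever interpreted, then audience, expiry and the requested action. Because every request carries the whole policy, the overhead ratio grows as payloads shrink, which is the link-budget trade-off the abstract quantifies.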

    Authentication and Identity Management for the EPOS Project

    The increase in the number of online services emphasizes the value of the authentication and identity management that we depend on, even without realizing it. In EPOS this authentication and identity management is also crucial, since EPOS handles and is responsible for large amounts of heterogeneous data in multiple formats from various providers, which can be public or private. Controlling and identifying access to this data is the key. For this purpose, it is necessary to create a system capable of authenticating, authorizing and accounting for the usage of these services. While services in a development phase can have authentication and authorization modules implemented directly in them, this is not an option for legacy services that cannot be modified. This thesis addresses the issue of providing a secure and interoperable authentication and authorization framework, together with correct identity management and an accounting module, stating the difficulties faced and how they can be addressed. These issues are approached by implementing the proposed methods in one of the GNSS Data and Products TCS services, which serves as a case study. While authentication mechanisms have improved constantly over the years, with the addition of multiple authentication factors, there is still no clear and defined way of how authentication should be done. New security threats are always showing up, and authentication systems need to adapt and improve while maintaining a balance between security and usability. Our goal is, therefore, to propose a system that provides a good user experience allied to security, which can be used in the TCS services or in other web services facing similar problems.

    Next-generation multicast multimedia services

    MSc in Electronics and Telecommunications Engineering. 3G is one of the most recent advances in mobile telephony. It allows access to multimedia services with guaranteed quality of service. UMTS, as defined in 3GPP Release '99, only transmits in unicast mode and is clearly inefficient for multimedia communications aimed at groups of users. IMS, introduced in 3GPP Release 5, began to address some of these needs: it provides communications over IP, offering Internet services anytime and anywhere over mobile communication technologies and, for the first time, satisfactory multimedia sessions. Release 6 in turn brought MBMS, which provides broadcast and multicast transmission for mobile networks. MBMS delivers the multimedia application services that users and service providers had been waiting for, and lets the operator make use of existing technology to improve the service offered to the customer. The possible integration of these two technologies makes it possible to develop services on converged networks in which content is delivered using unicast, multicast or broadcast technologies. In this context, the main aim of this work is to make use of network resources, eliminating waste and improving service efficiency through the integration of IMS and MBMS. The work begins with a state-of-the-art survey of mobile telecommunications with reference to these technologies, followed by a presentation of the possible IMS-MBMS integration, and ends with the design of a demonstration platform that could in future become an implementation of a multicast multimedia service. The main goal is to show the benefits, relative to unicast, of running in multicast mode a service that would normally be executed in unicast, making use of the new convergence of IMS and MBMS. The conclusion sets out the advantages of using multicast and broadcast bearers, with the expectation that this work can be a starting point for a new set of services that save network resources and allow considerable efficiency in innovative services.

    System-on-chip architecture for secure sub-microsecond synchronization systems

    213 p. This thesis addresses the problems involved in the cyber-protection of the Precision Time Protocol (PTP). PTP is one of the most sensitive communication protocols among those considered by standardisation bodies for use in future Smart Grids. Its task is to distribute a time reference from a master device to the remaining slave devices on the same network with very high precision. The protocol is highly vulnerable: introducing a time error of just one microsecond can cause serious problems in the protection functions of electrical equipment, or even halt its operation. To address this, a new System-on-Chip architecture based on reconfigurable devices is proposed, with the aim of integrating the PTP protocol with the well-known MACsec security standard for Ethernet networks. The flexibility provided by modern reconfigurable devices has been exploited to design an architecture in which hardware and software processing coexist. The experimental results support the feasibility of using MACsec to protect synchronisation in industrial environments without degrading the protocol's precision.
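    To make the abstract's threat concrete, the example below (added here; it is not the thesis's design or code) computes the slave's offset with the standard PTP delay request-response formulas, shows how an on-path attacker who rewrites the Sync origin timestamp by 2 µs shifts the computed offset by 1 µs, and shows a frame-level integrity check rejecting the altered frame. The integrity tag is a truncated HMAC-SHA256 standing in for the MACsec ICV (an assumption: real MACsec uses AES-GCM with a 16-byte ICV, encryption and a packet number for replay protection); the timestamps, the key and the minimal `sequenceId`/`originTimestamp` frame layout are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed key shared by the PTP master and slave. It stands in for the MACsec secure
# association key (assumption): real MACsec uses AES-GCM, which also encrypts and carries a
# packet number for replay protection; here only an integrity tag is modelled.
SAK_PLACEHOLDER = b"constructed-macsec-sak-placeholder"
ICV_LEN = 16  # MACsec ICV is 16 bytes; HMAC-SHA256 is truncated to match


def ptp_offset_and_delay(t1, t2, t3, t4):
    """Standard PTP delay request-response mechanism, all times in nanoseconds.
    t1: master sends Sync, t2: slave receives it, t3: slave sends Delay_Req,
    t4: master receives it. Returns (offset_from_master, mean_path_delay)."""
    mean_path_delay = ((t2 - t1) + (t4 - t3)) / 2
    offset_from_master = ((t2 - t1) - (t4 - t3)) / 2
    return offset_from_master, mean_path_delay


def build_sync_frame(origin_ts_ns, sequence_id):
    """Minimal stand-in for the fields a slave relies on: sequenceId and originTimestamp."""
    return struct.pack("!HQ", sequence_id, origin_ts_ns)


def protect(frame, key=SAK_PLACEHOLDER):
    """Append an integrity check value, as MACsec does for every Ethernet frame."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:ICV_LEN]


def unprotect(protected, key=SAK_PLACEHOLDER):
    """Return the frame if its ICV verifies, otherwise None (the frame must be dropped)."""
    frame, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    return frame


def tamper_origin_ts(protected, delta_ns):
    """On-path attacker rewrites originTimestamp and leaves the ICV untouched."""
    sequence_id, ts = struct.unpack("!HQ", protected[:-ICV_LEN])
    return struct.pack("!HQ", sequence_id, ts + delta_ns) + protected[-ICV_LEN:]


def slave_offset(protected_sync, t2, t3, t4, check_icv=True):
    """Slave computes its offset from the received Sync; returns None if the ICV fails."""
    frame = unprotect(protected_sync) if check_icv else protected_sync[:-ICV_LEN]
    if frame is None:
        return None
    t1 = struct.unpack("!HQ", frame)[1]
    return ptp_offset_and_delay(t1, t2, t3, t4)[0]


if __name__ == "__main__":
    # Constructed exchange: slave clock runs 300 ns ahead, symmetric path delay 50 us.
    T2, T3, T4 = 1_050_300, 1_100_300, 1_150_000
    sync = protect(build_sync_frame(1_000_000, sequence_id=7))
    print("honest offset (ns):", slave_offset(sync, T2, T3, T4))
    forged = tamper_origin_ts(sync, 2_000)
    print("unchecked forged offset (ns):", slave_offset(forged, T2, T3, T4, check_icv=False))
    print("checked forged offset:", slave_offset(forged, T2, T3, T4))
```

    A 2 µs change to a single timestamp moves the computed offset by half that amount, i.e. the 1 µs the abstract identifies as enough to disturb protection functions, and the check catches it before the slave adjusts its clock. Integrity protection does not, however, detect an attacker who merely delays frames asymmetrically without modifying them, so hardware timestamping and path-delay monitoring remain necessary alongside MACsec.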

    Key distribution technique for IPTV services with support for admission control and user defined groups

    Doctoral thesis. Electrical and Computer Engineering. Faculdade de Engenharia, Universidade do Porto. 200

    Theoretical analysis of the security weaknesses of Smart Metering standards

    This project was carried out in the Department of Telecommunications Engineering of the Czech Technical University, as part of a long-term collaborative effort within the department to study and develop software applications related to security in Smart Metering technologies. The project analyses the weaknesses, in terms of security mechanisms, of the telecommunications standards used for communication with smart meters in Smart Metering. To cover a wide range of these standards, the project includes standards based on different technologies such as radio frequency, PLC (PowerLine Communications) and infrared. For each of these technologies, an extensive description is given of the security mechanisms used for encrypting messages, protecting the keys in use, authenticating terminals and identifying to the network in order to gain access to it. The description of each standard is completed with a description of the possible attacks that may make it possible to overcome the security barriers of these technologies. Once the characteristics of each standard have been examined in detail, the next step in the analysis is to compare them in order to highlight the weaknesses and strengths of each one relative to the other technologies. Finally, the project compiles a wide range of tools, both software and hardware, developed for security researchers, which can be used to carry out several of the attacks that can affect the protocols described.

    Authentication and Authorization Modules for Open Messaging Interface (O-MI)

    With the constant rise of new technology, developments in the fields of computer science, wireless networks, storage and sensing, along with the demand for continuous connectivity, have led to the formation of the Internet of Things (IoT) concept. Today, numerous organizations are working on IoT technology aimed at developing smart products and services. Each company proposes its own methods directed at a particular field of industry, which has resulted in a multitude of protocols and runs counter to the idea of a unified system. The Open Group attempted to address this issue by proposing the Open Messaging Interface (O-MI) and Open Data Format (O-DF) protocols, claiming O-MI to be an IoT messaging standard in the way that HTTP is for the World Wide Web (WWW). The proposed protocols have been designed to ensure robust development, data standardization and the required security level. However, the security model needs to be upgraded with recent security techniques. This thesis attempts to specify appropriate authentication and authorization (access control) mechanisms that manage the various consumers and provide functionality that fits into the O-MI/O-DF standards. The thesis first discusses several challenges regarding IoT security and then the different authentication and authorization techniques available today. It then describes in detail the design decisions and implementation technicalities of the autonomous services created for the reference implementation of O-MI and O-DF.
