An Authentication mechanism for stateless communication

Most of the applications we use on a daily basis are distributed systems that are composed of at least one client and server and are exposed to the Internet. This communication is based on an HTTP protocol, which is a stateless protocol. Because of its communication characteristics, developers are forced to implement a series of mechanisms to pursue user privacy, security as well as business features. Modern social media applications such as Facebook have been using secure tokens as an authentication mechanism. These applications are relying on only one part of the approach, such as token mechanism generation. If the third party system does not consider another aspect of security, the authentication mechanism will fail unless we consider all the aspects in the user authentication process, as shown when Facebook shared private user tokens with unauthorized users. More than 50 million accounts were affected, and another 40 million could be affected as well. This work introduces a secure mechanism to identify the user in an enterprise/web application across all user interactions once the user has logged in. The system to be proposed creates a relationship between the user and the session management for each system. This project aims to show a different perspective based on a user-centered approach, where the approach is based on the user and its user access and not only on an ID/Token mechanism. The research proposes that the session manager mechanism can be more secure as well as the token-based mechanism. The approach integrates Blockchain technology for representing the relationship between the user and a system

Dwarna : a blockchain solution for dynamic consent in biobanking

Dynamic consent aims to empower research partners and facilitate active participation in the research process. Used within the context of biobanking, it gives individuals access to information and control to determine how and where their biospecimens and data should be used. We present Dwarna—a web portal for ‘dynamic consent’ that acts as a hub connecting the different stakeholders of the Malta Biobank: biobank managers, researchers, research partners, and the general public. The portal stores research partners’ consent in a blockchain to create an immutable audit trail of research partners’ consent changes. Dwarna’s structure also presents a solution to the European Union’s General Data Protection Regulation’s right to erasure—a right that is seemingly incompatible with the blockchain model. Dwarna’s transparent structure increases trustworthiness in the biobanking process by giving research partners more control over which research studies they participate in, by facilitating the withdrawal of consent and by making it possible to request that the biospecimen and associated data are destroyed.peer-reviewe

Access Control Mechanism for IoT Environments Based on Modelling Communication Procedures as Resources

Internet growth has generated new types of services where the use of sensors and actuators is especially remarkable. These services compose what is known as the Internet of Things (IoT). One of the biggest current challenges is obtaining a safe and easy access control scheme for the data managed in these services. We propose integrating IoT devices in an access control system designed for Web-based services by modelling certain IoT communication elements as resources. This would allow us to obtain a unified access control scheme between heterogeneous devices (IoT devices, Internet-based services, etc.). To achieve this, we have analysed the most relevant communication protocols for these kinds of environments and then we have proposed a methodology which allows the modelling of communication actions as resources. Then, we can protect these resources using access control mechanisms. The validation of our proposal has been carried out by selecting a communication protocol based on message exchange, specifically Message Queuing Telemetry Transport (MQTT). As an access control scheme, we have selected User-Managed Access (UMA), an existing Open Authorization (OAuth) 2.0 profile originally developed for the protection of Internet services. We have performed tests focused on validating the proposed solution in terms of the correctness of the access control system. Finally, we have evaluated the energy consumption overhead when using our proposal.Ministerio de Economía y CompetitividadUniversidad de Alcal

Blockin: Multi-Chain Sign-In Standard with Micro-Authorizations

The tech industry is currently making the transition from Web 2.0 to Web 3.0, and with this transition, authentication and authorization have been reimag- ined. Users can now sign in to websites with their unique public/private key pair rather than generating a username and password for every site. How- ever, many useful features, like role-based access control, dynamic resource owner privileges, and expiration tokens, currently don’t have efficient Web 3.0 solutions. Our solution aims to provide a flexible foundation for resource providers to implement the aforementioned features on any blockchain through a two-step process. The first step, authorization, creates an on-chain asset which is to be presented as an access token when interacting with a resource. The second step, authentication, verifies ownership of an asset through querying the blockchain and cryptographic digital signatures. Our solution also aims to be a multi-chain standard, whereas current Web 3.0 sign-in standards are limited to a single blockchain

A JSON Token-Based Authentication and Access Management Schema for Cloud SaaS Applications

Cloud computing is significantly reshaping the computing industry built around core concepts such as virtualization, processing power, connectivity and elasticity to store and share IT resources via a broad network. It has emerged as the key technology that unleashes the potency of Big Data, Internet of Things, Mobile and Web Applications, and other related technologies, but it also comes with its challenges - such as governance, security, and privacy. This paper is focused on the security and privacy challenges of cloud computing with specific reference to user authentication and access management for cloud SaaS applications. The suggested model uses a framework that harnesses the stateless and secure nature of JWT for client authentication and session management. Furthermore, authorized access to protected cloud SaaS resources have been efficiently managed. Accordingly, a Policy Match Gate (PMG) component and a Policy Activity Monitor (PAM) component have been introduced. In addition, other subcomponents such as a Policy Validation Unit (PVU) and a Policy Proxy DB (PPDB) have also been established for optimized service delivery. A theoretical analysis of the proposed model portrays a system that is secure, lightweight and highly scalable for improved cloud resource security and management.Comment: 6 Page

OIDC2OIDC^2: Open Identity Certification with OpenID Connect

OpenID Connect (OIDC) is a widely used authentication standard for the Web. In this work, we define a new Identity Certification Token (ICT) for OIDC. An ICT can be thought of as a JSON-based, short-lived user certificate for end-to-end user authentication without the need for cumbersome key management. A user can request an ICT from his OpenID Provider (OP) and use it to prove his identity to other users or services that trust the OP. We call this approach $OIDC^2$ and compare it to other well-known end-to-end authentication methods. Unlike certificates, $OIDC^2$ does not require installation and can be easily used on multiple devices, making it more user-friendly. We outline protocols for implementing $OIDC^2$ based on existing standards. We discuss the trust relationship between entities involved in $OIDC^2$, propose a classification of OPs' trust level, and propose authentication with multiple ICTs from different OPs. We explain how different applications such as videoconferencing, instant messaging, and email can benefit from ICTs for end-to-end authentication and recommend validity periods for ICTs. To test $OIDC^2$, we provide a simple extension to existing OIDC server software and evaluate its performance