139 research outputs found
An Authentication mechanism for stateless communication
Most of the applications we use on a daily basis are distributed systems composed of at least one client and one server and exposed to the Internet. Their communication runs over HTTP, which is a stateless protocol. Because of this, developers are forced to implement a series of mechanisms to provide user privacy and security as well as business features.
Modern social media applications such as Facebook use secure tokens as an authentication mechanism. These applications rely on only one part of the approach, namely token generation. If the third-party system does not consider the other aspects of security, the authentication mechanism will fail; every aspect of the user authentication process must be considered, as shown when Facebook exposed private user access tokens to unauthorized parties: more than 50 million accounts were affected, and another 40 million may have been affected as well. This work introduces a secure mechanism to identify the user in an enterprise/web application across all user interactions once the user has logged in. The proposed system creates a relationship between the user and the session management of each system. The project aims to show a different perspective, a user-centered approach based on the user and the user's access rights rather than only on an ID/token mechanism. The research proposes that a session-manager mechanism can be made at least as secure as a token-based mechanism. The approach integrates blockchain technology to represent the relationship between the user and a system.
Dwarna : a blockchain solution for dynamic consent in biobanking
Dynamic consent aims to empower research partners and facilitate active participation in the research process. Used within the context of biobanking, it gives individuals access to information and control to determine how and where their biospecimens and data should be used. We present Dwarna, a web portal for 'dynamic consent' that acts as a hub connecting the different stakeholders of the Malta Biobank: biobank managers, researchers, research partners, and the general public. The portal stores research partners' consent in a blockchain to create an immutable audit trail of research partners' consent changes. Dwarna's structure also presents a solution to the European Union's General Data Protection Regulation's right to erasure, a right that is seemingly incompatible with the blockchain model. Dwarna's transparent structure increases trustworthiness in the biobanking process by giving research partners more control over which research studies they participate in, by facilitating the withdrawal of consent and by making it possible to request that the biospecimen and associated data are destroyed.
Access Control Mechanism for IoT Environments Based on Modelling Communication Procedures as Resources
Internet growth has generated new types of services in which the use of sensors and actuators is especially remarkable. These services compose what is known as the Internet of Things (IoT). One of the biggest current challenges is obtaining a secure and simple access control scheme for the data managed in these services. We propose integrating IoT devices into an access control system designed for Web-based services by modelling certain IoT communication elements as resources. This allows us to obtain a unified access control scheme across heterogeneous devices (IoT devices, Internet-based services, etc.). To achieve this, we have analysed the most relevant communication protocols for these kinds of environments and proposed a methodology that allows communication actions to be modelled as resources. These resources can then be protected using access control mechanisms. The validation of our proposal has been carried out by selecting a communication protocol based on message exchange, specifically Message Queuing Telemetry Transport (MQTT). As the access control scheme, we have selected User-Managed Access (UMA), an existing Open Authorization (OAuth) 2.0 profile originally developed for the protection of Internet services. We have performed tests focused on validating the proposed solution in terms of the correctness of the access control system. Finally, we have evaluated the energy consumption overhead when using our proposal.
Ministerio de Economía y Competitividad; Universidad de Alcalá
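The modelling step described above, as an added example that is not the paper's implementation: each MQTT action (connect, publish to a topic, subscribe to a filter) is mapped to a resource with a scope, and a broker-side check consults the permissions an UMA-style authorization server granted to the client. The resource naming scheme, the permission record layout (resource plus scope list, as an RPT would carry them) and the conservative rule for deciding whether a granted filter covers a requested subscription are assumptions of this example.

```javascript
// Added example: MQTT communication actions modelled as resources with scopes, checked against
// UMA-style granted permissions. Illustration only; resource names and permission layout are assumed.

// MQTT topic filter semantics: '+' matches exactly one level, '#' matches the remainder and is
// only valid as the last level. Per the spec, 'a/#' also matches the parent topic 'a'.
function topicMatches(filter, topic) {
  const f = filter.split('/');
  const t = topic.split('/');
  for (let i = 0; i < f.length; i++) {
    if (f[i] === '#') return i === f.length - 1;
    if (i >= t.length) return false;
    if (f[i] !== '+' && f[i] !== t[i]) return false;
  }
  return f.length === t.length;
}

// Each communication action becomes a (resource, scope) pair. Names are an assumption of this example.
function actionToResource(action) {
  switch (action.type) {
    case 'connect':   return { resource: 'mqtt:broker', scope: 'connect' };
    case 'publish':   return { resource: `mqtt:topic:${action.topic}`, scope: 'publish' };
    case 'subscribe': return { resource: `mqtt:topic:${action.filter}`, scope: 'subscribe' };
    default:          return null;
  }
}

// permissions: [{ resource, scopes }] as granted by the authorization server for this client.
// A publish to a concrete topic is checked with topicMatches against each granted topic resource.
// A subscription filter containing wildcards must be fully covered by a granted filter, not merely
// overlap it; the rule here (equality, or a granted '#' filter that sits above it) is conservative.
function isAuthorized(permissions, action) {
  const want = actionToResource(action);
  if (!want) return false;
  return permissions.some(p => {
    if (!p.scopes.includes(want.scope)) return false;
    if (!p.resource.startsWith('mqtt:topic:')) return p.resource === want.resource;
    const granted = p.resource.slice('mqtt:topic:'.length);
    const requested = want.resource.slice('mqtt:topic:'.length);
    if (action.type === 'publish' || !/[+#]/.test(requested)) return topicMatches(granted, requested);
    return granted === requested ||
      (granted.endsWith('#') && topicMatches(granted, requested.replace(/\/?#$/, '')));
  });
}

// Constructed permissions for a floor-2 sensor client, and the broker-side decisions for it.
function demo() {
  const permissions = [
    { resource: 'mqtt:broker', scopes: ['connect'] },
    { resource: 'mqtt:topic:building/floor2/+/temperature', scopes: ['publish'] },
    { resource: 'mqtt:topic:building/floor2/#', scopes: ['subscribe'] },
  ];
  const check = (a) => isAuthorized(permissions, a);
  return {
    connect: check({ type: 'connect' }),                                                           // true
    ownPublish: check({ type: 'publish', topic: 'building/floor2/room12/temperature' }),            // true
    otherFloorPublish: check({ type: 'publish', topic: 'building/floor3/room1/temperature' }),      // false
    deeperPublish: check({ type: 'publish', topic: 'building/floor2/room12/temperature/raw' }),     // false
    subFloor: check({ type: 'subscribe', filter: 'building/floor2/+/humidity' }),                  // true
    subOtherFloor: check({ type: 'subscribe', filter: 'building/floor3/#' }),                      // false
    subEverything: check({ type: 'subscribe', filter: '#' }),                                      // false
  };
}
```

Keeping publish and subscribe as separate scopes on the same topic resource is what lets a sensor publish its own readings without being able to read every other sensor on the floor.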
Blockin: Multi-Chain Sign-In Standard with Micro-Authorizations
The tech industry is currently making the transition from Web 2.0 to Web 3.0, and with this transition, authentication and authorization have been reimagined. Users can now sign in to websites with their unique public/private key pair rather than generating a username and password for every site. However, many useful features, like role-based access control, dynamic resource owner privileges, and token expiration, currently have no efficient Web 3.0 solutions. Our solution aims to provide a flexible foundation for resource providers to implement the aforementioned features on any blockchain through a two-step process. The first step, authorization, creates an on-chain asset which is to be presented as an access token when interacting with a resource. The second step, authentication, verifies ownership of an asset by querying the blockchain and checking cryptographic digital signatures. Our solution also aims to be a multi-chain standard, whereas current Web 3.0 sign-in standards are limited to a single blockchain.
A JSON Token-Based Authentication and Access Management Schema for Cloud SaaS Applications
Cloud computing is significantly reshaping the computing industry, built around core concepts such as virtualization, processing power, connectivity and elasticity to store and share IT resources via a broad network. It has emerged as the key technology that unleashes the potency of Big Data, the Internet of Things, mobile and web applications, and other related technologies, but it also comes with its challenges, such as governance, security, and privacy. This paper focuses on the security and privacy challenges of cloud computing with specific reference to user authentication and access management for cloud SaaS applications. The suggested model uses a framework that harnesses the stateless and secure nature of JWT for client authentication and session management. Furthermore, authorized access to protected cloud SaaS resources is managed efficiently. Accordingly, a Policy Match Gate (PMG) component and a Policy Activity Monitor (PAM) component have been introduced. In addition, other subcomponents such as a Policy Validation Unit (PVU) and a Policy Proxy DB (PPDB) have also been established for optimized service delivery. A theoretical analysis of the proposed model portrays a system that is secure, lightweight and highly scalable for improved cloud resource security and management.
Comment: 6 pages
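The policy components named above, as an added example that is not the paper's implementation: a Policy Validation Unit that rejects malformed policies, a Policy Match Gate that evaluates the claims of an already-verified JWT against them, and a Policy Activity Monitor that records decisions and flags subjects with a burst of denials. The policy syntax, the `{tenant}` placeholder for tenant isolation and the "deny overrides allow, default deny" rule are assumptions of this example; JWT signature verification is assumed to have happened before the claims reach the gate.

```javascript
// Added example of PVU, PMG and PAM operating on verified JWT claims. Illustration only;
// policy syntax, the '{tenant}' placeholder and the combining rule are assumptions.

// PVU: reject malformed policies before they reach the gate. Returns a list of bad fields.
function validatePolicy(p) {
  const errors = [];
  if (typeof p.id !== 'string') errors.push('id');
  if (!['allow', 'deny'].includes(p.effect)) errors.push('effect');
  if (!Array.isArray(p.roles) || p.roles.length === 0) errors.push('roles');
  if (typeof p.resource !== 'string') errors.push('resource');
  if (!Array.isArray(p.actions) || p.actions.length === 0) errors.push('actions');
  return errors;
}

// Resource patterns: '*' matches one path segment; '{tenant}' must equal the caller's tenant claim,
// so a policy can only ever grant access inside the caller's own tenant.
function resourceMatches(pattern, resource, claims) {
  const pat = pattern.split('/');
  const res = resource.split('/');
  if (pat.length !== res.length) return false;
  return pat.every((seg, i) => seg === '*' || (seg === '{tenant}' ? res[i] === claims.tenant : seg === res[i]));
}

// PMG: expired claims are denied; otherwise deny if any deny policy matches, allow if any allow
// policy matches, and deny when nothing matches.
function policyMatchGate(policies, claims, request, now = Date.now()) {
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { decision: 'deny', reason: 'token expired' };
  const roles = new Set(claims.roles || []);
  const matching = policies.filter(p =>
    p.roles.some(r => roles.has(r)) && p.actions.includes(request.action) &&
    resourceMatches(p.resource, request.resource, claims));
  const denied = matching.find(p => p.effect === 'deny');
  if (denied) return { decision: 'deny', reason: denied.id };
  const allowed = matching.find(p => p.effect === 'allow');
  return allowed ? { decision: 'allow', reason: allowed.id } : { decision: 'deny', reason: 'no matching policy' };
}

// PAM: record every decision and surface subjects that hit the denial threshold.
class PolicyActivityMonitor {
  constructor(threshold = 3) { this.threshold = threshold; this.log = []; this.denials = new Map(); }
  record(claims, request, result) {
    this.log.push({ sub: claims.sub, ...request, ...result });
    if (result.decision === 'deny') this.denials.set(claims.sub, (this.denials.get(claims.sub) || 0) + 1);
  }
  suspicious() { return [...this.denials].filter(([, n]) => n >= this.threshold).map(([s]) => s); }
}

// Constructed policies: billing and admin may read invoices of their own tenant, only admin may
// write, and a deny policy freezes deletes for everyone.
const POLICIES = [
  { id: 'billing-read', effect: 'allow', roles: ['billing', 'admin'], resource: 'tenant/{tenant}/invoices/*', actions: ['read'] },
  { id: 'billing-write', effect: 'allow', roles: ['admin'], resource: 'tenant/{tenant}/invoices/*', actions: ['write', 'delete'] },
  { id: 'freeze-deletes', effect: 'deny', roles: ['admin', 'billing'], resource: 'tenant/*/invoices/*', actions: ['delete'] },
];

function demo() {
  for (const p of POLICIES) if (validatePolicy(p).length) throw new Error(`bad policy ${p.id}`);
  const pam = new PolicyActivityMonitor(2);
  const bob = { sub: 'bob', tenant: 'acme', roles: ['billing'], exp: Date.now() + 60000 }; // constructed claims
  const gate = (claims, request) => {
    const r = policyMatchGate(POLICIES, claims, request);
    pam.record(claims, request, r);
    return r.decision;
  };
  return {
    ownTenantRead: gate(bob, { resource: 'tenant/acme/invoices/42', action: 'read' }),                      // allow
    otherTenantRead: gate(bob, { resource: 'tenant/globex/invoices/42', action: 'read' }),                   // deny
    write: gate(bob, { resource: 'tenant/acme/invoices/42', action: 'write' }),                             // deny
    adminDelete: gate({ ...bob, sub: 'root', roles: ['admin'] }, { resource: 'tenant/acme/invoices/42', action: 'delete' }), // deny
    flagged: pam.suspicious(),                                                                              // ['bob']
  };
}
```

The gate never consults anything but the verified claims and the validated policy set, which is what keeps it stateless; the monitor is the only component that accumulates state, and it can be backed by the PPDB-style cache without affecting decisions.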
: Open Identity Certification with OpenID Connect
OpenID Connect (OIDC) is a widely used authentication standard for the Web. In this work, we define a new Identity Certification Token (ICT) for OIDC. An ICT can be thought of as a JSON-based, short-lived user certificate for end-to-end user authentication without the need for cumbersome key management. A user can request an ICT from his OpenID Provider (OP) and use it to prove his identity to other users or services that trust the OP. We call this approach  and compare it to other well-known end-to-end authentication methods. Unlike certificates,  does not require installation and can be easily used on multiple devices, making it more user-friendly. We outline protocols for implementing  based on existing standards. We discuss the trust relationship between entities involved in , propose a classification of OPs' trust level, and propose authentication with multiple ICTs from different OPs. We explain how different applications such as videoconferencing, instant messaging, and email can benefit from ICTs for end-to-end authentication and recommend validity periods for ICTs. To test , we provide a simple extension to existing OIDC server software and evaluate its performance
- …