5 research outputs found

    Towards dependable grid and web services


    Securing vehicular IPv6 communications

    A common practice is to apply security after a network has been designed or developed. We have the opportunity not to repeat this error in vehicular networks. Apart from particular works in the literature, ETSI TC ITS has defined general security services for (vehicular) cooperative systems. However, existing efforts do not yet pay the needed attention to the integration of IPv6. The potential of IPv6 in the field is being described within ISO TC 204, above all, but further work is needed for a proper integration of security. This work follows this direction: a reference vehicular communication architecture that considers ETSI/ISO regulations uses Internet Protocol security (IPsec) and Internet Key Exchange version 2 (IKEv2) to secure IPv6 Network Mobility (NEMO). A key advance is also the implementation and experimental evaluation of the proposal in a challenging vertical handover scenario between 3G and 802.11p. The performance of the secured NEMO channel is analyzed extensively in terms of movement speed, bandwidth, traffic type and signal quality, and it is concluded that the addition of IPv6 security implies only a slight reduction in overall performance, with the great advantage of providing confidentiality, integrity and authenticity to the communication path.

    This work has been sponsored by the EU 7th Framework Program through the ITSSv6, FOTsis, GEN6 and Inter-Trust projects (contracts 270519, 270447, 297239 and 317731), and the Ministry of Science and Innovation through the Walkie-Talkie project (TIN2011-27543-C03).

    Service-Oriented Ad Hoc Grid Computing

    The subject of this thesis is the design and implementation of an ad hoc Grid infrastructure. The vision of an ad hoc Grid further evolves conventional service-oriented Grid systems into a more robust, more flexible and more usable environment that is still standards compliant and interoperable with other Grid systems. A lot of work in current Grid middleware systems is focused on providing transparent access to high performance computing (HPC) resources (e.g. clusters) in virtual organizations spanning multiple institutions. The ad hoc Grid vision presented in this thesis exceeds this view by combining classical Grid components with more flexible components and usage models, allowing an environment to be formed that combines dedicated HPC resources with a large number of personal computers forming a "Desktop Grid". Three examples from medical research, media research and mechanical engineering are presented as application scenarios for a service-oriented ad hoc Grid infrastructure. These sample applications are also used to derive requirements for the runtime environment as well as development tools for such an ad hoc Grid environment. These requirements form the basis for the design and implementation of the Marburg ad hoc Grid Environment (MAGE) and the Grid Development Tools for Eclipse (GDT). MAGE is an implementation of a WSRF-compliant Grid middleware that satisfies the criteria for an ad hoc Grid middleware presented in the introduction to this thesis. GDT extends the popular Eclipse integrated development environment with components that support application development both for traditional service-oriented Grid middleware systems and for ad hoc Grid infrastructures such as MAGE. These development tools represent the first fully model-driven approach to Grid service development integrated with infrastructure management components in service-oriented Grid computing.
    This thesis is concluded by a quantitative discussion of the performance overhead imposed by the presented extensions to a service-oriented Grid middleware as well as a discussion of the qualitative improvements gained by the overall solution. The conclusion of this thesis also gives an outlook on future developments and areas for further research. One of these qualitative improvements is "hot deployment", the ability to install and remove Grid services in a running node without interrupting other active services on the same node. Hot deployment has been introduced as a novelty in service-oriented Grid systems as a result of the research conducted for this thesis. It extends service-oriented Grid computing with a new paradigm, making installation of individual application components a functional aspect of the application. This thesis further explores the idea of using peer-to-peer (P2P) networking for Grid computing by combining a general purpose P2P framework with a standards-compliant Grid middleware. In previous work the application of P2P systems has been limited to replica location and the use of P2P index structures for discovery purposes. The work presented in this thesis also uses P2P networking to realize seamless communication across network barriers. Even though the web service standards have been designed for the internet, the two-way communication requirement introduced by the WSRF standards, and particularly the notification pattern, is not well supported by the web service standards. This deficiency can be addressed by mechanisms that are part of such general purpose P2P communication frameworks. Existing security infrastructures for Grid systems focus on protection of data during transmission and access control to individual resources or the overall Grid environment. This thesis focuses on security issues within a single node of a dynamically changing service-oriented Grid environment.
    To counter the security threats arising from the new capabilities of an ad hoc Grid, a number of novel isolation solutions are presented. These solutions address security issues and isolation at a fine-grained level, providing a range of applicable basic mechanisms for isolation, ranging from lightweight system call interposition to complete para-virtualization of the operating system.

    Security design analysis


    On message-level security

    This dissertation deals with the topic of message-level security in web services and single sign-on systems. Through the methodology described in the dissertation, numerous security vulnerabilities in various software libraries and websites have been identified, reported and fixed. The first part of the dissertation examines the security of SOAP-based web services. In this context, the software WS-Attacker for carrying out fully automated penetration tests is designed and implemented. The second part examines the security of single sign-on systems. Generic attack concepts are developed and then applied to the protocols (1) OpenID, (2) OpenID Connect and (3) SAML. These are based on a new single sign-on attack paradigm which, for the first time, uses an Identity Provider (IdP) for finding and exploiting vulnerabilities.