PAS: Predicate-Based Authentication Services Against Powerful Passive Adversaries

Securely authenticating a human user without assistance from any auxiliary device in the presence of powerful passive adversaries is an important and challenging problem. Passive adversaries are those that can passively monitor, intercept, and analyze every part of the authentication procedure, except for an initial secret shared between the user and the server. In this paper, we propose a new secure authentication scheme called predicate-based authentication service (PAS). In this scheme, for the first time, the concept of a predicate is introduced for authentication. We conduct analysis on the proposed scheme and implement its prototype system. Our analytical data and experimental data illustrate that the PAS scheme can simultaneously achieve a desired level of security and user friendliness

The solid ecosystem: ready for mainstream web development?

Companies have been collecting data from its users over the years. This data it is often grouped in places called data silos and may then be used for profit in many ways: building data models to predict or enforce user behaviour, selling their data to other companies, among others. Moreover, the centralisation of data makes it appealing for people with malicious intentions to attack data silos. Security breaches violate users’ privacy, by exposing its sensitive data such as passwords, credit card information, and personal details. One solution to this problem is to separate data from these systems, demanding a shift in the way companies create web applications. This dissertation explores different solutions and compares them, focusing on a particular project named Solid. Created by the inventor of the World Wide Web, Tim Berners-Lee, Solid is a solution that takes advantage of the power of RDF in order to create a web of Linked Data, introducing decentralisation on software architecture in different layers. In order to achieve mainstream adoption, various aspects such as the impact of the introduction of this technology have on the user experience and development experience need to be considered. This dissertation documents the development of a prototype web application built with Solid at its core and compares it with the same application developed using a more traditional stack of technologies. An analysis was conducted under two perspectives: developer and final user. While in the former it is considered aspects such as development time and documentation diversity and quality, the latter is focused on the user experience. Resorting to a questionnaire presented to real users, it was concluded that the user experience of some the features of these applications, such as the user’s registration and the login process is affected by introducing this type of decentralisation. Moreover, it was also considered the lack of documentation this technology has at the moment, though it has improved throughout the development of this dissertation.As empresas têm coletado dados dos seus utilizadores ao longo dos anos. Esses dados são frequentemente agrupados em locais denominados de data silos e podem ser usados para fins lucrativos através de várias formas: construção de modelos de dados para prever ou impor comportamentos nos seus utlizadores, venda dos seus dados a outras empresas, entre outras. Para além disso, a centralização desses dados capta a atenção de pessoas com intenções maliciosas, que possuem interesse em atacar esses agrupamentos de dados. Falhas de segurança violam a privacidade dos utilizadores, expondo dados confidenciais, como passwords, informações de cartões de crédito e outros detalhes pessoais. Uma solução para este problema passa por separar os dados da aplicação, exigindo uma mudança na forma como as empresas criam aplicações. Esta dissertação explora diferentes soluções e efetua uma comparação entre elas, com foco num projecto específico denominado de Solid. Desenvolvido pelo criador da World Wide Web, Tim Berners-Lee, Solid é uma tecnologia que aproveita o poder de RDF para criar uma rede de informação interligada, introduzindo descentralização nas arquitetures de software em diferentes camadas. Por forma a conseguir uma adoção massiva, vários aspetos, como o impacto que esta tecnologia tem na experiência de utilizador e no desenvolvimento de software, necessitam de ser considerados. Esta dissertação documenta o desenvolvimento de uma aplicação que utiliza Solid no seu núcleo e compara-a com uma outra aplicação desenvolvida com uma pilha de tecnologias mais tradicional. Foi conduzida uma análise através de duas perspectivas: desenvolvedores e utilizador final. Enquanto que na primeira os aspetos considerados estão relacionados com tempo de desenvolvimento assim como qualidade e diversidade de documentação, a última está mais focada na experiência de utilizador. Recorrendo a um questionário apresentado a utilizadores que tiveram a oportunidade de experimentar ambas as aplicações, concluiu-se que a experiência do utilizador em algumas funcionalidades, como o registo de utilizador e o processo de login, é afetada pela introdução deste tipo de descentralização, ainda que em muitas outras a diferença seja impercetível. Além disso, também foi considerada a falta de documentação que esta tecnologia possui no momento, embora tenha melhorado ao longo do desenvolvimento desta dissertação

Assessment of attribute-based credentials for privacy-preserving road traffic services in smart cities

Smart cities involve the provision of advanced services for road traffic users. Vehicular ad hoc networks (VANETs) are a promising communication technology in this regard. Preservation of privacy is crucial in these services to foster their acceptance. Previous approaches have mainly focused on PKI-based or ID-based cryptography. However, these works have not fully addressed the minimum information disclosure principle. Thus, questions such as how to prove that a driver is a neighbour of a given zone, without actually disclosing his identity or real address, remain unaddressed. A set of techniques, referred to as Attribute-Based Credentials (ABCs), have been proposed to address this need in traditional computation scenarios. In this paper, we explore the use of ABCs in the vehicular context. For this purpose, we focus on a set of use cases from European Telecommunications Standards Institute (ETSI) Basic Set of Applications, specially appropriate for the early development of smart cities. We assess which ABC techniques are suitable for this scenario, focusing on three representative ones—Idemix, U-Prove and VANET-updated Persiano systems. Our experimental results show that they are feasible in VANETs considering state-of-the-art technologies, and that Idemix is the most promising technique for most of the considered use cases.This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You); the CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks) and by the MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV - Security mechanisms for fog computing: advanced security for devices). Jose Maria de Fuentes and Lorena Gonzalez were also supported by the Programa de Ayudas para la Movilidad of Carlos III University of Madrid

Applications of Context-Aware Systems in Enterprise Environments

In bring-your-own-device (BYOD) and corporate-owned, personally enabled (COPE) scenarios, employees’ devices store both enterprise and personal data, and have the ability to remotely access a secure enterprise network. While mobile devices enable users to access such resources in a pervasive manner, it also increases the risk of breaches for sensitive enterprise data as users may access the resources under insecure circumstances. That is, access authorizations may depend on the context in which the resources are accessed. In both scenarios, it is vital that the security of accessible enterprise content is preserved. In this work, we explore the use of contextual information to influence access control decisions within context-aware systems to ensure the security of sensitive enterprise data. We propose several context-aware systems that rely on a system of sensors in order to automatically adapt access to resources based on the security of users’ contexts. We investigate various types of mobile devices with varying embedded sensors, and leverage these technologies to extract contextual information from the environment. As a direct consequence, the technologies utilized determine the types of contextual access control policies that the context-aware systems are able to support and enforce. Specifically, the work proposes the use of devices pervaded in enterprise environments such as smartphones or WiFi access points to authenticate user positional information within indoor environments as well as user identities