Summary

20090506_fidis_D3.12 final 1.0.od

Security in Distributed, Grid, Mobile, and Pervasive Computing

This book addresses the increasing demand to guarantee privacy, integrity, and availability of resources in networks and distributed systems. It first reviews security issues and challenges in content distribution networks, describes key agreement protocols based on the Diffie-Hellman key exchange and key management protocols for complex distributed systems like the Internet, and discusses securing design patterns for distributed systems. The next section focuses on security in mobile computing and wireless networks. After a section on grid computing security, the book presents an overview of security solutions for pervasive healthcare systems and surveys wireless sensor network security

WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring

We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introducing a critical vulnerability

An identity based framework for security and privacy in pervasive networks

Master'sMASTER OF ENGINEERIN

A SOAP-based Model for secure messaging in a global context

For integration between application-systems in a global context, interoperability needs to be established on a global level; global interoperability, in turn, is based on a global common application-interface. This is achieved through resolving differences in, inter alia, protocol profiles, among participants in the global network. ebXML is used as the point of departure. A messaging framework, which is based on existing Web technology and standards, is proposed. Certain security and Web service standards are examined to determine specific parameters for an interoperable secure messaging environment. A security based framework comprising a predefined message format and architecture is investigated for a secure interoperable global electronic marketspace

Formal analysis of security protocols based on web services

This thesis examines the use of multi-stack pushdown automata to model the behaviour and properties of Web services based cryptographic protocols. The protocols are modelled in Promela and verified using the Spin model checker. The Simple Message Exchange Protocol and the Security Token Protocol are protocols that underlie the WS-Security and WS-Trust specifications, respectively. These two protocols are tested for correctness in the presence of an intruder that conforms to the Dolev-Yao model, i.e., it is tested whether the required properties the protocols hold in the presence of a Dolev-Yao intruder. The thesis also extends the Dolev-Yao intruder model to encompass attacks targeted specifically at Web services. An intruder model in Promela is created based on the Dolev-Yao abstraction which is extended to incorporate an XML injection attack model. The behaviour and properties of the Simple Message Exchange Protocol and the Security Token Protocol are then examined when subjected to an XML injection attack using this extended Dolev-Yao model

Providing Secure Web Services for Mobile Applications

Changing consumer behavior drives the demand for convenient and easy-to-use mobile applications across industries. This also impacts the financial sector. Banks are eager to offer their services as mobile applications to match the modern consumer needs. The mobile applications are not independently able to provide the required functionality; they interact with the existing core business functions by consuming secure Web Services over the Internet. The thesis analyses the problem of how a bank can enable a new secure distribution and communication channel via the mobile applications. This new channel must be able to interact with existing core systems. The problem is investigated from different axis related to Web Services protocols suitable for mobile use, security solutions for the communication protocols and the required support available in the selected mobile operating systems. The result of the analysis is an architectural description to fulfil the presented requirements. In addition to constructing the architecture, the thesis also describes some of the more advanced threats targeted against mobile apps and Web Services and provides mitigation schemes for the threats. The selected architecture contains a modular security solution that can be utilized outside of the financial context as well. ACM Computing Classification System (CCS 2012): - Information systems → Web Services - Security and privacy → Software and application security - Software and its engineering → Software architecture

Universally Composable Security Analysis of TLS---Secure Sessions with Handshake and Record Layer Protocols

We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions and is based on the adaption of the secure channel model from Canetti and Krawczyk to the setting where peer identities are not necessarily known prior the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the Diffie-Hellman and key transport suites in the uni-directional and bi-directional models of authentication, securely emulates secure communication sessions

Dynamic infrastructure for federated identity management in open environments

Centralized identity management solutions were created to deal with user and data security where the user and the systems they accessed were within the same network or domain of control. Nevertheless, the decentralization brought about by the integration of the Internet into every aspect of life is leading to an increasing separation of the user from the systems requiring access. Identity management has been continually evolving in order to adapt to the changing systems, and thus posing new challenges. In this sense, the challenges associated with cross-domain issues have given rise to a new approach of identity management, called Federated Identity Management (FIM), because it removes the largest barriers for achieving a common understanding. Due to the importance of the federation paradigm for online identity management, a lot of work has been done so far resulting in a set of standards and specifications. According to them, under the FIM paradigm a person’s electronic identity stored across multiple distinct domains can be linked, shared and reused. This concept allows interesting use-cases, such as Single Sign-on (SSO), which allows users to authenticate at a single service and gain access to multiple ones without providing additional information. But also provides means for cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange. However, for the federated exchange of user information to be possible in a secure way, a trust relationship must exist between the separated domains. The establishment of these trust relationships, if addressed in the federation specifications, is based on complex agreements and configurations that are usually manually set up by an administrator. For this reason, the “internet-like” scale of identity federations is still limited. Hence, there is a need to move from static configurations towards more flexible and dynamic federations in which members can join and leave more frequently and trust decisions can be dynamically computed on the fly. In this thesis, we address this issue. The main goal is contributing to improve the trust layer in FIM in order to achieve dynamic federation. And for this purpose, we propose an architecture that extends current federation systems. The architecture is based on two main pillars, namely a reputation-based trust computation module, and a risk assessment module. In regard to trust, we formalize a model to compute and represent trust as a number, which provides a basis for easy implementation and automation. It captures the features of current FIM systems and introduces new dimensions to add flexibility and richness. The model includes the definition of a trustworthiness metric, detailing the evidences used, and how they are combined to obtain a quantitative value. Basically, authentication information is merged with behavior data, i.e., reputation or history of interactions. In order to include reputation data in the model we contributed with the definition of a generic protocol to exchange reputation information between FIM entities, and its integration with the most widely deployed specification, i.e., Security Assertion Markup Language (SAML). In regard to risk, we define an assessment model that allow entities to calculate how much risk is involved in transacting with another entity according to its configuration, policies, operation rules, cryptographic algorithms, etc. The methodology employed to define the risk model consists of three steps. Firstly, we design a taxonomy to capture the different aspects of a relationship in FIM that may contribute to risk. Secondly, based on the taxonomy and aiming at developing a computational model, we propose a set of metrics as a basis to quantify risk. Finally, we describe how to combine the metrics into a meaningful risk figure by using the Multiattribute Utility Theory (MAUT) methodology, which has been applied and adapted to define the risk aggregation model. Furthermore, an also under the MAUT theory, we propose a fuzzy aggregation system to combine trust and risk into a final value that is the basis for dynamic federation decisions. Formal validation of the above mentioned ideas has been carried out. The risk assessment and decision making are analytically validated ensuring their correct behavior, the reputation protocol included in the trust management proposal is tested through simulations, and the architecture is verified through the development of prototypes. In addition, dissemination activities were performed in projects, journals and conferences. Summarizing, the contributions here constitute a step towards the realization of dynamic federation, based on the flexibilization of the underlying trust frameworks. --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Históricamente el diseño de soluciones de gestión de identidad centralizada ha estado orientado a proteger la seguridad de usuarios y datos en entornos en los que tanto los usuarios como los sistemas se encuentran en la misma red o dominio. Sin embargo, la creciente descentralización acaecida al integrar Internet en muchos aspectos de la vida cotidiana está dando lugar a una separación cada vez mayor entre los usuarios y los sistemas a los que acceden. La gestión de identidad ha ido evolucionando para adaptarse a estos cambios, dando lugar a nuevos e interesantes retos. En este sentido, los retos relacionados con el acceso a diferentes dominios han dado lugar a una nueva aproximación en la gestión de identidad conocida como Federación de Identidad o Identidad Federada. Debido a la importancia de este paradigma, se ha llevado a cabo un gran trabajo que se refleja en la definición de varios estándares y especificaciones. De acuerdo con estos documentos, bajo el paradigma de identidad federada, la identidad digital de un usuario almacenada en múltiples dominios diferentes puede ser enlazada, compartida y reutilizada. Este concepto hace posibles interesantes casos de uso, tales como el Single Sign-on (SSO), que permite a un usuario autenticarse una sola vez en un servicio y obtener acceso a múltiples servicios sin necesidad de proporcionar información adicional o repetir el proceso. Pero además, también se proporcionan mecanismos para muchos otros casos, como el intercambio de atributos entre dominios o la creación automática de cuentas a partir de la información proporcionada por otro dominio. No obstante, para que el intercambio de información personal del usuario entre dominios federados se pueda realizar de forma segura, debe existir una relación de confianza entre dichos dominios. Pero el establecimiento de estas relaciones de confianza, a veces ni siquiera recogido en las especificaciones, suele estar basado en acuerdos rígidos que requieren gran trabajo de configuración por parte de un administrador. Por esta razón, la escalabilidad de las federaciones de identidad es todavía limitada. Como puede deducirse, existe una necesidad clara de cambiar los acuerdos estáticos que rigen las federaciones actuales por un modelo más flexible que permita federaciones dinámicas en las que los miembros puedan unirse y marcharse más frecuentemente y las decisiones de confianza sean tomadas dinámicamente on-the-fly. Este es el problema que tratamos en la presente tesis. Nuestro objetivo principal es contribuir a mejorar la capa de confianza en federación de identidad de manera que el establecimiento de relaciones pueda llevarse a cabo de forma dinámica. Para alcanzar este objetivo, proponemos una arquitectura basada en dos pilares fundamentales: un módulo de cómputo de confianza basado en reputación, y un módulo de evaluación de riesgo. Por un lado, formalizamos un modelo para calcular y representar la confianza como un número, lo cual supone una base para una fácil implementación y automatización. El modelo captura las características de los sistemas de gestión de identidad federada actuales e introduce nuevas dimensiones para dotarlos de una mayor flexibilidad y riqueza expresiva. Se lleva a cabo pues una definición de la métrica de confianza, detallando las evidencias utilizadas y el método para combinarlas en un valor cuantitativo. Básicamente, se fusiona la información de autenticación disponible con datos de comportamiento, es decir, con reputación o historia de transacciones. Para la inclusión de datos de reputación en el modelo, contribuimos con la definición de un protocolo genérico que permite el intercambio de esta información entre las entidades de un sistema de gestión de identidad federada, que ha sido además integrado en el estándar más conocido y ampliamente desplegado (Security Assertion Markup Language, SAML). Por otro lado, en lo que se refiere al riesgo, proponemos un modelo que permite a las entidades calcular en cuánto riesgo se incurre al realizar una transacción con otra entidad, teniendo en cuenta su configuración, políticas, reglas de operación, algoritmos criptográficos en uso, etc. La metodología utilizada para definir el modelo de riesgo abarca tres pasos. En primer lugar, diseñamos una taxonomía que captura los distintos aspectos de una relación en el contexto de federación de identidad que puedan afectar al riesgo. En segundo lugar, basándonos en la taxonomía, proponemos un conjunto de métricas que serán la base para cuantificar el riesgo. En tercer y último lugar, describimos cómo combinar las métricas en una cifra final representativa utilizando el método Multiattribute Utility Theory (MAUT), que ha sido adaptado para definir el proceso de agregación de riesgo. Además, y también bajo la metodología MAUT, proponemos un sistema de agregación difuso que combina los valores de riesgo y confianza en un valor final que será el utilizado en la toma de decisiones dinámicas sobre si establecer o no una relación de federación. La validación de todas las ideas mencionadas ha sido llevada a cabo a través del análisis formal, simulaciones, desarrollo e implementación de prototipos y actividades de diseminación. En resumen, las contribuciones en esta tesis constituyen un paso hacia el establecimiento dinámico de federaciones de identidad, basado en la flexibilización de los modelos de confianza subyacentes