7 research outputs found

    Development of an authentication system for access control using Bluetooth technology (Desarrollo de un sistema de autenticación para control de acceso mediante tecnología Bluetooth)

    This project consists of the design and development of an access control system using Bluetooth Low Energy technology, in order to make a prototype to evaluate its implementation in the company Redsys. The system is composed of a mobile application developed with Android technology and a control device, which is also composed of the development board ESP32 DevKitC V4, a tricolor LED and a buzzer. The Android application performs the function of "authenticator" against the access control device, which is responsible for verifying that authentication and authorizing the passage. This document will introduce the technologies and protocols that will be used for the access control system. Next, it will be explained in detail how the programs implemented in the two main devices have been developed, how the authentication process is carried out based on a standard authentication protocol and, most importantly, how the entire connection and exchange of messages has been implemented through Bluetooth Low Energy technology. In addition, the correct functioning of the complete system will be demonstrated through the tests carried out and new lines of work will be introduced to continue improving the system in the future.
    Ingeniería en Tecnologías de Telecomunicación (Plan 2010

    Extensible Authentication Protocol Vulnerabilities and Improvements

    Extensible Authentication Protocol (EAP) is a widely used security protocol for wireless networks around the world. The project examines different security issues with the EAP-based protocols, the family of security protocols for Wireless LAN. The project discovers an attack on the subscriber identity module (SIM) based extension of EAP. The attack is a Denial-of-Service attack that exploits the error handling mechanism in EAP protocols. The project further proposes countermeasures for detection and a defense against the discovered attack. The discovered attack can be prevented by changing the protocol to delay the processing of protocol error messages.

    EAP-TPM User Authentication in Wireless Access Networks (EAP-TPM Αυθεντικοποίηση Χρηστών σε Ασύρματα Δίκτυα Πρόσβασης)

    Nowadays, many devices are connected to wireless networks, both private and public. Their authentication on the network is a process in which the user must intervene in order to enter his credentials. The purpose of this paper is to present an alternative authentication method for wireless networks through the Trusted Platform Module (TPM). The basic idea was to create an authentication mechanism similar to that of telephone networks. In a telephone network and consequently in a 5G network, user authentication is done through credentials stored on the SIM card of the devices, without requiring the user to provide additional information to connect to the network. The same could be applied in cases of users connecting to a wireless network through the use of TPM, which is now integrated in most mobile devices (laptops, mobile phones) and can create and store security certificates. Based on previous research to implement a variant of the EAP-TLS protocol, called EAP-TPM, we have tried to implement this authentication method. So we created a test environment consisting of a wireless access point, a FreeRADIUS server and a client, which has a built-in TPM, and we studied how to create security certificates, which will be stored in the TPM. Then we studied the TPM configuration to be able to support authentication via the EAP-TLS protocol, so that the client can authenticate via the certificates stored in it. Finally, the economic value of wireless access networks is presented, as shown by research, the advantages resulting from their use, their installation costs and the most basic selection criteria of these networks.

    IEEE 802.11i Security and Vulnerabilities

    Despite using a variety of comprehensive preventive security measures, the Robust Secure Networks (RSNs) remain vulnerable to a number of attacks. Failure of preventive measures to address all RSN vulnerabilities dictates the need for enhancing the performance of Wireless Intrusion Detection Systems (WIDSs) to detect all attacks on RSNs with lower false positive and false negative rates.

    The EAP Protected One-Time Password Protocol (EAP-POTP)

    No full text

    Human Computing for Handling Strong Corruptions in Authenticated Key Exchange

    International audience. We propose the first user authentication and key exchange protocols that can tolerate strong corruptions on the client-side. If a user happens to log in to a server from a terminal that has been fully compromised, then the user's other past and future sessions initiated from honest terminals stay secure. We define the security model for Human Authenticated Key Exchange (HAKE) protocols and first propose two generic protocols based on human-compatible (HC) function family, password-authenticated key exchange (PAKE), commitment, and authenticated encryption. We prove our HAKE protocols secure under reasonable assumptions and discuss efficient instantiations. We thereafter propose a variant where the human gets help from a small device such as RSA SecurID. This makes it possible to implement an HC function family with stronger security and thus allows weakening the required assumptions on the PAKE. This leads to the very efficient HAKE which is still secure in case of strong corruptions. We believe that our work will promote further developments in the area of human-oriented cryptography.

    Towards secure communication and authentication: Provable security analysis and new constructions

    Secure communication and authentication are some of the most important and practical topics studied in modern cryptography. Plenty of cryptographic protocols have been proposed to accommodate all sorts of requirements in different settings and some of those have been widely deployed and utilized in our daily lives. It is a crucial goal to provide formal security guarantees for such protocols. In this thesis, we apply the provable security approach, a standard method used in cryptography to formally analyze the security of cryptographic protocols, to three problems related to secure communication and authentication. First, we focus on the case where a user and a server share a secret and try to authenticate each other and establish a session key for secure communication, for which we propose the first user authentication and key exchange protocols that can tolerate strong corruptions on the client-side. Next, we consider the setting where a public-key infrastructure (PKI) is available and propose models to thoroughly compare the security and availability properties of the most important low-latency secure channel establishment protocols. Finally, we perform the first provable security analysis of the new FIDO2 protocols, the promising proposed standard for passwordless user authentication from the Fast IDentity Online (FIDO) Alliance to replace the world's over-reliance on passwords to authenticate users, and design new constructions to achieve stronger security.
    Ph.D