820 research outputs found

    Quantum Key Distribution (QKD) and Commodity Security Protocols: Introduction and Integration

    We present an overview of quantum key distribution (QKD), a secure key exchange method based on the quantum laws of physics rather than computational complexity. We also provide an overview of the two most widely used commodity security protocols, IPsec and TLS. Pursuing a key exchange model, we propose how QKD could be integrated into these security applications. For such a QKD integration we propose a support layer that provides a set of common QKD services between the QKD protocol and the security applications. Comment: 12 pages.

    SCoT: a secure content-oriented transport

    The evolution of the Internet has resulted in the deployment of new application-level solutions to enhance the scalability and efficiency of content dissemination (e.g., content delivery networks and peer-to-peer systems). However, despite this improvement in performance, the utilization of this type of solution introduces new security concerns, as a content provider must necessarily delegate the role of distributing the content to third parties, and current security solutions, such as TLS and IPsec, do not allow authenticating the original content provider or the content itself in these scenarios. In this paper, we present SCoT, a transport-layer protocol that allows a content provider to bind protection to content, enabling content authentication at receivers regardless of any third party infrastructures that have been used to disseminate the content. Content authentication procedures are executed transparently to end-user applications. We implemented a fully operational prototype of the protocol in Java, including an API to support the development of SCoT applications. We utilized it to configure an experimentation scenario that served to validate a theoretical analysis of the SCoT throughput and to illustrate the performance that can be achieved in a practical deployment. The paper concludes by describing a set of use cases of the protocol. This article has been partially supported by the European H2020 5Gin-FIRE project (grant agreement 732497), and by the DRONEXT project (TEC2014-54335-C4-2-R) funded by the Spanish Ministry of Economy and Competitiveness. The work of Ignacio Soto has partially been supported by the Spanish Texeo project (TEC2016-80339-R) funded by the Spanish Ministry of Economy and Competitiveness.

    A Mobile Secure Bluetooth-Enabled Cryptographic Provider

    The use of digital X509v3 public key certificates, together with different standards for secure digital signatures, is commonly adopted to establish authentication proofs between principals, applications and services. One of the robustness characteristics commonly associated with such mechanisms is the need for hardware-sealed cryptographic devices, such as Hardware-Security Modules (or HSMs), smart cards or hardware-enabled tokens or dongles. These devices support internal functions for management and storage of cryptographic keys, allowing the isolated execution of cryptographic operations, with the keys or related sensitive parameters never exposed. The portable devices most widely used are USB-tokens (or security dongles) and internal chips of smart cards (as is also the case of citizen cards, banking cards or ticketing cards). More recently, a new generation of Bluetooth-enabled smart USB dongles appeared, also suitable to protect cryptographic operations and digital signatures for secure identity and payment applications. The common characteristic of such devices is to offer the required support to be used as secure cryptographic providers. Among the advantages of those portable cryptographic devices is also their portability and ubiquitous use, but, in consequence, they are also frequently forgotten or even lost. USB-enabled devices imply the need for readers, not always and not commonly available for generic smartphones or users working with computing devices. Also, wireless-devices can be specialized or require a development effort to be used as standard cryptographic providers. An alternative to mitigate such problems is the possible adoption of conventional Bluetooth-enabled smartphones, as ubiquitous cryptographic providers to be used, remotely, by client-side applications running in users’ devices, such as desktop or laptop computers.
However, the use of smartphones for safe storage and management of private keys and sensitive parameters requires a careful analysis on the adversary model assumptions. The design options to implement a practical and secure smartphone-enabled cryptographic solution as a product, also requires the approach and the better use of the more interesting facilities provided by frameworks, programming environments and mobile operating systems services. In this dissertation we addressed the design, development and experimental evaluation of a secure mobile cryptographic provider, designed as a mobile service provided in a smartphone. The proposed solution is designed for Android-Based smartphones and supports on-demand Bluetooth-enabled cryptographic operations, including standard digital signatures. The addressed mobile cryptographic provider can be used by applications running on Windows-enabled computing devices, requesting digital signatures. The solution relies on the secure storage of private keys related to X509v3 public certificates and Android-based secure elements (SEs). With the materialized solution, an application running in a Windows computing device can request standard digital signatures of documents, transparently executed remotely by the smartphone regarded as a standard cryptographic provider

    Cloudless Friend-to-Friend Middleware for Smartphones

    Using smartphones for peer-to-peer communication over the Internet is difficult without the aid of centralized services. These centralized services, which usually reside in the cloud, are necessary for brokering communication between peers, and all communication must pass through them. A reason for this is that smartphones lack publicly reachable IP addresses. Also, because people carry their smartphones with them, smartphones will often disconnect from one network and connect to another. Smartphones can also go offline. Additionally, a network of trusted peers (or friends) requires a directory of known peers, authentication mechanisms, and secure communication channels. In this paper, we propose a peer-to-peer middleware that provides these features without the need for centralized services. Comment: ICETE 2018: E-Business and Telecommunications pp 199-218. Part of the Communications in Computer and Information Science book series (CCIS, volume 1118). The final authenticated publication is available online at https://doi.org/10.1007/978-3-030-34866-3_1

    Secure and insecure chat implementation

    Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by using computers, smartphones or tablets, in a variety of ways, to anyone with a computer and a network connection. Thus, individuals and organizations can reach any point on the internet without regard to national or geographic boundaries or time of day. However, along with the convenience and easy access to information come risks. Among them are the risks that valuable information will be lost, stolen, changed, or misused. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet. Intruders do not need to enter an office or home, they may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can also create new electronic files, run their own programs, and hide evidence of their unauthorized activity. As can be seen, security issues are of high relevance because the Internet is a network of networks in which the information sent can travel over a secure or insecure network. Nowadays, messaging or chat applications are used every day by millions of users to exchange text messages, pictures, videos, contacts, documents and so on. This translates to a huge amount of data travelling over the network in a way that is transparent to the users involved. For all these reasons, applying security to the information sent is really important to guarantee data protection. In our case, it has been desired to implement a chat application in which a Server and a Client can exchange, for instance, messages, pictures, documents, songs, and videos. In this application, both entities should have the possibility of sending the information over a secure or insecure channel.
If the secure way is chosen, some cryptographic protocols, such as symmetric and asymmetric cryptography methods, will be applied to guarantee the most important security aspects: confidentiality, security, reliability and non-repudiation. In the insecure way, no cryptographic method is applied and the information will be sent in clear. To be able to exchange messages and several types of documents, it is desired to implement an interface using the Java language in which an option offers the user the possibility of switching between the secure and insecure channel. Moreover, this interface should have a box in which to store the information sent and received, and a copy of this information should be stored in a backup file for further treatment. After that, it is desired to compare the packets sent and received over the local loop using the Wireshark tool to verify how the information is sent when using the secure and insecure way.

    Security performance and protocol consideration in optical communication system with optical layer security enabled by optical coding techniques

    With the fast development of communication systems, network security issues have more and more impact on daily life. It is essential to construct a high degree of optical layer security to resolve the security problem once and for all. Three different techniques which can provide optical layer security are introduced and compared. Optical chaos can be used for fast random number generation. Quantum cryptography is the most promising technique for key distribution. And the optical coding techniques can be deployed to encrypt the modulated signal in the optical layer. A mathematical equation has been derived from information theory to evaluate the information-theoretic security level of the wiretap channel in optical coding schemes. And the merits and limitations of two coherent optical coding schemes, temporal phase coding and spectral phase coding, have been analysed. The security scheme based on a reconfigurable optical coding device has been introduced, and the corresponding security protocol has been developed. By moving the encryption operation from the electronic layer to the optical layer, the modulated signals become opaque to the unauthorised users. Optical code distribution and authentication is one of the major challenges for our proposed scheme. In our proposed protocol, both of the operations are covered and defined in detail. As a preliminary draft of the optical code security protocol, it could be a useful guidance for further research.

    A FIREWALL MODEL OF FILE SYSTEM SECURITY

    File system security is fundamental to the security of UNIX and Linux systems since in these systems almost everything is in the form of a file. To protect the system files and other sensitive user files from unauthorized accesses, certain security schemes are chosen and used by different organizations in their computer systems. A file system security model provides a formal description of a protection system. Each security model is associated with specified security policies which focus on one or more of the security principles: confidentiality, integrity and availability. The security policy is not only about “who” can access an object, but also about “how” a subject can access an object. To enforce the security policies, each access request is checked against the specified policies to decide whether it is allowed or rejected. The current protection schemes in UNIX/Linux systems focus on the access control. Besides the basic access control scheme of the system itself, which includes permission bits, setuid and seteuid mechanism and the root, there are other protection models, such as Capabilities, Domain Type Enforcement (DTE) and Role-Based Access Control (RBAC), supported and used in certain organizations. These models protect the confidentiality of the data directly. The integrity of the data is protected indirectly by only allowing trusted users to operate on the objects. The access control decisions of these models depend on either the identity of the user or the attributes of the process the user can execute, and the attributes of the objects. Adoption of these sophisticated models has been slow; this is likely due to the enormous complexity of specifying controls over a large file system and the need for system administrators to learn a new paradigm for file protection. We propose a new security model: file system firewall. 
It is an adoption of the familiar network firewall protection model, used to control the data that flows between networked computers, toward file system protection. This model can support decisions of access control based on any system generated attributes about the access requests, e.g., time of day. The access control decisions are not on one entity, such as the account in traditional discretionary access control or the domain name in DTE. In file system firewall, the access decisions are made upon situations on multiple entities. A situation is programmable with predicates on the attributes of subject, object and the system. File system firewall specifies the appropriate actions on these situations. We implemented the prototype of file system firewall on SUSE Linux. Preliminary results of performance tests on the prototype indicate that the runtime overhead is acceptable. We compared file system firewall with TE in SELinux to show that the firewall model can accommodate many other access control models. Finally, we show the ease of use of the firewall model. When the firewall system is restricted to a specified part of the system, all the other resources are not affected. This enables a relatively smooth adoption. This fact and that it is a familiar model to system administrators will facilitate adoption and correct use. The user study we conducted on traditional UNIX access control, SELinux and file system firewall confirmed that. The beginner users found it easier to use and faster to learn than the traditional UNIX access control scheme and SELinux.

    Patterns in network security: an analysis of architectural complexity in securing recursive inter-network architecture networks

    Recursive Inter-Network Architecture (RINA) networks have a shorter protocol stack than the current architecture (the Internet) and rely instead upon separation of mechanism from policy and recursive deployment to achieve large scale networks. Due to this smaller protocol stack, fewer networking mechanisms, security or otherwise, should be needed to secure RINA networks. This thesis examines the security protocols included in the Internet Protocol Suite that are commonly deployed on existing networks and shows that because of the design principles of the current architecture, these protocols are forced to include many redundant non-security mechanisms and that as a consequence, RINA networks can deliver the same security services with substantially less complexity.