198 research outputs found
Up-to-date Key Retrieval for Information Centric Networking
Information Centric Networking (ICN) leverages in-network caching to provide efficient data distribution and better performance by replicating contents in multiple nodes to bring content nearer the users. Since contents are stored and replicated into node caches, the content validity must be assured end-to-end. Each content object carries a digital signature to provide a proof of its integrity, authenticity, and provenance. However, the use of digital signatures requires a key management infrastructure to manage the key life cycle. To perform a proper signature verification, a node needs to know whether the signing key is valid or it has been revoked. This paper discusses how to retrieve up-to-date signing keys in the ICN scenario. In the usual public key infrastructure, the Certificate Revocation Lists (CRL) or the Online Certificate Status Protocol (OCSP) enable applications to obtain the revocation status of a certificate. However, the push-based distribution of Certificate Revocation Lists and the request/response paradigm of Online Certificate Status Protocol should be fit in the mechanism of named-data. We consider three possible approaches to distribute up-to-date keys in a similar way to the current CRL and OCSP. Then, we suggest a fourth protocol leveraging a set of distributed notaries, which naturally fits the ICN scenario. Finally, we evaluate the number and size of exchanged messages of each solution, and then we compare the methods considering the perceived latency by the end nodes and the throughput on the network links
SoK: The Ghost Trilemma
Trolls, bots, and sybils distort online discourse and compromise the security
of networked platforms. User identity is central to the vectors of attack and
manipulation employed in these contexts. However it has long seemed that, try
as it might, the security community has been unable to stem the rising tide of
such problems. We posit the Ghost Trilemma, that there are three key properties
of identity -- sentience, location, and uniqueness -- that cannot be
simultaneously verified in a fully-decentralized setting. Many
fully-decentralized systems -- whether for communication or social coordination
-- grapple with this trilemma in some way, perhaps unknowingly. We examine the
design space, use cases, problems with prior approaches, and possible paths
forward. We sketch a proof of this trilemma and outline options for practical,
incrementally deployable schemes to achieve an acceptable tradeoff of trust in
centralized trust anchors, decentralized operation, and an ability to withstand
a range of attacks, while protecting user privacy.Comment: 22 pages with 1 figure and 8 table
A Distributed Audit Trail for the Internet of Things
Sharing Internet of Things (IoT) data over open-data platforms and digital data
marketplaces can reduce infrastructure investments, improve sustainability by
reducing the required resources, and foster innovation. However, due to the
inability to audit the authenticity, integrity, and quality of IoT data, third-party
data consumers cannot assess the trustworthiness of received data. Therefore,
it is challenging to use IoT data obtained from third parties for quality-relevant
applications. To overcome this limitation, the IoT data must be auditable. Distributed
Ledger Technology (DLT) is a promising approach for building auditable
systems. However, the existing solutions do not integrate authenticity,
integrity, data quality, and location into an all-encompassing auditable model
and only focus on specific parts of auditability.
This thesis aims to provide a distributed audit trail that makes the IoT auditable
and enables sharing of IoT data between multiple organizations for
quality relevant applications. Therefore, we designed and evaluated the Veritaa
framework. The Veritaa framework comprises the Graph of Trust (GoT) as
distributed audit trail and a DLT to immutably store the transactions that build
the GoT. The contributions of this thesis are summarized as follows. First, we
designed and evaluated the GoT a DLT-based Distributed Public Key Infrastructure
(DPKI) with a signature store. Second, we designed a Distributed
Calibration Certificate Infrastructure (DCCI) based on the GoT, which makes
quality-relevant maintenance information of IoT devices auditable. Third, we
designed an Auditable Positioning System (APS) to make positions in the IoT
auditable. Finally, we designed an Location Verification System (LVS) to verify
location claims and prevent physical layer attacks against the APS. All these
components are integrated into the GoT and build the distributed audit trail.
We implemented a real-world testbed to evaluate the proposed distributed audit
trail. This testbed comprises several custom-built IoT devices connectable
over Long Range Wide Area Network (LoRaWAN) or Long-Term Evolution
Category M1 (LTE Cat M1), and a Bluetooth Low Energy (BLE)-based Angle
of Arrival (AoA) positioning system. All these low-power devices can manage
their identity and secure their data on the distributed audit trail using the IoT
client of the Veritaa framework. The experiments suggest that a distributed
audit trail is feasible and secure, and the low-power IoT devices are capable
of performing the required cryptographic functions. Furthermore, the energy
overhead introduced by making the IoT auditable is limited and reasonable
for quality-relevant applications
IMPLEMENTING PROPOSED IEEE 1588 INTEGRATED SECURITY MECHANISM
The IEEE 1588 Precision Time Protocol is the industry standard for precise time synchronization, used in applications such as the power grid, telecommunications, and audio-video bridging, among many others. However, the standard\u27s recommendations on how to secure the protocol are lacking, and thus have not been widely adopted. A new revision of IEEE 1588 is currently being developed, which will include revised specifications regarding security. The aim of this thesis is to explore the feasibility of the proposed security mechanism, specifically as it would apply to use in the power grid, through implementation and evaluation.
The security mechanism consists of two verification approaches, immediate and delayed; we implemented both approaches on top of PTPd, an existing open source implementation of PTP. We support the immediate verification security approach using manual key management at startup, and we support the delayed verification security approach emulating automated key management for a set of security parameters corresponding to one manually configured time period. In our experiments, we found that added performance cost for both verification approaches was within 30 ÎĽs, and PTP synchronization quality remained intact when security was enabled. This work should increase awareness and accelerate the adoption of the proposed security mechanism in the power industry
SCFS: A Shared Cloud-backed File System
Despite of their rising popularity, current cloud storage services and cloud-backed storage systems still have some limitations related to reliability, durability assurances and inefficient file sharing. We present SCFS, a cloud-backed file system that addresses these issues and provides strong consistency and near-POSIX semantics on top of eventually-consistent cloud storage services. SCFS provides a pluggable backplane that allows it to work with various storage clouds or a cloud-of-clouds (for added dependability). It also exploits some design opportunities inherent in the current cloud services through a set of novel ideas for cloud-backed file systems: always write and avoid reading, modular coordination, private name spaces and consistency anchors.
Enabling always on service discovery: WI-FI neighbor awareness networking (NAN)
2015 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.”There is untapped potential in the WiFi radios embedded in our smartphone and tablet devices. In this article we introduce the WiFi Neighbor Awareness Networking technology being standardized in the WiFi Alliance (R), which leverages this potential by allowing handheld devices to continuously discover other interesting services and devices while operating in the background in an energy-efficient way. In addition, we present a thorough performance evaluation based on packet-level simulations that illustrates the performance of WiFi NAN to be expected in realistic scenarios.Postprint (author's final draft
TLS/PKI Challenges and certificate pinning techniques for IoT and M2M secure communications
Transport Layer Security is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on Public Key Infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, the article provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current Certificate Pinning solutions in order to illustrate the potential problems that should be addressed
- …