699 research outputs found

    Making the Distribution Subsystem Secure

    This report presents how the Distribution Subsystem is made secure. A set of different security threats to a shared data programming system are identified. The report presents the extensions necessary to the DSS in order to cope with the identified security threats by maintaining reference security. A reference to a shared data structure cannot be forged or guessed; only by proper delegation can a thread acquire access to data originating at remote processes. Referential security is a requirement for secure distributed applications. By programmatically restricting access to distributed data to trusted nodes, a distributed application can be made secure. However, for this to be true, referential security must be supported on the level of the implementation

    Secret Sharing for Cloud Data Security

    Cloud computing helps reduce costs, increase business agility and deploy solutions with a high return on investment for many types of applications. However, data security is of premium importance to many users and often restrains their adoption of cloud technologies. Various approaches, i.e., data encryption, anonymization, replication and verification, help enforce different facets of data security. Secret sharing is a particularly interesting cryptographic technique. Its most advanced variants indeed simultaneously enforce data privacy, availability and integrity, while allowing computation on encrypted data. The aim of this paper is thus to wholly survey secret sharing schemes with respect to data security, data access and costs in the pay-as-you-go paradigm

    Towards Securing Peer-to-peer SIP in the MANET Context: Existing Work and Perspectives

    The Session Initiation Protocol (SIP) is a key building block of many social applications, including VoIP communication and instant messaging. In its original architecture, SIP heavily relies on servers such as proxies and registrars. Mobile Ad hoc NETworks (MANETs) are networks comprised of mobile devices that communicate over wireless links, such as tactical radio networks or vehicular networks. In such networks, no fixed infrastructure exists and server-based solutions need to be redesigned to work in a peer-to-peer fashion. We survey existing proposals for the implementation of SIP over such MANETs and analyze their security issues. We then discuss potential solutions and their suitability in the MANET context

    Enabling Identity for the IoT-as-a-Service Business Model

    The IoT-as-a-Service (IoTaaS) business model has already been identified by some people from both industry and academia, but has not been formally defined. IoTaaS offers IoT devices on demand, with considerable cost savings and resource optimization. In addition, it enables different applications to reuse the existing devices. However, this business model is associated with different technological challenges that need to be addressed, one of which is the identity problem. Focusing on this, self-sovereign identity (SSI) schemes have proven to provide better privacy and scalability than traditional identity paradigms, which is especially important in the IoT owing to its characteristics. In this paper, we formally analyze an IoTaaS business model, identifying and detailing its main technological challenges. In addition, we tackle the identity problem of this business model and propose an SSI-based identity management system, which is compliant with the existing standards from the W3C, and include a performance evaluation. This work was supported in part by the Basque Country Government through the Collaborative Research Grants Program in Strategic Areas (ELKARTEK) Program by the Project TRUSTIND under Grant KK-2020/00054 and in part by the Spanish Government-Ministry of Science and Innovation through the Project AI4ES-2021 under Grant CER-20211030 and through the Project SICRAC under Grant PID2020-114495RB-I0

    CANE: A Controlled Application Environment for privacy protection in ITS

    Many of the applications proposed for intelligent transportation systems (ITS) need to process and communicate detailed personal identifiable information. Examples are detailed location traces or unique identifiers for authentication towards paid services. Existing applications often run as monolithic black boxes inside users’ cars. Hence, users cannot verify that applications behave as expected. We propose CANE, an application sandboxing approach that enhances user control over privacy properties while, at the same time, supporting common application requirements. CANE makes privacy-relevant application properties explicit and allows their analysis and enforcement during application runtime. We evaluate CANE using a common ITS use case and demonstrate feasibility with a proof-of-concept implementation

    Teaching self-sovereign identity

    For service providers, secure and reliable identification of users is essential to provide their services. From a user perspective, traditional identifiers are currently solved by centralized entities who have the capacity to control not only the creation of the identifier, but also the withdrawal. Moreover, in most cases more personal information is being provided than needs to be demonstrated. A blockchain-based Self-Sovereign Identity (SSI) provides a secure and reliable identification method for service providers, gives the user self-control of the identifier, and enables a way to provide just the essential information that is needed to get the service. This paper aims to make two practical documents; the first one being an introductory practice to get started with this topic and the second one that consists of developing a simple SSI login system for web services offered to university students.

    TSKY: a dependable middleware solution for data privacy using public storage clouds

    Dissertation submitted to obtain the degree of Master in Informatics Engineering. This dissertation aims to take advantage of the virtues offered by data storage cloud based systems on the Internet, proposing a solution that avoids security issues by combining different providers’ solutions in a vision of a cloud-of-clouds storage and computing. The solution, TSKY System (or Trusted Sky), is implemented as a middleware system, featuring a set of components designed to establish and to enhance conditions for security, privacy, reliability and availability of data, with these conditions being secured and verifiable by the end-user, independently of each provider. These components implement cryptographic tools, including threshold and homomorphic cryptographic schemes, combined with encryption, replication, and dynamic indexing mechanisms. The solution allows data management and distribution functions over data kept in different storage clouds, not necessarily trusted, improving and ensuring resilience and security guarantees against Byzantine faults and attacks. The generic approach of the TSKY system model and its implemented services are evaluated in the context of a Trusted Email Repository System (TSKY-TMS System). The TSKY-TMS system is a prototype that uses the base TSKY middleware services to store mailboxes and email messages in a cloud-of-clouds