4 research outputs found

    Protocolos de intercambio racional

    An exchange protocol describes a sequence of steps by which several entities are capable of exchanging certain pieces of information in a particular context. Rational-exchange protocols serve that core purpose with several important advantages over the existing exchange paradigms, those referred to as fair-exchange solutions. Traditional fair-exchange protocols impose strong restrictions on the protocol execution context. They ensure fairness to participants but at the expense of entities such as TTPs (trusted third parties) having to be involved in the exchange. By contrast, rational schemes, although not ensuring fairness, assure that rational entities would have no reason to deviate from the steps described in the protocol, and have the enormous advantage of not needing the services of a TTP. Rational-exchange protocols therefore represent the only viable option in many modern ad-hoc and unstructured environments. The main goal of this thesis is to apply concepts from Game Theory to both the analysis and design of rational-exchange protocols. In our opinion, significant contributions have been made in both directions:

    - In terms of the formal analysis of these schemes, our work has focused on the proposal of two extensions to an existing formalism. The viability and effectiveness of our proposals is corroborated by the application of both formalisms to the analysis and verification of several exchange schemes.
    - With regard to the design of rational protocols, our approach is based on applying heuristic search to automate the process, and to generate exchange protocols which can be proven rational within an underlying game theoretical framework. Experimental work is carried out to illustrate the proposed methodology in a particular three-entity exchanging scenario as well as in several randomized environments. Different heuristic techniques are implemented and their results compared, measuring success rates and the average number of protocols evaluated until an optimal solution is obtained. Furthermore, as a result of this experimental work, a whole family of multi-party rational exchange protocols is presented.

    For centuries the rational behaviour of the human species has been extensively studied by philosophers, sociologists, psychologists, etc. Always regarded as an abstract concept, in the mid-twentieth century the development of Game Theory provided, for the first time, a mathematical framework for the formal definition of the rational behaviour of the entities participating in a game. Since then, Game Theory has become the mathematical model underpinning important results in fields as diverse as Biology, Economics, Artificial Intelligence and Cryptography. This work falls within the field of Rational Cryptography. Rational Cryptography arises from the application of theoretical results on games to the field of Cryptography. Nielsen et al. in [Nielsen et al., 2007] give an account of the most significant advances made so far in this recently created area. In particular, especially relevant to this thesis are the works of Syverson [Syverson, 1998] and Buttyán et al. [Buttyán, 2001], focused respectively on the design and formal analysis of secure rational exchange protocols

    A multi-agent scanner to detect stored-XSS vulnerabilities

    Proceeding of: 2010 International Conference for Internet Technology and Secured Transactions (ICITST), 8 to 11 November 2010 London, England, United Kingdom

    Cross-site scripting (XSS) has become a common vulnerability of many web sites and web applications. XSS consists in the exploitation of input validation flaws, with the purpose of injecting arbitrary script code which is later executed at the web browser of the victim. One interesting possibility to prevent this type of vulnerability is the use of vulnerability scanners. However, current scanners are capable of detecting just one of the two main modalities of XSS attacks. This paper introduces a novel multi-agent system for the automated scanning of web sites to detect the presence of XSS vulnerabilities exploitable by a stored-XSS attack. The rate of detection of the system is evaluated in two different scenarios.

    This work has been partially supported by CDTI (Ministerio de Industria, Turismo y Comercio of Spain) in collaboration with Telefonica I+D, Project SEGUR@ with reference CENIT-2007 2004

    Publicad

    Privacy-preserving and accountable on-the-road prosecution of invalid vehicular mandatory authorizations

    Nowadays, improving road safety is one of the major challenges in developed countries and, in this regard, attaining more effectiveness in the enforcement of road safety policies has become a key target. In particular, enforcing the requirements related to the technical and administrative mandatory documentation of on-the-road motor vehicles is one of the critical issues. The use of modern technologies in the context of Intelligent Transportation Systems (ITS) could enable the design of a more convenient, frequent and effective enforcement system compared to the traditional human patrol controls. In this article we propose a novel system for the on-the-fly verification of mandatory technical and administrative documentation of motor vehicles. Vehicles not complying with the required regulations will be identified and sanctioned, whereas those vehicles observant of the mandatory regulations will maintain anonymity and non-traceability of their whereabouts. The proposed system is based on the use of anonymous credentials which will be loaded onto the vehicle to automatically and on-the-fly prove holdership of required credentials without requiring the vehicle to stop beside the road. We also implement a prototype of the credential system and analyze the feasibility of our solution in terms of computational cost and time to perform such telematic controls.

    This work has been funded by grant CCG10-UC3M/TIC-5174 (project PRECIOUS) and partially by grant TIN2009-13461 (project E-SAVE).

    En prens

    Towards a privacy-respectful telematic verification system for vehicle & driver authorizations

    Poster of: Eighth Annual International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MobiQuitous 2011), Copenhagen, Denmark, 2011

    The use of ubiquitous technologies to implement a telematic on-the-road verification of driver and vehicle authorizations would provide significant benefits regarding road safety, economic costs and convenience. Privacy-aware digital credentials would enable such a service although some challenges exist. The goal of this on-going work is to address these challenges. The first contribution herein presented is an enhanced data model of driver and vehicle authorizations. Secondly, we provide an analysis of existing privacy-aware digital credential systems that may support the implementation of the system.

    This work is partially supported by Ministerio de Ciencia e Innovacion of Spain, project E-SAVE, under grant TIN2009-13461.

    Publicad