
    Supporting authorize-then-authenticate for wi-fi access based on an electronic identity infrastructure

    Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation, the eIDAS Network, which allows mutual recognition of citizens' eIDs across countries, is now in operation. We discuss authorization before authentication, also known as authorize-then-authenticate (AtA), in services exploiting the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node, which transfers some personal attributes to other Member States, via the eIDAS protocol, upon successful authentication of a person in his/her home country. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service. We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to implement access control decisions before the person is authenticated through the eIDAS Network with his/her national eID. The Wi-Fi access service is in high demand in public and private places (e.g. shops, hotels, etc.), but its use typically involves users' registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, so it might be exploited for a more secure and widely available Wi-Fi access service for citizens with no prior registration, by leveraging their national eIDs. We first propose a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We then describe the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deployment issues that may impact the acceptance of the service by users and its exploitation on a large scale.

    Electronic identification for universities: Building cross-border services based on the eIDAS infrastructure

    The European Union (EU) Regulation 910/2014 on electronic IDentification, Authentication, and trust Services (eIDAS) for electronic transactions in the internal market went into effect on 29 September 2018, meaning that EU Member States are required to recognize the electronic identities issued in the countries that have notified their eID schemes. Technically speaking, a unified interoperability platform, named the eIDAS infrastructure, has been set up to connect the EU countries' national eID schemes, allowing a person to authenticate in their home EU country when accessing services provided by an eIDAS-enabled Service Provider (SP) in another EU country. The eIDAS infrastructure allows the transfer of authentication requests and responses back and forth between its nodes, transporting basic attributes about a person, e.g., name, surname, date of birth, and a so-called eIDAS identifier. However, to build new eIDAS-enabled services in specific domains, additional attributes are needed. We describe our approach to retrieve and transport new attributes through the eIDAS infrastructure, and we detail their exploitation in a selected set of academic services. First, we describe the definition of and the support for the additional attributes in the eIDAS nodes. We then present a solution for their retrieval from our university. Finally, we detail the design, implementation, and installation of two eIDAS-enabled academic services at our university: the eRegistration in the Erasmus student exchange program and the Login facility with national eIDs on the university portal.

    Data set and machine learning models for the classification of network traffic originators

    The widespread adoption of encryption in computer network traffic is increasing the difficulty of analyzing such traffic for security purposes. The data set presented in this data article is composed of network statistics computed on captures of TCP flows originated by executing various network stress and web crawling tools, along with statistics of benign web browsing traffic. Furthermore, this data article describes a set of Machine Learning models, trained using the described data set, which can classify network traffic by the tool category (network stress tool, web crawler, web browser), the specific tool (e.g., Firefox), and also the tool version (e.g., Firefox 68) used to generate it. These models are compatible with the analysis of traffic with encrypted payload, since the statistics are evaluated only on the TCP headers of the packets. The data presented in this article can be useful to train and assess the performance of new Machine Learning models for tool classification.

    Offloading security applications into the network

    Users currently experience different levels of protection when accessing the Internet via their various personal devices and network connections, due to variable network security conditions and the security applications available on each device. The SECURED project addresses these issues by designing an architecture to offload security applications from the end-user devices to a suitable trusted node in the network: the Network Edge Device (NED). Users populate a repository with their security applications and policy, which will then be fetched by the closest NED to protect the user's traffic when they connect to a network. This setting provides uniform protection, independent of the actual user device and network location (e.g. public WiFi hotspot or 3G mobile connection). In other words, this architecture fosters a user-centric approach, as opposed to the current device- or network-based security scheme, with cost and protection benefits while simultaneously enabling new business models for service and network providers.

    Economic impact of remote monitoring on ordinary follow-up of implantable cardioverter defibrillators as compared with conventional in-hospital visits: a single-center prospective and randomized study

    Few data are available on the actual follow-up costs of remote monitoring (RM) of implantable cardioverter defibrillators (ICD). Our study aimed at assessing the current direct costs of 1-year ICD follow-up based on RM compared with conventional quarterly in-hospital follow-ups. Methods and results: Patients (N=233) with indications for ICD were consecutively recruited and randomized at implant to be followed up for 1 year with standard quarterly in-hospital visits or by RM with one in-hospital visit at 12 months, unless additional in-hospital visits were required due to specific patient conditions or RM alarms. Costs were calculated distinguishing between provider and patient costs, excluding RM device and service cost. The frequency of scheduled in-hospital visits was lower in the RM group than in the control arm. Follow-up required 47 min per patient/year in the RM arm versus 86 min in the control arm (p=0.03) for the involved physicians, generating cost estimates for the provider of USD 45 and USD 83 per patient/year, respectively. Costs for nurses were comparable. Overall, the costs associated with RM and standard follow-up were USD 103±27 and 154±21 per patient/year, respectively (p=0.01). RM was cost-saving for the patients: USD 97±121 per patient/year in the RM group versus 287±160 per patient/year (p=0.0001). Conclusion: The time spent by the hospital staff was significantly reduced in the RM group. If the costs for the device and service are not charged to patients or the provider, patients could save about USD 190 per patient/year while the hospital could save USD 51 per patient/year.