Authentication and Authorization (2014 Year in Review) Part 1

SoS Newsletter



Authentication & Authorization
(2014 Year in Review)
Part 1


Authentication and authorization are cornerstones of computer security. As systems become larger, faster and more complex, existing authentication and authorization methods and protocols are showing their limits. The research cited here explores new methods and techniques: intrusion-tolerant authentication infrastructures, delegated authentication and authorization for constrained IoT devices, mutual authentication for mobile and vehicular networks, federated identity and AAA for cloud and research infrastructures, and attribute- and role-based access control. All of the work presented here was published in 2014.


Kreutz, D.; Bessani, A.; Feitosa, E.; Cunha, H., "Towards Secure and Dependable Authentication and Authorization Infrastructures," Dependable Computing (PRDC), 2014 IEEE 20th Pacific Rim International Symposium on, pp. 43-52, 18-21 Nov. 2014. doi: 10.1109/PRDC.2014.14

Abstract: We propose a resilience architecture for improving the security and dependability of authentication and authorization infrastructures, in particular the ones based on RADIUS and OpenID. This architecture employs intrusion-tolerant replication, trusted components and untrusted gateways to provide survivable services ensuring compatibility with standard protocols. The architecture was instantiated in two prototypes, one implementing RADIUS and another implementing OpenID. These prototypes were evaluated in fault-free executions, under faults, under attack, and in diverse computing environments. The results show that, beyond being more secure and dependable, our prototypes are capable of achieving the performance requirements of enterprise environments, such as IT infrastructures with more than 400k users.

Keywords: authorisation; software fault tolerance; IT infrastructures; OpenID; RADIUS; authentication dependability; authentication infrastructures; authentication security; authorization infrastructures; diverse computing environments; enterprise environments; fault-free executions; intrusion-tolerant replication; resilience architecture; trusted components; untrusted gateways; Authentication; Logic gates; Protocols; Public key; Servers; OpenID; RADIUS; authentication and authorization services; dependability; intrusion tolerance; security   (ID#:15-4045)
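The intrusion-tolerant replication the abstract relies on can be illustrated with the standard reply-voting rule used by clients of Byzantine-fault-tolerant services. The following Python is an added example, not code from Kreutz et al.'s prototypes: it assumes a constructed credential store, a gateway that queries n = 3f+1 authentication replicas, and the rule that a verdict returned by at least f+1 replicas is accepted (when at most f replicas are faulty, any verdict reaching f+1 includes a correct replica's answer). A compromised replica that always accepts and a crashed replica that never answers are modelled explicitly.

```python
import hashlib
import hmac
from collections import Counter


# Constructed credential store shared by all replicas: user -> (salt, PBKDF2 hash).
# The fixed salt and low iteration count are for the offline demo only (assumption).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _derive("correct horse battery", _SALT))}


class Replica:
    """One replica of the authentication service.

    `compromised` models an intruder who controls the replica and makes it
    accept every login; `crashed` models a replica that does not answer.
    """

    def __init__(self, rid: int, compromised: bool = False, crashed: bool = False):
        self.rid = rid
        self.compromised = compromised
        self.crashed = crashed

    def authenticate(self, user: str, password: str):
        if self.crashed:
            return None
        if self.compromised:
            return "accept"              # attacker-controlled verdict
        entry = USERS.get(user)
        if entry is None:
            return "reject"
        salt, stored = entry
        ok = hmac.compare_digest(_derive(password, salt), stored)
        return "accept" if ok else "reject"


def gateway_decide(replicas, user: str, password: str, f: int) -> str:
    """Gateway-side voting: with n >= 3f+1 replicas and at most f faulty ones,
    a verdict returned by at least f+1 replicas was produced by at least one
    correct replica, so it is the verdict a correct service would give."""
    if len(replicas) < 3 * f + 1:
        raise ValueError("need at least 3f+1 replicas")
    votes = Counter()
    for r in replicas:
        verdict = r.authenticate(user, password)
        if verdict is not None:          # ignore crashed / silent replicas
            votes[verdict] += 1
    for verdict, count in votes.items():
        if count >= f + 1:
            return verdict
    return "undecided"                   # not enough matching replies: fail closed


def demo_cluster():
    # f = 1: four replicas, one compromised (always accepts), one crashed.
    return [Replica(0), Replica(1, crashed=True), Replica(2, compromised=True), Replica(3)]


def demo():
    cluster = demo_cluster()
    return {
        "good_password": gateway_decide(cluster, "alice", "correct horse battery", f=1),
        "bad_password": gateway_decide(cluster, "alice", "wrong", f=1),
        "unknown_user": gateway_decide(cluster, "mallory", "x", f=1),
    }
```

With four replicas and f = 1, the compromised replica's lone "accept" never reaches the f+1 threshold; when too many replicas are silent the gateway answers "undecided" instead of guessing, which is the fail-closed behaviour an authentication front end needs. The real architecture additionally has to authenticate each reply (the abstract's trusted components and public keys); this sketch only shows the voting rule.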



Hummen, R.; Shafagh, H.; Raza, S.; Voigt, T.; Wehrle, K., "Delegation-based Authentication and Authorization for the IP-based Internet of Things," Sensing, Communication, and Networking (SECON), 2014 Eleventh Annual IEEE International Conference on, pp. 284-292, 30 June-3 July 2014. doi: 10.1109/SAHCN.2014.6990364

Abstract: IP technology for resource-constrained devices enables transparent end-to-end connections between a vast variety of devices and services in the Internet of Things (IoT). To protect these connections, several variants of traditional IP security protocols have recently been proposed for standardization, most notably the DTLS protocol. In this paper, we identify significant resource requirements for the DTLS handshake when employing public-key cryptography for peer authentication and key agreement purposes. These overheads particularly hamper secure communication for memory-constrained devices. To alleviate these limitations, we propose a delegation architecture that offloads the expensive DTLS connection establishment to a delegation server. By handing over the established security context to the constrained device, our delegation architecture significantly reduces the resource requirements of DTLS-protected communication for constrained devices. Additionally, our delegation architecture naturally provides authorization functionality when leveraging the central role of the delegation server in the initial connection establishment. Hence, in this paper, we present a comprehensive, yet compact solution for authentication, authorization, and secure data transmission in the IP-based IoT. The evaluation results show that compared to a public-key-based DTLS handshake our delegation architecture reduces the memory overhead by 64 %, computations by 97 %, and network transmissions by 68 %.

Keywords: IP networks; Internet of Things; cryptographic protocols; public key cryptography; DTLS connection; DTLS protocol; IP security protocols; IP-based Internet of Things; authorization functionality; delegation server; delegation-based authentication; key agreement purposes; memory-constrained devices; peer authentication; public-key cryptography; Context; Protocols; Public key cryptography; Random access memory; Servers   (ID#:15-4046)



Durmus, Y.; Langendoen, K., "Wifi Authentication Through Social Networks — A Decentralized And Context-Aware Approach," Pervasive Computing and Communications Workshops (PERCOM Workshops), 2014 IEEE International Conference on, pp. 532-538, 24-28 March 2014. doi: 10.1109/PerComW.2014.6815263

Abstract: With the proliferation of WiFi-enabled devices, people expect to be able to use them everywhere, be it at work, while commuting, or when visiting friends. In the latter case, home owners are confronted with the burden of controlling the access to their WiFi router, and usually resort to simply sharing the password. Although convenient, this solution breaches basic security principles, and puts the burden on the friends who have to enter the password in each and every of their devices. The use of social networks, specifying the trust relations between people and devices, provides for a more secure and more friendly authentication mechanism. In this paper, we progress the state-of-the-art by abandoning the centralized solution to embed social networks in WiFi authentication; we introduce EAP-SocTLS, a decentralized approach for authentication and authorization of WiFi access points and other devices, exploiting the embedded trust relations. In particular, we address the (quadratic) search complexity when indirect trust relations, like the smartphone of a friend's kid, are involved. We show that the simple heuristic of limiting the search to friends and devices in physical proximity makes for a scalable solution. Our prototype implementation, which is based on WebID and EAP-TLS, uses WiFi probe requests to determine the pool of neighboring devices and was shown to reduce the search time from 1 minute for the naive policy down to 11 seconds in the case of granting access over an indirect friend.

Keywords: authorisation; message authentication; search problems; social networking (online); telecommunication security; trusted computing; ubiquitous computing; wireless LAN; EAP-SocTLS; EAP-TLS; WebID; WiFi authentication; WiFi router; WiFi-enabled devices; authentication mechanism; authorization; context-aware approach; decentralized approach; embedded trust relations; heuristic; password; physical proximity; quadratic search complexity; search time reduction; security principles; smartphone; social networks; Authentication; Authorization; IEEE 802.11 Standards; Probes; Protocols; Servers; Social network services; EAP-SocTLS; EAP-TLS; Social Devices; WebID; WiFi Authentication and Authorization   (ID#:15-4047)



Ben Ameur, S.; Zarai, F.; Smaoui, S.; Obaidat, M.S.; Hsiao, K.F., "A Lightweight Mutual Authentication Mechanism For Improving Fast PMIPV6-Based Network Mobility Scheme," Network Infrastructure and Digital Content (IC-NIDC), 2014 4th IEEE International Conference on, pp. 61-68, 19-21 Sept. 2014. doi: 10.1109/ICNIDC.2014.7000266

Abstract: In the last decade, the demand for Internet access in heterogeneous environments has kept growing, principally on mobile platforms such as buses, airplanes and trains. Consequently, several extensions and schemes have been introduced to achieve seamless handoff of mobile networks from one subnet to another. Even with these enhancements, the problem of maintaining security and availability has not been resolved yet, especially the absence of an authentication mechanism between network entities to avoid vulnerability to attacks. To eliminate the threats on the interface between the mobile access gateway (MAG) and the mobile router (MR) in the improving fast PMIPv6-based network mobility (IFP-NEMO) protocol, we propose a lightweight mutual authentication mechanism in the improving fast PMIPv6-based network mobility scheme (LMAIFPNEMO). This scheme uses authentication, authorization and accounting (AAA) servers to enhance the security of the IFP-NEMO protocol, which allows the integration of improved fast proxy mobile IPv6 (PMIPv6) in network mobility (NEMO). We use only symmetric cryptographic primitives, generated nonces and hash operations to ensure a secure authentication procedure. We then analyze the security of the proposed scheme and evaluate it using the automated validation of Internet security protocols and applications (AVISPA) tool, which proved that the authentication goals are achieved.

Keywords: mobility management (mobile radio); protocols; telecommunication security; AAA servers; AVISPA software; IFP-NEMO protocol; Internet access; LMAIFPNEMO; MAG; MR; NEMO; PMIPV6 based network mobility scheme; authentication authorization and accounting; automated validation of internet security protocols and applications; lightweight mutual authentication mechanism; mobile access gateway; mobile platforms; mobile router; network mobility; secure authentication procedure; Authentication; Handover; Mobile communication; Mobile computing; Protocols; AVISPA; authentication; network mobility; proxy mobile IPv6; security   (ID#:15-4048)
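The abstract describes an authentication procedure built only from a shared symmetric key, fresh nonces and keyed hash operations. The Python below is an added example illustrating that construction as a generic three-message nonce challenge-response; it is not the LMAIFPNEMO message format from the paper. It assumes the AAA server has already provisioned a shared key to the MR and the MAG (here a constructed constant), uses HMAC-SHA256 as the hash primitive, and derives a session key from both nonces once each side has verified the other.

```python
import hashlib
import hmac
import os

# Constructed long-term key. In the abstract's setting it would be delivered to
# the mobile router (MR) and mobile access gateway (MAG) by the AAA server;
# here it is a fixed demo value (assumption).
DEMO_KEY = hashlib.sha256(b"constructed demo MR/MAG key").digest()
OTHER_KEY = hashlib.sha256(b"a different key held by an impostor").digest()


def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label plus length-prefixed fields, so that the
    message-2 tag, message-3 tag and session key can never collide."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Party:
    def __init__(self, ident: bytes, key: bytes):
        self.id = ident
        self.key = key
        self.nonce = None            # our fresh nonce for this run
        self.peer_id = None
        self.peer_nonce = None
        self.session_key = None


def mr_hello(mr: Party):
    """Message 1, MR -> MAG: identity and a fresh nonce."""
    mr.nonce = os.urandom(16)
    return (mr.id, mr.nonce)


def mag_challenge(mag: Party, msg1):
    """Message 2, MAG -> MR: MAG's nonce and a MAC binding both identities
    and both nonces; only a holder of the shared key can produce it."""
    mag.peer_id, mag.peer_nonce = msg1
    mag.nonce = os.urandom(16)
    tag = _mac(mag.key, b"msg2", mag.peer_id, mag.id, mag.peer_nonce, mag.nonce)
    return (mag.id, mag.nonce, tag)


def mr_response(mr: Party, msg2):
    """MR verifies the MAG (freshness comes from MR's own nonce being covered),
    derives the session key, and answers with a MAC under a different label."""
    mag_id, mag_nonce, tag = msg2
    expected = _mac(mr.key, b"msg2", mr.id, mag_id, mr.nonce, mag_nonce)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAG authentication failed")
    mr.peer_id, mr.peer_nonce = mag_id, mag_nonce
    mr.session_key = _mac(mr.key, b"session", mr.id, mag_id, mr.nonce, mag_nonce)
    return (mr.id, _mac(mr.key, b"msg3", mr.id, mag_id, mr.nonce, mag_nonce))


def mag_verify(mag: Party, msg3) -> bool:
    """MAG verifies the MR; freshness comes from MAG's own nonce."""
    mr_id, tag = msg3
    expected = _mac(mag.key, b"msg3", mr_id, mag.id, mag.peer_nonce, mag.nonce)
    if mr_id != mag.peer_id or not hmac.compare_digest(tag, expected):
        raise ValueError("MR authentication failed")
    mag.session_key = _mac(mag.key, b"session", mr_id, mag.id, mag.peer_nonce, mag.nonce)
    return True


def run_handshake(mr_key: bytes, mag_key: bytes) -> bool:
    """Run one full exchange; True when both sides authenticated and agree on
    the session key. Raises ValueError when either verification fails."""
    mr, mag = Party(b"MR-1", mr_key), Party(b"MAG-7", mag_key)
    msg1 = mr_hello(mr)
    msg2 = mag_challenge(mag, msg1)
    msg3 = mr_response(mr, msg2)
    mag_verify(mag, msg3)
    return mr.session_key == mag.session_key


def impersonation_rejected() -> bool:
    """A MAG that does not hold the shared key cannot complete the exchange."""
    try:
        run_handshake(DEMO_KEY, OTHER_KEY)
    except ValueError:
        return True
    return False
```

Distinct labels for message 2, message 3 and the session key, plus length-prefixed fields, prevent a tag from one message being replayed or reflected as another; freshness for each side comes from its own nonce being covered by the tag it verifies. Properties of this kind are what a model checker such as the abstract's AVISPA is used to confirm.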



Hyun-Suk Chai; Jun-Dong Cho; Jongpil Jeong, "On Security-Effective and Global Mobility Management for FPMIPv6 Networks," Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2014 Eighth International Conference on, pp. 247-253, 2-4 July 2014. doi: 10.1109/IMIS.2014.91

Abstract: In a PMIPv6-based network, mobile nodes can be made smaller and lighter because the network nodes perform the mobility management-related functions on behalf of the mobile nodes. One of the protocols, Fast Handovers for Proxy Mobile IPv6 (FPMIPv6) [1], was studied by the Internet Engineering Task Force (IETF). Since FPMIPv6 adopts the entities and the concepts of Fast Handovers for Mobile IPv6 (FMIPv6) in Proxy Mobile IPv6 (PMIPv6), it reduces packet loss. The conventional scheme has been proposed to cooperate with an Authentication, Authorization and Accounting (AAA) infrastructure for authentication of a mobile node in PMIPv6. Despite the fact that this approach resulted in the best efficiency, without securing signaling messages from the beginning, PMIPv6 is vulnerable to various security threats and does not support global mobility. In this paper, the authors analyzed the Kang-Park and ESS-FH schemes, and proposed an Enhanced Security scheme for FPMIPv6 (ESS-FP). Based on the CGA method and public key cryptography, ESS-FP provides a strong key exchange and key independence in addition to improving the weaknesses of FPMIPv6, and its handover latency was analyzed and compared with that of the Kang-Park scheme and ESS-FH.

Keywords: cryptographic protocols; mobility management (mobile radio); public key cryptography; CGA method; FPMIPv6 networks; IETF; Internet Engineering Task Force; Kang-Park-ESS-FH scheme; authentication-authorization-accounting infrastructure; enhanced security scheme; fast handover-proxy mobile IPv6; global mobility management; handover latency; mobile node authentication; network node; packet loss reduction; protocols; public key cryptography; security threats; security-effective mobility management; Authentication; Handover; Manganese; Public key cryptography; AAA; CGA; ESS-FP; FPMIPv6; Security Analysis   (ID#:15-4049)



Memon, A.S.; Jensen, J.; Cernivec, A.; Benedyczak, K.; Riedel, M., "Federated Authentication and Credential Translation in the EUDAT Collaborative Data Infrastructure," Utility and Cloud Computing (UCC), 2014 IEEE/ACM 7th International Conference on, pp. 726-731, 8-11 Dec. 2014. doi: 10.1109/UCC.2014.118

Abstract: One of the challenges in a distributed data infrastructure is how users authenticate to the infrastructure, and how their authorisations are tracked. Each user community comes with its own established practices, all different, and users are put off if they need to use new, difficult tools. From the perspective of the infrastructure project, the level of assurance must be high enough, and it should not be necessary to reimplement an authentication and authorisation infrastructure (AAI). In the EUDAT project, we chose to implement a mostly loosely coupled approach based on the outcome of the Contrail and Unicore projects. We have preferred a practical approach, combining the outcome of several projects who have contributed parts of the puzzle. The present paper aims to describe the experiences with the integration of these parts. Eventually, we aim to have a full framework which will enable us to easily integrate new user communities and new services.

Keywords: authorisation; groupware; AAI; Contrail project; EUDAT collaborative data infrastructure; Unicore project; authentication and authorisation infrastructure; credential translation; distributed data infrastructure; federated authentication; Authentication; Authorization; Bridges; Communities; Portals; Servers; EUDAT; OAuth; Open ID; PKI; SAML; federated identity management   (ID#:15-4050)



Toseef, U.; Zaalouk, A.; Rothe, T.; Broadbent, M.; Pentikousis, K., "C-BAS: Certificate-Based AAA for SDN Experimental Facilities," Software Defined Networks (EWSDN), 2014 Third European Workshop on, pp. 91-96, 1-3 Sept. 2014. doi: 10.1109/EWSDN.2014.41

Abstract: Efficient authentication, authorization, and accounting (AAA) management mechanisms will be key for the widespread adoption of SDN experimentation facilities beyond the confines of academic labs. In particular, we are interested in a robust AAA infrastructure to identify experimenters, police their actions based on the associated roles, facilitate secure resource sharing, and provide for detailed accountability. Currently, however, said facilities are forced to employ a patchy AAA infrastructure which lacks several of the aforementioned features. This paper proposes a certificate-based AAA architecture for SDN experimental facilities, which is by design both secure and flexible. As this work is implementation-driven and aims for a short deployment cycle in current facilities, we also outline a credible migration path which we are currently pursuing actively.

Keywords: authorisation; computer network management; software defined networking; C-BAS; SDN experimentation facilities; authentication authorization and accounting management mechanisms; certificate-based AAA architecture; patchy AAA infrastructure; robust AAA infrastructure; Aggregates; Authentication; Authorization; Computer architecture; Databases; Public key; Servers   (ID#:15-4051)



Sah, S.K.; Shakya, S.; Dhungana, H., "A Security Management For Cloud Based Applications And Services with Diameter-AAA," Issues and Challenges in Intelligent Computing Techniques (ICICT), 2014 International Conference on, pp. 6-11, 7-8 Feb. 2014. doi: 10.1109/ICICICT.2014.6781243

Abstract: Cloud computing offers various services and web-based applications over the Internet. With the tremendous growth in the development of cloud-based services, security is the main challenge and today's concern for cloud service providers. This paper describes the management of security issues based on Diameter AAA mechanisms for authentication, authorization and accounting (AAA) demanded by cloud service providers, and focuses on the integration of Diameter AAA into the cloud system architecture.

Keywords: authorisation; cloud computing; Internet; Web based applications; authentication, authorization and accounting; cloud based applications; cloud based services; cloud computing; cloud service providers; cloud system architecture; diameter AAA mechanisms; security management; Authentication; Availability; Browsers; Computational modeling; Protocols; Servers; Cloud Computing; Cloud Security; Diameter-AAA   (ID#:15-4052)



Toukabri, T.; Said, A.M.; Abd-Elrahman, E.; Afifi, H., "Cellular Vehicular Networks (CVN): ProSe-Based ITS in Advanced 4G Networks," Mobile Ad Hoc and Sensor Systems (MASS), 2014 IEEE 11th International Conference on, pp. 527-528, 28-30 Oct. 2014. doi: 10.1109/MASS.2014.100

Abstract: LTE-based Device-to-Device (D2D) communications have been envisioned as a new key feature for short range wireless communications in advanced and beyond 4G networks. We propose in this work to exploit this novel concept of D2D as a new alternative for Intelligent Transportation Systems (ITS) Vehicle-to-Vehicle/Infrastructure (V2X) communications in next generation cellular networks. A 3GPP standard architecture has been recently defined to support Proximity Services (ProSe) in the LTE core network. Taking into account the limitations of the latter and the requirements of ITS services and V2X communications, we propose the CVN solution as an enhancement to the ProSe architecture in order to support hyper-local ITS services. CVN provides a reliable and scalable LTE-assisted opportunistic model for V2X communications through a distributed ProSe architecture. Using a hybrid clustering approach, vehicles are organized into dynamic clusters that are formed and managed by ProSe Cluster Heads which are elected centrally by the CVN core network. ITS services are deemed as Proximity Services and benefit from the basic ProSe discovery, authorization and authentication mechanisms. The CVN solution enhances V2V communication delays and overhead by reducing the need for multi-hop geo-routing. Preliminary simulation results show that the CVN solution provides short setup times and improves ITS communication delays.

Keywords: 4G mobile communication; cellular radio; intelligent transportation systems; CVN; CVN core network; D2D communications; ITS; LTE based device-to-device; LTE core network; ProSe; V2X communications; advanced 4G networks; cellular vehicular networks; distributed ProSe architecture; dynamic clusters; intelligent transportation systems; next generation cellular networks; proximity services; vehicle-to-vehicle/infrastructure; Authorization; Clustering algorithms; Delays; Logic gates; Protocols; Radio access networks; Vehicles; D2D; ITS; LTE; ProSe; clustering   (ID#:15-4053)



Patil, A.; Pandit, R.; Patel, S., "Implementation of Security Framework For Multiple Web Applications," Computer Communication and Informatics (ICCCI), 2014 International Conference on, pp. 1-7, 3-5 Jan. 2014. doi: 10.1109/ICCCI.2014.6921787

Abstract: Single sign-on (SSO) is an identity management technique that provides users the ability to use multiple Web services with one set of credentials. However, when the authentication server is down or unavailable, users cannot access Web services, even if the services are operating normally. Therefore, enabling continuous use is important in single sign-on. In this paper, we present a security framework to overcome the credential problems of accessing multiple web applications. We explain the system functionality with authorization and authentication, and consider these methods from the viewpoint of continuity, security and efficiency, which makes the framework highly secure.

Keywords: Web services; security of data; Web applications; Web services; authentication server; credential problems; identity management technique; security framework implementation; single sign-on; Authentication; Authorization; Computers; Encryption; Informatics; Servers; Identity Management System; MD5; OpenID; proxy signature; single sign-on   (ID#:15-4054)



Friedman, A.; Hu, V.C., "Attribute Assurance For Attribute Based Access Control," IT Professional Conference (IT Pro), 2014, pp. 1-3, 22 May 2014. doi: 10.1109/ITPRO.2014.7029296

Abstract: In recent years, Attribute Based Access Control (ABAC) has evolved as the preferred logical access control methodology in the Department of Defense and Intelligence Community, as well as many other agencies across the federal government. Gartner recently predicted that "by 2020, 70% of enterprises will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from less than 5% today." A definition and introduction to ABAC can be found in NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, and Intelligence Community Policy Guidance (ICPG) 500.2, Attribute-Based Authorization and Access Management. Within ABAC, attributes are used to make critical access control decisions, yet standards for attribute assurance have just started to be researched and documented. This presentation outlines factors influencing attributes that an authoritative body must address when standardizing attribute assurance and proposes some notional implementation suggestions for consideration. Attribute Assurance brings a level of confidence to attributes that is similar to levels of assurance for authentication (e.g., guidelines specified in NIST SP 800-63 and OMB M-04-04). There are three principal areas of interest when considering factors related to Attribute Assurance. Accuracy establishes the policy and technical underpinnings for semantically and syntactically correct descriptions of Subjects, Objects, or Environmental conditions. Interoperability considers different standards and protocols used for secure sharing of attributes between systems in order to avoid compromising the integrity and confidentiality of the attributes or exposing vulnerabilities in provider or relying systems or entities. Availability ensures that the update and retrieval of attributes satisfy the application to which the ABAC system is applied. In addition, the security and backup capability of attribute repositories need to be considered. Similar to a Level of Assurance (LOA), a Level of Attribute Assurance (LOAA) assures a relying party that the attribute value received from an Attribute Provider (AP) is accurately associated with the subject, resource, or environmental condition to which it applies. An Attribute Provider (AP) is any person or system that provides subject, object (or resource), or environmental attributes to relying parties regardless of transmission method. The AP may be the original, authoritative source (e.g., an Applicant). The AP may also receive information from an authoritative source for repacking or store-and-forward (e.g., an employee database) to relying parties, or they may derive the attributes from formulas (e.g., a credit score). Regardless of the source of the AP's attributes, the same standards should apply to determining the LOAA. As ABAC is implemented throughout government, attribute assurance will be a critical, limiting factor in its acceptance. With this presentation, we hope to encourage dialog between attribute relying parties, attribute providers, and federal agencies that will be defining standards for ABAC in the immediate future.

Keywords: authorisation; open systems; ABAC; AP; Department of Defense and Intelligence Community; ICPG; Intelligence Community Policy Guidance; LOAA; access management; attribute assurance; attribute based access control; attribute confidentiality; attribute integrity; attribute provider; attribute repositories; attribute retrieval; attribute update; attribute-based authorization; critical assets protection; environmental attributes; interoperability; level of attribute assurance; object attributes; subject attributes; Access control; Communities; Educational institutions; NIST; National security   (ID#:15-4055)
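A minimal policy decision point with the Level of Attribute Assurance (LOAA) folded into the decision, as an added example in Python (not code from the presentation or from NIST SP 800-162): each attribute carries the LOAA claimed by its Attribute Provider, the relying party caps that claim by how far it trusts the provider, and every policy rule states the minimum LOAA it needs. The policy, the providers, the trust caps and the LOAA scale of 1 to 4 are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Attribute:
    value: Any
    loaa: int        # level of attribute assurance claimed by the provider (1..4, assumed scale)
    provider: str    # attribute provider (AP) that asserted the value


# How far the relying party trusts each AP: a provider can never confer more
# assurance than its own cap, whatever LOAA it claims (constructed values).
PROVIDER_CAPS = {"hr-db": 3, "pki-ca": 4, "net-sensor": 2, "self-asserted": 1}

# A rule is (attribute name, predicate on the value, minimum LOAA required).
Rule = Tuple[str, Callable[[Any], bool], int]

# Constructed policy: analysts with SECRET clearance may read SECRET objects
# from the internal network. Clearance and classification must be high-assurance.
POLICY: List[Rule] = [
    ("subject.clearance", lambda v: v in ("SECRET", "TOP_SECRET"), 3),
    ("subject.role", lambda v: v == "analyst", 2),
    ("object.classification", lambda v: v == "SECRET", 3),
    ("env.network", lambda v: v == "internal", 1),
]


def effective_loaa(attr: Attribute, caps: Dict[str, int]) -> int:
    """Unknown providers get 0; known ones are capped by the trust table."""
    return min(attr.loaa, caps.get(attr.provider, 0))


def evaluate(policy: List[Rule], attrs: Dict[str, Attribute], caps: Dict[str, int]):
    """Return ("Permit", reason) or ("Deny", reason). Assurance is checked
    before the value, so a correct-looking but weakly asserted attribute
    is rejected rather than trusted."""
    for name, satisfied, min_loaa in policy:
        attr = attrs.get(name)
        if attr is None:
            return ("Deny", f"missing attribute {name}")
        loaa = effective_loaa(attr, caps)
        if loaa < min_loaa:
            return ("Deny", f"{name}: assurance {loaa} below required {min_loaa}")
        if not satisfied(attr.value):
            return ("Deny", f"{name}={attr.value!r} does not satisfy policy")
    return ("Permit", "all conditions satisfied with sufficient assurance")


def _base_request(clearance: Attribute) -> Dict[str, Attribute]:
    """Constructed request; only the clearance attribute varies between demos."""
    return {
        "subject.clearance": clearance,
        "subject.role": Attribute("analyst", 3, "hr-db"),
        "object.classification": Attribute("SECRET", 4, "pki-ca"),
        "env.network": Attribute("internal", 2, "net-sensor"),
    }


def decide_hr_asserted():
    """Clearance asserted by the HR database (cap 3): Permit."""
    return evaluate(POLICY, _base_request(Attribute("SECRET", 3, "hr-db")), PROVIDER_CAPS)


def decide_self_asserted():
    """Same clearance value, but self-asserted: Deny on assurance, not on value."""
    return evaluate(POLICY, _base_request(Attribute("SECRET", 4, "self-asserted")), PROVIDER_CAPS)


def decide_unknown_provider():
    """A provider the relying party has no trust relationship with: Deny."""
    return evaluate(POLICY, _base_request(Attribute("SECRET", 4, "unknown-ap")), PROVIDER_CAPS)
```

The point of checking assurance before the value is that the two self-asserted and unknown-provider requests carry exactly the value the policy wants; a decision point that looks only at values would permit both. Capping the claimed LOAA by a per-provider trust table is one way to apply "the same standards regardless of the source", as the abstract asks.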



Fatemi Moghaddam, F.; Varnosfaderani, S.D.; Mobedi, S.; Ghavam, I.; Khaleghparast, R., "GD2SA: Geo Detection And Digital Signature Authorization For Secure Accessing To Cloud Computing Environments," Computer Applications and Industrial Electronics (ISCAIE), 2014 IEEE Symposium on, pp. 39-42, 7-8 April 2014. doi: 10.1109/ISCAIE.2014.7010206

Abstract: Cloud computing is a new paradigm and emerging technology for hosting and delivering resources over a network such as the Internet by using the concepts of virtualization, processing power and storage. However, many challenging issues are still unclear in cloud-based environments and decrease the rate of reliability and efficiency for service providers and users. User authentication is one of the most challenging issues in cloud-based environments, and according to this issue this paper proposes an efficient user authentication model that involves both of the defined phases during the registration and accessing processes. Geo Detection and Digital Signature Authorization (GD2SA) is a user authentication tool for provisional access permission in cloud computing environments. The main aim of GD2SA is to compare the location of an unregistered device with the location of the user by using the devices belonging to him (e.g. smart phone). In addition, this authentication algorithm uses the digital signature of the account owner to verify the identity of the applicant. This model has been evaluated in this paper according to three main parameters: efficiency, scalability, and security. Overall, the theoretical analysis of the proposed model showed that it can increase the rate of efficiency and reliability in cloud computing as an emerging technology.

Keywords: authorisation; cloud computing; digital signatures; virtualisation; GD2SA; Internet; cloud computing; digital signature authorization; geo detection; secure access; user authentication; virtualization; Authentication; Authorization; Cloud computing; Computational modeling; Digital signatures; Reliability; Cloud Computing; Geo-Detection; Second Verification; Security; User Authentication   (ID#:15-4056)



Balamurugan, B; Krishna, P.Venkata; Ninnala Devi, M; Meenakshi, R; Ahinaya, V, "Enhanced Framework For Verifying User Authorization And Data Correctness Using Token Management System In The Cloud," Circuit, Power and Computing Technologies (ICCPCT), 2014 International Conference on, pp. 1443-1447, 20-21 March 2014. doi: 10.1109/ICCPCT.2014.7054925

Abstract: Cloud computing is an application and set of services provided through the Internet. Although it is an emerging technology for shared infrastructure, it lacks an access rights and security mechanism. As it lacks security for the cloud users, our system focuses only on the security provided through the token management system. It is based on the Internet, where computing is done through virtual shared servers providing infrastructure, software, platform and security as services, in which security plays an important role in the cloud service. Hence, this security has been given with three types of services: mutual authentication, directory services and token granting for the resources. Since the existing token issuing mechanism does not provide scalability to large data sets and also increases the memory overhead between the client and the server, our proposed work focuses on providing tokens to the users, which addresses the problem of scalability and memory overhead. The proposed framework of the token management system monitors the entire operations of the cloud, thereby managing the entire cloud infrastructure. Our model comes under the new category of cloud model known as "Security as a Service". This paper provides the security framework as an architectural model to verify user authorization and data correctness of the stored resource, thereby providing a guarantee to the data owner for their resource stored in the cloud. This framework also describes the secure storage of tokens, and facilitates the search and usage of tokens for auditing purposes and supervision of the users.

Keywords: Authentication; Cloud computing; Computers; Databases; Educational institutions; Servers; Access control; Token Management System   (ID#:15-4057)



Cherkaoui, A.; Bossuet, L.; Seitz, L.; Selander, G.; Borgaonkar, R., "New Paradigms For Access Control In Constrained Environments," Reconfigurable and Communication-Centric Systems-on-Chip (ReCoSoC), 2014 9th International Symposium on, pp. 1-4, 26-28 May 2014. doi: 10.1109/ReCoSoC.2014.6861362

Abstract: The Internet of Things (IoT) is here: more than 10 billion units are already connected and five times more devices are expected to be deployed in the next five years. Technological standardization and the management and fostering of rapid innovation by governments are among the main challenges of the IoT. However, security and privacy are the key to making the IoT reliable and trusted. Security mechanisms for the IoT should provide features such as scalability, interoperability and lightness. This paper addresses authentication and access control in the frame of the IoT. It presents Physical Unclonable Functions (PUF), which can provide cheap, secure, tamper-proof secret keys to authenticate constrained M2M devices. To be successfully used in the IoT context, this technology needs to be embedded in a standardized identity and access management framework. On the other hand, the Embedded Subscriber Identity Module (eSIM) can provide cellular connectivity with scalability, interoperability and standard-compliant security protocols. The paper discusses an authorization scheme for a constrained resource server taking advantage of PUF and eSIM features. Concrete IoT use cases are discussed (SCADA and building automation).

Keywords: Internet of Things; authorisation; message authentication; mobile computing; open systems; private key cryptography; Internet of Things; IoT; PUF; SCADA; access control; access management framework; authentication; authorization scheme; building automation; cellular connectivity; constrained M2M devices; constrained resource server; eSIM; embedded subscriber identity module; identity management framework; interoperability; physical unclonable functions; standard compliant security protocols; tamper-proof secret keys; Authentication; Authorization; Field programmable gate arrays; Oscillators; Reliability; Servers   (ID#:15-4058)



Gerdes, S.; Bergmann, O.; Bormann, C., "Delegated Authenticated Authorization for Constrained Environments," Network Protocols (ICNP), 2014 IEEE 22nd International Conference on, pp. 654-659, 21-24 Oct. 2014. doi: 10.1109/ICNP.2014.104

Abstract: Smart objects are small devices with limited system resources, typically made to fulfill a single simple task. By connecting smart objects and thus forming an Internet of Things, the devices can interact with each other and their users and support a new range of applications. Due to the limitations of smart objects, common security mechanisms are not easily applicable. Small message sizes and the lack of processing power severely limit the devices' ability to perform cryptographic operations. This paper introduces a protocol for delegating client authentication and authorization in a constrained environment. The protocol describes how to establish a secure channel based on symmetric cryptography between resource-constrained nodes in a cross-domain setting. A resource-constrained node can use this protocol to delegate authentication of communication peers and management of authorization information to a trusted host with less severe limitations regarding processing power and memory.

Keywords: Internet of Things; cryptographic protocols; Internet of Things; client authentication; constrained environments; cross-domain setting; delegated authenticated authorization; protocol; resource-constrained node; smart objects; symmetric cryptography; trusted host; Authentication; Authorization; Face; Peer-to-peer computing; Performance evaluation; Protocols   (ID#:15-4059)
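The delegation pattern that both this abstract and the Hummen et al. abstract above describe, a trusted and resource-rich host that authenticates the client and makes the authorization decision so that the constrained node only has to verify symmetric MACs, can be sketched as follows. This Python is an added example; it is neither the protocol of Gerdes et al. nor the DTLS session handover of Hummen et al. It assumes an authorization manager that shares one key per resource server, issues a short-lived ticket from which it derives a pre-shared key for the client, and a client that obtained ticket and key over an already authenticated channel to the manager (not modelled). The fixed clock, identifiers and access-control list are constructed.

```python
import hashlib
import hmac
import json

NOW = 1_700_000_000                     # fixed clock for the offline demo (assumption)


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 with a label so ticket tags, PSKs and request tags differ."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


class AuthorizationManager:
    """Trusted host with ample resources. Shares one symmetric key with each
    constrained resource server (RS) and holds the access-control list, so the
    RS never has to evaluate policy or authenticate clients itself."""

    def __init__(self, rs_keys, acl):
        self.rs_keys = rs_keys     # rs_id -> key shared with that RS
        self.acl = acl             # (client_id, rs_id) -> set of "METHOD path"

    def issue_ticket(self, client_id: str, rs_id: str, scope, now: int, ttl: int = 300):
        """Return (ticket, tag, psk). The PSK reaches the client over the
        already authenticated client<->manager channel (assumed, not modelled)."""
        granted = self.acl.get((client_id, rs_id), set())
        denied = set(scope) - granted
        if denied:
            raise PermissionError(f"{client_id} not allowed {sorted(denied)} on {rs_id}")
        ticket = json.dumps(
            {"c": client_id, "rs": rs_id, "scope": sorted(scope), "exp": now + ttl},
            sort_keys=True, separators=(",", ":")).encode()   # canonical bytes
        key = self.rs_keys[rs_id]
        return ticket, _mac(key, b"ticket", ticket), _mac(key, b"psk", ticket)


class ResourceServer:
    """Constrained node: one shared key, one MAC to check per ticket and one
    per request. No client database, no public-key operations."""

    def __init__(self, rs_id: str, key: bytes):
        self.rs_id, self.key = rs_id, key

    def handle(self, ticket: bytes, tag: bytes, method: str, path: str,
               req_tag: bytes, now: int) -> str:
        if not hmac.compare_digest(tag, _mac(self.key, b"ticket", ticket)):
            return "401 bad ticket"                # forged or tampered
        t = json.loads(ticket)
        if t["rs"] != self.rs_id:
            return "401 ticket for another server"
        if now >= t["exp"]:
            return "401 ticket expired"
        if f"{method} {path}" not in t["scope"]:
            return "403 out of scope"
        psk = _mac(self.key, b"psk", ticket)       # same derivation as the manager
        if not hmac.compare_digest(req_tag, _mac(psk, b"req", f"{method} {path}".encode())):
            return "401 bad request MAC"           # ticket replayed without the PSK
        return "200 ok"


def client_request(rs: ResourceServer, grant, method: str, path: str, now: int) -> str:
    """Client presents the ticket and proves PSK possession on each request."""
    ticket, tag, psk = grant
    req_tag = _mac(psk, b"req", f"{method} {path}".encode())
    return rs.handle(ticket, tag, method, path, req_tag, now)


def demo():
    rs_key = hashlib.sha256(b"constructed key shared by manager and sensor-1").digest()
    am = AuthorizationManager({"sensor-1": rs_key},
                              {("client-a", "sensor-1"): {"GET /temp"}})
    rs = ResourceServer("sensor-1", rs_key)
    grant = am.issue_ticket("client-a", "sensor-1", ["GET /temp"], NOW)
    # A client widening its own scope invalidates the manager's tag.
    forged = (grant[0].replace(b'"GET /temp"', b'"GET /temp","PUT /temp"'), grant[1], grant[2])
    return {
        "in_scope": client_request(rs, grant, "GET", "/temp", NOW + 10),
        "out_of_scope": client_request(rs, grant, "PUT", "/temp", NOW + 10),
        "expired": client_request(rs, grant, "GET", "/temp", NOW + 600),
        "forged": client_request(rs, forged, "PUT", "/temp", NOW + 10),
    }
```

The constrained side does three cheap things: one MAC over the ticket, a few field comparisons, and one MAC over the request. Everything expensive, client authentication and policy evaluation, happened on the manager, which is the resource shift both abstracts are after. Binding the PSK to the ticket bytes means a ticket captured on the wire is useless without the key the manager gave only to the authorized client.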



Gvoqing Lu; Lingling Zhao; Kuihe Yang, "The Design Of The Secure Transmission And Authorization Management System Based on RBAC," Machine Learning and Cybernetics (ICMLC), 2014 International Conference on, vol. 1, pp. 103-108, 13-16 July 2014. doi: 10.1109/ICMLC.2014.7009100

Abstract: This paper designs a secure transmission and authorization management system which is based on the principles of Public Key Infrastructure and Role-Based Access Control. It can solve the problems of identity authentication, secure transmission and access control on the Internet. In the first place, according to PKI principles, a certificate authority system is implemented. It can issue and revoke server-side and client-side digital certificates. Secure data transmission is achieved through the combination of digital certificates and the SSL protocol. In addition, this paper analyses the access control mechanism and the RBAC model. The structure of the RBAC model has been improved. The principle of group authority is added into the model and the combination of centralized authority and distributed authority management is adopted, so the model becomes more flexible.

Keywords: Internet; authorisation; public key cryptography; Internet; PKI principles; RBAC model; Role-based access control; SSL protocol; authorization management system; centralized authority; certificate authority system; client-side digital certificate; data secure transmission; distributed authority management; group authority; identity authentication; public key infrastructure; server-side digital certificate; Abstracts; Authorization; Electronic government; Internet; Aspect-oriented programming; Digital certificate; E-Government; MVC model; PKI; RBAC   (ID#:15-4060)



Mercy, S.S.; Srikanth, G.U., "An Efficient Data Security System For Group Data Sharing In Cloud System Environment," Information Communication and Embedded Systems (ICICES), 2014 International Conference on, pp. 1, 4, 27-28 Feb. 2014. doi: 10.1109/ICICES.2014.7033956

Abstract: Cloud computing delivers services to users who have a reliable internet connection. In the secure cloud, services are stored and shared by multiple users because of lower cost and data maintenance. Sharing data is the vital intention of cloud data centres. On the other hand, storing sensitive information is the privacy concern of the cloud. The cloud service provider has to protect the stored client documents and applications in the cloud by encrypting the data to provide data integrity. Designing proficient document sharing among the group members in the cloud is a difficult task because of group user membership changes and conserving document and group user identity confidentiality. To propose a fortified data sharing scheme in a secret manner for providing efficient group revocation, the Advanced Encryption Standard scheme is used. The proposed system contributes efficient group authorization, authentication, confidentiality, access control and document security. To provide more data security, the Advanced Encryption Standard algorithm is used to encrypt the document. By asserting security and confidentiality, this proficient method securely shares the document among multiple cloud users.

Keywords: authorisation; cloud computing; cryptography; data privacy; document handling; software maintenance; software reliability; Internet connection reliability; access control; authentication; authorization; cloud computing; cloud data centres; cloud system environment; confidentiality; data encryption; data security advanced encryption standard algorithm; document conservation; document security; efficient data security system; group data sharing; group revocation advanced encryption standard scheme; group user identity confidentiality; group user membership change; privacy concern; proficient document sharing; sensitive information storage; Authorization; Cloud computing; Encryption; Servers; Cloud Computing; Document Sharing; Dynamic Group; Group Authorization   (ID#:15-4061)



Pawlowski, M.P.; Jara, A.J.; Ogorzalek, M.J., "Extending Extensible Authentication Protocol over IEEE 802.15.4 Networks," Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2014 Eighth International Conference on, pp. 340, 345, 2-4 July 2014. doi: 10.1109/IMIS.2014.93

Abstract: Internet into our physical world and making it present everywhere. This evolution is also raising challenges in issues such as privacy and security. For that reason, this work is focused on the integration and lightweight adaptation of existing authentication protocols, which are also able to offer authorization and access control functionalities. In particular, this work is focused on the Extensible Authentication Protocol (EAP). EAP is a widely used protocol for access control in local area networks, such as wireless (802.11) and wired (802.3). This work presents an integration of the EAP frame into IEEE 802.15.4 frames, demonstrating that the EAP protocol and some of its mechanisms are feasible to apply in constrained devices, such as the devices that are populating IoT networks.

Keywords: Internet; Zigbee; authorisation; computer network security; cryptographic protocols; wireless LAN; EAP; IEEE 802.15.4 networks; Internet; IoT networks; access control functionality; authorization; extensible authentication protocol; local area networks; Authentication; IEEE 802.15 Standards; Internet; Payloads; Protocols; Servers; 802.1X; Authentication; EAP; IEEE 802.15.4; Internet of Things; Security   (ID#:15-4062)



Chakaravarthi, S.; Selvamani, K.; Kanimozhi, S.; Arya, P.K., "An Intelligent Agent Based Privacy Preserving Model For Web Service Security," Electrical and Computer Engineering (CCECE), 2014 IEEE 27th Canadian Conference on, pp. 1, 5, 4-7 May 2014. doi: 10.1109/CCECE.2014.6901164

Abstract: Web Service (WS) plays an important role in today's world to provide effective services for humans, and these web services are built with the standards of SOAP, WSDL & UDDI. This technology enables various service providers to register and service sender their intelligent agent based privacy preserving model services to utilize the service over the internet through pre-established networks. Also, accessing these services needs to be secured and protected from various types of attacks in the network environment. Exchanging data between two applications on a secure channel is a challenging issue in today's communication world. Traditional security mechanisms such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Internet Protocol Security (IPSec) are able to resolve this problem partially; hence this research paper proposes the privacy preserving protocol named HTTPI to secure the communication more efficiently. This HTTPI protocol satisfies the QoS requirements, such as authentication, authorization, integrity and confidentiality, at various levels of the OSI layers. This work also ensures the QoS that covers non-functional characteristics like performance (throughput), response time, security, reliability and capacity. This proposed intelligent agent based model results in excellent throughput, good response time and increases the QoS requirements.

Keywords: Web services; data privacy; electronic data interchange; multi-agent systems; quality of service; security of data; HTTPI protocol; IP Sec; Internet; Internet Protocol Security; OSI layers; QoS requirements; SOAP; SSL; TLS; Transport Layer Security; UDDI; WSDL; Web service security; data exchange; intelligent agent based privacy preserving model; secure channel; secured socket layer; Cryptography; Protocols; Quality of service; Simple object access protocol; XML; intelligent agent; privacy preserving; quality of services; uddi; web services   (ID#:15-4063)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.