Ioannis Broustis

Group authentication: A new paradigm for emerging applications

Traditional secure registration protocols rely on client-server authentication procedures. This concept has been extended to support single client registration to multiple servers, using “single sign-on” protocols. In this paper, we design a framework to solve the “reverse single sign-on” problem: How can multiple clients securely register with the same server/network in a single registration procedure? The main advantage of our framework is that it allows multiple clients to register with an infrastructure, such as a cellular network, as a “group,” yet generate individual session keys as well as a group session key. With this, the process of authenticating a large number of clients is greatly simplified, thereby dramatically reducing overheads. With a view towards simplifying the exposition, we describe how our framework can be applied for performing group authentication of devices in the machine-to-machine context. While this is an immediate area of application, we outline other extensions of the framework in the application layer including webcasting in a social networking environment.

Detecting and preventing machine-to-machine hijacking attacks in cellular networks

Machine-to-machine (M2M) communications are increasingly popular over cellular networks, due to their unlimited potential and the low cost of deployment. As a result, M2M infrastructures are attractive targets to attackers. For instance, hackers may use a water meter to browse the web over a mobile network. Given the expected tremendous growth of the M2M market within the next few years, such attacks can have a devastating impact on the economics of mobile broadband. However, prior studies in the area of fraud have not considered the inherent properties of cellular M2M deployments. In this paper, we demonstrate how hijacking attacks apply to contemporary networks, and provide a solution for mitigating them. In particular, we propose a novel framework for detecting and preventing M2M device hijacking. Our solution is novel in two main ways: 1) It is network centric, and 2) it completely avoids the use of overhead-intensive cryptographic functions.

MAC Layer Throughput Estimation in Impulse-Radio UWB Networks

The inherent channel characteristics of impulse-based UWB networks affect the MAC layer performance significantly. Most previous studies on evaluating MAC protocols are based on prolonged simulations and do not account for the multiple access interference due to multipath delay spread. In this work, we develop CTU, an analytical framework for Capturing the Throughput dependencies in UWB networks, while taking into account the PHY layer effects. The key attributes of CTU are: 1) It is modular; it can be easily modified to provide a basis for evaluating a wide range of MAC protocols for impulse-based UWB networks. The only requirements are that the MAC protocol under study be based on time-hopping and the modulation scheme be pulse position modulation; these are common design decisions in UWB networks. 2) It considers the channel characteristics in addition to MAC layer effects; CTU correlates probabilistically the multipath delay profile of the channel with the packet error rate. We employ CTU to evaluate the performance of different generic medium access procedure. We compare the results with those from extensive simulations and show the high accuracy of CTU. We use CTU to assess the impact of various system parameters on the MAC layer performance; we make several interesting observations that are discussed in depth.

Secure enablement of real time applications: A novel end-to-end approach

The Internet has evolved into a multi-service Internet Protocol (IP) network with support for various types of traffic, including multimedia. Given the relatively open nature of IP networks, securely enabling multimedia services is increasingly important. While protocols such as Secure Real Time Protocol (SRTP) provide container formats for various applications, the supporting security solutions lack end-to-end secure key management. In this paper, we propose a novel secure key management framework targeted for real time applications in multi-operator environments. In particular, by leveraging an Identity-Based Authenticated Key Exchange (IBAKE) protocol, we develop secure key management solutions to support two-party communications, conferencing applications, call forking, call redirect, and deferred delivery. Our framework eliminates the need for costly public key infrastructure (PKI) or other online solutions, overcomes the problem of key escrow while providing perfect forward and backwards secrecy, and works across applications and media types. Overall, our solution opens-up new lines of research and business opportunities in secure application enablement.