Publication


Featured research published by Maider Huarte.


Iet Information Security | 2012

Ladon: end-to-end authorisation support for resource-deprived environments

Jasone Astorga; Eduardo Jacob; Maider Huarte; Marivi Higuero

The authors present Ladon, an enhanced version of Kerberos which extends the original protocol with authorisation capacity and relaxes the necessity of clock synchronisation by adding to the protocol special limited-lifetime nonces. This way, although all entities need timers, only the clocks of the two servers that constitute the key distribution centre must be synchronised with each other. The design of this protocol is motivated by the emergence of a new trend of applications in which sensors and low-capacity devices become tiny information or application servers directly addressable by any Internet-connected entity. Despite the huge potential of these environments, security is probably the greatest barrier to their long-term success. To address this issue, Ladon allows for end-to-end pair-wise key establishment in an authenticated and authorised manner, while keeping the introduced storage, computational and communication overhead very low. The security analysis with the AVISPA formal validation tool shows that the protocol meets the stated security goals, whereas the performance analysis shows that the overhead of the protocol is bounded and comparable to that of other security protocols which provide even less functionalities.


Computer Standards & Interfaces | 2014

A proposal to contribute to ITS standardization activity: A valuable network mobility management approach

Nerea Toledo; Marivi Higuero; Maider Huarte; Jon Matias; Eduardo Jacob; Juan José Unzilla

The introduction of communication services in the demanding ITS scenarios strongly relies on the existence of technologies that enable mobility and security. ITS related standardization bodies, mainly ISO and ETSI, are actively producing and developing new specifications in this regard. In this paper, we study those ITS standards related to security and communication efficiency and analyze the suitability of our NeMHIP protocol, in order to be considered for ITS scenarios. NeMHIP provides secure mobility while at the same time constitutes a framework to protect user data and services. In addition, despite being based on the introduction of a new namespace, its introduction in the current Internet architecture is considered affordable. Aware of the need to satisfy users for having a new technology accepted in a certain scenario, we have also assessed analytically the efficiency of our approach. Specifically, in this paper we analyze and compare the handover signaling delay with the standardized NEMO BS protocol, showing that our approach provides satisfactory results and outperforms it in specific cases. Moreover, we present the results obtained by means of a simulation tool, and show that QoS requirements for the demanding video streaming application are fulfilled. All of these features make our approach a candidate for being considered by standardization organizations and a valuable facility for ensuring secure and efficient communications in the ITS.


2014 Third European Workshop on Software Defined Networks | 2014

Integrating Complex Legacy Systems under OpenFlow Control: The DOCSIS Use Case

Victor Fuentes; Jon Matias; Alaitz Mendiola; Maider Huarte; Juanjo Unzilla; Eduardo Jacob

The possibility to deploy telecommunication services based on the availability of a fully flow-aware network is an appealing possibility. Concepts like Network Service Chaining and Network Function Virtualization expect the information to be manageable at the flow level. But, for this concept to be available for the development of user-centric applications, the access network should also be made flow-aware. In this paper we present the integration of a legacy DOCSIS based access network under an OpenFlow Control Framework by using the Hardware Abstraction Layer designed in the FP7 ALIEN project. The result is a dynamic wide area OpenFlow switch that spawns from the aggregation switch to the home equipment and hides all the complexity (including the provisioning) of the access technology to an unmodified and standard OpenFlow controller. As a result, the access network can react not only to any kind of user traffic but also to the connection of CPE to the network. The approach used is technology independent, and the results have been successfully demonstrated over a Cisco based DOCSIS access network.


IEEE Access | 2018

Expressive Policy-Based Access Control for Resource-Constrained Devices

Mikel Uriarte; Jasone Astorga; Eduardo Jacob; Maider Huarte; Manuel Carnerero

Upcoming smart scenarios enabled by the Internet of Things envision smart objects that expose services that can adapt to user behavior or be managed with the goal of achieving higher productivity, often in multi-stakeholder applications. In such environments, smart things are cheap sensors (and actuators) and, therefore, constrained devices. However, they are also critical components because of the importance of the provided information. Therefore, strong security is a must. Nevertheless, existing feasible approaches do not cope well with the principle of least privilege; they lack both expressiveness and the ability to update the policy to be enforced in the sensors. In this paper, we propose an access control model that comprises a policy language that provides dynamic fine-grained policy enforcement in the sensors based on local context conditions. This dynamic policy cycle requires a secure, efficient, and traceable message exchange protocol. For that purpose, a security protocol called Hidra is also proposed. A security and performance evaluation demonstrates the feasibility and adequacy of the proposed protocol and access control model.


IEEE Symposium on Security and Privacy | 2008

An Optical Scan E-Voting System based on N-Version Programming

Iñaki Goirizelaia; Maider Huarte; Juanjo Unzilla; Ted Selker

This article presents Demotek, a multi-agent prototype for an electronic voting system based on optical character recognition technology. Trade-offs in voter training, ease of use, security, and coercion across various systems are considered for the purpose of recognizing achievable improvements. Based on the use of N-version programming techniques, we propose improvements to Demotek, including those in security and new capabilities. This case study demonstrates how the voters authentication system and vote data transmission could further simplify and improve the electoral process by adding these new capabilities to the electronic voting system using N-version programming.


Nets4Cars/Nets4Trains'11 Proceedings of the Third international conference on Communication technologies for vehicles | 2011

The MIH (media independent handover) contribution to mobility management in a heterogeneous railway communication context: a IEEE802.11/802.16 case study

Marina Aguado; Jasone Astorga; Jon Matias; Maider Huarte

In this paper we propose the use of the IEEE802.21 protocol in the railway context to enhance the highly frequent, repeated and foreseeable handovers between different radio access technologies. This standard specifies IEEE802 media access-independent mechanisms that optimize handovers between heterogeneous IEEE802 systems and between IEEE 802 systems and cellular systems. The global aim is to contribute to develop a seamless layer that provides independence to the application layers from the radio access technology underneath. A case study with two out of the most popular radio access technologies, IEEE802.11 and IEEE 802.16 is undertaken.


Archive | 2019

Survey on Access Control Models Feasible in Cyber-Physical Systems

Mikel Uriarte; Jasone Astorga; Eduardo Jacob; Maider Huarte; Oscar López

Security is a key aspect in the development of innovative and valuable services based on Cyber-Physical Systems (CPSs). In the last years, the research area related to CPS security has received a significant attention, dealing with the design of different architectures, security protocols, and policy models. However, beyond monitoring data publishing behavior, CPSs are expected to offer some manageability-related services, and the proper fine-grained and flexible access control model remains challenging due to both criticality and feasibility. In fact, traditional security countermeasures cannot be applied directly to any sensor in CPS scenarios, because they are too resource-consuming and not optimized for resource-deprived devices. Different access control models facing both feasibility and enforcement tightness are arising as a way to solve the mentioned issues related to resource limitations, and this study provides a deep survey on them.


International Conference on Information and Software Technologies | 2016

Evaluation of a Mobility Approach to Support Vehicular Applications Using a Realistic Simulation Framework

Nerea Toledo; Marivi Higuero; Maider Huarte; Juanjo Unzilla

The connected vehicle is becoming a reality. Internet access onboard will indeed increase road safety and security thanks to the cooperative networking that it is expected among vehicles, roadside units and the Internet. Moreover, this connectivity will bring innovative driving assistance services and infotainment alike services for end users. This fact is endorsed by standardisation bodies like the ETSI or the 5G-PPP that are actively working on the definition of these innovative services and setting their requirements. The connected vehicle poses technological challenges that need to be addressed. The mobility has to be managed regardless the location of the vehicles to ensure connectivity. At the same time the required security and performance levels for the applications need to be ensured. In this paper, we present a realistic simulation framework to evaluate vehicular applications while the protocol to manage the mobility, NeMHIP, is running underneath. The simulation framework is based on the integration of the OMNeT++, SUMO, VEINS and VsimRTI simulation tools. Obtained results have been compared with the requirements defined by the 5G-PPP automotive white paper, ITU-T Y.1541 and 3GPP TS 22.105 standards with satisfactory results. Thus, we demonstrate that the NeMHIP protocol is suitable because it fulfils the requirements of the applications while it provides an essential mobility service. In addition, this work shows the validity of the simulation framework.


Telecommunication Systems | 2016

A compatibility strategy for enabling secure and efficient ITS communications in today's Internet

Nerea Toledo; Marivi Higuero; Jasone Astorga; Juanjo Unzilla; Aitor Urtasun; Maider Huarte

Emerging communication services in the intelligent transportation systems (ITS) scenario have recently considered the provision of Internet services because this fact will aid in safety purposes and will offer a wide scope of applications to end users. Consequently, and considering the ITS scenario a specific mobile networking context (several connection capable nodes moving at the same time), mobile communications should provide the required security level as well as efficiency. In this regard, mobility management is the key aspect in this scenario so the mobility protocol underneath has to ensure those properties. In this article, thanks to the security and efficiency properties it provides from its design, we consider the NeMHIP protocol an appropriate alternative for managing mobility in the ITS context. Nevertheless, NeMHIP entails challenges when being introduced in the current legacy Internet architecture. In order to deal with these issues, this article proposes a compatibility strategy. This strategy involves a novel naming resolution procedure based on the definition of an evolved DNS resolution process. As a result, mobile networks can securely and efficiently move along the current Internet, using most common communication services transparently. We have implemented the compatibility solution in a testbed, validated its functionality and design correctness to assess its feasibility. Obtained results demonstrate the feasibility of the proposed strategy.


Computer Networks | 2016

An architecture for dynamic QoS management at Layer 2 for DOCSIS access networks using OpenFlow

Alaitz Mendiola; Victor Fuentes; Jon Matias; Jasone Astorga; Nerea Toledo; Eduardo Jacob; Maider Huarte

Over the last few years, Software-Defined Networking (SDN) has emerged as one of the most disruptive and profitable novelties in networking. SDN was originally conceived to improve performance and reduce costs in Ethernet-based networks and it has been widely adopted in data center and campus networks. Similarly, thanks to the introduction of SDN concepts, access networks will benefit from the higher control, the lower maintenance costs and the better remote access to devices of SDN. However, its application to access networks is not straightforward and imposes great challenges to vendors and network operators, since current SDN technologies are not prepared to handle the provisioning of user equipment, specific port management or QoS requirements of common access networks. Most recent trends dealing with the SDN-ization of access networks advocate for the use of simple devices at the customer premises and the virtualization of the networking functionalities, requiring the provisioning of Layer 2 services in many cases. In such a scenario, this paper presents an architecture that brings SDN to common access networks using legacy equipment. In a nutshell, the architecture is based on the abstraction of the access network as a wide area OpenFlow switch where QoS-enabled pipes are dynamically created leveraging the high granularity of the OpenFlow protocol for packet classification. Furthermore, the OpenFlow protocol itself has been extended in order to support the advanced QoS requirements that are common to most access networks. The architecture has been implemented for DOCSIS access networks and it has been validated and evaluated using a real testbed deployed at our laboratory. The obtained results show that the architecture remains compliant with the ITU-T QoS recommendations and that the cost of introducing the elements required by the architecture in terms of service performance is negligible.

Collaboration


Dive into Maider Huarte's collaboration.

Top Co-Authors

Eduardo Jacob

University of the Basque Country

Jasone Astorga

University of the Basque Country

Jon Matias

University of the Basque Country

Iñaki Goirizelaia

University of the Basque Country

Juanjo Unzilla

University of the Basque Country

Marivi Higuero

University of the Basque Country

Nerea Toledo

University of the Basque Country

Victor Fuentes

University of the Basque Country

Juan José Unzilla

University of the Basque Country

Alaitz Mendiola

University of the Basque Country