Maryline Laurent

Trust management system design for the Internet of Things: A context-aware and multi-service approach

This work proposes a new trust management system (TMS) for the Internet of Things (IoT). The wide majority of these systems are today bound to the assessment of trustworthiness with respect to a single function. As such, they cannot use past experiences related to other functions. Even those that support multiple functions hide this heterogeneity by regrouping all past experiences into a single metric. These restrictions are detrimental to the adaptation of TMSs to todays emerging M2M and IoT architectures, which are characterized with heterogeneity in nodes, capabilities and services. To overcome these limitations, we design a context-aware and multi-service trust management system fitting the new requirements of the IoT. Simulation results show the good performance of the proposed system and especially highlight its ability to deter a class of common attacks designed to target trust management systems.

Lightweight collaborative key establishment scheme for the Internet of Things

This work addresses new security issues in the Internet of Things (IoT). The heterogeneous nature of IoT communications and imbalance in resource capabilities between IoT entities make it challenging to provide the required end-to-end secured connections. Clarifying how existing security protocols can be adapted to fulfill these new challenges still has to be improved. A direct use of existing key exchange schemes between two IoT entities may be unfeasible unless both entities be able to run the resource consuming cryptographic primitives required to bootstrap them - thus leaving aside a whole class of resource-constrained devices. In this paper, we revisit existing end-to-end security standards and key establishment schemes and discuss their limitations considering the specific scenarios of the IoT. Later, we propose novel collaborative approaches for key establishment designed to reduce the requirements of these existing security protocols. A constrained device may delegate its heavy cryptographic load to less constrained nodes in neighborhood exploiting the spatial heterogeneity of IoT environment. We demonstrate through a performance analysis that our collaborative key establishment solution allows for a reduction in energy consumption at the constrained device by up to 80% in comparison with existing key establishment schemes.

Significantly improved performances of the cryptographically generated addresses thanks to ECC and GPGPU

Cryptographically Generated Addresses (CGA) are today mainly used with the Secure Neighbor Discovery Protocol (SEND). Despite CGA generalization, current standards only show how to construct CGA with the RSA algorithm and SHA-1 hash function. This limitation may prevent new usages of CGA and SEND in mobile environments where nodes are energy and storage limited. In this paper, we present the results of a performance and security study of the CGA and SEND. To significantly improve the performances of the CGA, we investigate first replacing RSA with ECC (Elliptic Curve Cryptography) and ECDSA (Elliptic Curve DSA), and second using the General-Purpose computing on Graphical Processing Units (GPGPU). Finally, a performance comparison between different hash algorithms (SHA-256, WHIRLPOOL,...) allows to prepare a better transition for the CGA when SHA-1 will be deprecated.

A Full Bandwidth ATM Firewall

In this paper we describe an architecture providing an high speed access control service for ATM networks. This architecture is based on two main components. The first one is a signalling analyser which takes the signalling information as an input and produces dynamically the configuration for our second module. This second module called IFT (Internet Fast Translator) is used to analyse the information located in the ATM cells and currently operates at 622 Mb/s. The complete architecture provides the access control at the ATM, IP and transport levels without packet reassembling.

Decisive Heuristics to Differentiate Legitimate from Phishing Sites

Phishing attacks are a major concern for preserving Internet users privacy, especially when most of them lead to financial data theft by combining both social engineering and spoofing techniques. As blacklists are not the most effective in detecting phishing sites because of their short lifetime, heuristics appears as a privileged way at time 0. Several previous studies discussed the different types of phishing characteristics that can help defining heuristics tests, as well as comparing them to blacklists. In our paper, we studied heuristics using a different approach. Based on the characteristics of phishing URLs and webpages, we defined 20 heuristics tests and implemented them in our own active anti-phishing toolbar (Phishark). Then, we tested the heuristics effectiveness and determined which heuristics are decisive to differentiate legitimate from phishing sites.

A performance view on DNSSEC migration

In July 2008, the Kaminsky attack showed that DNS is sensitive to cache poisoning, and DNSSEC is considered the long term solution to mitigate this attack. A lot of technical documents provide configuration and security guide lines to deploy DNSSEC on organizations servers. However, such documents do not provide ISP or network administrators inputs to plan or evaluate the cost of the migration. This paper describes current deployment of DNSSEC and provides key elements to consider when planning DNSSEC deployment. Then we focus our work on performance aspects and provide experimental measurements for both DNS and DNSSEC architecture. Experimental results evaluate the cost of DNSSEC for authoritative and recursive server with different implementations.

A Secure Client Side Deduplication Scheme in Cloud Storage Environments

Recent years have witnessed the trend of leveraging cloud-based services for large scale content storage, processing, and distribution. Security and privacy are among top concerns for the public cloud environments. Towards these security challenges, we propose and implement, on OpenStack Swift, a new client-side deduplication scheme for securely storing and sharing outsourced data via the public cloud. The originality of our proposal is twofold. First, it ensures better confidentiality towards unauthorized users. That is, every client computes a per data key to encrypt the data that he intends to store in the cloud. As such, the data access is managed by the data owner. Second, by integrating access rights in metadata file, an authorized user can decipher an encrypted file only with his private key.

ID Based Cryptography for Cloud Data Storage

This paper addresses the security issues of storing sensitive data in a cloud storage service and the need for users to trust the commercial cloud providers. It proposes a cryptographic scheme for cloud storage, based on an original usage of ID-Based Cryptography. Our solution has several advantages. First, it provides secrecy for encrypted data which are stored in public servers. Second, it offers controlled data access and sharing among users, so that unauthorized users or untrusted servers cannot access or search over data without clients authorization.

XPACML eXtensible Privacy Access Control Markup Langua

Privacy in the digital world is a critical problem which is becoming even more imperious with the growth of the Internet, accompanied by the proliferation of e-services (e.g. e-commerce, e-health). One research track for efficient privacy management is to make use of users and service providers (SP) privacy policies, and to perform an automatic comparison in between to help any (skilled or unskilled) users preserving their privacy.

A Distributed Approach for Secure M2M Communications

A key establishment solution for heterogeneous Machine to Machine (M2M) communications is proposed. Decentralization in M2M environment leads to situations where highly resource-constrained nodes have to establish end-to-end secured contexts with powerful remote servers, which would normally be impossible because of the technological gap between these classes of devices. This paper proposes a novel collaborative session key exchange method, wherein a highly resource-constrained node obtains assistance from its more powerful neighbors when handling costly cryptographic operations. Formal security analysis and performance evaluation of this method are provided; they confirm the safety and efficiency of the proposed solution.