
Publication


Featured research published by Rafael Marin-Lopez.


IEEE Intelligent Transportation Systems Magazine | 2014

A Framework for Supporting Network Continuity in Vehicular IPv6 Communications

José Santa; Fernando Pereniguez-Garcia; Fernando Bernal; Pedro J. Fernández; Rafael Marin-Lopez; Antonio F. Skarmeta

The appearance of recent standards about cooperative ITS architectures towards a reference communication stack has been an inflection point in the research about vehicular networks. The ISO Communication Access for Land Mobiles (CALM) and the ETSI European ITS communication architecture have paved the way towards real and interoperable vehicular cooperative systems. Within these convergent proposals, IPv6 communications are recognized as a key component to enable traffic efficiency and infotainment applications. The proper operation of these applications and the achievement of value-added ITS services require an uninterrupted network connectivity. This paper addresses this problem by proposing a novel communication stack to support the provision of continuous and secure IPv6 vehicular communications. The solution follows the ISO/ETSI guidelines for the development of cooperative ITS systems and is based on standardized technologies such as Network Mobility (NEMO) protocol to provide an integral management of IPv6 mobility. The solution integrates IEEE 802.21 media independent handover services for optimizing the handover process. While the support to the handover optimization offered by the proposed ITS communication stack is demonstrated through a mobility use case, a real testbed supporting most of the communications features is developed to validate and assess the real performance of the stack design.


Computers & Security | 2011

PrivaKERB: A user privacy framework for Kerberos

F. Pereniguez; Rafael Marin-Lopez; Georgios Kambourakis; Stefanos Gritzalis; A.F. Gomez

Kerberos is one of the most well-respected and widely used authentication protocols in open and insecure networks. It is envisaged that its impact will increase as it comprises a reliable and scalable solution to support authentication and secure service acquisition in the Next Generation Networks (NGN) era. This means however that security and privacy issues related to the protocol itself must be carefully considered. This paper proposes a novel two-level privacy framework, namely PrivaKERB, to address user privacy in Kerberos. Our solution offers two privacy levels to cope with user anonymity and service access untraceability. We detail how these modes operate in preserving user privacy in both single-realm and cross-realm scenarios. By using the extensibility mechanisms already available in Kerberos, PrivaKERB does not change the semantics of messages and enables future implementations to maintain interoperability. We also evaluate our solution in terms of service time and resource utilization. The results show that PrivaKERB is a lightweight solution imposing negligible overhead in both the participating entities and network.


Computer Communications | 2010

Privacy-enhanced fast re-authentication for EAP-based next generation network

F. Pereniguez; Georgios Kambourakis; Rafael Marin-Lopez; Stefanos Gritzalis; A.F. Gomez

In next generation networks one of the most challenging issues is the definition of seamless and secure handoffs in order to assure service continuity. In general, researchers agree on the use of EAP as an authentication framework independent of the underlying technology. To date, efforts have focused on optimizing the authentication process itself, leaving out other relevant but sometimes important aspects like privacy. In this paper we present a solution that provides a lightweight authentication process while preserving user anonymity at the same time. The goal is to define a multi-layered pseudonym architecture that does not affect the fast re-authentication procedure and that allows a user to be untraceable. Taking as reference our previous work in fast re-authentication, we describe the extensions required to support identity privacy. Moreover, results collected from an implemented prototype reveal that the proposed privacy-enhanced fast re-authentication scheme is attainable without significant cost in terms of performance in 4G foreseeable environments.


Computer Standards & Interfaces | 2011

Providing EAP-based Kerberos pre-authentication and advanced authorization for network federations

Rafael Marin-Lopez; Fernando Pereñíguez; Gabriel López; Alejandro Pérez-Méndez

Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits the service access only to service providers' subscribers. To avoid this limitation, we design an architecture which integrates a Kerberos pre-authentication mechanism, based on the use of the Extensible Authentication Protocol (EAP), and advanced authorization, based on the standards SAML and XACML, to link the end user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service provider's domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications on existing standards.


Computer Standards & Interfaces | 2010

Analysis of Handover Key Management schemes under IETF perspective

Rafael Marin-Lopez; Yoshihiro Ohba; Fernando Pereñíguez; Antonio Gómez

The Extensible Authentication Protocol (EAP) has been standardized within the Internet Engineering Task Force (IETF) in order to provide flexible mechanisms for authentication and key management for network access control. However, some deficiencies have been revealed and recognized as a major obstacle to achieving secure and seamless handover in mobile scenarios. HOKEY (Handover Keying) Working Group in IETF is standardizing low-latency EAP re-authentication and key distribution protocols to address these deficiencies. This paper provides a critical analysis of the on-going work.


IEEE Transactions on Learning Technologies | 2013

Teaching Advanced Concepts in Computer Networks: VNUML-UM Virtualization Tool

Antonio Ruiz-Martínez; Fernando Pereniguez-Garcia; Rafael Marin-Lopez; Pedro M. Ruiz-Martínez; Antonio F. Skarmeta-Gomez

In the teaching of computer networks the main problem that arises is the high price and limited number of network devices the students can work with in the laboratories. Nowadays, with virtualization we can overcome this limitation. In this paper, we present a methodology that allows students to learn advanced computer network concepts through hands-on experience with the VNUML-UM virtualization tool, which is offered freely as a resource for the practical teaching of mobility, load balancing, and high availability. To verify the utility of using the VNUML-UM virtualization tool in the teaching of advanced computer network concepts, we have performed some opinion polls to the students during the last three academic years. The obtained results confirm that our students agree that the VNUML-UM enables an enhanced learning process of the different concepts and their practical skills. This perception is also confirmed by the final marks obtained by the students, which have considerably improved along the years. To the best of our knowledge, this paper presents the first experience that provides results on the use of virtualization to teach advanced concepts in the field of computer networks.


IEEE Communications Surveys and Tutorials | 2014

Identity Federations Beyond the Web: A Survey

Alejandro Pérez-Méndez; Fernando Pereniguez-Garcia; Rafael Marin-Lopez; Gabriel López-Millán; Josh Howlett

Internet service providers have, in recent years, adopted identity federation technologies with a high degree of success. A typical Internet user will regularly use these in her daily use of the Internet, even if she does not notice it. For example, she will use these technologies when publishing a picture in Flickr, when sharing it with her friends in her Facebook wall, when she performs a roaming telephone call over the 3G network, or when she obtains access to the eduroam network at her university. Until recently, identity federation technologies were mainly applicable to web and network access services. However, the proliferation of new emerging infrastructures, such as the cloud and grids, is motivating service providers to consider new solutions capable of satisfying identity federation for almost any kind of Internet service (SSH, NFS, SMTP, Cloud, Grid, etc.). This has been called identity federation beyond the Web. International projects and standardization bodies have also been considering ways to satisfy this urgent need. This paper describes the unmet requirement for federating any other kind of (non-Web-based) Internet service. In particular, it provides a detailed survey of the two main proposals, i.e., Application Bridging for Federated Access Beyond Web (ABFAB) and Federated Kerberos (FedKERB), which are currently discussed to provide a solution for this new type of federation, known as Identity Federations beyond the Web. Finally, this paper shows a fair comparison between both alternatives.


Computer Networks | 2010

Secure three-party key distribution protocol for fast network access in EAP-based wireless networks

Rafael Marin-Lopez; Fernando Pereñíguez; Fernando Bernal; Antonio Gómez

In this paper, we present a solution that reduces the time spent on providing network access in multi-domain mobile networks where the authentication process is based on the Extensible Authentication Protocol (EAP). The goal is to achieve fast and smooth handoffs by reducing the latency added by the authentication process. This process is typically required when a mobile user moves from one authenticator to another regardless of whether the new authenticator is in the same domain (intra-domain) or different domain (inter-domain). To achieve an efficient solution to this problem, it has been generally recognized that a fast and secure key distribution process is required. We propose a new fast re-authentication architecture that employs a secure three-party key distribution protocol which reduces the number of message exchanges during the network access control process. Our approach is proved to preserve security and verified by means of a formal tool. The resulting performance benefits are shown through our extensive simulations.


International Journal of Information Security | 2013

KAMU: providing advanced user privacy in Kerberos multi-domain scenarios

Fernando Pereniguez-Garcia; Rafael Marin-Lopez; Georgios Kambourakis; Antonio Ruiz-Martínez; Stefanos Gritzalis; Antonio F. Skarmeta-Gomez

In Next Generation Networks, Kerberos is becoming a key component to support authentication and key distribution for Internet application services. However, for this purpose, Kerberos needs to rectify certain deficiencies, especially in the area of privacy, which allow an eavesdropper to obtain information of the services users are accessing. This paper presents a comprehensive privacy framework that guarantees user anonymity, service access unlinkability and message exchange unlinkability in Kerberos both in single-domain and multi-domain scenarios. This proposal is based on different extensibility mechanisms already defined for Kerberos, which facilitate its adoption in already deployed systems. Apart from evaluating our proposal in terms of performance to prove its lightweight nature, we demonstrate its capability to work in perfect harmony with a widely used anonymous communication system like Tor.


Computer Communications | 2013

Out-of-band federated authentication for Kerberos based on PANA

Alejandro Pérez-Méndez; Fernando Pereniguez-Garcia; Rafael Marin-Lopez; Gabriel López-Millán

Nowadays, network operators and educational and research communities are extending the access to their Internet application services to external end users by deploying, with other domains, the so-called identity federations. In these federations, end users use the identity and authentication credentials registered in their home organizations for accessing resources managed by a remote service provider. However, current identity federation solutions focus mainly on assisting network access and web services, while a significant number of services are left aside (e.g., SSH, FTP, Jabber, etc.). Taking advantage of the widespread adoption of Kerberos by current application services, this paper presents a solution to provide federated access to any kind of application service by using existing Authentication, Authorization and Accounting (AAA) infrastructures. The solution bootstraps a security association in the service provider, which enables the acquisition of a Kerberos credential to access the service. To link the end user authentication with the AAA infrastructure and the bootstrapping of the security association, the solution uses the so-called Protocol for Carrying Authentication for Network Access (PANA).
