Traian Muntean

Algorithms for Network Topology Discovery using End-to-End Measurements

Identifying and inferring performances of a network topology is a well known problem. Achieving this by using only end-to-end measurements at the application level is a method known as network tomography. When the topology produced reflects capacities of sets of links with respect to a metric, the topology is called a Metric-Induced Network Topology (MINT). Tomography producing MINT has been widely used in order to predict performances of communications between clients and server. Nowadays grids connect up to thousands communicating resources that may interact in a partially or totally coordinated way. Consequently, applications running upon this kind of platform often involve massively concurrent bulk data transfers. This implies that the client/server model is no longer valid. In this paper, we introduce new algorithms that reconstruct a novel representation of the knowledge inferred from the network which is able to deal with multiple sources/multiple destinations transfers.

Managing the Privacy and Security of eHealth Data

The large scale adoption of mobile medicine, supported by an increasing number of medical devices and remote access to health services, correlated with the continuous involvement of the patients in their own healthcare, led to the emergence of tremendous amounts of clinical data. They need to be securely transferred, archived and accessed. This paper refers to a new approach for protecting the privacy and security of clinical data through the use of a state of the art encryption scheme and attribute-based access control authorization framework. As personal medical records are often used by different entities (e.g. Doctors, pharmacists, nurses, etc.), there is a need for different degrees of authorization access for specific parts of the personal dossier. Appropriate cryptographic tools are presented for allowing partial visibility and valid protection on authorized parts for hierarchical privacy protection of eHealth data. The encryption process relies on ARCANA, a security platform developed at ERISCS research laboratory from University Aix-Marseille. It provides the appropriate cryptographic tools for secure hierarchical access to healthcare data. This ensures that the access of various entities to the healthcare data is accurately and hierarchically controlled. The access control framework used in this research is based on XACML, a standard access control decision model specified by OASIS. The applicability and feasibility of XACML-based policies to regulate the access to patient data are demonstrated through SAFAX. SAFAX is a new public authorization framework developed by the Eindhoven University of Technology tested among others on eHealth case studies, in cooperation with Munich University of Applied Sciences. It is envisioned that the usage of data encryption and public authorization solutions to regulate access control on patients clinical data will have a big impact on the patients trust in electronic healthcare systems and will speed up their large scale adoption.

Towards fully incremental cryptographic schemes

This paper focus on incremental cryptographic schemes that solve the privacy problem introduced by Bellare, Goldreich and Goldwasser. To our knowledge, none of the schemes designed so far provide simultaneously strong privacy guarantees and byte-wise incremental operations. We propose a new method that extends a block-wise incremental cryptographic scheme into a fully byte-wise incremental one while keeping good performances. This one insures the property of perfect privacy with the same average overhead for both the size of the cryptographic form and the number of operations to perform when applying the conjugate algorithm.

Towards a Model for Broadcasting Secure Mobile Processes

In many parallel and distributed applications broadcasting represents a natural way of communication between processes/objects/actors. In addition mobility is often mandatory, as for instance, for the development of ad-hoc networks applications. The fusion of these two concepts into one unique and coherent model of concurrency represents a great interest for the development of such classes of applications together with appropriate programming models and languages. An original model that combines mobility and selective broadcasting has been developed by Ene and Muntean: the bpi-calculus. The mobile ambients by Gordon and Cardelli, represents also, among others, an interesting framework for mobility and ubiquity of applications. The goal of this paper is to propose a model for broadcasting secure systems that we consider to be more appropriate for ad-hoc networks and ubiquitous applications, reinforcing the mobility and security aspects

Authenticated dictionary based on frequency

We propose a model for data authentication which takes into account the behavior of the clients who perform queries. Our model reduces the size of the authenticated proof when the frequency of the query corresponding to a given data is higher. Existing models implicitly assume the frequency distribution of queries to be uniform, but in reality, this distribution generally follows Zipf’s law. Therefore, our model better reflects reality and the communication cost between clients and the server provider is reduced allowing the server to save bandwith. When the frequency distribution follows Zipf’s law, we obtain a gain of at least 20% on the average proof size compared to existing schemes.

A Cryptographic Keys Transfer Protocol for Secure Communicating Systems

This paper describes a new key forwarding protocol for networks messages exchange which guaranties both authentication of participants and forward security. The protocol lies within the framework of a keys derivation scheme used for spanning tree-based networks messages diffusion where compromising a key in a node involves compromising all derived keys in the corresponding sub tree. A complete specification and full proof of the protocol will be subject of a longer forthcoming conjoint paper.

A New Secure Virtual Connector Approach for Communication within Large Distributed Systems

Communicating entities in distributed systems and large scale applications require specific message exchange protocols which can be adjusted for multiple networks. Some secure networking protocols exist and provide different security properties. Such protocols include Transport Layer Security (TLS) and Secure Shell (SSH). We propose here a more specific approach for constructing a new model of distribution using connectors which implement a protocol as a support for securing exchanges over heterogeneous networks used for distributed applications. The Secure Virtual Connector (SVC) protocol provides enhanced security for exchanges between components of distributed applications. This protocol avoids existing shortcomings within existing secure communications protocols which have been designed to fit a wide variety of situations. This flexibility leads to potential vulnerabilities, most of which are avoidable. We consider here a full set of essential security properties for large distributed application such as confidentiality, authenticity, and a certain form of privacy. Other considerations include the use of heterogeneous networks, as well as the mobility of users using secure virtual connectors. The SVC protocol proposed here provides all the required security properties while keeping a low performance overhead which makes it efficient for both fixed and mobile networks. As such SVC is a suitable alternative to existing secure communication protocols.

Generic Parallel Cryptography for Hashing Schemes

We emphasize that future secure communicating systems, secured mass storages and access policies will require efficient and scalable security algorithms and protocols. More-over, parallelism will be used at quiet low level implementation of software or hardware basic mechanisms for offering efficient support to cryptographic algorithms. In this paper we concentrate on a family of generic schemes for efficient implementation of tree based hash functions. The main reason for designing a parallel algorithm based on a hash tree scheme is to obtain optimal performances when dealing with critical applications which can require tuned implementations for security aspects on multi-core target processors. Indeed, parallelism for cryptographic primitives has become a mandatory feature as imposed also by recent NIST requirements.