Contact information
| Name | Florina Almenarez Mendoza |
Academic
| jobline | Associate Professor |
Contact
Publications
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; and Celeste Campo,; García-Rubio, Carlos
Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols Conference
2024 IEEE Symposium on Computers and Communications (ISCC), IEEE, 2024, ISBN: 979-8-3503-5424-9.
@conference{javierblanco002,
title = {Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/abstract/document/10733716/figures#figures},
doi = {https://doi.org/10.1109/ISCC61673.2024.10733716},
isbn = {979-8-3503-5424-9},
year = {2024},
date = {2024-10-31},
urldate = {2024-10-31},
booktitle = {2024 IEEE Symposium on Computers and Communications (ISCC)},
publisher = {IEEE},
abstract = {Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Evaluating integration methods of a quantum random number generator in OpenSSL for TLS Proceedings Article
In: Computer Networks, 2024, ISBN: 1389-1286.
@inproceedings{javierblanco003,
title = {Evaluating integration methods of a quantum random number generator in OpenSSL for TLS},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
url = {https://www.sciencedirect.com/science/article/pii/S1389128624007096?via%3Dihub},
doi = {https://doi.org/10.1016/j.comnet.2024.110877},
isbn = {1389-1286},
year = {2024},
date = {2024-10-25},
urldate = {2024-10-25},
volume = {255},
publisher = {Computer Networks},
abstract = {The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.
Lorenzo, Vicente; Blanco-Romero, Javier; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments Conference
XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024., 2024.
@conference{nokey,
title = {Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments},
author = {Vicente Lorenzo and Javier Blanco-Romero and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
year = {2024},
date = {2024-10-25},
urldate = {2024-10-25},
booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Pérez-Díaz, J.; Almenares, Florina
Integración de un sistema de autenticación optimizado basado en PUF en OSCORE Conference
XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024., 2024.
@conference{nokey,
title = { Integración de un sistema de autenticación optimizado basado en PUF en OSCORE},
author = {J. Pérez-Díaz and Florina Almenares },
year = {2024},
date = {2024-10-25},
booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Proceedings Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
@inproceedings{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez },
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {https://doi.org/10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
booktitle = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel; Serrano-Navarro, Adrián
PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 396-403, Universidad de Sevilla , 2024, ISBN: 978-84-09-62140-8.
@inproceedings{javierblanco001,
title = {PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez and Adrián Serrano-Navarro},
url = {https://hdl.handle.net/11441/159179
https://idus.us.es/handle/11441/159179
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {396-403},
publisher = {Universidad de Sevilla },
abstract = {Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.
Gutierrez-Portela, Fernando; Arteaga-Arteaga, Harold-Brayan; Almenares-Mendoza, Florina; Calderon-Benavides, Liliana; Acosta-Mesa, Héctor-Gabriel; Tabares-Soto, Reinel
Enhancing Intrusion Detection in IoT Communications Through ML Model Generalization With a New Dataset (IDSAI) Journal Article
In: IEEE Access, vol. 11, pp. 70542 - 70559, 2023, ISSN: 2169-3536.
@article{almenarez017,
title = {Enhancing Intrusion Detection in IoT Communications Through ML Model Generalization With a New Dataset (IDSAI)},
author = {Fernando Gutierrez-Portela and Harold-Brayan Arteaga-Arteaga and Florina Almenares-Mendoza and Liliana Calderon-Benavides and Héctor-Gabriel Acosta-Mesa and Reinel Tabares-Soto},
url = {https://ieeexplore.ieee.org/document/10172186},
doi = {https://doi.org/10.1109/ACCESS.2023.3292267},
issn = {2169-3536},
year = {2023},
date = {2023-07-04},
urldate = {2023-07-04},
journal = {IEEE Access},
volume = {11},
pages = {70542 - 70559},
abstract = {One of the fields where Artificial Intelligence (AI) must continue to innovate is computer security. The integration of Wireless Sensor Networks (WSN) with the Internet of Things (IoT) creates ecosystems of attractive surfaces for security intrusions, being vulnerable to multiple and simultaneous attacks. This research evaluates the performance of supervised ML techniques for detecting intrusions based on network traffic captures. This work presents a new balanced dataset (IDSAI) with intrusions generated in attack environments in a real scenario. This new dataset has been provided in order to contrast model generalization from different datasets. The results show that for the detection of intruders, the best supervised algorithms are XGBoost, Gradient Boosting, Decision Tree, Random Forest, and Extra Trees, which can generate predictions when trained and predicted with ten specific intrusions (such as ARP spoofing, ICMP echo request Flood, TCP Null, and others), both of binary form (intrusion and non-intrusion) with up to 94% of accuracy, as multiclass form (ten different intrusions and non-intrusion) with up to 92% of accuracy. In contrast, up to 90% of accuracy is achieved for prediction on the Bot-IoT dataset using models trained with the IDSAI dataset.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
One of the fields where Artificial Intelligence (AI) must continue to innovate is computer security. The integration of Wireless Sensor Networks (WSN) with the Internet of Things (IoT) creates ecosystems of attractive surfaces for security intrusions, being vulnerable to multiple and simultaneous attacks. This research evaluates the performance of supervised ML techniques for detecting intrusions based on network traffic captures. This work presents a new balanced dataset (IDSAI) with intrusions generated in attack environments in a real scenario. This new dataset has been provided in order to contrast model generalization from different datasets. The results show that for the detection of intruders, the best supervised algorithms are XGBoost, Gradient Boosting, Decision Tree, Random Forest, and Extra Trees, which can generate predictions when trained and predicted with ten specific intrusions (such as ARP spoofing, ICMP echo request Flood, TCP Null, and others), both of binary form (intrusion and non-intrusion) with up to 94% of accuracy, as multiclass form (ten different intrusions and non-intrusion) with up to 92% of accuracy. In contrast, up to 90% of accuracy is achieved for prediction on the Bot-IoT dataset using models trained with the IDSAI dataset.
Chica, Sergio; Marín-López, Andrés; Arroyo, David; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Enhancing the anonymity and auditability of whistleblowers protection Proceedings Article
In: pp. 413 - 422, Springer International Publishing, 2023, ISBN: 978-3-031-21229-1.
@inproceedings{pa057,
title = {Enhancing the anonymity and auditability of whistleblowers protection},
author = {Sergio Chica and Andrés Marín-López and David Arroyo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
doi = {https://doi.org/10.1007/978-3-031-21229-1_38},
isbn = {978-3-031-21229-1},
year = {2023},
date = {2023-01-08},
pages = {413 - 422},
publisher = {Springer International Publishing},
abstract = {In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.
Díaz-Sanchez, Daniel; Almenarez-Mendoza, Florina; Marín-López, Andres; Rojo-Rivas, Isabel
A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing Proceedings Article
In: Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022), pp. 1043 - 1054, Springer International Publishing, 2022, ISBN: 978-3-031-21332-8.
@inproceedings{pa056,
title = {A Hybrid Approach to Ephemeral PKI Credentials Validation and Auditing},
author = {Daniel Díaz-Sanchez and Florina Almenarez-Mendoza and Andres Marín-López and Isabel Rojo-Rivas },
isbn = {978-3-031-21332-8},
year = {2022},
date = {2022-12-20},
urldate = {2022-12-20},
booktitle = {Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022)},
pages = {1043 - 1054},
publisher = {Springer International Publishing},
abstract = {IoT/M2M solutions are expected to rely on near computing infrastructures for deployment of services, frequently ephemeral, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard despite PKI was not designed for issuing short lived credentials. Moreover, after several Certificate Authorities were compromised, some Certificate Pinning proposal were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, as Certificate Transparency, provide long term auditing information for PKI certificates issued by renowned Certificate Authorities only, whereas others, as DANE, are able to verify self-issued certificates and give support for security islands that would benefit the development of IoT/M2M micro services but cannot provide long term auditing information. This article describe DANEAudits, a novel service with the objective of complementing DANE with long term auditing information without the need of new Trusted Third Parties different from the information owner.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
IoT/M2M solutions are expected to rely on near computing infrastructures for deployment of services, frequently ephemeral, that will need adequate protection. Communication protocols in IoT services have widely adopted TLS/PKI as the de facto security standard despite PKI was not designed for issuing short lived credentials. Moreover, after several Certificate Authorities were compromised, some Certificate Pinning proposal were developed to give an additional verification to PKI certificates. Some Certificate Pinning solutions, as Certificate Transparency, provide long term auditing information for PKI certificates issued by renowned Certificate Authorities only, whereas others, as DANE, are able to verify self-issued certificates and give support for security islands that would benefit the development of IoT/M2M micro services but cannot provide long term auditing information. This article describe DANEAudits, a novel service with the objective of complementing DANE with long term auditing information without the need of new Trusted Third Parties different from the information owner.
Chica, Sergio; Marín, Andrés; Arroyo-Guardeño, David; Díaz, Jesús; Almenares, Florina; Díaz, Daniel
Enhancing the anonymity and auditability of whistleblowers protection Conference
2022.
@conference{almenarez015,
title = {Enhancing the anonymity and auditability of whistleblowers protection},
author = {Sergio Chica and Andrés Marín and David Arroyo-Guardeño and Jesús Díaz and Florina Almenares and Daniel Díaz },
url = {http://hdl.handle.net/10261/275765},
doi = {https://doi.org/10.20350/digitalCSIC/14702},
year = {2022},
date = {2022-11-30},
urldate = {2022-11-30},
abstract = { In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
In our democracy a trade-off between checks and balances is mandatory. To play the role of balances, it is necessary to have information that is often only obtainable through channels that ensure the anonymity of the source. Here we present a work in progress of a system that provides anonymity to sources in a open and auditable system, oriented to audit systems of critical infrastructure and built on our previous work autoauditor.
Perez-Diaz, Jaime; Almenares-Mendoza, Florina
Integrating an optimised PUF-based authentication scheme in OSCORE Proceedings Article
In: Ad Hoc Networks Journal, 2022, ISSN: 1570-8705.
@inproceedings{almenarez007,
title = {Integrating an optimised PUF-based authentication scheme in OSCORE},
author = {Jaime Perez-Diaz and Florina Almenares-Mendoza },
doi = {https://doi.org/10.1016/j.adhoc.2022.103038},
issn = {1570-8705},
year = {2022},
date = {2022-11-23},
urldate = {2022-11-23},
volume = {140},
publisher = {Ad Hoc Networks Journal},
abstract = {Due to the growth in the amount and type of connected devices, mainly IoT devices, new scalable, lightweight and security-aware protocols, e.g., CoAP and MQTT, have been defined. For the definition of these protocols, the axioms concerning security must cover all the needs regarding authentication, confidentiality, integrity and availability of both devices and servers.
CoAP specifies mainly protocol security based on the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has been recently defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks supporting a range of proxy operations, including translation between different transport protocols. The main challenge presents in OSCORE is the establishment and exchange of pre-shared keys required to protect data. For that, this paper defines how use an optimised version of SRAM-based PUF (Physical Unclonable Functions) for a secure authentication, key establishment and exchanging model. The proposal has been implemented and evaluated in a scenario including IoT devices.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Due to the growth in the amount and type of connected devices, mainly IoT devices, new scalable, lightweight and security-aware protocols, e.g., CoAP and MQTT, have been defined. For the definition of these protocols, the axioms concerning security must cover all the needs regarding authentication, confidentiality, integrity and availability of both devices and servers.
CoAP specifies mainly protocol security based on the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has been recently defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks supporting a range of proxy operations, including translation between different transport protocols. The main challenge presents in OSCORE is the establishment and exchange of pre-shared keys required to protect data. For that, this paper defines how use an optimised version of SRAM-based PUF (Physical Unclonable Functions) for a secure authentication, key establishment and exchanging model. The proposal has been implemented and evaluated in a scenario including IoT devices.
CoAP specifies mainly protocol security based on the transport layer through DTLS. Nevertheless, OSCORE (Object Security for Constrained RESTful Environments) has been recently defined to support end-to-end protection of RESTful interactions over the CoAP protocol. It was designed for constrained devices and networks supporting a range of proxy operations, including translation between different transport protocols. The main challenge presents in OSCORE is the establishment and exchange of pre-shared keys required to protect data. For that, this paper defines how use an optimised version of SRAM-based PUF (Physical Unclonable Functions) for a secure authentication, key establishment and exchanging model. The proposal has been implemented and evaluated in a scenario including IoT devices.
Díaz-Sánchez, Daniel; Guerrero, Rosa Sánchez; López, Andrés Marín; Almenares, Florina; Arias, Patricia
A H.264 SVC distributed content protection system with flexible key stream generation Proceedings Article
In: 2012 IEEE Second International Conference on Consumer Electronics - Berlin (ICCE-Berlin), IEEE, 2022, ISSN: 2166-6814.
@inproceedings{PA012,
title = {A H.264 SVC distributed content protection system with flexible key stream generation},
author = {Daniel Díaz-Sánchez and Rosa Sánchez Guerrero and Andrés Marín López and Florina Almenares and Patricia Arias},
url = {https://ieeexplore.ieee.org/document/6336520},
doi = {https://doi.org/10.1109/ICCE-Berlin.2012.6336520},
issn = {2166-6814},
year = {2022},
date = {2022-10-22},
urldate = {2022-10-22},
booktitle = {2012 IEEE Second International Conference on Consumer Electronics - Berlin (ICCE-Berlin)},
publisher = {IEEE},
abstract = {Modern scalable coding techniques, as H264 SVC, are adequate to save processing power and bandwidth. Moreover, if the enhancements of a SVC encoded content are protected, it is possible to enable pay-per-quality systems. Transcoding and protection entail huge doses of processing power at provider side and should be distributed. Moreover, processing key streams to decrypt enhancements that were encrypted separately can increase the complexity at receiver side. This abstract describes a distributed system for content encoding and protection that generates a flexible key stream that simplifies the receiver.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Modern scalable coding techniques, as H264 SVC, are adequate to save processing power and bandwidth. Moreover, if the enhancements of a SVC encoded content are protected, it is possible to enable pay-per-quality systems. Transcoding and protection entail huge doses of processing power at provider side and should be distributed. Moreover, processing key streams to decrypt enhancements that were encrypted separately can increase the complexity at receiver side. This abstract describes a distributed system for content encoding and protection that generates a flexible key stream that simplifies the receiver.
Rojo-Rivas, MaríaIsabel; Díaz-Sánchez, Daniel; Almenarez, Florina; Marín-Lopez, Andrés
Kriper: A blockchain network with permissioned storage Journal Article
In: Future Generation Computer Systems, vol. 138, pp. 160-171, 2022, ISSN: 0167-739X.
@article{diazsanchez010,
title = {Kriper: A blockchain network with permissioned storage},
author = {MaríaIsabel Rojo-Rivas and Daniel Díaz-Sánchez and Florina Almenarez and Andrés Marín-Lopez},
doi = {https://doi.org/10.1016/j.future.2022.08.006},
issn = {0167-739X},
year = {2022},
date = {2022-08-17},
urldate = {2022-08-17},
journal = {Future Generation Computer Systems},
volume = {138},
pages = {160-171},
abstract = {Blockchain has been a revolution in the past few years. Beyond the new currencies that were created around different incarnations of the blockchain concept, there are many other contributions that provide interesting services as a data linked structure using a decentralized network that provide a high level of security. Companies have developed many projects to incorporate blockchain into their business logic pursuing to incorporate other related services as persistence of large volumes of data, privacy or anonymity of transactions, distributed data processing, security (confidentiality, integrity, and availability), document management or micro messages in real time. Nevertheless, as it will be discussed in this article, current blockchains do not meet the needs of companies in many aspects, leading to a scarce or superficial adoption. This article introduces Kriper, a blockchain that aims at meeting corporate world needs by responding with a community-based, open blockchain that may also be segregated and private for certain uses whereas it provides a permissioned distributed storage and micro message lightweight services.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Blockchain has been a revolution in the past few years. Beyond the new currencies that were created around different incarnations of the blockchain concept, there are many other contributions that provide interesting services as a data linked structure using a decentralized network that provide a high level of security. Companies have developed many projects to incorporate blockchain into their business logic pursuing to incorporate other related services as persistence of large volumes of data, privacy or anonymity of transactions, distributed data processing, security (confidentiality, integrity, and availability), document management or micro messages in real time. Nevertheless, as it will be discussed in this article, current blockchains do not meet the needs of companies in many aspects, leading to a scarce or superficial adoption. This article introduces Kriper, a blockchain that aims at meeting corporate world needs by responding with a community-based, open blockchain that may also be segregated and private for certain uses whereas it provides a permissioned distributed storage and micro message lightweight services.
Pérez-Díaz, Jaime; Almenares, Florina
A PUF-based Authentication Mechanism for OSCORE Conference
PE-WASUN '21: Proceedings of the 18th ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, 2021.
@conference{almenarez016,
title = {A PUF-based Authentication Mechanism for OSCORE},
author = {Jaime Pérez-Díaz and Florina Almenares},
url = {https://dl.acm.org/doi/10.1145/3479240.3488526},
doi = {https://doi.org/10.1145/3479240.3488526},
year = {2021},
date = {2021-11-22},
urldate = {2021-11-22},
booktitle = {PE-WASUN '21: Proceedings of the 18th ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks},
pages = {65-72},
abstract = {Within environment generated when deploying Internet of Things (IoT) solutions, there is a need to do it securely. Authentication of the devices against the applications deployed on the servers, which receive or send data to the IoT devices must be carried out. Standard IoT protocols, such as CoAP or MQTT, define secure communica- tions through protocols on transport, network or application layers. Nevertheless, a shortcoming when protocols using secret keys are used lies in the management of such keys, which is out of scope of the specifications. For this reason, this article presents an authenti- cation solution for OSCORE (Object Security for Constrained RESTful Environments) based on PUFs (Physical Unclonable Functions) that makes it possible to establish a secure mechanism for the exchange and management of keys. The performance of this proposal has been evaluated, showing its viability.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Within environment generated when deploying Internet of Things (IoT) solutions, there is a need to do it securely. Authentication of the devices against the applications deployed on the servers, which receive or send data to the IoT devices must be carried out. Standard IoT protocols, such as CoAP or MQTT, define secure communica- tions through protocols on transport, network or application layers. Nevertheless, a shortcoming when protocols using secret keys are used lies in the management of such keys, which is out of scope of the specifications. For this reason, this article presents an authenti- cation solution for OSCORE (Object Security for Constrained RESTful Environments) based on PUFs (Physical Unclonable Functions) that makes it possible to establish a secure mechanism for the exchange and management of keys. The performance of this proposal has been evaluated, showing its viability.
Seoane-Merida, Victor; García-Rubio, Carlos; Almenares-Mendoza, Florina; Campo-Vázquez, Celeste
Performance evaluation of CoAP and MQTT with security support for IoT environments Journal Article
In: COMPUTER NETWORKS, vol. 197, iss. 108338, pp. 1-22, 2021, ISSN: 1389-1286.
@article{campos004,
title = {Performance evaluation of CoAP and MQTT with security support for IoT environments},
author = {Victor Seoane-Merida and Carlos García-Rubio and Florina Almenares-Mendoza and Celeste Campo-Vázquez},
url = {http://hdl.handle.net/10016/33795},
doi = {https://doi.org/10.1016/j.comnet.2021.108338},
issn = {1389-1286},
year = {2021},
date = {2021-10-04},
urldate = {2021-10-04},
journal = {COMPUTER NETWORKS},
volume = {197},
issue = {108338},
pages = {1-22},
abstract = {World is living an overwhelming explosion of smart devices: electronic gadgets, appliances, meters, cars, sensors, camera and even traffic lights, that are connected to the Internet to extend their capabilities, constituting what is known as Internet of Things (IoT). In these environments, the application layer is decisive for the quality of the connection, which has dependencies to the transport layer, mainly when secure communications are used. This paper analyses the performance offered by these two most popular protocols for the application layer: Constrained Application Protocol (CoAP) and Message Queue Telemetry Transport (MQTT). This analysis aims to examine the features and capabilities of the two protocols and to determine their feasibility to operate under constrained devices taking into account security support and diverse network conditions, unlike the previous works. Since IoT devices typically show battery constraints, the analysis is focused on bandwidth and CPU use, using realistic network scenarios, since this use translates to power consumption.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
World is living an overwhelming explosion of smart devices: electronic gadgets, appliances, meters, cars, sensors, camera and even traffic lights, that are connected to the Internet to extend their capabilities, constituting what is known as Internet of Things (IoT). In these environments, the application layer is decisive for the quality of the connection, which has dependencies to the transport layer, mainly when secure communications are used. This paper analyses the performance offered by these two most popular protocols for the application layer: Constrained Application Protocol (CoAP) and Message Queue Telemetry Transport (MQTT). This analysis aims to examine the features and capabilities of the two protocols and to determine their feasibility to operate under constrained devices taking into account security support and diverse network conditions, unlike the previous works. Since IoT devices typically show battery constraints, the analysis is focused on bandwidth and CPU use, using realistic network scenarios, since this use translates to power consumption.
Gutierrez-Portela, Fernando; Almenares-Mendoza, Florina; Calderon-Benavides, Liliana; Romero-Riaño, Efren
Security perspective of wireless sensor networks = Prospectiva de seguridad de las redes de sensores inalámbricos Proceedings Article
In: pp. 189-201, UIS-Ingeniería , 2021, ISSN: 1657-4583.
@inproceedings{almenarez008,
title = {Security perspective of wireless sensor networks = Prospectiva de seguridad de las redes de sensores inalámbricos},
author = {Fernando Gutierrez-Portela and Florina Almenares-Mendoza and Liliana Calderon-Benavides and Efren Romero-Riaño},
url = {http://hdl.handle.net/10016/37285},
doi = {https://doi.org/10.18273/revuin.v20n3-2021014},
issn = {1657-4583},
year = {2021},
date = {2021-06-07},
urldate = {2021-06-07},
volume = {21},
issue = {3},
pages = {189-201},
publisher = {UIS-Ingeniería },
abstract = {En las Redes de Sensores Inalámbricos (WSN), los nodos son vulnerables a los ataques de seguridad porque están instalados en un entorno difícil, con energía y memoria limitadas, baja capacidad de procesamiento y transmisión de difusión media; por lo tanto, identificar las amenazas, los retos y las soluciones de seguridad y privacidad es un tema candente hoy en día. En este artículo se analizan los trabajos de investigación que se han realizado sobre los mecanismos de seguridad para la protección de las WSN frente a amenazas y ataques, así como las tendencias que surgen en otros países junto con futuras líneas de investigación. Desde el punto de vista metodológico, este análisis se muestra a través de la visualización y estudio de trabajos indexados en bases de datos como IEEE, ACM, Scopus y Springer, con un rango de 7 años como ventana de observación, desde 2013 hasta 2019. Se obtuvieron un total de 4.728 publicaciones, con un alto índice de colaboración entre China e India. La investigación planteó desarrollos, como avances en los principios de seguridad y mecanismos de defensa, que han llevado al diseño de contramedidas en la detección de intrusiones. Por último, los resultados muestran el interés de la comunidad científica y empresarial por el uso de la inteligencia artificial y el aprendizaje automático (ML) para optimizar las medidas de rendimiento.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
En las Redes de Sensores Inalámbricos (WSN), los nodos son vulnerables a los ataques de seguridad porque están instalados en un entorno difícil, con energía y memoria limitadas, baja capacidad de procesamiento y transmisión de difusión media; por lo tanto, identificar las amenazas, los retos y las soluciones de seguridad y privacidad es un tema candente hoy en día. En este artículo se analizan los trabajos de investigación que se han realizado sobre los mecanismos de seguridad para la protección de las WSN frente a amenazas y ataques, así como las tendencias que surgen en otros países junto con futuras líneas de investigación. Desde el punto de vista metodológico, este análisis se muestra a través de la visualización y estudio de trabajos indexados en bases de datos como IEEE, ACM, Scopus y Springer, con un rango de 7 años como ventana de observación, desde 2013 hasta 2019. Se obtuvieron un total de 4.728 publicaciones, con un alto índice de colaboración entre China e India. La investigación planteó desarrollos, como avances en los principios de seguridad y mecanismos de defensa, que han llevado al diseño de contramedidas en la detección de intrusiones. Por último, los resultados muestran el interés de la comunidad científica y empresarial por el uso de la inteligencia artificial y el aprendizaje automático (ML) para optimizar las medidas de rendimiento.
Seoane-Merida, Victor; Almenares-Mendoza, Florina; Campo-Vázquez, Celeste; García-Rubio, Carlos
Performance Evaluation of the CoAP Protocol with Security Support for IoT Environments Conference
PE-WASUN '20: Proceedings of the 17th ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, ASSOCIATION FOR COMPUTING MACHINERY, INC , 2020, ISBN: 978-1-4503-8118-5.
@conference{campo016b,
title = {Performance Evaluation of the CoAP Protocol with Security Support for IoT Environments},
author = {Victor Seoane-Merida and Florina Almenares-Mendoza and Celeste Campo-Vázquez and Carlos García-Rubio},
doi = {https://doi.org/10.1145/3416011.3424754},
isbn = {978-1-4503-8118-5},
year = {2020},
date = {2020-11-09},
urldate = {2020-11-09},
booktitle = {PE-WASUN '20: Proceedings of the 17th ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks},
pages = {41-48},
publisher = {ASSOCIATION FOR COMPUTING MACHINERY, INC },
abstract = {Internet of Things (IoT) can be defined as the interconnection through Internet of an unprecedented number of devices with the purpose of exchanging data. It stands as one of the most popular technologies for the following years and it is requiring substantial changes in the Internet protocols to meet its requirements. As the application layer is decisive for the quality of the connection, this paper analyzes the performance offered by one of the most popular protocols for the application layer in IoT: the Constrained Application Protocol (CoAP). This analysis aims to examine the features and capabilities of this protocol and to determine its feasibility to operate under constrained devices using security support. For this, a realistic network scenario is deployed to run the simulations and to measure bandwidth, consumption of resources (i.e., CPU cycles and bandwidth usage) and communication latency. Additionally, the trade-off between security and performance is discussed measuring the bandwidth overhead and the consumption increase associated to secure the communications. Different ciphering and authentication algorithms are tested, following the recommendations made by the Internet Engineering Task Force (IETF).},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Internet of Things (IoT) can be defined as the interconnection through Internet of an unprecedented number of devices with the purpose of exchanging data. It stands as one of the most popular technologies for the following years and it is requiring substantial changes in the Internet protocols to meet its requirements. As the application layer is decisive for the quality of the connection, this paper analyzes the performance offered by one of the most popular protocols for the application layer in IoT: the Constrained Application Protocol (CoAP). This analysis aims to examine the features and capabilities of this protocol and to determine its feasibility to operate under constrained devices using security support. For this, a realistic network scenario is deployed to run the simulations and to measure bandwidth, consumption of resources (i.e., CPU cycles and bandwidth usage) and communication latency. Additionally, the trade-off between security and performance is discussed measuring the bandwidth overhead and the consumption increase associated to secure the communications. Different ciphering and authentication algorithms are tested, following the recommendations made by the Internet Engineering Task Force (IETF).
Marín-López, Andrés; Chica-Manjarrez, Sergio; Arroyo, David; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Security Information Sharing in Smart Grids: Persisting Security Audits to the Blockchain Journal Article
In: Electronics, vol. 9, pp. 1865, 2020, ISSN: 2079-9292.
@article{marin002,
title = {Security Information Sharing in Smart Grids: Persisting Security Audits to the Blockchain},
author = {Andrés Marín-López and Sergio Chica-Manjarrez and David Arroyo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez },
url = {https://www.mdpi.com/2079-9292/9/11/1865
},
doi = {https://doi.org/10.3390/electronics9111865},
issn = {2079-9292},
year = {2020},
date = {2020-11-06},
urldate = {2020-11-06},
journal = {Electronics},
volume = {9},
pages = {1865},
abstract = {With the transformation in smart grids, power grid companies are becoming increasingly
dependent on data networks. Data networks are used to transport information and commands for
optimizing power grid operations: Planning, generation, transportation, and distribution. Performing
periodic security audits is one of the required tasks for securing networks, and we proposed in a
previous work AUTOAUDITOR, a system to achieve automatic auditing. It was designed according
to the specific requirements of power grid companies, such as scaling with the huge number of
heterogeneous equipment in power grid companies. Though pentesting and security audits are
required for continuous monitoring, collaboration is of utmost importance to fight cyber threats.
In this paper we work on the accountability of audit results and explore how the list of audit result
records can be included in a blockchain, since blockchains are by design resistant to data modification.
Moreover, blockchains endowed with smart contracts functionality boost the automation of both
digital evidence gathering, audit, and controlled information exchange. To our knowledge, no such
system exists. We perform throughput evaluation to assess the feasibility of the system and show
that the system is viable for adaptation to the inventory systems of electrical companies.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
With the transformation in smart grids, power grid companies are becoming increasingly
dependent on data networks. Data networks are used to transport information and commands for
optimizing power grid operations: Planning, generation, transportation, and distribution. Performing
periodic security audits is one of the required tasks for securing networks, and we proposed in a
previous work AUTOAUDITOR, a system to achieve automatic auditing. It was designed according
to the specific requirements of power grid companies, such as scaling with the huge number of
heterogeneous equipment in power grid companies. Though pentesting and security audits are
required for continuous monitoring, collaboration is of utmost importance to fight cyber threats.
In this paper we work on the accountability of audit results and explore how the list of audit result
records can be included in a blockchain, since blockchains are by design resistant to data modification.
Moreover, blockchains endowed with smart contracts functionality boost the automation of both
digital evidence gathering, audit, and controlled information exchange. To our knowledge, no such
system exists. We perform throughput evaluation to assess the feasibility of the system and show
that the system is viable for adaptation to the inventory systems of electrical companies.
dependent on data networks. Data networks are used to transport information and commands for
optimizing power grid operations: Planning, generation, transportation, and distribution. Performing
periodic security audits is one of the required tasks for securing networks, and we proposed in a
previous work AUTOAUDITOR, a system to achieve automatic auditing. It was designed according
to the specific requirements of power grid companies, such as scaling with the huge number of
heterogeneous equipment in power grid companies. Though pentesting and security audits are
required for continuous monitoring, collaboration is of utmost importance to fight cyber threats.
In this paper we work on the accountability of audit results and explore how the list of audit result
records can be included in a blockchain, since blockchains are by design resistant to data modification.
Moreover, blockchains endowed with smart contracts functionality boost the automation of both
digital evidence gathering, audit, and controlled information exchange. To our knowledge, no such
system exists. We perform throughput evaluation to assess the feasibility of the system and show
that the system is viable for adaptation to the inventory systems of electrical companies.
Chica-Manjarrez, Sergio; Marín-López, Andrés; Díaz-Sánchez, Daniel; Almenares-Mendoza, Florina
On the Automation of Auditing in Power Grid Companies Proceedings Article
In: Actas de congreso internacional, Citas Google 2, CORE C, pp. 331 - 340, 2020, ISBN: ISSN/ISBN) 978-1-4503-5988-7.
@inproceedings{pa054,
title = {On the Automation of Auditing in Power Grid Companies},
author = {Sergio Chica-Manjarrez and Andrés Marín-López and Daniel Díaz-Sánchez and Florina Almenares-Mendoza},
doi = {10.3233/AISE200057},
isbn = {ISSN/ISBN) 978-1-4503-5988-7},
year = {2020},
date = {2020-07-23},
urldate = {2020-07-23},
booktitle = {Actas de congreso internacional, Citas Google 2, CORE C},
pages = {331 - 340},
abstract = {Auditing is a common task required to secure networks. This becomes of utter importance in power grid companies, the authorities of electricity supply. An increasing number of connected devices makes the use of semi automatic or fully automated auditing imperative. The inventory system has to incorporate the auditing results and subsequently integrate them in the security assessment of the company. The risk metrics incorporate the severity of exposures and facilitate the selection of vulnerabilities that have to be mitigated, according to the risk appetite of the company. This automatic approach has to address scale and privacy issues of large companies. In addition, connections from foreign domains that carry out the auditing involve additional risks that must be considered to effectively test the likelihood and depth of the found vulnerabilities.
In this paper we discuss the requirements of an automatic auditing system and present AUTOAUDITOR, a highly configurable module which allow companies to automatically perform pentesting in specific assets.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Auditing is a common task required to secure networks. This becomes of utter importance in power grid companies, the authorities of electricity supply. An increasing number of connected devices makes the use of semi automatic or fully automated auditing imperative. The inventory system has to incorporate the auditing results and subsequently integrate them in the security assessment of the company. The risk metrics incorporate the severity of exposures and facilitate the selection of vulnerabilities that have to be mitigated, according to the risk appetite of the company. This automatic approach has to address scale and privacy issues of large companies. In addition, connections from foreign domains that carry out the auditing involve additional risks that must be considered to effectively test the likelihood and depth of the found vulnerabilities.
In this paper we discuss the requirements of an automatic auditing system and present AUTOAUDITOR, a highly configurable module which allow companies to automatically perform pentesting in specific assets.
In this paper we discuss the requirements of an automatic auditing system and present AUTOAUDITOR, a highly configurable module which allow companies to automatically perform pentesting in specific assets.
Rubio-Drosdov, Eugenio; Díaz-Sánchez, Daniel; Marín-López, Andrés; Almenares-Mendoza, Florina
A Framework for Microservice Migration and Performance Assessment Proceedings Article
In: pp. 291 - 299, 2020, ISBN: 978-1-4503-5988-7.
@inproceedings{pa059,
title = {A Framework for Microservice Migration and Performance Assessment},
author = {Eugenio Rubio-Drosdov and Daniel Díaz-Sánchez and Andrés Marín-López and Florina Almenares-Mendoza},
doi = {doi:10.3233/AISE200053},
isbn = {978-1-4503-5988-7},
year = {2020},
date = {2020-06-25},
urldate = {2020-06-25},
pages = {291 - 299},
abstract = {In a large Smart Grid, smart meters produce tremendous amount of data that are hard to process, analyze and store. Fog computing is an environment that offers a place for collecting, computing and storing smart meter data before transmitting them to the cloud. Due to the distributed, heterogeneous and resource constrained nature of the fog computing nodes, fog applications need to be developed as a collection of interdependent, lightweight modules. Since this concept aligns with the goals of microservices architecture (MSA), efficient placement of microservices-based Smart Grid applications within fog environments has the potential to fully leverage capabilities of fog devices. Microservice architecture is an emerging software architectural style. It is based on microservices to provide several advantages over a monolithic solution, such as autonomy, composability, scalability, and fault-tolerance. However, optimizing the migration of microservices from one fog environment to other while assuring certain quality is still a big issue that needs to be addressed. In this paper, we propose an approach for assisting the migration of microservices in MSA-based Smart Grid systems, based on the analysis of their performance within the possible candidate destinations. Developers create microservices that will be eventually deployed at a given infrastructure. Either the developer, cosidering the design, or the entity deploying the service have a good knowledge of the quality required by the microservice. Due to that, they can create tests that determine if a destination meets the requirements of a given microservice and embed these tests as part of the microservice. Our goal is to automate the execution of performance tests by attaching a specification that contains the test parameters to each microservice.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In a large Smart Grid, smart meters produce tremendous amount of data that are hard to process, analyze and store. Fog computing is an environment that offers a place for collecting, computing and storing smart meter data before transmitting them to the cloud. Due to the distributed, heterogeneous and resource constrained nature of the fog computing nodes, fog applications need to be developed as a collection of interdependent, lightweight modules. Since this concept aligns with the goals of microservices architecture (MSA), efficient placement of microservices-based Smart Grid applications within fog environments has the potential to fully leverage capabilities of fog devices. Microservice architecture is an emerging software architectural style. It is based on microservices to provide several advantages over a monolithic solution, such as autonomy, composability, scalability, and fault-tolerance. However, optimizing the migration of microservices from one fog environment to other while assuring certain quality is still a big issue that needs to be addressed. In this paper, we propose an approach for assisting the migration of microservices in MSA-based Smart Grid systems, based on the analysis of their performance within the possible candidate destinations. Developers create microservices that will be eventually deployed at a given infrastructure. Either the developer, cosidering the design, or the entity deploying the service have a good knowledge of the quality required by the microservice. Due to that, they can create tests that determine if a destination meets the requirements of a given microservice and embed these tests as part of the microservice. Our goal is to automate the execution of performance tests by attaching a specification that contains the test parameters to each microservice.
AGUILAR-IGARTUA, MÓNICA; ALMENARES-MENDOZA, FLORINA; DÍAZ-REDONDO, REBECA; MARTÍN-VICENTE, MANUELA; FORNÉ, JORDI; CAMPO, CELESTE; FERNÁNDEZ-VILAS, ANA; CRUZ-LLOPIS, LUIS; GARCÍA-RUBIO, CARLOS; MARÍN-LÓPEZ, ANDRÉS; MOHAMAD-MEZHER, AHMAD; DÍAZ-SÁNCHEZ, DANIEL; CEREZO-COSTAS, HÉCTOR; REBOLLO-MONEDERO, DAVID; ARIAS-CABARCOS, PATRICIA; RICO-NOVELLA, FRANCISCO JOSÉ
INRISCO: INcident monitoRing in Smart COmmunities Journal Article
In: IEEE Access, vol. 8, pp. 72435 - 72460, 2020, ISSN: 2169-3536.
@article{almenarez006,
title = {INRISCO: INcident monitoRing in Smart COmmunities},
author = {MÓNICA AGUILAR-IGARTUA AND FLORINA ALMENARES-MENDOZA AND REBECA DÍAZ-REDONDO AND MANUELA MARTÍN-VICENTE AND JORDI FORNÉ AND CELESTE CAMPO AND ANA FERNÁNDEZ-VILAS AND LUIS CRUZ-LLOPIS AND CARLOS GARCÍA-RUBIO AND ANDRÉS MARÍN-LÓPEZ AND AHMAD MOHAMAD-MEZHER AND DANIEL DÍAZ-SÁNCHEZ AND HÉCTOR CEREZO-COSTAS AND DAVID REBOLLO-MONEDERO AND PATRICIA ARIAS-CABARCOS AND FRANCISCO JOSÉ RICO-NOVELLA
},
url = {https://ieeexplore.ieee.org/document/9064504
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9064504},
doi = {https://doi.org/10.1109/ACCESS.2020.2987483},
issn = {2169-3536},
year = {2020},
date = {2020-04-13},
urldate = {2020-04-13},
journal = {IEEE Access},
volume = {8},
pages = {72435 - 72460},
abstract = {Major advances in information and communication technologies (ICTs) make citizens to be considered as sensors in motion. Carrying their mobile devices, moving in their connected vehicles or actively participating in social networks, citizens provide a wealth of information that, after properly processing, can support numerous applications for the benefit of the community. In the context of smart communities, the INRISCO [1] proposal intends for (i) the early detection of abnormal situations in cities (i.e., incidents), (ii) the analysis of whether, according to their impact, those incidents are really adverse for the community; and (iii) the automatic actuation by dissemination of appropriate information to citizens and authorities. Thus, INRISCO will identify and report on incidents in traffic (jam, accident) or public infrastructure (e.g., works, street cut), the occurrence of specific events that affect other citizens' life (e.g., demonstrations, concerts), or environmental problems (e.g., pollution, bad weather). It is of particular interest to this proposal the identification of incidents with a social and economic impact, which affects the quality of life of citizens.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Major advances in information and communication technologies (ICTs) make citizens to be considered as sensors in motion. Carrying their mobile devices, moving in their connected vehicles or actively participating in social networks, citizens provide a wealth of information that, after properly processing, can support numerous applications for the benefit of the community. In the context of smart communities, the INRISCO [1] proposal intends for (i) the early detection of abnormal situations in cities (i.e., incidents), (ii) the analysis of whether, according to their impact, those incidents are really adverse for the community; and (iii) the automatic actuation by dissemination of appropriate information to citizens and authorities. Thus, INRISCO will identify and report on incidents in traffic (jam, accident) or public infrastructure (e.g., works, street cut), the occurrence of specific events that affect other citizens' life (e.g., demonstrations, concerts), or environmental problems (e.g., pollution, bad weather). It is of particular interest to this proposal the identification of incidents with a social and economic impact, which affects the quality of life of citizens.
Díaz-Sánchez, Daniel; Marín-Lopez, Andrés; Mendoza, Florina Almenárez; Cabarcos, Patricia Arias
DNS/DANE Collision-Based Distributed and Dynamic Authentication for Microservices in IoT † Journal Article
In: Sensors, vol. 19, iss. 15, pp. 1-23, 2019, ISSN: 1424-8220.
@article{Diaz_Sanchez_2019,
title = {DNS/DANE Collision-Based Distributed and Dynamic Authentication for Microservices in IoT †},
author = {Daniel Díaz-Sánchez and Andrés Marín-Lopez and Florina Almenárez Mendoza and Patricia Arias Cabarcos},
url = {http://dx.doi.org/10.3390/s19153292
/download/DNS_DANE_Collision-Based_Distributed_and_Dynamic_Authentication_for_Microservices_in_IoT.pdf},
doi = {https://doi.org/10.3390/s19153292},
issn = {1424-8220},
year = {2019},
date = {2019-07-26},
urldate = {2019-07-26},
journal = {Sensors},
volume = {19},
issue = {15},
pages = {1-23},
publisher = {MDPI AG},
abstract = {IoT devices provide real-time data to a rich ecosystem of services and applications. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core networks. To alleviate the core of the network, other technologies like fog computing can be used. On the security side, designers of IoT low-cost devices and applications often reuse old versions of development frameworks and software components that contain vulnerabilities. Many server applications today are designed using microservice architectures where components are easier to update. Thus, IoT can benefit from deploying microservices in the fog as it offers the required flexibility for the main players of ubiquitous computing: nomadic users. In such deployments, IoT devices need the dynamic instantiation of microservices. IoT microservices require certificates so they can be accessed securely. Thus, every microservice instance may require a newly-created domain name and a certificate. The DNS-based Authentication of Named Entities (DANE) extension to Domain Name System Security Extensions (DNSSEC) allows linking a certificate to a given domain name. Thus, the combination of DNSSEC and DANE provides microservices’ clients with secure information regarding the domain name, IP address, and server certificate of a given microservice. However, IoT microservices may be short-lived since devices can move from one local fog to another, forcing DNSSEC servers to sign zones whenever new changes occur. Considering DNSSEC and DANE were designed to cope with static services, coping with IoT dynamic microservice instantiation can throttle the scalability in the fog. To overcome this limitation, this article proposes a solution that modifies the DNSSEC/DANE signature mechanism using chameleon signatures and defining a new soft delegation scheme. Chameleon signatures are signatures computed over a chameleon hash, which have a property: a secret trapdoor function can be used to compute collisions to the hash. Since the hash is maintained, the signature does not have to be computed again. In the soft delegation schema, DNS servers obtain a trapdoor that allows performing changes in a constrained zone without affecting normal DNS operation. In this way, a server can receive this soft delegation and modify the DNS zone to cope with frequent changes such as microservice dynamic instantiation. Changes in the soft delegated zone are much faster and do not require the intervention of the DNS primary servers of the zone.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
IoT devices provide real-time data to a rich ecosystem of services and applications. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core networks. To alleviate the core of the network, other technologies like fog computing can be used. On the security side, designers of IoT low-cost devices and applications often reuse old versions of development frameworks and software components that contain vulnerabilities. Many server applications today are designed using microservice architectures where components are easier to update. Thus, IoT can benefit from deploying microservices in the fog as it offers the required flexibility for the main players of ubiquitous computing: nomadic users. In such deployments, IoT devices need the dynamic instantiation of microservices. IoT microservices require certificates so they can be accessed securely. Thus, every microservice instance may require a newly-created domain name and a certificate. The DNS-based Authentication of Named Entities (DANE) extension to Domain Name System Security Extensions (DNSSEC) allows linking a certificate to a given domain name. Thus, the combination of DNSSEC and DANE provides microservices’ clients with secure information regarding the domain name, IP address, and server certificate of a given microservice. However, IoT microservices may be short-lived since devices can move from one local fog to another, forcing DNSSEC servers to sign zones whenever new changes occur. Considering DNSSEC and DANE were designed to cope with static services, coping with IoT dynamic microservice instantiation can throttle the scalability in the fog. To overcome this limitation, this article proposes a solution that modifies the DNSSEC/DANE signature mechanism using chameleon signatures and defining a new soft delegation scheme. Chameleon signatures are signatures computed over a chameleon hash, which have a property: a secret trapdoor function can be used to compute collisions to the hash. Since the hash is maintained, the signature does not have to be computed again. In the soft delegation schema, DNS servers obtain a trapdoor that allows performing changes in a constrained zone without affecting normal DNS operation. In this way, a server can receive this soft delegation and modify the DNS zone to cope with frequent changes such as microservice dynamic instantiation. Changes in the soft delegated zone are much faster and do not require the intervention of the DNS primary servers of the zone.
Díaz-Sánchez, Daniel; Marín-López, Andrés; Almenárez-Mendoza, Florina; Arias-Cabarcos, Patricia; Simon-Sherratt, R.
TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications Journal Article
In: IEEE Communications Surveys and Tutorials, vol. 21, iss. 4, pp. 3502-3531, 2019, ISSN: 1553-877X.
@article{8704893,
title = {TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications},
author = {Daniel Díaz-Sánchez and Andrés Marín-López and Florina Almenárez-Mendoza and Patricia Arias-Cabarcos and R. Simon-Sherratt},
url = {https://doi.org/10.1109/COMST.2019.2914453
https://ieeexplore.ieee.org/document/8704893
https://phpmyadmin.pervasive.it.uc3m.es/download/TLC-PKI-challenges-certificate-pinning.pdf},
doi = {10.1109/COMST.2019.2914453},
issn = {1553-877X},
year = {2019},
date = {2019-05-02},
urldate = {2019-05-02},
journal = {IEEE Communications Surveys and Tutorials},
volume = {21},
issue = {4},
pages = {3502-3531},
abstract = {Transport layer security (TLS) is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on public key infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, this paper provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current certificate pinning solutions in order to illustrate the potential problems that should be addressed.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Transport layer security (TLS) is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on public key infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, this paper provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current certificate pinning solutions in order to illustrate the potential problems that should be addressed.
Almenarez, Florina; Alonso, Lucía; Marín, Andrés; Díaz-Sánchez, Daniel; Arias, Patricia
Assessment of fitness tracker security: a case of study Proceedings Article
In: 2018, ISSN: 2504-3900.
@inproceedings{pa058,
title = {Assessment of fitness tracker security: a case of study},
author = {Florina Almenarez and Lucía Alonso and Andrés Marín and Daniel Díaz-Sánchez and Patricia Arias},
url = {https://www.mdpi.com/2504-3900/2/19/1235},
doi = {https://doi.org/10.3390/proceedings2191235},
issn = {2504-3900},
year = {2018},
date = {2018-10-26},
abstract = {The wearable industry has experienced a notable growth over the last decade, especially in fitness or e-health trackers. These trackers bring new functionalities that require collecting a great amount of sensitive information about the user. This fact has made fitness trackers the target of deliberate attacks, e.g., eavesdropping, unauthorized account access, fake firmware update, and so on. For this reason, this paper describes a vulnerability study on one of the most popular fitness trackers in 2017, together with the mobile application associated to the tracker. The study results show what vulnerabilities of the communications among agents (i.e., wearable device, mobile application and server) could put at risk users sensitive information and privacy.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
The wearable industry has experienced a notable growth over the last decade, especially in fitness or e-health trackers. These trackers bring new functionalities that require collecting a great amount of sensitive information about the user. This fact has made fitness trackers the target of deliberate attacks, e.g., eavesdropping, unauthorized account access, fake firmware update, and so on. For this reason, this paper describes a vulnerability study on one of the most popular fitness trackers in 2017, together with the mobile application associated to the tracker. The study results show what vulnerabilities of the communications among agents (i.e., wearable device, mobile application and server) could put at risk users sensitive information and privacy.
Díaz-Sánchez, Daniel; Marín-López, Andrés; Almenares-Mendoza, Florina; Arias-Cabarcos, Patricia
DNS-Based Dynamic Authentication for Microservices in IoT Proceedings Article
In: pp. 1-11, 2018, ISSN: 2504-3900.
@inproceedings{pa055,
title = {DNS-Based Dynamic Authentication for Microservices in IoT},
author = {Daniel Díaz-Sánchez and Andrés Marín-López and Florina Almenares-Mendoza and Patricia Arias-Cabarcos},
url = {https://www.mdpi.com/2504-3900/2/19/1233},
doi = {https://doi.org/10.3390/proceedings2191233},
issn = {2504-3900},
year = {2018},
date = {2018-10-25},
pages = {1-11},
abstract = {IoT devices provide with real-time data to a rich ecosystems of services and applications that will be of uttermost importance for ubiquitous computing. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core netkworks. Designers may opt for microservice architectures and fog computing to address this challenge while offering the required flexibility for the main players of ubiquitous computing: nomadic users. Microservices require strong security support for Fog computing, to rely on nodes in the boundary of the network for secure data collection and processing. IoT low cost devices face outdated certificates and security support, due to the elapsed time from manufacture to deployment. In this paper we propose a solution based on microservice architectures and DNSSEC, DANE and chameleon signatures to overcome these difficulties. We will show how trap doors included in the certificates allow a secure and flexible delegation for off-loading data collection and processing to the fog. The main result is showing this requires minimal manufacture device configuration, thanks to DNSSEC support.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
IoT devices provide with real-time data to a rich ecosystems of services and applications that will be of uttermost importance for ubiquitous computing. The volume of data and the involved subscribe/notify signaling will likely become a challenge also for access and core netkworks. Designers may opt for microservice architectures and fog computing to address this challenge while offering the required flexibility for the main players of ubiquitous computing: nomadic users. Microservices require strong security support for Fog computing, to rely on nodes in the boundary of the network for secure data collection and processing. IoT low cost devices face outdated certificates and security support, due to the elapsed time from manufacture to deployment. In this paper we propose a solution based on microservice architectures and DNSSEC, DANE and chameleon signatures to overcome these difficulties. We will show how trap doors included in the certificates allow a secure and flexible delegation for off-loading data collection and processing to the fog. The main result is showing this requires minimal manufacture device configuration, thanks to DNSSEC support.
Alario-Hoyos, Carlos; Estevez-Ayres, Iria; Gallego-Romero, Jesus; Delgado-Kloss, Carlos; Fernandez-Panadero, Carmen; Crespo-Garcia, Raquel; Almenares-Mendoza, Florina; Ibañez-Espiga, Blanca; Villena-Roman, Julio; Ruiz-Magaña, Jorge; Blasco-Alis, Jorge
In: JOURNAL OF UNIVERSAL COMPUTER SCIENCE , vol. 24, iss. 8, pp. 1015-1033, 2018, ISSN: 0948-695X.
@article{almenarez009,
title = {A study of learning-by-doing in MOOCs through the integration of third-party external tools: comparison of synchronous and asynchronous running modes },
author = {Carlos Alario-Hoyos and Iria Estevez-Ayres and Jesus Gallego-Romero and Carlos Delgado-Kloss and Carmen Fernandez-Panadero and Raquel Crespo-Garcia and Florina Almenares-Mendoza and Blanca Ibañez-Espiga and Julio Villena-Roman and Jorge Ruiz-Magaña and Jorge Blasco-Alis},
url = {http://hdl.handle.net/10016/29864},
doi = {https://doi.org/10.3217/jucs-024-08-1015},
issn = {0948-695X},
year = {2018},
date = {2018-08-28},
urldate = {2018-08-28},
journal = {JOURNAL OF UNIVERSAL COMPUTER SCIENCE },
volume = {24},
issue = {8},
pages = {1015-1033},
abstract = {Many MOOCs are being designed replicating traditional passive teaching approaches but using video lectures as the means of transmitting information. However, it is well known that learning-by-doing increases retention rates and, thus, allows achieving a more effective learning. To this end, it is worth exploring which tools fit best in the context of each MOOC to enrich learners' experience, including built-in tools already available in the MOOC platform, and third-party external tools which can be integrated in the MOOC platform. This paper presents an example of the integration of a software development tool, called Codeboard, in three MOOCs which serve as an introduction to programming with Java. We analyze the effect this tool has on learners' interaction and engagement when running the MOOCs in synchronous (instructor-paced) or asynchronous (self-paced) modes. Results show that the overall use of the tool is similar, regardless of the course running mode, although in the case of the synchronous mode the use of the tool is concentrated in a shorter period of time. Results also show that in the synchronous mode there is a higher percentage of accesses to the tool from registered learners (who can save their advances and continue the work later); this finding suggests that learners in the synchronous running mode are more engaged with the MOOC.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Many MOOCs are being designed replicating traditional passive teaching approaches but using video lectures as the means of transmitting information. However, it is well known that learning-by-doing increases retention rates and, thus, allows achieving a more effective learning. To this end, it is worth exploring which tools fit best in the context of each MOOC to enrich learners' experience, including built-in tools already available in the MOOC platform, and third-party external tools which can be integrated in the MOOC platform. This paper presents an example of the integration of a software development tool, called Codeboard, in three MOOCs which serve as an introduction to programming with Java. We analyze the effect this tool has on learners' interaction and engagement when running the MOOCs in synchronous (instructor-paced) or asynchronous (self-paced) modes. Results show that the overall use of the tool is similar, regardless of the course running mode, although in the case of the synchronous mode the use of the tool is concentrated in a shorter period of time. Results also show that in the synchronous mode there is a higher percentage of accesses to the tool from registered learners (who can save their advances and continue the work later); this finding suggests that learners in the synchronous running mode are more engaged with the MOOC.
Hinajeros, Francisca; Almenares-Mendoza, Florina; Gomila, Patricia Arias-Cabarcos Josep-Lluis Ferrer; Marín-López, Andrés
RiskLaine: A Probabilistic Approach for Assessing Risk in Certificate-Based Security. Journal Article
In: IEEE Transactions on Information Forensics and Security , vol. 13, iss. 8, pp. 1975-1988, 2018, ISSN: 1556-6013.
@article{almenarez009b,
title = {RiskLaine: A Probabilistic Approach for Assessing Risk in Certificate-Based Security. },
author = {Francisca Hinajeros and Florina Almenares-Mendoza and Patricia Arias-Cabarcos Josep-Lluis Ferrer Gomila and Andrés Marín-López},
doi = {https://doi.org/10.1109/tifs.2018.2807788},
issn = {1556-6013},
year = {2018},
date = {2018-02-19},
urldate = {2018-02-19},
journal = {IEEE Transactions on Information Forensics and Security },
volume = {13},
issue = {8},
pages = {1975-1988},
abstract = {Digital certificates, based on X.509 PKI standard, are located at the core of many security mechanisms implemented in services and applications. However, the usage of certificates has revealed flaws in the certificate validation process (e.g., possibility of unavailable or non-updated data). This fact implies security risks that are not assessed. In order to address these issues that such flaws entail, we propose a novel probabilistic approach for quantitative risk assessment in X.509 PKI, together with trust management when there is uncertainty. We have evaluated our risk assessment approach and demonstrated its usage, considering as a use case the secure installation of mobile applications. The results show that our approach provides more granularity, appropriate values according to the impact, and relevant information in the risk calculation than other approaches.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Digital certificates, based on X.509 PKI standard, are located at the core of many security mechanisms implemented in services and applications. However, the usage of certificates has revealed flaws in the certificate validation process (e.g., possibility of unavailable or non-updated data). This fact implies security risks that are not assessed. In order to address these issues that such flaws entail, we propose a novel probabilistic approach for quantitative risk assessment in X.509 PKI, together with trust management when there is uncertainty. We have evaluated our risk assessment approach and demonstrated its usage, considering as a use case the secure installation of mobile applications. The results show that our approach provides more granularity, appropriate values according to the impact, and relevant information in the risk calculation than other approaches.
Sánchez-Guerrero, Rosa; Almenárez-Mendoza, Florina; Díaz-Sánchez, Daniel; Arias-Cabarcos, Patricia; Marín-López, Andrés
Collaborative eHealth Meets Security: Privacy-Enhancing Patient Profile Management Journal Article
In: IEEE Journal of Biomedical and Health Informatics, vol. 21, iss. 6, pp. 1741-1749, 2017, ISSN: 2168-2194 .
@article{8003467,
title = {Collaborative eHealth Meets Security: Privacy-Enhancing Patient Profile Management},
author = {Rosa Sánchez-Guerrero and Florina Almenárez-Mendoza and Daniel Díaz-Sánchez and Patricia Arias-Cabarcos and Andrés Marín-López},
url = {/download/Collaborative_eHealth_meets_Security_Privacy-Enhancing_Patient_Profile_Management.pdf
https://ieeexplore.ieee.org/document/8003467},
doi = {10.1109/JBHI.2017.2655419},
issn = {2168-2194 },
year = {2017},
date = {2017-11-01},
urldate = {2017-11-01},
journal = {IEEE Journal of Biomedical and Health Informatics},
volume = {21},
issue = {6},
pages = {1741-1749},
abstract = {Collaborative healthcare environments offer potential benefits, including enhancing the healthcare quality delivered to patients and reducing costs. As a direct consequence, sharing of electronic health records (EHRs) among healthcare providers has experienced a noteworthy growth in the last years, since it enables physicians to remotely monitor patients' health and enables individuals to manage their own health data more easily. However, these scenarios face significant challenges regarding security and privacy of the extremely sensitive information contained in EHRs. Thus, a flexible, efficient, and standards-based solution is indispensable to guarantee selective identity information disclosure and preserve patient's privacy. We propose a privacy-aware profile management approach that empowers the patient role, enabling him to bring together various healthcare providers as well as user-generated claims into an unique credential. User profiles are represented through an adaptive Merkle Tree, for which we formalize the underlying mathematical model. Furthermore, performance of the proposed solution is empirically validated through simulation experiments.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Collaborative healthcare environments offer potential benefits, including enhancing the healthcare quality delivered to patients and reducing costs. As a direct consequence, sharing of electronic health records (EHRs) among healthcare providers has experienced a noteworthy growth in the last years, since it enables physicians to remotely monitor patients' health and enables individuals to manage their own health data more easily. However, these scenarios face significant challenges regarding security and privacy of the extremely sensitive information contained in EHRs. Thus, a flexible, efficient, and standards-based solution is indispensable to guarantee selective identity information disclosure and preserve patient's privacy. We propose a privacy-aware profile management approach that empowers the patient role, enabling him to bring together various healthcare providers as well as user-generated claims into an unique credential. User profiles are represented through an adaptive Merkle Tree, for which we formalize the underlying mathematical model. Furthermore, performance of the proposed solution is empirically validated through simulation experiments.
Rubio-Drosdov, E; Díaz-Sánchez, D; Almenárez, F; Arias-Cabarcos, P; Marín, A
Seamless human-device interaction in the internet of things Journal Article
In: IEEE Transactions on Consumer Electronics, vol. 63, iss. 4, pp. 490-498, 2017, ISSN: 1558-4127.
@article{8246828,
title = {Seamless human-device interaction in the internet of things},
author = {E Rubio-Drosdov and D Díaz-Sánchez and F Almenárez and P Arias-Cabarcos and A Marín},
url = {/download/Seamless_Human-Device_Interaction_in_the_Internet_of_Things.pdf
https://ieeexplore.ieee.org/document/8246828},
doi = {10.1109/TCE.2017.015076},
issn = {1558-4127},
year = {2017},
date = {2017-11-01},
urldate = {2017-11-01},
journal = {IEEE Transactions on Consumer Electronics},
volume = {63},
issue = {4},
pages = {490-498},
abstract = {The Internet of Things will bring a scenario in which interaction between humans and devices will be critical to allow people to use, monitor or configure Internet of Things devices. Interactions in such applications are based on traditional graphical interfaces. Devices that accept interaction based on Natural Language, e.g., through voice commands, can understand basic human orders or answering questions whenever user expressions fit into a known language pattern. Some devices can understand natural language voice commands but require sophisticated voice assistants located in the cloud, which raises significant privacy concerns. Others devices which handle voice-processing locally can perform a very limited local recognition system, requiring users to be familiar with words the system can process. The purpose of this work is to diminish the complexity of Natural Language processing in the context of IoT. The solution posited in this article allows Internet of Things devices to offload Natural Language processing to a system that improves the use of Natural Language and alleviates the need to learn or remember specific words or terms intended for triggering device actions. We have evaluated the feasibility of the design with a proof-of-concept implemented in a home environment and it was tested by real users.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The Internet of Things will bring a scenario in which interaction between humans and devices will be critical to allow people to use, monitor or configure Internet of Things devices. Interactions in such applications are based on traditional graphical interfaces. Devices that accept interaction based on Natural Language, e.g., through voice commands, can understand basic human orders or answering questions whenever user expressions fit into a known language pattern. Some devices can understand natural language voice commands but require sophisticated voice assistants located in the cloud, which raises significant privacy concerns. Others devices which handle voice-processing locally can perform a very limited local recognition system, requiring users to be familiar with words the system can process. The purpose of this work is to diminish the complexity of Natural Language processing in the context of IoT. The solution posited in this article allows Internet of Things devices to offload Natural Language processing to a system that improves the use of Natural Language and alleviates the need to learn or remember specific words or terms intended for triggering device actions. We have evaluated the feasibility of the design with a proof-of-concept implemented in a home environment and it was tested by real users.
Arias-Cabarcos, Patricia; Marín, Andrés; Palacios, Diego; Almenárez, Florina; Díaz-Sánchez, Daniel
Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication Journal Article
In: IT Professional, vol. 18, iss. 5, pp. 34-40, 2016, ISSN: 1941-045X.
@article{7579116,
title = {Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication},
author = {Patricia Arias-Cabarcos and Andrés Marín and Diego Palacios and Florina Almenárez and Daniel Díaz-Sánchez},
url = {https://ieeexplore.ieee.org/document/7579116
https://doi.org/10.1109/MITP.2016.81
/download/ComparingPasswordManagementSoftware.pdf},
doi = {10.1109/MITP.2016.81},
issn = {1941-045X},
year = {2016},
date = {2016-09-01},
urldate = {2016-09-01},
journal = {IT Professional},
volume = {18},
issue = {5},
pages = {34-40},
abstract = {In today's corporate IT systems, employees routinely repeat an undeniable pattern: accessing a huge number of password-protected services. In this regard, although deploying a strong enterprise password policy can increase security against online breaches and data leaks, it also imposes a significant usability burden on users. To alleviate this problem, password managers (PMs) are considered user-friendly tools that automate password generation and login processes. But how secure and usable are these tools? The authors analyze the four most popular PMs with free versions from both security and usability perspectives. The comparison leads to recommendations on enterprise PM selection, as well as to the identification of new lines of research and development on usable authentication.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
In today's corporate IT systems, employees routinely repeat an undeniable pattern: accessing a huge number of password-protected services. In this regard, although deploying a strong enterprise password policy can increase security against online breaches and data leaks, it also imposes a significant usability burden on users. To alleviate this problem, password managers (PMs) are considered user-friendly tools that automate password generation and login processes. But how secure and usable are these tools? The authors analyze the four most popular PMs with free versions from both security and usability perspectives. The comparison leads to recommendations on enterprise PM selection, as well as to the identification of new lines of research and development on usable authentication.
Marín-López, Andrés; Almenáres-Mendoza, Florina; Arias-Cabarcos, Patricia; Díaz-Sánchez, Daniel
Wi-Fi Direct: Lessons learned Proceedings Article
In: 2016 Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net), Institute of Electrical and Electronics Engineers (IEEE), 2016, ISBN: 978-1-5090-1984-7.
@inproceedings{pa002,
title = {Wi-Fi Direct: Lessons learned},
author = {Andrés Marín-López and Florina Almenáres-Mendoza and Patricia Arias-Cabarcos and Daniel Díaz-Sánchez},
url = {https://ieeexplore.ieee.org/document/7528493
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7528493},
doi = {10.1109/MedHocNet.2016.7528493},
isbn = {978-1-5090-1984-7},
year = {2016},
date = {2016-08-04},
urldate = {2016-08-04},
booktitle = {2016 Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net)},
publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
abstract = {Adhoc networking was initially designed for military application area. But adhoc networks have been found also appealing for autonomous computing. The adhoc mode of IEEE 802.11 (Independent Basic Service Set (IBSS) has not been successful due to several reasons. Within this article we explore and compare two alternatives for adhoc network formation in heterogeneous environments: Wi-Fi P2P also known as Wi-Fi Direct, and Wi-Fi Hotspot. The comparison shows that there are usability, security and performance reasons to favor Hotspot for application development.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Adhoc networking was initially designed for military application area. But adhoc networks have been found also appealing for autonomous computing. The adhoc mode of IEEE 802.11 (Independent Basic Service Set (IBSS) has not been successful due to several reasons. Within this article we explore and compare two alternatives for adhoc network formation in heterogeneous environments: Wi-Fi P2P also known as Wi-Fi Direct, and Wi-Fi Hotspot. The comparison shows that there are usability, security and performance reasons to favor Hotspot for application development.
Khaled, Omar; Marín, Andrés; Almenares, Florina; Arias, Patricia; Díaz, Daniel
Analysis of Secure TCP/IP Profile in 61850 Based Substation Automation System for Smart Grids Journal Article
In: International Journal of Distributed Sensor Networks, vol. 12, iss. 4, pp. 1-11, 2016, ISSN: 1550-1477.
@article{khaled001,
title = {Analysis of Secure TCP/IP Profile in 61850 Based Substation Automation System for Smart Grids},
author = {Omar Khaled and Andrés Marín and Florina Almenares and Patricia Arias and Daniel Díaz},
url = {https://journals.sagepub.com/doi/10.1155/2016/5793183},
doi = {https://doi.org/10.1155/2016/5793183},
issn = {1550-1477},
year = {2016},
date = {2016-04-18},
urldate = {2016-04-18},
journal = {International Journal of Distributed Sensor Networks},
volume = {12},
issue = {4},
pages = {1-11},
abstract = {Smart grid is the term used to describe modern power grids. It aims at achieving efficient, sustainable, economic, and secure delivery of electricity supplies. In order to achieve these goals, communication between different components within the grid and control centers is required. In a rapidly growing world, the demands for substation automation are increasing. Recently, two trends have been changing Substation Automation Systems: IEC 61850 and the need for cybersecurity. IEC 61850 specifies very strict performance requirements for message transfer time. The security for the smart grid must be designed to satisfy both performance and reliability requirements. In this paper, we address a study about secure communication in the substation real-time environment, complying with the IEC 61850 specifications. We mainly focus on analyzing the proposed Secure TCP/IP profile for MMS, testing different cipher suite combinations and examining whether by applying TLS we can still achieve the strict performance requirements of IEC 61850 or not. As a result of the study, we propose a list of cipher suite combinations that should be used. The importance of this study lies mainly on future scenarios, because IEC 61850 is thought to support smart metering communications.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Smart grid is the term used to describe modern power grids. It aims at achieving efficient, sustainable, economic, and secure delivery of electricity supplies. In order to achieve these goals, communication between different components within the grid and control centers is required. In a rapidly growing world, the demands for substation automation are increasing. Recently, two trends have been changing Substation Automation Systems: IEC 61850 and the need for cybersecurity. IEC 61850 specifies very strict performance requirements for message transfer time. The security for the smart grid must be designed to satisfy both performance and reliability requirements. In this paper, we address a study about secure communication in the substation real-time environment, complying with the IEC 61850 specifications. We mainly focus on analyzing the proposed Secure TCP/IP profile for MMS, testing different cipher suite combinations and examining whether by applying TLS we can still achieve the strict performance requirements of IEC 61850 or not. As a result of the study, we propose a list of cipher suite combinations that should be used. The importance of this study lies mainly on future scenarios, because IEC 61850 is thought to support smart metering communications.
Díaz-Sánchez, Daniel; Sherratt, Simon; Arias, Patricia; Almenares, Florina; Marín-López, Andrés
Proxy re-encryption schemes for IoT and crowd sensing Proceedings Article
In: IEEE, 2016, ISSN: 2158-4001.
@inproceedings{pa004,
title = {Proxy re-encryption schemes for IoT and crowd sensing},
author = {Daniel Díaz-Sánchez and Simon Sherratt and Patricia Arias and Florina Almenares and Andrés Marín-López},
url = {https://ieeexplore.ieee.org/document/7430505},
doi = {https://doi.org/10.1109/ICCE.2016.7430505},
issn = {2158-4001},
year = {2016},
date = {2016-04-01},
urldate = {2016-04-01},
publisher = {IEEE},
abstract = {IoT, crowd sensing and smart cities will be a traffic challenge. New communication paradigms as asynchronous messaging carry and forward, scheduled delivery and temporary storage will be needed to manage network resources dynamically. Since traditional end to end security will require keeping security associations among devices for a long time draining valuable resources, we propose and evaluate the use of proxy re-encryption protocols in these scenarios as a solution for reliable and flexible security.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
IoT, crowd sensing and smart cities will be a traffic challenge. New communication paradigms as asynchronous messaging carry and forward, scheduled delivery and temporary storage will be needed to manage network resources dynamically. Since traditional end to end security will require keeping security associations among devices for a long time draining valuable resources, we propose and evaluate the use of proxy re-encryption protocols in these scenarios as a solution for reliable and flexible security.
Díaz-Sánchez, Daniel; Sherratt, Simon; Almenares, Florina; Arias, Patricia; López, Andrés Marín-
Distributed access control and privacy for the internet of me Proceedings Article
In: 2016 IEEE International Conference on Consumer Electronics (ICCE), IEEE, 2016, ISSN: 2158-4001.
@inproceedings{pa003,
title = {Distributed access control and privacy for the internet of me},
author = {Daniel Díaz-Sánchez and Simon Sherratt and Florina Almenares and Patricia Arias and Andrés Marín- López},
url = {https://ieeexplore.ieee.org/document/7430506},
doi = {10.1109/ICCE.2016.7430506},
issn = {2158-4001},
year = {2016},
date = {2016-03-14},
booktitle = {2016 IEEE International Conference on Consumer Electronics (ICCE)},
publisher = {IEEE},
abstract = {This article presents an experimental scalable message driven IoT and its security architecture based on Decentralized Information Flow Control. The system uses a gateway that exports SoA (REST) interfaces to the internet simplifying external applications whereas uses DIFC and asynchronous messaging within the home environment.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
This article presents an experimental scalable message driven IoT and its security architecture based on Decentralized Information Flow Control. The system uses a gateway that exports SoA (REST) interfaces to the internet simplifying external applications whereas uses DIFC and asynchronous messaging within the home environment.
Almenarez, Florina; Hinarejos, M. Francisca; Marín, Andrés; Ferrer-Gomila, Josep Lluís; Sánchez, Daniel Díaz
PECEVA: An adaptable and energy-saving credential validation solution for pervasive networks Journal Article
In: INFORMATION SCIENCES, vol. 354, pp. 41-59, 2016, ISSN: 0020-0255.
@article{almenarez005,
title = {PECEVA: An adaptable and energy-saving credential validation solution for pervasive networks},
author = {Florina Almenarez and M. Francisca Hinarejos and Andrés Marín and Josep Lluís Ferrer-Gomila and Daniel Díaz Sánchez},
url = {https://www.sciencedirect.com/science/article/abs/pii/S0020025516301578?via%3Dihub},
doi = {https://doi.org/10.1016/j.ins.2016.03.010},
issn = {0020-0255},
year = {2016},
date = {2016-03-12},
urldate = {2016-03-12},
journal = {INFORMATION SCIENCES},
volume = {354},
pages = {41-59},
abstract = {Wireless, mobile, and context-awareness applications are considered to be the epitome of pervasive computing, but they bring with them the inherent security challenges of mobile ad-hoc networking. Mobile ad-hoc networks are mainly formed by mobile users, which can belong to different trust domains, in order to leverage the wealth of pervasive resources and available capabilities. The use of digital certificates is suitable for pervasive networking because of its decentralized and dynamic nature. Nevertheless, the validation of such certificates can become a more complex and costly process than it is in fixed-infrastructure networks. This is because pervasive networks face challenges such as environments that change with a certain degree of randomness, ad-hoc interactions with foreign devices, temporal disconnections that make it difficult to access updated and required information, and limited devices running costly processes. For these reasons, we propose a user-centric architecture that extends the validation of digital certificates in an adaptive way. The main contribution consists of a decision engine that takes advantage of the specific local and external resources in an opportunistic fashion. The solution preserves the security level required for each application and the resource consumption of the user device.
},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Wireless, mobile, and context-awareness applications are considered to be the epitome of pervasive computing, but they bring with them the inherent security challenges of mobile ad-hoc networking. Mobile ad-hoc networks are mainly formed by mobile users, which can belong to different trust domains, in order to leverage the wealth of pervasive resources and available capabilities. The use of digital certificates is suitable for pervasive networking because of its decentralized and dynamic nature. Nevertheless, the validation of such certificates can become a more complex and costly process than it is in fixed-infrastructure networks. This is because pervasive networks face challenges such as environments that change with a certain degree of randomness, ad-hoc interactions with foreign devices, temporal disconnections that make it difficult to access updated and required information, and limited devices running costly processes. For these reasons, we propose a user-centric architecture that extends the validation of digital certificates in an adaptive way. The main contribution consists of a decision engine that takes advantage of the specific local and external resources in an opportunistic fashion. The solution preserves the security level required for each application and the resource consumption of the user device.
Diaz-Sánchez, Daniel; Sherratt, Simon; Arias, Patricia; Almenarez, Florina; Marín, Andrés
Enabling actor model for crowd sensing and IoT Proceedings Article
In: IEEE, 2015, ISSN: 0747-668X.
@inproceedings{pa006,
title = {Enabling actor model for crowd sensing and IoT},
author = {Daniel Diaz-Sánchez and Simon Sherratt and Patricia Arias and Florina Almenarez and Andrés Marín},
url = {https://ieeexplore.ieee.org/document/7177779},
doi = {https://doi.org/10.1109/ISCE.2015.7177779},
issn = {0747-668X},
year = {2015},
date = {2015-08-06},
urldate = {2015-08-06},
publisher = {IEEE},
abstract = {The cloud is playing a very important role in wireless sensor network, crowd sensing and IoT data collection and processing. However, current cloud solutions lack of some features that hamper the innovation a number of other new services. We propose a cloud solution that provides these missing features as multi-cloud and device multi-tenancy relying in a whole different fully distributed paradigm, the actor model.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
The cloud is playing a very important role in wireless sensor network, crowd sensing and IoT data collection and processing. However, current cloud solutions lack of some features that hamper the innovation a number of other new services. We propose a cloud solution that provides these missing features as multi-cloud and device multi-tenancy relying in a whole different fully distributed paradigm, the actor model.
Rubio-Drosdov, Eugenio; Díaz-Sánchez, Daniel; Arias-Cabarcos, Patricia; Almenárez, Florina; Marín, Andrés
Towards a seamless human interaction in IoT Proceedings Article
In: IEEE, 2015, ISSN: 0747-668X.
@inproceedings{pa016,
title = {Towards a seamless human interaction in IoT},
author = {Eugenio Rubio-Drosdov and Daniel Díaz-Sánchez and Patricia Arias-Cabarcos and Florina Almenárez and Andrés Marín},
url = {https://ieeexplore.ieee.org/document/7177781},
doi = {https://doi.org/10.1109/ISCE.2015.7177781},
issn = {0747-668X},
year = {2015},
date = {2015-08-06},
urldate = {2015-08-06},
publisher = {IEEE},
abstract = {This article describes our approach for facilitating the interaction among devices in IoT environments. Our solution provides mechanisms to complement current IoT ontologies with device language annotations to facilitate device communication. This is our first step towards comprehensive user to environment communication that would bring the Internet of Me concept.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
This article describes our approach for facilitating the interaction among devices in IoT environments. Our solution provides mechanisms to complement current IoT ontologies with device language annotations to facilitate device communication. This is our first step towards comprehensive user to environment communication that would bring the Internet of Me concept.
Arias-Cabarcos, Patricia; Almenárez, Florina; Trapero, Rubén; Díaz-Sánchez, Daniel; Marín, Andrés
Blended Identity: Pervasive IdM for Continuous Authentication Journal Article
In: IEEE Xplore, vol. 13, iss. 3, pp. 32-39, 2015, ISSN: 1540-7993.
@article{ariascabarcos002,
title = {Blended Identity: Pervasive IdM for Continuous Authentication},
author = {Patricia Arias-Cabarcos and Florina Almenárez and Rubén Trapero and Daniel Díaz-Sánchez and Andrés Marín},
url = {https://ieeexplore.ieee.org/document/7118079},
doi = {https://doi.org/10.1109/MSP.2015.62},
issn = {1540-7993},
year = {2015},
date = {2015-06-04},
urldate = {2015-06-04},
journal = {IEEE Xplore},
volume = {13},
issue = {3},
pages = {32-39},
abstract = {A proper identity management approach is necessary for pervasive computing to be invisible to users. Federated identity management is key to achieving efficient identity blending and natural integration in the physical and online layers where users, devices, and services are present.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
A proper identity management approach is necessary for pervasive computing to be invisible to users. Federated identity management is key to achieving efficient identity blending and natural integration in the physical and online layers where users, devices, and services are present.
Díaz-Sanchez, Daniel; Arias-Cabarcos, Patricia; Almenarez, Florina; Marín-López, Andrés
P2P-based data layer for mobile Media Cloud Proceedings Article
In: IEEE, 2015, ISSN: 2158-3994.
@inproceedings{pa005,
title = {P2P-based data layer for mobile Media Cloud},
author = {Daniel Díaz-Sanchez and Patricia Arias-Cabarcos and Florina Almenarez and Andrés Marín-López},
url = {https://ieeexplore.ieee.org/document/7066362},
doi = {https://doi.org/10.1109/ICCE.2015.7066362},
issn = {2158-3994},
year = {2015},
date = {2015-03-26},
urldate = {2015-03-26},
publisher = {IEEE},
abstract = {This paper focus in an emerging concept called Elastic Personal Computing that is the ability to distribute data processing among multiple personal devices that constitute a mobile cloud. Among the most complex challenges is to provide data layer for the system to exchange input data transparently among nodes considering the data partitioning is application specific. Implementing data layers with replication and load distribution strategies is not feasible due to mobility, intermittent availability and the distributed character of mobile cloud systems. This article reasons about the problem and presents a P2P based data layer for distributed computing using personal devices.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
This paper focus in an emerging concept called Elastic Personal Computing that is the ability to distribute data processing among multiple personal devices that constitute a mobile cloud. Among the most complex challenges is to provide data layer for the system to exchange input data transparently among nodes considering the data partitioning is application specific. Implementing data layers with replication and load distribution strategies is not feasible due to mobility, intermittent availability and the distributed character of mobile cloud systems. This article reasons about the problem and presents a P2P based data layer for distributed computing using personal devices.
Díaz-Sánchez, Daniel; Sánchez-Guerrero, Rosa; Arias, Patricia; Almenarez, Florina; Marín, Andrés
A distributed transcoding and content protection system: Enabling pay per quality using the cloud Journal Article
In: Telecommunication Systems, vol. 61, iss. 1, pp. 59 - 76, 2015, ISSN: 1572-9451.
@article{diazsanchez002,
title = {A distributed transcoding and content protection system: Enabling pay per quality using the cloud},
author = {Daniel Díaz-Sánchez and Rosa Sánchez-Guerrero and Patricia Arias and Florina Almenarez and Andrés Marín },
url = {https://link.springer.com/article/10.1007/s11235-014-9952-x},
doi = {https://doi.org/10.1007/s11235-014-9952-x},
issn = {1572-9451},
year = {2015},
date = {2015-01-01},
urldate = {2015-01-01},
journal = {Telecommunication Systems},
volume = {61},
issue = {1},
pages = {59 - 76},
abstract = {Video coding is a process for adapting media content to the constraints of transmission networks delivery and terminal device visualization. Moreover, content protection is also necessary. Nowadays the heterogeneity of client devices is increasing leading to different resolutions, qualities and form factors. Due to this, transcoding and protection are essential processes to be conducted in modern video distribution networks to adapt video to devices and network constraints and to enable pay per quality schemas enforcing content licenses. Unfortunately, transcoding and protection can be no longer considered linear since every single content should be transcoded in several formats and sometimes protected, so it would require a long time to finish. Modern scalable coding techniques, as H264 SVC, can help to save processing power and bandwidth providing in a single stream several video versions. However, if the enhancements of a SVC encoded content are protected separately, it would possible to enable pay-per-quality providing an additional degree of freedom to content delivery industry. Unfortunatelly, transcoding and protection entail huge doses of processing power at provider side and should be distributed. Moreover, processing key streams to decrypt enhancements that were encrypted separately can increase the complexity at receiver side. Cloud computing emerges as a potential solution for coping with large population of users with heterogeneous visualization devices. The elastic nature of cloud computing can be an advantage given the difficulty to predict the computing resources video content would require to be distributed during the entire content life. This article describes a system that distributes and parallelizes the video transcoding process as well as the content encryption, following the SaaS approach in cloud computing. Moreover, the article describes an experimental approach for generating and processing a flexible key stream that would help to simplify key management at receiver side and would allow legacy receivers to consume SVC content with separate enhancement protection.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Video coding is a process for adapting media content to the constraints of transmission networks delivery and terminal device visualization. Moreover, content protection is also necessary. Nowadays the heterogeneity of client devices is increasing leading to different resolutions, qualities and form factors. Due to this, transcoding and protection are essential processes to be conducted in modern video distribution networks to adapt video to devices and network constraints and to enable pay per quality schemas enforcing content licenses. Unfortunately, transcoding and protection can be no longer considered linear since every single content should be transcoded in several formats and sometimes protected, so it would require a long time to finish. Modern scalable coding techniques, as H264 SVC, can help to save processing power and bandwidth providing in a single stream several video versions. However, if the enhancements of a SVC encoded content are protected separately, it would possible to enable pay-per-quality providing an additional degree of freedom to content delivery industry. Unfortunatelly, transcoding and protection entail huge doses of processing power at provider side and should be distributed. Moreover, processing key streams to decrypt enhancements that were encrypted separately can increase the complexity at receiver side. Cloud computing emerges as a potential solution for coping with large population of users with heterogeneous visualization devices. The elastic nature of cloud computing can be an advantage given the difficulty to predict the computing resources video content would require to be distributed during the entire content life. This article describes a system that distributes and parallelizes the video transcoding process as well as the content encryption, following the SaaS approach in cloud computing. Moreover, the article describes an experimental approach for generating and processing a flexible key stream that would help to simplify key management at receiver side and would allow legacy receivers to consume SVC content with separate enhancement protection.
Díaz-Sanchez, Daniel; Arias-Cabarcos, Patricia; Sánchez-Guerrero, Rosa; Almenarez, Florina; Marín-Lopez, Andrés
Elastic participatory sensing systems enabling cooperative meta sensors with consumer devices Proceedings Article
In: 2014 IEEE International Conference on Consumer Electronics (ICCE), IEEE, 2014, ISSN: 2158-3994.
@inproceedings{pa007,
title = {Elastic participatory sensing systems enabling cooperative meta sensors with consumer devices},
author = {Daniel Díaz-Sanchez and Patricia Arias-Cabarcos and Rosa Sánchez-Guerrero and Florina Almenarez and Andrés Marín-Lopez},
url = {https://ieeexplore.ieee.org/document/6776058},
doi = {https://doi.org/10.1109/ICCE.2014.6776058},
issn = {2158-3994},
year = {2014},
date = {2014-03-20},
booktitle = {2014 IEEE International Conference on Consumer Electronics (ICCE)},
publisher = {IEEE},
abstract = {Participatory Sensing systems can take benefit of the distributed processing personal consumer devices can provide since sensors can be grouped in meta-sensors and measures can be processed in a distributed fashion saving costs and improving the coverage. This abstract presents a solution introducing the concept of personal meta-sensor and provides a lightweight framework to consume and process measures.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Participatory Sensing systems can take benefit of the distributed processing personal consumer devices can provide since sensors can be grouped in meta-sensors and measures can be processed in a distributed fashion saving costs and improving the coverage. This abstract presents a solution introducing the concept of personal meta-sensor and provides a lightweight framework to consume and process measures.
Díaz-Sánchez, Daniel; Almenarez, Florina; Marín, Andrés; Sánchez-Guerrero, Rosa; Arias, Patricia
Media Gateway: bringing privacy to Private Multimedia Clouds connections Journal Article
In: Telecommunication Systems, vol. 55, iss. 2, pp. 315-330, 2014, ISSN: 1572-9451.
@article{diazsanchez001,
title = {Media Gateway: bringing privacy to Private Multimedia Clouds connections},
author = {Daniel Díaz-Sánchez and Florina Almenarez and Andrés Marín and Rosa Sánchez-Guerrero and Patricia Arias },
url = {https://link.springer.com/article/10.1007/s11235-013-9783-1},
doi = {https://doi.org/10.1007/s11235-013-9783-1},
issn = {1572-9451},
year = {2014},
date = {2014-02-01},
urldate = {2014-02-01},
journal = {Telecommunication Systems},
volume = {55},
issue = {2},
pages = {315-330},
abstract = {The growing interest in media sharing combined with the explosion of social applications have opened an opportunity window for cloud based applications for media management as Media Cloud, described in this article, that has brought the concept of Cloud Computing to home environments. Media Cloud provides a comprehensive and efficient solution for managing content among federated home environments. As part of the purpose of empowering the user role as well as to improve user experience, we placed significant efforts on interoperability and privacy protection when it comes to accessing cloud resources from other networks. This article describes a solution that enables limited devices to access contents located in private clouds, as Media Cloud, with the cooperation of network providers.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The growing interest in media sharing combined with the explosion of social applications have opened an opportunity window for cloud based applications for media management as Media Cloud, described in this article, that has brought the concept of Cloud Computing to home environments. Media Cloud provides a comprehensive and efficient solution for managing content among federated home environments. As part of the purpose of empowering the user role as well as to improve user experience, we placed significant efforts on interoperability and privacy protection when it comes to accessing cloud resources from other networks. This article describes a solution that enables limited devices to access contents located in private clouds, as Media Cloud, with the cooperation of network providers.
Arias-Cabarcos, Patricia; Almenares-Mendoza, Florina; Gómez-Mármol, Felix; López, Andrés Marín-
To Federate or Not To Federate: A Reputation-Based Mechanism to Dynamize Cooperation in Identity Management Journal Article
In: Wireless Personal Communications, vol. 75, iss. 3, pp. 1769-1786, 2013, ISSN: 0929-6212.
@article{almenarez010,
title = {To Federate or Not To Federate: A Reputation-Based Mechanism to Dynamize Cooperation in Identity Management },
author = {Patricia Arias-Cabarcos and Florina Almenares-Mendoza and Felix Gómez-Mármol and Andrés Marín- López },
doi = {https://doi.org/10.1007/s11277-013-1338-y},
issn = {0929-6212},
year = {2013},
date = {2013-08-01},
urldate = {2013-08-01},
journal = {Wireless Personal Communications},
volume = {75},
issue = {3},
pages = {1769-1786},
abstract = {Identity Management systems cannot be centralized anymore. Nowadays, users have multiple accounts, profiles and personal data distributed throughout the web and hosted by different providers. However, the online world is currently divided into identity silos forcing users to deal with repetitive authentication and registration processes and hindering a faster development of large scale e-business. Federation has been proposed as a technology to bridge different trust domains, allowing user identity information to be shared in order to improve usability. But further research is required to shift from the current static model, where manual bilateral agreements must be pre-configured to enable cooperation between unknown parties, to a more dynamic one, where trust relationships are established on demand in a fully automated fashion. This paper presents IdMRep, the first completely decentralized reputation-based mechanism which makes dynamic federation a reality. Initial experiments demonstrate its accuracy as well as an assumable overhead in scenarios with and without malicious nodes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Identity Management systems cannot be centralized anymore. Nowadays, users have multiple accounts, profiles and personal data distributed throughout the web and hosted by different providers. However, the online world is currently divided into identity silos forcing users to deal with repetitive authentication and registration processes and hindering a faster development of large scale e-business. Federation has been proposed as a technology to bridge different trust domains, allowing user identity information to be shared in order to improve usability. But further research is required to shift from the current static model, where manual bilateral agreements must be pre-configured to enable cooperation between unknown parties, to a more dynamic one, where trust relationships are established on demand in a fully automated fashion. This paper presents IdMRep, the first completely decentralized reputation-based mechanism which makes dynamic federation a reality. Initial experiments demonstrate its accuracy as well as an assumable overhead in scenarios with and without malicious nodes.
Almenares, Florina; Arias, Patricia; Marín, Andrés; Díaz-Sánchez, Daniel; Sánchez, Rosa
Overhead of using Secure Wireless Communications in Mobile Computing Journal Article
In: IEEE TRANSACTIONS ON CONSUMER ELECTRONICS, vol. 59, iss. 2, pp. 335-342, 2013, ISSN: 0098-3063.
@article{almenarez004,
title = {Overhead of using Secure Wireless Communications in Mobile Computing},
author = {Florina Almenares and Patricia Arias and Andrés Marín and Daniel Díaz-Sánchez and Rosa Sánchez
},
url = {https://ieeexplore.ieee.org/document/6531115
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6531115},
doi = {https://doi.org/10.1109/TCE.2013.6531115},
issn = {0098-3063},
year = {2013},
date = {2013-05-06},
urldate = {2013-05-06},
journal = {IEEE TRANSACTIONS ON CONSUMER ELECTRONICS},
volume = {59},
issue = {2},
pages = {335-342},
abstract = {Secure wireless communications are fundamental in any interaction in order to avoid security and privacy breaches, especially from mobile devices. The use of this kind of communications is far more frequent and the number of users increases day after day. This paper shows and analyzes the support, performance and consumption of cryptographic algorithms and cipher suites in terms of time and energy when secure communications (i.e., using SSL) are established according to different security levels. This study has been performed in distinct operating systems, and using different browsers and libraries.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Secure wireless communications are fundamental in any interaction in order to avoid security and privacy breaches, especially from mobile devices. The use of this kind of communications is far more frequent and the number of users increases day after day. This paper shows and analyzes the support, performance and consumption of cryptographic algorithms and cipher suites in terms of time and energy when secure communications (i.e., using SSL) are established according to different security levels. This study has been performed in distinct operating systems, and using different browsers and libraries.
Díaz-Sánchez, Daniel; Marín-López, Andres; Almenares, Florina; Sánchez, Rosa; Arias, Patricia
Flexible Computing for personal electronic devices Proceedings Article
In: 2013 IEEE International Conference on Consumer Electronics (ICCE), IEEE, 2013, ISSN: 2158-3994.
@inproceedings{pa008,
title = {Flexible Computing for personal electronic devices},
author = {Daniel Díaz-Sánchez and Andres Marín-López and Florina Almenares and Rosa Sánchez and Patricia Arias},
url = {https://ieeexplore.ieee.org/document/6486863},
doi = {https://doi.org/10.1109/ICCE.2013.6486863},
issn = {2158-3994},
year = {2013},
date = {2013-03-28},
booktitle = {2013 IEEE International Conference on Consumer Electronics (ICCE)},
publisher = {IEEE},
abstract = {This article describes an experimental framework for Android called Light Weight Map Reduce that pursues enabling Elastic Personal Computing, a refinement of the Elastic Computing concept that allows personal electronics to automatically distribute the load among devices constituting a computing fabric seamlessly.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
This article describes an experimental framework for Android called Light Weight Map Reduce that pursues enabling Elastic Personal Computing, a refinement of the Elastic Computing concept that allows personal electronics to automatically distribute the load among devices constituting a computing fabric seamlessly.
Almenares, Florina; Arias, Patricia; Marín-López, Andrés; Díaz-Sánchez, Daniel; Sánchez, Rosa
How costly are secure transactions on handheld devices? Proceedings Article
In: IEEE, 2013, ISSN: 2158-3994.
@inproceedings{pa010,
title = {How costly are secure transactions on handheld devices?},
author = {Florina Almenares and Patricia Arias and Andrés Marín-López and Daniel Díaz-Sánchez and Rosa Sánchez},
url = {https://ieeexplore.ieee.org/document/6486865},
doi = {https://doi.org/10.1109/ICCE.2013.6486865},
issn = {2158-3994},
year = {2013},
date = {2013-03-08},
publisher = {IEEE},
abstract = {Handheld devices are more and more powerful allowing to do most things people do on a desktop. Nevertheless, mobile device security follows being an open issue. We have performed the first study of the security support between native and OpenSSL-based libraries, in terms of energy consumption and time, about secure communication performance.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Handheld devices are more and more powerful allowing to do most things people do on a desktop. Nevertheless, mobile device security follows being an open issue. We have performed the first study of the security support between native and OpenSSL-based libraries, in terms of energy consumption and time, about secure communication performance.
Díaz-Sánchez, Daniel; Marín-López, Andrés; Almenarez, Florina; Sánchez-Guerrero, Rosa; Arias, Patricia
A distributed transcoding system for mobile video delivery Proceedings Article
In: Institute of Electrical and Electronics Engineers (IEEE), 2013, ISBN: 978-1-4673-2993-4.
@inproceedings{pa019,
title = {A distributed transcoding system for mobile video delivery},
author = {Daniel Díaz-Sánchez and Andrés Marín-López and Florina Almenarez and Rosa Sánchez-Guerrero and Patricia Arias},
url = {https://ieeexplore.ieee.org/document/6416151},
doi = {https://doi.org/10.1109/WMNC.2012.6416151},
isbn = {978-1-4673-2993-4},
year = {2013},
date = {2013-01-24},
publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
abstract = {The heterogeneity of client devices is increasing leading to different resolutions, qualities and form factors. Due to the amount of multimedia to be processed, transcoding and protection can be no longer performed linearly. For that reason, this article describes a solution to distribute and parallelize the transcoding process as well as the content encryption relying on cloud computing. Moreover, this article shows the benefits of this approach showing several experimental results.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
The heterogeneity of client devices is increasing leading to different resolutions, qualities and form factors. Due to the amount of multimedia to be processed, transcoding and protection can be no longer performed linearly. For that reason, this article describes a solution to distribute and parallelize the transcoding process as well as the content encryption relying on cloud computing. Moreover, this article shows the benefits of this approach showing several experimental results.
Sánchez-Guerrero, Rosa; Almenárez, Florina; Díaz-Sánchez, Daniel; Arias, Patricia; Marín, Andrés
A model for dimensioning a secure event-driven health care system Proceedings Article
In: 2012 5th Joint IFIP Wireless and Mobile Networking Conference (WMNC), Institute of Electrical and Electronics Engineers (IEEE), 2013, ISBN: 978-1-4673-2993-4.
@inproceedings{pa020,
title = {A model for dimensioning a secure event-driven health care system},
author = {Rosa Sánchez-Guerrero and Florina Almenárez and Daniel Díaz-Sánchez and Patricia Arias and Andrés Marín},
url = {https://ieeexplore.ieee.org/document/6416152},
doi = {https://doi.org/10.1109/WMNC.2012.6416152},
isbn = {978-1-4673-2993-4},
year = {2013},
date = {2013-01-24},
urldate = {2013-01-24},
booktitle = {2012 5th Joint IFIP Wireless and Mobile Networking Conference (WMNC)},
publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
abstract = {Privacy is close to the user information and thus, present in any ubiquitous computing scenario. In this sense, privacy in identity management is gaining more importance, since IdM systems deal with services that requires sharing attributes belonging to users' identity with different entities across security domains. However, the effective revocation consent -considered as a privacy rule in sensitive scenarios- has not been fully addressed. This article builds on the flexible event-based user consent-revocation mechanism defined in [4] for health care scenarios. In this article we analyze the network dimensioning to calculate the overhead of activating/deactivating attributes and privileges, as subscription and notification event messages exchanged. We consider two main simulation scenarios: a large hospital, and a small-medium hospital.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Privacy is close to the user information and thus, present in any ubiquitous computing scenario. In this sense, privacy in identity management is gaining more importance, since IdM systems deal with services that requires sharing attributes belonging to users' identity with different entities across security domains. However, the effective revocation consent -considered as a privacy rule in sensitive scenarios- has not been fully addressed. This article builds on the flexible event-based user consent-revocation mechanism defined in [4] for health care scenarios. In this article we analyze the network dimensioning to calculate the overhead of activating/deactivating attributes and privileges, as subscription and notification event messages exchanged. We consider two main simulation scenarios: a large hospital, and a small-medium hospital.
Arias-Cabarcos, Patricia; Almenárez-Mendoza, Florina; Sánchez-Guerrero, Rosa; Marín-López, Andrés; Díaz-Sánchez, Daniel
SuSSo: Seamless and Ubiquitous Single Sign-on for Cloud Service Continuity across devices Journal Article
In: IEEE TRANSACTIONS ON CONSUMER ELECTRONICS, vol. 58, iss. 4, pp. 1425-1433, 2012, ISSN: 0098-3063.
@article{ariascabarcos004,
title = {SuSSo: Seamless and Ubiquitous Single Sign-on for Cloud Service Continuity across devices},
author = {Patricia Arias-Cabarcos and Florina Almenárez-Mendoza and Rosa Sánchez-Guerrero and Andrés Marín-López and Daniel Díaz-Sánchez},
url = {https://ieeexplore.ieee.org/document/6415016
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6415016},
doi = {https://doi.org/10.1109/TCE.2012.6415016},
issn = {0098-3063},
year = {2012},
date = {2012-11-01},
urldate = {2012-11-01},
journal = {IEEE TRANSACTIONS ON CONSUMER ELECTRONICS},
volume = {58},
issue = {4},
pages = {1425-1433},
abstract = {The great variety of consumer electronic devices with support of wireless communications combined with the emerging Cloud Computing paradigm is paving the way to real anytime/anywhere computing. In this context, many services, such as music or video streaming, are delivered to the clients using Cloud-based providers. However, service continuity when moving across different terminals is still a major challenge. This paper proposes SuSSo, a novel middleware architecture that allows sessions initiated from one device to be seamlessly transferred to a second one, as might be desirable in the enjoyment of long running media.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The great variety of consumer electronic devices with support of wireless communications combined with the emerging Cloud Computing paradigm is paving the way to real anytime/anywhere computing. In this context, many services, such as music or video streaming, are delivered to the clients using Cloud-based providers. However, service continuity when moving across different terminals is still a major challenge. This paper proposes SuSSo, a novel middleware architecture that allows sessions initiated from one device to be seamlessly transferred to a second one, as might be desirable in the enjoyment of long running media.
Marín-López, Andrés; Díaz-Sánchez, Daniel; Almenárez-Mendoza, Florina; Arias-Cabarcos, Patricia; Sánchez-Guerrero, Rosa; Sanvido, Fabio
Private cloud and media privacy in social networks Proceedings Article
In: 2012 IEEE Second International Conference on Consumer Electronics - Berlin (ICCE-Berlin), IEEE, 2012, ISSN: 2166-6814.
@inproceedings{pa011,
title = {Private cloud and media privacy in social networks},
author = {Andrés Marín-López and Daniel Díaz-Sánchez and Florina Almenárez-Mendoza and Patricia Arias-Cabarcos and Rosa Sánchez-Guerrero and Fabio Sanvido},
url = {https://ieeexplore.ieee.org/document/6336476},
doi = {https://doi.org/10.1109/ICCE-Berlin.2012.6336476},
issn = {2166-6814},
year = {2012},
date = {2012-10-22},
booktitle = {2012 IEEE Second International Conference on Consumer Electronics - Berlin (ICCE-Berlin)},
publisher = {IEEE},
abstract = {Privacy rules imposed by social networks (SNs) impose several restrictions to user privacy. Though they usually offer the user some control to limit access to his own data, the social network may share uploaded data with other partners and marketing companies. Pictures and videos may have a second life, even after being deleted by the user, and consequently storage and access must take place in the user home domain or facilities managed by the user, following an end to end approach. We propose to combine the usage of private clouds, specialized in media contents, in cooperation with SNs, offering the user complete control over his data, while benefiting from the SNs visibility to announce and spread the data. To achieve transparency, we propose a plug-in system to embed links as annotations in reduced media replacement uploaded in the SN. These links point to the real resource stored in the private cloud, now under complete user control. We perform validation tests which show important improvements in uploading time and user experience.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Privacy rules imposed by social networks (SNs) impose several restrictions to user privacy. Though they usually offer the user some control to limit access to his own data, the social network may share uploaded data with other partners and marketing companies. Pictures and videos may have a second life, even after being deleted by the user, and consequently storage and access must take place in the user home domain or facilities managed by the user, following an end to end approach. We propose to combine the usage of private clouds, specialized in media contents, in cooperation with SNs, offering the user complete control over his data, while benefiting from the SNs visibility to announce and spread the data. To achieve transparency, we propose a plug-in system to embed links as annotations in reduced media replacement uploaded in the SN. These links point to the real resource stored in the private cloud, now under complete user control. We perform validation tests which show important improvements in uploading time and user experience.