@article{juandiego001,

title = {AI Versus IoT Security: Fingerprinting and Defenses Against TLS Handshake-Based IoT Device Classification},

author = {Juan Diego Llano-Miraval and Celeste Campo and Carlos García-Rubio and Marta Moure-Garrido},

url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11168239},

doi = {https://doi.org/10.1109/ACCESS.2025.3611160},

issn = {2169-3536},

year  = {2025},

date = {2025-09-17},

urldate = {2025-09-17},

journal = {IEEE Access},

volume = {13},

pages = {165607 - 165622},

abstract = {The number of Internet of Things (IoT) devices in smart homes is steadily increasing, enhancing convenience but also raising security concerns. While secure communication protocols like Transport Layer Security (TLS) are commonly used, attackers can still exploit metadata to profile users and identify vulnerabilities. This research focuses on analyzing the TLS handshake, where encryption parameters are established. Although newer versions of TLS aim to encrypt the Server Name Indication (SNI), we observed that some devices in real-world environments still transmit SNI in plaintext, potentially exposing device identities. Given this practical variability in SNI transmission among diverse IoT devices, we conducted two parallel studies, one including the SNI and one without it, while avoiding Media Access Control (MAC) and Internet Protocol (IP) addresses due to their inherent variability and privacy implications. We used TLS handshake parameters as input for machine learning algorithms to fingerprint IoT devices, classify them by type, and identify manufacturers. Six machine learning models were evaluated: Support Vector Machine (SVM), a multi-layer perceptron (MLP), Random Forest (RF), Convolutional Neural Network (CNN), XGBoost, and CNN+RF. The results showed that CNN+RF achieved the highest accuracy, reaching 99% for device type classification. However, our proposed countermeasure, which enhances TLS handshake privacy by obfuscating specific parameters, significantly reduced fingerprinting accuracy to a maximum of 80% when SNI was excluded. These findings highlight the potential risks of TLS metadata exposure and demonstrate the effectiveness of privacy-enhancing countermeasures in mitigating IoT device fingerprinting attacks.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{danieldiaz030,

title = {Zero‑Trust Token Authorization with Trapdoor Hashes for Scalable Distributed Firewalls},

author = {Daniel Díaz-Sánchez and Celeste Campo and Carlos García-Rubio },

url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5313600},

doi = {http://dx.doi.org/10.2139/ssrn.5313600},

year  = {2025},

date = {2025-08-31},

urldate = {2025-08-31},

pages = {18},

abstract = {Massive Internet of Things (IoT) deployments expose networks to severe risks, as a single compromised device can facilitate lateral movements across the entire infrastructure. Traditional firewalls, based on static rules, are fragile, difficult to synchronize across domains, and poorly suited for Zero Trust principles. In this work, we propose a scalable authorization architecture where each flow carries a cryptographically protected textit{token} that incorporates a signed and immutable policy, verifiable in a non-interactive manner. The textit{tokens} are issued based on attestation evidence, and the messages are reinforced using trapdoor textit{chameleon hashes}, which allows for flexible delegation and transferability without invalidating the original policy. Through key aggregation techniques, we enable collaborative issuance, optional anonymity, and multi-party governance. The experimental evaluation in a real textit{testbed} demonstrates that the verification of this embedded authorization incurs a fixed and predictable cost—higher than that of rule lookups, but constant regardless of network size, rule growth, or concurrency. This balance eliminates the burden of distributing and maintaining large rule tables while ensuring granular per-flow authorization, privacy preservation, and interoperability between providers. The proposal materializes a Zero Trust model resistant to impersonation, replay, and lateral attacks, and lays the groundwork for future optimizations through the progressive incorporation of post-quantum primitives.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{danieldiaz031,

title = {Beyond PKI: A DNSSEC Delegation Approach for Scalable Dynamic Credential Management in IoT},

author = {Daniel Díaz-Sánchez and Florina Almenarez and Celeste Campo and Carlos García-Rubio and Simon Sherratt},

url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11130501},

doi = {https://doi.org/10.1109/JIOT.2025.3600371},

issn = {2327-4662},

year  = {2025},

date = {2025-08-19},

urldate = {2025-08-19},

journal = {IEEE Internet of Things Journal },

abstract = {Internet of Things (IoT) systems that manage data across cloud, fog, and edge environments—and the devices that consume those services—face substantial challenges in confidentiality, privacy, and authentication. However, traditional Public Key Infrastructure (PKI) is too rigid and costly for massive, ephemeral IoT deployments. Moreover, device authentication is often overlooked in favor of service authentication, neglecting the security of the entire ecosystem. DNSSEC combined with DANE introduces a new paradigm in which service authentication can be managed globally, extending trust to locally generated, type-agnostic credentials. This framework can accommodate PKI certificates, self-signed credentials, and local keys, all of which can be verified by any client, local or remote. However, DNSSEC’s signature proofs grow linearly with the number of secured records, inflating communication overhead and energy consumption—an issue aggravated by the larger sizes of post-quantum signatures. Additionally, current DNSSEC delegation mechanisms lack the flexibility needed for secure load balancing and isolation. In this article, we present a collision-based DNSSEC signature-delegation mechanism designed to overcome these scalability limitations. By allowing a central DNS authority to delegate signing responsibilities to local DNS servers, our approach reduces certificate-management overhead and enables a dynamic, hierarchical trust model. It supports both service and device authentication in a unified DNS-name-based security context. Our evaluation shows that the proposed mechanism maintains a stable computational cost irrespective of credential count, a critical benefit for large-scale, resource-constrained IoT deployments. By leveraging existing DNS infrastructure and standards, this solution enhances scalability and efficiency compared to traditional PKI and DNSSEC, while promoting interoperability and ease of deployment. It also opens the adoption of future post quantum trapdoor systems still under research and development.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{javierblanco006,

title = {Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS},

author = {Julio Gento Suela and Javier Blanco-Romero and Florina Almenares-Mendoza and Daniel Díaz Sánchez },

doi = { https://doi.org/10.48550/arXiv.2507.09301},

year  = {2025},

date = {2025-07-15},

urldate = {2025-07-15},

abstract = {The emergence of quantum computers poses a significant threat to current secure service, application and/or protocol implementations that rely on RSA and ECDSA algorithms, for instance DNSSEC, because public-key cryptography based on number factorization or discrete logarithm is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed and performance evaluation results reveal significant trade-offs between security and efficiency. The results indicate that while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{javierblanco007,

title = {Hybrid Quantum Security for IPsec},

author = {Javier Blanco-Romero and Pedro Otero García and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernández Vilas and Manuel Fernández-Veiga},

url = {https://arxiv.org/pdf/2507.09288},

doi = {https://doi.org/10.48550/arXiv.2507.09288},

year  = {2025},

date = {2025-07-12},

pages = {23},

abstract = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@article{javierblanco007b,

title = {Hybrid Quantum Security for IPsec},

author = {Javier Blanco-Romero and Pedro Otero García and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernández Vilas and Manuel Fernández-Veiga},

url = {https://arxiv.org/pdf/2507.09288},

doi = {https://doi.org/10.48550/arXiv.2507.09288},

year  = {2025},

date = {2025-07-12},

urldate = {2025-07-12},

pages = {23},

abstract = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}