I-SHAPER
I-SHAPER - Fortalecimiento de autenticación, confidencialidad, privacidad y acceso confiable en servicio de Internet.
INSTITUTO NACIONAL DE CIBERSEGURIDAD - UE PRTR
(Ref. PRTR-INCIBE - 2023/00623/001)
12/ 2023
--
12/ 2025
Publications
Llano-Miraval, Juan Diego; Campo, Celeste; García-Rubio, Carlos; Moure-Garrido, Marta
AI Versus IoT Security: Fingerprinting and Defenses Against TLS Handshake-Based IoT Device Classification Journal Article
In: IEEE Access, vol. 13, pp. 165607 - 165622, 2025, ISSN: 2169-3536.
@article{juandiego001,
title = {AI Versus IoT Security: Fingerprinting and Defenses Against TLS Handshake-Based IoT Device Classification},
author = {Juan Diego Llano-Miraval and Celeste Campo and Carlos García-Rubio and Marta Moure-Garrido},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11168239},
doi = {https://doi.org/10.1109/ACCESS.2025.3611160},
issn = {2169-3536},
year = {2025},
date = {2025-09-17},
urldate = {2025-09-17},
journal = {IEEE Access},
volume = {13},
pages = {165607 - 165622},
abstract = {The number of Internet of Things (IoT) devices in smart homes is steadily increasing, enhancing convenience but also raising security concerns. While secure communication protocols like Transport Layer Security (TLS) are commonly used, attackers can still exploit metadata to profile users and identify vulnerabilities. This research focuses on analyzing the TLS handshake, where encryption parameters are established. Although newer versions of TLS aim to encrypt the Server Name Indication (SNI), we observed that some devices in real-world environments still transmit SNI in plaintext, potentially exposing device identities. Given this practical variability in SNI transmission among diverse IoT devices, we conducted two parallel studies, one including the SNI and one without it, while avoiding Media Access Control (MAC) and Internet Protocol (IP) addresses due to their inherent variability and privacy implications. We used TLS handshake parameters as input for machine learning algorithms to fingerprint IoT devices, classify them by type, and identify manufacturers. Six machine learning models were evaluated: Support Vector Machine (SVM), a multi-layer perceptron (MLP), Random Forest (RF), Convolutional Neural Network (CNN), XGBoost, and CNN+RF. The results showed that CNN+RF achieved the highest accuracy, reaching 99% for device type classification. However, our proposed countermeasure, which enhances TLS handshake privacy by obfuscating specific parameters, significantly reduced fingerprinting accuracy to a maximum of 80% when SNI was excluded. These findings highlight the potential risks of TLS metadata exposure and demonstrate the effectiveness of privacy-enhancing countermeasures in mitigating IoT device fingerprinting attacks.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The number of Internet of Things (IoT) devices in smart homes is steadily increasing, enhancing convenience but also raising security concerns. While secure communication protocols like Transport Layer Security (TLS) are commonly used, attackers can still exploit metadata to profile users and identify vulnerabilities. This research focuses on analyzing the TLS handshake, where encryption parameters are established. Although newer versions of TLS aim to encrypt the Server Name Indication (SNI), we observed that some devices in real-world environments still transmit SNI in plaintext, potentially exposing device identities. Given this practical variability in SNI transmission among diverse IoT devices, we conducted two parallel studies, one including the SNI and one without it, while avoiding Media Access Control (MAC) and Internet Protocol (IP) addresses due to their inherent variability and privacy implications. We used TLS handshake parameters as input for machine learning algorithms to fingerprint IoT devices, classify them by type, and identify manufacturers. Six machine learning models were evaluated: Support Vector Machine (SVM), a multi-layer perceptron (MLP), Random Forest (RF), Convolutional Neural Network (CNN), XGBoost, and CNN+RF. The results showed that CNN+RF achieved the highest accuracy, reaching 99% for device type classification. However, our proposed countermeasure, which enhances TLS handshake privacy by obfuscating specific parameters, significantly reduced fingerprinting accuracy to a maximum of 80% when SNI was excluded. These findings highlight the potential risks of TLS metadata exposure and demonstrate the effectiveness of privacy-enhancing countermeasures in mitigating IoT device fingerprinting attacks.
Díaz-Sánchez, Daniel; Campo, Celeste; García-Rubio, Carlos
Zero‑Trust Token Authorization with Trapdoor Hashes for Scalable Distributed Firewalls Journal Article
In: pp. 18, 2025.
@article{danieldiaz030,
title = {Zero‑Trust Token Authorization with Trapdoor Hashes for Scalable Distributed Firewalls},
author = {Daniel Díaz-Sánchez and Celeste Campo and Carlos García-Rubio },
url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5313600},
doi = {http://dx.doi.org/10.2139/ssrn.5313600},
year = {2025},
date = {2025-08-31},
urldate = {2025-08-31},
pages = {18},
abstract = {Massive Internet of Things (IoT) deployments expose networks to severe risks, as a single compromised device can facilitate lateral movements across the entire infrastructure. Traditional firewalls, based on static rules, are fragile, difficult to synchronize across domains, and poorly suited for Zero Trust principles. In this work, we propose a scalable authorization architecture where each flow carries a cryptographically protected textit{token} that incorporates a signed and immutable policy, verifiable in a non-interactive manner. The textit{tokens} are issued based on attestation evidence, and the messages are reinforced using trapdoor textit{chameleon hashes}, which allows for flexible delegation and transferability without invalidating the original policy. Through key aggregation techniques, we enable collaborative issuance, optional anonymity, and multi-party governance. The experimental evaluation in a real textit{testbed} demonstrates that the verification of this embedded authorization incurs a fixed and predictable cost—higher than that of rule lookups, but constant regardless of network size, rule growth, or concurrency. This balance eliminates the burden of distributing and maintaining large rule tables while ensuring granular per-flow authorization, privacy preservation, and interoperability between providers. The proposal materializes a Zero Trust model resistant to impersonation, replay, and lateral attacks, and lays the groundwork for future optimizations through the progressive incorporation of post-quantum primitives.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Massive Internet of Things (IoT) deployments expose networks to severe risks, as a single compromised device can facilitate lateral movements across the entire infrastructure. Traditional firewalls, based on static rules, are fragile, difficult to synchronize across domains, and poorly suited for Zero Trust principles. In this work, we propose a scalable authorization architecture where each flow carries a cryptographically protected textit{token} that incorporates a signed and immutable policy, verifiable in a non-interactive manner. The textit{tokens} are issued based on attestation evidence, and the messages are reinforced using trapdoor textit{chameleon hashes}, which allows for flexible delegation and transferability without invalidating the original policy. Through key aggregation techniques, we enable collaborative issuance, optional anonymity, and multi-party governance. The experimental evaluation in a real textit{testbed} demonstrates that the verification of this embedded authorization incurs a fixed and predictable cost—higher than that of rule lookups, but constant regardless of network size, rule growth, or concurrency. This balance eliminates the burden of distributing and maintaining large rule tables while ensuring granular per-flow authorization, privacy preservation, and interoperability between providers. The proposal materializes a Zero Trust model resistant to impersonation, replay, and lateral attacks, and lays the groundwork for future optimizations through the progressive incorporation of post-quantum primitives.
Díaz-Sánchez, Daniel; Almenarez, Florina; Campo, Celeste; García-Rubio, Carlos; Sherratt, Simon
Beyond PKI: A DNSSEC Delegation Approach for Scalable Dynamic Credential Management in IoT Journal Article
In: IEEE Internet of Things Journal , 2025, ISSN: 2327-4662.
@article{danieldiaz031,
title = {Beyond PKI: A DNSSEC Delegation Approach for Scalable Dynamic Credential Management in IoT},
author = {Daniel Díaz-Sánchez and Florina Almenarez and Celeste Campo and Carlos García-Rubio and Simon Sherratt},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11130501},
doi = {https://doi.org/10.1109/JIOT.2025.3600371},
issn = {2327-4662},
year = {2025},
date = {2025-08-19},
urldate = {2025-08-19},
journal = {IEEE Internet of Things Journal },
abstract = {Internet of Things (IoT) systems that manage data across cloud, fog, and edge environments—and the devices that consume those services—face substantial challenges in confidentiality, privacy, and authentication. However, traditional Public Key Infrastructure (PKI) is too rigid and costly for massive, ephemeral IoT deployments. Moreover, device authentication is often overlooked in favor of service authentication, neglecting the security of the entire ecosystem. DNSSEC combined with DANE introduces a new paradigm in which service authentication can be managed globally, extending trust to locally generated, type-agnostic credentials. This framework can accommodate PKI certificates, self-signed credentials, and local keys, all of which can be verified by any client, local or remote. However, DNSSEC’s signature proofs grow linearly with the number of secured records, inflating communication overhead and energy consumption—an issue aggravated by the larger sizes of post-quantum signatures. Additionally, current DNSSEC delegation mechanisms lack the flexibility needed for secure load balancing and isolation. In this article, we present a collision-based DNSSEC signature-delegation mechanism designed to overcome these scalability limitations. By allowing a central DNS authority to delegate signing responsibilities to local DNS servers, our approach reduces certificate-management overhead and enables a dynamic, hierarchical trust model. It supports both service and device authentication in a unified DNS-name-based security context. Our evaluation shows that the proposed mechanism maintains a stable computational cost irrespective of credential count, a critical benefit for large-scale, resource-constrained IoT deployments. By leveraging existing DNS infrastructure and standards, this solution enhances scalability and efficiency compared to traditional PKI and DNSSEC, while promoting interoperability and ease of deployment. It also opens the adoption of future post quantum trapdoor systems still under research and development.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Internet of Things (IoT) systems that manage data across cloud, fog, and edge environments—and the devices that consume those services—face substantial challenges in confidentiality, privacy, and authentication. However, traditional Public Key Infrastructure (PKI) is too rigid and costly for massive, ephemeral IoT deployments. Moreover, device authentication is often overlooked in favor of service authentication, neglecting the security of the entire ecosystem. DNSSEC combined with DANE introduces a new paradigm in which service authentication can be managed globally, extending trust to locally generated, type-agnostic credentials. This framework can accommodate PKI certificates, self-signed credentials, and local keys, all of which can be verified by any client, local or remote. However, DNSSEC’s signature proofs grow linearly with the number of secured records, inflating communication overhead and energy consumption—an issue aggravated by the larger sizes of post-quantum signatures. Additionally, current DNSSEC delegation mechanisms lack the flexibility needed for secure load balancing and isolation. In this article, we present a collision-based DNSSEC signature-delegation mechanism designed to overcome these scalability limitations. By allowing a central DNS authority to delegate signing responsibilities to local DNS servers, our approach reduces certificate-management overhead and enables a dynamic, hierarchical trust model. It supports both service and device authentication in a unified DNS-name-based security context. Our evaluation shows that the proposed mechanism maintains a stable computational cost irrespective of credential count, a critical benefit for large-scale, resource-constrained IoT deployments. By leveraging existing DNS infrastructure and standards, this solution enhances scalability and efficiency compared to traditional PKI and DNSSEC, while promoting interoperability and ease of deployment. It also opens the adoption of future post quantum trapdoor systems still under research and development.
Suela, Julio Gento; Blanco-Romero, Javier; Almenares-Mendoza, Florina; Sánchez, Daniel Díaz
Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS Journal Article
In: 2025.
@article{javierblanco006,
title = {Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS},
author = {Julio Gento Suela and Javier Blanco-Romero and Florina Almenares-Mendoza and Daniel Díaz Sánchez },
doi = { https://doi.org/10.48550/arXiv.2507.09301},
year = {2025},
date = {2025-07-15},
urldate = {2025-07-15},
abstract = {The emergence of quantum computers poses a significant threat to current secure service, application and/or protocol implementations that rely on RSA and ECDSA algorithms, for instance DNSSEC, because public-key cryptography based on number factorization or discrete logarithm is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed and performance evaluation results reveal significant trade-offs between security and efficiency. The results indicate that while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The emergence of quantum computers poses a significant threat to current secure service, application and/or protocol implementations that rely on RSA and ECDSA algorithms, for instance DNSSEC, because public-key cryptography based on number factorization or discrete logarithm is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed and performance evaluation results reveal significant trade-offs between security and efficiency. The results indicate that while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.
Blanco-Romero, Javier; García, Pedro Otero; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Vilas, Ana Fernández; Fernández-Veiga, Manuel
Hybrid Quantum Security for IPsec Journal Article
In: pp. 23, 2025.
@article{javierblanco007,
title = {Hybrid Quantum Security for IPsec},
author = {Javier Blanco-Romero and Pedro Otero García and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernández Vilas and Manuel Fernández-Veiga},
url = {https://arxiv.org/pdf/2507.09288},
doi = {https://doi.org/10.48550/arXiv.2507.09288},
year = {2025},
date = {2025-07-12},
pages = {23},
abstract = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.
Blanco-Romero, Javier; García, Pedro Otero; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Vilas, Ana Fernández; Fernández-Veiga, Manuel
Hybrid Quantum Security for IPsec Journal Article
In: pp. 23, 2025.
@article{javierblanco007b,
title = {Hybrid Quantum Security for IPsec},
author = {Javier Blanco-Romero and Pedro Otero García and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernández Vilas and Manuel Fernández-Veiga},
url = {https://arxiv.org/pdf/2507.09288},
doi = {https://doi.org/10.48550/arXiv.2507.09288},
year = {2025},
date = {2025-07-12},
urldate = {2025-07-12},
pages = {23},
abstract = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.
Blanco-Romero, Javier; Otero-Garcia, Pedro; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Fernandez-Vilas, Ana; Diaz-Redondo, Rebeca
QKD-KEM: Hybrid QKD Integration into TLS with OpenSSL Providers Conference
2025.
@conference{javierblanco005,
title = {QKD-KEM: Hybrid QKD Integration into TLS with OpenSSL Providers},
author = {Javier Blanco-Romero and Pedro Otero-Garcia and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernandez-Vilas and Rebeca Diaz-Redondo},
doi = { https://doi.org/10.48550/arXiv.2503.07196},
year = {2025},
date = {2025-03-10},
urldate = {2025-03-10},
abstract = {Quantum Key Distribution (QKD) promises information-theoretic security, yet integrating QKD into existing protocols like TLS remains challenging due to its fundamentally different operational model. In this paper, we propose a hybrid QKD-KEM protocol with two distinct integration approaches: a client-initiated flow compatible with both ETSI 004 and 014 specifications, and a server-initiated flow similar to existing work but limited to stateless ETSI 014 APIs. Unlike previous implementations, our work specifically addresses the integration of stateful QKD key exchange protocols (ETSI 004) which is essential for production QKD networks but has remained largely unexplored. By adapting OpenSSL’s provider infrastructure to accommodate QKD’s pre-distributed key model, we maintain compatibility with current TLS implementations while offering dual layers of security. Performance evaluations demonstrate the feasibility of our hybrid scheme with acceptable overhead, showing that robust security against quantum threats is achievable while addressing the unique requirements of different QKD API specifications.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Quantum Key Distribution (QKD) promises information-theoretic security, yet integrating QKD into existing protocols like TLS remains challenging due to its fundamentally different operational model. In this paper, we propose a hybrid QKD-KEM protocol with two distinct integration approaches: a client-initiated flow compatible with both ETSI 004 and 014 specifications, and a server-initiated flow similar to existing work but limited to stateless ETSI 014 APIs. Unlike previous implementations, our work specifically addresses the integration of stateful QKD key exchange protocols (ETSI 004) which is essential for production QKD networks but has remained largely unexplored. By adapting OpenSSL’s provider infrastructure to accommodate QKD’s pre-distributed key model, we maintain compatibility with current TLS implementations while offering dual layers of security. Performance evaluations demonstrate the feasibility of our hybrid scheme with acceptable overhead, showing that robust security against quantum threats is achievable while addressing the unique requirements of different QKD API specifications.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Machine Learning Predictors for Min-Entropy Estimation Journal Article
In: Entropy 2025, vol. 27, iss. 2, no. 156, pp. 1-31, 2025.
@article{javierblanco004,
title = {Machine Learning Predictors for Min-Entropy Estimation},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
url = {https://www.mdpi.com/1099-4300/27/2/156},
doi = {https://doi.org/10.3390/e27020156},
year = {2025},
date = {2025-02-02},
urldate = {2025-02-02},
journal = {Entropy 2025},
volume = {27},
number = {156},
issue = {2},
pages = {1-31},
abstract = {This study investigates the application of machine learning predictors for the estimation of min-entropy in random number generators (RNGs), a key component in cryptographic applications where accurate entropy assessment is essential for cybersecurity. Our research indicates that these predictors, and indeed any predictor that leverages sequence correlations, primarily estimate average min-entropy, a metric not extensively studied in this context. We explore the relationship between average min-entropy and the traditional min-entropy, focusing on their dependence on the number of target bits being predicted. Using data from generalized binary autoregressive models, a subset of Markov processes, we demonstrate that machine learning models (including a hybrid of convolutional and recurrent long short-term memory layers and the transformer-based GPT-2 model) outperform traditional NIST SP 800-90B predictors in certain scenarios. Our findings underscore the importance of considering the number of target bits in min-entropy assessment for RNGs and highlight the potential of machine learning approaches in enhancing entropy estimation techniques for improved cryptographic security.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
This study investigates the application of machine learning predictors for the estimation of min-entropy in random number generators (RNGs), a key component in cryptographic applications where accurate entropy assessment is essential for cybersecurity. Our research indicates that these predictors, and indeed any predictor that leverages sequence correlations, primarily estimate average min-entropy, a metric not extensively studied in this context. We explore the relationship between average min-entropy and the traditional min-entropy, focusing on their dependence on the number of target bits being predicted. Using data from generalized binary autoregressive models, a subset of Markov processes, we demonstrate that machine learning models (including a hybrid of convolutional and recurrent long short-term memory layers and the transformer-based GPT-2 model) outperform traditional NIST SP 800-90B predictors in certain scenarios. Our findings underscore the importance of considering the number of target bits in min-entropy assessment for RNGs and highlight the potential of machine learning approaches in enhancing entropy estimation techniques for improved cryptographic security.
Pérez-Díaz, Jaime; Almenares-Mendoza, Florina
Authorisation models for IoT environments: A survey Journal Article
In: www.elsevier.com/locate/iot, 2024, ISSN: 2542-6605.
@article{almenarez018,
title = {Authorisation models for IoT environments: A survey},
author = {Jaime Pérez-Díaz and Florina Almenares-Mendoza},
url = {https://www.sciencedirect.com/science/article/pii/S2542660524003718?via%3Dihub#d1e3887},
doi = {https://doi.org/10.1016/j.iot.2024.101430},
issn = {2542-6605},
year = {2024},
date = {2024-11-23},
urldate = {2024-11-23},
journal = { www.elsevier.com/locate/iot},
abstract = {Authorization models are pivotal in the Internet of Things (IoT) ecosystem, ensuring secure management of data access and communication. These models function after authentication, determining the specific actions that a device is allowed to perform. This paper aims to provide a comprehensive and comparative analysis of authorization solutions within IoT contexts, based on the requirements identified from the existing literature. We critically assess the functionalities and capabilities of various authorization solutions, particularly those designed for IoT cloud platforms and distributed architectures. Our findings highlight the urgent need for further development of authorization models optimized for the unique demands of IoT environments. Consequently, we address both the persistent challenges and the gaps within this domain. As IoT continues to reshape the technological landscape, the refinement and adaptation of authorization models remain imperative ongoing pursuits.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Authorization models are pivotal in the Internet of Things (IoT) ecosystem, ensuring secure management of data access and communication. These models function after authentication, determining the specific actions that a device is allowed to perform. This paper aims to provide a comprehensive and comparative analysis of authorization solutions within IoT contexts, based on the requirements identified from the existing literature. We critically assess the functionalities and capabilities of various authorization solutions, particularly those designed for IoT cloud platforms and distributed architectures. Our findings highlight the urgent need for further development of authorization models optimized for the unique demands of IoT environments. Consequently, we address both the persistent challenges and the gaps within this domain. As IoT continues to reshape the technological landscape, the refinement and adaptation of authorization models remain imperative ongoing pursuits.
Lorenzo, Vicente; Blanco-Romero, Javier; Almenares, Florina; Díaz-Sánchez, Daniel; Rubio, Carlos García; Campo, Celeste; Marín, Andrés
Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments Proceedings Article
In: XVIII Reunión Española sobre Criptología y Seguridad de la Información: XVIII RECSI, León 23-25 octubre 2024, Universidad de León, Servicio de Publicaciones, 2024.
@inproceedings{vicente002,
title = {Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments},
author = {Vicente Lorenzo and Javier Blanco-Romero and Florina Almenares and Daniel Díaz-Sánchez and Carlos García Rubio and Celeste Campo and Andrés Marín},
url = {https://buleria.unileon.es/bitstream/handle/10612/24646/Comparing_Pseudo_Classical_True.pdf?sequence=1&isAllowed=y},
doi = {https://hdl.handle.net/10612/24646},
year = {2024},
date = {2024-11-05},
urldate = {2024-11-05},
booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información: XVIII RECSI, León 23-25 octubre 2024},
publisher = {Universidad de León, Servicio de Publicaciones},
abstract = {Nowadays, there exists a wide variety of Random Number Generators (RNGs). If the source of randomness is unpredictable physical phenomena, as in physical chips or quantum-based RNGs, they are called True Random Number Generators (TRNGs). If it is a deterministic mathematical algorithm, as in software-based RNGs, they are called Pseudo- Random Number Generators (PRNGs). This study evaluates and compares the quality of three Quantum RNGs, three TRNGs and three PRNGs. The comparative analysis includes NIST SP 800-22, NIST SP 800-90B entropy, Borel normality and Diehard tests, which are which are frequently used for assessing RNG quality.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Nowadays, there exists a wide variety of Random Number Generators (RNGs). If the source of randomness is unpredictable physical phenomena, as in physical chips or quantum-based RNGs, they are called True Random Number Generators (TRNGs). If it is a deterministic mathematical algorithm, as in software-based RNGs, they are called Pseudo- Random Number Generators (PRNGs). This study evaluates and compares the quality of three Quantum RNGs, three TRNGs and three PRNGs. The comparative analysis includes NIST SP 800-22, NIST SP 800-90B entropy, Borel normality and Diehard tests, which are which are frequently used for assessing RNG quality.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; and Celeste Campo,; García-Rubio, Carlos
Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols Conference
2024 IEEE Symposium on Computers and Communications (ISCC), IEEE, 2024, ISBN: 979-8-3503-5424-9.
@conference{javierblanco002,
title = {Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/abstract/document/10733716/figures#figures},
doi = {https://doi.org/10.1109/ISCC61673.2024.10733716},
isbn = {979-8-3503-5424-9},
year = {2024},
date = {2024-10-31},
urldate = {2024-10-31},
booktitle = {2024 IEEE Symposium on Computers and Communications (ISCC)},
publisher = {IEEE},
abstract = {Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Evaluating integration methods of a quantum random number generator in OpenSSL for TLS Journal Article
In: vol. 255, 2024, ISBN: 1389-1286.
@article{javierblanco003,
title = {Evaluating integration methods of a quantum random number generator in OpenSSL for TLS},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
url = {https://www.sciencedirect.com/science/article/pii/S1389128624007096?via%3Dihub},
doi = {https://doi.org/10.1016/j.comnet.2024.110877},
isbn = {1389-1286},
year = {2024},
date = {2024-10-25},
urldate = {2024-10-25},
volume = {255},
publisher = {Computer Networks},
abstract = {The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.
Callejo, Patricia; Gómez-Fernandez, Ignacio; Bagnulo, Marcelo
“Animation” URL in NFT marketplaces considered harmful for privacy Journal Article
In: International Journal of Information Security, 2024, ISSN: 1615-5270.
@article{marcelo001,
title = {“Animation” URL in NFT marketplaces considered harmful for privacy},
author = {Patricia Callejo and Ignacio Gómez-Fernandez and Marcelo Bagnulo},
doi = {https://doi.org/10.1007/s10207-024-00908-x},
issn = {1615-5270},
year = {2024},
date = {2024-09-17},
journal = {International Journal of Information Security},
abstract = {Non-Fungible Tokens (NFTs) are becoming increasingly popular as a way to represent and own digital property. However, the usage of NFTs also prompts questions about privacy. In this work, we show that it is possible to use NFTs to retrieve enough information to fingerprint users. By doing so, we can uniquely associate users with blockchain accounts. This would allow linking several blockchain accounts to the same user. This work focuses on the vulnerabilities presented by some popular NFT marketplaces. Since NFTs may have HTML files embedded, they allow the use of fingerprinting techniques if not handled carefully. Finally, we provide recommendations and countermeasures for the different actors in this ecosystem to avoid these kinds of tracking methods and, in doing so, safeguard user privacy.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Non-Fungible Tokens (NFTs) are becoming increasingly popular as a way to represent and own digital property. However, the usage of NFTs also prompts questions about privacy. In this work, we show that it is possible to use NFTs to retrieve enough information to fingerprint users. By doing so, we can uniquely associate users with blockchain accounts. This would allow linking several blockchain accounts to the same user. This work focuses on the vulnerabilities presented by some popular NFT marketplaces. Since NFTs may have HTML files embedded, they allow the use of fingerprinting techniques if not handled carefully. Finally, we provide recommendations and countermeasures for the different actors in this ecosystem to avoid these kinds of tracking methods and, in doing so, safeguard user privacy.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Proceedings Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
@inproceedings{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez },
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {https://doi.org/10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
booktitle = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel; Serrano-Navarro, Adrián
PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 396-403, Universidad de Sevilla , 2024, ISBN: 978-84-09-62140-8.
@inproceedings{javierblanco001,
title = {PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez and Adrián Serrano-Navarro},
url = {https://hdl.handle.net/11441/159179
https://idus.us.es/handle/11441/159179
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {396-403},
publisher = {Universidad de Sevilla },
abstract = {Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.
Moure-Garrido, Marta; García-Rubio, Carlos; Campo, Celeste
Reducing DNS Traffic to Enhance Home IoT Device Privacy Journal Article
In: Sensors , vol. 24, iss. 9, 2024.
@article{marta001,
title = {Reducing DNS Traffic to Enhance Home IoT Device Privacy},
author = {Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo},
url = {https://www.mdpi.com/1424-8220/24/9/2690/pdf?version=1713941333},
doi = {https://doi.org/10.3390/s24092690},
year = {2024},
date = {2024-04-24},
urldate = {2024-04-24},
journal = {Sensors },
volume = {24},
issue = {9},
publisher = {Sensors 2024},
abstract = {The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker’s ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker’s ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.