QURSA
QURSA - Arquitecturas y técnicas resistentes a computación cuántica: Seguridad post-cuántica
AGENCIA ESTATAL DE INVESTIGACION (AEI)
(Ref. TED2021-130369B-C32)
12/ 2022
--
11/ 2024
The QURSA project addresses the design and proof of concept of an architecture and algorithms for quantum key distribution (QKD) over complex networks, and their integration with the classical Internet core and distribution infrastructures by means of an improved post-processing layer. For achieving an effective, seamless integration and maximize the adoption of quantum-based physical security across a diverse range of domains, we also propose to develop a novel bridge QKD endpoints, i.e., a set of physical equipment, part of the QKD network themselves, but located near the network edge to which end-users (individuals or firms) can bring their own devices to download and take away secure uncorrelated keys generated and distributed through the QKD network. As a complement, we propose the use of truly random quantum-generated keys as sources for the first general implementation of post-quantum cryptographic (PQC) signing and encryption algorithms. These PQ techniques are presently at the final stages of the standardization started by NIST in 2016, and the resulting PQC primitives will thus be embedded into the universal Internet carrier and signaling protocols (e.g., TLS/DTLS, HTTP, DNSSEC) guaranteeing security for network applications and their pervasive traffic. With this approach, the reach of quantum-safe security is stretched out to the bulk of Internet traffic by means of an evolutionary roadmap.
QURSA will adopt the well-known design principles of software-defined networking (SDN) for separation of the control, data and management planes of the QKD network, as the emerging technical standards in this field issued by ETSI and IETF-ITU advocate. The proposed proof of concept to bind together and test all the technical challenges in the project will be a pilot for demonstrating and testing the hybridization of quantum-based and quantum-safe communications on a managed open network, since in addition to the benefits of making QKD usable as a service, it showcases most of the features that will be faced in this research agenda: the creation and management of ultra-secure channels, the engineering of the composite quantum-classical network, an instantiation of quantum-safe Internet protocols, and a flexible distributed management system based on SDN principles. In addition to our equipment and background, we have engaged CESGA, CCN and INCIBE for supporting us in building and testing a feasible pilot."
Publications
Llano-Miraval, Juan Diego; Campo, Celeste; García-Rubio, Carlos; Moure-Garrido, Marta
AI Versus IoT Security: Fingerprinting and Defenses Against TLS Handshake-Based IoT Device Classification Journal Article
In: IEEE Access, vol. 13, pp. 165607 - 165622, 2025, ISSN: 2169-3536.
@article{juandiego001,
title = {AI Versus IoT Security: Fingerprinting and Defenses Against TLS Handshake-Based IoT Device Classification},
author = {Juan Diego Llano-Miraval and Celeste Campo and Carlos García-Rubio and Marta Moure-Garrido},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11168239},
doi = {https://doi.org/10.1109/ACCESS.2025.3611160},
issn = {2169-3536},
year = {2025},
date = {2025-09-17},
urldate = {2025-09-17},
journal = {IEEE Access},
volume = {13},
pages = {165607 - 165622},
abstract = {The number of Internet of Things (IoT) devices in smart homes is steadily increasing, enhancing convenience but also raising security concerns. While secure communication protocols like Transport Layer Security (TLS) are commonly used, attackers can still exploit metadata to profile users and identify vulnerabilities. This research focuses on analyzing the TLS handshake, where encryption parameters are established. Although newer versions of TLS aim to encrypt the Server Name Indication (SNI), we observed that some devices in real-world environments still transmit SNI in plaintext, potentially exposing device identities. Given this practical variability in SNI transmission among diverse IoT devices, we conducted two parallel studies, one including the SNI and one without it, while avoiding Media Access Control (MAC) and Internet Protocol (IP) addresses due to their inherent variability and privacy implications. We used TLS handshake parameters as input for machine learning algorithms to fingerprint IoT devices, classify them by type, and identify manufacturers. Six machine learning models were evaluated: Support Vector Machine (SVM), a multi-layer perceptron (MLP), Random Forest (RF), Convolutional Neural Network (CNN), XGBoost, and CNN+RF. The results showed that CNN+RF achieved the highest accuracy, reaching 99% for device type classification. However, our proposed countermeasure, which enhances TLS handshake privacy by obfuscating specific parameters, significantly reduced fingerprinting accuracy to a maximum of 80% when SNI was excluded. These findings highlight the potential risks of TLS metadata exposure and demonstrate the effectiveness of privacy-enhancing countermeasures in mitigating IoT device fingerprinting attacks.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The number of Internet of Things (IoT) devices in smart homes is steadily increasing, enhancing convenience but also raising security concerns. While secure communication protocols like Transport Layer Security (TLS) are commonly used, attackers can still exploit metadata to profile users and identify vulnerabilities. This research focuses on analyzing the TLS handshake, where encryption parameters are established. Although newer versions of TLS aim to encrypt the Server Name Indication (SNI), we observed that some devices in real-world environments still transmit SNI in plaintext, potentially exposing device identities. Given this practical variability in SNI transmission among diverse IoT devices, we conducted two parallel studies, one including the SNI and one without it, while avoiding Media Access Control (MAC) and Internet Protocol (IP) addresses due to their inherent variability and privacy implications. We used TLS handshake parameters as input for machine learning algorithms to fingerprint IoT devices, classify them by type, and identify manufacturers. Six machine learning models were evaluated: Support Vector Machine (SVM), a multi-layer perceptron (MLP), Random Forest (RF), Convolutional Neural Network (CNN), XGBoost, and CNN+RF. The results showed that CNN+RF achieved the highest accuracy, reaching 99% for device type classification. However, our proposed countermeasure, which enhances TLS handshake privacy by obfuscating specific parameters, significantly reduced fingerprinting accuracy to a maximum of 80% when SNI was excluded. These findings highlight the potential risks of TLS metadata exposure and demonstrate the effectiveness of privacy-enhancing countermeasures in mitigating IoT device fingerprinting attacks.
Díaz-Sánchez, Daniel; Campo, Celeste; García-Rubio, Carlos
Zero‑Trust Token Authorization with Trapdoor Hashes for Scalable Distributed Firewalls Journal Article
In: pp. 18, 2025.
@article{danieldiaz030,
title = {Zero‑Trust Token Authorization with Trapdoor Hashes for Scalable Distributed Firewalls},
author = {Daniel Díaz-Sánchez and Celeste Campo and Carlos García-Rubio },
url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5313600},
doi = {http://dx.doi.org/10.2139/ssrn.5313600},
year = {2025},
date = {2025-08-31},
urldate = {2025-08-31},
pages = {18},
abstract = {Massive Internet of Things (IoT) deployments expose networks to severe risks, as a single compromised device can facilitate lateral movements across the entire infrastructure. Traditional firewalls, based on static rules, are fragile, difficult to synchronize across domains, and poorly suited for Zero Trust principles. In this work, we propose a scalable authorization architecture where each flow carries a cryptographically protected textit{token} that incorporates a signed and immutable policy, verifiable in a non-interactive manner. The textit{tokens} are issued based on attestation evidence, and the messages are reinforced using trapdoor textit{chameleon hashes}, which allows for flexible delegation and transferability without invalidating the original policy. Through key aggregation techniques, we enable collaborative issuance, optional anonymity, and multi-party governance. The experimental evaluation in a real textit{testbed} demonstrates that the verification of this embedded authorization incurs a fixed and predictable cost—higher than that of rule lookups, but constant regardless of network size, rule growth, or concurrency. This balance eliminates the burden of distributing and maintaining large rule tables while ensuring granular per-flow authorization, privacy preservation, and interoperability between providers. The proposal materializes a Zero Trust model resistant to impersonation, replay, and lateral attacks, and lays the groundwork for future optimizations through the progressive incorporation of post-quantum primitives.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Massive Internet of Things (IoT) deployments expose networks to severe risks, as a single compromised device can facilitate lateral movements across the entire infrastructure. Traditional firewalls, based on static rules, are fragile, difficult to synchronize across domains, and poorly suited for Zero Trust principles. In this work, we propose a scalable authorization architecture where each flow carries a cryptographically protected textit{token} that incorporates a signed and immutable policy, verifiable in a non-interactive manner. The textit{tokens} are issued based on attestation evidence, and the messages are reinforced using trapdoor textit{chameleon hashes}, which allows for flexible delegation and transferability without invalidating the original policy. Through key aggregation techniques, we enable collaborative issuance, optional anonymity, and multi-party governance. The experimental evaluation in a real textit{testbed} demonstrates that the verification of this embedded authorization incurs a fixed and predictable cost—higher than that of rule lookups, but constant regardless of network size, rule growth, or concurrency. This balance eliminates the burden of distributing and maintaining large rule tables while ensuring granular per-flow authorization, privacy preservation, and interoperability between providers. The proposal materializes a Zero Trust model resistant to impersonation, replay, and lateral attacks, and lays the groundwork for future optimizations through the progressive incorporation of post-quantum primitives.
Suela, Julio Gento; Blanco-Romero, Javier; Almenares-Mendoza, Florina; Sánchez, Daniel Díaz
Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS Journal Article
In: 2025.
@article{javierblanco006,
title = {Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS},
author = {Julio Gento Suela and Javier Blanco-Romero and Florina Almenares-Mendoza and Daniel Díaz Sánchez },
doi = { https://doi.org/10.48550/arXiv.2507.09301},
year = {2025},
date = {2025-07-15},
urldate = {2025-07-15},
abstract = {The emergence of quantum computers poses a significant threat to current secure service, application and/or protocol implementations that rely on RSA and ECDSA algorithms, for instance DNSSEC, because public-key cryptography based on number factorization or discrete logarithm is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed and performance evaluation results reveal significant trade-offs between security and efficiency. The results indicate that while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The emergence of quantum computers poses a significant threat to current secure service, application and/or protocol implementations that rely on RSA and ECDSA algorithms, for instance DNSSEC, because public-key cryptography based on number factorization or discrete logarithm is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed and performance evaluation results reveal significant trade-offs between security and efficiency. The results indicate that while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.
Blanco-Romero, Javier; García, Pedro Otero; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Vilas, Ana Fernández; Fernández-Veiga, Manuel
Hybrid Quantum Security for IPsec Journal Article
In: pp. 23, 2025.
@article{javierblanco007,
title = {Hybrid Quantum Security for IPsec},
author = {Javier Blanco-Romero and Pedro Otero García and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernández Vilas and Manuel Fernández-Veiga},
url = {https://arxiv.org/pdf/2507.09288},
doi = {https://doi.org/10.48550/arXiv.2507.09288},
year = {2025},
date = {2025-07-12},
pages = {23},
abstract = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.
Blanco-Romero, Javier; García, Pedro Otero; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Vilas, Ana Fernández; Fernández-Veiga, Manuel
Hybrid Quantum Security for IPsec Journal Article
In: pp. 23, 2025.
@article{javierblanco007b,
title = {Hybrid Quantum Security for IPsec},
author = {Javier Blanco-Romero and Pedro Otero García and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernández Vilas and Manuel Fernández-Veiga},
url = {https://arxiv.org/pdf/2507.09288},
doi = {https://doi.org/10.48550/arXiv.2507.09288},
year = {2025},
date = {2025-07-12},
urldate = {2025-07-12},
pages = {23},
abstract = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.
Blanco-Romero, Javier; Otero-Garcia, Pedro; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Fernandez-Vilas, Ana; Diaz-Redondo, Rebeca
QKD-KEM: Hybrid QKD Integration into TLS with OpenSSL Providers Conference
2025.
@conference{javierblanco005,
title = {QKD-KEM: Hybrid QKD Integration into TLS with OpenSSL Providers},
author = {Javier Blanco-Romero and Pedro Otero-Garcia and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernandez-Vilas and Rebeca Diaz-Redondo},
doi = { https://doi.org/10.48550/arXiv.2503.07196},
year = {2025},
date = {2025-03-10},
urldate = {2025-03-10},
abstract = {Quantum Key Distribution (QKD) promises information-theoretic security, yet integrating QKD into existing protocols like TLS remains challenging due to its fundamentally different operational model. In this paper, we propose a hybrid QKD-KEM protocol with two distinct integration approaches: a client-initiated flow compatible with both ETSI 004 and 014 specifications, and a server-initiated flow similar to existing work but limited to stateless ETSI 014 APIs. Unlike previous implementations, our work specifically addresses the integration of stateful QKD key exchange protocols (ETSI 004) which is essential for production QKD networks but has remained largely unexplored. By adapting OpenSSL’s provider infrastructure to accommodate QKD’s pre-distributed key model, we maintain compatibility with current TLS implementations while offering dual layers of security. Performance evaluations demonstrate the feasibility of our hybrid scheme with acceptable overhead, showing that robust security against quantum threats is achievable while addressing the unique requirements of different QKD API specifications.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Quantum Key Distribution (QKD) promises information-theoretic security, yet integrating QKD into existing protocols like TLS remains challenging due to its fundamentally different operational model. In this paper, we propose a hybrid QKD-KEM protocol with two distinct integration approaches: a client-initiated flow compatible with both ETSI 004 and 014 specifications, and a server-initiated flow similar to existing work but limited to stateless ETSI 014 APIs. Unlike previous implementations, our work specifically addresses the integration of stateful QKD key exchange protocols (ETSI 004) which is essential for production QKD networks but has remained largely unexplored. By adapting OpenSSL’s provider infrastructure to accommodate QKD’s pre-distributed key model, we maintain compatibility with current TLS implementations while offering dual layers of security. Performance evaluations demonstrate the feasibility of our hybrid scheme with acceptable overhead, showing that robust security against quantum threats is achievable while addressing the unique requirements of different QKD API specifications.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Machine Learning Predictors for Min-Entropy Estimation Journal Article
In: Entropy 2025, vol. 27, iss. 2, no. 156, pp. 1-31, 2025.
@article{javierblanco004,
title = {Machine Learning Predictors for Min-Entropy Estimation},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez},
url = {https://www.mdpi.com/1099-4300/27/2/156},
doi = {https://doi.org/10.3390/e27020156},
year = {2025},
date = {2025-02-02},
urldate = {2025-02-02},
journal = {Entropy 2025},
volume = {27},
number = {156},
issue = {2},
pages = {1-31},
abstract = {This study investigates the application of machine learning predictors for the estimation of min-entropy in random number generators (RNGs), a key component in cryptographic applications where accurate entropy assessment is essential for cybersecurity. Our research indicates that these predictors, and indeed any predictor that leverages sequence correlations, primarily estimate average min-entropy, a metric not extensively studied in this context. We explore the relationship between average min-entropy and the traditional min-entropy, focusing on their dependence on the number of target bits being predicted. Using data from generalized binary autoregressive models, a subset of Markov processes, we demonstrate that machine learning models (including a hybrid of convolutional and recurrent long short-term memory layers and the transformer-based GPT-2 model) outperform traditional NIST SP 800-90B predictors in certain scenarios. Our findings underscore the importance of considering the number of target bits in min-entropy assessment for RNGs and highlight the potential of machine learning approaches in enhancing entropy estimation techniques for improved cryptographic security.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
This study investigates the application of machine learning predictors for the estimation of min-entropy in random number generators (RNGs), a key component in cryptographic applications where accurate entropy assessment is essential for cybersecurity. Our research indicates that these predictors, and indeed any predictor that leverages sequence correlations, primarily estimate average min-entropy, a metric not extensively studied in this context. We explore the relationship between average min-entropy and the traditional min-entropy, focusing on their dependence on the number of target bits being predicted. Using data from generalized binary autoregressive models, a subset of Markov processes, we demonstrate that machine learning models (including a hybrid of convolutional and recurrent long short-term memory layers and the transformer-based GPT-2 model) outperform traditional NIST SP 800-90B predictors in certain scenarios. Our findings underscore the importance of considering the number of target bits in min-entropy assessment for RNGs and highlight the potential of machine learning approaches in enhancing entropy estimation techniques for improved cryptographic security.
Gutiérrez-Portela, Fernando; Almenares-Mendoza, Florina; Calderón-Benavides, Liliana
Evaluation of the performance of unsupervised learning algorithms for intrusion detection in unbalanced data environments Proceedings Article
In: IEEE, 2024, ISSN: 2169-3536.
@inproceedings{almenarez019,
title = {Evaluation of the performance of unsupervised learning algorithms for intrusion detection in unbalanced data environments},
author = {Fernando Gutiérrez-Portela and Florina Almenares-Mendoza and Liliana Calderón-Benavides},
url = {https://ieeexplore.ieee.org/document/10794744},
doi = {10.1109/ACCESS.2024.3516615},
issn = {2169-3536},
year = {2024},
date = {2024-12-12},
urldate = {2024-12-12},
publisher = {IEEE},
abstract = {In this study, the performance of different unsupervised machine learning algorithms used for intrusion detection within unbalanced data environments were analyzed; these algorithms included the K-means++ algorithm, density-based spatial clustering of applications with noise (DBSCAN), local outlier factor (LOF), and isolation forest (I-forest) using the BoT–IoT dataset. Performance metrics such as purity, homogeneity_score, completeness_score, v_measure_score, and adjusted_mutual_info_score were used to evaluate the effectiveness of algorithms in detecting various types of attacks such as distributed denial of service (DDoS), denial of service (DoS), and reconnaissance. Similarly, different methods were used for the automatic selection of the optimal number of clusters such as the elbow method, silhouette coefficient, Calinski–Harabasz index, and Davies–Bouldin index. Moreover, principal component analysis (PCA) was used to explain data variance and the influence of variables on intrusion detection. Results revealed that the K-means algorithm achieved 95% purity as well as 95% and 99% prediction accuracies for normal and abnormal data, respectively. The I-forest algorithm achieved 95% purity as well as 99% and 90% prediction accuracies for normal and abnormal data in a balanced dataset, respectively. These findings indicated that I-forest exhibited a low central processing unit (CPU) consumption rate of 10% on balanced data, outperforming DBSCAN, K-Means++, and LOF, with 16% consumption rates.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In this study, the performance of different unsupervised machine learning algorithms used for intrusion detection within unbalanced data environments were analyzed; these algorithms included the K-means++ algorithm, density-based spatial clustering of applications with noise (DBSCAN), local outlier factor (LOF), and isolation forest (I-forest) using the BoT–IoT dataset. Performance metrics such as purity, homogeneity_score, completeness_score, v_measure_score, and adjusted_mutual_info_score were used to evaluate the effectiveness of algorithms in detecting various types of attacks such as distributed denial of service (DDoS), denial of service (DoS), and reconnaissance. Similarly, different methods were used for the automatic selection of the optimal number of clusters such as the elbow method, silhouette coefficient, Calinski–Harabasz index, and Davies–Bouldin index. Moreover, principal component analysis (PCA) was used to explain data variance and the influence of variables on intrusion detection. Results revealed that the K-means algorithm achieved 95% purity as well as 95% and 99% prediction accuracies for normal and abnormal data, respectively. The I-forest algorithm achieved 95% purity as well as 99% and 90% prediction accuracies for normal and abnormal data in a balanced dataset, respectively. These findings indicated that I-forest exhibited a low central processing unit (CPU) consumption rate of 10% on balanced data, outperforming DBSCAN, K-Means++, and LOF, with 16% consumption rates.
Pérez-Díaz, Jaime; Almenares-Mendoza, Florina
Authorisation models for IoT environments: A survey Journal Article
In: www.elsevier.com/locate/iot, 2024, ISSN: 2542-6605.
@article{almenarez018,
title = {Authorisation models for IoT environments: A survey},
author = {Jaime Pérez-Díaz and Florina Almenares-Mendoza},
url = {https://www.sciencedirect.com/science/article/pii/S2542660524003718?via%3Dihub#d1e3887},
doi = {https://doi.org/10.1016/j.iot.2024.101430},
issn = {2542-6605},
year = {2024},
date = {2024-11-23},
urldate = {2024-11-23},
journal = { www.elsevier.com/locate/iot},
abstract = {Authorization models are pivotal in the Internet of Things (IoT) ecosystem, ensuring secure management of data access and communication. These models function after authentication, determining the specific actions that a device is allowed to perform. This paper aims to provide a comprehensive and comparative analysis of authorization solutions within IoT contexts, based on the requirements identified from the existing literature. We critically assess the functionalities and capabilities of various authorization solutions, particularly those designed for IoT cloud platforms and distributed architectures. Our findings highlight the urgent need for further development of authorization models optimized for the unique demands of IoT environments. Consequently, we address both the persistent challenges and the gaps within this domain. As IoT continues to reshape the technological landscape, the refinement and adaptation of authorization models remain imperative ongoing pursuits.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Authorization models are pivotal in the Internet of Things (IoT) ecosystem, ensuring secure management of data access and communication. These models function after authentication, determining the specific actions that a device is allowed to perform. This paper aims to provide a comprehensive and comparative analysis of authorization solutions within IoT contexts, based on the requirements identified from the existing literature. We critically assess the functionalities and capabilities of various authorization solutions, particularly those designed for IoT cloud platforms and distributed architectures. Our findings highlight the urgent need for further development of authorization models optimized for the unique demands of IoT environments. Consequently, we address both the persistent challenges and the gaps within this domain. As IoT continues to reshape the technological landscape, the refinement and adaptation of authorization models remain imperative ongoing pursuits.
Lorenzo, Vicente; Blanco-Romero, Javier; Almenares, Florina; Díaz-Sánchez, Daniel; Rubio, Carlos García; Campo, Celeste; Marín, Andrés
Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments Proceedings Article
In: XVIII Reunión Española sobre Criptología y Seguridad de la Información: XVIII RECSI, León 23-25 octubre 2024, Universidad de León, Servicio de Publicaciones, 2024.
@inproceedings{vicente002,
title = {Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments},
author = {Vicente Lorenzo and Javier Blanco-Romero and Florina Almenares and Daniel Díaz-Sánchez and Carlos García Rubio and Celeste Campo and Andrés Marín},
url = {https://buleria.unileon.es/bitstream/handle/10612/24646/Comparing_Pseudo_Classical_True.pdf?sequence=1&isAllowed=y},
doi = {https://hdl.handle.net/10612/24646},
year = {2024},
date = {2024-11-05},
urldate = {2024-11-05},
booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información: XVIII RECSI, León 23-25 octubre 2024},
publisher = {Universidad de León, Servicio de Publicaciones},
abstract = {Nowadays, there exists a wide variety of Random Number Generators (RNGs). If the source of randomness is unpredictable physical phenomena, as in physical chips or quantum-based RNGs, they are called True Random Number Generators (TRNGs). If it is a deterministic mathematical algorithm, as in software-based RNGs, they are called Pseudo- Random Number Generators (PRNGs). This study evaluates and compares the quality of three Quantum RNGs, three TRNGs and three PRNGs. The comparative analysis includes NIST SP 800-22, NIST SP 800-90B entropy, Borel normality and Diehard tests, which are which are frequently used for assessing RNG quality.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Nowadays, there exists a wide variety of Random Number Generators (RNGs). If the source of randomness is unpredictable physical phenomena, as in physical chips or quantum-based RNGs, they are called True Random Number Generators (TRNGs). If it is a deterministic mathematical algorithm, as in software-based RNGs, they are called Pseudo- Random Number Generators (PRNGs). This study evaluates and compares the quality of three Quantum RNGs, three TRNGs and three PRNGs. The comparative analysis includes NIST SP 800-22, NIST SP 800-90B entropy, Borel normality and Diehard tests, which are which are frequently used for assessing RNG quality.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; and Celeste Campo,; García-Rubio, Carlos
Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols Conference
2024 IEEE Symposium on Computers and Communications (ISCC), IEEE, 2024, ISBN: 979-8-3503-5424-9.
@conference{javierblanco002,
title = {Integrating Post-Quantum Cryptography into CoAP and MQTT-SN Protocols},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/abstract/document/10733716/figures#figures},
doi = {https://doi.org/10.1109/ISCC61673.2024.10733716},
isbn = {979-8-3503-5424-9},
year = {2024},
date = {2024-10-31},
urldate = {2024-10-31},
booktitle = {2024 IEEE Symposium on Computers and Communications (ISCC)},
publisher = {IEEE},
abstract = {Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Post-Quantum Cryptography (PQC) is a practical and cost-effective solution to defend against emerging quantum computing threats. So, leading worldwide security agencies and standardization bodies strongly advocate for the proactive integration of PQ cryptography into underlying frameworks to support applications, protocols, and services. The current research predominantly addresses the incorporation of PQC in Internet communication protocols such as HTTP and DNS; nevertheless, the focus on embedded devices has been limited to evaluating PQC’s integration within TLS/DTLS in isolation. Hence, there is a notable gap in understanding how PQC impacts IoT-specific communication protocols. This paper presents the integration of PQC into two communication protocols specifically tailored for IoT devices, the Constrained Application Protocol (CoAP) and MQTT for Sensor Networks (MQTT-SN), via the wolfSSL library. These two integrations contribute to the understanding of PQC’s implications for IoT communication protocols.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Evaluating integration methods of a quantum random number generator in OpenSSL for TLS Journal Article
In: vol. 255, 2024, ISBN: 1389-1286.
@article{javierblanco003,
title = {Evaluating integration methods of a quantum random number generator in OpenSSL for TLS},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
url = {https://www.sciencedirect.com/science/article/pii/S1389128624007096?via%3Dihub},
doi = {https://doi.org/10.1016/j.comnet.2024.110877},
isbn = {1389-1286},
year = {2024},
date = {2024-10-25},
urldate = {2024-10-25},
volume = {255},
publisher = {Computer Networks},
abstract = {The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.
Lorenzo, Vicente; Blanco-Romero, Javier; Almenares, Florina; Díaz-Sánchez, Daniel; García-Rubio, Carlos; Campo, Celeste; Marín, Andrés
Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments Conference
XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024., 2024.
@conference{nokey,
title = {Comparing Pseudo, Classical True and Quantum Random Number Generators Using Standard Quality Assessments},
author = {Vicente Lorenzo and Javier Blanco-Romero and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},
year = {2024},
date = {2024-10-25},
urldate = {2024-10-25},
booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Pérez-Díaz, J.; Almenares, Florina
Integración de un sistema de autenticación optimizado basado en PUF en OSCORE Conference
XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024., 2024.
@conference{nokey,
title = { Integración de un sistema de autenticación optimizado basado en PUF en OSCORE},
author = {J. Pérez-Díaz and Florina Almenares },
year = {2024},
date = {2024-10-25},
urldate = {2024-10-25},
booktitle = {XVIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2024), León, 23 al 25 de Octubre, 2024.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Moure-Garrido, Marta; Das, Sajal; Campo, Celeste; García-Rubio, Carlos
Real-Time Analysis of Encrypted DNS Traffic for Threat Detection Conference
ICC 2024 - IEEE International Conference on Communications, IEEE, 2024, ISSN: 1550-3607.
@conference{marta003,
title = {Real-Time Analysis of Encrypted DNS Traffic for Threat Detection},
author = {Marta Moure-Garrido and Sajal Das and Celeste Campo and Carlos García-Rubio},
url = {https://ieeexplore.ieee.org/document/10622347},
doi = {https://doi.org/10.1109/ICC51166.2024.10622347},
issn = {1550-3607},
year = {2024},
date = {2024-08-20},
booktitle = {ICC 2024 - IEEE International Conference on Communications},
pages = {3292-3297},
publisher = {IEEE},
abstract = {Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Domain Name System (DNS) tunneling is a well-known cyber-attack that allows data exfiltration - the attackers exploit this tunnel to extract sensitive information from the system. Advanced Persistent Threat (APT) attackers encapsulate malicious traffic in a DNS connection to elude security mechanisms such as Intrusion Detection System (IDS). Although different techniques have been implemented to detect these targeted attacks, their rise induces a threat to Cyber-Physical Systems (CPS). The DNS over HTTPS (DoH) tunnel detection is a challenge because the encrypted data prevents an analysis of DNS traffic content. In this paper, we present a novel detection system that identifies malicious DoH tunnels in real time. We study the normal traffic pattern and based on that, we define a profile. The objective of this system is to detect malicious activity on the system as early as possible through a lightweight packet by packet analysis based on a real-time IDS classifier. This system is evaluated on three available data sets and the results obtained are compared with a machine learning technique. We demonstrate that the identification of anomalous activity, in particular DoH tunnels, is possible by analyzing different traffic features.
Campo-Vázquez, Celeste; García-Rubio, Carlos; Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel
Inferring mobile applications usage from DNS traffic Proceedings Article
In: Ad Hoc Networks, Elsevier B.V., 2024.
@inproceedings{campo012,
title = {Inferring mobile applications usage from DNS traffic},
author = {Celeste Campo-Vázquez and Carlos García-Rubio and Andrea Jimenez-Berenguel and Marta Moure-Garrido and Florina Almenares-Mendoza and Daniel Díaz-Sánchez },
url = {https://www.sciencedirect.com/science/article/pii/S1570870524002129#d1e710},
doi = {https://doi.org/10.1016/j.adhoc.2024.103601},
year = {2024},
date = {2024-07-19},
urldate = {2024-07-19},
booktitle = {Ad Hoc Networks},
publisher = {Elsevier B.V.},
abstract = {In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In the digital era, our lives are intrinsically linked to the daily use of mobile applications. As a consequence, we generate and transmit a large amount of personal data that puts our privacy in danger. Despite having encrypted communications, the DNS traffic is usually not encrypted, and it is possible to extract valuable information from the traffic generated by mobile applications. This study focuses on the analysis of the DNS traffic behavior found in mobile application traces, developing a methodology capable of identifying mobile applications based on the domains they query. With this methodology, we were able to identify apps with 98% accuracy. Furthermore, we have validated the effectiveness of the characterization obtained with one dataset by identifying traces from other independent datasets. The evaluation showed that the methodology provides successful results in identifying mobile applications.
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; García-Rubio, Carlos; Campo-Vázquez, Celeste
Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 506-507, Universidad de Sevilla, 2024, ISBN: 978-84-09-62140-8.
@inproceedings{andrea001,
title = {Caracterización de aplicaciones móviles mediante el análisis del tráfico DNS},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo-Vázquez},
url = {https://idus.us.es/handle/11441/159179
https://dialnet.unirioja.es/servlet/articulo?codigo=9633499
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {506-507},
publisher = {Universidad de Sevilla},
abstract = {La privacidad del usuario sigue siendo vulnerable cuando se utilizan protocolos de comunicación cifrados, como HTTPS, cuando las consultas DNS se envían en texto claro a través del puerto UDP 53 (Do53). En este estudio, demostramos la posibilidad de caracterizar una aplicación móvil que utiliza un usuario basándonos en su tráfico Do53. Mediante el análisis de un conjunto de datos de tráfico, formado por 80 aplicaciones móviles Android, podemos identificar la aplicación que se está utilizando basándonos en sus consultas DNS con una precisión del 88,75 %. Aunque los sistemas operativos modernos, incluido Android desde la versión 9.0, admiten el tráfico DNS cifrado, esta función no está activada por defecto y depende del soporte del proveedor de DNS. Además, incluso cuando el tráfico DNS está cifrado, el proveedor de servicios DNS sigue teniendo acceso a nuestras consultas y podría extraer información de ellas.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
La privacidad del usuario sigue siendo vulnerable cuando se utilizan protocolos de comunicación cifrados, como HTTPS, cuando las consultas DNS se envían en texto claro a través del puerto UDP 53 (Do53). En este estudio, demostramos la posibilidad de caracterizar una aplicación móvil que utiliza un usuario basándonos en su tráfico Do53. Mediante el análisis de un conjunto de datos de tráfico, formado por 80 aplicaciones móviles Android, podemos identificar la aplicación que se está utilizando basándonos en sus consultas DNS con una precisión del 88,75 %. Aunque los sistemas operativos modernos, incluido Android desde la versión 9.0, admiten el tráfico DNS cifrado, esta función no está activada por defecto y depende del soporte del proveedor de DNS. Además, incluso cuando el tráfico DNS está cifrado, el proveedor de servicios DNS sigue teniendo acceso a nuestras consultas y podría extraer información de ellas.
Blanco-Romero, Javier; Lorenzo, Vicente; Almenares-Mendoza, Florina; Díaz-Sánchez, Daniel; Serrano-Navarro, Adrián
PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications Proceedings Article
In: IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024, pp. 396-403, Universidad de Sevilla , 2024, ISBN: 978-84-09-62140-8.
@inproceedings{javierblanco001,
title = {PQSec-DDS: Integrating Post-Quantum Cryptography into DDS Security for Robotic Applications},
author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares-Mendoza and Daniel Díaz-Sánchez and Adrián Serrano-Navarro},
url = {https://hdl.handle.net/11441/159179
https://idus.us.es/handle/11441/159179
https://idus.us.es/bitstream/handle/11441/159179/ActasJNIC24%20%282%20ed%29.pdf?sequence=4&isAllowed=y},
isbn = {978-84-09-62140-8},
year = {2024},
date = {2024-05-28},
urldate = {2024-05-28},
booktitle = {IX Jornadas Nacionales de Investigación en Ciberseguridad - JNIC 2024},
pages = {396-403},
publisher = {Universidad de Sevilla },
abstract = {Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Leading cybersecurity agencies and standardization bodies have globally emphasized the critical need to transition towards Post-Quantum Cryptography (PQC) to defend against
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.
emerging quantum computing threats. They advocate PQC as a practical and cost-effective solution for security systems nowadays. Nevertheless, emerging technologies such as industrial systems, e.g., autonomous vehicles, air traffic management, diagnostic imaging machines, etc., and robotics systems, e.g., ROS2 (Robotic Operating System), have not started their evolution to enhance crypto-agility and security robustness. Some of these emerging technologies use the Data Distribution Service (DDS)
standard as the underlying communication middleware protocol. DDS is a distributed publish-subscribe system that allows sending and receiving data by publishing and subscribing to topics across a network of connected nodes. However, DDS’s security is based on traditional symmetric and asymmetric cryptography, which is vulnerable to quantum computing attacks. To address this issue, we propose the integration of PQC into DDS, through the development of a C/C++ library, called pqsec-dds, which can be integrated across different DDS implementations such as CycloneDDS or OpenDDS. A proof-of-concept demonstrates the viability of our approach in enhancing the security and cryptoagility of DDS-based systems.
Moure-Garrido, Marta; García-Rubio, Carlos; Campo, Celeste
Reducing DNS Traffic to Enhance Home IoT Device Privacy Journal Article
In: Sensors , vol. 24, iss. 9, 2024.
@article{marta001,
title = {Reducing DNS Traffic to Enhance Home IoT Device Privacy},
author = {Marta Moure-Garrido and Carlos García-Rubio and Celeste Campo},
url = {https://www.mdpi.com/1424-8220/24/9/2690/pdf?version=1713941333},
doi = {https://doi.org/10.3390/s24092690},
year = {2024},
date = {2024-04-24},
urldate = {2024-04-24},
journal = {Sensors },
volume = {24},
issue = {9},
publisher = {Sensors 2024},
abstract = {The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker’s ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker’s ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.
Lorenzo, Vicente; Blanco, Francisco Javier
Comparative Analysis of Quantum, Pseudo, and Hybrid Random Number Generation Conference
XVII Jornadas CCN-STIC CCN-CERT / V Jornadas de Ciberdefensa ESPDEF-CERT, 2023.
@conference{vicente001,
title = {Comparative Analysis of Quantum, Pseudo, and Hybrid Random Number Generation},
author = {Vicente Lorenzo and Francisco Javier Blanco},
year = {2023},
date = {2023-11-29},
urldate = {2023-11-29},
booktitle = {XVII Jornadas CCN-STIC CCN-CERT / V Jornadas de Ciberdefensa ESPDEF-CERT},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
Jimenez-Berenguel, Andrea; Moure-Garrido, Marta; Campo-Vázquez, Carlos García-Rubio Celeste
Characterizing Mobile Applications Through Analysis of DNS Traffic Conference
PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks., ACM, 2023, ISBN: N 979-8-4007-0370-6.
@conference{campo013,
title = {Characterizing Mobile Applications Through Analysis of DNS Traffic},
author = {Andrea Jimenez-Berenguel and Marta Moure-Garrido and Carlos García-Rubio Celeste Campo-Vázquez},
doi = {https://doi.org/10.1145/3616394.3618268},
isbn = {N 979-8-4007-0370-6},
year = {2023},
date = {2023-10-30},
urldate = {2023-10-30},
booktitle = {PE-WASUN '23: Proceedings of the Int'l ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor & Ubiquitous Networks.},
pages = {69-76},
publisher = {ACM},
abstract = {User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}
User privacy may remain vulnerable when using encrypted communication protocols, such as HTTPS, if DNS queries are sent in cleartext over UDP port 53 (Do53). In this study, we demonstrate the possibility of characterizing the mobile application a user is using based on its Do53 traffic. By analyzing a dataset of traffic captured from 80 Android mobile apps, we can identify the app being used based on its DNS queries with an accuracy of 88.75%. While modern operating systems, including Android since version 9.0, support encrypted DNS traffic, this feature is not enabled by default and relies on the DNS provider's support. Moreover, even when DNS traffic is encrypted, the DNS service provider still has access to our queries and could potentially extract information from them.
Moure-Garrido, Marta; Campo-Vázquez, Celeste; García-Rubio, Carlos
Real time detection of malicious DoH traffic using statistical analysis Journal Article
In: COMPUTER NETWORKS, vol. 234, iss. 109910, pp. 1-10, 2023, ISSN: 1389-1286.
@article{campo002,
title = {Real time detection of malicious DoH traffic using statistical analysis },
author = {Marta Moure-Garrido and Celeste Campo-Vázquez and Carlos García-Rubio},
url = {http://hdl.handle.net/10016/38151},
doi = {https://doi.org/10.1016/j.comnet.2023.109910},
issn = {1389-1286},
year = {2023},
date = {2023-10-09},
urldate = {2023-10-09},
journal = {COMPUTER NETWORKS},
volume = {234},
issue = {109910},
pages = {1-10},
abstract = {The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The DNS protocol plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. DNS over HTTPS (DoH) solves certain security problems present in the DNS protocol. However, malicious DNS tunnels, a covert way of encapsulating malicious traffic in a DNS connection, are difficult to detect because the encrypted data prevents performing an analysis of the content of the DNS traffic.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.
In this study, we introduce a real-time system for detecting malicious DoH tunnels, which is based on analyzing DoH traffic using statistical methods. Our research demonstrates that it is feasible to identify in real-time malicious traffic by analyzing specific parameters extracted from DoH traffic. In addition, we conducted statistical analysis to identify the most significant features that distinguish malicious traffic from benign traffic. Using the selected features, we achieved satisfactory results in classifying DoH traffic as either benign or malicious.