Publications - Pervasive Computing Laboratory

Access control anotacionsemantica authentication Cloud computing coap compromise cryptography cynamon Discovery emadrid emrisco home network I-Shaper identity management inrisco Internet of Things IoT magos Pervasive computing Post-Quantum Cryptography privacy Protocols Qursa Ramones raudo2 Security Smart Card Trust management Ubisec VANETs 
Show all
2025
 Díaz-Sánchez, Daniel;  Almenarez, Florina;  Campo, Celeste;  García-Rubio, Carlos;  Sherratt, Simon
Beyond PKI: A DNSSEC Delegation Approach for Scalable Dynamic Credential Management in IoT Journal Article 
In: IEEE Internet of Things Journal , 2025, ISSN: 2327-4662.
Abstract | Links | BibTeX | Tags: authentication, Discovery, I-Shaper, Ramones, Security, signature delegation, TLS
@article{danieldiaz031,

title = {Beyond PKI: A DNSSEC Delegation Approach for Scalable Dynamic Credential Management in IoT},

author = {Daniel Díaz-Sánchez and Florina Almenarez and Celeste Campo and Carlos García-Rubio and Simon Sherratt},

url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11130501},

doi = {https://doi.org/10.1109/JIOT.2025.3600371},

issn = {2327-4662},

year  = {2025},

date = {2025-08-19},

urldate = {2025-08-19},

journal = {IEEE Internet of Things Journal },

abstract = {Internet of Things (IoT) systems that manage data across cloud, fog, and edge environments—and the devices that consume those services—face substantial challenges in confidentiality, privacy, and authentication. However, traditional Public Key Infrastructure (PKI) is too rigid and costly for massive, ephemeral IoT deployments. Moreover, device authentication is often overlooked in favor of service authentication, neglecting the security of the entire ecosystem. DNSSEC combined with DANE introduces a new paradigm in which service authentication can be managed globally, extending trust to locally generated, type-agnostic credentials. This framework can accommodate PKI certificates, self-signed credentials, and local keys, all of which can be verified by any client, local or remote. However, DNSSEC’s signature proofs grow linearly with the number of secured records, inflating communication overhead and energy consumption—an issue aggravated by the larger sizes of post-quantum signatures. Additionally, current DNSSEC delegation mechanisms lack the flexibility needed for secure load balancing and isolation. In this article, we present a collision-based DNSSEC signature-delegation mechanism designed to overcome these scalability limitations. By allowing a central DNS authority to delegate signing responsibilities to local DNS servers, our approach reduces certificate-management overhead and enables a dynamic, hierarchical trust model. It supports both service and device authentication in a unified DNS-name-based security context. Our evaluation shows that the proposed mechanism maintains a stable computational cost irrespective of credential count, a critical benefit for large-scale, resource-constrained IoT deployments. By leveraging existing DNS infrastructure and standards, this solution enhances scalability and efficiency compared to traditional PKI and DNSSEC, while promoting interoperability and ease of deployment. It also opens the adoption of future post quantum trapdoor systems still under research and development.},

keywords = {authentication, Discovery, I-Shaper, Ramones, Security, signature delegation, TLS},

pubstate = {published},

tppubtype = {article}

}

Close
Internet of Things (IoT) systems that manage data across cloud, fog, and edge environments—and the devices that consume those services—face substantial challenges in confidentiality, privacy, and authentication. However, traditional Public Key Infrastructure (PKI) is too rigid and costly for massive, ephemeral IoT deployments. Moreover, device authentication is often overlooked in favor of service authentication, neglecting the security of the entire ecosystem. DNSSEC combined with DANE introduces a new paradigm in which service authentication can be managed globally, extending trust to locally generated, type-agnostic credentials. This framework can accommodate PKI certificates, self-signed credentials, and local keys, all of which can be verified by any client, local or remote. However, DNSSEC’s signature proofs grow linearly with the number of secured records, inflating communication overhead and energy consumption—an issue aggravated by the larger sizes of post-quantum signatures. Additionally, current DNSSEC delegation mechanisms lack the flexibility needed for secure load balancing and isolation. In this article, we present a collision-based DNSSEC signature-delegation mechanism designed to overcome these scalability limitations. By allowing a central DNS authority to delegate signing responsibilities to local DNS servers, our approach reduces certificate-management overhead and enables a dynamic, hierarchical trust model. It supports both service and device authentication in a unified DNS-name-based security context. Our evaluation shows that the proposed mechanism maintains a stable computational cost irrespective of credential count, a critical benefit for large-scale, resource-constrained IoT deployments. By leveraging existing DNS infrastructure and standards, this solution enhances scalability and efficiency compared to traditional PKI and DNSSEC, while promoting interoperability and ease of deployment. It also opens the adoption of future post quantum trapdoor systems still under research and development.
Close
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11130501
doi:https://doi.org/10.1109/JIOT.2025.3600371
Close
 Blanco-Romero, Javier;  Otero-Garcia, Pedro;  Sobral-Blanco, Daniel;  Almenares-Mendoza, Florina;  Fernandez-Vilas, Ana;  Diaz-Redondo, Rebeca
QKD-KEM: Hybrid QKD Integration into TLS with OpenSSL Providers Conference 
2025.
Abstract | Links | BibTeX | Tags: I-Shaper, OpenSSL, Post-Quantum Cryptography, PQC, QKD, Qursa, TLS
@conference{javierblanco005,

title = {QKD-KEM: Hybrid QKD Integration into TLS with OpenSSL Providers},

author = {Javier Blanco-Romero and Pedro Otero-Garcia and Daniel Sobral-Blanco and Florina Almenares-Mendoza and Ana Fernandez-Vilas and Rebeca Diaz-Redondo},

doi = { https://doi.org/10.48550/arXiv.2503.07196},

year  = {2025},

date = {2025-03-10},

urldate = {2025-03-10},

abstract = {Quantum Key Distribution (QKD) promises information-theoretic security, yet integrating QKD into existing protocols like TLS remains challenging due to its fundamentally different operational model. In this paper, we propose a hybrid QKD-KEM protocol with two distinct integration approaches: a client-initiated flow compatible with both ETSI 004 and 014 specifications, and a server-initiated flow similar to existing work but limited to stateless ETSI 014 APIs. Unlike previous implementations, our work specifically addresses the integration of stateful QKD key exchange protocols (ETSI 004) which is essential for production QKD networks but has remained largely unexplored. By adapting OpenSSL’s provider infrastructure to accommodate QKD’s pre-distributed key model, we maintain compatibility with current TLS implementations while offering dual layers of security. Performance evaluations demonstrate the feasibility of our hybrid scheme with acceptable overhead, showing that robust security against quantum threats is achievable while addressing the unique requirements of different QKD API specifications.},

keywords = {I-Shaper, OpenSSL, Post-Quantum Cryptography, PQC, QKD, Qursa, TLS},

pubstate = {published},

tppubtype = {conference}

}

Close
Quantum Key Distribution (QKD) promises information-theoretic security, yet integrating QKD into existing protocols like TLS remains challenging due to its fundamentally different operational model. In this paper, we propose a hybrid QKD-KEM protocol with two distinct integration approaches: a client-initiated flow compatible with both ETSI 004 and 014 specifications, and a server-initiated flow similar to existing work but limited to stateless ETSI 014 APIs. Unlike previous implementations, our work specifically addresses the integration of stateful QKD key exchange protocols (ETSI 004) which is essential for production QKD networks but has remained largely unexplored. By adapting OpenSSL’s provider infrastructure to accommodate QKD’s pre-distributed key model, we maintain compatibility with current TLS implementations while offering dual layers of security. Performance evaluations demonstrate the feasibility of our hybrid scheme with acceptable overhead, showing that robust security against quantum threats is achievable while addressing the unique requirements of different QKD API specifications.
Close
doi: https://doi.org/10.48550/arXiv.2503.07196
Close
2024
 Blanco-Romero, Javier;  Lorenzo, Vicente;  Almenares, Florina;  Díaz-Sánchez, Daniel;  García-Rubio, Carlos;  Campo, Celeste;  Marín, Andrés
Evaluating integration methods of a quantum random number generator in OpenSSL for TLS Journal Article 
In: vol. 255, 2024, ISBN: 1389-1286.
Abstract | Links | BibTeX | Tags: compromise, I-Shaper, Linux, OpenSSL, QRNGs, Quantum random number generators, Qursa, TLS
@article{javierblanco003,

title = {Evaluating integration methods of a quantum random number generator in OpenSSL for TLS},

author = {Javier Blanco-Romero and Vicente Lorenzo and Florina Almenares and Daniel Díaz-Sánchez and Carlos García-Rubio and Celeste Campo and Andrés Marín},

url = {https://www.sciencedirect.com/science/article/pii/S1389128624007096?via%3Dihub},

doi = {https://doi.org/10.1016/j.comnet.2024.110877},

isbn = {1389-1286},

year  = {2024},

date = {2024-10-25},

urldate = {2024-10-25},

volume = {255},

publisher = {Computer Networks},

abstract = {The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.},

keywords = {compromise, I-Shaper, Linux, OpenSSL, QRNGs, Quantum random number generators, Qursa, TLS},

pubstate = {published},

tppubtype = {article}

}

Close
The rapid advancement of quantum computing poses a significant threat to conventional cryptography. Whilst post-quantum cryptography (PQC) stands as the prevailing trend for fortifying the security of cryptographic systems, the coexistence of quantum and classical computing paradigms presents an opportunity to leverage the strengths of both technologies, for instance, nowadays the use of Quantum Random Number Generators (QRNGs) – considered as True Random Number Generators (TRNGs) – opens up the possibility of discussing hybrid systems. In this paper, we evaluate both aspects, on the one hand, we use hybrid TLS (Transport Layer Security) protocol that leverages the widely used secure protocol on the Internet and integrates PQC algorithms, and, on the other hand, we evaluate two approaches to integrate a QRNG, i.e., Quantis PCIe-240M, in OpenSSL 3.0 to be used by TLS. Both approaches are compared through a Nginx Web server, that uses OpenSSL’s implementation of TLS 1.3 for secure web communication. Our findings highlight the importance of optimizing such integration method, because while direct integration can lead to performance penalties specific to the method and hardware used, alternative methods demonstrate the potential for efficient QRNG deployment in cryptographic systems.
Close
https://www.sciencedirect.com/science/article/pii/S1389128624007096?via%3Dihub
doi:https://doi.org/10.1016/j.comnet.2024.110877
Close
2019
 Díaz-Sánchez, Daniel;  Marín-López, Andrés;  Almenárez-Mendoza, Florina;  Arias-Cabarcos, Patricia;  Simon-Sherratt, R.
TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications Journal Article 
In: IEEE Communications Surveys and Tutorials, vol. 21, iss. 4, pp. 3502-3531, 2019, ISSN: 1553-877X.
Abstract | Links | BibTeX | Tags: authentication, certificate pinning, cynamon, DTLS, Internet of Things, Machine to Machine, magos, PKI, Protocols, TLS, Trusted Third Party, Tutorials
@article{8704893,

title = {TLS/PKI Challenges and Certificate Pinning Techniques for IoT and M2M Secure Communications},

author = {Daniel Díaz-Sánchez and Andrés Marín-López and Florina Almenárez-Mendoza and Patricia Arias-Cabarcos and R. Simon-Sherratt},

url = {https://doi.org/10.1109/COMST.2019.2914453

https://ieeexplore.ieee.org/document/8704893

https://phpmyadmin.pervasive.it.uc3m.es/download/TLC-PKI-challenges-certificate-pinning.pdf},

doi = {10.1109/COMST.2019.2914453},

issn = {1553-877X},

year  = {2019},

date = {2019-05-02},

urldate = {2019-05-02},

journal = {IEEE Communications Surveys and Tutorials},

volume = {21},

issue = {4},

pages = {3502-3531},

abstract = {Transport layer security (TLS) is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on public key infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, this paper provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current certificate pinning solutions in order to illustrate the potential problems that should be addressed.},

keywords = {authentication, certificate pinning, cynamon, DTLS, Internet of Things, Machine to Machine, magos, PKI, Protocols, TLS, Trusted Third Party, Tutorials},

pubstate = {published},

tppubtype = {article}

}

Close
Transport layer security (TLS) is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on public key infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, this paper provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current certificate pinning solutions in order to illustrate the potential problems that should be addressed.
Close
https://doi.org/10.1109/COMST.2019.2914453
https://ieeexplore.ieee.org/document/8704893
https://phpmyadmin.pervasive.it.uc3m.es/download/TLC-PKI-challenges-certificate-[...]
doi:10.1109/COMST.2019.2914453
Close