In ad hoc networks, mobile devices communicate via wireless links without any fixed infrastructur... more In ad hoc networks, mobile devices communicate via wireless links without any fixed infrastructure. These devices must be able to discover and share services dynamically. In this paper, we propose a new service discovery protocol specifically designed for this kind of networks, the pervasive discovery protocol. PDP is a fully distributed protocol that merges characteristics of both pull and push
IFIP — The International Federation for Information Processing, 2007
Dynamic open environments demand trust negotiation systems for unknown entities willing to commun... more Dynamic open environments demand trust negotiation systems for unknown entities willing to communicate. A security context has to be negotiated gradually in a fair peer to peer basis depending on the security level demanded by the application. Trust negotiation engines are driven by decision engines that lack of flexibility: depend on the implementation, policies languages or credentials types to be used. In this paper we present an agnostic engine able to combine all that information despite its origin or language allowing to select policies or requirements, credentials and resources to disclose, according to user preferences and context using iterative weighted Multidimensional Scaling to assist a mobile device during a trust negotiation.
16th International Workshop on Database and Expert Systems Applications (DEXA'05), 2005
In ubiquitous computing, the main security challenges arise from network heterogeneity and from a... more In ubiquitous computing, the main security challenges arise from network heterogeneity and from a dynamic population of nomadic users and limited devices. For these environments, security infrastructures based on traditional PKIs present a number of major drawbacks: limited scalability and reconfigurability, static vision of trust, and high administrative costs. Besides, these infrastructures are not well adapted to authorisation, and lack delegation capabilities. In this paper, we present an enhanced PKI for ubiquitous networks which solves a number of these issues by providing flexible authentication and authorisation services in disconnected environments.
In the last years, trust management has become a fundamental basis for facilitating the cooperati... more In the last years, trust management has become a fundamental basis for facilitating the cooperation between different users in peer-to-peer (P2P) multimedia applications within autonomic networks. In these networks and applications, trust management should fulfill certain requirements (i.e. decentralisation, dynamism, simplicity, interoperability, etc.) for being functional. In this paper, we propose an evolutionary model of trust management that captures dynamic
Abstract Mobile devices of new generation are able to con-nect to multiple networks and to consti... more Abstract Mobile devices of new generation are able to con-nect to multiple networks and to constitute new infrastruc-tureless networks. These dynamic environments require new security paradigms and automatic mechanisms to minimize user intervention. Our goal is the definition of a ...
Network and device heterogeneity, nomadic mobility, intermittent connectivity and, more generally... more Network and device heterogeneity, nomadic mobility, intermittent connectivity and, more generally, extremely dynamic operating conditions, are major challenges in the design of security infrastructures for pervasive computing. Yet, in a ubiquitous computing environment, limitations of traditional solutions for authentication and authorization can be overcome with a pervasive public key infrastructure (pervasive-PKI). This choice allows the validation of credentials of users roaming between heterogeneous networks, even when global connectivity is lost and some services are temporarily unreachable. Proof-of-concept implementations and testbed validation results demonstrate that strong security can be achieved for users and applications through the combination of traditional PKI services with a number of enhancements like: (i) dynamic and collaborative trust model, (ii) use of attribute certificates for privilege management, and (iii) modular architecture enabling nomadic mobility and enhanced with reconfiguration capabilities.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2011
Abstract This article focus on IPTV security and IPTV service personalization by the introduction... more Abstract This article focus on IPTV security and IPTV service personalization by the introduction of an Identity Provider as new participant in IPTV service provision that deals with authentication, user profile and device profile management. The Identity Provider, ...
2010 IEEE Global Telecommunications Conference GLOBECOM 2010, 2010
With the rapid evolution of networks and the widespread penetration of mobile devices with increa... more With the rapid evolution of networks and the widespread penetration of mobile devices with increasing capabilities, that have already become a commodity, we are getting a step closer to ubiquity. Thus, we are moving a great part of our lives from the physical world to the online world, i.e. social interactions, business transactions, relations with government administrations, etc. However, while identity verification is easy to handle in the real world, there are many unsolved challenges when dealing with digital identity management, especially due to the lack of user awareness when it comes to privacy. Thus, with the aim to enhance the navigation experience and security in multiservice and multiprovider environments the user must be empowered to control how her attributes are shared and disclosed between different domains. With these goals on mind, we leverage the benefits of the Infocard technology and introduce this usercentric paradigm into the emerging NGN architectures. This paper proposes a way to combine the gains of a SAML federation between service and identity providers with the easiness for the final user of the Inforcard System using the well known architectural schema of IP Multimedia Subsystem.
ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 19(4), Jul 1997
A formal refinement calculus targeted at system-level descriptions in the IEEE standard hardware ... more A formal refinement calculus targeted at system-level descriptions in the IEEE standard hardware description language VHDL is described here. Refinement can be used to develop hardware description code that is ``correct by construction."
The calculus is closely related to a Hoare-style programming logic for VHDL and real-time systems in general. That logic and a semantics for a core subset of VHDL are described.The programming logic and the associated refinement calculus are shown to be complete. This means that if there is a code that can be shown to implement a given specification, then it will be derivable from the specification via the calculus.
2010 IEEE Global Telecommunications Conference GLOBECOM 2010, 2010
With the rapid evolution of networks and the widespread penetration of mobile devices with increa... more With the rapid evolution of networks and the widespread penetration of mobile devices with increasing capabilities, that have already become a commodity, we are getting a step closer to ubiquity. Thus, we are moving a great part of our lives from the physical world to the online world, i.e. social interactions, business transactions, relations with government administrations, etc. However, while identity verification is easy to handle in the real world, there are many unsolved challenges when dealing with digital identity management, especially due to the lack of user awareness when it comes to privacy. Thus, with the aim to enhance the navigation experience and security in multiservice and multiprovider environments the user must be empowered to control how her attributes are shared and disclosed between different domains. With these goals on mind, we leverage the benefits of the Infocard technology and introduce this usercentric paradigm into the emerging NGN architectures. This paper proposes a way to combine the gains of a SAML federation between service and identity providers with the easiness for the final user of the Inforcard System using the well known architectural schema of IP Multimedia Subsystem.
Credential-based authorization offers interesting advantages for ubiquitous scenarios involving l... more Credential-based authorization offers interesting advantages for ubiquitous scenarios involving limited devices such as sensors and personal mobile equipment: the verification can be done locally; it offers a more reduced computational cost than its competitors for issuing, storing, and verification; and it naturally supports rights delegation. The main drawback is the revocation of rights. Revocation requires handling potentially large revocation lists, or using protocols to check the revocation status, bringing extra communication costs not acceptable for sensors and other limited devices. Moreover, the effective revocation consent-considered as a privacy rule in sensitive scenarios-has not been fully addressed. This paper proposes an event-based mechanism empowering a new concept, the sleepyhead credentials, which allows to substitute time constraints and explicit revocation by activating and deactivating authorization rights according to events. Our approach is to integrate this concept in IdM systems in a hybrid model supporting delegation, which can be an interesting alternative for scenarios where revocation of consent and user privacy are critical. The delegation includes a SAML compliant protocol, which we have validated through a proof-of-concept implementation. This article also explains the mathematical model describing the event-based model and offers estimations of the overhead introduced by the system. The paper focus on health care scenarios, where we show the flexibility of the proposed event-based user consent revocation mechanism.
ABSTRACT Secure wireless communications are fundamental in any interaction in order to avoid secu... more ABSTRACT Secure wireless communications are fundamental in any interaction in order to avoid security and privacy breaches, especially from mobile devices. The use of this kind of communications is far more frequent and the number of users increases day after day. This paper shows and analyzes the support, performance and consumption of cryptographic algorithms and cipher suites in terms of time and energy when secure communications (i.e., using SSL) are established according to different security levels. This study has been performed in distinct operating systems, and using different browsers and libraries.
Proceedings of the Eighth Euromicro Workshop on Real-Time Systems, 1996
Page 1. A Formal Method for Specification and Refinement of Rea Systems Peter T. Breuer, Nativida... more Page 1. A Formal Method for Specification and Refinement of Rea Systems Peter T. Breuer, Natividad Martinez Madrid Luis Sbnchez, Andres Marin and Carlos Delgado Kloos Departamento de Ingenieria de Sistemas Telemiiticos ...
2011 4th Joint IFIP Wireless and Mobile Networking Conference (WMNC 2011), 2011
The increasing popularity of broadband Internet and the widespread penetration of full-featured m... more The increasing popularity of broadband Internet and the widespread penetration of full-featured mobile devices have signaled WiMAX importance. IEEE 802.16 standard has focused on security from the beginning, being security support a fundamental aspect in wireless communication. We have found some limitations concerning authentication and authorization mechanisms at user level. To overcome those limitations we consider necessary to provide a proper identity management support for WiMAX for enhancing users' experience whereas delivering services in a secure fashion. In this article we analyze several weaknesses and vulnerabilities in WiMAX security and propose the introduction of identity management in WiMAX for a better provision of secure personalized services.
2012 IEEE Second International Conference on Consumer Electronics - Berlin (ICCE-Berlin), 2012
ABSTRACT Privacy rules imposed by social networks (SNs) impose several restrictions to user priva... more ABSTRACT Privacy rules imposed by social networks (SNs) impose several restrictions to user privacy. Though they usually offer the user some control to limit access to his own data, the social network may share uploaded data with other partners and marketing companies. Pictures and videos may have a second life, even after being deleted by the user, and consequently storage and access must take place in the user home domain or facilities managed by the user, following an end to end approach. We propose to combine the usage of private clouds, specialized in media contents, in cooperation with SNs, offering the user complete control over his data, while benefiting from the SNs visibility to announce and spread the data. To achieve transparency, we propose a plug-in system to embed links as annotations in reduced media replacement uploaded in the SN. These links point to the real resource stored in the private cloud, now under complete user control. We perform validation tests which show important improvements in uploading time and user experience.
2011 4th Joint IFIP Wireless and Mobile Networking Conference (WMNC 2011), 2011
Multimedia availability is exceeding our capacity of management in home environment and outside i... more Multimedia availability is exceeding our capacity of management in home environment and outside it. For that reason, solutions as Media Cloud have brought the concept of Cloud Computing to home environments. Media Cloud provides a comprehensive and efficient solution for managing content among federated home environments. However, when consuming those contents outside a home environment some problems should be addressed as dealing with limited devices and protecting user generated and commercial contents from eavesdroppers. This article describes a solution that enables limited devices to access contents located in private clouds, as Media Cloud, with the cooperation of network providers.
Nowadays we can perform business transactions with remote servers interconnected to Internet usin... more Nowadays we can perform business transactions with remote servers interconnected to Internet using our personal devices. These transactions can also be possible without any infrastructure in pure adhoc networks. In both cases, interacting parts are often unknown, therefore, they require some mechanism to establish ad-hoc trust relationships and perform secure transactions. Operating systems for mobile platforms support secure communication and authentication, but this support is based on hierarchical PKI. For wireless communications, they use the (in)secure protocol WEP. This paper presents a WCE security enhanced architecture allowing secure transactions, mutual authentication, and access control based on dynamic management of the trusted certificate list. We have successfully implemented our own CSP to support the new certificate management and data ciphering.
2011 IEEE International Conference on Consumer Electronics (ICCE), 2011
... Regarding security, OAuth [4] allows users to share their private resources stored in one dev... more ... Regarding security, OAuth [4] allows users to share their private resources stored in one device with others in a secure way without having to hand out usernames and passwords. ... The module is composed by a Content Server, an OAuth module and an Access Control System. ...
2008 Second International Conference on Electrical Engineering, 2008
In this paper we present a system to enable pay-per- view services in mobile handhelds which take... more In this paper we present a system to enable pay-per- view services in mobile handhelds which takes benefits of both DVB-H and UMTS networks. DVB-H infrastructure provides a more appropriate content delivery framework that UMTS. Despite this fact, UMTS can play an important role for charging and key distribution for pay-per-view applications by means of the provider SIM smart card.
In ad hoc networks, mobile devices communicate via wireless links without any fixed infrastructur... more In ad hoc networks, mobile devices communicate via wireless links without any fixed infrastructure. These devices must be able to discover and share services dynamically. In this paper, we propose a new service discovery protocol specifically designed for this kind of networks, the pervasive discovery protocol. PDP is a fully distributed protocol that merges characteristics of both pull and push
IFIP — The International Federation for Information Processing, 2007
Dynamic open environments demand trust negotiation systems for unknown entities willing to commun... more Dynamic open environments demand trust negotiation systems for unknown entities willing to communicate. A security context has to be negotiated gradually in a fair peer to peer basis depending on the security level demanded by the application. Trust negotiation engines are driven by decision engines that lack of flexibility: depend on the implementation, policies languages or credentials types to be used. In this paper we present an agnostic engine able to combine all that information despite its origin or language allowing to select policies or requirements, credentials and resources to disclose, according to user preferences and context using iterative weighted Multidimensional Scaling to assist a mobile device during a trust negotiation.
16th International Workshop on Database and Expert Systems Applications (DEXA'05), 2005
In ubiquitous computing, the main security challenges arise from network heterogeneity and from a... more In ubiquitous computing, the main security challenges arise from network heterogeneity and from a dynamic population of nomadic users and limited devices. For these environments, security infrastructures based on traditional PKIs present a number of major drawbacks: limited scalability and reconfigurability, static vision of trust, and high administrative costs. Besides, these infrastructures are not well adapted to authorisation, and lack delegation capabilities. In this paper, we present an enhanced PKI for ubiquitous networks which solves a number of these issues by providing flexible authentication and authorisation services in disconnected environments.
In the last years, trust management has become a fundamental basis for facilitating the cooperati... more In the last years, trust management has become a fundamental basis for facilitating the cooperation between different users in peer-to-peer (P2P) multimedia applications within autonomic networks. In these networks and applications, trust management should fulfill certain requirements (i.e. decentralisation, dynamism, simplicity, interoperability, etc.) for being functional. In this paper, we propose an evolutionary model of trust management that captures dynamic
Abstract Mobile devices of new generation are able to con-nect to multiple networks and to consti... more Abstract Mobile devices of new generation are able to con-nect to multiple networks and to constitute new infrastruc-tureless networks. These dynamic environments require new security paradigms and automatic mechanisms to minimize user intervention. Our goal is the definition of a ...
Network and device heterogeneity, nomadic mobility, intermittent connectivity and, more generally... more Network and device heterogeneity, nomadic mobility, intermittent connectivity and, more generally, extremely dynamic operating conditions, are major challenges in the design of security infrastructures for pervasive computing. Yet, in a ubiquitous computing environment, limitations of traditional solutions for authentication and authorization can be overcome with a pervasive public key infrastructure (pervasive-PKI). This choice allows the validation of credentials of users roaming between heterogeneous networks, even when global connectivity is lost and some services are temporarily unreachable. Proof-of-concept implementations and testbed validation results demonstrate that strong security can be achieved for users and applications through the combination of traditional PKI services with a number of enhancements like: (i) dynamic and collaborative trust model, (ii) use of attribute certificates for privilege management, and (iii) modular architecture enabling nomadic mobility and enhanced with reconfiguration capabilities.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2011
Abstract This article focus on IPTV security and IPTV service personalization by the introduction... more Abstract This article focus on IPTV security and IPTV service personalization by the introduction of an Identity Provider as new participant in IPTV service provision that deals with authentication, user profile and device profile management. The Identity Provider, ...
2010 IEEE Global Telecommunications Conference GLOBECOM 2010, 2010
With the rapid evolution of networks and the widespread penetration of mobile devices with increa... more With the rapid evolution of networks and the widespread penetration of mobile devices with increasing capabilities, that have already become a commodity, we are getting a step closer to ubiquity. Thus, we are moving a great part of our lives from the physical world to the online world, i.e. social interactions, business transactions, relations with government administrations, etc. However, while identity verification is easy to handle in the real world, there are many unsolved challenges when dealing with digital identity management, especially due to the lack of user awareness when it comes to privacy. Thus, with the aim to enhance the navigation experience and security in multiservice and multiprovider environments the user must be empowered to control how her attributes are shared and disclosed between different domains. With these goals on mind, we leverage the benefits of the Infocard technology and introduce this usercentric paradigm into the emerging NGN architectures. This paper proposes a way to combine the gains of a SAML federation between service and identity providers with the easiness for the final user of the Inforcard System using the well known architectural schema of IP Multimedia Subsystem.
ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 19(4), Jul 1997
A formal refinement calculus targeted at system-level descriptions in the IEEE standard hardware ... more A formal refinement calculus targeted at system-level descriptions in the IEEE standard hardware description language VHDL is described here. Refinement can be used to develop hardware description code that is ``correct by construction."
The calculus is closely related to a Hoare-style programming logic for VHDL and real-time systems in general. That logic and a semantics for a core subset of VHDL are described.The programming logic and the associated refinement calculus are shown to be complete. This means that if there is a code that can be shown to implement a given specification, then it will be derivable from the specification via the calculus.
2010 IEEE Global Telecommunications Conference GLOBECOM 2010, 2010
With the rapid evolution of networks and the widespread penetration of mobile devices with increa... more With the rapid evolution of networks and the widespread penetration of mobile devices with increasing capabilities, that have already become a commodity, we are getting a step closer to ubiquity. Thus, we are moving a great part of our lives from the physical world to the online world, i.e. social interactions, business transactions, relations with government administrations, etc. However, while identity verification is easy to handle in the real world, there are many unsolved challenges when dealing with digital identity management, especially due to the lack of user awareness when it comes to privacy. Thus, with the aim to enhance the navigation experience and security in multiservice and multiprovider environments the user must be empowered to control how her attributes are shared and disclosed between different domains. With these goals on mind, we leverage the benefits of the Infocard technology and introduce this usercentric paradigm into the emerging NGN architectures. This paper proposes a way to combine the gains of a SAML federation between service and identity providers with the easiness for the final user of the Inforcard System using the well known architectural schema of IP Multimedia Subsystem.
Credential-based authorization offers interesting advantages for ubiquitous scenarios involving l... more Credential-based authorization offers interesting advantages for ubiquitous scenarios involving limited devices such as sensors and personal mobile equipment: the verification can be done locally; it offers a more reduced computational cost than its competitors for issuing, storing, and verification; and it naturally supports rights delegation. The main drawback is the revocation of rights. Revocation requires handling potentially large revocation lists, or using protocols to check the revocation status, bringing extra communication costs not acceptable for sensors and other limited devices. Moreover, the effective revocation consent-considered as a privacy rule in sensitive scenarios-has not been fully addressed. This paper proposes an event-based mechanism empowering a new concept, the sleepyhead credentials, which allows to substitute time constraints and explicit revocation by activating and deactivating authorization rights according to events. Our approach is to integrate this concept in IdM systems in a hybrid model supporting delegation, which can be an interesting alternative for scenarios where revocation of consent and user privacy are critical. The delegation includes a SAML compliant protocol, which we have validated through a proof-of-concept implementation. This article also explains the mathematical model describing the event-based model and offers estimations of the overhead introduced by the system. The paper focus on health care scenarios, where we show the flexibility of the proposed event-based user consent revocation mechanism.
ABSTRACT Secure wireless communications are fundamental in any interaction in order to avoid secu... more ABSTRACT Secure wireless communications are fundamental in any interaction in order to avoid security and privacy breaches, especially from mobile devices. The use of this kind of communications is far more frequent and the number of users increases day after day. This paper shows and analyzes the support, performance and consumption of cryptographic algorithms and cipher suites in terms of time and energy when secure communications (i.e., using SSL) are established according to different security levels. This study has been performed in distinct operating systems, and using different browsers and libraries.
Proceedings of the Eighth Euromicro Workshop on Real-Time Systems, 1996
Page 1. A Formal Method for Specification and Refinement of Rea Systems Peter T. Breuer, Nativida... more Page 1. A Formal Method for Specification and Refinement of Rea Systems Peter T. Breuer, Natividad Martinez Madrid Luis Sbnchez, Andres Marin and Carlos Delgado Kloos Departamento de Ingenieria de Sistemas Telemiiticos ...
2011 4th Joint IFIP Wireless and Mobile Networking Conference (WMNC 2011), 2011
The increasing popularity of broadband Internet and the widespread penetration of full-featured m... more The increasing popularity of broadband Internet and the widespread penetration of full-featured mobile devices have signaled WiMAX importance. IEEE 802.16 standard has focused on security from the beginning, being security support a fundamental aspect in wireless communication. We have found some limitations concerning authentication and authorization mechanisms at user level. To overcome those limitations we consider necessary to provide a proper identity management support for WiMAX for enhancing users' experience whereas delivering services in a secure fashion. In this article we analyze several weaknesses and vulnerabilities in WiMAX security and propose the introduction of identity management in WiMAX for a better provision of secure personalized services.
2012 IEEE Second International Conference on Consumer Electronics - Berlin (ICCE-Berlin), 2012
ABSTRACT Privacy rules imposed by social networks (SNs) impose several restrictions to user priva... more ABSTRACT Privacy rules imposed by social networks (SNs) impose several restrictions to user privacy. Though they usually offer the user some control to limit access to his own data, the social network may share uploaded data with other partners and marketing companies. Pictures and videos may have a second life, even after being deleted by the user, and consequently storage and access must take place in the user home domain or facilities managed by the user, following an end to end approach. We propose to combine the usage of private clouds, specialized in media contents, in cooperation with SNs, offering the user complete control over his data, while benefiting from the SNs visibility to announce and spread the data. To achieve transparency, we propose a plug-in system to embed links as annotations in reduced media replacement uploaded in the SN. These links point to the real resource stored in the private cloud, now under complete user control. We perform validation tests which show important improvements in uploading time and user experience.
2011 4th Joint IFIP Wireless and Mobile Networking Conference (WMNC 2011), 2011
Multimedia availability is exceeding our capacity of management in home environment and outside i... more Multimedia availability is exceeding our capacity of management in home environment and outside it. For that reason, solutions as Media Cloud have brought the concept of Cloud Computing to home environments. Media Cloud provides a comprehensive and efficient solution for managing content among federated home environments. However, when consuming those contents outside a home environment some problems should be addressed as dealing with limited devices and protecting user generated and commercial contents from eavesdroppers. This article describes a solution that enables limited devices to access contents located in private clouds, as Media Cloud, with the cooperation of network providers.
Nowadays we can perform business transactions with remote servers interconnected to Internet usin... more Nowadays we can perform business transactions with remote servers interconnected to Internet using our personal devices. These transactions can also be possible without any infrastructure in pure adhoc networks. In both cases, interacting parts are often unknown, therefore, they require some mechanism to establish ad-hoc trust relationships and perform secure transactions. Operating systems for mobile platforms support secure communication and authentication, but this support is based on hierarchical PKI. For wireless communications, they use the (in)secure protocol WEP. This paper presents a WCE security enhanced architecture allowing secure transactions, mutual authentication, and access control based on dynamic management of the trusted certificate list. We have successfully implemented our own CSP to support the new certificate management and data ciphering.
2011 IEEE International Conference on Consumer Electronics (ICCE), 2011
... Regarding security, OAuth [4] allows users to share their private resources stored in one dev... more ... Regarding security, OAuth [4] allows users to share their private resources stored in one device with others in a secure way without having to hand out usernames and passwords. ... The module is composed by a Content Server, an OAuth module and an Access Control System. ...
2008 Second International Conference on Electrical Engineering, 2008
In this paper we present a system to enable pay-per- view services in mobile handhelds which take... more In this paper we present a system to enable pay-per- view services in mobile handhelds which takes benefits of both DVB-H and UMTS networks. DVB-H infrastructure provides a more appropriate content delivery framework that UMTS. Despite this fact, UMTS can play an important role for charging and key distribution for pay-per-view applications by means of the provider SIM smart card.
Uploads
Papers by Andres Marin
The calculus is closely related to a Hoare-style programming logic for VHDL and real-time systems in general. That logic and a semantics for a core subset of VHDL are described.The programming logic and the associated refinement calculus are shown to be complete. This means that if there is a code that can be shown to implement a given specification, then it will be derivable from the specification via the calculus.
The calculus is closely related to a Hoare-style programming logic for VHDL and real-time systems in general. That logic and a semantics for a core subset of VHDL are described.The programming logic and the associated refinement calculus are shown to be complete. This means that if there is a code that can be shown to implement a given specification, then it will be derivable from the specification via the calculus.