Biblio

Export results:
Author Title [ Type(Desc)] Year
Filters: First Letter Of Last Name is P  [Clear All Filters]
Book Chapter
I. Stellios, P. Kotzanikolaou, M. Psarakis, and C. Alcaraz, "Risk Assessment for IoT-Enabled Cyber-Physical Systems",
Advances in Core Computer Science-Based Technologies, Springer International Publishing, pp. 157-173, 2021. DOI More..

Abstract

Internet of Things (IoT) technologies have enabled Cyber-Physical Systems (CPS) to become fully interconnected. This connectivity however has radically changed their threat landscape. Existing risk assessment methodologies often fail to identify various attack paths that stem from the new connectivity/functionality features of IoT-enabled CPS. Even worse, due to their inherent characteristics, IoT systems are usually the weakest link in the security chain and thus many attacks utilize IoT technologies as their key enabler. In this paper we review risk assessment methodologies for IoT-enabled CPS. In addition, based on our previous work (Stellios et al. in IEEE Commun Surv Tutor 20:3453–3495, 2018, [47]) on modeling IoT-enabled cyberattacks, we present a high-level risk assessment approach, specifically suited for IoT-enabled CPS. The mail goal is to enable an assessor to identify and assess non-obvious(indirect or subliminal) attack paths introduced by IoT technologies, that usually target mission critical components of an CPS.

Conference Paper
C. Fernandez-Gago, et al., "A4Cloud Workshop: Accountability in the Cloud",
IFIP Sumer School 2015 on Privacy and Identity Management. Time for a Revolution?, vol. 476, AICT Series, Springer, pp. 61-78, 07/2016.
C. Fernandez-Gago, et al., "A4Cloud Workshop: Accountability in the Cloud",
IFIP Sumer School 2015 on Privacy and Identity Management. Time for a Revolution?, vol. 476, AICT Series, Springer, pp. 61-78, 07/2016.
J. Lopez, A. Mana, E. Pimentel, J. M. Troya, and M. I. Yague, "Access Control Infrastructure for Digital Objects",
International Conference on Information and Communications Security (ICICS’02), LNCS 2513, Springer-Verlag, pp. 399-410, December, 2002. More..

Abstract

Distributed systems usually contain objects with heterogeneous security requirements that pose important challenges on the underlying security mechanisms and especially in access control systems. Access control in distributed systems often relies on centralized security administration. Existing solutions for distributed access control do not provide the flexibility and manageability required. This paper presents the XML-based Secure Content Distribution (XSCD) infrastructure is based on the production of self-protected software objects that convey contents (software or data) and can be distributed without further security measures because they embed the access control enforcement mechanism. It also provides means for integrating Privilege Management Infrastructures (PMIs). Semantic information is used in the dynamic instantiation and semantic validation of policies. XSCD is scalable, facilitates the administration of the access control system, guarantees the secure distribution of the contents, enables semantic integration and interoperability of heterogeneous sources, solves the “originator retained control” issue and allows activities (such as payment) to be bound to the access to objects.  

PDF icon JavierLopez2002j.pdf (81.17 KB)
J. A. Onieva, R. Rios, and B. Palenciano, "Análisis y Desarrollo de un Canal Encubierto en una Red de Sensores",
XIII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2014), Universidad de Alicante, pp. 333-338, 09/2014. More..

Abstract

Continuamente aparecen nuevos estudios así como nuevos desarrollos de canales encubiertos. Como veremos, existen más de cien diseños distintos para redes de ordenadores, pero no hemos encontrado en la literatura ningún análisis, diseño e implementación de canales encubiertos sobre redes de sensores. En este artículo presentamos los resultados del diseño e implementación de un canal multitasa basado en los tiempos de monitorización sobre una red de sensores. En este proceso se han establecido las principales propiedades necesarias y, en base a ellas, se desarrolla e implementa el canal encubierto. Se describe el proceso de desarrollo y se analiza su detectabilidad.

PDF icon onieva2014.pdf (230.88 KB)
D. G. Rosado, E.. Fernandez-Medina, M.. Pattini, and J. Lopez, "Analysis of Secure Mobile Grid Systems: A systematic approach",
XVI Jornadas de Ingeniería del Software y Bases de Datos (JISBD 2011), Servizo de publicacións da Universidade da Coruña, pp. 487-491, 2011. More..

Abstract

Developing software through systematic processes is becoming more and more important due to the growing complexity of software development. It is important that the development process used integrates security aspects from the first stages at the same level as other functional and non-functional requirements. The identification of security aspects in the first stages ensures a more robust development and permits the security requirements to be perfectly coupled with the design and the rest of the system’s requirements. Systems which are based on Grid Computing are a kind of systems that have clear differentiating features in which security is a highly important aspect. Generic development processes are sometimes used to develop Grid specific systems without taking into consideration either the subjacent technological environment or the special features and particularities of these specific systems. In fact, the majority of existing Grid applications have been built without a systematic development process and are based on ad hoc developments.

PDF icon 1642.pdf (44.27 KB)
L. Pino, J. Lopez, F. Lopez, and C. Maraval, Aproximacion de Funciones mediante Redes Neuronales , pp. 209-215, Sep 1997.
F. Moyano, C. Fernandez-Gago, and J. Lopez, "Building Trust and Reputation In: A Development Framework for Trust Models Implementation",
8th International Workshop on Security and Trust Management (STM 2012), A. Jøsang, P. Samarati, and M. Petrocchi Eds., LNCS 7783, Springer, pp. 113-128, 2013. DOI More..

Abstract

During the last years, many trust and reputation models have been proposed, each one targeting different contexts and purposes, and with their own particularities. While most contributions focus on defining ever-increasing complex models, little attention has been paid to the process of building these models inside applications during their implementation. The result is that models have traditionally considered as ad-hoc and after-the-fact solutions that do not always fit with the design of the application. To overcome this, we propose an object-oriented development framework onto which it is possible to build applications that require functionalities provided by trust and reputation models. The framework is extensible and flexible enough to allow implementing an important variety of trust models. This paper presents the framework, describes its main components, and gives examples on how to use it in order to implement three different trust models.

 

PDF icon moyano2012stm.pdf (571.19 KB)
J. Lopez, R. Oppliger, and G. Pernul, "Classifying Public Key Certificates",
2nd European PKI Workshop: Research and Applications (EuroPKI’05), LNCS 3545, Springer, pp. 135-143, June, 2005. More..

Abstract

In spite of the fact that there are several companies that (try to) sell public key certificates, there is still no unified or standardized classification scheme that can be used to compare and put into perspective the various offerings. In this paper, we try to start filling this gap and propose a four-dimensional scheme that can be used to uniformly describe and classify public key certificates. The scheme distinguishes between (i) who owns a certificate, (ii) how the certificate owner is registered, (iii) on what medium the certificate (or the private key, respectively) is stored, and (iv) what type of functionality the certificate is intended to be used for. We think that using these or similar criteria to define and come up with unified or even standardized classes of public key certificate is useful and urgently needed in practice.

PDF icon JavierLopez2005a.pdf (132.5 KB)
J. A. Montenegro, J. Lopez, and R. Peralta, "Computacion Segura Multiparte Aplicada a Subastas Electrónicas",
IX Jornadas de Ingeniería Telemenatica (JITEL 2010), Octubre, 2010. More..

Abstract

La confidencialidad ha pasado de ser un requisito de seguridad a ser considerado como requisito funcional y de obligado cumplimiento e inclusión en todos los sistemas de comunicaciones. Un inconveniente que presenta las técnicas criptográficas, utilizadas para obtener la confidencialidad de la información, surge cuando varias entidades se ven forzadas a compartir información secreta para realizar tareas puntuales de colaboración, ya que las primitivas tradicionales utilizadas para conseguir la confidencialidad resultan poco flexibles. La situación ideal permitiría hacer posible dicha colaboración sin que ninguna de las partes revele la información aportada. En este escenario entra en juego la tecnología de Computación Segura Multiparte (CSM) que posibilita realizar operaciones con la información compartida sin tener que hacerla pública. Este trabajo muestra una solución CSM aplicada a una subasta electrónica que permite la realización de la subasta sin que las apuestas sean reveladas a ningún participante, incluyendo el subastador, por lo que no necesita el estableciendo de ninguna autoridad confiable. Aunque la literatura ofrece una amplia variedad de propuestas teóricas de CSM desde su creación en la década de los ochenta, no es común su aplicacion práctica en situaciones reales.

PDF icon JoseA.Montenegro2010.pdf (682.33 KB)
I. Agudo, D. Nuñez, G. Giammatteo, P. Rizomiliotis, and C. Lambrinoudakis, "Cryptography Goes to the Cloud",
1st International Workshop on Security and Trust for Applications in Virtualised Environments (STAVE 2011), C. Lee, J-M. Seigneur, J. J. Park, and R. R. Wagner Eds., Communications in Computer and Information Science 187, Springer, pp. 190-197, June, 2011. DOI More..

Abstract

In this paper we identify some areas where cryptography can help a rapid adoption of cloud computing. Although secure storage has already captured the attention of many cloud providers, offering a higher level of protection for their customer’s data, we think that more advanced techniques such as searchable encryption and secure outsourced computation will become popular in the near future, opening the doors of the Cloud to customers with higher security requirements.

PDF icon agudo2011cryptography.pdf (122.42 KB)
F. Paci, C. Fernandez-Gago, and F. Moyano, "Detecting Insider Threats: a Trust-Aware Framework",
8th International Conference on Availability, Reliability and Security, IEEE, pp. 121-130, Nov 2013. DOI More..

Abstract

The number of insider threats hitting organizations and big enterprises is rapidly growing. Insider threats occur when trusted employees misuse their permissions on organizational assets. Since insider threats know the organization and its processes, very often they end up undetected. Therefore, there is a pressing need for organizations to adopt preventive mechanisms to defend against insider threats. In this paper, we propose a framework for insiders identification during the early requirement analysis of organizational settings and of its IT systems. The framework supports security engineers in the detection of insider threats and in the prioritization of them based on the risk they represent to the organization. To enable the automatic detection of insider threats, we extend the SI* requirement modeling language with an asset model and a trust model. The asset model allows associating security properties and sensitivity levels to assets. The trust model allows specifying the trust level that a user places in another user with respect to a given permission on an asset. The insider threats identification leverages the trust levels associated with the permissions assigned to users, as well as the sensitivity of the assets to which access is granted. We illustrate the approach based on a patient monitoring scenario.

PDF icon moyano2013ares.pdf (552.98 KB)
F. Lopez, J. Lopez, A. Vergara, and L. Pino, "Determination of Objects Orientation in Assembly Lines using Neural Networks",
5th Intern. Conf. on Computer Aided Systems Theory and Technology (EUROCAST’97), pp. 183-189, February, 1997. More..

Abstract

This paper is a first approach to the use of artificial neural networks as a tool to estimate the orientation of an object, and is mainly directed towards industrial applications. The capability of neural networks to generalise is a key element in the calculation of an object’s orientation. In this sense, a neural network can identify the angle of a part never seen before. To evaluate the efficiency of this method we have performed a series of tests with the different parts used in a car assembly line.

S. Gurgens, J. Lopez, and R. Peralta, "Efficient Detection of Failure Modes in Electronic Commerce Protocols",
IEEE International Workshop on Electronic Commerce and Security, IEEE Press, pp. 850-857, September, 1999. More..

Abstract

The design of key distribution and authentication protocols has been shown to be error-prone. These protocols constitute the part of more complex protocols used for electronic commerce transactions. Consequently, these new protocols are likely to contain flaws that are even more difficult to find. In this paper, we present a search method for detecting potential security flaws in such protocols. Our method relies on automatic theorem proving tools. Among others we present our analysis of a protocol recently standardized by the German standardization organization DIN to be used in digital signature applications for smartcards. Our analysis resulted in the standard being supplemented with comments that explain the possible use of cryptographic keys.

D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "Engineering Process Based On Grid Use Cases For Mobile Grid Systems",
Third International Conference on Software and Data Technologies (ICSOFT’08), Springer, pp. 146-151, 2008. More..

Abstract

 

The interest to incorporate mobile devices into Grid systems has arisen with two main purposes. The firstone is to enrich users of these devices while the other is that of enriching the own Grid infrastructure.Security of these systems, due to their distributed and open nature, is considered a topic of great interest. Aformal approach to security in the software life cycle is essential to protect corporate resources. However,little attention has been paid to this aspect of software development. Due to its criticality, security should beintegrated as a formal approach into the software life cycle. We are developing a methodology ofdevelopment for secure mobile Grid computing based systems that helps to design and build secure Gridsystems with support for mobile devices directed by use cases and security use cases and focused onservice-oriented security architecture. In this paper, we will present one of the first steps of ourmethodology consisting of analyzing security requirements of mobile grid systems. This analysis will allowus to obtain a set of security requirements that our methodology must cover and implement.

 

 

PDF icon rosado2008a.pdf (813.44 KB)
J. Davila, J. Lopez, R. Peralta, and J. maria troya, "A First Approach to Latin Electronic Notary Public Services",
IFIP Conference on Security & Control of IT in Security, pp. 49-60, 2001.
J. Lopez, F. Ona, L. Pino, and C. Maraval, "Generación de Números Primos mediante Tests de Primalidad Probabilístas",
IV Reunión Española de Criptología (IV REC), pp. 27-33, Septiembre, 1996. More..

Abstract

Nowadays cryptography is present in nearly every aspect of our everyday life, in particular public-key cryptosystems. Some of them have a mathematical foundation of number theory working with big integer numbers. Factoring these numbers is more complex and time-consuming than generating and testing prime numbers; this is the main reason for the strenght of some public key cryptosystems. This paper presents three different probabilistic methods for testing big prime numbers in a reasonable amount of time. A comparison of their efficiency to test prime numbers is also introduced.

D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "Hacia un Proceso sistemático para el desarrollo de sistemas Grid Seguros con Dispositivos Móviles",
IV Congreso Iberoamericano de Seguridad Informática (CIBSI’07), Sebastián Cañón, M.A., pp. 111-124, 2007.
R. Rios, I. Agudo, and J. L. Gonzalez, "Implementación de un esquema de localización privada y segura para interiores",
IX Jornadas de Ingeniería Telemática (JITEL’10), Y. Dimitriadis, and M. Jesús Ver Pérez Eds., pp. 237 - 244, Sept., 2010. More..

Abstract

Las aplicaciones basadas en localización proporcionan a los usuarios servicios personalizados dependiendo de su ubicación. Las estimaciones prevén que estos servicios se extenderán enormemente en los próximos años reportando grandes beneficios tanto a la industria como a los usuarios finales. Sin embargo, para que estos avances sean posibles se hace necesario analizar en profundidad las distintas implicaciones de seguridad y privacidad que la utilización de tales servicios pueden traer consigo a los usuarios. En este trabajo proponemos un sistema de localización que da soporte a la provisión de servicios basados en localización para entornos indoor y que se fundamenta en la tecnología de redes de sensores inalámbricos. En este esquema hemos tenido en cuenta diversos aspectos de seguridad y privacidad, prestando especial atención a la limitación extrema de recursos característica de las redes de sensores. Finalmente hemos desarrollado una prueba de concepto para comprobar la viabilidad de nuestro esquema dentro del ámbito del proyecto OSAmI.

PDF icon Rios2010a.pdf (311.53 KB)
M. Payeras, J. L. Ferrer Gomila, L. Huguet Rotger, and J. A. Onieva, "Incompatibilidades entre Propiedades de los Protocolos de Intercambio Equitativo de Valores",
VI Jornadas de Ingeniería Telemática (JITEL’07), Universidad de Malaga, pp. 605-608, 2007. More..

Abstract

Sets of ideal properties are defined for different kinds of protocols designed for e-commerce applications. These sets are used as a start point in the design and then as a tool to evaluate the quality of the protocols. This is the case of fair exchange protocols and their application to electronic contract signing and certified electronic mail. However, in this area does not exist an agreement about which properties are ideal. Instead we can find properties described by different authors to his convenience. We illustrate the contradictions that appear between some of these properties.

A. Mana, J. Lopez, L. Pino, J. J. Ortega, and C. Maraval, "Incremento de la Seguridad del Estandar de Cifrado de Datos basado en la Combinación de Datos y Clave",
III Jornadas de Informática y Automática, pp. 423-432, Julio, 1997. More..

Abstract

A pesar del gran esfuerzo investigador llevado a cabo, el ataque al DES ha sido infructuoso desde que a mediados de los setenta fue adoptado como estándar por el U. S. National Bureau of Standards. El criptoanálisis diferencial constituye la base de las primeras técnicas capaces de acabar con tal invulnerabilidad. Las técnicas de criptoanálisis basadas en modelos de fallos y su adaptación a DES, el criptoanálisis de fallos diferencial, son dos de esas técnicas que han conseguido recientemente romper sistemas DES (aunque el ataque está limitado a ciertos casos especiales, en particular implementaciones hardware). En este artículo se presenta un punto débil de DES sobre el cual puede aumentarse la seguridad y se propone una modificación de la estructura interna de DES con objeto de mejorar su resistencia ante el criptoanálisis diferencial y por ende de los ataques derivados de este. La modificación introducida no supone un coste adicional elevado

PDF icon AntonioMana1997.pdf (270.73 KB)
J. L. Hernández-Ardieta, et al., "An Intelligent and Adaptive Live Simulator: A new Concept for Cybersecurity Training",
9th Future Security Conference, 2014. More..

Abstract

The rapid rate of change in technology and the increasing sophistication of cyber attacks require any organization to have a continuous preparation. However, the resource and time intensive nature of cybersecurity education and training renders traditional approaches highly inefficient. Simulators have attracted the attention in the last years as a potential solution for cybersecurity training. However, in spite of the advances achieved, there is still an urgent need to address some open challenges. In this paper we present a novel simulator that solves some these challenges. First, we analyse the main properties that any cybersecurity training solution should comprise, and evaluate to what extent training simulators can meet them. Next, we introduce the functional architecture and innovative features of the simulator, of which a functional prototype has already been released. Finally, we demonstrate how these capabilities are put into practice in training courses already available in the simulator.

PDF icon 1637.pdf (1005.4 KB)
J. L. Hernández-Ardieta, et al., "An Intelligent and Adaptive Live Simulator: A new Concept for Cybersecurity Training",
9th Future Security Conference, 2014. More..

Abstract

The rapid rate of change in technology and the increasing sophistication of cyber attacks require any organization to have a continuous preparation. However, the resource and time intensive nature of cybersecurity education and training renders traditional approaches highly inefficient. Simulators have attracted the attention in the last years as a potential solution for cybersecurity training. However, in spite of the advances achieved, there is still an urgent need to address some open challenges. In this paper we present a novel simulator that solves some these challenges. First, we analyse the main properties that any cybersecurity training solution should comprise, and evaluate to what extent training simulators can meet them. Next, we introduce the functional architecture and innovative features of the simulator, of which a functional prototype has already been released. Finally, we demonstrate how these capabilities are put into practice in training courses already available in the simulator.

PDF icon 1637.pdf (1005.4 KB)
D. Nuñez, C. Fernandez-Gago, S. Pearson, and M. Felici, "A Metamodel for Measuring Accountability Attributes in the Cloud",
2013 IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2013), IEEE, pp. 355-362, 12/2013. DOI More..

Abstract

Cloud governance, and in particular data governance in the cloud, relies on different technical and organizational practices and procedures, such as policy enforcement, risk management, incident management and remediation. The concept of accountability encompasses such practices, and is essential for enhancing security and trustworthiness in the cloud. Besides this, proper measurement of cloud services, both at a technical and governance level, is a distinctive aspect of the cloud computing model. Hence, a natural problem that arises is how to measure the impact on accountability of the procedures held in practice by organizations that participate in the cloud ecosystem. In this paper, we describe a metamodel for addressing the problem of measuring accountability properties for cloud computing, as discussed and defined by the Cloud Accountability Project (A4Cloud). The goal of this metamodel is to act as a language for describing: (i) accountability properties in terms of actions between entities, and (ii) metrics for measuring the fulfillment of such properties. It also allows the recursive decomposition of properties and metrics, from a high-level and abstract world to a tangible and measurable one. Finally, we illustrate our proposal of the metamodel by modelling the transparency property, and define some metrics for it.

PDF icon nunez2013metamodel.pdf (304.22 KB)
R. J. Caro, et al., "Middleware Seguro EP2P: un Desafío para las Redes Sociales",
XVIII Jornadas Telecom I+D, October, 2008. More..

Abstract

Los sistemas distribuidos en dispositivos embebidos representan un nuevo reto en el desarrollo de software. Estos sistemas han supuesto una importante revolución en el paradigma de la computación distribuida donde se intenta fragmentar un problema grande en múltiples problemas más pequeños. El nuevo escenario tiende entonces hacia sistemas en los cuales todos los elementos de la red se consideran iguales y los mecanismos de comunicación estãn basados en redes ad-hoc que se forman dinámicamente. De esta forma cualquier usuario de la red (en realidad cualquier elemento, hasta el más simple dispositivo) adquiere valor, a mayor colaboración, mayor éxito del sistema. Sin embargo, desde el punto de vista de la seguridad, estos sistemas son extremadamente vulnerables. En este artículo se presenta SMEPP, un middleware diseñado especialmente para sistemas P2P incluyendo aspectos de seguridad. SMEPP está diseñado para poder ser ejecutado en un amplio rango de dispositivos (desde redes de sensores hasta PC), y trata de facilitar el desarrollo de aplicaciones ocultando los detalles de la plataforma y otros aspectos tales como escalabilidad, adaptabilidad e interoperabilidad. Además el artículo presenta dos aplicaciones de alto nivel que utilizando este middleware pasan a ser más personales, más sociales y más baratas, haciendo que todos los usuarios de la red cobren mayor importancia.

PDF icon Benito2008.pdf (575.71 KB)
F. Lopez, J. Lopez, L. Pino, and C. Maraval, "Neural Networks for Systems Security",
5th European Congress of Intelligent Techniques and Soft Computing (EUFIT’97), pp. 410-413, August, 1997. More..

Abstract

This paper is a first approach in the use of Neural Networks for security. We apply it for electronic mail private systems in Local Area Networks. Some of these systems use public keys directories which must be protected suitably. This task is very complicated because all users in the systems must be able to change their public keys in those directories. We see the advantage of using Neural Networks versus other classical methods to resolve this problem.

K.. Peng, E. Dawson, J. Gonzalez-Nieto, E. Okamoto, and J.. Lopez, "A Novel Method To Maintain Privacy in Mobile Agent Applications",
Fourth International Conference on Cryptology and Network Security (CANS´05), LNCS 3810, Springer, pp. 247-260, 2005. More..
PDF icon 1716.pdf (211.06 KB)
J. Lopez, A. Mana, J. J. Ortega, and E. Pimentel, "Protección de Software basada en Tarjetas Inteligentes",
VII Reunión Española sobre Criptología y Seguridad de la Información (VII RECSI), pp. 485-497, Septiembre, 2002.
D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "PSecGCM: Process for the development of Secure Grid Computing based Systems with Mobile devices",
International Conference on Availability, Reliability and Security (ARES’08), IEEE Computer Society, pp. 136-143, 2008. More..

Abstract

 

A Grid computing system is defined as a platformthat supports distributed system applications which require fastaccess to a large quantity of distributed resources in acoordinated manner. With the development of wirelesstechnology and mobile devices, the Grid becomes the perfectcandidate so that mobile users can make complex works that addnew computational capacity to the Grid. Security of thesesystems, due to their distributed and open nature, receives greatinterest. The growing size and profile of the grid requirecomprehensive security solutions as they are critical to thesuccess of the endeavour. A formal approach to security in thesoftware life cycle is essential to protect corporate resources.However, little thought has been given to this aspect of softwaredevelopment. Due to its criticality, security should be integratedas a formal approach in the software life cycle. A methodology ofdevelopment for secure mobile Grid computing based systems isdefined, that is to say, an engineering process that defines thesteps to follow so that starting from the necessities to solve, wecan design and construct a secure Grid system with support formobile devices that is able to solve and cover these necessities.

 

 

PDF icon rosado2008.pdf (164.18 KB)
J. Lopez, F. Ona, L. Pino, and C. Maraval, "Seguridad de Directorios en Criptosistemas de Clave Pública mediante Redes Neuronales en Sistemas de Comunicaciones",
X Symposium Nacional de la Unión Científica Internacional de Radio (URSI’95), pp. 147-150, Septiembre, 1995.
L. Pino, A. Mana, J. J. Ortega, and J. Lopez, "Sistema Jerárquico de Administración de Claves Públicas para el Correo Electrónico",
I Jornadas de Ingeniería Telemática (JITEL’97), pp. 295-302, Sep 1997.
R. J. Caro, et al., "SMEPP: A Secure Middleware for Embedded P2P",
ICT Mobile and Wireless Communications Summit (ICT-MobileSummit’09), June, 2009. More..

Abstract

The increasing presence of embedded devices with internet access capabilities constitutes a new challenge in software development. These devices are now cooperating in a distributed manner towards what has been called as "Internet of Things". In this new scenario the client-server model is sometimes not adequate and dynamic ad-hoc networks are more common than before. However, security poses as a hard issue as these systems are extremely vulnerable. In this paper, we introduce SMEPP project, which aims at developing a middleware designed for P2P systems with a special focus on embedded devices and security. SMEPP is designed to be deployed in a wide range of devices. It tries to ease the development of applications hiding platforms details and other aspects such as scalability, adaptability and interoperability. A full implementation of this middleware is already available that incorporates security features specially designed for low-resource devices. Moreover, we describe two business applications being developed using this middleware in the context of "Digital Home" and "Environmental Monitoring in Industrial Environments".

PDF icon Benito2009.pdf (331.96 KB)
N. Libor, et al., "Strong Authentication of Humans and Machines in Policy Controlled Cloud Computing Environment Using Automatic Cyber Identity",
Information Security Solutions Europe 2012, N. Pohlmann, H. Reimer, and W. Schneider Eds., Springer Vieweg, pp. 195-206, 2012. DOI More..

Abstract

The paper describes the experience with integration of automatic cyber identity technology with policy controlled virtualisation environment. One identity technology has been used to enable strong authentication of users (human beings) as well as machines (host systems) to the virtualization management system. The real experimental evaluation has been done in PASSIVE project (Policy-Assessed system-level Security of Sensitive Information processing in Virtualised Environments - SEVENTH FRAMEWORK PROGRAMME THEME ICT-2009.1.4 INFORMATION AND COMMUNICATION TECHNOLOGIES - Small or medium-scale focused research project - Grant agreement no.: 257644).

N. Libor, et al., "Strong Authentication of Humans and Machines in Policy Controlled Cloud Computing Environment Using Automatic Cyber Identity",
Information Security Solutions Europe 2012, N. Pohlmann, H. Reimer, and W. Schneider Eds., Springer Vieweg, pp. 195-206, 2012. DOI More..

Abstract

The paper describes the experience with integration of automatic cyber identity technology with policy controlled virtualisation environment. One identity technology has been used to enable strong authentication of users (human beings) as well as machines (host systems) to the virtualization management system. The real experimental evaluation has been done in PASSIVE project (Policy-Assessed system-level Security of Sensitive Information processing in Virtualised Environments - SEVENTH FRAMEWORK PROGRAMME THEME ICT-2009.1.4 INFORMATION AND COMMUNICATION TECHNOLOGIES - Small or medium-scale focused research project - Grant agreement no.: 257644).

J. Lopez, J. A. Montenegro, R. Oppliger, and G. Pernul, "On a Taxonomy of Systems for Authentication and/or Authorization Services",
TERENA Networking Conference, June, 2004. More..

Abstract

In this work we elaborate on a taxonomy of systems that provide either joint solutions for both authentication and authorization problems, or solutions for only one of the problems. Basically, we do not focus our work on theoretical systems that have been proposed only in the literature. On the other hand, we focus on: (i) systems that are already developed; (ii) systems that are under development or deployment; and (iii) systems that are still in the initial stages of design but are supported by international working groups or bodies. More precisely, we elaborate on a taxonomy of systems that are (or will be soon) available to final users.

PDF icon JavierLopez2004a.pdf (19.35 KB)
I. Agudo, A. El Kaafarani, D. Nuñez, and S. Pearson, "A Technique for Enhanced Provision of Appropriate Access to Evidence across Service Provision Chains",
10th International IFIP Summer School on Privacy and Identity Management, pp. 187-204, 2016. DOI More..

Abstract

Transparency and verifiability are necessary aspects of accountability, but care needs to be taken that auditing is done in a privacy friendly way. There are situations where it would be useful for certain actors to be able to make restricted views within service provision chains on accountability evidence, including logs, available to other actors with specific governance roles. For example, a data subject or a Data Protection Authority (DPA) might want to authorize an accountability agent to act on their behalf, and be given access to certain logs in a way that does not compromise the privacy of other actors or the security of involved data processors. In this paper two cryptographic-based techniques that may address this issue are proposed and assessed.

PDF icon agudo2016technique.pdf (1.19 MB)
L. Pino, J. Lopez, F. Lopez, and C. Maraval, "A Tool for Functions Approximation by Neural Networks",
5th European Congress of Intelligent Techniques and Soft Computing (EUFIT ’97), pp. 557-564, 1997.
C. Fernandez-Gago, et al., "Tools for Cloud Accountability: A4Cloud Tutorial",
9th IFIP Summer School on Privacy and Identity Management for the Future Internet in the Age of Globalisation, vol. 457, Springer IFIP AICT, pp. 219-236, 2015. DOI More..

Abstract

Cloud computing is becoming a key IT infrastructure technology being adopted progressively by companies and users. Still, there are issues and uncertainties surrounding its adoption, such as security and how users data is dealt with that require attention from developers, researchers, providers and users. The A4Cloud project tries to help solving the problem of accountability in the cloud by providing tools that support the process of achieving accountability. This paper presents the contents of the first A4Cloud tutorial. These contents include basic concepts and tools developed within the project. In particular, we will review how metrics can aid the accountability process and some of the tools that the A4Cloud project will produce such as the Data Track Tool (DTT) and the Cloud Offering Advisory Tool (COAT).

PDF icon 1516.pdf (1.48 MB)
F. Moyano, B. Baudry, and J. Lopez, "Towards Trust-Aware and Self-Adaptive Systems",
7th IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2013), C. Fernandez-Gago, I. Agudo, F. Martinelli, and S. Pearson Eds., AICT 401, Springer, pp. 255-262, Jun 2013. DOI More..

Abstract

The Future Internet (FI) comprises scenarios where many heterogeneous and dynamic entities must interact to provide services (e.g., sensors, mobile devices and information systems in smart city scenarios). The dynamic conditions under which FI applications must execute call for self-adaptive software to cope with unforeseeable changes in the application environment. Software engineering currently provides frameworks to develop reasoning engines that automatically take reconfiguration decisions and that support the runtime adaptation of distributed, heterogeneous applications. However, these frameworks have very limited support to address security concerns of these application, hindering their usage for FI scenarios. We address this challenge by enhancing self-adaptive systems with the concepts of trust and reputation. Trust will improve decision-making processes under risk and uncertainty, in turn improving security of self-adaptive FI applications. This paper presents an approach that includes a trust and reputation framework into a platform for adaptive, distributed component-based systems, thus providing software components with new abilities to include trust in their reasoning process.  

PDF icon moyano2013ifiptm.pdf (585.82 KB)
S. K. Katsikas, J. Lopez, and G. Pernul, "Trust, Privacy and Security in E-business: Requirements and Solutions",
10th Panhellenic Conference in Informatics (PCI’05), LNCS 3746, Springer, pp. 548-558, November, 2005. More..

Abstract

  An important aspect of e-business is the area of e-commerce. One of the most severe restraining factors for the proliferation of e-commerce, is the lack of trust between customers and sellers, consumer privacy concerns and the lack of security measures required to assure both businesses and customers that their business relationship and transactions will be carried out in privacy, correctly, and timely. This paper considers trust privacy and security issues in e-commerce applications and discusses methods and technologies that can be used to fulfil the pertinent requirements.

PDF icon SokratisKatsikas2005.pdf (240.98 KB)
J.. Davila, J. Lopez, and R.. Peralta, "Una Solución Flexible para Redes Privadas Virtuales",
VI Reunión Española de Criptología y Seguridad de la Información (VI RECSI), pp. 329-340, Sep 2000.
Conference Proceedings
J. Lopez, J. Pastor, and J. M. Troya Eds., "5th Spanish Conference on Cryptology and Information Security",
RECSI, 1998.
S. K. Katsikas, J. Lopez, M. Backes, S. Gritzalis, and B. Preneel Eds., "Information Security, 9th International Conference, ISC 2006, Samos Island, Greece, August 30 - September 2, 2006, Proceedings",
ISC, vol. 4176, Springer, 2006. More..
J. Cuellar, J. Lopez, G. Barthe, and A. Pretschner Eds., ""Security and Trust Management"",
6th International Workshop, STM 2010, Athens, Greece, September 23-24, 2010. Proceedings, vol. 6710, 2010. More..
S. K. Katsikas, J. Lopez, and G. Pernul Eds., "Trust and Privacy in Digital Business, First International Conference, TrustBus 2004, Zaragoza, Spain, August 30 - September 1, 2004, Proceedings",
TrustBus, vol. 3184, Springer, 2004. More..
C. Fernandez-Gago, F. Martinelli, S. Pearson, and I. Agudo Eds., Trust Management VII, 7th WG11.11 International conference , vol. 401, Springer, June 2013. More..
S. K. Katsikas, J. Lopez, and G. Pernul Eds., "Trust, Privacy and Security in Digital Business: Second International Conference, TrustBus 2005, Copenhagen, Denmark, August 22-26, 2005, Proceedings",
TrustBus, vol. 3592, Springer, 2005. More..
Journal Article
S. Gurgens, J. Lopez, and R. Peralta, "Analysis of E-commerce Protocols: Adapting a Traditional Technique",
International Journal of Information Security, vol. 2, no. 1, Springer, pp. 21-36, 2003. More..

Abstract

We present the adaptation of our model for the validation of key distribution and authentication protocols to address some of the specific needs of protocols for electronic commerce. The two models defer in both the threat scenario and in the protocol formalization. We demonstrate the suitability of our adaptation by analyzing a specific version of the Internet Billing Server protocol introduced by Carnegie MellonUniversity. Our analysis shows that, while the security properties a key distribution or authentication protocol shall provide are well understood, it is often not clear which properties an electronic commerce protocol can or shall provide. We use the automatic theorem proving software ‘‘Otter’’ developed at Argonne National Laboratories for state space exploration.

PDF icon SigridGuergens2003.pdf (222.22 KB)
D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "Analysis of Secure Mobile Grid Systems: A Systematic Approach",
Information and Software Technology, vol. 52, Elsevier, pp. 517-536, May 2010. DOI (I.F.: 1.527)More..

Abstract

Developing software through systematic processes is becoming more and more important due to the growing complexity of software development. It is important that the development process used integrates security aspects from the first stages at the same level as other functional and non-functional requirements. Systems which are based on Grid Computing are a kind of systems that have clear differentiating features in which security is a highly important aspect. The Mobile Grid, which is relevant to both Grid and Mobile Computing, is a full inheritor of the Grid with the additional feature that it supports mobile users and resources. A development methodology for Secure Mobile Grid Systems is proposed in which the security aspects are considered from the first stages of the life-cycle and in which the mobile Grid technological environment is always present in each activity. This paper presents the analysis activity, in which the requirements (focusing on the grid, mobile and security requirements) of the system are specified and which is driven by reusable use cases through which the requirements and needs of these systems can be defined. These use cases have been defined through a UML-extension for security use cases and Grid use cases which capture the behaviour of this kind of systems. The analysis activity has been applied to a real case.

Impact Factor: 1.527
Journal Citation Reports® Science Edition (Thomson Reuters, 2010)

J. Lopez, R. Oppliger, and G. Pernul, "Authentication and Authorization Infrastructures (AAIs): A Comparative Survey",
Computers & Security, vol. 23, no. 7, Elsevier, pp. 578-590, 2004. (I.F.: 0.412)More..

Abstract

In this article, we argue that traditional approaches for authorization and access control in computer systems (i.e., discretionary, mandatory, and role-based access controls) are not appropriate to address the requirements of networked or distributed systems, and that proper authorization and access control requires infrastructural support in one way or another. This support can be provided, for example, by an authentication and authorization infrastructure (AAI). Against this background, we overview, analyze, discuss, and put into perspective some technologies that can be used to build and operate AAIs. More specifically, we address Microsoft .NET Passport and some related activities (e.g. the Liberty Alliance Project), Kerberos-based solutions, and AAIs that are based on digital certificates and public key infrastructures (PKIs). We conclude with the observation that there is no single best approach for providing an AAI, that every approach has specific advantages and disadvantages, and that a comprehensive AAI must combine various technologies and approaches.

Impact Factor: 0.412
Journal Citation Reports® Science Edition (Thomson Reuters, 2004)

PDF icon JavierLopez2004.pdf (2.22 MB)
J. L. Ferrer-Gomilla, J. A. Onieva, M. Payeras, and J. Lopez, "Certified electronic mail: Properties revisited",
Computers & Security, vol. 29, no. 2, pp. 167 - 179, 2010. DOI (I.F.: 0.889)More..

Abstract

Certified electronic mail is an added value to traditional electronic mail. In the definition of this service some differences arise: a message in exchange for a reception proof, a message and a non repudiation of origin token in exchange for a reception proof, etc. It greatly depends on whether we want to emulate the courier service or improve the service in the electronic world. If the definition of the service seems conflictive, the definition of the properties and requirements of a good certified electronic mail protocol is even more difficult. The more consensuated features are the need of a fair exchange and the existence of a trusted third party (TTP). Each author chooses the properties that considers the most important, and many times the list is conditioned by the proposal. Which kind of TTP must be used? Must it be verifiable, transparent and/or stateless? Which features must the communication channel fulfil? Which temporal requirements must be established? What kind of fairness is desired? What efficiency level is required? Are confidentiality or transferability of the proofs compulsory properties? In this paper we collect the definitions, properties and requirements related with certified electronic mail. The aim of the paper is to create a clearer situation and analyze how some properties cannot be achieved simultaneously. Each protocol designer will have to decide which properties are the most important in the environment in where the service is to be deployed.

Impact Factor: 0.889
Journal Citation Reports® Science Edition (Thomson Reuters, 2010)

PDF icon FerrerGomilla2009.pdf (301.65 KB)
C. Alcaraz, G. Bernieri, F. Pascucci, J. Lopez, and R. Setola, "Covert Channels-based Stealth Attacks in Industry 4.0",
IEEE Systems Journal., vol. 13, issue 4, IEEE, pp. 3980-3988, 12/2019. DOI (I.F.: 3.987)More..

Abstract

Industry 4.0 advent opens several cyber-threats scenarios originally designed for classic information technology, drawing the attention to the serious risks for the modern industrial control networks. To cope with this problem, in this paper we address the security issues related to covert channels applied to industrial networks, identifying the new vulnerability points when information technologies converge with operational technologies such as edge computing infrastructures. Specifically, we define two signaling strategies where we exploit the Modbus/TCP protocol as target to set up a covert channel. Once the threat channel is established, passive and active offensive attacks (i.e. data exfiltration and command an control, respectively) are further exploited by implementing and testing them on a real Industrial Internet of Things testbed. The experimental results highlight the potential damage of such specific threats, and the easy extrapolation of the attacks to other types of channels in order to show the new risks for Industry 4.0. Related to this, we discuss some countermeasures to offer an overview of possible mitigation and defense measures.
 

Impact Factor: 3.987
Journal Citation Reports® Science Edition (Thomson Reuters, 2019)

PDF icon alcaraz2019a.pdf (938.98 KB)
D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "Developing a Secure Mobile Grid System through a UML Extension",
Journal of Universal Computer Science, vol. 16, no. 17, Springer, pp. 2333-2352, Sep 2010. DOI (I.F.: 0.578)More..

Abstract

The idea of developing software through systematic development processes toimprove software quality is not new. Nevertheless, there are still many information systemssuch as those of Grid Computing which are not developed through methodologies that areadapted to their most differentiating features. A systematic development process for Gridsystems that supports the participation of mobile nodes and incorporates security aspects intothe entire software lifecycle will thus play a significant role in the development of systemsbased on Grid computing. We are creating a development process for the construction ofinformation systems based on Grid Computing, which is highly dependent on mobile devices,in which security plays a highly important role. One of the activities in this process is that ofanalysis which is focused on ensuring that the system’s security and functional requirements areelicited, specified and modelled. In our approach, this activity is driven by use cases andsupported by the reusable repository. This obtains, builds, defines and refines the use cases ofthe secure Mobile Grid systems which represent the functional and non-functional requirementsof this kind of systems. In this paper, we present the proposed development process throughwhich we introduce the main aspects of the UML profile defined for building use case diagramsin the mobile Grid context through which it is possible to represent specific mobile Gridfeatures and security aspects, showing in detail how to build use case diagrams for a real mobile Grid application by using our UML profile, denominated as GridUCSec-Profile.

Impact Factor: 0.578
Journal Citation Reports® Science Edition (Thomson Reuters, 2010)

A. Mana, J. Lopez, J. J. Ortega, E. Pimentel, and J. M. Troya, "A Framework for Secure Execution of Software",
International Journal of Information Security (IJIS), vol. 3, no. 2, Springer, pp. 99-112, 2004. More..

Abstract

    The protection of software applications is one of the most important problems to solve in information security because it has a crucial effect on other security issues.We can find in the literature many research initiatives that have tried to solve this problem, many of them based on the use of tamperproof hardware tokens. This type of solutions depends on two basic premises: (i) to increase the physical security by using tamperproof devices, and (ii) to increase the complexity of the analysis of the software. The first premise is reasonable. The second one is certainly related to the first one. In fact, its main goal is that the pirate user can not modify the software to bypass an operation that is crucial: checking the presence of the token. However, the experience shows that the second premise is not realistic because the analysis of the executable code is always possible. Moreover, the techniques used to obstruct the analysis process are not enough to discourage an attacker with average resources. In this paper, we review the most relevant works related to software protection, present a taxonomy of those works and, most important, we introduce a new and robust software protection scheme. This solution, called SmartProt, is based on the use of smart cards and cryptographic techniques, and its security relies only on the first of previous premises; that is, Smartprot has been designed to avoid attacks based on code analysis and software modification. The entire system is described following a lifecycle approach, explaining in detail the card setup, production, authorization, and execution phases. We also present some interesting applications of Smart- Prot as well as the protocols developed to manage licenses. Finally, we provide an analysis of its implementation details.

PDF icon AntonioMana2004.pdf (496.63 KB)
J. A. Montenegro, M. J. Fischer, J. Lopez, and R. Peralta, "Secure sealed-bid online auctions using discreet cryptographic proofs",
Mathematical and Computer Modelling, vol. 57, Elsevier, pp. 2583–2595, Jun 2013. DOI (I.F.: 2.02)More..

Abstract

This work describes the design and implementation of an auction system using secure multiparty computation techniques. Our aim is to produce a system that is practical under actual field constraints on computation, memory, and communication. The underlying protocol is privacy-preserving, that is, the winning bid is determined without information about the losing bids leaking to either the auctioneer or other bidders. Practical implementation of the protocol is feasible using circuit-based cryptographic proofs along with additively homomorphic bit commitment. Moreover, we propose the development of a Proof Certificatestandard. These certificates convey sufficient information to recreate the cryptographic proofs and verify them offline.

Impact Factor: 2.02
Journal Citation Reports® Science Edition (Thomson Reuters, 2013)

PDF icon MFLR13.pdf (606.16 KB)
J. Lopez, A. Mana, E. Pimentel, J. maria troya, and M. Yague, "A Secure Solution for Commercial Digital Libraries",
Online Information Review Journal, vol. 27, no. 3, Emerald, pp. 147-159, 2003. (I.F.: 0.417)More..
Impact Factor: 0.417
Journal Citation Reports® Science Edition (Thomson Reuters, 2003)

PDF icon 1708.pdf (126.04 KB)
I. Stellios, P. Kotzanikolaou, M. Psarakis, C. Alcaraz, and J. Lopez, "Survey of IoT-enabled Cyberattacks: Assessing Attack Paths to Critical Infrastructures and Services",
IEEE Communications Surveys and Tutorials, vol. 20, issue 4, IEEE, pp. 3453-3495, 07/2018. DOI (I.F.: 22.973)More..

Abstract

As the deployment of Internet of Things (IoT) is experiencing an exponential growth, it is no surprise that many recent cyber attacks are IoT-enabled: The attacker initially exploits some vulnerable IoT technology as a first step towards compromising a critical system that is connected, in some way, with the IoT. For some sectors, like industry, smart grids, transportation and medical services, the significance of such attacks is obvious, since IoT technologies are part of critical backend systems. However, in sectors where IoT is usually at the enduser side, like smart homes, such attacks can be underestimated, since not all possible attack paths are examined. In this paper we survey IoT-enabled cyber attacks, found in all application domains since 2010. For each sector, we emphasize on the latest, verified IoT-enabled attacks, based on known real-world incidents and published proof-of-concept attacks. We methodologically analyze representative attacks that demonstrate direct, indirect and subliminal attack paths against critical targets. Our goal is threefold: (i) To assess IoT-enabled cyber attacks in a risk-like approach, in order to demonstrate their current threat landscape; (ii) To identify hidden and subliminal IoT-enabled attack paths against critical infrastructures and services, and (iii) To examine mitigation strategies for all application domains.

Impact Factor: 22.973
Journal Citation Reports® Science Edition (Thomson Reuters, 2018)

D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "Systematic Design of Secure Mobile Grid Systems",
Journal of Network and Computer Applications, vol. 34, Elsevier, pp. 1168-1183, 2011. (I.F.: 1.065)More..

Abstract

 Grid computing has arisen as an evolution of distributed systems mainly focused on the sharing of and remote access to resources in a uniform, transparent, secure, efficient and reliable manner. It is possible to join Grid technology and mobile technology in order to create one of the most promising technologies and developments to appear in recent years, in that they enrich one another and provide new solutions that solve many of the limitations and problems found in different technologies. Security is a very important factor in Mobile Grid Computing and is also difficult to achieve owing to the open nature of wireless networks and heterogeneous and distributed environments. Success in obtaining a secure system originates in incorporating security from the first stages of the development process. It has therefore been necessary to define a development process for this kind of systems in which security is incorporated in all stages of the development and the features and particularities of the Mobile Grid systems are taken into consideration. This paper presents one of the activities of this development process, the design activity, which consists of defining and designing a security software architecture. This architecture will be built from a security architecture, defined as reference architecture, in which security services, interfaces and operations are defined with the purpose of defining a reference security architecture which covers the majority of security requirements identified in the analysis activity. The design activity will build the system architecture that will be the input artefact for the subsequent activity in the process, which is the construction activity.

Impact Factor: 1.065
Journal Citation Reports® Science Edition (Thomson Reuters, 2011)

D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "Towards a UML Extension of Reusable Secure Use Cases for Mobile Grid systems",
IEICE Trans. on Information and Systems, vol. E94-D, IEICE, pp. 243-254, Feb 2011. DOI (I.F.: 0.178)More..

Abstract

The systematic processes exactly define the development cycle and help the development team follow the same development strategies and techniques, thus allowing a continuous improvement in the quality of the developed products. Likewise, it is important that the development process used integrates security aspects from the first stages at the same level as other functional and non-functional requirements. Grid systems allow us to build very complex information systems with different and remarkable features (interoperability between multiple security domains, cross-domain authentication and authorization, dynamic, heterogeneous and limited mobile devices, etc). With the development of wireless technology and mobile devices, the Grid becomes the perfect candidate for letting mobile users make complex works that add new computational capacity to the Grid. A methodology of development for secure mobile Grid systems is being defined. One of the activities of this methodology is the requirements analysis which is based in reusable use cases. In this paper, we will present a UML-extension for security use cases and Grid use case which capture the behaviour of this kind of systems. A detailed description of all these new use cases defined in the UML extension is necessary, describing the stereotypes, tagged values, constraints and graphical notation. We show an example of how to apply and use this extension for building the diagram of use cases and incorporating common security aspects for this kind of systems. Also, we will see how the diagrams built can be reused in the construction of others diagrams saving time and effort in this task.
 

Impact Factor: 0.178
Journal Citation Reports® Science Edition (Thomson Reuters, 2011)

PDF icon rosado2009.pdf (302.25 KB)
S.. Zeadally, A.. Pathan, C. Alcaraz, and M.. Badra, "Towards Privacy Protection in Smart Grid",
Wireless Personal Communications, vol. 73, Springer, pp. 23-50, Nov 2013, 2012. DOI (I.F.: 0.428)More..

Abstract

The smart grid is an electronically controlled electrical grid that connects power generation, transmission, distribution, and consumers using information communication technologies. One of the key characteristics of the smart grid is its support for bi-directional information flow between the consumer of electricity and the utility provider. This two-way interaction allows electricity to be generated in real-time based on consumers’ demands and power requests. As a result, consumer privacy becomes an important concern when collecting energy usage data with the deployment and adoption of smart grid technologies. To protect such sensitive information it is imperative that privacy protection mechanisms be used to protect the privacy of smart grid users. We present an analysis of recently proposed smart grid privacy solutions and identify their strengths and weaknesses in terms of their implementation complexity, efficiency, robustness, and simplicity.

 

Impact Factor: 0.428
Journal Citation Reports® Science Edition (Thomson Reuters, 2012)

PDF icon 1750.pdf (2 MB)
S. K. Katsikas, J. Lopez, and G. Pernul, "Trust, Privacy and Security in Digital Business",
International Journal of Computer Systems, Science & Engineering, vol. 20, no. 6, CRL Publishing, 2005. (I.F.: 0.119)More..

Abstract

An important aspect of e-business is the area of e-commerce. According to recent surveys, one of the most severe restraining factors for the proliferation of e-commerce, as measured by the gap between predicted market value and actual development is the (lack of) security measures required to assure both businesses and customers that their business relationship and transactions will be carried out in privacy, correctly, and timely. A large number of individuals are not willing to engage in e-commerce (or are only participating at a reduced level) simply because they do not trust the e-commerce sites and the underlying information and communication technologies to be secure enough. This paper first considers privacy and security requirements for e-commerce applications; it then discusses methods and technologies that can be used to fulfil these requirements.

Impact Factor: 0.119
Journal Citation Reports® Science Edition (Thomson Reuters, 2005)

PDF icon SokratisKatsikas2005a.pdf (215.19 KB)
J. Lopez, A. Mana, J. J. Ortega, and L. Pino, "Una Solución Integral para la Autenticación de Usuarios y la Administración de Claves en Internet",
Novática, vol. 134, pp. 20-26, 1998. More..

Abstract

La seguridad es uno de los aspectos más conflictivos del uso de Internet. La falta de una política de seguridad global está frenando el desarrollo de Internet en áreas tan interesantes y prometedoras como el comercio electrónico o la interacción con las administraciones públicas. Las técnicas criptográficas actuales proporcionan un alto grado de confidencialidad; no obstante, es difícil garantizar la identificación segura de los usuarios y, además, la gestión de las claves de los mismos es poco eficiente y presenta graves problemas de escalabilidad y seguridad. En este trabajo se describe una solución a ambos problemas basada en una Infraestructura de Clave Pública que proporciona una administración simple y eficiente de las claves de los usuarios y posibilita la autenticación segura de los mismos. El sistema se ha probado con éxito de forma local y, en breve, será instalado para su prueba por parte de la comunidad de usuarios de RedIris.

PDF icon JavierLopez1998.pdf (174.34 KB)
J. Lopez, R. Oppliger, and G. Pernul, "Why Public Key Infrastructures have failed so far?",
Internet Research, vol. 15, no. 5, Emerald, pp. 544-556, 2005. (I.F.: 0.688)More..

Abstract

Since public key cryptography is a fundamental technology for electronic commerce, people have often argued that public key infrastructures and corresponding certification services are the gold-mines of the information age. Contrary to these relatively high expectations, public key infrastructures have not really taken off and many certification service providers have even gone out of business. In this paper, we overview and discuss the technical, economical, legal, and social reasons why public key infrastructures have failed so far, summarize the lessons learnt, and give our expectations about the future development of the field.

Impact Factor: 0.688
Journal Citation Reports® Science Edition (Thomson Reuters, 2005)

PDF icon JavierLopez2005.pdf (101.63 KB)