Isaac Agudo

Associate Professor


Computer Science Department, University of Malaga
Campus de Teatinos s/n, 29071 - Malaga (Spain)
Phone: (+34) 952136315 / 951952913    Fax: (+34) 952131397
E-mail: isaac@lcc.uma.es

Current research

  • Applied crypto for IoT and Cloud scenarios: Analysis of current security problems, and proposal of new solutions, in Cloud and IoT scenarios, in particular with regard to Privacy, Authentication and Confidentiality.
  • Digital Identity: New requirements for interoperable identity schemes in the Future Internet. Exploring the possibilities of wearable devices as identity enablers.
  • Authentication, Authorization and Delegation: Definition and implementation of privacy-friendly authentication mechanisms.

Education

  • Ph.D. in Computer Science (with European Doctorate mention), University of Malaga (July 2008).
  • MSc. in Mathematics, University of Malaga (July 2002).
  • BSc. in Computer Science, UNED, Spain (August 2007).

Principal Investigator

  • MOTAM: Methods to Optimize Road Transport through Mobile Applications
  • DEPHISIT: Experimental Hybrid Platform for Intelligent Transport Systems
  • Crypto4BC: Advanced Cryptography for Blockchain Applications

Relevant publications

  • D. Nuñez, I. Agudo, and J. Lopez, "The fallout of key compromise in a proxy-mediated key agreement protocol",
    31st Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec'17), vol. LNCS 10359, Springer, pp. 453-472, 07/2017.

    Abstract

    In this paper, we analyze how key compromise affects the protocol by Nguyen et al. presented at ESORICS 2016, an authenticated key agreement protocol mediated by a proxy entity, restricted to only symmetric encryption primitives and intended for IoT environments. This protocol uses long-term encryption tokens as intermediate values during encryption and decryption procedures, which implies that these can be used to encrypt and decrypt messages without knowing the corresponding secret keys. In our work, we show how key compromise (or even compromise of encryption tokens) allows to break forward security and leads to key compromise impersonation attacks. Moreover, we demonstrate that these problems cannot be solved even if the affected user revokes his compromised secret key and updates it to a new one. The conclusion is that this protocol cannot be used in IoT environments, where key compromise is a realistic risk.

  • D. Nuñez, I. Agudo, and J. Lopez, "Proxy Re-Encryption: Analysis of Constructions and its Application to Secure Access Delegation",
    Journal of Network and Computer Applications, vol. 87, Elsevier, pp. 193-209, 06/2017. (I.F.: 3.991)

    Abstract

    This paper analyzes the secure access delegation problem, which occurs naturally in the cloud, and postulates that Proxy Re-Encryption is a feasible cryptographic solution, both from the functional and efficiency perspectives. Proxy re-encryption is a special type of public-key encryption that permits a proxy to transform ciphertexts from one public key to another, without the proxy being able to learn any information about the original message. Thus, it serves as a means for delegating decryption rights, opening up many possible applications that require delegated access to encrypted data. In particular, sharing information in the cloud is a prime example. In this paper, we review the main proxy re-encryption schemes so far, and provide a detailed analysis of their characteristics. Additionally, we also study the efficiency of selected schemes, both theoretically and empirically, based on our own implementation. Finally, we discuss some applications of proxy re-encryption, with a focus on secure access delegation in the cloud.

    Impact Factor: 3.991
    Journal Citation Reports® Science Edition (Thomson Reuters, 2017)

  • D. Nuñez, I. Agudo, and J. Lopez, "On the Application of Generic CCA-Secure Transformations to Proxy Re-Encryption",
    Security and Communication Networks, vol. 9, issue 12, Wiley, pp. 1769-1785, 08/2016. (I.F.: 1.067)

    Abstract

    Several generic methods exist for achieving chosen-ciphertext attack (CCA)-secure public-key encryption schemes from weakly secure cryptosystems, such as the Fujisaki–Okamoto and REACT transformations. In the context of proxy re-encryption (PRE), it would be desirable to count on analogous constructions that allow PRE schemes to achieve better security notions. In this paper, we study the adaptation of these transformations to proxy re-encryption and find both negative and positive results. On the one hand, we show why it is not possible to directly integrate these transformations with weakly secure PRE schemes because of general obstacles coming from both the constructions themselves and the security models, and we identify 12 PRE schemes that exhibit these problems. On the other hand, we propose an extension of the Fujisaki–Okamoto transformation for PRE, which achieves a weak form of CCA security in the random oracle model, and we describe the sufficient conditions for applying it.

    Impact Factor: 1.067
    Journal Citation Reports® Science Edition (Thomson Reuters, 2016)

  • D. Nuñez, I. Agudo, and J. Lopez, "NTRUReEncrypt: An Efficient Proxy Re-Encryption Scheme Based on NTRU",
    10th ACM Symposium on Information, Computer and Communications Security (AsiaCCS), pp. 179-189, 04/2015.

    Abstract

    The use of alternative foundations for constructing more secure and efficient cryptographic schemes is a topic worth exploring. In the case of proxy re-encryption, the vast majority of schemes are based on number theoretic problems such as the discrete logarithm. In this paper we present NTRUReEncrypt, a new bidirectional and multihop proxy re-encryption scheme based on NTRU, a widely known lattice-based cryptosystem. We provide two versions of our scheme: the first one is based on the conventional NTRU encryption scheme and, although it lacks a security proof, remains as efficient as its predecessor; the second one is based on a variant of NTRU proposed by Stehlé and Steinfeld, which is proven CPA-secure under the hardness of the Ring-LWE problem. To the best of our knowledge, our proposals are the first proxy re-encryption schemes to be based on the NTRU primitive. In addition, we provide experimental results to show the efficiency of our proposal, as well as a comparison with previous proxy re-encryption schemes, which confirms that our first scheme outperforms the rest by an order of magnitude.

  • D. Nuñez, I. Agudo, and J. Lopez, "A Parametric Family of Attack Models for Proxy Re-Encryption",
    28th IEEE Computer Security Foundations Symposium, IEEE Computer Society, pp. 290-301, 07/2015.

    Abstract

    Proxy Re-Encryption (PRE) is a type of Public-Key Encryption (PKE) which provides an additional re-encryption functionality. Although PRE is inherently more complex than PKE, attack models for PRE have not been developed further than those inherited from PKE. In this paper we address this gap and define a parametric family of attack models for PRE, based on the availability of both the decryption and re-encryption oracles during the security game. This family enables the definition of a set of intermediate security notions for PRE that ranges from "plain" IND-CPA to "full" IND-CCA. We analyze some relations among these notions of security, and in particular, the separations that arise when the re-encryption oracle leaks re-encryption keys. In addition, we discuss which of these security notions represent meaningful adversarial models for PRE. Finally, we provide an example of a recent "CCA1-secure" scheme from PKC 2014 whose security model does not capture chosen-ciphertext attacks through re-encryption and for which we describe an attack under a more realistic security notion. This attack emphasizes the fact that PRE schemes that leak re-encryption keys cannot achieve strong security notions.

  • D. Nuñez, and I. Agudo, "BlindIdM: A Privacy-Preserving Approach for Identity Management as a Service",
    International Journal of Information Security, vol. 13, issue 2, Springer, pp. 199-215, 2014. (I.F.: 0.963)

    Abstract

    Identity management is an almost indispensable component of today’s organizations and companies, as it plays a key role in authentication and access control; however, at the same time it is widely recognized as a costly and time-consuming task. The advent of cloud computing technologies, together with the promise of flexible, cheap and efficient provision of services, has provided the opportunity to externalize such a common process, shaping what has been called Identity Management as a Service (IDaaS). Nevertheless, as in the case of other cloud-based services, IDaaS brings with it great concerns regarding security and privacy, such as the loss of control over the outsourced data. In this paper we analyze these concerns and propose BlindIdM, a model for privacy-preserving IDaaS with a focus on data privacy protection. In particular, we describe how a SAML-based system can be augmented to employ proxy re-encryption techniques for achieving data confidentiality with respect to the cloud provider, while preserving the ability to supply the identity service. This is an innovative contribution to both the privacy and identity management landscapes.

    Impact Factor: 0.963
    Journal Citation Reports® Science Edition (Thomson Reuters, 2014)

  • C. Fernandez-Gago, I. Agudo, and J. Lopez, "Building Trust from Context Similarity Measures",
    Computer Standards & Interfaces, Special Issue on Security in Information Systems, vol. 36, issue 4, Elsevier, pp. 792-800, 2014. (I.F.: 0.879)

    Abstract

    Trust is an essential feature of any system where entities have to collaborate among them. Trust can assist entities making decisions about what is the best entity for establishing a certain collaboration. It would be desirable to simulate behaviour of users as in social environments where they tend to establish relationships or to trust users who have common interests or share some of their opinions, i.e., users who are similar to them to some extent. Thus, in this paper we first introduce the concept of context similarity among entities and from it we derive a similarity network which can be seen as a graph. Based on this similarity network we define a trust model that allows us also to establish trust along a path of entities. A possible application of our model is proximity-based trust establishment. We validate our model in this scenario.

    Impact Factor: 0.879
    Journal Citation Reports® Science Edition (Thomson Reuters, 2014)

  • I. Agudo, R. Rios, and J. Lopez, "A Privacy-Aware Continuous Authentication Scheme for Proximity-Based Access Control",
    Computers & Security, vol. 39 (B), Elsevier, pp. 117-126, 11/2013. (I.F.: 1.172)

    Abstract

    Continuous authentication is mainly associated with the use of biometrics to guarantee that a resource is being accessed by the same user throughout the usage period. Wireless devices can also serve as a supporting technology for continuous authentication or even as a complete alternative to biometrics when accessing proximity-based services. In this paper we present the implementation of a secure, non-invasive continuous authentication scheme supported by the use of Wearable Wireless Devices (WWD), which allow users to gain access to proximity-based services while preserving their privacy. Additionally we devise an improved scheme that circumvents some of the limitations of our implementation.

    Impact Factor: 1.172
    Journal Citation Reports® Science Edition (Thomson Reuters, 2013)

  • D. Nuñez, I. Agudo, and J. Lopez, "Integrating OpenID with Proxy Re-Encryption to enhance privacy in cloud-based identity services",
    IEEE CloudCom 2012, IEEE Computer Society, pp. 241 - 248, Dec 2012.

    Abstract

    The inclusion of identity management in the cloud computing landscape represents a new business opportunity for providing what has been called Identity Management as a Service (IDaaS). Nevertheless, IDaaS introduces the same kind of problems regarding privacy and data confidentiality as other cloud services; on top of that, the nature of the outsourced information (users’ identity) is critical. Traditionally, cloud services (including IDaaS) rely only on SLAs and security policies to protect the data, but these measures have proven insufficient in some cases; recent research has employed advanced cryptographic mechanisms as an additional safeguard. Apart from this, there are several identity management schemes that could be used for realizing IDaaS systems in the cloud; among them, OpenID has gained crescent popularity because of its open and decentralized nature, which makes it a prime candidate for this task. In this paper we demonstrate how a privacy-preserving IDaaS system can be implemented using OpenID Attribute Exchange and a proxy re-encryption scheme. Our prototype enables an identity provider to serve attributes to other parties without being able to read their values. This proposal constitutes a novel contribution to both privacy and identity management fields. Finally, we discuss the performance and economical viability of our proposal.

Courses and seminars

  • European Intensive Programme on Information & Communication Systems Security (IPICS), September 2012.
  • Computer Science Paradigms - Esp. in Information Security. University of La Laguna, November 2012.

Scientific Activities

  • Editorial Board:
    • International Journal of Digital Content Technology and its Applications (JDCTA)
    • International Journal of Advances in Electrical & Electronics Engineering (IJAEEE)
  • Organization committee member:
    • The 11th FTRA International Conference on Secure and Trust Computing, data management, and Applications (STA 2014)
    • 5th IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2013) Security and Privacy track, Bristol, UK, December 2-5, 2013
    • 10th European PKI Workshop (EuroPKI 2013) in conjunction with European Symposium on Research in Computer Security (ESORICS 2013), 9 – 13 September 2013, Egham, United Kingdom.
    • 7th International Conference on Trust Management (IFIPTM 2013), Malaga, Spain, June 3-7, 2013.
    • 1st International Workshop on ‘Security & Trust for Applications in Virtualised Environments’ (STAVE 2011) in conjunction with The 8th FTRA International Conference on Secure and Trust Computing, data management, and Applications, Greece, 28-30 June 2011
    • 7th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2010) in conjunction with the 21st International Conference on Database and Expert Systems Applications (DEXA 2010), Bilbao, Spain, 30 August - 3 September 2010.
  • Program committee member: 
    • 15th IEEE International Conference on Advanced and Trusted Computing (ATC 2018)
    • 6th International Conference on e-Democracy: Citizen rights in the world of the new computing paradigms, 10-11 December 2015, Athens, Greece
    • 12th International Conference on Trust, Privacy & Security in Digital Business - TRUSTBUS, 1-2 September 2015, Valencia, Spain.
    • 10th International Conference on Availability, Reliability and Security - ARES, 24-28 August 2015, Toulouse, France.
    • 1st special track on Security and Privacy in Healthcare IT in the 26th IEEE International Symposium on Computer-Based Medical Systems, 20-22 June, 2013, Porto, Portugal.
    • 5th International Symposium on Security and Multimodality in Pervasive Environments (SMPE-11) 22-25 March, 2011, Biopolis, Singapore
    • 7th European Workshop on Public Key Services, Applications and Infrastructures (EuroPKI'10) 23-24 September, 2010, Athens, Greece
    • 6th International Conference on Web Information Systems and Technologies (WEBIST 2010) 7-10 April, 2010, Valencia, Spain
    • 2nd. Ibero-American Web Application Security Conference (IBWAS'10) 25-26 November, 2010, Lisbon, Portugal
    • 4th International Symposium on Security and Multimodality in Pervasive Environments (SMPE-10) 20-23 April, 2010, Perth, Australia
    • 3rd International Conference on Computational Intelligence in Security for Information Systems (CISIS'10) 11-12 November, 2010, Leon, Spain
    • FTRA 2010 International Symposium on Advances in Cryptography, Security and Applications for Future Computing (ACSA-10) 9-11 December, 2010, Gwangju, Korea
    • Sixth European Workshop on Public Key Services, Applications and Infrastructures (EuroPKI'09) 10-11 September, 2009, Pisa, Italy
    • 2009 International Conference on Security and Cryptography (SECRYPT 2009) 7-10 July, 2009, Milan, Italy
    • 2009 International Conference on Information Security and Privacy (ISP-09) 13-16 July, 2009, Orlando, USA
    • The 3rd International Conference on Information Security and Assurance (ISA'2009) 25-27 June, 2009, Korea University, Seoul, Korea
    • 3rd International Conference on Multimedia and Ubiquitous Engineering (MUE'09) June 4-6 2009. Qingdao, China.
    • International Conference on Web Information Systems and Technologies 2009 (WEBIST'2009) March 23-26 2009. Lisboa, Portugal.
    • Fifth European PKI Workshop (EuroPKI'08) 16-17 June, 2008, Trondheim, Norway.
    • International Conference on Computational Intelligence and Security 2007 (CIS'2007) 15-19 December, 2007, International Conference Center of Harbin Institute of Technology (HIT), Harbin, China