Jose A. Onieva
Computer Science Department, University of Malaga
Campus de Teatinos s/n,29071 - Malaga (Spain)
Phone: +34-952-132898 Fax: +34-952-131397
Domain of interest and research
- Digital Identity
- Covert Channels
- Ubiquitous Computing Security
- Non-repudiation protocols, Fair exchange protocols, Certified Electronic Protocols and Contract Signing Protocols
- Payment protocols
- Mobile Agents
- Digital Identity: The focus of my current research on digital identity is on identification with minor information disclosure. That means, and that is on-going project, for instance allowing people to (verifiably) demonstrate some assertions while hiding non-intended identity data from the rest of entities (Service and Identity Providers). The focus is also placed in the search of killer applications for existing identification technology in order to boost their adoption.
- Ubiquitous Computing Security: The main focus on this topic comes on securely joining existing and emerging mobile and pervasive scenarios with novel applications and more specifically with digital identity. Research examples are on safe and secure access to the car (the car should not start if your driver license is, for instance, expired). More details on previous research in this area can be found in UBISEC.
- Covert Channels: My current research on covert channels is focused on the search of channels for new protocols (as those existing for wireless sensor networks, which is an on-going project) and general detectability.
I received the M.Sc. and Ph.D. degrees in computer science from the University of Málaga, Spain, in 2002, and 2006, respectively.
- "Covert Communications through Network Configuration Messages",
Computers & Security, vol. 39, Part A, Elsevier, pp. 34 - 46, Nov 2013. DOI (I.F.: 1.172)
Covert channels are a form of hidden communication that may violate the integrity of systems. Since their birth in Multi-Level Security systems in the early 70’s they have evolved considerably, such that new solutions have appeared for computer networks mainly due to vague protocols specifications. In this paper we concentrate on short-range covert channels and analyze the opportunities of concealing data in various extensively used protocols today. From this analysis we observe several features that can be effectively exploited for subliminal data transmission in the Dynamic Host Configuration Protocol (DHCP). The result is a proof-of-concept implementation, HIDE\_DHCP, which integrates three different covert channels each of which accommodate to different stealthiness and capacity requirements. Finally, we provide a theoretical and experimental analysis of this tool in terms of its reliability, capacity, and detectability.Impact Factor: 1.172Journal Citation Reports® Science Edition (Thomson Reuters, 2013)
"Secure Multi-Party Non-Repudiation Protocols and Applications",
Advances in Information Security, vol. 43, Springer, 2009.
- "Certified electronic mail: Properties revisited",
Computers & Security, vol. 29, no. 2, pp. 167 - 179, 2010. DOI (I.F.: 0.889)
Certified electronic mail is an added value to traditional electronic mail. In the definition of this service some differences arise: a message in exchange for a reception proof, a message and a non repudiation of origin token in exchange for a reception proof, etc. It greatly depends on whether we want to emulate the courier service or improve the service in the electronic world. If the definition of the service seems conflictive, the definition of the properties and requirements of a good certified electronic mail protocol is even more difficult. The more consensuated features are the need of a fair exchange and the existence of a trusted third party (TTP). Each author chooses the properties that considers the most important, and many times the list is conditioned by the proposal. Which kind of TTP must be used? Must it be verifiable, transparent and/or stateless? Which features must the communication channel fulfil? Which temporal requirements must be established? What kind of fairness is desired? What efficiency level is required? Are confidentiality or transferability of the proofs compulsory properties? In this paper we collect the definitions, properties and requirements related with certified electronic mail. The aim of the paper is to create a clearer situation and analyze how some properties cannot be achieved simultaneously. Each protocol designer will have to decide which properties are the most important in the environment in where the service is to be deployed.Impact Factor: 0.889Journal Citation Reports® Science Edition (Thomson Reuters, 2010)
- "Multi-Party Nonrepudiation: A survey",
ACM Comput. Surveys, vol. 41, no. 1, pp. 5, December, 2008. (I.F.: 9.92)
Nonrepudiation is a security service that plays an important role in many Internet applications. Traditional two-party nonrepudiation has been studied intensively in the literature. This survey focuses on multiparty scenarios and provides a comprehensive overview. It starts with a brief introduction of fundamental issues on nonrepudiation, including the types of nonrepudiation service and cryptographic evidence, the roles of trusted third-party, nonrepudiation phases and requirements, and the status of standardization. Then it describes the general multiparty nonrepudiation problem, and analyzes state-of-the-art mechanisms. After this, it presents in more detail the 1-N multiparty nonrepudiation solutions for distribution of different messages to multiple recipients. Finally, it discusses advanced solutions for two typical multiparty nonrepudiation applications, namely, multiparty certified email and multiparty contract signing.Impact Factor: 9.92Journal Citation Reports® Science Edition (Thomson Reuters, 2008)
- "A Synchronous Multi-Party Contract Signing Protocol Improving Lower Bound of Steps",
21st International Information Security Conference (IFIP SEC’06), no. 201, Springer, pp. 221-232, May, 2006.
Contract signing is a fundamental service in doing business. The Internet has facilitated the electronic commerce, and it is necessary to find appropriate mechanisms for contract signing in the digital world. A number of two-party contract signing protocols have been proposed with various features. Nevertheless, in some applications, a contract may need to be signed by multiple parties. Less research has been done on multi-party contract signing. In this paper, we propose a new synchronous multi-party contract signing protocol that, with n parties, it reaches a lower bound of 3(n − 1) steps in the all-honest case and 4n − 2 steps in the worst case (i.e., all parties contact the trusted third party). This is so far the most efficient synchronous multi-party contract signing protocol in terms of the number of messages required. We further consider the additional features like timeliness and abuse-freeness in the improved version.
- "Agent-mediated non-repudiation protocols",
Electronic Commerce Research and Applications, vol. 3, no. 2, Elsevier, pp. 152-162, 2004.
Non-repudiation is a security service that provides cryptographic evidence to support the settlement of disputes in electronic commerce. In commercial transactions, an intermediary (or agent) might be involved to help transacting parties to conduct their business. Nevertheless, such an intermediary may not be fully trusted. In this paper, we propose agent-mediated non-repudiation protocols and analyze their security requirements. We first present a simple scenario with only one recipient, followed by a more complicated framework where multiple recipients are involved and collusion between them is possible. We also identify applications that could take advantage of these agent-mediated non-repudiation protocols.
Attended courses and seminars
- IPICS’05. International Summer School. University of the Aegean, Chios, Greece. 18-29 July, 2005.
- Electronic Commerce Security (University of Malaga), UMA, Málaga, 27-30, June.
- Journal of Convergence (JoC), http://www.ftrai.org/joc/
- General (co)chair:
- II Workshop in Information Security Theory and Practices 2008 (WISTP 2008). Sevilla, May 13-16.
- 1st FTRA International Workshop on Convergence Security in Pervasive Environments (IWCS 2011), Crete, Greece, June 28-30, 2011.
- FTRA/IEEE 3rd International Conference on Computer Science and its Applications (CSA-11).
- Program committee member:
- 6th International Conference on Web Information Systems and Technologies (WEBIST 2010), Valencia, Spain.
- 5th International Conference on Security and Cryptography (SECRYPT 2010). Athens, Greece, 26-28 July.
- 11th International Conference on Electronic Commerce and Web Technologies (EC-Web 2010). University of Deusto, Bilbao, Spain, 30 August - 3 September 2010.
- IV Workshop in Information Security Theory and Practices 2010 (WISTP 2010), Passau, Germany, April 2010.
- Fifth International Conference on Availability, Reliability and Security (ARES 2010), Krakow, Poland 15-18 February.
- 6th International ICST Conference on Security and Privacy in Communication Networks (SecureComm 2010), Singapore, 7-10 Septiember.
- 5th Workshop on Security and High Performance Computing Systems (S-HPCS’10). Caen, Normandy, France, 28 June - 2 July.
- 4th International Conference on Network and System Security (NSS 2010). Melbourne, Australia, 1-3 September.
- 3rd International Conference on Security of Information and Networks (SIN 2010). Taganrog, Rostov region, Russia, 7-11 September.
- 8th IEEE Consumer Communications and Networking Conference (CCNC 2011), Security Track. Las Vegas, USA, 8-11 January.
- V Workshop in Information Security Theory and Practices 2010 (WISTP 2011), Heraklion, Greece, 1-3 June.
- 6th Workshop on Security and High Performance Computing Systems (S-HPCS’11). Istanbul, Turkey, 4 J-8 July.