I Congreso Nacional Turismo y Tecnología de la Información y las Comunicaciones (TURITEC’99), pp. 99-110, Septiembre, 1999.
Uno de los servicios que cada día cobra más importancia y que promete un cambio radical para las empresas es el comercio electrónico en Internet, pero tradicionalmente las empresas relacionadas con el turismo sólo han empleado la red para darse a conocer y ofertar sus productos. La razón esencial es la desconfianza que existe sobre la seguridad de las transacciones llevadas a cabo en la red. La criptografía de clave pública proporciona servicios adecuados para garantizar la seguridad de esas transacciones. Pero en la actualidad, algunos de esos servicios están menos desarrollados que otros; un ejemplo de ellos es el servicio de No-Repudio. En este artículo se estudian distintas formas de ofrecer servicios de no-repudio y se analizan sus ventajas y desventajas en función de las necesidades del entorno en que se utilicen.
IV Reunión Española de Criptología (IV REC), pp. 27-33, Septiembre, 1996.
Nowadays cryptography is present in nearly every aspect of our everyday life, in particular public-key cryptosystems. Some of them have a mathematical foundation of number theory working with big integer numbers. Factoring these numbers is more complex and time-consuming than generating and testing prime numbers; this is the main reason for the strenght of some public key cryptosystems. This paper presents three different probabilistic methods for testing big prime numbers in a reasonable amount of time. A comparison of their efficiency to test prime numbers is also introduced.
IEEE Globecom 2003 - Communications Security Track, IEEE Press, pp. 1506-1510, December, 2003.
In order to study the security systems, we have developed a methodology for the application to the analysis of cryptographic protocols of the formal analysis techniques commonly used in communication protocols. In particular, we have extended the design and analysis phases with security properties. Our proposal uses a specification notation based on HMSC/MSC, which can be automatically translated into a generic SDL specification.
International Conference on Information and Communications Security (ICICS’02), LNCS 2513, Springer-Verlag, pp. 399-410, December, 2002.
Distributed systems usually contain objects with heterogeneous security requirements that pose important challenges on the underlying security mechanisms and especially in access control systems. Access control in distributed systems often relies on centralized security administration. Existing solutions for distributed access control do not provide the flexibility and manageability required. This paper presents the XML-based Secure Content Distribution (XSCD) infrastructure is based on the production of self-protected software objects that convey contents (software or data) and can be distributed without further security measures because they embed the access control enforcement mechanism. It also provides means for integrating Privilege Management Infrastructures (PMIs). Semantic information is used in the dynamic instantiation and semantic validation of policies. XSCD is scalable, facilitates the administration of the access control system, guarantees the secure distribution of the contents, enables semantic integration and interoperability of heterogeneous sources, solves the “originator retained control” issue and allows activities (such as payment) to be bound to the access to objects.
Secure Networking (CQRE’99), LNCS 1740, Springer, pp. 109-118, December, 1999.
Public-Key Infrastructures are considered the basis of the protocols and tools needed to guarantee the security demanded for new Internet applications like electronic commerce, government-citizen relationships and digital distribution. This paper introduces a new infrastructure design, Cert’eM, a key management and certification system that is based on the structure of the electronic mail service and on the principle of near-certification. Cert’eM provides secure means to identify users and distribute their public-key certificates, enhances the efficiency of revocation procedures, and avoids scalability and synchronization problems. The system, developed and tested at the University of Malaga, was recently selected by RedIRIS, the National Research and Academic Network in Spain, to provide the public key service for its secure electronic mail.
Third International Conference on Ubiquitous Intelligence and Computing, LNCS 4159, no. 4159, Springer, pp. 977-987, August, 2006.
The increased heterogeneity and dynamism of new computing paradigms and especially of ubiquitous computing models is boosting the need for auto-configurable systems. In these new scenarios, heterogeneity and dynamism are inherent properties and applications are built by aggregating distributed information and services that are not under the control of a single entity. Furthermore, the current trend towards distributed computing poses important problems related to the need to transmit large amounts of data between the distributed nodes of the computing system; the control over the information; and the flexibility to adapt to heterogeneous client requirements. These characteristics are difficult to manage by traditional computing models. For these reasons, the mobile agent paradigm is gaining momentum and the interest of researchers and industry in this paradigm is increasing. In this paper we present a solution to provide a secure and auto-configurable environment for mobile agents in ubiquitous computing scenarios. Our approach is based on two main building blocks: trusted platforms and profiles.
III Reunión Española de Criptología (III REC), pp. 133-138, Noviembre, 1994.
First International Conference on Electronic Government (EGOV’02), LNCS 2456, Springer, pp. 211-214, September, 2002.
Interaction of citizens and private organizations with Public Administrations can produce meaningful benefits in the accessibility, efficiency and availability of documents, regardless of time, location and quantity. Although there are some experiences in the field of e-government there are still some technological and legal difficulties that avoid a higher rate of communications with Public Administrations through Internet, not only from citizens, but also from private companies. We have studied two of the technological problems, the need to work in a trustful environment and the creation of tools to manage electronic versions of the paper-based forms.
11th International Conference on Database and Expert Systems Applications (DEXA’00), LNCS 1873, Springer, pp. 929-938, September, 2000.
Public-key cryptography is fast becoming the foundation for those applications that require security and authentication in open networks. But the widespread use of a global public-key cryptosystem requires that public-key certificates are always available and up-to-date. Problems associated to digital certificates management, like storage, retrieval, maintenance, and, specially, revocation, require special procedures that ensure reliable features because of the critical significance of inaccuracies. Most of the existing systems use a Certificate Revocation List, a repository of certificates that have been revoked before their expiration date. The need to access CRLs in order to check certificate revocations becomes a performance handicap. Furthermore, they introduce a source of vulnerability in the whole security infrastructure, as it is impossible to produce a new CRL each time a revocation takes place. This paper introduces an alternative for the storage of digital certificates that avoids the use of CRLs. The system is designed to provide a distributed management of digital certificates by using Certification Authorities that, while being part of a whole Public-Key Infrastructure, operate over local certificates databases. Communication protocols between local databases have been designed to minimize network traffic without a lack of security and efficiency.
5th European Congress of Intelligent Techniques and Soft Computing (EUFIT’97), pp. 410-413, August, 1997.
This paper is a first approach in the use of Neural Networks for security. We apply it for electronic mail private systems in Local Area Networks. Some of these systems use public keys directories which must be protected suitably. This task is very complicated because all users in the systems must be able to change their public keys in those directories. We see the advantage of using Neural Networks versus other classical methods to resolve this problem.
11th International SDL Forum (SDL’03), LNCS 2708, Springer-Verlag, pp. 300-317, July, 2003.
Nowadays, it is widely accepted that critical systems have to be formally analysed in order to achieve well-known formal method benefits. In order to study the security of communication systems, we have developed a methodology for the application of the formal analysis techniques commonly used in communication protocols to the analysis of cryptographic ones. In particular, we have extended the design and analysis phases with security properties. Our proposal uses a specification notation based on MSC, which can be automatically translated into a generic SDL specification. This SDL system can then be used for the analysis of the desired security properties, by using an observer process schema. Apart from our main goal of providing a notation for describing the formal specification of security systems, our proposal also brings additional benefits, such as the study of the possible attacks to the system, and the possibility of re-using the specifications produced to describe and analyse more complex systems.
3rd ACIS Int. Conf. on Software Engineering, Artificial Intelligence Networking and Parallel/Distributed Computing (SNPD’02), pp. 157-163, Junio, 2002.
Interaction of organizations and their clients by using the Internet can produce meaningful benefits in the accessibility, efficiency and availability of documents, regardless of time and location. However, some types of problems hinder a higher degree of communication. This paper presents some of the results of a Research Project that focuses on the influence of typical open networks risks in electronic interactions and on the need of creating software tools to manage electronic versions of the paper-based forms, as this is the traditional way of interaction through the Web.
IFIP Working Conference on User Identification and Privacy Protection, pp. 209-227, June, 1999.
While there is wide agreement on the immense potential of Internet, its growth and performance are adversely affected by security issues. Despite its impressive size, scope and reach, the Internet has not yet become a common vehicle for many of these new possibilities. Progress in fields as electronic commerce and government-citizen relationships have been limited by the open design of the network itself. Today, Public-Key Infrastructures are the basis of the protocols and tools needed to guarantee the security demanded in those fields. Trust management and user identification are also important issues that remain unresolved. This paper introduces a key management and user identification system, named Cert’eM, that is based on the electronic mail service. Cert’eM provides important advantages over existing Public-Key Infrastructures and user identification proposals.
2nd International Workshop on Security Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU’06), IEEE Press, pp. 1-6, June, 2006.
The extraordinary growth of the Information Society is originating a high dependency on ICT. This provokes that those strongly interrelated technological infrastructures, as well as the information systems that underpin them, become highly critical, since their disruption would lead to high economical, material and, sometimes, human loss. As a consequence, the protection of these Critical Information Infrastructures is becoming a major objective for governments and companies. In this paper, we give an overview of the main challenges and open research issues on Critical Information Infrastructure security, and introduce an on-going research project that, using wireless sensor networks as an underlying technology, is dealing with those problems. Our research project focuses on the development of protection, control, evaluation, maintenance and verification mechanisms, integrated into a secure service-oriented architecture.
Brain Processes, Theories and Models International Conference, pp. 478-482, October, 1995.
VII Reunión Española sobre Criptología y Seguridad de la Información (VII RECSI), pp. 485-497, Septiembre, 2002.
Simposio Español de Informática Distribuida (SEID’00), pp. 313-320, Septiembre, 2000.
La seguridad es uno de los aspectos más conflictivos del uso de Internet. La falta de una política de seguridad global está frenando el desarrollo de Internet en áreas tan interesantes y prometedoras como el comercio electrónico o la interacción con las administraciones públicas. Las técnicas criptográficas actuales proporcionan un alto grado de confidencialidad; no obstante, es difícil garantizar la identificación segura de los usuarios y, además, la gestión de las claves de los mismos es poco eficiente y presenta graves problemas de escalabilidad. Este trabajo describe las características de implementación de una solución a ambos problemas basada en una Infraestructura de Clave Pública (PKI) que proporciona una administración simple y eficiente de las claves de los usuarios y posibilita la autenticación segura de los mismos.
5th Intern. Conf. on Computer Aided Systems Theory and Technology (EUROCAST’97), pp. 183-189, February, 1997.
This paper is a first approach to the use of artificial neural networks as a tool to estimate the orientation of an object, and is mainly directed towards industrial applications. The capability of neural networks to generalise is a key element in the calculation of an object’s orientation. In this sense, a neural network can identify the angle of a part never seen before. To evaluate the efficiency of this method we have performed a series of tests with the different parts used in a car assembly line.
7th IFIP Conference on Multimedia and Communications Security (CMS’03), LNCS 2828, Springer-Verlag, pp. 158-171, October, 2003.
Security services are essential for ensuring secure communications. Typically no consideration is given to security requirements during the initial stages of system development. Security is only added latter as an afterthought in function of other factors such as the environment into which the system is to be inserted, legal requirements, and other kinds of constraints. In this work we introduce a methodology for the specification of security requirements intended to assist developers in the design, analysis, and implementation phases of protocol development. The methodology consists of an extension of the ITU-T standard requirements language MSC and HMSC, called SRSL, defined as a high level language for the specification of security protocols. In order to illustrate it and evaluate its power, we apply the new methodology to a real world example, the integration of an electronic notary system into a web-based multi-users service platform.
International Conference on Infrastructure Security (InfraSec’02), LNCS 2437, Springer-Verlag, pp. 246-259, October, 2002.
Every communication system requiring security properties is certainly critical. In order to study the security of communication systems, we have developed a methodology for the application of the formal analysis techniques of communication protocols to the analysis of cryptographic ones. We have extended the design and analysis phases with security properties. Our methodology uses a specification technique based on the HMSC/MSC requirement languages, and translates it into a generic schema for the SDL specification language, which is used for the analysis. Thus, the technique allows the specification of security protocols using a standard formal language and uses Object-Orientation for reusability purposes. The final goal is not only the formal specification of a security system, but to examine the possible attacks, and later use the specification in more complex systems.
Foundations of Security Analysis and Design 2009, LNCS 5705, Springer Berlin/Heidelberg, pp. 289-338, August, 2009. DOI
As sensor networks are more and more being implemented in real world settings, it is necessary to analyze how the different requirements of these real-world applications can influence the security mechanisms. This paper offers both an overview and an analysis of the relationship between the different security threats, requirements, applications, and security technologies. Besides, it also overviews some of the existing sensor network standards, analyzing their security mechanisms.
X Symposium Nacional de la Unión Científica Internacional de Radio (URSI’95), pp. 147-150, Septiembre, 1995.
VII Reunión Española sobre Criptología y Seguridad de la Información (VII RECSI), pp. 471-483, Septiembre, 2002.
La aplicación de los métodos formales para el diseño y análisis de sistemas críticos está ampliamente aceptada en el desarrollo de estos sistemas. Los protocolos de seguridad abordan el objetivo de garantizar servicios y derechos como el de la confidencialidad de los datos personales o el de garantizar la identidad de acceso a un sistema. Por lo tanto, ya que un protocolo de seguridad es un sistema crítico, es necesario utilizar métodosformales para su diseño y análisis. Debido a las características especiales que presentan este tipo de protocolos, se deben utilizar métodos que no son los tradicionales utilizados para los protocolos de comunicaciones, sino que deben utilizarse otros específicos. En este artículo vamos a hacer un estudio de las principales propiedades de seguridad que poseen los protocolos criptográficos y de la manera de aplicar los métodos formales en su diseño y análisis.
I Congreso Internacional Sociedad de la Información, pp. 423-428, 2002.
The important role of Public Key Infrastructures (PKIs) inside the general scope of Internet communication, and more precisely, inside electronic commerce, has driven us to the revision of actual procedures followed in the development of software of these elements that provide security and trust to the digital certification environment. In this work we introduce the actual results of a joint research project of the Security Group of the University of Malaga and the Department of Technology Innovation of Banesto regarding a PKI implementation. The originality of this work is that we have paid attention not only to functional aspects of the infrastructure, but also to the programming techniques used. Basically, we have developed a solution in which implementation has been guided by the increase in the study of software architectures and those paradigms that have emerged in parallel, as component orientation, software frameworks, and design patterns. The correct use of these techniques provide a different point of view that allows the development of every PKI building block in a modular and independent way.
International Conference on Imaging Science, Systems, and Technology (CISST’98), pp. 418-424, July, 1998.
We present in this paper a first approach to the use of artificial neural as a tool to determine the orientation of objects moving on a conveyor belt in a car assembly line. The capability of neural networks to generalise is a key element in the calculation of an object’s orientation. In this sense, a neural network with Competitive Hebbian Learning can identify the angle of a part never used in its training process. The equilibrium between exactitude and processing time is also studied.
TERENA Networking Conference, June, 2004.
In this work we elaborate on a taxonomy of systems that provide either joint solutions for both authentication and authorization problems, or solutions for only one of the problems. Basically, we do not focus our work on theoretical systems that have been proposed only in the literature. On the other hand, we focus on: (i) systems that are already developed; (ii) systems that are under development or deployment; and (iii) systems that are still in the initial stages of design but are supported by international working groups or bodies. More precisely, we elaborate on a taxonomy of systems that are (or will be soon) available to final users.
International Conference on Infrastructure Security (InfraSec’02), LNCS 2437, Springer-Verlag, pp. 325-337, October, 2002.
The main aims of Virtual Private Network (VPN) are to isolate a distributed network from outsiders, as well as to protect the confidentiality and integrity of sensitive information traversing a non-trusted network such as the Internet. However, some problems arise when security is considered as the unique problem because VPN users suffer from restrictions in their access to the network. They are not free to use traditional Internet services such as electronic mail exchange with non-VPN users, and to access Web and FTP servers external to the organization. This paper presents a new solution that allows the open use of traditional network services running over TCP and UDP layers, while maintaining strong security features. The new scheme works at the TCP/IP transport layer and does not require the addition of new hardware because it is a totally software solution. As a consequence, the application is totally portable. Moreover, and because of its implementation at the transport layer, there is no need to modify any traditional communication applications previously installed in the network system.
IEEE International Carnahan Conference on Security Technology, IEEE Press, pp. 354-362, October, 1999.
An Extranet is used to connect businesses with their suppliers, customers or other businesses that share common goals in a way that automates their administrative interactions using Internet technology. The security of the communications over Internet is considered an essential feature. To guarantee secure operation the aid of some user authentication infrastructure is needed. This paper introduces a Public Key Infrastructure (PKI) and user identification scheme to be used in extranet applications. The flexibility of the system allows it to fit the usual hierarchical organization structure.
II Jornadas de Informática y Automática, pp. 305-314, Julio, 1996.
In this paper we first compare Parikh’s condition to various pumping conditions - Bar-Hillel’s pumping lemma, Ogden’s condition and Bader-Moura’s condition; secondly, to interchange condition; and finally, to Sokolowski’s and Grant’s conditions. In order to carry out these comparisons we present some properties of Parikh’s languages. The main result is the orthogonality of the previously mentioned conditions and Parikh’s condition.
IEEE International Workshop on Web Semantics (WebS’03), IEEE Press, pp. 622-626, 2003.
First International Workshop on Security in Information Systems (SIS’02), pp. 61-71, April, 2002.
Authentication between protocol agents is widely studied in the cryptographic protocol analysis area. It is essential in a virtual environment to rely on protocol parties’ identity. In the academic literature there are many protocols that provide the authentication property. We present in this paper a new mechanism to verify authentication using SDL, general purpose specification language. We have defined a generic schema in SDL that allow us to specify a security system and check system behavior when a malicious agent ( the intruder ) is present. We have used the EKE authentication protocol to illustrate how the mechanism works.
International Conference on Imaging Science, Systems, and Technology (CISST’98), July, 1998.
2nd European PKI Workshop: Research and Applications (EuroPKI’05), LNCS 3545, Springer, pp. 135-143, June, 2005.
In spite of the fact that there are several companies that (try to) sell public key certificates, there is still no unified or standardized classification scheme that can be used to compare and put into perspective the various offerings. In this paper, we try to start filling this gap and propose a four-dimensional scheme that can be used to uniformly describe and classify public key certificates. The scheme distinguishes between (i) who owns a certificate, (ii) how the certificate owner is registered, (iii) on what medium the certificate (or the private key, respectively) is stored, and (iv) what type of functionality the certificate is intended to be used for. We think that using these or similar criteria to define and come up with unified or even standardized classes of public key certificate is useful and urgently needed in practice.
Information Security Practice and Experience (ISPEC 2014), vol. 8434, Springer, pp. 15-27, 05/2014. DOI
Wireless sensor networks (WSNs) are exposed to many different types of attacks. Among these, the most devastating attack is to compromise or destroy the base station since all communications are addressed exclusively to it. Moreover, this feature can be exploited by a passive adversary to determine the location of this critical device. This receiver-location privacy problem can be reduced by hindering traffic analysis but the adversary may still obtain location information by capturing a subset of sensor nodes in the field. This paper addresses, for the first time, these two problems together in a single solution
Third International Conference on E-Commerce and Web Technologies (ECWeb’02), LNCS 2455, Springer, pp. 203-213, September, 2002.
The use of attribute certificates and the concept of mobile policies have been proposed to overcome some of the limitations of the role based access control (RBAC) paradigm and to implement security requirements such as the ‘‘originator controlled’’ (ORCON) policy. Mobile policies are attached to the data that they control and enforced by their execution in trusted servers. In this paper we extend this idea to allow the execution of the policies in untrusted systems. Our extension allows that policies are bound to the data but not attached to it. By this modification security administrators are able to change policies dynamically and transparently. Additionally, we introduce X-ACS, an XML-based language designed to express policies in a simple and unambiguous way overcoming the limitations of other approaches. Important features of X-ACS are that it can be used by processors with limited capabilities such as smart cards while allowing the automated validation of policies.
Information Security Solutions Europe 2012, N. Pohlmann, H. Reimer, and W. Schneider Eds., Springer Vieweg, pp. 195-206, 2012. DOI
The paper describes the experience with integration of automatic cyber identity technology with policy controlled virtualisation environment. One identity technology has been used to enable strong authentication of users (human beings) as well as machines (host systems) to the virtualization management system. The real experimental evaluation has been done in PASSIVE project (Policy-Assessed system-level Security of Sensitive Information processing in Virtualised Environments - SEVENTH FRAMEWORK PROGRAMME THEME ICT-2009.1.4 INFORMATION AND COMMUNICATION TECHNOLOGIES - Small or medium-scale focused research project - Grant agreement no.: 257644).
Workshop on Wireless Cooperative Network Security (WCNS’11), Springer, May, 2011. DOI
Cognitive Radio Networks (CRNs) arise as a promising solution to the scarcity of spectrum. By means of cooperation and smart decisions influenced by previous knowledge, CRNs are able to detect and profit from the best spectrum opportunities without interfering primary licensed users. However, besides the well-known attacks to wireless networks, new attacks threat this type of networks. In this paper we analyze these threats and propose a set of intrusion detection modules targeted to detect them. Provided method will allow a CRN to identify attack sources and types of attacks, and to properly react against them.
International Conference on Imaging Science, Systems and Technology (CISST’99), pp. 547-550, June, 1999.