Large-scale integrating projects (IP) - GTA - UFRJ

peaceshiveringΤεχνίτη Νοημοσύνη και Ρομποτική

24 Οκτ 2013 (πριν από 3 χρόνια και 10 μήνες)

313 εμφανίσεις

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
1

of
105


Small or medium
-
scale focused research projects
STREP

proposal

ICT


EU Brazil Coordinated Call

FP7
-
ICT
-
2011
-
EU
-
Brazil


Security for Futur
e

Networks


SecFuNet


Work programme topics addressed

Objective ICT
-

2011.10.1 EU
-
Brazil

Future Internet
-

security

Research and

Development cooperation
:
Future Internet
-

security


Name of the coordinating person
:
Michel Betirac

e
-
mail
:
Michel.Betirac
@
ethertrust.com


Participant no.

Participant organisation name

Part. short
name

Country

1

(Coordinator)

EtherTrust

ET

France

2

T
winteq

TWI

Poland

3

Université

Pierre et Marie Curie

-
LIP6

UPMC

France

4

Telecom ParisTech

TPT

France

5

Ecole Normale Supérieure

ENS

France

6

Implementa

IMP

Germany

7

Technische Universität München

TUM

Germany

8

Infineon

INF

Germany

9

Fundação da Faculda
de

de Ciências da
Universidade de
Lisboa

FFC
UL

Portugal





10

(Coordinator)

Universidade Federal de Pernambuco

UFPE

Brazil

1
1

Universidade Federal do Rio de Janeiro

UFRJ

Brazil

1
2

Universidade Estadual do Ceará

UECE

Brazil

1
3

Universidade Federal do Amazonas

UF
A
M

Brazil

1
4

Universidade Federal de Santa Catarina

UFSC

Brazil

1
5

Universidade Fed
e
ral do Rio Grande do Sul

UFRGS

Brazil

1
6

DWA

DWA

Brazil

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
2

of
105

Proposal abstract

The future Internet will rely
heavily
on virtualization and
c
loud networking
. Therefore
, one of
the main challenges
for the future Internet
is to
provide such

virtual networks and
c
loud
accesses

with a high degree of security
. Th
is project
proposes the design of a framework
providing
secure id
entification

and

authentication,
secure data transfer
,
secure virtualized
infrastructure,
and privacy in virtual network and clouds, exploring
techniques

such as
microcontrollers, resource management,
intrusion tolerant algorithms, and
cryptographic
protocols
.
This framework will be realized through

the

design and develop
ment of

a
coherent security architecture for virtual networks and
c
loud accesses.
The proposed
architecture
will provide

solutions allowing
t
he

manage
ment of the

security of
communica
tions for all machines connected to a public
c
loud using virtual networks.
Hence,
we need a coherent and robust
identification

scheme

as we
l
l as a strong

authentication

system. Algorithms robust to intrusions are also needed for creating a secure environment.
Besides, the proposed architecture must guarantee security in the virtualized infrastructure
,

through
isolation of virtual networks

and access control for users and

managers.

The
identification of authorized users, however,
must not compromise
their

privacy. Moreover, it
is necessary to bring an ergonomic security scheme that is acceptable for all users, even
those unknowledgeable in computer science.
And f
inally, th
e proposed scheme must take
into account the heterogeneity of equipment (wireless and wired) to preserve
interoperability.

The proposed architecture will address every one of these challenges by using
,

among other
tools, secure “island
s
” of computation (s
ecure microcontrollers like those used on
Trusted
Platform Module

-

TPM and smart cards) for identification, authentication and privacy.
Another important tool that will be used to address the
afore
mentioned challenges is
virtualization.

The
secure
virtualized
infrastructure and the algorithms robust to intrusions
will guarantee the basis for creating a secure environment. A secure environment and
strong access control are the main pillars for building the proposed security architecture.

The propose
d security architecture is

split into at least two
virtual
networks: the
legacy
Internet
we know today and a new
premium

Internet
based on strong identification
,
maintaining
client
privacy
. Eventually a new Post
-
IP network could be
introduced
.
Th
e
proposed

architecture will allow t
hese
virtual
networks
to

share the same substrate using
virtualization
, as shown in Figure

1
.



Figure
1

-

The future virtualized network.

The architecture will enforce the
isolation between the two (or
three) networks. Moreover,
the secure microcontroller
s

may

allow the introduction of new security schemes
to

the
FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
3

of
105

legacy Internet
,
avoid
ing some

attacks against customers who
are
identified

using a secure
procedure
.

The
challenges addressed by
this project
can be organized in the following
work
-
package
s:

1
-

WP1
:
N
ew general security architecture based on
secure microcontroller
s
.
The
deployment of

d
ifferent
security schemes
, such as

EAP
-
TLS

(
Extensible
Authentication Protocol
-
Transport Layer Security
)
,
can
take
advantage

of the secure
“islands”,

and coexist with

legacy
scheme
s

such as

EAP
-
SIM

(
Extensible
Authentication Protocol
-
Subscriber Identity Module
)
. The
increase on

security
is
derived

from

the execution of the algorithms

within the
boundaries of the
secure

microcontroller

instead
of

running on
an

unsafe
PC
.
Th
e

microcontroller
s

could be
used to access
each

of

the virtual networks (legacy,
premium
, and Post
-
IP)
,
helping

encryp
tion

and other algorithms
, beyond what is proposed by the Trusted Platform
Modules
.

2
-

WP2
:
H
ighly secure authentication server with an array of secure microcontrollers
allowing user
s’

privacy
for networks
.

3
-

WP3
:
H
ighly secure identification scheme
,
using the secure microcontroller
s

and
Authentication and Authorization infrastructures
(AAIs)
,

such as OpenID
, Higgins

and
Shibboleth,
allow
ing the
develop
ment of
a Management System of Federated
Identities.

4
-

WP4
:
S
ecure scheme for guaranteeing isolation
among
the virtual networks so that
one network cannot reduce other virtual network
performance through an attack.
Also, provide a secure management and control of virtual netwo
r
k resources using
the developed identification scheme, guaranteeing isolat
i
on and privacy
of

resources

allocated
to
the virtual network
s
.

5
-

WP5
:
Infrastructure resilience
against attacks or
faults
.

6
-

WP6
:
Cryptographic

schemes for the
legacy

Internet
and
premium

one
.

7
-

WP7
:
Testbed for the evaluation of the devised schemes, as well as the publication of
website, documents and scientific papers
.




FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
4

of
105

Table of contents

Sommaire

Section 1:

Scientific and/or technical quality, relevant to the topics addressed by the call
..............

5

1.1

Concept and objectives

................................
................................
................................
...

5

1.
1.1.

Relevance to the FP7
-
ICT
-
2011

EU
-
Brazil Objectives
................................
..........
11

1.2

Progress beyond the state
-
of
-
the
-
art

................................
................................
................
12

1.2.1.

Virtualization

................................
................................
................................
.......
13

1.2.2.

EAP
-
TLS

................................
................................
................................
............
16

1.2.3.

Authent
ication server

................................
................................
...........................
18

1.2.4.

Identification Scheme

................................
................................
...........................
22

1.2.5.

I
ntrusion tolerant algorithms

................................
................................
.................
25

1.2.6.

Cryptographic

schemes
................................
................................
.........................
27

1.3

S/T methodology and associated work plan

................................
................................
.....
3
2

1.3.1.

Overall strategy of the work plan
................................
................................
...........
32

1.3.2.

Work
-
packages and components timing

................................
................................
.
34

1.3.3.

Work
-
packages and components interdependencies

................................
................
35

1.3.4.

Overall approach to risk management

................................
................................
....
38

1.3.5.

List of Work
-
packages
................................
................................
..........................
41

1.3.6.

List of Deliverables

................................
................................
..............................
42

1.3.7.

Work
-
packages descriptions

................................
................................
.................
43

1.3.8.

Summary of staff effort

................................
................................
........................
68

1.3.9.

Template
-

List of milestones

................................
................................
................
69

Section 2.

Implementation

................................
................................
................................
........
70

2.1

Management structure and procedures

................................
................................
............
70

2.2.1.

Integrated Project Consortium Agreement Governance

................................
...........
70

2.2

Individual participants

................................
................................
................................
...
74

2.3

Consortium as a whole
................................
................................
................................
...
95

2.4

Resources to be committed
................................
................................
.............................
97

Section 3.

Impact

................................
................................
................................
.....................
99

3.1

Expected impacts listed in the work programme

................................
..............................
99

3.2

Dissemination and/or exploitation of project results, and management of intellectual
property
................................
................................
................................
................................
.

100

3.2.1.

Dissemination and
Exploitation

of Results

................................
...........................

100

3.2.2.

Contribution to standards

................................
................................
....................

101

3.2.3.

Intellectual Property Rights (IPR) management

................................
....................

102

Section 4.

Ethical Issues
................................
................................
................................
.........

104




FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
5

of
105

Section 1:

Scientific

and/or technical quality, relevant to the topics
addressed by the call


1.1

Concept and objectives

The future Internet will rely on virtualization and
c
loud networking, and one of the main
challenges is to achieve highly secure virtual networks and
c
loud accesses. The main
problems
addressed by
this project are secure identification
, secure authentication,
secure
data transfer,
secure virtualized infrastructure, and privacy in virtual networks and clouds,
exploring techniques such as the usage of micr
ocontrollers, resource management,
intrusion
tolerant algorithms, and
cryptographic protocols
. The goal of the
SecFuNet

project is to
design and develop a coherent security architecture for virtual networks and
c
loud accesses.
This

architecture
must allow

the management of

security
with respect to

communications
for all machines connected to a public
c
loud using virtual networks.
Hence, we need a
coherent and robust
identification

scheme as well as a strong

authentication

system.
Algorithms robust to intrusions are also needed for creating a secure environment. Besides,
the proposed architecture must guarantee security in the virtualized infrastructure
,

through
isolation of virtual networks

and access control for users and

managers.

These aspects must
not compromise user
s’

privacy. Moreover, it is necessary to bring an ergonomic security
scheme that is acceptable for all users, even those unknowledgeable in computer science.
Finally, the proposed scheme must take into accou
nt the heterogeneity of equipment
(wireless and wired) to preserve interoperability.


Virtualization will bring additional complexity to networks.
The risk is that
security

become
s a

limiting factor to the evolution of networks into the future, and to the
rollout

of the enriched services they are expected to deliver.

In future networks all resources will be virtualized. This
is a new challenge for security.
Instead
of providing

a specific algorithm for each security scheme, we would like to propose
a unifie
d secure architecture
built upon two key concepts:
secure microcontroller
s

to help
identifying and authenticating users and nodes
,

and strong security on virtualized networks.
The secure

microcontroller can be a smart
card
,

for example
,

or

a
specific token built for
future Internet networks.
S
trong s
ecurity of virtual networks is based on isolation
among

the
different virtual networks
,

using the
Xen platform

for instance as the basis for this
investigation
.

Secure
M
icrocontroller

The smart ca
rd technology
[1,2]
has been used recently for deploying and managing security
applications inside tiny microprocessors. These tiny microprocessors are part of secure
microcontrollers, which are small tamper
-
resistant devices that store some secret
informa
tion and perform operations such
authentication using cryptography
.

The dimension
of a smartcard with a microcontroller is in the order of
millimetres
.

A

smartcard
or a secure

microcontroller

are

ideal for security applications, because it has a secure
cry
pto processor

and
a secure file

system
,

and protects in
-
memory information. In this project, the secure
microcontroller is used for identifying and
authenticating
users
before
grant
ing

access to the
network, which could be the premium Internet, the legacy
Internet, and any post
-
IP

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
6

of
105

network. Because micro
con
trollers can be eas
i
ly programmed, it can be used with any
security scheme, such as the EAP
-
TLS or the EAP
-
SIM.


EAP
-
TLS and EAP
-
SIM

The Extensible Authentication Protocol (EAP) is a fle
xible framework
standardized

by the

Internet Engineering Task Force (IETF).
All manufacturers, software editors, and
operators
recognize EAP
-
TLS

as the solution for strong and global authentication for all terminals. So,
one of the goals of
t
his project
is to
design

an op
en framework, free of proprietary
technologies, that

addresses the following items
:

-

Specifications of smartcard services and associated binary encoding rules (ISO 7816
APDUs) in the IETF organization, which
have
set up the Internet protocols for
the last
t
wenty years.

-

Release of open software (
OpenEapSmartcard
) for
java cards
and
dotnet
smart cards.
The codes of EAP smart cards may be freely downloaded through the
World
-
Wide
W
eb
.

-

Design of architectures based on EAP clients and EAP servers, in order to
enhance the

global network security.


H
ighly
S
ecure
A
uthentication
S
erver


In recent months, some
major

players have had serious problems with the theft

of hundreds
of thousands of passwords,
en
danger
ing

some of their
corporate customers who are
vulnerable

to

hackers. Highly secured access
control is a
mandatory
prerequisite for
organizations offering services ov
er
the Internet.

A
Radius SIM array provides cloud
-
computing

providers with a unique strong
authentication
solution protecting them against these n
ew attacks. A single

SIM Array stores up to 416 EAP
-
TLS SIMs
and SIM Arrays can be clustered
to provide storage for any number of SIMs as
needed.

This solution brings:

-

T
he end of Phishing: customers do not enter
any more

logins and

passwords;

hence
this
c
ritical information cannot be stolen
.

-

F
aster Connections:
less hassle to the user, who does not need
to remember which
combination of
login and

password
is

needed for each
W
eb
site
.

-

Easy user management: adding a new use
r
would only
require

the

inserti
o
n

of

a new
SIM

card.

-

Privacy
:

a
pair
of associated smartcards
guarantees that

nobody can detect who is
connected
to
the network.


Highly
S
ecure
G
lobal
I
dentification

The use of smart cards (or secure microcontrollers) in the process of
user

identification and
authentication provides the necessary mechanisms for implementing user
-
centric
approaches to control the release of user information. Cards used in identification protocols
make use of tokens that contain or refer to a set of attributes

available on an authentication
server. These attributes, individually or collectively, identify the user and provide the
required information to achieve the authorization controls (access controls) needed to
enable the requested operations.

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
7

of
105

Definition and

development of the
work
-
package
s WP1 and WP2 of this proposal should
introduce an identification system, where users and service (or resource) providers are
authenticated in their own authentication server (an authentication authority), featuring
local do
mains of authentication. For each user added to the system, a
pair

of associated
microcontrollers is introduced in the system, one for the user (in a card) and the second one
to be connected inside the authentication server. The EAP
-
TLS or a legacy solutio
n is
performed end
-
to
-
end, from one microcontroller to the other.

This centralized approach of identification makes use of an authentication authority (trusted
third party) to mediate trust between unknown parts: the clients and service providers. This
ap
proach is widely used in corporative systems. The access and interactions between
authenticated parts are achieved by the presentation of credentials issued by the trusted
authentication authority. These identification domains have policies and their own s
ecurity
infrastructures to
deal

with the principal identities.

For complex distributed applications that go beyond these local domains, this model of
simple intermediation
is limited
. It is necessary to expand this model to an identity
management system ba
sed on several of these local authentication servers. Our goal in this
work
-
package

is to use the concept of federated identities.
In this
approach
,

the identity
management is based on the distribution of user authentication
responsibilities

across
multipl
e authentication servers. These authentication servers are arranged in different
administrative domains (or local domains of identity).

In large applications of distributed systems such as clouds, grid computing and collaborative
networks, the identities m
anagement should be based on an integrated system of policies
and technologies crossing
the
domains

of organizations.

This

provid
es

resources in a safely
manner
,

i.e.

only to remote users with the appropriated credentials. The management of
identities that

follows the federated identity approach provides this integration of
authentication servers on trusted networks and provides the transposition of authentication
credentials between different domains.

The trusted relationships between authentication author
ities introduce, therefore, the
notions of federation and federated identities. In order to create a federation and federated
identities
,

it

is necessary to use Authentication and Authorization Infrastructures (IAAs).
Examples of these infrastructures are
Shibboleth, OpenSSO, OpenID, Liberty Alliance,
Microsoft CardSpace
,

and the Higgins Project.

In this
p
roposal, we
address
Shibboleth
,

which is a standard of the consortium Internet2, but
our
focus lies instead on two other
AAIs
:

OpenID and Higgins. These infrastructures will be
the subject of this
work
-
package

because they have support for i
-
cards and user
-
centric
models such as the identification model introduced in WP1 and WP2.

The management of federated identities that will be developed from one of these AAIs will
allow the use of authentication credentials in large
-
scale applications.
One possible scenario
would be
a cloud using
geographically distributed

physical machines. Al
though in the same
virtual network, these machines
m
ight

be
associated with

different authentication servers.
Using the federated system
,

the cloud could compose its computational
capacity

by creating
virtual machines on these physical machines. These virt
ual machines could migrate through
the network between available physical machines satisfying aspects of performance,
availability, etc. These virtual machines migrate using authentication credentials from their
principals (users for whom these virtual mac
hines were created). We
devise

a large
-
scale
FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
8

of
105

distributed environment
that is
completely dynamic
and
would be satisfied by the
identification scheme of this
work
-
package
.


The

structures of local domains defined in WP1 and WP2, when met by the management
me
chanisms of federated identities from WP3
,

create
a global authentication scheme
.
However, this
global authentication scheme

maintains
the characteristics of local domains
on which
it

is based. This should facilitate the aspects of resilience in WP5. The t
echniques
and algorithms for fault tolerance and intrusion usually do not scale well. The application of
these techniques must be done over the local domains infrastructure in order to obtain the
efficiency that is expected of them
.

Virtual
N
etworks
I
solation and
T
estbed

One of the main goals of SecFuNet project

is t
o develop a secure infrastructure for the
virtualized networks and clouds.
This

infrastructure must
provide both
high availability and
reliability

for users.

A secure infrastructure for v
irtual networks demands strong
isolation
among
virtual
networks. This means that one virtual network cannot interfere
with

others. Moreover, a
secure infrastructure must be able to
assign
different physical resources
to
each virtual
network, guaranteeing Q
oS and
assuring

that QoS parameters will be respected

regardless
of
the number of virtual networks hosted in a node and even attacks to virtual/physical
networks.

Hence, this project addresses the following:

-

Development of schemes for guaranteeing an isola
ted infrastructure for virtualized
networks.

-

Development of a scheme for sharing physical resources among virtual networks,
guaranteeing a robust management interface as well as the
Q
uality of Service
of each
virtual network, according to the service level

agreements of each network.

-

Develop
ment of management tools for controlling resource usage,
to prevent

networks
or clouds under attack
from damaging
the performance of other virtual environments
located at the same physical infrastructure.


Infrastructure

R
esilience

The infrastructure can be made resilient by technical means that protect against challenges
that may arise from
accidental

faults or from malicious attackers.


SecFuNet

aims to implement mechanisms for robust provisioning of IP services that ensure
the availability of IP services in the presence of link failures, or node failures
, which may
either result from accidents or from deliberate attacks
. These mechanisms
are aim
ed at
provid
ing

resilience of the network, and of higher layer services that are built on top of
network services. Among these mechanisms,
we foresee replication combined with diversity
to achieve intrusion tolerance. The mechanisms will be enhanced with s
elf
-
healing
mechanisms based on
proactive and reactive approaches.
In addition,
SecFuNet

also
aims to
address specific threats originating from malicious users or groups of users, and methods
that either (proactively) may prevent specific attacks, or (reac
tively) allow to restore
functioning of the network, and of higher
-
level services, after detecting and diagnosing
specific attacks.
The combination of these mechanisms aims at providing what may be seen
as
automatic
security
, enhancing the effectiveness of

basic cryptographic schemes to be
deployed.

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
9

of
105


Cryptographic Schemes for Future Networks


Even though cloud computing and virtual networks provide cheap access to a variety of
services such as private remote storage or secure outsourcing of computation, the user no
longer has control over the platform on which these services are run. For instan
ce, in the
case of private remote storage, users are
at the mercy of their storage providers
with
respect to the continued availability of
their data.

In the case of secure outsourcing of
computation,

users may not have any guarantees that the computation

has been performed
correctly or that it has not leaked important private information about the data. Hence, a

secure infrastructure
should provide strong guarantees of the users’ privacy and the
integrity of their data and computation.

To address this
requirement, in this project we will

develop cryptographic schemes that are
especially adapted to virtual network and cloud environments. In particular, we plan to
develop cryptographic schemes to address issues identified in other
work
-
package
s, such as
s
ecure user identification and the isolation of virtual networks and their protection from
cross
-
virtual
-
network attacks. In addition to these, we also plan to design cryptographic
protocols that can improve the security and verifiability of the outsourced
computation
, the
integrity of remote storage, the resilience against side
-
channel attacks, and overall security
of virtual networks and clouds.


The
spec
ific

objectives

of
SecFuNet

are briefly summarized in the following:


Objective
1
:

Design
SecFuNet

as
an

extensible

context framework
for the security of the
future networks based on a secure microcontroller
.

S
ecurity

is
a central requirement

for
future networks.

The goal is to bring this framework for
virtual networking and
c
loud access
such
that
it

will be the basis of future networking. The
project will choose a secure microcontroller adapted for the future that will be able to
support execution of several secure algorithms concerning authentication, identity,
encryption, intrusion tolerant algorit
hms, and
the
ability
to provide solution
s

for isolation
among

virtual networks.

The objective will be achieved within
WP1
,

which specifies a detailed list of research
challenges and approaches, and related deliverables.


Objective
2
:

Authentication wit
h EAP
-
TLS and
legacy solutions

A
uthentication is mandatory for future network environment
s

and for accessing the
clouds
.
EAP
-
TLS is recognized as a strong solution adapted for fixed or mobile open terminals. The
project will
propose
a solution
based on

secure microcontroller
s

that
will be
simple to use
(no password required)
and capa
ble
of

avoid
ing

attacks (no
phishing
, etc.)

The objec
tive will be achieved within WP1
,

which specifies a detailed list of research
challenges and approaches, and related del
iverables.


FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
10

of
105


Objective 4
:

Develop a highly secure identification scheme based on
Authentication and
Authorization
Infrastructures (AAIs)

A particularly innovative aspect of SecFuNet is related to the identity management. The
proposed scheme is important for the security of
the entire
framework. The identification
system is based on secure microcontroller
s

and local a
uthentication authorities. The use of
Authentication and Authorization Infrastructures (AAIs)
,

such as OpenID and Higgings
,

allows a global scheme of federated identities

to be built from local authorities
. In this way,
authentication credentials
obtained
from

local authentication
servers
can be used in virtual
networks for accessing resources in different local domains during
their

validity.

One of the ambitious goals of
Se
c
FuNet
is
to demonstrate and experiment
with
these
proposals of identity management
in
order to reach a standard solution for identifying users
and nodes in the SecFuNet architecture.
.

The objective will be pursued within
WP3
.


Objective 5
:

Design a secure network infrastructure for
SecFuNet

that provides a reliable
and
secure
environment for the virtual networks and clouds.

A secure infrastructure is the basis for any application running over a virtual network or
cloud. The goal is to develop schemes to create secure, isolate
d
, and
highly

reliable
virtual
environments that
can

also provide QoS according to
application
requirements.
S
ecurity
solutions for
the virtualization technology

will be developed

relying on the proposed
microcontroller
-
based identification and authentication schemes
.


This objective will be developed
within WP4.


Objective
6
:

A
chieve resilience
of
the communications and

authentication/authorisation
infrastructure

against

severe
attack
s or accidents.

Even with the cryptographic mechanisms envisaged and the authentication schemes to be
deployed, it is
clear enough that parts of the infrastructure (e.g.
, microcontrollers
) may
progressively fall into the hands of attackers, which may gain leverage to subvert the former.
Objective 3
:

Develop a highly secure authentication server based on an array of secure
microcontroller
s

Authentication server
s are quite o
ften a
point of weakness inside the chain of security in a
network. We propose in this project
a novel

solution

to this problem:

an authentication
server based on an array of secure microcontrollers. A user
is introduced in the network
by
using a
pair
of associated microcontroller
s
, one for the user and the
other

to be connected
inside the authentication s
erver. The EAP
-
TLS or legacy solution is performed end
-
to
-
end,
from one microcon
troller to the other
,

hence

all

authentication
messages

are

encrypted
along

the
entire end
-
to
-
end
communication process.
Moreover, this solution provides a
strong privacy since

the authentication process can never deliver identity.

The objective will be achieved within
WP2
,

which defines a list of deliverables.

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
11

of
105

The same may happen with escalating failures. In these severe conditions, the project
plans
to develop mechanisms which ensure that secure operation is preserved in an automatic
way, for example through intrusion tolerant and self
-
healing algorithms which reconfigure
the network and service subsystems as intrusions develop, achieving perpet
ual operation in
the presence of severe and continued faults or attacks (e.g., DDoS).

This
objective will be achieved within
WP5
.


Objective
7
:

Provide cryptographic algorithms for future networks.

Current cryptographic schemes are generally designed for use in trusted terminals. We
propose in this project the development of new cryptographic protocols specially adapted to
virtual network and cloud environments that can
guarantee users’ privacy and/o
r WU攠
inW敧riWX anT privacX of WU敩r TaWa anT compuWaWion.

Som攠of WU敳攠Vol uWi onV wi l l r敬X on WU攠
uV攠 of V散ur攠 mi croconWrol l 敲VⰠ 敳p散i al l X for acUi 敶i ng WU攠 goal of V散ur攠i T敮Wi fi caWi on anT
auWU敮Wi caWi on.

TUi V
obj 散Wi v攠wi l l b攠acUi 敶敤 wi WUi n PP6.




The
SecFuNet

proj ect
s peci fi cal l y

covers

Topi c 3
:
Futur
e

Internet
-

security


As a specific targeted project,
SecFuNet

particularly

addresses the following target outcome



Objective
ICT
-
2007.1.6: New Paradigms and Experimental Facilities


Targeted Outcomes of the Objective

SecFuNet

Project S&T Objectives

The development of trusted
com
-
munication

infrastructures providing
consistent user access to services
independent
ly

of cost, location, service
type,
and
access device. Addressing
control and security of personal data,
device independent access,
and user

profile management,
ensur
ing

the
same
quality of experience irrespective of
chosen access device
.

Q
uality
of service
and accessibility are import
ant

element
s

of this challenge.

SecFuNet

proposal is based on the realization
and the experimentation
of
new highly secure
solutions
that are made possible by

a secure
microcontroller.

The
use

of secure
microcontrollers is an ea
sy way to manage
security in the Internet

without restricting user
access and
at the same time
simplifying the
password and identity management. Besides,
the use of a secure infrastructure that
guarantees isolation and quality of service
increases the qual
ity of experience
for
users.
V
irtualization allows the creation of different
networks, simplifying the accessibility to the
network with different devices and
technologies.
The first challenge is definitely
under the scope of the project.

1.1.1
.
Relevance to the
FP7
-
ICT
-
2011

EU
-
Brazil
Objectives

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
12

of
105

The development

of application service
environment(s) providing secure and
consistent access functionality
irrespective of access device

type,

access
network
,

or

service
network
provider.
Issues associated with citizen data
management and handling
,

such as
access, storag
e, protection
,

and
accountability
;

are key elements of this
challenge
.

SecFuNet

provides secure access to
c
loud
s
(indeed, to
any kind of service using secure
networks
)

and strong secure identification of
clients
,

who can be

using any kind of terminal
(the secure microcontroller
can
use
a
USB
connection but also
a
NFC interface).

The
proposed security architecture guarantees
secure authentication as well as
users’ data

privacy, even in the presence of attacks to the
network o
r if some malicious users have an
identity to access the network.

Personalization
, usability
,

and accessibility
regardless of educational and technical
background
are

key to citizen
empowerment. Addressing the issues of
trust and security up front
is

nece
ssary for
the successful acceptance and uptake of
the digital inclusion environments.
Citizens will benefit from these
environments; however, in order to use
them, they will need to trust them
without undue technical burdens and they
must satisfy
citizens


needs and
circumstances.

This challenge is one of the strong
responses

of
the
SecFuNet

project: indeed, the secure
microcontroller and the different schemes
developed by the project
allow
a user to access
the network just plugging the microcontroller
or e
ven with the microcontroller in his pocket.
Current

phishing
and
other well
-
known attacks
will not be
possible with
SecFuNet
. Simplicity
and security are at the basis of the project.

1.
2

Progress beyond the state
-
of
-
the
-
art

The vision for
network security

was the basis for several research activities in the past years
in both industry and academia. These activities spawn across the definition, design
,

and
deployment of
different

features in emerging communication systems and devices,
enhancing the standard

functions of existing systems, thus posing new requirements
regarding their functionality.

Access to corporate network resources (email, VPN, Intranet
, etc.
) using the traditional
login/password method is a major threat to company security policy. Indeed
,

passwords can
be stolen or broken into or can give rise to difficulty in memorization by users or generate
the need for constant renewal. Due to their low cost
,

passwords are used in situations where
there is no need for a high level of security,
but
the
y fall short in an environment where a
high level of security is required.

T
he
SecFuNet

project w
ill

develop
technologies
that

provide

strong authentication based on
the use of a secure microcontroller working with different operating systems
,

with focus

on

Microsoft operating systems associated with EAP
-
TLS technology. The user
possess
es

a
microcontroller
that

securely stor
es

digital certificates
and
run
s

the
SecFuNet

software. The
secure microcontroller
independently handles the entire authentication operation. Mobility
is enhanced whilst identity theft by malicious programs
becomes

impossible.

During the last quarter of the twentieth century, the world of information technologies
elected

the IP protocol as a
de facto
standard for electronic data exchange. In a similar way,
the

Extensible Authentication Protocol
(EAP) appears as a new
common framework

for users’

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
13

of
105

identification and access control in IP networks. It is a flexible framework
st
andardized

by
the Internet Engineering Task Force (IETF)

[3,4
]
, which implies users’ authentication before

any IP address allocation.
EAP

applies to the following areas
:

-

Authentication for PPP (Point to Point Protocol [
4
]) accesses.

-

Authentication
(according to the IEEE 802.1x model [
5
]) in wired or wireless LANs such as

Ethernet or Wi
-
Fi networks.

-

Authentication in
WiMAX

infrastructures (thanks to the PKM
-
EAP protocol

defined in
IEEE 802.16e [
6
]).

-

Authentication in Virtual Private Network (VPN) tec
hnologies, such as PPT
P [7] L2TP [
7
],

and IKEv2 [
8
].

-

Authentication in emerging Voice Over Wi
-
Fi services, such as the UMA [9
] architecture
,

which

supports the IKEv2 [
10
] protocol.

-

Authentication in
A
uthentication, Authorization and Accounting

(
AAA
)

servers, designed
accordin
g to protocols such as RADIUS [
11
] or

DIAMETER [1
2
].


State of the Art and Limitations

SecFuNet

Innovation

EAP
-
TLS

and legacy SIM are executed in
a
non secure
the terminal
.

EAP
-
TLS and legacy SIM
will be
executed
within
a
secure microcontroller.

Secure Authentication
requires

a large
number of secure device
s

and
software
.

SecFuNet

will
bring very simple
Authentication servers with high privacy.

Identi
fication

processes are unsecure and
demand

numerous software and hardwa
re
.

The SecFuNet proposed solution is simple
and highly secure. The system will be
scalable and security of payment on a
website will be provided.

IP network security has been largely based
on prevention and processing of known
attacks.

SecFuNet proposes
new solutions based on
intrusion tolerance that will allow
virtualization to be more secure and
dependable, in an automatic way.

Most cryptographic schemes rely heavily on
the availability of trusted terminals for their
execution and on reliable data
storages.

SecFuNet

will

provide new cryptographic
solutions that

are better adapted for future
networking based on virtual networks and
clouds.


The following

section
s are

dev
o
ted to

a review of the state of the art of some of
SecFuNet

related technologie
s.



Virtual

networks

The development of a proper future Inter
net re
quires
security
demands

to be satisfied
[
1
3,
1
4
]
. Regardless of the environment,
location
,

and cost conditions, users must
be offered

a
1.2.1.
Virtualization

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
14

of
105

friendly and trustable environment that takes the
trad
e
-
off between
convenience

and
security into account. Besides, all the user data, information and behaviour must remain
secure

and private. The
SecFuNet

project defines and develops
an approach

for secur
ely
managing and controlling the network infrastructure,
and
supporting all security demands of
virtualized networks. This
approach

takes into account the identification scheme and the
authentication control,
both devised

in this project, for controlling t
he access to the
management interface of each virtual network as well as for controlling the access to the
virtual networks by each user. Hence, a
ccess to each virtual network is always secure
independent of user location or
type of device used. The
approa
ch
developed
(in WP4)

efficiently manages virtual network data
, guaranteeing secure access to the network,
accountability in the management actions, a high quality of service to each virtual network
,

and also a high quality of experience
to
each user.

The
SecFuNet

project
deals with

the
secure
management and control of virtual networks.
In
this context, virtualization mechanisms will be used to virtualize entire networks.

A single
physical network is
virtualiz
ed to a number of concurrent virtual networks, s
haring the same
physical
resources. Each virtual network consists of virtual routers
and virtual links
and has
its own protocol stack.

X
en

[
1
5
]
is an example of virtualization
platform
enabling such
features
,

and
given its qualities,
will be
adopted

in thi
s project
. The virtu
alization

software
(hypervisor) of XEN runs as
the

OS directly on the hardware.
Figure 1 s
hows how a physical
machine
can be shared by multiple virtual machine
s
, also called Domain,

with

X
en
.

The Xen
hypervisor schedules the physical
resource accesses and handles the I/O operations
performed by the

domains. Dom0 is a privileged domain that directly accesses the hardware.
Since Dom0 is a driver domain, it stores all physical device drivers and creates an interface
between the virtual dr
ivers placed in the unprivileged domains and the physical devices. In
addition, Dom0 is also the management interface between the administrator and the
hypervisor to create virtual machines, modify Xen parameters, and manage Xen operation.


Th
e virtualizat
ion

enables a physical network to support several different network
architectures simultaneously. Each virtual machine works as a virtual router running over the
same physical router, which is computer running Xen.

Virtual routers may be created,
destroyed
, moved, cloned, started, and stopped on the underlying hardware.




Figure
2

-

Example of two virtual networks running over the same physical substrate, assuming the Xen
virtualization platform

is used
.


Different virtual networks
must be
separated from each other and
must be

un
aware of their
virtu
alization
,
of
the underlying physical network,
and of
their concurrency to other virtual
networks.
Isolation
of

the Input/Output operations, which are required i
n packet forwarding,
however, is a known issue in the Xen platform [
1
6

-

1
9
].

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
15

of
105

Different communities can benefit from virtu
alization
: network managers would reduce their
operational costs; researchers should be able to conduct experiments that are flexible
,
realistic and controlled
,

and to
easily
deploy new protocols and architectures; users (maybe
running virtual machines) would choose and connect to different virtual networks, possibly
run by different service providers, over a physical connection to one
infrastructure provider

[
2
0
,
2
1
]
.

SecFuNet

Project creates mechanisms to manage the usage of resources by each virtual
network, guaranteeing
isolation through
a secure physical resource usage control and
management. Hence, relying on a secure identification and authentication,
the project will
develop a management interface for configuring the virtual network resources according to
the available physical
ones

in

each network node and link. This interface
protects

the privacy
of each virtual
network, guaranteeing that
neither
the control
nor

the data of a virtual
network
are

av
ailable to the other networks. A controller is also designed to control the
usage of the

physical resources by each virt
ual network, assuring that one vi
r
tual network
will not be able to

interfere
with

other networks. This can occur
in three situations:
if a
virtual network is under attack
,

increas
ing

the demand on
the virtual network
;

if the network
is malicious and

attempts
to prejudice

other networks
;

or

if the network demand increases
and the

service level agreements of that network
w
ere

not properly defined to deal with
dem
and variations. Hence, the controller isolates virtual netw
orks, securing the physical
infrastructure.

Other mechanisms are also developed to control the usage of the physical resources,
avoiding an overload that could break the isolation among virtual networks. A mechanism to
obtain the virtual network profile is developed to establish Service Level Agreem
ents (SLAs)
in a trustful way. Further, an intelligent manager monitors the profile and the usage of each
network, managing the mapping of the virtual networks over the physical network,
ensuring

a reliable environment for all networks. This manager is abl
e to detect

anomal
ous

situations

and
migrat
e

virtual networks that could disturb other virtual networks.

The scheme for a secure infrastructure
to be
developed in this project isolates virtual
networks and secures the physical infrastructure,
both of

which

essential for virtualization
and cloud computing usage.


State of the Art and Limitations

SecFuNet

Innovation

Xen
-
based networks
have isolation problems
that compromise the security of the virtual
network environments.

SecFuNet

will introduce
mechanisms for
guaranteeing a high isolation and QoS
among

virtual networks.

Instantiation

and management of virtual
networks
require

an entity that
can

directly
access physical nodes and
has the capability

to verify if the physical node is able to host
m
ore virtual networks.

SecFuNet

will
provide an interface
with two
purposes:
configuring physical nodes
according to
requirements of
each virtual
network
,

and for evaluating
whether
a virtual
node can be hosted by a physical node
according to the virtual ne
twork profile.




FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
16

of
105



The Extensible Authentication Protocol (EAP) is a fle
xible framework standardized

by the

Internet Engineering Task Force (IETF). According t
o RFC 3748, EAP implementations
conceptually consist (see Figure
2
) of the four
following components:


Figure
3

-

EAP implementation.


-

The lower layer
:

i
t

is responsible for transmitting and receiving EAP frames between the
peer

and
the
authenticator.

-

The EAP layer
:

i
t

receives and transmits EAP packets via the lower layer; i
t implements
duplicate detection and retransmission, and delivers and receives EAP messages to and
from

EAP methods.

-

EAP peer and authenticator layers
: b
ased

on the Code fiel
d, the EAP layer de
-
mult
iplexes
incoming EAP packets to the EAP peer and authenticator layers.

-

EAP methods
:

these

implement the authentication algorithms, and receive and transmit
EAP messages. EAP methods can be implemented in smart cards.


EAP packets (see
F
igure
3)

are made with a four byte ma
ndatory prefix, and an optional
payload. The prefix includes the three following attributes:


Figure
4

-

EAP packet.




Code (one byte
)
:

includes
the type of the EAP message, a
choice between request,
response, success and failure.

1.2.
2
.
EAP
-
TLS

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
17

of
105



Identifier (one byte
)
:

a label associated to every EAP packet. A response includes an
identifier identical to a previous request.



Length (two bytes)
:

the total size of an EAP message.

An optional fifth

byte indicates the type of an EAP packet
,

e
.g. the class of authentication
method able to deal with remaining data (labeled
Type
-
Data
in). The identity type

(01) is a
special case that is not associated to any authentication method, but which is used to

c
ollect
an EAP
-
ID, whose meaning is either the user’
s identity or the domain of the
authentication
server. Success or failure packets comprise only

four bytes, with an identifier
set to the value
found in the
latest

response.

An EAP session (see
F
igure
4) begins with a
pair
of EAP
-
Re
quest

Identity and EAPIdentity
Response that transport either the user’s identity or the authentication server
address.
Afterwards a set of EAP
-
Request and EAP
-
Respon
se are exchanged between client
and
server entities. At the

end of a successful dialog, the

server produces an EAP
-
Success
packet.
A master session key (MSK) is then computed by client

and server, which is used as a
root
shared secret, for the computation of all remaining keys d
ealing with information privacy
and
integrity.

The main ac
hievement of EAP smart cards [22,
3
2
] is to
confine EAP methods in tamper
-

resistant devices (see
F
igure
5). The device has not direct acce
ss to a communication
resource,
which is provided by
Lower
-
Layer
. Packet recovery and identity

issues are
ma
naged by
the
EAP
-
Peer
or
EAP
-
Auth
entities.


Figure
5

-

Tamper resistant device.


The EAP smart card was born in 2003, and is described by an
I
nternet draft, whose
thirteenth
versi
on was issued in
August
,

2007
. Schematically

it processes EAP messages; EAP
clients process requests or notifications and return responses
; EAP servers analyse
responses
and deliver requests.

Its logical interface is a set of APDUs that call embedded
services, classified in four

categories (see
F
igure
6)
:

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
18

of
105


Figure
6

-

Embedded services.


-

The
Identity S
ervice. A smart card manages several network accounts; the terminal
operating system performs an identity discovery process in order to browse
the smart card

contents.

-

The Network S
ervice. EAP messages are processed by the smart card. At the end of a
succe
ssful authentication method, a session key is computed.

-

The Security S
ervice. This service essentially manages PIN codes (Personal Identification
Number) needed for security purposes. There are two kinds of PIN code
:

one

is used by the

smart card issuer an
d protects data dealing with identities,
while the other

establishes the
link with the card bearer and unlocks the EAP device.

-

The
P
ersonalization
S
ervice. This service updates information stored in the smart card,
such as RSA private keys, certificates,
a
nd
symmetric secrets.


State of the Art and Limitations

SecFuNet

Innovation

Authentication service is quite often limited
by the implementation in the terminal.


The authentication
will be performed
by a
microcontroller and
will
not depend on the
terminal.

The
SIM technology is not
appropriate for

future 4G (LTE
-
A)

ones
: terminal
s

would
be

pure IP.


The
SecFuNet

solution
will be
perfectly
suitable for

future 4G technologies.




Trust in authentication servers is a very critical topic that will be tackled the
SecFuNet

project. The main challenge is to deploy authentication infrastructures, whose credentials
(private keys) are still controlled by their legitimate owners
that

are no
t exposed to hijacking
attacks.

1.2.3.
Authentication server

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
19

of
105

From a technical point of view
,

this target will be achieved
by using

grids of secure
microcontrollers (such as smart cards), each of them embedding server software, and the
global infrastructure being monitored and managed
by a dedicated operating system.

The first grid was designed in [
33
] and work
ed

with a cluster of java cards. A Mandelbrot set
was generated thanks to the combined calculation of smart cards.



Figure
7

-

Scheme of the first experiments (2005) in smart cards grid.


A second contribution (

smartcard enabled RADIUS server

)

dealing with grids of smart cards
[
34
,
35
] was published in 2006. This server is made of two parts:

-

A RADIUS authentication server, r
unning in a docking host. It offers Ethernet connectivity
and IP services. It receives and sends RADIUS packets over UDP sockets. It builds or parses
RADIUS messages, handles the RADIUS secret, checks or generates authentication attributes.
EAP messages, t
ransported by RADIUS payloads are forwarded to smartcards, running EAP
-
Servers.

-

EAP servers. Each smartcard runs an EAP
-
server, and fully handles an EAP
-
TLS
authentication procedure

[38
-
43]
. Each component stores a unique X
.
509 certificate and its
associ
ated RSA private key. It computes EAP responses and produces EAP requests. At the
end of a successful authentication session, a MSK is calculated and delivered to the RADIUS
entity
.


Figure
8

-

F
irst
generation (2006) of "smartcard enabled RADIUS server".


FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
20

of
105

An EAP session is a set of messages associated to an unique Session
-
Id value, which is
obtained by the concatenation of two values,
namely
the NAS
-
Identifier (RADIUS attribute
n°32) and the Calling
-
S
tation
-
Id (the client’s MAC address, corresponding to RADIUS
attribute n°31) as follows:

Session
-
Id = NAS
-
Identifier | Calling
-
Station
-
Id

A session begins with an
EAP
-
Identity response

and ends with an EAP notification (either
Success

or
Failure
). It is as
sociated to a unique smartcard. When no devices are available, the
incoming RADIUS packet (starting a session) is silently discarded.

Due to smartcard slowness, each EAP message is handled by a thread that forwards

the

EAP
response to the appropriate smart
card, waits for its response, builds a RADIUS packet and
finally transmits it towards the NAS.

An EAP server processes only once a particular message. The associated RADIUS packet is
recorded, and sent again when an incoming duplicated RADIUS packet is
detected.

AS is also in charge of session retries. If no activity is detected during a given timeout, a
retransmission occurs. After a few retries the session is released, and its associated
smartcard is ready for new allocations.

Figure
7

shows a plug and

play realization of a
smartcard enabled RADIUS server
. Several
USB smartcard readers, equipped with EAP servers, are plugged to a USB hub. A mass
storage device stores the AS code. The system works in a standalone way, and is used by the
docking host with
out any previous set
-
up.

A third generation of smart card grids was discussed in [
36
]. This new architecture
split
s the
RADIUS server

into two main components: a RADIUS authentication server and distributed
EAP servers.



Figure
8: T
hird generation (2010) of smart card grids
.


The RADIUS authentication server is located on a distant host and is in charge of the
following tasks:

-

It sends and receives RADIUS datagra
ms from and to the NAS, thanks to UDP sockets.

-

It builds or analyses RADIUS messages and more specifically encapsulates EAP messages
from the smartcard into RADIUS datagrams forwarded to the NAS, and reciprocally
extracts RADIUS datagrams from the NAS int
o EAP messages forwarded to the appropriate
server smartcard.

-

It parses and builds
APDUs, which

are communication units used to interact with the
smartcards
,

as explained below.

-

It handles the RADIUS secret and computes or checks the associated authentica
tion
digest and attributes.

-

It opens stream sockets with the smartcards grid and associates an incoming session with
a single smartcard and its related connection.

Figure
9

-

Third generation (2010) of smart card grids
.

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
21

of
105

If
t
1

is the computing time for a process an authentication with a single computer, and
t
p

for
a grid of p smart cards, the acceleration factor (S
p
) is defined as

S
p

= t
1
/t
p
, with 1 ≤ S
p

≤ p

The acceleration factor ideal grid of p smart cards should be around p.

However
,

in [44] it
was observed that the acceleration factor was limited to 5, due
to hardware, software and
networking issues.

The SecFuNet project will define a new and innovative architecture, based on software,
hardware, and enhanced networking protocols, which
will be able to
deliver
high
-
speed
trusted authentication services.





State of the Art and Limitations

SecFuNet Innovation

Authentication server need
s

to be installed in
a
secure environment.

SecFuNet
will
provide a new generation of
Authentication servers that can be deployed
easily.

Privacy is difficult to
achieve
with
current
authentication servers.

The SecFuNet solution
will
provide a strong
kind of
privacy: closed privacy.

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
22

of
105



In large distributed systems applications
,

such as

clouds, grid computing and collaborative
networks, identity management must be based on an integrated system of policies and
technologies that allows organizations, overpassing local domains, to securely provide
resources to remote users that own the
prop
er
credentials. Identity management to meet
the

requirements of these complex systems are composed by an authentication system
(usually a network of authentication authorities)
,

a
n attribute

management system (service
that provides additional information a
bout clients/users).

I
dentity management systems
[46]

are classified
as

conventional
, centralized, federated
,

or
user
-
centric.









Figure
10

-

Identification System approaches.



In
the
conventional
model, user ID
s

are

individually
handled by each service provider, which
also serves as an identity provider (see Figure
9a
).
A
user creates his
or
her

digital identity for
each service provider (SP)
with
which he
/she

interacts.
U
ser IDs
are not
shar
ed among

different service providers

an
d
this approach
tends to be costly for both users and service
providers. The centralized model is based on
two concepts:
the concentration of users


identities and attributes in an
identity provider (IdP)
,

and
on
single authentication (Single
Sign
-
on

-
SSO
)

[44
]
. All service providers that have trust relations
hips

with the IdP

(
an
authentication authority)

must rely completely on the information provided by the IdP of
this domain (see Figure
9c
). The concept of single authentication (SSO)
represents a great
advantage to
users,
since
they only need to perform the authentication process once
,

and
thereafter
can use the
obtained
credentials on all service providers
he/she wishes to access,
until these credentials expire. The main objection
against
the centralize
d model
is
the use of
a single identity provider, which
creates
a single point of failure

and

has full power over
users’ data.

T
he
federated
identity model was developed
to circumvent the difficulties
1.2.4.
Identification Scheme

(a)

Conventional
Traditional
Conventional
T
raditional

(b)

Federated Identity

(c)


Centralized


(d)

User
-
Centric Identity

(a)


FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
23

of
105

presented by the centralized model. It is
based on the
distribution of users
´

authentication in
multiple identity providers
, which

are arranged in different admin
istrative domains (see
Figure 9
b). The management of federated identities is an
approach that relies on

trust
relations
hips

being established

between

multiple
Identity Provider (
IdPs
)

[45
]
. The
trust
relations
hips

between identity providers ensure that authentication credentials issued
within a domain are recognized by SPs from other domains
,

and
that

the concept of unique
(SSO) authentication is guara
nteed even in applications that span different domains.
Authentication and Authorization Infrastructures (AAI) are necessary to create federations
and federated identities. Shibboleth, OpenID

[4
6
]
, OpenSSO, Liberty Alliance, Microsoft
CardSpace and Higging
s Project are examples of AAIs.
One drawback of the

federated
identity approach is
that it requires the
delivery of users’ attributes and credentials across
multiple service providers.

The user
-
centric model aims to give the user complete control over
his
/her

digital identities
and personal information. In this approach, the user identities for different service providers
are stored on a physical device that is held by the user, such as a smartcard or even a mobile
phone (see
Figure
9
d).
Hence, t
he user au
thentication is based
on
this physical device
,

which
is able to release appropriate information for each service provider that the user can access.
This approach
fully
respects the user's privacy preferences. OpenID, Microsoft CardSpace
and Higgins Project

all
follow this model.

In
the

federated identity scheme, we must work with two kinds of pseudonyms: transient
and persistent. The transient
kind
is created by an I
dP and is associated with
a
user identity
for the duration of
the
security context of this user. In this case, an SP can still decide
about

the client access based on attributes that are issued by the corresponding IdP,
but it can
maintain this information no longer than one user session
. In addition, different SPs canno
t
correlate users’ accesses, ensuring a certain level of anonymity.

OpenID
[
47
]

is an
approach
that

provides to the user the possibility of a single credential (an
OpenID) to access different websites.
The OpenID solution is a decentralized infrastructure
where no central authority approves or registers principals (users), websites, or OpenID
providers. A user can freely choose which OpenID provider to use, and can preserve his
/her

identifier even if he
/she

wants to change
his/her
OpenID provider. The alloc
ation of an
OpenID identifier
has no cost

and it does not
require

any type of registration or approval in
any organization
[
48
]
.
OpenID supports both URLs and XRIs (Extensible Resource Identifier)
as user identifiers,
and
adds more security with private an
d public identifiers.
The most
recent
version,
besides
adopt
ing

user
-
centric identity management, implements the concept
of federated identities
[
49
]
. According to [
50
], OpenID and its approach can pose a challenge
to user
s’

privacy: this architecture addr
esses a broad sharing of user information. OpenID
also allows and even encourages different relying parties to correlate information about
user's activities. However, OpenID 2.0 supports
user
login
through

pseudonyms.

T
he Higgins project
is

an identity ma
nagement system based on the user
-
centric approach
,
which

allow
s

t
he user
to
control

the
privacy
of
his identity and profile information. Users
should be able to decide what information they wish to share and with which SPs. Higgins is
a framework that ope
rates with all digital identity protocols, including WS
-
Trust, OpenID,
SAML, XDI,
and
LDAP. The Higgins framework defines a set of programming interfaces that
developers can use for linking their software to the identity management of this
infrastructure
[
51
]
. The Higgins project is concerned with the following areas
[
52
]
:

FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
24

of
105

-

Provid
ing

a consistent support to the user, based on i
-
Cards, for the management and
disclosure of identity and attribute information
.

-

Allow
ing

users
to
complete
ly

control the disclosure of personal informatio
n in interactions
with websites.

-

Provid
ing

an API and a data model for implementing federated identities, from a wide
variety of sources. Through this API, the Higgins project encourages developers to create
pl
ugins
to
operat
e

using

protocols and secur
ity tokens from legacy systems.

-

Provid
ing

plugins for the integration of this framework
with

existing data sources, including
directory services, communication systems, coll
aborating systems and databases.

Like in
CardSpace, the benefits of cards
-
centric logins are also available in the Higgins
Project. In this infrastructure, it is also possible to manage
(according to
the user
-
centric
approach
)

any kind of user information
such as
favourite

songs, driver

s license
, health plan,
or any other information that can be stored on a card.

To developers, the Higgins framework
introduces
identity providers (IdPs)
,

which use the services of STSs (Security Token Service)
based on
the

WS
-
Trust standard and the
Security Asserti
on Markup Language (SAML)
v2.0.

Privacy is a problem that must be addressed in identity management
[
53
-
55]
. In an ideal
scenario, users must exercise the right to determine how their information
is
handled,
stating
which
information they want to share wit
h third parties, how this
sharing
should be
accomplished, and also indicating the time
frame

within

which such information might be
available in the system. In SecFuNet, we
plan

to offer user
-
centric controls combined with
federated identities. OpenID and Higgins infrastructures enable the use of i
-
cards with user
-
centric policies
as well as

a federated identity system.

C
onsiderations about federated identity management

The main

academic federations in the world make use of Shibboleth
. In

many of these
federations

(
whose users are comprised of students and teachers
)
, business companies are
demanding
their inclusion to

offer personalized services.

Both
OpenID and Higgins implemen
t management of federated identities

and

follow the
user
-
centric approach
for

user authentication. One advantage of OpenID is that it requires
no special software on the client side. The Higgins Project adopts an active client proxy
(called selector of ide
ntities). The literature shows that these infrastructures are considered
more flexible and consistent
in terms of

security
, because they provide user
-
centric controls
and include support for i
-
cards

[
49
,
55
].

Privacy in federated identity management

The co
ncept of federated identities provides to the users a convenient way to create
identities and for having access to SPs
at

the corresponding federation.
Nevertheless
, the
management of federated identities becomes a crucial task
,

and
one needs

to take into
account the various threats to security and privacy of users’ data. Any identity management
infrastructure must adequately protect user information and must adhere properly to the
privacy policy of the system to users’ information.

Some properties and char
acteristics are
required to maintain user
s’

privacy in a
federation
. Security measures must ensure that user
attributes will not be disclosed unintentionally. Additional mechanisms are needed to
provide resistance to different types of misuse or possession

of stolen identities and
attributes. An important technique for privacy preservation is the use of pseudonyms, which
are user identifiers that do not allow inferences regarding the actual identity, properties or
attributes of users to whom they are associ
ated. Pseudonyms can have local meaning,
depending on the context between the user and SP, or global, independent of context and
FP7
-
ICT
-
20011
-
EU
-
Brazil


STREP proposal



SecFuNet

Proposal Part B: page
25

of
105

being valid for the whole federation. The validity can als
o be transient or persistent [5
4
].

The
pseudonyms used in SAML assert