Graphic summary
  • Show / hide key
  • Information


Scientific and technological production
  •  

1 to 50 of 109 results
  • PPREM: Privacy Preserving REvocation Mechanism for Vehicular Ad Hoc Networks

     Hernández Gañan, Carlos; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    Computer Standards & Interfaces
    Vol. 36, num. 3, p. 513-523
    DOI: 10.1016/j.csi.2013.08.002
    Date of publication: 2014-03-01
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    One of the critical security issues of Vehicular Ad Hoc Networks (VANETs) is the revocation of misbehaving vehicles. While essential, revocation checking can leak potentially sensitive information. Road Side Units (RSUs) receiving the certificate status queries could infer the identity of the vehicles posing the query. An important loss of privacy results from the RSUs ability to tie the checking vehicle with the query's target. We propose a Privacy Preserving Revocation mechanism (PPREM) based on a universal one-way accumulator. PPREM provides explicit, concise, authenticated and unforgeable information about the revocation status of each certificate while preserving the users' privacy.

  • Certificate revocation list distribution system for the KAD network

     Caubet Fernandez, Juan; Hernández Gañan, Carlos; Esparza Martin, Oscar; Muñoz Tapia, Jose Luis; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    The Computer journal (paper)
    Vol. 57, num. 2, p. 273-280
    DOI: 10.1093/comjnl/bxt037
    Date of publication: 2014-02-01
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Many peer-to-peer (p2p) overlays require certain security services which could be provided through a Public Key Infrastructure. However, these infrastructures are bound up with a revocation system, such as Certificate Revocation Lists (CRLs). A system with a client/server structure, where a Certificate Authority plays a role of a central server, is prone to suffer from common problems of a single point of failure. If only one Authority has to distribute the whole CRL to all users, perhaps several millions in a structured p2p overlay, a bottleneck problem appears. Moreover, in these networks, users often have a set of pseudonyms that are bound to a certificate, which gives rise to two additional issues: issuing the CRL and assuring its freshness. On the one hand, the list size grows exponentially with the number of network users. On the other hand, these lists must be updated more frequently; otherwise the revocation data will not be fresh enough. To solve these problems, we propose a new distributed revocation system for the Kademlia network. Our system distributes CRLs using the overlay itself and, to not compromise the storage of nodes, lists are divided into segments. This mechanism improves the accessibility, increases the availability and guarantees the freshness of the revocation data.

  • A simple closed-form approximation for the packet loss rate of a TCP connection over wireless links

     Mata Diaz, Jorge; Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    IEEE communications letters
    Vol. 18, num. 9, p. 1595-1598
    DOI: 10.1109/LCOMM.2014.2336844
    Date of publication: 2014-09-15
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    This letter presents a new and simple model for a TCP flow experiencing random packet losses due to both trans- mission errors and congestion events. From this model, we will derive a straightforward expression of a unified loss probability (ULP). This ULP gives the opportunity to reuse classical analytic models to analyze the performance of TCP and to size the buffer to optimize the wireless link utilization. Extensive simulations using TCP Reno in ns-2 demonstrate that our model is valid not only for the extreme cases where either transmission errors or congestion losses dominate but also in the situations where both types of losses are significant.

    This letter presents a new and simple model for a TCP flow experiencing random packet losses due to both transmission errors and congestion events. From this model, we will derive a straightforward expression of a unified loss probability (ULP). This ULP gives the opportunity to reuse classical analytic models to analyze the performance of TCP and to size the buffer to optimize the wireless link utilization. Extensive simulations using TCP Reno in ns-2 demonstrate that our model is valid not only for the extreme cases where either transmission errors or congestion losses dominate but also in the situations where both types of losses are significant.

  • MHT-based mechanism for certificate revocation in VANETs

     Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Hernández Gañan, Carlos; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Ganchev, Ivan
    DOI: 10.1007/978-3-319-10834-6
    Date of publication: 2014-07
    Book chapter

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Vehicular Ad Hoc Networks (VANETs) require mechanisms to authenticate messages, identify valid vehicles, and remove misbehaving vehicles. A Public Key Infrastructure (PKI) can be utilized to provide these functionalities using digital certificates. However, if a vehicle is no longer trusted, its certificates have to be immediately revoked and this status information has to be made available to other vehicles as soon as possible. The goal of this chapter is to introduce and describe in detail a certificate revocation mechanism based on the Merkle Hash Tree (MHT), which allows to efficiently distribute certificate revocation information in VANETs. For this, an extended-CRL is created by embedding a hash tree in each standard certificate revocation list (CRL). A node possessing an extended-CRL can respond to certificate status requests without having to send the complete CRL. Instead, the node can send a short response (less than 1 KB) that fits in a single UDP message. This means that any node possessing an extended-CRL, including Road Side Units (RSUs) or intermediate vehicles, can produce short certificate-status responses that can be easily authenticated. The main procedures involved in the proposed mechanism are described in detail. General security issues related to the mechanism are treated as well.

  • UBIQUITOUS SECURE ELECTRONIC VOTING (u-SEV): Sistema de voto electrónico seguro para entornos sin infraestructuras de telecomunica.

     León Abarca, Olga; Muñoz Tapia, Jose Luis; Soriano Ibáñez, Miguel
    Competitive project

     Share

  • COACH: COllaborative certificate stAtus CHecking mechanism for VANETs

     Hernández Gañan, Carlos; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Mata Diaz, Jorge; Hernández Serrano, Juan Bautista; Alins Delgado, Juan Jose
    Journal of network and computer applications
    Vol. 36, num. 5, p. 1337-1351
    DOI: 10.1016/j.jnca.2012.02.006
    Date of publication: 2013-09
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Vehicular Ad Hoc Networks (VANETs) require mechanisms to authenticate messages, identify valid vehicles, and remove misbehaving vehicles. A public key infrastructure (PKI) can be used to provide these functionalities using digital certificates. However, if a vehicle is no longer trusted, its certificates have to be revoked and this status information has to be made available to other vehicles as soon as possible. In this paper, we propose a collaborative certificate status checking mechanism called COACH to efficiently distribute certificate revocation information in VANETs. In COACH, we embed a hash tree in each standard Certificate Revocation List (CRL). This dual structure is called extended-CRL. A node possessing an extended-CRL can respond to certificate status requests without having to send the complete CRL. Instead, the node can send a short response (less than 1 kB) that fits in a single UDP message. Obviously, the substructures included in the short responses are authenticated. This means that any node possessing an extended-CRL can produce short responses that can be authenticated (including Road Side Units or intermediate vehicles). We also propose an extension to the COACH mechanism called EvCOACH that is more efficient than COACH in scenarios with relatively low revocation rates per CRL validity period. To build EvCOACH, we embed an additional hash chain in the extended-CRL. Finally, by conducting a detailed performance evaluation, COACH and EvCOACH are proved to be reliable, efficient, and scalable.

  • Performance evaluation of selected transmission control protocol variants over a digital video broadcasting-second generation broadband satellite multimedia system with QoS

     Rendon Morales, Elizabeth; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    International journal of communication systems
    Vol. 26, num. 12, p. 1579-1598
    DOI: 10.1002/dac.2333
    Date of publication: 2013-11-07
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    This paper presents an analysis of several Transmission Control Protocol (TCP) variants working over a digital video broadcasting-second generation (DVB-S2) satellite link with the support of the Differentiated Services (DiffServ) architecture to provide quality of service (QoS). This analysis is carried out using the NS-2 simulator tool. Three TCP variants are considered: SACK TCP, Hybla TCP, and CUBIC TCP. These TCP variants are taken as a starting point because they have proven to be the most suitable variants to deal with long delays present in satellite links. The DVB-S2 link also introduces the challenge of dealing with variable bandwidth, whereas the DiffServ architecture introduces the challenge of dealing with different priorities. In this paper, we propose a DiffServ model that includes a modified queuing mechanism to enhance the goodput of the assured forwarding traffic class. This modified DiffServ model is simulated and tested, considering the interaction of the selected TCP variants. In addition, we present evaluation metrics, significant simulations results, and conclusions about the performance of these TCP variants evaluated over the proposed scenario. As a general conclusion, we show that CUBIC TCP is the TCP variant that shows the best performance in terms of goodput, latency, and friendliness. Copyright © 2012 John Wiley & Sons, Ltd.

  • BECSI: Bandwidth efficient certificate status information distribution mechanism for VANETs

     Hernandez Gañan, Carlos; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Loo, Jonathan; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    Mobile information systems
    Vol. 9, num. 4, p. 347-370
    DOI: 10.3233/MIS-130167
    Date of publication: 2013-12-04
    Journal article

    Read the abstract Read the abstract  Share Reference managers Reference managers Open in new window

    Certificate revocation is a challenging task, especially in mobile network environments such as vehicular ad Hoc networks (VANETs). According to the IEEE 1609.2 security standard for VANETs, public key infrastructure (PKI) will provide this functionality by means of certificate revocation lists (CRLs). When a certificate authority (CA) needs to revoke a certificate, it globally distributes CRLs. Transmitting these lists pose a problem as they require high update frequencies and a lot of bandwidth. In this article, we propose BECSI, a Bandwidth Efficient Certificate Status Information mechanism to efficiently distribute certificate status information (CSI) in VANETs. By means of Merkle hash trees (MHT), BECSI allows to retrieve authenticated CSI not only from the infrastructure but also from vehicles acting as mobile repositories. Since these MHTs are significantly smaller than the CRLs, BECSI reduces the load on the CSI repositories and improves the response time for the vehicles. Additionally, BECSI improves the freshness of the CSI by combining the use of delta-CRLs with MHTs. Thus, vehicles that have cached the most current CRL can download delta-CRLs to have a complete list of revoked certificates. Once a vehicle has the whole list of revoked certificates, it can act as mobile repository.

  • VSPLIT: a cross-layer architecture for V2I TCP services over 802.11

     Reñé Vicente, Sergi; Esparza Martin, Oscar; Alins Delgado, Juan Jose; Mata Diaz, Jorge; Muñoz Tapia, Jose Luis
    Mobile networks and applications
    Vol. 18, num. 6, p. 831-843
    DOI: 10.1007/s11036-013-0473-8
    Date of publication: 2013-12
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    This article proposes VSPLIT, a new architecture based on TCP cross-layering and splitting techniques for optimizing the transport layer performance in vehicular networks for Internet-based Vehicle-to-Infrastructure (V2I) communications. Our architecture mainly pretends to enhance the performance of TCP handovers in 802.11 networks. VSPLIT includes a cross-layer TCP protocol, called VSPLIT-TCP, that adapts the congestion control during the handover, learning the new characteristics of the network after the handover using the mechanisms provided by the IEEE 802.21 Media Independent Handover (MIH) services. VSPLIT has been implemented and tested in the NS-3 simulator. We include the some of the most interesting performance evaluation results, which show a good performance of our proposal for the intended scenario.

    This article proposes VSPLIT, a new architecture based on TCP cross-layering and splitting techniques for optimizing the transport layer performance in vehicular networks for Internet-based Vehicle-to-Infrastructure (V2I) communications. Our architecture mainly pretends to enhance the performance of TCP handovers in 802.11 networks. VSPLIT includes a cross-layer TCP protocol, called VSPLIT-TCP, that adapts the congestion control during the handover, learning the new characteristics of the network after the handover using the mechanisms provided by the IEEE 802.21 Media Independent Handover (MIH) services. VSPLIT has been implemented and tested in the NS-3 simulator. We include the some of the most interesting performance evaluation results, which show a good performance of our proposal for the intended scenario.

  • Deploying internet protocol security in satellite networks using transmission control protocol performance enhancing proxies

     Caubet Fernandez, Juan; Muñoz Tapia, Jose Luis; Alins Delgado, Juan Jose; Mata Diaz, Jorge; Esparza Martin, Oscar
    International journal of satellite communications and networking
    Vol. 31, num. 2, p. 51-76
    DOI: 10.1002/sat.1017
    Date of publication: 2013-03-01
    Journal article

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • UBIQUITOUS SECURE ELECTRONIC VOTING (u-SEV): Sistema de voto electrónico seguro para entornos sin infraestructuras de telecomunica.

     León Abarca, Olga; Muñoz Tapia, Jose Luis; Soriano Ibáñez, Miguel
    Competitive project

     Share

  • Certificate Status Information Distribution and Validation in Vehicular Networks

     Hernandez Gañan, Carlos
    Universitat Politècnica de Catalunya
    Theses

    Read the abstract Read the abstract  Share Reference managers Reference managers Open in new window

    GañánLas redes vehiculares ad hoc (VANETs) se están convirtiendo en una tecnología funcional para proporcionar una amplia gama de aplicaciones para vehículos y pasajeros. Garantizar un funcionamiento seguro es uno de los requisitos para el despliegue de las VANETs. Sin seguridad, los usuarios podrían ser potencialmente vulnerables a la mala conducta de los servicios prestados por la VANET. La solución básica prevista para lograr estos requisitos es el uso de certificados digitales gestionados a través de una autoridad de certificación (CA). De acuerdo con la norma IEEE 1609.2, las redes vehiculares dependerán de la infraestructura de clave pública (PKI). Sin embargo, el proceso de distribución del estado de los certificados, así como el propio proceso de revocación, es un problema abierto para VANETs.En esta tesis, en primer lugar se analiza el proceso de revocación y se desarrolla un modelo preciso y riguroso que modela este proceso conluyendo que el proceso de revocación de certificados es estadísticamente auto-similar. Como ninguno de los modelos formales actuales para la revocación es capaz de capturar la naturaleza auto-similar de los datos de revocación, desarrollamos un modelo ARFIMA que recrea este patrón. Mostramos que ignorar la auto-similitud del proceso de revocación lleva a estrategias de emisión de datos de revocación ineficientes. El modelo propuesto permite generar trazas de revocación sintéticas con las cuales los esquemas de revocación actuales pueden ser mejorados mediante la definición de políticas de emisión de datos de revocación más precisas. En segundo lugar, se analiza la forma de implementar un mecanismo de emisión de datos de estado de los certificados para redes móviles y se propone un nuevo criterio basado en una medida del riesgo para evaluar los datos de revocación almacenados en la caché. Con esta medida, la PKI es capaz de codificar la información sobre el proceso de revocación en las listas de revocación. Así, los usuarios pueden estimar en función del riesgo si un certificado se ha revocado mientras no hay conexión a un servidor de control de estado. Por otra parte, también se propone una metodología sistemática para construir un sistema difuso que ayuda a los usuarios en el proceso de toma de decisiones relacionado con la comprobación de estado de certificados.En tercer lugar, se proponen dos nuevos mecanismos para la distribución y validación de datos de estado de certificados en VANETs. El primer mecanismo está basado en el uso en una extensión de las listas estandares de revocación. La principal ventaja de esta extensión es que las unidades al borde de la carretera y los vehículos repositorio pueden construir una estructura eficiente sobre la base de un árbol de hash autenticado para responder a las peticiones de estado de certificados. El segundo mecanismo tiene como objetivo optimizar el equilibrio entre el ancho de banda necesario para descargar los datos de revocación y la frescura de los mismos. Este mecanismo se basa en el uso de un esquema híbrido de árboles de Merkle y delta-CRLs, de modo que el riesgo de operar con certificados revocados desconocidos permanece por debajo de un umbral durante el intervalo de validez de la CRL base, y la CA tiene la capacidad de gestionar este riesgo mediante el ajuste del tamaño de las delta-CRL. Para cada uno de estos mecanismos, llevamos a cabo el análisis de la

  • A Cross-layer architecture for DVB-S2 Broadband Satellite systems with QoS support

     Rendon Morales, Elizabeth; Mata Diaz, Jorge; Muñoz Tapia, Jose Luis
    European Conference European Wireless
    Presentation's date: 2013-04-16
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    In this paper we propose an architecture to provide Quality of Service (QoS) guarantees for DVB-S2 broadband satellite systems. The proposed architecture provides low complexity on its implementation and can seamlessly inter-operate with terrestrial IP networks. The solution is designed in compliance with the ETSI-BSM-QoS framework and provides a detailed design at the Satellite Independent- Satellite Dependent (SI-SD) layers in order to provide QoS guarantees by means of traffic priorities. Particularly, at the SI layers several mechanism are defined to deal with QoS differentiation based on the DiffServ framework. Conversely, at the SD layers the application of different DVB-S2 channel adaptations are assumed. The proposed architecture is evaluated using the NS-2 simulator. The key results show that the implementation of this architecture, enables to keep control of the satellite system load while guaranteeing the QoS levels for the high priority traffic classes even though bandwidth variations due to rain events are experienced.

    In this paper we propose an architecture to provide Quality of Service (QoS) guarantees for DVB-S2 broadband satellite systems. The proposed architecture provides low complexity on its implementation and can seamlessly inter-operate with terrestrial IP networks. The solution is designed in compliance with the ETSI-BSM-QoS framework and provides a detailed design at the Satellite Independent- Satellite Dependent (SI-SD) layers in order to provide QoS guarantees by means of traffic priorities. Particularly, at the SI layers several mechanism are defined to deal with QoS differentiation based on the DiffServ framework. Conversely, at the SD layers the application of different DVB-S2 channel adaptations are assumed. The proposed architecture is evaluated using the NS-2 simulator. The key results show that the implementation of this architecture, enables to keep control of the satellite system load while guaranteeing the QoS levels for the high priority traffic classes even though bandwidth variations due to rain events are experienced.

  • Nuevo sistema de emisión de CRLs para la red KAD

     Caubet, Juan; Hernández Gañan, Carlos; Esparza Martin, Oscar; Muñoz Tapia, Jose Luis
    Jornadas de Ingeniería Telemática
    p. 123-130
    Presentation's date: 2013-10
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Muchas overlays P2P requieren ciertos servicios de seguridad para poder ser utilizadas como aplicaciones comerciales, y una simple Infraestructura de Clave P´ublica (PKI) podr´ia solucionar el problema. Sin embargo, estas infraestructuras tienen que estar vinculadas a un sistema de revocaci´on, como por ejemplo las Listas de Certificados Revocados (CRLs). Un sistema con una estructura cliente/servidor, donde una Autoridad de Certificaci´on (CA) juega el papel de servidor central. Por lo tanto, propenso a sufrir problemas en grandes redes por el hecho de tener un ´unico punto de fallo. Y si adem´as tenemos en cuenta que los usuarios de muchas redes P2P pueden cambiar de identidad, o incluso disponer de m´as de una, los problemas crecen. El tama¿no de las CRLs crecer´a exponencialmente con el n´umero de usuarios y deberemos actualizarlas con mucha frecuencia para garantizar la frescura de la informaci´on que contienen. Nosotros proponemos un nuevo sistema de revocaci´on distribuido para la red KAD. La distribuci´on de las CRLs se lleva a cabo utilizando la propia overlay, y para no comprometer la capacidad de almacenamiento de los nodos, las CRLs son divididas en segmentos. Este mecanismo mejora la accesibilidad de la informaci´on de revocaci´on, incrementa la disponibilidad de los segmentos, y garantiza la frescura de la informaci´on mediante la emisi´on de los segmentos de forma independiente.

    Muchas overlays P2P requieren ciertos servicios de seguridad para poder ser utilizadas como aplicaciones comerciales, y una simple Infraestructura de Clave P´ublica (PKI) podr´ia solucionar el problema. Sin embargo, estas infraestructuras tienen que estar vinculadas a un sistema de revocaci´on, como por ejemplo las Listas de Certificados Revocados (CRLs). Un sistema con una estructura cliente/servidor, donde una Autoridad de Certificaci´on (CA) juega el papel de servidor central. Por lo tanto, propenso a sufrir problemas en grandes redes por el hecho de tener un ´unico punto de fallo. Y si adem´as tenemos en cuenta que los usuarios de muchas redes P2P pueden cambiar de identidad, o incluso disponer de m´as de una, los problemas crecen. El tama˜no de las CRLs crecer´a exponencialmente con el n´umero de usuarios y deberemos actualizarlas con mucha frecuencia para garantizar la frescura de la informaci´on que contienen. Nosotros proponemos un nuevo sistema de revocaci´on distribuido para la red KAD. La distribuci´on de las CRLs se lleva a cabo utilizando la propia overlay, y para no comprometer la capacidad de almacenamiento de los nodos, las CRLs son divididas en segmentos. Este mecanismo mejora la accesibilidad de la informaci´on de revocaci´on, incrementa la disponibilidad de los segmentos, y garantiza la frescura de la informaci´on mediante la emisi´on de los segmentos de forma independiente.

  • Secure handoffs for V2I communications in 802.11 networks

     Hernández Gañan, Carlos; Reñe Vicente, Sergi; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks
    p. 49-56
    DOI: 10.1145/2507248.2507274
    Presentation's date: 2013-11-04
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Vehicular ad hoc networks (VANETs) are emerging as a novel paradigm for safety services, supporting real-time applications (e.g., video-streaming, Internet browsing, online gaming, etc.). However, maintaining ubiquitous connectivity remains a challenge due to both high vehicle speed, and non-homogeneous nature of the network access infrastructure. Getting access to the network infrastructure must be controlled and only authorized users should be able to use it. However, the authentication process incurs in a not-negligible delay which can result in packet losses and other issues during handoffs. Hence, a fast and secure handoff scheme is essential. Although some solutions have been given in IEEE 802.11i and 802.11r standards, the handoff latency is still above 50 ms. Other protocols such as CAPWAP and HOKEY include support for fast handoff but have not been evaluated in a vehicular network. In this article, we analyze the security properties and performance of current proposals. Finally, simulations are conducted to date the effectiveness of the handoffs schemes.

  • XPLIT: A cross-layer architecture for TCP services over DVB-S2/ETSI QoS BSM

     Alins Delgado, Juan Jose; Mata Diaz, Jorge; Muñoz Tapia, Jose Luis; Rendon Morales, Elizabeth; Esparza Martin, Oscar
    Computer networks
    Vol. 56, num. 1, p. 412-434
    DOI: 10.1016/j.comnet.2011.09.005
    Date of publication: 2012-01-12
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    This article proposes XPLIT, a new architecture based on TCP cross-layering and splitting for optimizing the transport layer performance in a DVB-S2 satellite link that employs the ETSI QoS Broadband Satellite Multimedia Services (BSM) standard. The main novelty of our proposal is a complete architecture that perfectly fits this new DVB-S2/ETSI QoS BSM scenario. Our architecture includes the design of satellite-optimized cross-layer TCP protocol, called XPLIT-TCP that uses two control loops to properly manage the system load. The proposal has been implemented to be tested in the NS-2 simulator and we include the most interesting performance evaluation results, which show the excellent performance of our architecture for the intended scenario

  • Optimal tag suppression for privacy protection in the semantic Web

     Parra Arnau, Javier; Rebollo Monedero, David; Forné, Jordi; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    Data and knowledge engineering
    Vol. 81-82, p. 46-66
    DOI: 10.1016/j.datak.2012.07.004
    Date of publication: 2012
    Journal article

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • Risk-based decision-making for public key infrastructures using fuzzy logic

     Hernández Gañan, Carlos; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    International journal of innovative computing information and control
    Vol. 8, num. 11, p. 7925-7942
    Date of publication: 2012-11-01
    Journal article

     Share Reference managers Reference managers Open in new window

  • QoSatAr: a cross-layer architecture for E2E QoS provisioning over DVB-S2 broadband satellite systems

     Rendon Morales, Elizabeth; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    Eurasip journal on wireless communication and networking
    Vol. 2012, num. 302, p. 1-25
    DOI: 10.1186/1687-1499-2012-302
    Date of publication: 2012-10-01
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    his article presents QoSatAr, a cross-layer architecture developed to provide end-to-end quality of service (QoS) guarantees for Internet protocol (IP) traffic over the Digital Video Broadcasting-Second generation (DVB-S2) satellite systems. The architecture design is based on a cross-layer optimization between the physical layer and the network layer to provide QoS provisioning based on the bandwidth availability present in the DVB-S2 satellite channel. Our design is developed at the satellite-independent layers, being in compliance with the ETSI-BSM-QoS standards. The architecture is set up inside the gateway, it includes a Re-Queuing Mechanism (RQM) to enhance the goodput of the EF and AF traffic classes and an adaptive IP scheduler to guarantee the high-priority traffic classes taking into account the channel conditions affected by rain events. One of the most important aspect of the architecture design is that QoSatAr is able to guarantee the QoS requirements for specific traffic flows considering a single parameter: the bandwidth availability which is set at the physical layer (considering adaptive code and modulation adaptation) and sent to the network layer by means of a cross-layer optimization. The architecture has been evaluated using the NS-2 simulator. In this article, we present evaluation metrics, extensive simulations results and conclusions about the performance of the proposed QoSatAr when it is evaluated over a DVB-S2 satellite scenario. The key results show that the implementation of this architecture enables to keep control of the satellite system load while guaranteeing the QoS levels for the high-priority traffic classes even when bandwidth variations due to rain events are experienced. Moreover, using the RQM mechanism the user's quality of experience is improved while keeping lower delay and jitter values for the high-priority traffic classes. In particular, the AF goodput is enhanced around 33% over the drop tail scheme (on average).

  • A modeling of certificate revocation and its application to synthesis of revocation traces

     Hernández Gañan, Carlos; Mata Diaz, Jorge; Muñoz Tapia, Jose Luis; Hernández Serrano, Juan Bautista; Esparza Martin, Oscar; Alins Delgado, Juan Jose
    IEEE transactions on information forensics and security
    Vol. 7, num. 6, p. 1673-1686
    DOI: 10.1109/TIFS.2012.2209875
    Date of publication: 2012-12
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    One of the hardest tasks of a public key infrastructure (PKI) is to manage revocation. New communication paradigms push the revocation system to the limit and an accurate resource assessment is necessary before implementing a particular revocation distribution system. In this context, a precise modeling of certificate revocation is necessary. In this article, we analyze empirical data from real CAs to develop an accurate and rigorous model for certificate revocation. One of the key findings of our analysis is that the certificate revocation process is statistically self-similar. The proposed model is based on an autoregressive fractionally integrated moving average (ARFIMA) process. Then, using this model, we show how to build a synthetic revocation generator that can be used in simulations for resource assessment. Finally, we also show that our model produces synthetic revocation traces that are indistinguishable for practical purposes from those corresponding to actual revocations.

    Postprint (author’s final draft)

  • DECADE: Distributed Emergent Cooperation through ADaptive Evolution in mobile ad hoc networks

     Mejía Fajardo, Marcela; Peña Traslaviña, Néstor; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Alzate Monroy, Marco
    Ad hoc networks
    Vol. 10, num. 7, p. 1379-1398
    DOI: 10.1016/j.adhoc.2012.03.017
    Date of publication: 2012-09
    Journal article

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • Adaptive IP scheduler design to support QoS guarantees over satellite systems

     Rendon Morales, Elizabeth; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    Journal of Internet Engineering
    Vol. 5, num. 1, p. 310-317
    Date of publication: 2012-06
    Journal article

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • Arquitectura de transporte segura y robusta para servicios de infotainment en redes vehiculares

     Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Mata Diaz, Jorge; Martin Faus, Isabel Victoria; Forga Alberich, Jordi; Esparza Martin, Oscar
    Competitive project

     Share

  • RAR: Un mecanismo "Risk-Aware" para redes vehiculares

     Hernández Gañan, Carlos; Muñoz Tapia, Jose Luis; Hinarejos Campos, M. Francisca; Isern Deyà, Andreu; Alins Delgado, Juan Jose
    Reunión Española sobre Criptología y Seguridad de la Información
    p. 1-6
    Presentation's date: 2012-09-05
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Las redes vehiculares requieren de alg ́ un meca- nismo para autenticar los mensajes, identificar a los veh ́ ıculos leg ́ ıtimos y sacar de la red aqu ́ ellos que no presenten un comportamiento adecuado. La infrastructura de clave p ́ ublica (PKI) puede proporcionar estos requisitos mediante el uso de certificados digitales. Sin embargo, la adopci ́ on de una PKI, conlleva la necesidad de gestionar no tan s ́ olo la emisi ́ on de certificados sino tambi ́ en su revocaci ́ on. El est ́ andar IEEE 1609.2 apunta que la revocaci ́ on de certificados en redes vehiculares debe depender del uso de Listas de Certificados Revocados (CRLs). En este art ́ ıculo, analizamos los problemas derivados del uso de CRLs en este tipo de redes. Asimismo, proponemos un mecanismo para gestionar el riesgo inherente del uso de estas listas el cual mejora el uso tradicional de las CRLs. Ayud ́ andose del canal de control de este tipo de redes, nuestro mecanismo es capaz de dar a conocer la frescura de los datos de revocaci ́ on en tiempo real. Adem ́ as, este mecanismo permite a los usuarios estimar el riesgo operacional que asumen al usar las CRLs.

  • Analysis of inter-RSU beaconing interference in VANETs

     Hernandez Gañan, Carlos; Loo, J.; Ghosh, A.; Esparza Martin, Oscar; Reñé, Sergi; Muñoz Tapia, Jose Luis
    International Workshop on Multiple Access Communications
    p. 49-59
    DOI: 10.1007/978-3-642-34976-8_5
    Presentation's date: 2012
    Presentation of work at congresses

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • On the self-similarity nature of the revocation data

     Hernández Gañan, Carlos; Mata Diaz, Jorge; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Alins Delgado, Juan Jose
    International Conference on Information Security
    p. 387-400
    DOI: 10.1007/978-3-642-33383-5_24
    Presentation's date: 2012-09
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    One of the hardest tasks of a Public Key Infrastructure (PKI) is to manage revocation. Different revocation mechanisms have been proposed to invalidate the credentials of compromised or misbe- having users. All these mechanisms aim to optimize the transmission of revocation data to avoid unnecessary network overhead. To that end, they establish release policies bas ed on the assumption that the revoca- tion data follows uniform or Poisson distribution. Temporal distribution of the revocation data has a significant influence on the performance and scalability of the revocation service. In this paper, we demonstrate that the temporal distribution of the daily number of revoked certificates is statistically self-similar, and that the currently assumed Poisson distribu- tion does not capture the statistical properties of the distribution. None of the commonly used revocation models takes into account this fractal behavior, though such behavior has serious implications for the design, control, and analysis of revocation protocols such as CRL or delta-CRL.

  • RAR: Risk aware revocation mechanism for vehicular networks

     Hernández Gañan, Carlos; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Silva Cárdenas, Carlos; Bartra Gardini, Gumercindo
    IEEE Vehicular Technology Conference
    p. 1-5
    DOI: 10.1109/VETECS.2012.6239941
    Presentation's date: 2012
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Vehicular Ad Hoc Networks (VANETs) require some mechanism to authenticate messages, identify valid vehicles, and remove misbehaving ones. A Public Key Infrastructure (PKI) can provide this functionality using digital certificates. In PKI, key management and corresponding issuance and revocation of digital certificates is one of the key issues that have to be solved. The IEEE 1609.2 standard states that VANETs will rely on the use of certificate revocation lists (CRLs) to achieve revocation. In this paper, we analyze the problems of using CRLs in these type of networks. Moreover, we describe the Risk Aware Revocation (RAR) mechanism that improves the traditional use of CRLs. RAR takes advantage of the two distinct channel types in VANETs to increase the freshness of the revocation information. Moreover, RAR allows users to gauge the risk of operating in a VANET when using CRLs.

  • CRL distribution system for KAD network

     Caubet Fernandez, Juan; Hernández Gañan, Carlos; Esparza Martin, Oscar; Muñoz Tapia, Jose Luis; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    FTRA World Convergence Conference
    Presentation's date: 2012-11-22
    Presentation of work at congresses

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • Toward revocation data handling efficiency in VANETs

     Hernández Gañan, Carlos; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    International Workshop on Communication Technologies for Vehicles
    p. 80-90
    DOI: 10.1007/978-3-642-29667-3_7
    Presentation's date: 2012
    Presentation of work at congresses

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • Impact of the revocation service in PKI prices

     Hernandez Gañan, Carlos; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    International Conference on Information and Communications Security
    p. 22-32
    DOI: 10.1007/978-3-642-34129-8_3
    Presentation's date: 2012
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    The ability to communicate securely is needed for many network applications. Public key infrastructure (PKI) is the most extended solution to verify and confirm the identity of each party involved in any secure transaction and transfer trust over the network. One of the hardest tasks of a certification infrastructure is to manage revocation. Research on this topic has focused on the trade-offs that different revocation mechanisms offer. However, less effort has been paid to understand the benefits of improving the revocation policies. In this paper, we analyze the behavior of the oligopoly of certificate providers that issue digital certificates to clients facing identical independent risks. We found the prices in the equilibrium, and we proof that certificate providers that offer better revocation information are able to impose higher prices to their certificates without sacrificing market share in favor of the other oligarchs. In addition, we show that our model is able to explain the actual tendency of the SSL market where providers with worst QoS are suffering loses.

  • Un esquema de pago seguro mediante multicupones para escenarios multi-comerciante

     Isern Deyà, Andreu; Hinarejos Campos, M. Francisca; Ferrer Gomila, Josep Lluis; Palleras Capellà, Magda; Hernández Gañan, Carlos; Muñoz Tapia, Jose Luis; Forné, Jordi; Esparza Martin, Oscar
    Reunión Española sobre Criptología y Seguridad de la Información
    Presentation's date: 2012-09-06
    Presentation of work at congresses

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • A game theoretic trust model for on-line distributed evolution of cooperation in MANETs

     Mejía Fajardo, Marcela; Peña Traslaviña, Néstor; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Alzate Monroy, Marco
    Journal of network and computer applications
    Vol. 1, num. 34, p. 39-51
    DOI: 10.1016/j.jnca.2010.09.007
    Date of publication: 2011-01-13
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Cooperation among nodes is fundamental for the operation of mobile ad hoc networks(MANETs). In such networks, there could be selfish nodes that use resources from other nodes to send their packets but that do not offer their resources to forward packets for other nodes.Thus,a cooperation enforcement mechanism is necessary. Trust models have been proposed as mechanisms to incentive cooperation in MANET sand some of them are based on game theory concepts. Among game theoretic trust models, those that make nodes’ strategies evolve genetically have shown promising results for cooperation improvement. However,current approaches propose a highly centralized genetic evolution which render them unfeasible for practical purposes in MANETs. In this article, we propose a trust model based on a non-cooperative game that uses a bacterial-like algorithm to let the nodes quickly learn the appropriate cooperation behavior. Our model is completely distributed, achieves optimal cooperation values in a small fraction of time compared with centralized algorithms,and adapts effectively to environmental changes.

  • Access to the full text
    An infrastructure for detecting and punishing malicious hosts using mobile agent watermarking  Open access

     Esparza Martin, Oscar; Muñoz Tapia, Jose Luis; Tomas Buliart, Joan; Soriano Ibáñez, Miguel
    Wireless communications and mobile computing
    Vol. 11, num. 11, p. 1446-1462
    DOI: 10.1002/wcm.941
    Date of publication: 2011-11-01
    Journal article

    Read the abstract Read the abstract Access to the full text Access to the full text Open in new window  Share Reference managers Reference managers Open in new window

    Mobile agents are software entities consisting of code, data, and state that can migrate autonomously from host to host executing their code. In such scenario there are some security issues that must be considered. In particular, this paper deals with the protection of mobile agents against manipulation attacks performed by the host, which is one of the main security issues to solve in mobile agent systems. This paper introduces an infrastructure for mobile agent watermarking (MAW). MAW is a lightweight approach that can efficiently detect manipulation attacks performed by potentially malicious hosts that might seek to subvert the normal agent operation. MAW is the first proposal in the literature that adapts software watermarks to verify the execution integrity of an agent. The second contribution of this paper is a technique to punish a malicious host that performed a manipulation attack by using a trusted third party (TTP) called host revocation authority (HoRA). A proof-of-concept has also been developed and we present some performance evaluation results that demonstrate the usability of the proposed mechanisms.

  • Evolución Genética de Estrategias para Modelos de Confianza en Redes Móviles Ad Hoc Basados en Teoría de Juegos

     Mejía Fajardo, Marcela
    Department of Telematics Engineering, Universitat Politècnica de Catalunya
    Theses

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • Analysis of TCP variants over a QoS DVB-S2 system

     Rendon Morales, Elizabeth; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks
    p. 121-124
    DOI: 10.1145/2069063.2069085
    Presentation's date: 2011-10-01
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    This paper presents a performance analysis of the TCP protocol considering the DiffServ architecture to provide Quality of Service guarantees working over a Digital Video Broadcasting - Second Generation (DVB-S2) satellite system. The analysis is carried out using the NS-2 simulator tool where three TCP variants are considered: Sack TCP, Hybla TCP and Cubic TCP. The objective is to evaluate the TCP performance taking in to account goodput, friendliness and fairness parameters and the most typical problems presented in a DVB-S2 satellite link such as delay, losses and bandwidth variations.

  • Analysis of video streaming performance in vehicular networks

     Reñé, Sergi; Hernández Gañan, Carlos; Caubet Fernandez, Juan; Alins Delgado, Juan Jose; Mata Diaz, Jorge; Muñoz Tapia, Jose Luis
    International Conference on Advanced Communications and Computation
    p. 92-97
    Presentation's date: 2011-10-28
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Vehicular Ad-hoc Networks (VANETs) have been mainly motivated for safety applications, but non-safety applications can also be very helpful to impulse vehicular networks. Among non-safety applications, video streaming services can provide attractive features to many applications and can attract a great number of users. However, VANETs high mobility characteristics and packet loss during communications blackouts difficult the deployment of video services in vehicular networks. In this paper, the performance of a video streaming service has been analyzed to study the deployability of a video on demand service in a highway environment for vehicular users. It has been analyzed the packet loss produced by network reconfiguration during handoffs and its influence in the video streamed quality. Using Mobile IP without and with fast handoffs we have gauge the effects of mobility over the video transmission. We show that although fast handoffs techniques minimize blackouts, they limit the deployment of video streaming services in vehicular networks.

  • Evaluación de prestaciones de diferentes variantes de TCP en un entorno satelital DVB-S2

     Rendon Morales, Elizabeth; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    Jornadas de Ingeniería Telemática1
    p. 190-197
    Presentation's date: 2011-09-20
    Presentation of work at congresses

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • Adaptive packet scheduling for the support of QoS over DVB-S2 satellite systems

     Rendon Morales, Elizabeth; Mata Diaz, Jorge; Alins Delgado, Juan Jose; Muñoz Tapia, Jose Luis; Esparza Martin, Oscar
    International Conference on Wired/Wireless Internet Communications
    p. 15-26
    DOI: DOI: 10.1007/978-3-642-21560-5_2
    Presentation's date: 2011-06-01
    Presentation of work at congresses

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    This paper presents an adaptive algorithm for managing the weights of a weighted round robin (WRR) scheduler. The weights calculation depends on the capacity variations present in a Digital Video Broadcasting-Second Generation (DVB-S2) satellite link. The algorithm optimizes the bandwidth utilization while satisfying the QoS requirements for different traffic classes. The operation of the proposed algorithm is demonstrated by using the NS-2 simulator environment. The results show that the proposed adaptive WRR algorithm optimizes the bandwidth utilization while enforcing the priority level of each service class even in an extreme reduction of bandwidth caused by rain events.

  • PREON: An efficient cascade revocation mechanism for delegation paths

     Hinarejos Campos, M. Francisca; Muñoz Tapia, Jose Luis; Forné, Jordi; Esparza Martin, Oscar
    Computers and security
    Vol. 29, num. 6, p. 697-711
    DOI: 10.1016/j.cose.2010.03.001
    Date of publication: 2010-09
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    In decentralized network-based environments, resource sharing occurs more frequently as computing becomes more pervasive. Access to shared resources must be protected allowing access only to authorized entities. Delegation is a powerful mechanism to provide flexible and distributed access control when a user acts on another user’s behalf. User’s rights/ attributes are contained in digital certificates and successive delegations generate chains of certificates.When an access control decision related to a delegation path has to be taken, its corresponding certificate chain has to be validated. Validation of long delegation paths is a costly process that might be critical when constrained devices are involved. In this article, we propose a mechanism called PREON (Prefix Revocation) which is based on prefix codes. PREON allows a privilege verifier to efficiently check a delegation chain when cascade revocation is enabled. We show by statistical analysis that our proposal outperforms delegation systems without prefix coding especially for long delegation paths and high revocation probabilities.

  • RDSR-V. Reliable dynamic source routing for video-streaming over mobile ad hoc networks

     Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Aguilar Igartua, Mónica; Carrascal Frias, F. Javier; Forné, Jordi
    Computer networks
    Vol. 54, num. 1, p. 79-96
    DOI: 10.1016/j.comnet.2009.08.015
    Date of publication: 2010-01
    Journal article

    Read the abstract Read the abstract View View Open in new window  Share Reference managers Reference managers Open in new window

    Mobile ad hoc networks (MANETs) are infrastructureless networks formed by wireless mobile devices with limited battery life. In MANETs for civilian applications, the network nodes may not belong to a single authority and they may not have a common goal. These MANETs are particularly vulnerable to selfish behavior, as some nodes may prefer saving resources to forward data. There are a few generic reputation-based systems for MANETs which could be used to enforce cooperation among nodes. However, we envision that the system performance can be highly improved by using cross-layer techniques that take into account the specific characteristics of each particular service. In this article, we propose a distributed and easy-to-implement routing mechanism based on reputation for the provision of MPEG-2 video-streaming services over MANETs. The main novelty that we introduce regarding the existent literature is that our proposal is service aware, that is to say, we consider the video-streaming service characteristics to develop a cross-layer design with the routing protocol. In addition, we do not introduce extra signaling overhead to monitor reputation because we use the standard video-streaming end-to-end signaling. Finally, simulation results show that our proposal clearly outperforms both standard Dynamic Source Routing (DSR) and OCEAN (a generic reputation-based mechanism).

  • 12th International Conference on Information and Comunications Security

     Muñoz Tapia, Jose Luis; Pegueroles Valles, Josep Rafel; Forné, Jordi; Fernandez Muñoz, Marcel; Soriano Ibáñez, Miguel
    Competitive project

     Share

  • Cost Action IC0906: Wireless Networking for Moving Objects (WiNeMO)

     Barceló Arroyo, Francisco; Koucheryavy, Yevgeni; Martin Escalona, Israel; Zola, Enrica Valeria; Esparza Martin, Oscar; Muñoz Tapia, Jose Luis; Mata Diaz, Jorge; Alins Delgado, Juan Jose
    Competitive project

     Share

  • Seguridad en redes de computación ubicua: contribución a la validación de credenciales  Open access

     Hinarejos Campos, M. Francisca
    Universitat Politècnica de Catalunya
    Theses

    Read the abstract Read the abstract Access to the full text Access to the full text Open in new window  Share Reference managers Reference managers Open in new window

    Technology progress in both user devices and networks allows communications anytime and anywhere. New communication environments offer a wide range of possibilities to users, but also generate new threats. For this reason, it is necessary to establish measures to find out who is establishing a communication and what actions is authorized to do. Currently proposed solutions in the literature are not completely adapted to the new features such as user mobility, network disconnections and constraints of devices and networks. Many of the existing proposals have focused in providing specific solutions to particular scenarios, but they do not consider a global heterogeneous scenario. Therefore, it is necessary to design security mechanisms able to adapt themselves to new scenarios. In this sense, digital certificates are a standardized and widely used solution. Digital certificates enable performing user authentication and authorization in a distributed way. The problem is that ubiquitous environments complicate the process of digital certificates validation. This complexity could result in a service being not accessible. The goal of this thesis is to contribute in making ubiquitous scenarios more secure. More specifically, the work proposes solutions for reducing the credential validation cost and for improving the availability of authentication and authorization services. In first place, we propose a solution for credential validation that works properly in environments with connection to on-line servers and also in environments where the connection to servers is sometimes not possible. In second place, we propose a cascade revocation system where the delegation is partially centralized. Delegation provides high flexibility to authorization systems, but adds complexity to the system. Our proposal reduces the burden on the verifier-side. In third place, we propose a revocation system for delegation chains based on prefix codes. This proposal deals with the problem of centralization of the previous proposal. In particular, the decentralized solution presented keeps the load reduction achieved in the partially centralized proposal, and also enables dynamic delegation and distribution of revocation data. While the user is connected, revocation data distribution can be done with a certificate revocation list. However, in scenarios where the connection can be lost temporally, this might not be possible. To address this issue, we have proposed a system in which users can perform the functions of revocation servers without being trusted entities. This will allow increasing the availability of validation service, and reduce resource consumption. Each proposal has been analyzed and compared with existing solutions to verify the improvements achieved.

    El avance tecnológico tanto de los dispositivos de usuario como de las redes permite que se puedan establecer comunicaciones en cualquier momento y en cualquier lugar. Si bien estos entornos ofrecen un gran abanico de posibilidades a los usuarios, también es cierto que generan nuevas amenazas. Por este motivo, son necesarias medidas que permitan saber con quién se está estableciendo la comunicación y qué acciones se pueden autorizar. Las soluciones propuestas en la literatura no se adaptan completamente a las nuevas características de movilidad, desconexión y limitaciones tanto de los dispositivos como de las redes. De hecho, muchas de las propuestas existentes se han centrado en ofrecer soluciones concretas a escenarios particulares, sin tener en cuenta que el usuario puede entrar a formar parte de entornos heterogéneos. Por lo tanto, se hace necesario diseñar mecanismos de seguridad que conviviendo con los estándares vigentes, se adapten a los nuevos escenarios. En este sentido, los certificados digitales son una solución estandarizada y ampliamente extendida. Los certificados digitales permiten llevar a cabo tanto la autenticación como la autorización de un usuario de forma distribuida. Sin embargo, las características de los entornos ubicuos complican el proceso de validación de certificados. Esta complejidad podría llevar a que no se puediera acceder a los servicios. El objetivo de esta tesis es contribuir a aumentar la seguridad en entornos ubicuos. Más concretamente, se proporcionan soluciones para reducir la carga en la validación de credenciales y aumentar la disponibilidad de los servicios de autenticación y autorización. En primer lugar se propone un sistema de verificación de credenciales que se adapta para funcionar tanto en entornos con conexión a servidores on-line, como en sistemas off-line. Por otra parte, el proceso de delegación en sistemas de autorización, aporta una gran flexibilidad a estos entornos, pero a su vez añade complejidad al sistema. Para reducir esta carga sobre el verificador se propone un sistema de revocación en cascada con delegación centralizada. Sin embargo, esta centralización del servicio limita la escalabilidad y flexibilidad de la solución. Para dar solución a ese inconveniente, se ha propuesto un sistema de revocación en cadenas de delegación basado en códigos prefijo. Esta solución permite mantener la reducción de la carga en la validación lograda en la propuesta centralizada, y además, hace posible la delegación dinámica y la distribución de la información de revocación. Esta distribución puede realizarse a través de listas de revocación de credenciales. En redes con desconexión temporal esta información podría no estar accesible. Para solventarlo, se ha propuesto un sistema en el que los usuarios pueden realizar las funciones de servidores de revocación sin ser entidades de confianza. De esta forma se permite aumentar la disponibilidad del servicio de validación, y reducir el consumo de los recursos. Cada una de las propuestas realizadas se ha analizado para verificar las mejoras proporcionadas frente a las soluciones existentes. Para ello, se han evaluado de forma analítica, por simulación y/o implementación en función de cada caso. Los resultados del análisis verifican el funcionamiento esperado y muestran las mejoras de las propuestas frente a las soluciones existentes.

  • Access to the full text
    Implementacion de Ipsec en una arquitectura TCP splitting  Open access

     Caubet Fernandez, Juan; Muñoz Tapia, Jose Luis; Alins Delgado, Juan Jose; Mata Diaz, Jorge; Esparza Martin, Oscar
    Reunión Española sobre Criptología y Seguridad de la Información
    p. 395-400
    Presentation's date: 2010-09-07
    Presentation of work at congresses

    Read the abstract Read the abstract Access to the full text Access to the full text Open in new window  Share Reference managers Reference managers Open in new window

    El rendimiento de las aplicaciones que utilizan el protocolo de transporte TCP (Transmission Control Protocol) sobre enlaces vía satélite tiene una degradación significativa. Esto se debe principalmente a que el algoritmo de control de congestión estándar de TCP no es adecuado para superar las deficiencias de las redes satelitales. TCP splitting es una solución prometedora para mejorar el rendimiento general de TCP, incluso en el segmento satelital. La división de la conexión TCP se logra mediante la instalación de dos PEPs (Performance Enhancement Proxies) en los extremos del segmento satelital. Sin embargo, la división de TCP entra en conflicto con IPsec. Si el cifrado y/o la autenticación son aplicados sobre los datagramas IP, el PEP no puede manipular las correspondientes cabeceras IP y TCP para dividir las conexiones TCP. En este trabajo presentamos tres propuestas para implementar IPsec en un escenario TCP splitting, proporcionando los servicios de seguridad habituales y un buen rendimiento en la conexión vía satélite. La idea básica es permitir a los PEPs manipular las cabeceras IP y TCP en función del nivel de confianza que los usuarios tengan en ellos.

  • Design and implementation of a lightweight online certificate validation service

     Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Forné, Jordi; Pallares Segarra, Esteve
    Telecommunication systems
    Vol. 41, num. 3, p. 229-241
    DOI: 10.1007/s11235-009-9144-2
    Date of publication: 2009-07
    Journal article

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • GRUP SEGURETAT DE LA INFORMACIÓ (ISG)

     Fernandez Muñoz, Marcel; Pegueroles Valles, Josep Rafel; Hernández Serrano, Juan Bautista; Forné, Jordi; León Abarca, Olga; Pallares Segarra, Esteve; Esparza Martin, Oscar; Muñoz Tapia, Jose Luis; Parra Arnau, Javier; Soriano Ibáñez, Miguel
    Competitive project

     Share

  • SBV SECURE BIOMETRIC VOTING: SISTEMA BIOMETRICO PARA PROCESOS ELECTORALES SEGUROS

     Hernández Serrano, Juan Bautista; Esparza Martin, Oscar; Muñoz Tapia, Jose Luis; Soriano Ibáñez, Miguel
    Competitive project

     Share

  • PROVISION SEGURA DE SERVICIOS SOBRE EL P2P (P2PSEC)

     Mata Diaz, Jorge; Esparza Martin, Oscar; Martin Faus, Isabel Victoria; Pegueroles Valles, Josep Rafel; Alins Delgado, Juan Jose; Cruz Llopis, Luis Javier de La; Rico Novella, Francisco Jose; León Abarca, Olga; Hernández Serrano, Juan Bautista; Forga Alberich, Jordi; Fernandez Muñoz, Marcel; Muñoz Tapia, Jose Luis; Soriano Ibáñez, Miguel
    Competitive project

     Share

  • PKIX Certificate Status in Hybrid MANETs

     Muñoz Tapia, Jose Luis; Esparza Martin, Oscar; Hernández Gañan, Carlos; Parra Arnau, Javier
    Workshop in Information Security Theory and Practice
    p. 153-166
    Presentation of work at congresses

    View View Open in new window  Share Reference managers Reference managers Open in new window

  • A mechanism to avoid collusion attacks based on code passing in mobile agent systems

     Jaimez, Marc; Esparza Martin, Oscar; Muñoz Tapia, Jose Luis; Alins Delgado, Juan Jose; Mata Diaz, Jorge
    Workshop in Information Security Theory and Practice
    p. 12-27
    Presentation of work at congresses

    View View Open in new window  Share Reference managers Reference managers Open in new window