-
Integration of the Captive Portal paradigm with the 802.1X architecture
Authors:
Nuno Marques,
André Zúquete,
João Paulo Barraca
Abstract:
In a scenario where hotspot wireless networks are increasingly being used, and given the amount of sensitive information exchanged on Internet interactions, there is the need to implement security mechanisms that guarantee data confidentiality and integrity in such networks, as well as the authenticity of the hotspot providers.
However, many hotspots today use Captive Portals, which rely on authentication through Web pages (thus, an application-level authentication approach) instead of a link-layer approach. The consequence of this is that there is no security in the wireless link to the hotspot (it has to be provided at upper protocol layers), and it is cumbersome to manage wireless access profiles (we need special applications or browser add-ons to do that).
This work exposes the weaknesses of the Captive Portal paradigm, which does not follow a unique or standard approach, and describes a solution that intends to suppress them, based on the 802.1X architecture. This solution uses a new EAP-compliant protocol that is able to integrate an HTTP-based registration or authentication with a Captive Portal within the 802.1X authentication framework.
Submitted 26 August, 2019;
originally announced August 2019.
-
An Architecture to Support the Invocation of Personal Services in Web Interactions
Authors:
André Zúquete,
Fábio Marques
Abstract:
This paper proposes an architecture to enable Web service providers to interact with personal services. Personal services are vanilla HTTP services that are invoked from a browser, upon a request made by a service provider, to deliver some service on the client side, i.e., on an execution environment defined by the browser's user. Personal services can be used both to handle content manipulation and presentation and to deliver request-response interactions with different goals (e.g. user authentication). Unlike plugins, which are described to service providers on each and every HTTP request, personal services are explicitly searched for by service providers using a novel agent, a Broker, that works in close cooperation with each browser. We have implemented this architecture and built an HTTP proxy to cope with it. For demonstration purposes we show how we can use personal services for personal authentication with an electronic identification (eID) card.
Submitted 2 April, 2019;
originally announced April 2019.
-
Secure and trustworthy file sharing over cloud storage using eID tokens
Authors:
Eduardo Duarte,
Filipe Pinheiro,
André Zúquete,
Hélder Gomes
Abstract:
This paper presents a multi-platform, open-source application that aims to protect data stored and shared in existing cloud storage services. The access to the cryptographic material used to protect data is implemented using the identification and authentication functionalities of national electronic identity (eID) tokens. All peer-to-peer dialogs to exchange cryptographic material are implemented using the cloud storage facilities. Furthermore, we have included a set of mechanisms to prevent files from being permanently lost or damaged due to concurrent modification, deletion and malicious tampering. We have implemented a prototype in Java that is agnostic with respect to cloud storage providers; it only manages local folders, one of them being the local image of a cloud folder. We have successfully tested our prototype in Windows, Mac OS X and Linux, with Dropbox, OneDrive, Google Drive and SugarSync.
Submitted 13 January, 2015;
originally announced January 2015.
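The abstract above names three threats to files kept in a synced cloud folder: concurrent modification, deletion and malicious tampering. The following is an added illustrative example, not the paper's design or code, of the kind of record format that lets a client detect the last two and avoid losing data to the first: every version of a file is written as a new, HMAC-protected record (append-only, so an overwrite or delete by another client cannot destroy earlier content), the record binds the file name and version number under the tag, and the reader rejects both forged content and rollback to an older version. Assumptions: a 32-byte symmetric key already shared by the group (the paper derives access to such material from eID tokens; key distribution is not shown here), and a plain dict standing in for the synced folder.

```python
"""Added example: integrity-protected, versioned records for a synced folder.
Illustrative only; this is not the paper's design or prototype code."""
import base64
import hashlib
import hmac
import json


class TamperError(Exception):
    """Record content, name or version does not match its HMAC tag."""


class RollbackError(Exception):
    """The newest record visible is older than one we have already seen."""


def _tag(key: bytes, name: str, version: int, content: bytes) -> str:
    # Bind name and version to the content so a record cannot be moved
    # under another file name or relabelled with a different version.
    msg = json.dumps([name, version, base64.b64encode(content).decode()]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(key: bytes, name: str, version: int, content: bytes) -> str:
    return json.dumps({
        "name": name,
        "version": version,
        "content": base64.b64encode(content).decode(),
        "tag": _tag(key, name, version, content),
    })


def unseal(key: bytes, record: str):
    obj = json.loads(record)
    content = base64.b64decode(obj["content"])
    expected = _tag(key, obj["name"], obj["version"], content)
    if not hmac.compare_digest(expected, obj["tag"]):
        raise TamperError(obj["name"])
    return obj["name"], obj["version"], content


def store(folder: dict, key: bytes, name: str, content: bytes) -> int:
    """Append a new version; existing records are never overwritten, so a
    concurrent writer or a deletion cannot destroy earlier content.
    (Two clients choosing the same next version concurrently would have to
    be resolved by the sync service's conflict copies; not modelled here.)"""
    versions = folder.setdefault(name, {})
    version = max(versions, default=0) + 1
    versions[version] = seal(key, name, version, content)
    return version


def load_latest(folder: dict, key: bytes, name: str, last_seen: int = 0):
    """Return (version, content) of the newest record, refusing tampered
    records and any state older than `last_seen` (rollback by deletion)."""
    versions = folder.get(name, {})
    if not versions:
        raise FileNotFoundError(name)
    top = max(versions)
    rec_name, version, content = unseal(key, versions[top])
    # The slot key is unauthenticated storage metadata; the values inside
    # the tagged record are what we trust.
    if rec_name != name or version != top or version < last_seen:
        raise RollbackError(f"{name}: saw version {version}, expected >= {max(top, last_seen)}")
    return version, content


def demo() -> dict:
    """Exercise write, read, tamper detection and rollback detection on a
    constructed in-memory folder with a constructed key."""
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    folder: dict = {}
    v1 = store(folder, key, "notes.txt", b"draft 1")
    v2 = store(folder, key, "notes.txt", b"draft 2")
    latest = load_latest(folder, key, "notes.txt", last_seen=v1)

    # Malicious tampering: an attacker with write access to the cloud folder
    # edits the content of the newest record without knowing the key.
    rec = json.loads(folder["notes.txt"][v2])
    rec["content"] = base64.b64encode(b"evil").decode()
    folder["notes.txt"][v2] = json.dumps(rec)
    try:
        load_latest(folder, key, "notes.txt", last_seen=v1)
        tamper_detected = False
    except TamperError:
        tamper_detected = True

    # Rollback by deletion: the attacker removes the newest record so that
    # a client only sees the stale version 1.
    del folder["notes.txt"][v2]
    try:
        load_latest(folder, key, "notes.txt", last_seen=v2)
        rollback_detected = False
    except RollbackError:
        rollback_detected = True

    return {
        "v1": v1,
        "v2": v2,
        "latest": latest,
        "tamper_detected": tamper_detected,
        "rollback_detected": rollback_detected,
        "history_intact": unseal(key, folder["notes.txt"][v1])[2],
    }


if __name__ == "__main__":
    print(demo())
```

A real deployment would also encrypt the content (the abstract speaks of protecting data, not only its integrity) and would keep `last_seen` in local state per file so that the rollback check survives restarts; both are left out to keep the record format itself in focus.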
-
Security Policy Consistency
Authors:
Carlos Ribeiro,
Andre Zuquete,
Paulo Ferreira,
Paulo Guedes
Abstract:
With the advent of wide security platforms able to express simultaneously all the policies comprising an organization's global security policy, the problem of inconsistencies within security policies becomes harder and more relevant.
We have defined a tool based on the CHR language which is able to detect several types of inconsistencies within and between security policies and other specifications, namely workflow specifications.
Although the problem of security conflicts has been addressed by several authors, to our knowledge none has addressed the general problem of security inconsistencies, in its several definitions and target specifications.
Submitted 30 June, 2000;
originally announced June 2000.
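To make concrete what "inconsistencies within and between security policies and other specifications" can mean, here is an added illustrative checker, written in plain Python rather than CHR and not the paper's tool, for two of the simplest cases: a contradiction within a policy (the same role ends up both permitted and denied the same action on the same resource once role inheritance is applied) and an inconsistency between the policy and a workflow specification (a workflow step requires an action the policy does not permit for the role performing it). The role hierarchy, rules and workflow are constructed sample data.

```python
"""Added example: detecting two kinds of security-policy inconsistency.
Illustrative only; this is not the CHR-based tool described in the paper."""


def ancestors(role: str, hierarchy: dict) -> set:
    """All roles `role` inherits from (hierarchy maps role -> parent roles);
    cycle-safe so a malformed hierarchy cannot hang the checker."""
    seen, stack = set(), list(hierarchy.get(role, []))
    while stack:
        parent = stack.pop()
        if parent not in seen:
            seen.add(parent)
            stack.extend(hierarchy.get(parent, []))
    return seen


def find_inconsistencies(rules: list, hierarchy: dict, workflow: list):
    """rules: (effect, role, action, resource) with effect in {permit, deny};
    a rule on a role applies to every role inheriting from it.
    workflow: (role, action, resource) steps that must be permitted.
    Returns (conflicts, blocked_steps)."""
    roles = set(hierarchy)
    roles |= {r for _, r, _, _ in rules}
    roles |= {r for r, _, _ in workflow}

    # Effective decisions per (role, action, resource) after inheritance.
    decisions: dict = {}
    for role in roles:
        lineage = {role} | ancestors(role, hierarchy)
        for effect, rule_role, action, resource in rules:
            if rule_role in lineage:
                decisions.setdefault((role, action, resource), set()).add(effect)

    # Within-policy inconsistency: a triple both permitted and denied.
    conflicts = sorted(k for k, v in decisions.items() if v == {"permit", "deny"})

    # Policy/workflow inconsistency: a step with no permit, or with a deny.
    blocked = [
        step for step in workflow
        if "permit" not in decisions.get(step, set())
        or "deny" in decisions.get(step, set())
    ]
    return conflicts, blocked


def demo():
    # Constructed sample: managers inherit everything employees may do.
    hierarchy = {"manager": ["employee"]}
    rules = [
        ("permit", "employee", "read", "report"),
        ("deny", "manager", "read", "report"),     # contradicts inherited permit
        ("permit", "manager", "approve", "report"),
    ]
    workflow = [
        ("employee", "read", "report"),
        ("employee", "approve", "report"),          # no permit exists for this
        ("manager", "approve", "report"),
    ]
    return find_inconsistencies(rules, hierarchy, workflow)


if __name__ == "__main__":
    conflicts, blocked = demo()
    print("conflicting decisions:", conflicts)
    print("workflow steps not permitted:", blocked)
```

Whether an explicit deny on a sub-role should count as a conflict or as an intended override is itself a policy-language decision; the checker above treats it as a conflict to be reported, which is the conservative choice when the goal is to surface inconsistencies for a human to resolve.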