NameAndré Nuno Cirne
Since15th November 2018
CentreAdvanced Computing Systems
Cirne A.; Sousa P.R.; Resende J.S.; Antunes L.;
IEEE Communications Surveys and Tutorials
With the proliferation of Internet of Things (IoT) devices, there is an increasing need to prioritize their security, especially in the context of identity and authentication mechanisms. However, IoT devices have unique limitations in terms of computational capabilities and susceptibility to hardware attacks, which pose significant challenges to establishing strong identity and authentication systems. Paradoxically, the very hardware constraints responsible for these challenges can also offer potential solutions. By incorporating hardware-based identity implementations, it is possible to overcome computational and energy limitations, while bolstering resistance against both hardware and software attacks. This research addresses these challenges by investigating the vulnerabilities and obstacles faced by identity and authentication systems in the IoT context, while also exploring potential technologies to address these issues. Each identified technology underwent meticulous investigation, considering known security attacks, implemented countermeasures, and an assessment of their pros and cons. Furthermore, an extensive literature survey was conducted to identify instances where these technologies have effectively supported device identity. The research also includes a demonstration that evaluates the effectiveness of hardware trust anchors in mitigating various attacks on IoT identity. This empirical evaluation provides valuable insights into the challenges developers encounter when implementing hardware-based identity solutions. Moreover, it underscores the substantial value of these solutions in terms of mitigating attacks and developing robust identity frameworks. By thoroughly examining vulnerabilities, exploring technologies, and conducting empirical evaluations, this research contributes to understanding and promoting the adoption of hardware-based identity and authentication systems in secure IoT environments. The findings emphasize the challenges faced by developers and highlight the significance of hardware trust anchors in enhancing security and facilitating effective identity solutions.
Barbosa, M; Cirne, A; Esquível, L;
Proceedings of the 18th International Conference on Availability, Reliability and Security, ARES 2023, Benevento, Italy, 29 August 2023- 1 September 2023
FIDO2 is becoming a defacto standard for passwordless authentication. Using FIDO2 and WebAuthn, web applications can enable users to associate cryptographic credentials to their profiles, and then rely on an external authenticator (e.g., a hardware token plugged into the USB port) to perform strong signature-based authentication when accessing their accounts. The security of FIDO2 has been theoretically validated, but these analyses follow the threat model adopted in the FIDO2 design and explicitly exclude some attack vectors as being out of scope. In this paper we show that two of these attacks, which appear to be folklore in the community, are actually straightforward to launch in practice (user PIN extraction, impersonation and rogue key registration). We demonstrate a deployment over vanilla Linux distributions and commercial FIDO2 authenticators. We discuss the potential impact of our results, which we believe will contribute to the improvement of future versions of the protocol. © 2023 ACM.
Cirne, A; Sousa, PR; Resende, JS; Antunes, L;
COMPUTERS & SECURITY
The Internet of Things (IoT) has changed how we interact with the world around us. Many devices are moving from offline to online mode, connecting between them and the Internet, offering more functionality to users. Despite the increase in the quality of life for users provided by IoT devices, it is also necessary to establish trust in the privacy and security of end-users. With this level of connectivity, the amount of data exchanged between devices also increases, inducing malicious activities. One of the main problems is the lack of regulation in the IoT industry, especially between different manufacturers. There are no formal security rules, and manufacturers may not choose to install security mechanisms. Therefore, it is necessary to promote the adoption of security measures. One way to do this is by using IoT devices and systems certification. In recent years, IoT certifications have emerged. Meanwhile, the European Union has passed the Cyber Security Act to unify and regulate security certifications in member states. Our work collects the requirements that different IoT environments and application scenarios impose on certifications and discusses the current certifications' status according to those requirements. In addition, we also explored how EU measures apply to IoT and, where applicable, how certifications implement them, highlighting future research challenges.
Sousa, PR; Cirne, A; Resende, JS; Martins, R; Antunes, L;
ICDCN '19: PROCEEDINGS OF THE 2019 INTERNATIONAL CONFERENCE ON DISTRIBUTED COMPUTING AND NETWORKING
The number of devices connected to the Internet has been increasing exponentially. There is a substantial amount of data being exchanged among numerous connected devices. The added convenience brought by these devices spans across multiple facets of everyday life, such as drivers reporting an accident through dash cams, patients monitoring their own health, and companies controlling the safety of their facilities. However, it is critical to increase safety and privacy across the data generated and propagated by these devices. Previous works have focused mainly on device management and relied on centralized solutions namely Public Key Infrastructure (PKI). This paper describes a novel mechanism that ensures secure autonomous communication between Internet of Things (IoT) devices, while using a completely decentralized solution that mitigates the classical single points-of-failure problem. This is accomplished by a new peer-to-peer protocol using Short Authentication Strings (SAS), in which verification is made through a Limited-Location Channel (LLC).
The access to the final selection minute is only available to applicants.
Please check the confirmation e-mail of your application to obtain the access code.