Special issue | Security and Trust in Ubiquitous Systems

Vol. 76, n° 3-4, March-April 2021
Content available on Springerlink

Guest editors

Samia Bouzefrane, Conservatoire National Des Arts Et Métiers, Paris, France
Jenny Gabriela Torres Olmedo, Escuela Politécnica Nacional, Quito, Ecuador
Gongxuan Zhang, Nanjing University of Science and Technology (NJUST), Nanjing, China

Editorial

Security and trust in ubiquitous systems

Samia Bouzefrane · Jenny Gabriela Torres Olmedo · Gongxuan Zhang · Nicolas Puech

Toward unified trust and reputation messaging in ubiquitous systems

David Jelenc1

(1) Faculty of Computer and Information Science, University of Ljubljana, Ljubljana, Slovenia

Abstract The fifth mobile generation (5G) will enable massive distributed applications that run on various platforms and cater to diverse and interacting entities. If such interactions are to be successful, the entities will have to learn to trust each other, and one way of addressing this is to use trust and reputation systems. These systems estimate the trustworthiness of potential interaction partners and are now being increasingly deployed. However, their inability to share information across applications is concerning: as entities traverse application boundaries, their trust and reputation information does not. Instead, it is kept in silos, forcing entities to remake it in every application they join. The lack of appropriate standards further impedes such sharing attempts. To address this, we propose a general framework for facilitating the exchange of trust and reputation information. The framework defines messages and a protocol that allow trust and reputation systems to query each other for ratings, provide responses, and signal errors. We analyze the proposal and provide an implementation as free software.

Keywords Trust · Reputation · Messaging · Standardization · Interoperability

A decision tree for building IT applications
What to choose: blockchain or classical systems?

Nour El Madhoun1 · Julien Hatin2 · Emmanuel Bertin2,

(1) LISITE Laboratory, ISEP, 10 Rue de Vanves, Issy-les-Moulineaux, France
(2) Orange Labs, 42 rue des Coutures, Caen, France

Abstract Blockchain technology has gained increasing attention from research and industry over recent years. It allows the smart-contracts technology, which is used to automate and execute agreements between users, to be implemented in its environment. The blockchain is proposed today as a new technical infrastructure for several types of IT applications. This interest is mainly due to its core property that allows two users to perform transactions without going through a Trusted Third Party, while offering transparent and fully protected data storage. However, a blockchain comes along with a number of other intrinsic properties, which may not be suitable or beneficial in all the envisaged application cases. Consequently, we propose in this paper to design a new tool, “a decision tree”, that allows identifying when a blockchain may be the appropriate technical infrastructure for a given IT application, and when another classical system (centralized or distributed peer-to-peer) is better adapted. The proposed decision tree also allows identifying whether or not it is necessary to use the smart-contracts technology.

Keywords Blockchain · IT · Permissioned · Peer-to-peer · Permissionless · Security · Smart-contracts · TTP

A modified LOF-based approach for outlier characterization in IoT

Lynda Boukela1 · Gongxuan Zhang1 · Meziane Yacoub2 · Samia Bouzefrane2 · Sajjad Bagheri Baba Ahmadi1 · Hamed Jelodar1

(1) School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
(2) CEDRIC Lab, Conservatoire National des Arts et Metiers, Paris, France

Abstract The Internet of Things (IoT) is a growing paradigm that is revolutionary for information and communication technology (ICT) because it brings together numerous application domains by integrating several enabling technologies. Outlier detection is a field of tremendous importance, including in IoT. In previous works on outlier detection, the proposed methods mainly tackled the efficacy and efficiency challenges. However, a growing interest in the interpretation of the detected anomalies has been noticed in the research community, and only a few works have contributed in this direction. Furthermore, characterizing anomalous events in IoT-related problems has not yet been conducted. Hence, in this paper, we introduce our modified Local Outlier Factor (LOF)–based outlier characterization approach and apply it to enhance IoT security and reliability. Experiments on both synthetic and real-world datasets show the good performance of our solution.

Keywords Outlier characterization · Internet of Things · Local Outlier Factor · Cyber security

Survey on physical layer security for 5G wireless networks

José David Vega Sánchez1 · Luis Urquiza-Aguiar1 · Martha Cecilia Paredes Paredes1 · Diana Pamela Moya Osorio2

(1) Departamento de Electrónica, Telecomunicaciones y Redes de Información, Escuela Politécnica Nacional (EPN), Quito, Ecuador
(2) Centre for Wireless Communications (CWC), University of Oulu, Oulu, Finland

Abstract Physical layer security is a promising approach that can benefit traditional encryption methods. The idea of physical layer security is to take advantage of the propagation medium’s features and impairments to ensure secure communication in the physical layer. This work introduces a comprehensive review of the main information-theoretic metrics used to measure the secrecy performance in physical layer security. Furthermore, a theoretical framework related to the most commonly used physical layer security techniques to improve secrecy performance is provided. Finally, our work surveys physical layer security research over several enabling 5G technologies, such as massive multiple-input multiple-output, millimeter-wave communications, heterogeneous networks, non-orthogonal multiple access, and full-duplex. We also include the key concepts of each of the technologies mentioned above. Also identified are future fields of research and technical challenges of physical layer security.

Keywords 5G systems · Full-duplex · Heterogeneous networks · Massive MIMO · Millimeter-wave · Non-orthogonal multiple access · Physical layer security techniques

Novel user authentication method based on body composition analysis

Pawel Laka1 · Zbigniew Korzeb2 · Wojciech Mazurczyk1

(1) Institute of Computer Science, Warsaw University of Technology, Warsaw, Poland
(2) Department of Finance and Accounting, Bialystok University of Technology, Bialystok, Poland

Abstract Authentication is the process of confirming one’s identity. There is a steadily growing need to protect confidential, especially financial, data, as banks provide their services online through their ubiquitous systems. This paper presents a novel authentication method based on the analysis of body composition. A trusted system that relies on the biometric authentication has been designed, implemented, and evaluated, showing a false accept rate (FAR) of 0%, while its false reject rate (FRR) is 2.65%. As the proposed solution requires virtually no special action from the user during the authentication process, it can be seen as suitable for incorporation into existing multifactor authentication solutions.

Keywords User authentication · Body analysis · Bioelectrical impedance · Biometry · Security

Transparency of SIM profiles for the consumer remote SIM provisioning protocol

Abu Shohel Ahmed1,2 · Mukesh Thakur2,3 · Santeri Paavolainen1,2 · Tuomas Aura1

(1) Aalto University, Espoo, Finland
(2) Ericsson, Kirkkonummi, Finland
(3) University of Helsinki, Helsinki, Finland

Abstract In mobile communication, User Equipment (UE) authenticates a subscriber to a Mobile Network Operator (MNO) using credentials from the MNO-specified SIM profile that is securely stored inside the SIM card. Traditionally, a change in a subscriber’s SIM profile, such as a change in a subscription, requires replacement of the physical SIM card. To address this shortcoming, the GSM Association (GSMA) has specified the consumer Remote SIM Provisioning (RSP) protocol. The protocol enables remote provisioning of SIM profiles from a server to SIM cards, also known as the embedded Universal Integrated Circuit Card (eUICC). In RSP, any GSMA-certified server is trusted by all eUICCs, and consequently any server can provision SIM profiles to all eUICCs, even those not originating from the MNO associated with the GSMA-certified RSP server. Consequently, an attacker, by compromising a server, can clone a genuine SIM profile and provision it to other eUICCs. To address this security problem, we present the SIM Profile Transparency Protocol (SPTP) to detect malicious provisioning of SIM profiles. SPTP assures the eUICC and the MNO that all SIM provisioning actions—both approved and unapproved—leave a permanent, non-repudiable trail. We evaluate the security guarantees provided by SPTP using a formal model, implement a prototype of SPTP, and evaluate the prototype against a set of practical requirements.

Keywords Consumer RSP · SIM profile cloning · eSIM security · Transparency

Towards more secure EMV purchase transactions
A new security protocol formally analyzed by the Scyther tool

Nour El Madhoun1 · Emmanuel Bertin2 · Mohamad Badra3 · Guy Pujolle4

(1) LISITE Laboratory, ISEP, 10 Rue de Vanves, Issy-les-Moulineaux, France
(2) Orange Labs, 42 rue des Coutures, Caen, France
(3) Zayed University, Dubai, United Arab Emirates
(4) Sorbonne Université – Sciences, CNRS, LIP6, 4 place Jussieu, Paris, France

Abstract EMV is the protocol implemented to secure the communication between a client’s payment device and a merchant’s payment device during a contact or an NFC purchase transaction. It represents a set of security messages and rules, exchanged between the different transaction actors, guaranteeing several important security properties, such as authentication, non-repudiation and integrity. Researchers, in various studies, have analyzed the operation of this protocol in order to verify its safety: unfortunately, they have identified two security vulnerabilities that lead to multiple attacks and dangerous risks threatening both clients and merchants. In this paper, we are firstly interested in presenting a general overview of the EMV protocol and, secondly, in proposing a new security solution that enhances the EMV protocol by solving these two dangerous EMV vulnerabilities. We verify the correctness of our solution by using the Scyther security verification tool.

Keywords Authentication · Bank · Card · Confidentiality · EMV · Vulnerabilities · NFC · Security

Mobile money traceability and federation using blockchain services

Kodjo Edem Agbezoutsi1 · Pascal Urien1 · Toundé Mesmin Dandjinou2

(1) LTCI – Telecom ParisTech, 19 Place Marguerite Perey, Palaiseau, France
(2) Université Nazi BONI 01 BP 1091, Bobo-Dioulasso 01, Burkina Faso

Abstract This paper discusses a new approach to mobile money, a money transfer solution via mobile phone that uses accounts associated with Subscriber Identity Module (SIM) identifiers and is managed by Mobile Network Operators (MNOs). The first such solution, M-PESA, launched in Kenya in 2007, is one of the world’s major mobile money services. Mobile money has become the new monopoly of MNOs in an economic system where the rate of unbanked adults is very high. Currently, in 2019, Orange Money makes nearly 1.5 million transactions per day, which corresponds to a monetary value of nearly 15 billion CFA francs (CFA franc, officially African Financial Community franc) per day. Unstructured Supplementary Service Data (USSD) is the core technology of mobile money transactions. Blockchain, the underlying technology of the first cryptocurrency, Bitcoin, has drawn a lot of global attention in recent years, and its field of action keeps widening. The rate of unbanked people is so high in developing countries that it hinders economic development. According to the World Bank, mobile money helps to overcome this obstacle. In this paper, we present the state of the art of mobile money and its underlying technologies in sub-Saharan countries in general, and in Burkina Faso in particular. We propose a mobile money solution based on the blockchain in order to increase security and trust, and to move towards a federation of mobile money platforms.

Keywords Security · Blockchain · Payments · Mobile Money · USSD · Traceability · Trust

Understanding cyberbullying as an information security attack—life cycle modeling

Patricio Zambrano1 · Jenny Torres1 · Ángel Yánez1 · Alexandra Macas1 · Luis Tello-Oquendo2

(1) Department of Informatics Computer Science, Escuela Politécnica Nacional, Quito, Ecuador
(2) College of Engineering, Universidad Nacional de Chimborazo, Riobamba, Ecuador

Abstract Nowadays, cyberbullying cases are more common due to free access to technological resources. Studies of this phenomenon from the fields of computer science and computer security are still limited. Several factors, such as the lack of access to specific databases on cyberbullying, the lack of unified scientific criteria for assessing the nature of the problem, or the absence of concrete proposals that prevent and mitigate this problem, could explain the lack of interest among researchers in the field of information security in generating significant contributions. This research proposes a cyberbullying life cycle model through topic modeling and conceptualizes the different stages of the attack considering criteria associated with computer attacks. This proposal is supported by a review of the specific literature and by knowledge bases gained from the experiences of victims of online harassment and from tweets by attackers.

Keywords Cyberbullying · Pattern behavior · APT · Social engineering

Information security management frameworks and strategies in higher education institutions: a systematic review

Jorge Merchan-Lima1 · Fabian Astudillo-Salinas1 · Luis Tello-Oquendo2 · Franklin Sanchez3,4 · Gabriel Lopez-Fonseca3,4 · Dorys Quiroz5

(1) Departamento de Eléctrica Electrónica y Telecomunicaciones, Universidad de Cuenca, Cuenca, Ecuador
(2) College of Engineering, Universidad Nacional de Chimborazo, Riobamba, Ecuador
(3) Departamento de Electrónica Telecomunicaciones y Redes de Información, Escuela Politécnica Nacional, Quito, Ecuador
(4) Facultad de Informática, Universidad Nacional de la Plata, La Plata, Argentina
(5) Departamento de Ciencia de la Computación, Universidad de las Fuerzas Armadas, Quito, Ecuador

Abstract Effective information security management (ISM) practices to protect the information assets of organizations from security intrusions and attacks are imperative. In that sense, a systematic literature review of academic articles focused on ISM in higher education institutions (HEIs) is conducted. For this purpose, an empirical study was performed. Studies carried out from 2012 onward, reporting results from HEI data where ISM is performed through various means, such as a set of framework functions, implementation phases, infrastructure services, and safeguards for their assets, have been explored. The articles found were then analyzed following a methodological procedure consisting of a systematic mapping study with its research questions, inclusion and exclusion criteria, selection of digital libraries, and analysis of the respective search strings. A set of competencies, resources, directives, and strategies that contribute to designing and developing an ISM framework (ISMF) for HEIs is identified based on standards such as ISO 27000, COBIT, ITIL, NIST, and EDUCAUSE. This study introduces a strategic reference that guides HEIs in the development of an ISMF and provides recommendations that should be considered for its implementation in an era of ever-evolving security threats.

Keywords Higher education institution · Framework · Information security · ISMF