Filter by type:

Sort by year:

Contemporary Cryptography: Theory and Applications

John Iliadis
Book Chapter M. Burmester, S. Gritzalis, S. Katsikas, V. Chrissikopoulos (Eds) | Papasotiriou Publications | March 2011 | ISBN-10: 9607182766
image

Message Authentication Codes, Chapter 11, pp. 423-439

Η αυθεντικοποίηση ενός μηνύματος διακρίνεται στην επαλήθευση της ακεραιότητας του περιεχόμενού του (data integrity) και την επαλήθευση της προέλευσής του (data origin authentication). Οι μηχανισμοί που χρησιμοποιούνται για την υλοποίηση της υπηρεσίας αυθεντικοποίησης μηνυμάτων φέρουν την ονομασία Message Authentication Codes - MAC (Κώδικες Αυθεντικοποίησης Μηνύματος)...

Information Systems Security

John Iliadis
Book Chapter Katsikas S., Gritzalis D., Gritzalis S. (Eds.) | New Technology Publications | January 2004 ISBN-10: 9608105579
image

Malicious Software, Chapter 8, pp.235-265

Κακόβουλο είναι το λογισμικό που περιέχει τις απαιτούμενες εντολές για μία επίθεση σε ένα υπολογιστικό σύστημα. Το Κακόβουλο Λογισμικό διακρίνεται σε κατηγορίες, ανάλογα με τον τρόπο αναπαραγωγής του και την αυτονομία του από άλλα προγράμματα-ξενιστές, και σε επιμέρους είδη ανάλογα με τον τρόπο δράσης του. Τα αντίμετρα κατά του Κακόβουλου Λογισμικού διακρίνονται σε τρεις κατηγορίες: αντίμετρα πρόληψης, ανίχνευσης και επανόρθωσης. Κάθε κατηγορία περιλαμβάνει διάφορα είδη αντιμέτρων, εκ των οποίων το πλέον γνωστό είναι το αντιβιοτικό λογισμικό. Το Κακόβουλο Λογισμικό απασχολεί -πλέον- ιδιαίτερα τόσο την επιστημονική κοινότητα, όσο και τους υπεύθυνους διαχείρισης Πληροφοριακών Συστημάτων, λόγω της μεγάλης εξάπλωσής του. Η μεγάλη εξάπλωση του Κακόβουλου Λογισμικού οφείλεται σε τρεις -κυρίως- λόγους: η εξάπλωση των δικτύων δεδομένων, μέσω των οποίων το Κακόβουλο Λογισμικό αναπαράγεται με γρήγορους ρυθμούς, το γεγονός ότι δεν υπάρχει πλέον σαφής διαχωρισμός μεταξύ των εννοιών "δεδομένα" και "εκτελέσιμο πρόγραμμα" (εξαιτίας της εμφάνισης αρχείων δεδομένων που περιέχουν και μακρο-εντολές), και η έλλειψη επίγνωσης των χρηστών σχετικά με τους τρόπους αντιμετώπισης του Κακόβουλου Λογισμικού Σε αυτό το κεφάλαιο παρουσιάζουμε μία κατηγοριοποίηση του Κακόβουλου Λογισμικού και αναλύουμε τα επιμέρους είδη του. Επιπλέον, παρουσιάζουμε τα αντίμετρα που χρησιμοποιούνται κατά του Κακόβουλου Λογισμικού και αναλύουμε ειδικότερα τον τρόπο λειτουργίας του αντιβιοτικού λογισμικού. Τέλος, παρουσιάζουμε συγκεκριμένες μελέτες περιπτώσεων Κακόβουλου Λογισμικού.

A Critical View on Internet Voting Technology

E. Tsekmezoglou, J. Iliadis
Journal PaperThe Electronic Journal for E-Commerce Tools & Applications (eJETA.org), Vol 1, Issue 4, January 2006

Abstract

We present a set of requirements for Internet voting protocols. We also present a short overview of the most prominent Internet voting protocols published so far, and we provide a comparative evaluation of those protocols, using the set of requirements we have developed. We proceed with discussing our thoughts regarding possible improvements in e-voting protocols. Internet is an application with a vision to the future. Nevertheless, a lot of work needs to be done before it can be accepted for large-scale elections.

Towards Secure Sealing of Privacy Policies

Kostas Moulinos, John Iliadis, Vassilis Tsoumas
Journal PaperInformation Management and Computer Security, Vol. 12, No. 4, pp. 350-361, MCB University Press, August 2004

Abstract

A common practice among companies with an online presence is to sign on to a "seal" programme in order to provide customers with a sense of security regarding the protection of their personal data. Companies must adhere to a set of rules, forming a privacy protection policy designed by the seal issuer in accordance to underlying laws, regulatory frameworks and related best practice. Some of the most widely used seal programmes are TRUSTe, BBOnline, WebTrust and BetterWeb. Using the functionality they offer a user can verify online that a specific organisation adheres to a published privacy policy. In this paper, we argue that the verifications means these programmes use are vulnerable to DNS spoofing attacks. Furthermore, we present a privacy policy verification ("seal") scheme, which is not vulnerable to the aforementioned attack. We also argue that there are disadvantages in operating seal schemes that attempt to publicly certify compliance levels with a self-regulatory privacy protection model. On the contrary, these disadvantages are softened when used in a regulatory model that has adopted comprehensive laws to ensure privacy protection.

Towards a Framework for Evaluating Certificate Status Information Mechanisms

John Iliadis, Stefanos Gritzalis, Diomidis Spinellis, Danny De Cock, Bart Preneel, Dimitris Gritzalis
Journal PaperComputer Communications, Vol.26, No.16, pp. 1839-1850, Elsevier Science, October 2003

Abstract

A wide spectrum of certificate revocation mechanisms is currently in use. A number of them have been proposed by standardisation bodies, while some others have originated from academic or private institutions. What is still missing is a systematic and robust framework for the sound evaluation of these mechanisms. We present a mechanism-neutral framework for the evaluation of certificate status information (CSI) mechanisms. These mechanisms collect, process and distribute CSI. A detailed demonstration of its exploitation is also provided. The demonstration is mainly based on the evaluation of Certificate Revocation Lists, as well as of the Online Certificate Status Protocol. Other well-known CSI mechanisms are also mentioned for completeness.

ADoCSI: Towards an Alternative Mechanism for Disseminating Certificate Status Information

John Iliadis, S. Gritzalis, D. Gritzalis
Journal PaperComputer Communications, Vol.26, No.16, pp. 1851-1862, Elsevier Science, October 2003

Abstract

Several mechanisms have been proposed for disseminating information regarding the status of a digital certificate, each one with its own advantages and disadvantages. We believe that what is still missing from such mechanisms is transparency. A user should not need to comprehend the mechanics of such mechanisms in order to verify a certificate. In this paper, we present a mechanism called ADoCSI that supports transparency in disseminating certificate status information.

Deploying a Secure Cyberbazaar by adding Trust on Commercial Transactions

D. Spinellis, K. Moulinos, J. Iliadis, D. Gritzalis, S. Gritzalis, S. Katsikas
Journal PaperThe Electronic Journal for E-Commerce Tools & Applications (eJETA.org), Vol. 1, Issue 2, November 2002

Abstract

Traditional business practice depends on trust relations between the transacting parties. One of the most important aspects of this trust is the quality of the offered services or products. The Web currently constitutes an enabler for Electronic Commerce, providing a global transaction platform that does not require physical presence. However, transferring trust from the physical world to the electronic one is a process that requires a trust infrastructure to be provided by the electronic world. We believe that current infrastructure models based on Trusted Third Parties can be enhanced. We introduce the notion of Digital Seals and we provide a mechanism for transferring the trust placed by users to companies in the physical world, to the electronic one

Distributed Component Software Security Issues on Deploying a Secure Electronic Environment

Gritzalis S., Iliadis J., Oikonomopoulos S.
Journal PaperLibrary Computing (formerly Library Software Review), Vol.19, No.3, pp. 212-221, MCB University Press, April 2001

An integrated Architecture for deploying a Virtual Private Medical Network over the Web

Gritzalis S., Gritzalis D., Moulinos K., Iliadis J.
Journal PaperMedical Informatics and the Internet in Medicine journal, Vol 26, Issue No 1, pp. 49-72, Taylor & Francis Publications, January 2001

Abstract

In this paper we describe a pilot architecture aiming at protecting Web-based medical applications through the development of a virtual private medical network. The basic technology, which is utilized by this integrated architecture, is the Trusted Third Party (TTP). In specific, a TTP is used to generate, distribute, and revoke digital certificates to/from medical practitioners and healthcare organizations wishing to communicate in a secure way. Digital certificates and digital signatures are, in particular, used to provide peer and data origin authentication and access control functionalities. We also propose a logical Public Key Infrastructure (PKI) architecture, which is robust, scalable, and based on standards. This architecture aims at supporting large-scale healthcare applications It supports openness, scalability, flexibility and extensibility, and can be integrated with existing TTP schemes and infrastructures offering transparency and adequate security. Finally, it is demonstrated that the proposed architecture enjoys all desirable usability characteristics, and meets the set of criteria, which constitutes an applicable framework for the development of trusted medical services over the Web.

Distributed Component Software Security Issues on Deploying a Secure Electronic Marketplace

S. Gritzalis, J. Iliadis, S. Oikonomopoulos
Journal PaperInformation Management and Computer Security, Vol. 8, Issue no. 1, pp. 5-13, MCB University Press, February 2000.

Abstract

A Secure Electronic Marketplace involves a significant number of real-time transactions between remote systems, either for commercial or for authentication purposes. The underlying infrastructure of choice to support these transactions seems to be a Distributed Component Architecture. Distributed Component Software (DCS) is the natural convergence of client/server network computing and object oriented technology in a mix providing reusability, scalability and maintainability for software constructs. In DCS a client acquires references to objects provided by components located to remote machines and invokes methods of them as if they were located in its native environment. One implementation [20] also provides the ability to pass objects by value, an approach recently examined also by others [18]. The three major models in the distributed component software industry are OMG’s CORBA, Sun’s Enterprise Java Beans, and Microsoft’s DCOM. Besides these, we will discuss the progress for interoperable DCS systems performed in TINA, an open architecture for telecommunication services based on CORBA distributed components. In this paper the security models of each architecture are described and their efficiency and flexibility are evaluated in a comparative manner. Finally, upcoming extensions are discussed.

Trusted Third Party Services for deploying Secure Telemedical Applications over the World Wide Web

Spinellis S., Iliadis J., Gritzalis S., Katsikas S., Gritzalis D.
Journal PaperComputers & Security, Vol. 18, no. 7, pp. 627-639, Elsevier Science, 1999

Abstract

The EUROMED-ETS schema provides a robust security framework for telemedical applications operating over the World Wide Web. It is based on a trusted third party architecture under which certificate authorities store the public-key certificates of participating hospitals and medical practitioners. Digital signatures are used to provide peer and data origin authentication, and, in combination with access control lists, to provide access control. The deployed infrastructure is based on off-the-shelf available clients and servers, and provides functions for electronic registration of participants, session initialisation, user authentication, key generation and personalisation, certificate generation, distribution, storage and retrieval, certificate revocation lists, and auditing. It was found that, as the underlying technologies mature, a Web-based trusted third party architecture provides a viable solution for delivering secure telemedical applications.

Developing Secure Web based Medical Applications

Gritzalis S., Iliadis J., Gritzalis D., Spinellis D., Katsikas S.
Journal PaperMedical Informatics and the Internet in Medicine Journal, vol.24, No.1, pp.75-90, Taylor & Francis Publications, 1999

Abstract

The EUROMED-ETS pilot system offers a number of security functionalities using off-the-shelf available products, in order to protect Web-based medical applications. The basic concept used by the proposed security architecture is the Trusted Third Party (TTP). A TTP is used in order to generate, distribute and revoke digital certificates to medical practitioners and healthcare organisations that wish communicate securely. Digital certificates and digital signatures are used to provide peer and data origin authentication and access control. The paper demonstrates how TTPs can be used effectively in order to develop medical applications that run securely over the World Wide Web.

Using trusted third parties for secure telemedical applications over the WWW: The EUROMED-ETS approach

Sokratis K. Katsikas, Diomidis D. Spinellis, John Iliadis, Bernd Blobel
Journal PaperInternational Journal of Medical Informatics vol. 49, Issue 1, pp. 59-68, Elsevier Science, 1998.

Abstract

This paper reports on the results obtained by the pilot operation of Trusted Third Parties (TTP) for secure telemedical applications over the WWW The work reported on herein was carried out within the context of EUROMED-ETS, a R&D project funded by the INFOSEC office of Directorate General XIII of the European Union. The paper discusses the platform used, the security needs of the specific application, the TTP solution provided, the steps taken in order to implement the solution at a pilot scale and the results of the pilot opreration; it is compiled using material included in the project deliverables.

PyTHIA: Towards Anonymity in Authentication

D. Gritzalis, K. Moulinos, J. Iliadis, C. Lambrinoudakis, S. Xarhoulakos.
Conference PapersProceedings of the IFIP 16th International Conference on Information Security (Eds. M. Dupuy, P. Paradinas), pp. 1-17, Kluwer Academic Publishers, Paris-France, 2001

Abstract

There is a scale between authentication and anonymity, which is currently leaning towards the side of authentication, when it comes to e-commerce. Service providers and merchants are usually keeping track of user-related information in order to construct behavioural profiles of their customers. Service providers and merchants also correlate profiles of this kind, stemming from different sources, in order to increase their profit. This correlation is usually performed with the use of Unified Codes. Authentication, confidentiality, integrity, authentication, and non-repudiation are necessary functionalities for enabling e-commerce. Most of the currently used mechanisms that support these services do not provide anonymity. This paper presents PyTHIA, a mechanism, which is based on the use of Message Digest Algorithms and the intermediation of Trusted Third Parties in order to provide anonymity to e-commerce users who have to authenticate themselves in order to access services or buy goods from service providers and merchants respectively. With PyTHIA e-commerce users are able to authenticate without giving away any personal data and without using Unified Codes. In addition, PyTHIA ensures that service providers and merchants can effectively trace a customer in case he behaves maliciously.

Evaluating Certificate Status Information Mechanisms

J. Iliadis, D. Spinellis, S. Katsikas, D. Gritzalis, B. Preneel.
Conference PapersProceedings of the 7th ACM Conference on Computer and Communication Security (Ed. P. Samarati), pages 1-8. ACM Press, Athens-Greece, November 2000

Abstract

A wide spectrum of certificate revocation mechanisms is currently in use. A number of them have been proposed by standardisation bodies, while some others have originated from academic or private institutions. What is still missing is systematic and robust framework for the sound evaluation of these mechanisms. We present a mechanism-neutral framework for the evaluation of mechanisms, which collect, process and distribute certificate status information. A detailed demonstration of its exploitation is also provided. The demonstration is mainly based on the evaluation of Certificate Revocation Lists, as well as of the Online Certificate Status Protocol.

A Taxonomy of Certificate Status Information Mechanisms

Ioannis S. Iliadis, Diomidis Spinellis, Sokratis Katsikas and Bart Preneel
Conference PapersInformation Security Solutions Europe ISSE 2000, European Forum for Electronic Business, Barcelona, Spain, September 2000

Abstract

A number of mechanisms have been proposed for generating and disseminating information on the status of certificates. Their operation is different, if not contradicting sometimes, and advantages and disadvantages depend on the requirements of the underlying PKI. PKI designers and implementors should perform a small scale study before deploying such a mechanism in a specific PKI, in order to select the most suitable mechanism for their environment. This paper presents a method for categorising Certificate Status Information mechanisms, depending on their elementary functionality. This taxonomy can be used as a guide for selecting CSI mechanisms to be used in large-scale PKI deployment efforts.

Towards Secure Downloadable Executable Content: The Java Paradigm

Iliadis J., Gritzalis S., Oikonomou V.
Conference PapersProceedings of the SAFECOMP '98 EWICS & IFIP 17th International Conference on Computer Safety, Reliability and Security (Ed. W. D. Ehrenberger), pp. 117-127, Lecture Notes in Computer Science 1516, Springer Verlag, Heidelberg-Germany, October 1998

Abstract

Java is a programming language that conforms to the concept of downloadable, executable content. Java offers a wide range of capabilities to the application programmer, the most important being that a program may be executed remotely, without any modification, on almost any computer regardless of hardware configuration and operating system differences. However, this advantage raises a serious concern : security. When one downloads and executes code from various Internet sources, he is vulnerable to attacks by the code itself. A security scheme must be applied in order to secure the operations of Java programs. In this paper, the Java security scheme is examined and current implementations are evaluated on the basis of their efficiency and flexibility. Finally, proposed enhancements and upcoming extensions to the security model are described.

Security issues surrounding the Java programming language

Gritzalis S., Iliadis J., Oikonomou V.
Conference PapersProceedings of the XV IFIP World Computer Congress: 14th IFIPSEC '98 International Information Security Conference (Eds. G. Papp, R. Posch), pp. 3-14, IFIP & Austrian Computer Society, Vienna-Austria, September 1998

Abstract

JAVA is claimed to be a programming language that introduces new methods for platform?independent development and remote execution. However, the ability to download, integrate, and execute code from a remote computer raises serious concerns about JAVA's effect on network security. In this paper, a brief introduction to the JAVA programming language is given, the potential security risks of downloadable executable content is discussed, the details of the proposed JAVA security mechanism are presented, and an evaluation of the current implementations is discussed. Finally, proposed enhancements and upcoming extensions to the security model are described.

Addressing security issues in programming languages for mobile code

Gritzalis S., Iliadis J.
Conference PapersProceedings of the DEXA '98 9th Workshop of Database and Expert Systems Applications (Ed. R. Wagner), pp. 288-293, IEEE Computer Society Press, Vienna-Austria, August 1998

Abstract

The services offered to the Internet community have been constantly increasing the last few years. This is mainly due to the fact that mobile code has matured enough in order to provide the Internet users with high quality applications that can be executed remotely. When a user downloads and executes code from various Internet sources, security issues arise. In this paper, we are addressing the latter and we present a comparative evaluation of the methods used by Java, Safe-Tcl and ActiveX in order to confront with these issues, based on current security functions and implementations as well as on future adjustments and extensions.

Using trusted third parties for secure telemedical applications over the WWW: The EUROMED-ETS approach

Sokratis K. Katsikas, Diomidis D. Spinellis, John Iliadis, Bernd Blobel
Conference PapersPre-Proceedings of the IMIA WG4 working Conference on Common Security Solutions for Communicating Patient Data, International Medical Informatics Association (IMIA), Osaka/Kobe, Japan, November 1997

Abstract

This paper reports on the results obtained by the pilot operation of Trusted Third Parties (TTP) for secure telemedical applications over the WWW The work reported on herein was carried out within the context of EUROMED-ETS, a R&D project funded by the INFOSEC office of Directorate General XIII of the European Union. The paper discusses the platform used, the security needs of the specific application, the TTP solution provided, the steps taken in order to implement the solution at a pilot scale and the results of the pilot opreration; it is compiled using material included in the project deliverables.

Trusted Third Parties: Technological Achievements and Focus on the Greek Case

Iliadis J., Kalentis K.
Trade PublicationsCommunication Solutions Journal (Greece), June 2004. In Greek.

Abstract

This paper reports on the results obtained by the pilot operation of Trusted Third Parties (TTP) for secure telemedical applications over the WWW The work reported on herein was carried out within the context of EUROMED-ETS, a R&D project funded by the INFOSEC office of Directorate General XIII of the European Union. The paper discusses the platform used, the security needs of the specific application, the TTP solution provided, the steps taken in order to implement the solution at a pilot scale and the results of the pilot opreration; it is compiled using material included in the project deliverables.

ADoCSI: Alternative Dissemination of Certificate Status Information

John Iliadis
DissertationsPhD thesis, Department of Information & Communication System Engineering, University of the Aegean, Greece, 2008

Abstract

PKI seems to be here to stay. PKI does provide solutions to quite many problems but at the same time it introduces a new problem to be solved: certificate lifecycle management. In this thesis, we focus on certificate revocation and the way that Certificate Status Information (CSI) is being disseminated to the appropriate stakeholders. Quite many CSI mechanisms have been proposed already, each one attempting to improve some aspect or aspects of the CSI dissemination process. This is good for research, simply because this is how research moves on. Step after step, improvement over improvement, counter proposition over proposition, trial and error. However, there does not seem to exist a unified framework for the comparative evaluation (be it qualitative and/or quantitative) of the various CSI mechanisms already proposed in literature. We argue that such an evaluation framework could prove to be useful in further advancing research in the domain, especially now that many different CSI mechanisms have already appeared in the literature. Such an evaluation framework could also prove to be useful in real life scenarios (i.e. outside the research lab), when someone has to decide on the CSI mechanism to use, depending on the needs of the particular case.

Another issue with the proposed CSI mechanisms is that they focus on improving performance and timeliness of information, downsizing bandwidth requirements, meeting legal requirements. However, there is one actor in the PKI scene one almost always neglects to take into account: the end user. PKI addresses to the masses, but the average end user is probably not tech savvy. One should not expect the end user to comprehend the inner workings of the CSI mechanism in order to use it effectively. One should not probably expect as well the end user to appreciate the need for locating, retrieving and verifying CSI and to act upon that.

It seems that right now the weakest link in the chain of PKI is the end user who may (or may not) use the available CSI mechanisms to verify some signed piece of information or verify the authentication data some entity provides. CSI research should also focus on improving this aspect, i.e. the transparency of CSI mechanisms.

In this thesis, we present a taxonomy of CSI mechanisms and an evaluation framework for them. We also use our evaluation framework in order to present a comparative evaluation of the CSI mechanisms proposed in the literature. We believe our evaluation framework can be of use in further researching CSI mechanisms.

We then focus on the issue that most CSI mechanisms tend to neglect: that of CSI mechanism transparency. A user should not have to comprehend the mechanics of CSI mechanisms in order to use them and should not also be highly trained regarding security to be able to operate in the PKI world.

We develop a prototype for a CSI dissemination mechanism, which we call Alternative Dissemination of Certificate Status Information (ADoCSI). This mechanism uses Software Agents in order to disseminate CSI, and also uses some of the properties and functionality offered by the other CSI mechanisms. We believe that ADoCSI addresses some of the issues that emerge from the use of the other Certificate Status Information dissemination mechanisms. It certainly increases the level of transparency, thus providing a solution to the aforementioned β€œweakest link” problem, being the dependent entity, which one should not expect to have high levels of information security awareness.

On the Dissemination of Certificate Status Information

John Iliadis
DissertationsMSc dissertation, MSc in Information Security, Royal Holloway College, University of London, UK, 1999

Abstract

There has been an increasing interest in the deployment of Public Key Infrastructures, the past few years. Security issues emerge from the operation of Certification Authorities, as well as the operation of other PKI ‑ related security service providers. Most of them have been addressed and efficient solutions have been found. One of the areas which has to be studied further is the generation and dissemination of information regarding the status of a digital certificate. i In this dissertation, we present a set of evaluation criteria for mechanisms that are used to generate and disseminate Certificate Status Information (CSI). We evaluate the proposed CSI mechanisms according to the aforementioned criteria, and identify the security and performance issues that emerge from their use. i

Finally, we develop a prototype specification for a CSI dissemination mechanism, which we call Alternative Dissemination of Certificate Status Information (ADOCSI). This mechanism uses the functionality offered by Software Agents in order to disseminate CSI, and also uses some of the properties and functionality offered by the other CSI mechanisms. We believe that ADOCSI addresses some of the issues that emerge from the use of the other Certificate Status Information dissemination mechanisms.

ACT: Algorithm Comparison Tool

John Iliadis
DissertationsBSc dissertation, BSc in Software Engineering, Department of Informatics, Technological Educational Institute of Athens, Greece, 1996. In Greek