We propose to enhance the Next Generation Internet by creating a secure and scalable communication infrastructure that mirrors the structure of the real world: people talk to people, objects, objects between themselves and, in general, entities denoted by digital identities communicating with each other. We start from the digital identity and create a view in the communication sphere which is singular, unique, and optimized for that particular digital identity, building an identity plane that allows entities to address each other in an "identity to identity" approach. We use stackable overlay networks to deliver messages among communication parties and we look at the performance issues related with such kind of networks, being able to come halfway to the optimum.

Keywords: digital identity, identity-to-identity, next generation internet, overlay network

Electronic transactions are becoming more important everyday. Several tasks like buying goods, booking flights or hotel rooms, or paying for streaming a movie, for instance, can be carried out through the Internet. Nevertheless, they are still some drawbacks due to security threats while performing such operations. Trust and reputation management rises as a novel way of solving some of those problems. In this paper we present our work TRIMS (a privacy-aware trust and reputation model for identity management systems), which applies a trust and reputation model to guarantee an acceptable level of security when deciding if a different domain might be considered reliable when receiving certain sensitive user’s attributes. Specifically, we will address the problems which surfaces when a domain needs to decide whether to exchange some information with another possibly unknown domain to effectively provide a service to one of its users. This decision will be determined by the trust deposited in the targeting domain. As far as we know, our proposal is one of the first approaches dealing with trust and reputation management in a multi-domain scenario. Finally, the performed experiments have demonstrated the robustness and accuracy of our model in a wide variety of scenarios.

This paper describes an identity based mobility architecture, which relies on the Identity Management System for mobility decision and execution. This is achieved by clearly separating mobility into a two step procedure: decision and action. The decisions are outsourced on the Identity plane, while the action (moving) is carried out by a protocol agnostic mobility architecture.

A proposed identity management framework provides privacy protection, by means of virtual identities, and cross-layer single sign-on for users who subscribe to multiple service and identity providers.

There are two problem areas of the current Internet to be solved in Future Internet scenarios - security and putting the user back in control despite the move to the Internet of things. With this in mind, we address problems associated with the diversifying of the Internet towards an Internet of things, and with increased ways to be reachable, whether the user wants it or not, in the digital world. The paper presents two approaches to cope with the problem: The Identinet and a concept designated by the digital shadow. The paper presents an architecture based on these concepts.

Keywords: Digital identity, Digital shadow, Future Internet, Identinet, Identity, Internet of things, Privacy, Security, Virtual identity

Making pervasive computing reality is a challenging task mainly due to the multitude of functional requirements and technological constraints. In parallel to the honourable research progress in specific technologies, the Daidalos project assessed that in future there will be the need for a pervasive service platform with open interfaces in order to simplify service development and provisioning. The success of such a platform depends on the balance of different aspects, e.g. operational costs with revenue potentials, collection of personal data for context-awareness with privacy protection, manual control and transparency with enhanced user experience and simplicity. In this paper we show the Daidalos approach to privacy protection and identity management for a future pervasive service platform and its architecture. We show how user identities are structured to support dynamic context information while following regulations for privacy protection in Europe. Special focus is put on the trade-off between access control for privacy protection and user experience. This is achieved by automated identity selection, automatic derivation of fine-grained access control policies and their deployment. We also present gathered performance data and implementation details of our ID Broker concept.

Identity Management has so far been a field mainly applications and Web focused. This paper describes a novel approach to cross layer identity management that extends digital identities to the network, the virtual identity (VID) framework. The VID framework provides strong privacy to the user, while easily supporting personalization cross-service providers. While other identity management solutions are tailored to one specific application and/or protocol domain, the proposed framework extends the use of one's digital identity to all aspects of the network and services architecture. It is also the first to consider legal constrains, such as ownership of data and legal intercept issues, in such a broad scope. One major aspect reported here is the relevance for operators.

Keywords: Digital identity, Identity, Privacy, Security, Telecommunications, Virtual identity

User privacy is a growing requirement in the evolution of communication networks. In this sense, the concept of virtual personae, which corresponds at different identities of the same user, starts getting much attention. However, to provide privacy and non-linkage between these virtual users, a cross-layer approach to identity needs to be supported. This paper proposes a solution to preserve the application layer privacy models by applying the virtual personae concept throughout the network stack. It also proposes mechanisms for non-correlation between identities in 4G mobile environments, and addresses the benefits of the evolving multi-homing characteristics of 4G networks to enrich the non-linkage between identities support of our privacy solution.

The use of converge-cast traffic and in-network processing to minimize the amount of transmitted data is a frequently used approach to increase the lifetime of a wireless sensor network (WSN). Consequently, when aiming at security for WSNs, one has to focus primarily on protecting this type of traffic. Some recent proposals support the encryption of converge-cast traffic with in-network processing. However, they either require the transmission of the sensors’ IDs, creating additional data overhead linear in the number of sensors, or require an elaborate key pre-distribution mechanism. In this paper we propose a solution for end-to-end encryption of converge-cast traffic with a simple key pre-distribution scheme causing additional data only logarithmic in the number of sensors. The scheme is robust with respect to unreliable channels, exhausted nodes, and routing flexibility. It supports refreshing the keys at the nodes, which has so far been fully neglected.

This paper details a novel architecture, MobiSplit [17], for managing mobility in future IP based networks. The architecture separates mobility management in two levels, local and global, that are managed in completely independent ways. We describe how such a mobility architecture can be used to support a new paradigm in mobility. By combining the user's identity with a multi physical virtual terminal we treat the movement of people rather than their physical manifestations in one device. We conclude by analyzing the concrete system, built from this new architecture and existing protocols, in terms of scalability, flexibility and security.

Wireless LAN and other radio broadcast technologies are now in full swing. However, the widespread usage of these technologies comes at the price of location privacy, be it by observing the communication patterns or the interface identifiers. Although a number of network level solutions have been proposed , this paper describes a novel approach to location privacy at the link layer level. We present a generic mechanism and then map it to a real protocol, IEEE 802.11. The work also provides an analysis of the protocol in terms of privacy and performance considerations.

Aggregator nodes commonly have the ability to read, corrupt or disrupt the flow of information produced by a Wireless Sensor Network (WSN). Despite this fact, existing aggregator node election schemes do not address an adversary that strives to influence the election process towards candidate nodes that it controls. We discuss the requirements that need to be fulfilled by a non-manipulable aggregator node election protocol. We conclude that these requirements can be satisfied by a distributed random number generator function in which no node is able to determine the output of the function. We provide and compare three protocols that instantiate such function.

Privacy and security are key aspects in future network architectures. The Host Identity Protocol (HIP) is a new proposal which decouples identifiers from locators and may eventually replace conventional addressing and network transport. In this document we propose an architecture that provides location privacy, based on HIP. We further validate our work by implementation and support the feasibility of our protocol by experimentation.

The Internet is today's most used tool for work and leisure. Identity is no longer a matter of who you are but also of the use you are giving to a service or even just network connection. As a result, the unprepared architectures of today need to support users at service level and usually tend to create situations where the privacy of the user is in danger. Our proposal is that the user¿s real identity is never revealed to the network. Instead, the users' interests and personalities are split and never intersected by the architecture, providing a framework in which the users' control on their information is predominant. The Virtual Identity framework has as its main objectives the privacy of the users' data, the unification and uniformity of how the users' data is accessed and the vertical approach to identity in network architectures.

This paper describes secure solutions for collecting and processing data in Wireless Sensor Networks (WSNs). Adequate security capabilities for medium and large scale WSNs are a hard but necessary goal to achieve to prepare these networks for the market. In addition, a framework is needed to be able to develop sensor networks for various application domains. We introduce a toolbox concept to support such a framework. The paper also includes an overview on security and reliability challenges for WSNs.

Routing in wireless sensor networks is different from that in commonsense mobile ad-hoc networks. It mainly needs to support reverse multicast traffic to one particular destination in a multihop manner. For such a communication pattern, end-to-end encryption is a challenging problem. To save the overall energy resources of the network, sensed data needs to be consolidated and aggregated on its way to the final destination. We present an approach that 1) conceals sensed data end-to-end by 2) still providing efficient and flexible in-network data aggregation. The aggregating intermediate nodes are not required to operate on the sensed plaintext data. We apply a particular class of encryption transformations and discuss techniques for computing the aggregation functions "average" and "movement detection". We show that the approach is feasible for the class of "going down" routing protocols. We consider the risk of corrupted sensor nodes by proposing a key predistribution algorithm that limits an attacker's gain and show how key predistribution and a key-ID sensitive "going down" routing protocol help increase the robustness and reliability of the connected backbone.

Once a wireless sensor network (WSN) is stable and has been running for a while,sensors start to fail due to hardware problems, battery exhaustion or even due to their physical destruction. In any case, the administrator of the network may wish to replace the damaged nodes with new ones to reinforce the coverage area. In this paper we make use of an out of band channel (OOB) to bootstrap an authenticated symmetric key. The protocol ensures that the new sensor nodes are currently part of the region covered by the network before negotiating sensitive key material and making them a part of the system and its operations. We describe a novel approach to group admission for wireless sensor networks using an OOB secure channel and perform a security evaluation over this protocol.

Applying wireless sensor networks to a broad variety of applications requires, without a doubt, end-user acceptance. End-users from various computer network unrelated disciplines, like for example from the agriculture sector, geography, health care, or biology, will only be able to use wireless sensor networks to support their daily work if the overall benefit beats the overhead of getting in touch with this new paradigm. This means, first and foremost, that once the WSN is deployed, it is easy to collect data also for a technical unexperienced audience. However, the trust in the system's confidentiality and its reliability should not be underestimated. Since for end-users from various disciplines the monitored data are of highest value they will only apply WSN technology to their professional activities if a proper and safe access control mechanism to the WSN is ensured. For FIPS 140-02 level 2 or level 3 conform sensor devices we provide an access control protocol for end-users of civilian WSN applications that i) ensures access to the monitored data only for authorized parties, ii) supports user-friendly data queries and iii) is DoS resilient to save the sensor nodes' battery capacity.

This paper describes secure solutions for collecting and processing data in Wireless Sensor Networks (WSNs) to provide useful information based on sensed data. WSNs have large potential in areas which range from agriculture to traffic safety and security in public places, generating new opportunities for industry. Adequate security capabilities for medium and large scale WSNs are a hard but necessary goal to achieve to prepare these networks for the market. In addition, a framework is needed to be able to develop sensor networks for various application domains. The paper introduces a toolbox concept to support such a framework. It also includes an overview on security and reliability challenges for wireless sensor networks.

In-network data aggregation is a popular technique for reducing the energy consumption tied to data transmission in a multi-hop wireless sensor network. However, data aggregation in untrusted or even hostile environments becomes problematic when end-to-end privacy between sensors and the sink is desired. In this paper we revisit and investigate the applicability of additively homomorphic public-key encryption algorithms for certain classes of wireless sensor networks. Finally, we provide recommendations for selecting the most suitable public key schemes for different topologies and wireless sensor network scenarios.

Privacy and security are important features for the future mobile wireless Internet since users expect a privacy level comparable to that of today's cellular networks. Separating identifiers from locators is a current practice in today's new network protocols and is a small step on the right direction. However, the separation must be maintained in the presence of an intruder who eavesdrops or manipulates the traffic. In this paper we present a generic framework that targets these problems at the network layer. We further instantiate this framework with an example architecture using well-known protocols which support mobility.

In wireless sensor networks there is a need to securely store monitored data in a distributed way whenever it is either not desired or simply not possible to transmit regional volatile information to an authorised recipient in real-time. In particular, for wireless sensor network applications with an asynchronous character, the wireless sensor network itself needs to store the monitored data. Since nodes may disappear over time, a replicated and read-protected, but yet space- and energy-efficient, data storage is mandatory. In this work we provide and analyse an approach for a tiny Persistent Encrypted Data Storage (tinyPEDS) of the environmental fingerprint for asynchronous wireless sensor networks. Even if parts of the network are exhausted, restoring rules ensure that, with a high probability, environmental information from past is still available.

This paper describes the Ad-hoc network integration architecture being developed inside the IST project Daidalos. This architecture contains the required functionalities to support efficient delivery of services, unicast and multicast, legacy and multimedia, to users connected to the ad-hoc network. For this purpose, several functionalities need to be in place. First, efficient routing and mobility mechanisms are proposed to decrease the overhead in the ad-hoc network. Second, distributed QoS mechanisms need to be developed to support service differentiation and resources control responsive to nodes mobility. Finally, security, charging and rewarding mechanisms are proposed to guarantee that only authorized users access the requested services, to increase the operators interest, and to ensure the correct behaviour of the users in the ad-hoc network.

This paper formally defines recognition as a new security principle closely related to authentication. Low-power, clean environments require the less authoritative security of recognition. We give general properties of recognition protocols based on the method of key disclosure. We examine previously proposed low-power protocols according to the environment and security model presented. Finally, we give measurements from an implementation of a recognition protocol called Zero Common- Knowledge and discuss how well this proof-of-concept satisfies the properties of the environment.

Keywords: Ad-hoc Networks, Security, Authentication, Identification, Low-Power

End-to-end encryption for wireless sensor networks is a challenging problem. To save the overall energy resources of the network it is agreed that sensed data need to be consolidated and aggregated on their way to the final destination. For such circumstances we present an approach that (1) conceals sensed data end-to-end, by (2) still providing efficient in-network data aggregation. The aggregating intermediate nodes are not required to operate on the sensed plaintext data. We apply a particular class of encryption transformation and exemplarily discuss the approach on the basis of two aggregation functions. We use actual implementation to show that the approach is feasible and flexible and frequently even more energy efficient than hop-by-hop encryption.

Keywords: Wireless sensor networks, data encryption, data aggregation, energy consumption, privacy homomorphism

End to end encryption schemes that support operations over ciphertext are of utmost importance for commercial private party Wireless Sensor Network (WSN) implementations to become meaningful and profitable. For WSNs we demonstrated in our previous work that homomorphic encryption schemes, when used for concealed data aggregation (CDA), offer two striking advantages apart from end-to-end concealment of data and ability to operate on ciphertexts: flexibility by keyless aggregation and conservation and balancing of aggregator backbone energy. We offered proof of concept by applying a certain Privacy Homomorphism for sensor network applications that rely on the addition operation. But a large class of aggregator functions like median computation or finding maximum/minimum rely exclusively on comparison operations. Unfortunately any Privacy Homomorpshism is insecure even against ciphertext only attacks, if they support comparsion operations. In this paper we show that a particular order preserving encryption scheme achieves the above mentioned energy benefits and flexibility when used to support comparison operations over encrypted texts for Wireless Sensor Networks, while also managing to hide the plaintext distribution and being secure against ciphertext only attacks. The scheme is shown to have reasonable memory and computation overhead when applied for WSNs.

Wireless sensor networks (WSN) are a particular class of ad hoc networks that attract more and more attention both in academia and industry. The sensor nodes themselves are preferably cost-cheap and tiny consisting of a) application specific sensors, b) a wireless transceiver, c) a simple processor, and d) an energy unit which may be battery or solar driven. Such sensor nodes are envisioned to be spread out over a geographical area to form in a truly self-organising manner a multi-hop network. Such a network may remain autonomous and local in nature, but also obtain gateway connectivity to larger area networks. Services provided by and within sensor networks may be pure data acquisition, but also derived added value services such as local hazard information broadcast. Potential applications for such a scenario can be found in monitoring environmental data with the objective to understand complex and geographical wide spread interdependencies of the nature. Examples are the detection of fire in huge forest areas, the monitoring of the road status (frosted, aquaplaning, oily, obstacle) at some particular points like bridges or curves, or the incremental shift of snow and rocks in the Alps. Within the IST-FP6 project Daidalos we intend to use WSNs for the Automobile scenario.

The classical network model where a user owns a device and the network wishes to provide a certain service with a certain Quality of Service (QoS), offering mobility, security and accounting for this specific device is now under siege. The device and the user are no longer the same. Users may not even own the devices they use, but rather lease them for a while. They may also want to just own a public screen at a public place ? say an airport ? for a few moments. Even the concept of user has changed tremendously. The idea that a user is a person has been overtaken by the abstraction of the concept where a user can be a person, a company, a University, a small shop or even a service.

End-to-end encryption for wireless sensor networks is a challenging problem. To save the overall energy resources of the network it is agreed that sensed data need to be consolidated and aggregated on their way to the final destination. For such circumstances we present an approach that conceals sensed and aggregated data end-to-end. Even the aggregating intermediate nodes are not enabled to read the sensed plaintext data. We apply a particular class of encryption transformation and exemplary discuss the approach on the basis of two aggregation functions. We show their appliance in hierarchical aggregator topologies and use actual implementation to show that the approach is feasible and frequently even more energy efficient than hop-by-hop encryption addressing a much weaker attacker model.

Keywords: Wireless sensor networks, Data encryption, Data aggregation, Energy consumption, Privacy Homomorphism

In order to keep up with new networking needs, it is necessary to adopt mechanisms for charging network usage in a universal way. The Secure Charging Protocol (SCP) aims at answering this complex authentication, authorization, accounting and charging (AAAC) problem. SCP fits business models especially adequate for ad-hoc networks. This document discusses SCP as a possible solution to the AAAC problems in MANETs and presents the improvements made to this protocol in terms of Quality of Service (QoS). An implementation of this protocol on PDAs and the results achieved are discussed.

The current state of today's networks allows us to take one step further in merging the research community's work with every day's life. Wireless ad hoc networks are already well developed for specific scenarios. This work shows how to build the link between the wired network and a wireless ad hoc infrastructure, in particular routing and AAAC aspects. Such integration might lead, for example, to a better spacial and resource distributed hotspot solution. We provide the basis for inter-operation of AAACAuthentication, Authorization, Accounting and Charging protocols known for the fixed network, with the accounting protocol that performs the accounting and charging functions in the ad hoc network. This paper further describes the implementation of the Secured Charging Protocol as an instantiation of a charging protocol for ad hoc networks and the features which were added to improve the interface to an external accounting system. It covers the interaction with the MANET routing protocol and how to deal with routes to or from outside the ad hoc cloud.

Recently, a number of approaches proposing various security aspects for routing protocols in mobile ad hoc networks have been proposed. In this work we do not introduce another proposal aiming at security in the context of ad hoc networks. Instead, we argue from a generalized view and answer the question: what security objectives are in principle achievable and what security features are not achievable at all, even when using unacceptable heavy weighted security features. Our contribution in this work is to derive from the available security mechanisms and from a reasonable ad hoc network specific attacker model a set of theoretically achievable security objectives. In particular we will also denote the majority of non practically achievable security objectives.

Keywords: Ad Hoc networks secure routing countermeasures

In order to keep up with new networking needs, it becomes necessary to adopt mechanisms for charging network usage in a universal way. The Secure Charging Protocol (SCP) aims at answering this complex authentication, authorization, accounting and charging (AAAC) problem, and provides a view based on a different business model, one that has been adjusted to cope with technological changes. This document discusses SCP as a possible solution to the AAAC problems in MANETs and addresses the improvements made to this protocol in terms of Quality of Service (QoS) and User Interfaces. An implementation of this protocol on PDAs is also described.

This paper describes the architecture and current capabilities of Carl, a prototype of an intelligent service robot, designed having in mind such tasks as serving food in a reception or acting as a host in an organization. The approach that has been followed in the design of Carl is based on an explicit concern with the integration of the major dimensions of intelligence, namely Communication, Action, Reasoning and Learning. The paper focuses on the multi-modal human-robot communication capabilities of Carl, since these have been significantly improved during the last year.

The development of robots capable of accepting instructions in terms of familiar concepts to the user is still a challenge. For these robots to emerge it s essential the development of natural language interfaces, since this is regarded as the only interface acceptable for a machine which expected to have a high level of interactivity with Man. Our group has been involved for several years in the development of a mobile intelligent robot, named Carl, designed having in mind such tasks as serving food in a reception or acting as a host in an organization. The approach that has been followed in the design of Carl is based on an explicit concern with the integration of the major dimensions of intelligence, namely Communication, Action, Reasoning and Learning. This paper focuses on the multi-modal human-robot language communication capabilities of Carl, since these have been significantly improved during the last year.

This paper describes the architecture and current capabilities of Carl, a prototype of an intelligent service robot, designed having in mind such tasks as serving food in a reception or acting as a host in an organization. The approach that has been followed in the design of Carl is based on an explicit concern with the integration of the major dimensions of intelligence, namely Communication, Action, Reasoning and Learning. The paper focuses on the multi-modal human-robot communication capabilities of Carl, since these have been significantly improved during the last year.

Keywords: human-robot communication, natural language processing, touch screen interaction, animated face

The paper presents the results of the project proposed to the authors (who are the 4th year students of LECT) and shows how the specified problem has been solved. The description of the project and the basic requirements have been considered in the papers [1,2].

This memo describes a framework for the Host Identity Protocol that provides location privacy and mobility to end hosts.

This memo describes a generic framework that aims at protecting the privacy of its users. It considers both the use of generic identifiers as well as concrete examples of applications. Furthermore, it provides a mobility framework with location privacy in mind.

This document proposes a security infrastructure for the NAT/FW traversal NSLP of the NSIS protocol. We begin with a description of the problem, followed by the proposed solution, based on public key infrastructure. The document finally deals with examples that clarify the proposed methods.

End-to-end encryption for wireless sensor networks is a challenging problem. To save the overall energy resources of the network it is agreed that sensed data need to be consolidated and aggregated on their way to the final destination. For such circumstances we present an approach that (1) conceals sensed data end-to-end, by (2) still providing efficient in-network data aggregation. The aggregating intermediate nodes are not required to operate on the sensed plaintext data. We apply a particular class of encryption transformation and discuss, using examples, the approach on the basis of two aggregation functions. This demonstrator consists of a prototype implementation of these functions in the actual sensors, together with visualization tools that make the solution visible.

In order to keep up with new networking needs, it is necessary to adopt mechanisms for charging network usage in a universal way. The Secure Incentive-based Charging Protocol (SICP) aims at answering this complex authentication, authorization, accounting and charging (AAAC) problem. This demonstrator focuses on SICP as a possible solution to the AAAC problems in MANETs and as an alternate business model.