A LINDDUN-Based framework for privacy threat analysis on identification and authentication processes

Robles-González, Antonio; Parra-Arnau, Javier; Forné, Jordi

doi:10.1016/j.cose.2020.101755

Cited by 9 publications

(4 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this way, threat modeling can help developers to write secure code, and at the same time, it can help penetration testers to carry out effective security testing. Commonly used threat modeling methods and technologies include STRIDE [14] , LINDDUN [15] , TRIKE [16] , ATTACK TREE [17] , DREAD [18] , VAST [19] , ATT&CK [20] , etc.…”

Section: Ivi Threat Analysismentioning

confidence: 99%

SP-E: Security Evaluation Framework of In-vehicle Infotainment System based on Threat Analyses and Penetration Tests

Zhang

Zhou

et al. 2023

J. Phys.: Conf. Ser.

View full text Add to dashboard Cite

With the increasing requirement of people, the functions of in-vehicle infotainment systems are becoming more and more abundant, and their security also affects the safety of vehicles. Therefore, it is more and more important to evaluate the security of the IVI system. This paper proposes a security evaluation framework for in-vehicle infotainment systems based on threat analyses and penetration tests. By constructing the data flow diagram of application scenarios, analyzing threats, combing the attack link diagram, combining white-box audit and black-box test, we use the characteristics of high efficiency of automatic tools and high accuracy of manual methods to set factor sets, and then the whole IVI system is evaluated by Analytic Hierarchy Process and Fuzzy Comprehensive Evaluation.

show abstract

Section: Ivi Threat Analysismentioning

confidence: 99%

SP-E: Security Evaluation Framework of In-vehicle Infotainment System based on Threat Analyses and Penetration Tests

Zhang

Zhou

et al. 2023

J. Phys.: Conf. Ser.

View full text Add to dashboard Cite

show abstract

“…In [67], Jordi Forne, Javier Parra-Arnau and Antonio Robles-Gonzalez investigated a LINDDUN extension that allows for a robust and systematically reproducible PTA (privacy threat analysis) of custom IA (identification and authentication) processes.…”

mentioning

confidence: 99%

A Survey on Threat-Modeling Techniques: Protected Objects and Classification of Threats

et al. 2022

View full text Add to dashboard Cite

Information security is one of the most important attributes of distributed systems that often operate on unreliable networks. Enabling security features during the development of a distributed system requires the careful analysis of potential attacks or threats in different contexts, a process often referred to as «threat modeling». Information protection should be comprehensive, but it is also necessary to take into account the possibility of the emergence of threats specific to a certain information system. Many public and private organizations are still trying to implement system models and the threats directed at them on their own. The main reason for this is the lack of useful and high-quality methodologies that can help developers design system models. This review explores a variety of the literature on confidentiality- and integrity-aware system design methodologies, as well as threat classification methods, and identifies key issues that may be referenced by organizations to make design system processes easier. In particular, this article takes a look at the extent to which existing methodologies cover objects of protection and methods of classifying threats, as well as whether there are such models of systems in which the object itself and the threats directed at it are described. This includes whether the compiled models exhibit symmetry or asymmetry. This literature research shows that methodologies appear to be heterogeneous and versatile, since existing methodologies often only focus on one object of protection (a system). Based on the given analysis, it can be concluded that the existing methodologies only relate superficially to the description of system models and threats, and it is necessary to develop a more complete abstract model of the protected object and threats aimed at it in order to make this model suitable for any organization and protect it against most threats.

show abstract

“…Our guide scrutinizes the extension of the LINDDUN PTA framework [16] so that the auditor profit from the knowledge included by us and we also combine it with the decision support that we added. This second contribution is also in [26].…”

Section: Privacy Threat Analysis Of the Verification Process In The M...mentioning

confidence: 76%

“…We apply and discuss the extension of LINDDUN in a two-fold proof-of-concept (PoC) scenario, one with a password a second with smartcard authentication. This first contribution is in [26].…”

Section: Privacy Threat Analysis Of the Verification Process In The M...mentioning

confidence: 96%

Private user-centric management of electronic services in smart communities

Robles González

View full text Add to dashboard Cite

(English) Smart community services are reaching nearly every area of our daily life, often requiring private information from their users. The scope of all contributors to these services is to collaboratively share information for the benefit of all stakeholders, including citizens (user), organizations, schools, and governing institutions. User contribution can be participatory --flence intentionally given --0r smart community services can gather information opportunistically from user sensors and/or APls nearly automatically or with less user influence. The present dissertation focuses on participatory user contribution. SCS increasingly demand consciously undertaken participatory user contributions, that predominantly require a login-based user verification process based on an identification (I) and authentication (A) process. Throughout this process, the user logs in with a user identity, regardless of whether it is a real one or not. The verification process is associated with immanent privacy threats to users. The users can contribute with tagging, posting, or uploading information demanded by the SCS, which may need reliability guarantees linked to the trustworthiness of the users. Nowadays becoming more aware about their privacy and right to self-determine, users are not so willing to contribute unconditionally to the SCS, leading to a conflict between user privacy and the SCS requirements. The verification process for a user login as well as his contributions implies user privacy threats. Chapter 3 and 4 of the dissertation focus on the privacy threat analysis (PTA) of the user verification process and chapter 5 on user self-determined privacy aware contributions to the SCS. Chapter 3 focuses on the PTA of the verification process in the modelling phase. We extend the scientifically grounded LINDDUN PT A framework to be used systematically for modelling of the verification process to perform a user login. Our contribution includes the modelling of the I and A processes, considering IA methods, the extension of the trust boundary concept, and extensively extends the privacy threat mapping table. Our contributions are assembled in a systematic and reproducible step-by-step guide intended for privacy auditors including knowledge and decision support, whereby the results do not depend on the knowledge of the auditor or his intuition. The results provide the requirements for the authentication schemes (AS) to be implemented or selected. Chapter 4 focuses on the PTA of the verification process of realized AS. Bonneau et al. proposed a comparison framework to extensively evaluate AS for usability (U), deployability (D) and security (S), namely, the UDS framework. We extend it with a new defined privacy (P) category to become the UDSP framework. Our evaluation of the 38 AS -including biometrics -with the UDSP framework reveal inter alia fundamental privacy threats, for which we propose guidelines for more secure implementations. Chapter 5 focuses on self-determined and user accepted revocable privacy. The contributing user in particular is exposed to privacy threats when he contributes to a critical incident of a SCS, that requires evidence and trustworthiness for the contribution. That is the reason why we propose a taxonomy concept for classifying the criticality of incidents, including a mapping to enhanced privacy requirements and the cryptographic primitives that would support their realization in a privacy preserving fashion. The taxonomy for user self-determination comprising enforceable graded revocable privacy, which is nonetheless partially applicable to the right to be forgotten, is exemplified for two proofs-of-concepts applying cryptographic primitives alike blacklistable anonymous credentials and group signatures with distributed management. (Español) Los servicios de comunidades inteligentes o smart community services (SCS) están en casi todos los ámbitos de la vida cotidiana, y a menudo requieren información privada de sus usuarios. Estas contribuciones son para beneficiar todos los interesados, entre otros, ciudadanos (usuarios), organizaciones, escuelas e instituciones de gobierno. La contribución de usuarios puede ser participativa (intencionada) o los SCS pueden recoger casi automáticamente información de modo oportunista de sensores y/o APIs o con poca influencia por el usuario. La tesis doctoral se centra en contribuciones participativas de usuarios. Los SCS demandan más contribuciones participativas, que predominantemente requieren un proceso de verificación de usuario basado en una entrada al sistema (login) aplicando un proceso de identificación (I) y autentificación (A). En este proceso el usuario lleva a cabo un login con una identidad de usuario, sea una real o no. El proceso de verificación contiene amenazas inherentes para la privacidad del usuario. Este puede contribuir etiquetando, publicando o subiendo cualquier información solicitada. El SCS requiere evidencia con veracidad. En la actualidad los usuarios son más conscientes de su privacidad y del derecho de autodeterminación y no están dispuestos a contribuir incondicionalmente, llevando esto a un conflicto entre la privacidad del usuario y requerimientos de los SCS. El proceso de verificación del login del usuario y las contribuciones contienen amenazas de privacidad. Capítulo 3 y 4 de la tesis doctoral se centran en el análisis de amenazas de privacidad (privacy threat analysis (PTA)) del proceso de verificación y el capítulo 5 en contribuciones autodeterminadas por el usuario que respetan su privacidad. Capítulo 3 se centra en el PTA del proceso de verificación en la fase del modelamiento. Extendemos el LINDDUN PTA framework para ser aplicable sistemáticamente en el modelamiento del proceso de verificación del login de usuario. Nuestra contribución modela el proceso de I y A, considera métodos de IA, extiende los límites de confianza y amplía extensamente la tabla de mapeo de amenazas de privacidad. Hemos agrupado nuestras contribuciones en una guía paso a paso sistemática y reproducible, que incluye conocimiento y soporte de decisión, por lo cual los resultados no dependen del conocimiento o intuición del auditor. Los resultados facilitan los requerimientos para elegir o implementar sistemas de autentificación (authentication systems, AS). Capítulo 4 se centra en el PTA del proceso de verificación de los AS desarrollados. Los AS son evaluados ampliamente respecto a su usabilidad (U), posibilidad de despliegue (D) y seguridad (S) con el UDS framework de Bonneau et al. Extendemos UDS con una nueva categoría de privacidad (P) y se convierte en el UDSP framework. Nuestra evaluación de los 38 AS con el UDSP framework entre otras revela amenazas de privacidad elementales, así que proponemos pautas para una implementación más segura. Capítulo 5 se centra en la autodeterminación y revocabilidad de la privacidad del usuario, aceptada por este. Él está en particular expuesto a amenazas de privacidad cuando contribuye a incidentes críticos del SCS, que requieren una contribución con evidencia y veracidad. Esta es la razón por la que proponemos una taxonomía para la clasificación de la criticalidad de los incidentes incluyendo requerimientos de privacidad de usuario ampliados y primitivas criptográficas, que facilitan una realización manteniendo la privacidad. La taxonomía para la autodeterminación del usuario incluye – ejecutable por el usuario – privacidad escalonadamente revocable, que no obstante ya es parcialmente aplicable al derecho al olvido. Esta taxonomía se explica en dos pruebas de concepto aplicando ejemplarmente primitivas criptográficas como blacklistable anonymous credentials y group signatures with distributed management.

show abstract

A LINDDUN-Based framework for privacy threat analysis on identification and authentication processes

Cited by 9 publications

References 13 publications

SP-E: Security Evaluation Framework of In-vehicle Infotainment System based on Threat Analyses and Penetration Tests

SP-E: Security Evaluation Framework of In-vehicle Infotainment System based on Threat Analyses and Penetration Tests

A Survey on Threat-Modeling Techniques: Protected Objects and Classification of Threats

Private user-centric management of electronic services in smart communities

Contact Info

Product

Resources

About