CR May 18, 2021
Enabling self-verifiable mutable content items in IPFS using Decentralized Identifiers
Nikos Fotiou, Vasilios A. Siris, George C. Polyzos
In IPFS, content identifiers are constructed based on the item's data; therefore, the binding between an item's identifier and its data can be deterministically verified. Nevertheless, once an item is modified, its identifier also changes. Therefore, when it comes to mutable content, there is a need for keeping track of the "latest" IPFS identifier. This is achieved using naming protocols on top of IPFS, such as IPNS and DNSlink, that map a constant name to an IPFS identifier, allowing at the same time content owners to update these mappings. Nevertheless, IPNS relies on a cryptographic key pair that cannot be rotated, and DNSlink does not provide content authenticity protection. In this paper, we propose a naming protocol that combines DNSlink and decentralized identifiers to enable self-verifiable content items. Our protocol provides content authenticity without imposing any security requirement on DNSlink. Furthermore, our protocol prevents fake content even if attackers have access to the DNS server of the content owner or have access to the content owner's secret keys. Our proof of concept implementation shows that our protocol is feasible and can be used with existing IPFS tools.
CR Apr 23, 2021
Capability-based access control for multi-tenant systems using OAuth 2.0 and Verifiable Credentials
Nikos Fotiou, Vasilios A. Siris, George C. Polyzos
We propose a capability-based access control technique for sharing Web resources, based on Verifiable Credentials (VCs) and OAuth 2.0. VCs are a secure means for expressing claims about a subject. Although VCs are ideal for encoding capabilities, the lack of standards for exchanging and using VCs impedes their adoption and limits their interoperability. We mitigate this problem by integrating VCs into the OAuth 2.0 authorization flow. To this end, we propose a new form of OAuth 2.0 access token based on VCs. Our approach leverages JSON Web Tokens (JWT) to encode VCs and takes advantage of JWT-based mechanisms for proving VC possession. Our solution not only requires minimum changes to existing OAuth 2.0 code bases, but it also removes some of the complexity of verifying VC claims by relying on JSON Web Signatures: a simple, standardized, and well supported signature format. Additionally, we fill the gap of VC generation processes by defining a new protocol that leverages the OAuth 2.0 "client credentials" grant.
CR Mar 9, 2020
Ransomware as a Service using Smart Contracts and IPFS
Christos Karapapas, Iakovos Pittaras, Nikos Fotiou et al.
Decentralized systems, such as distributed ledgers and the InterPlanetary File System (IPFS), are designed to offer more open and robust services. However, they also create opportunities for illegal activities. We demonstrate how these technologies can be used to launch a ransomware as a service campaign. We show that criminals can transact with affiliates and victims without having to reveal their identity. Furthermore, by exploiting the robustness and resilience to churn of IPFS, as well as the decentralized computing capabilities of Ethereum, criminals can remain offline during most procedures, with many privacy guarantees.
CR Jan 28, 2020
OAuth 2.0 authorization using blockchain-based tokens
Nikos Fotiou, Iakovos Pittaras, Vasilios A. Siris et al.
OAuth 2.0 is the industry-standard protocol for authorization. It facilitates secure service provisioning, as well as secure interoperability among diverse stakeholders. All OAuth 2.0 protocol flows result in the creation of an access token, which is then used by a user to request access to a protected resource. Nevertheless, the definition of access tokens is transparent to the OAuth 2.0 protocol, which does not specify any particular token format, how tokens are generated, or how they are used. Instead, the OAuth 2.0 specification leaves all these as design choices for integrators. In this paper, we propose a new type of OAuth 2.0 token backed by a distributed ledger. Our construction is secure, and it supports proof-of-possession, auditing, and accountability. Furthermore, we provide added-value token management services, including revocation, delegation, and fair exchange by leveraging smart contracts. We realized a proof-of-concept implementation of our solution using Ethereum smart contracts and the ERC-721 token specification.
CR Nov 13, 2019
Exploiting Satellite Broadcast despite HTTPS
Nikos Fotiou, Vasilios A. Siris, George C. Polyzos et al.
HTTPS enhances end-user privacy and is often preferred or enforced by over-the-top content providers, but renders inoperable all intermediate network functions operating above the transport layer, including caching, content/protocol optimization, and security filtering tools. These functions are crucial for the optimization of integrated satellite-terrestrial networks. Additionally, due to the use of end-to-end and per-session encryption keys, the advantages of a satellite's wide-area broadcasting capabilities are limited or even negated completely. This paper investigates two solutions for authorized TLS interception that involve TLS splitting. We present how these solutions can be incorporated into integrated satellite-terrestrial networks and we discuss their trade-offs in terms of deployment, performance, and privacy. Furthermore, we design a solution that leverages satellite broadcast transmission even in the presence of TLS (i.e. with the use of HTTPS) by exploiting application layer encryption in the path between the satellite terminal and the TLS server. Our findings indicate that even if no other operation than TLS splitting is performed, TLS handshake time, which involves roundtrips through possibly a Geosynchronous satellite, can be reduced by up to 94%. Moreover, by combining an application layer encryption solution with TLS splitting, broadcast transmissions can be exploited
CR Nov 13, 2019
Enabling Opportunistic Users in Multi-Tenant IoT Systems using Decentralized Identifiers and Permissioned Blockchains
Nikos Fotiou, Iakovos Pittaras, Vasilios A. Siris et al.
In this work, we leverage advances in decentralized identifiers and permissioned blockchains to build a flexible user authentication and authorization mechanism that offers enhanced privacy, achieves fast revocation, and supports distributed "policy decision points" executed in mutually untrusted entities. The proposed solution can be applied in multi-tenant "IoT hubs" that interconnect diverse IoT silos and enable authorization of "guest" users, i.e., opportunistic users that have no trust relationship with the system, which has not encountered or known them before.
CR Jul 8, 2019
Secure IoT access at scale using blockchains and smart contracts
Nikos Fotiou, Iakovos Pittaras, Vasilios A. Siris et al.
Blockchains and smart contracts are an emerging, promising technology that has received considerable attention. We use blockchain technology, and in particular Ethereum, to implement a large-scale event-based Internet of Things (IoT) control system. We argue that the distributed nature of the "ledger," as well as Ethereum's capability of parallel execution of replicated "smart contracts", provide the sought-after automation, generality, flexibility, resilience, and high availability. We design a realistic blockchain-based IoT architecture, using existing technologies while taking into consideration the characteristics and limitations of IoT devices and applications. Furthermore, we leverage blockchain's immutability and Ethereum's support for custom tokens to build a robust and efficient token-based access control mechanism. Our evaluation shows that our solution is viable and offers significant security and usability advantages.
NI May 5, 2019
Interledger Smart Contracts for Decentralized Authorization to Constrained Things
Vasilios A. Siris, Dimitrios Dimopoulos, Nikos Fotiou et al.
We present models that utilize smart contracts and interledger mechanisms to provide decentralized authorization for constrained IoT devices. The models involve different tradeoffs in terms of cost, delay, complexity, and privacy, while exploiting key advantages of smart contracts and multiple blockchains that communicate with interledger mechanisms. These include immutably recording hashes of authorization information and policies in smart contracts, resilience through the execution of smart contract code on all blockchain nodes, and cryptographically linking transactions and IoT events recorded on different blockchains using hash and time-lock mechanisms. The proposed models are evaluated on the public Ethereum testnets Rinkeby and Ropsten, in terms of execution cost (gas), delay, and reduction of data that needs to be sent to the constrained IoT devices.
CR May 5, 2019
OAuth 2.0 meets Blockchain for Authorization in Constrained IoT Environments
Vasilios A. Siris, Dimitrios Dimopoulos, Nikos Fotiou et al.
We present models for utilizing blockchain and smart contract technology with the widely used OAuth 2.0 open authorization framework to provide delegated authorization for constrained IoT devices. The models involve different tradeoffs in terms of privacy, delay, and cost, while exploiting key advantages of blockchains and smart contracts. These include linking payments to authorization grants, immutably recording authorization information and policies in smart contracts, and offering resilience through the execution of smart contract code on all blockchain nodes.
CY Jan 23, 2019
Smart contracts for the Internet of Things: opportunities and challenges
Nikos Fotiou, George C. Polyzos
With the Internet of Things (IoT), Things are expected to live in different "domains" and "contexts" during their lifetime. Information generated by and associated with Things should be manageable by multiple, diverse stakeholders accordingly. Moreover, the scope of the information related to Things can range from private and confidential to public and auditable. Identification, security, and interoperability in this vivid environment are expected to be challenging. In this paper we discuss how smart contracts and blockchain technologies create the potential for a viable solution. To this end, we present smart contract-based solutions that improve security and information management, we identify new opportunities and challenges, and we provide security recommendations and guidelines.
CR Jan 23, 2019
Interacting with the Internet of Things using Smart Contracts and Blockchain Technologies
Nikos Fotiou, Vasilios A. Siris, George C. Polyzos
Despite technological advances, most smart objects in the Internet of Things (IoT) cannot be accessed using technologies designed and developed for interacting with powerful Internet servers. IoT use cases involve devices that not only have limited resources, but also are not always connected to the Internet and are physically exposed to tampering. In this paper, we describe the design, development, and evaluation of a smart contract-based solution that allows end-users to securely interact with smart devices. Our approach enables access control, Thing authentication, and payments in a fully decentralized setting, while taking into consideration the limitations and constraints imposed by both blockchain technologies and the IoT paradigm. Our prototype implementation is based on existing technologies, i.e., Ethereum smart contracts, which makes it realistic and fundamentally secure.
CR Jul 11, 2017
Securing Content Sharing over ICN
Nikos Fotiou, George C. Polyzos
The emerging Information-Centric Networking (ICN) paradigm is expected to facilitate content sharing among users. ICN will make it easy for users to appoint storage nodes, in various network locations, perhaps owned or controlled by them, where shared content can be stored and disseminated from. These storage nodes should be (somewhat) trusted, since not only do they have (some level of) access to user shared content, but they should also properly enforce access control. Traditional forms of encryption introduce significant overhead when it comes to sharing content with large and dynamic groups of users. To this end, proxy re-encryption provides a convenient solution. In this paper, we use Identity-Based Proxy Re-Encryption (IB-PRE) to provide confidentiality and access control for content items shared over ICN, realizing secure content distribution among dynamic sets of users. In contrast to similar IB-PRE based solutions, our design allows each user to generate the system parameters and the secret keys required by the underlay encryption scheme using their own Private Key Generator; therefore, our approach does not suffer from the key escrow problem. Moreover, our design further relaxes the trust requirements on the storage nodes by preventing them from sharing usable content with unauthorized users. Finally, our scheme does not require out-of-band secret key distribution.