Author

Laborde Romain

Bio: Laborde Romain is an academic researcher from Paul Sabatier University. The author has contributed to research in topics: Computer security model & Network Access Control. The author has an h-index of 2 and has co-authored 3 publications receiving 23 citations.

Papers
Journal Article
TL;DR: This paper provides users with quantitative information of the confidence a relying party can have about a certificate (QoCER) and presents a formal model of trust to calculate these values.
Abstract: The growing number of Public Key Infrastructures (PKIs) and the increasing number of situations where partners of a transaction may carry certificates signed by different certification authorities (CAs) point out the problem of trust between the different CAs. Several trust models, like the hierarchy model, cross-certification model, and bridge CA model, were proposed in order to establish and extend the domain of trust of relying parties (RP). However, each model has disadvantages, especially scalability in large open networks like the Internet. In this paper, we provide users with quantitative information of the confidence a relying party can have about a certificate. We call this information quality of certificate (QoCER). QoCER depends on two parameters, which are the quality of procedures announced in the certificate policy (CP) and the quality of CA (QoCA) that represents the evaluation of the CA commitment to its policy. QoCA is calculated based on the recommendation of different actors (audit agency, RP, etc.). QoCER is balanced by another piece of information that represents the confidence on QoCA calculation. We present a formal model of trust to calculate these values. Copyright © 2010 John Wiley & Sons, Ltd.

19 citations

Proceedings Article
12 Dec 2013
TL;DR: This paper defines a formal analysis method for network security mechanisms and specifies the approach in Colored Petri Networks to automate the conflicts analysis and test it on a fine-grained firewall scenario.
Abstract: Quick evolution, heterogeneity, interdependence between equipment, and many other factors induce high complexity in network security analysis. Although several approaches have proposed different analysis tools, achieving this task requires experienced and proficient security administrators who can handle all these parameters. The challenge is not to propose a temporary solution but to offer a building block for this large domain, though no approach can be optimal for all tasks. In previous papers, we have proposed a novel formal model of equipment configuration built on a data flow attribute-based approach to detect network security conflicts. In this paper, we extend the previously proposed model in order to make it more generic by proving it can handle microscopic analysis. We define a formal analysis method for network security mechanisms. Therefore, we specify our approach in Colored Petri Networks to automate the conflicts analysis and test it on a fine-grained firewall scenario.

2 citations

Proceedings Article
27 Dec 2011
TL;DR: A formal data flow model focused on detecting multi-layer inconsistencies between security mechanisms is proposed, independent from specific security mechanisms to admit the security technology diversity and evolution.
Abstract: Network security policy enforcement consists in configuring heterogeneous security mechanisms (IPsec gateways, ACLs on routers, stateful firewalls, proxies, etc.) that are available in a given network environment. The complexity of this task resides in the number, the nature, and the interdependence of the mechanisms. We propose in this paper a formal data flow model focused on detecting multi-layer inconsistencies between security mechanisms. This model is independent from specific security mechanisms to admit the security technology diversity and evolution.

2 citations


Cited by
01 Jun 2001
TL;DR: A framework which is called subjective logic uses elements from the Dempster-Shafer belief theory and it is shown that it is compatible with binary logic and probability calculus.
Abstract: We first describe a metric for uncertain probabilities called opinion, and subsequently a set of logical operators that can be used for logical reasoning with uncertain propositions. This framework which is called subjective logic uses elements from the Dempster-Shafer belief theory and we show that it is compatible with binary logic and probability calculus.

45 citations

Book Chapter
13 Nov 2012
TL;DR: The INCOME project, whose goal is to provide generic software and middleware components to ease the design and development of mass market context-aware applications built above the Internet of Things, makes it possible to bridge the gap between these two very active research domains.
Abstract: Nowadays, context management solutions in ambient networks are well-known. However, with the IoT paradigm, ambient information is no longer the only source of context. Context management solutions able to address multiple network scales ranging from ambient networks to the Internet of Things (IoT) are required. We present the INCOME project whose goal is to provide generic software and middleware components to ease the design and development of mass market context-aware applications built above the Internet of Things. By revisiting ambient intelligence (AmI) context management solutions for extending them to the IoT, INCOME makes it possible to bridge the gap between these two very active research domains. In this landscape paper, we identify how INCOME plans to advance the state of the art and we briefly describe its scientific program which consists of three main tasks: (i) multi-scale context management, (ii) management of extrafunctional concerns (quality of context and privacy), and (iii) autonomous deployment of context management entities.

35 citations

Journal Article
TL;DR: Evaluation of CA-TMS with real-world data shows that an attack surface reduction by more than 95% is achievable and is complemented by an optional reputation system that allows utilizing the knowledge of other entities while maintaining the minimal set of trusted CAs.
Abstract: The steadily growing number of certification authorities (CAs) assigned to the Web Public Key Infrastructure (Web PKI) and trusted by current browsers imposes severe security issues. Apart from being impossible for relying entities to assess whom they actually trust, the current binary trust model implemented with the Web PKI makes each CA a single point of failure and creates an enormous attack surface. In this article, we present CA-TMS, a user-centric CA trust management system based on trust views. CA-TMS can be used by relying entities to individually reduce the attack surface. CA-TMS works by restricting the trust placed in CAs of the Web PKI to trusting in exactly those CAs actually required by a relying entity. This restriction is based on locally collected information and does not require the alteration of the existing Web PKI. CA-TMS is complemented by an optional reputation system that allows utilizing the knowledge of other entities while maintaining the minimal set of trusted CAs. Our evaluation of CA-TMS with real-world data shows that an attack surface reduction by more than 95% is achievable.

26 citations

Proceedings Article
10 Jan 2020
TL;DR: This work presents a user-centric and decentralized digital identity system that allows anyone to easily benefit from an enriched digital identity made of multi-purpose and multi-origin attributes and increases usability by the elimination of user passwords.
Abstract: We present a user-centric and decentralized digital identity system that allows anyone to easily benefit from an enriched digital identity made of multi-purpose and multi-origin attributes. It increases usability by the elimination of user passwords. It also makes this digital identity highly trustworthy both for the user (in terms of privacy and sovereignty) and the service provider who requires highly certified information about the user being enrolled in and/or authenticated on its services. We built our system based on the Universal Authentication Framework specified by the FIDO Alliance and the data model proposed by the W3C Verifiable Credentials WG. The whole system has been implemented in a banking scenario.

17 citations

Journal Article
TL;DR: This paper presents an implementation approach that a Trust Broker could follow in order to give RPs trust information about a CA by assessing the quality of its issued certificates, and demonstrates how RPs can make informed decisions about certificate holders in the context of the global web, without requiring large processing resources themselves.
Abstract: A Public Key Infrastructure (PKI) is considered one of the most important techniques used to propagate trust in authentication over the Internet. This technology is based on a trust model defined by the original X.509 (1988) standard and is composed of three entities: the certification authority (CA), the certificate holder (or subject), and the Relying Party (RP). The CA plays the role of a trusted third party between the certificate holder and the RP. In many use cases, this trust model has worked successfully. However, we argue that the application of this model on the Internet implies that web users need to depend on almost anyone in the world in order to use PKI technology. Thus, we believe that the current TLS system is not fit for purpose and must be revisited as a whole. In response, the latest draft edition of X.509 has proposed a new trust model by adding a new entity called the Trust Broker (TB). In this paper, we present an implementation approach that a Trust Broker could follow in order to give RPs trust information about a CA by assessing the quality of its issued certificates. This is related to the quality of the CA’s policies and procedures and its commitment to them. Finally, we present our Trust Broker implementation that demonstrates how RPs can make informed decisions about certificate holders in the context of the global web, without requiring large processing resources themselves.

16 citations