RESUMEN
The distribution of Internet of Things (IoT) devices in remote areas and the need for network resilience in such deployments is increasingly important in smart spaces covering scenarios, such as agriculture, forest, coast preservation, and connectivity survival against disasters. Although Low-Power Wide Area Network (LPWAN) technologies, like LoRa, support high connectivity ranges, communication paths can suffer from obstruction due to orography or buildings, and large areas are still difficult to cover with wired gateways, due to the lack of network or power infrastructure. The proposal presented herein proposes to mount LPWAN gateways in drones in order to generate airborne network segments providing enhanced connectivity to sensor nodes wherever needed. Our LoRa-drone gateways can be used either to collect data and then report them to the back-office directly, or store-carry-and-forward data until a proper communication link with the infrastructure network is available. The proposed architecture relies on Multi-Access Edge Computing (MEC) capabilities to host a virtualization platform on-board the drone, aiming at providing an intermediate processing layer that runs Virtualized Networking Functions (VNF). This way, both preprocessing or intelligent analytics can be locally performed, saving communications and memory resources. The contribution includes a system architecture that has been successfully validated through experimentation with a real test-bed and comprehensively evaluated through computer simulation. The results show significant communication improvements employing LoRa-drone gateways when compared to traditional fixed LoRa deployments in terms of link availability and covered areas, especially in vast monitored extensions, or at points with difficult access, such as rugged zones.
RESUMEN
Despite the advantages that the Internet of Things (IoT) will bring to our daily life, the increasing interconnectivity, as well as the amount and sensitivity of data, make IoT devices an attractive target for attackers. To address this issue, the recent Manufacturer Usage Description (MUD) standard has been proposed to describe network access control policies in the manufacturing phase to protect the device during its operation by restricting its communications. In this paper, we define an architecture and process to obtain and enforce the MUD restrictions during the bootstrapping of a device. Furthermore, we extend the MUD model with a flexible policy language to express additional aspects, such as data privacy, channel protection, and resource authorization. For the enforcement of such enriched behavioral profiles, we make use of Software Defined Networking (SDN) techniques, as well as an attribute-based access control approach by using authorization credentials and encryption techniques. These techniques are used to protect devices' data, which are shared through a blockchain platform. The resulting approach was implemented and evaluated in a real scenario, and is intended to reduce the attack surface of IoT deployments by restricting devices' communication before they join a certain network.
RESUMEN
Privacy enhancing technologies (PETs) allow to achieve user's transactions unlinkability across different online Service Providers. However, current PETs fail to guarantee unlinkability against the Identity Provider (IdP), which becomes a single point of failure in terms of privacy and security, and therefore, might impersonate its users. To address this issue, OLYMPUS EU project establishes an interoperable framework of technologies for a distributed privacy-preserving identity management based on cryptographic techniques that can be applied both to online and offline scenarios. Namely, distributed cryptographic techniques based on threshold cryptography are used to split up the role of the Identity Provider (IdP) into several authorities so that a single entity is not able to impersonate or track its users. The architecture leverages PET technologies, such as distributed threshold-based signatures and privacy attribute-based credentials (p-ABC), so that the signed tokens and the ABC credentials are managed in a distributed way by several IdPs. This paper describes the Olympus architecture, including its associated requirements, the main building blocks and processes, as well as the associated use cases. In addition, the paper shows how the Olympus oblivious architecture can be used to achieve privacy-preserving M2M offline transactions between IoT devices.