Show simple item record

dc.contributor.authorRobles González, Antonio
dc.contributor.authorParra Arnau, Javier
dc.contributor.authorForné Muñoz, Jorge
dc.contributor.otherUniversitat Politècnica de Catalunya. Doctorat en Enginyeria Telemàtica
dc.contributor.otherUniversitat Politècnica de Catalunya. Departament d'Enginyeria Telemàtica
dc.identifier.citationRobles, A.; Parra-Arnau, J.; Forne, J. A LINDDUN-based framework for privacy threat analysis on identification and authentication processes. "Computers and security", 2020, vol. 94, núm. June 2020, p. 101755:1-101755:22.
dc.description© <2020>. This manuscript version is made available under the CC-BY-NC-ND 4.0 license
dc.description.abstractIdentification and authentication (IA) are security procedures that are ubiquitous in our online life, and that constantly require disclosing personal, sensitive information to non-fully trusted service providers, or to fully trusted providers that unintentionally may fail to protect such information. Although user IA processes are extensively supported by heterogeneous software and hardware, the simultaneous protection of user privacy is an open problem. From a legal point of view, the European Union legislation requires protecting the processing of personal data and evaluating its impact on privacy throughout the whole IA procedure. Privacy Threat Analysis (PTA) is one of the pillars for the required Privacy Impact Assessment (PIA). Among the few existing approaches for conducting a PTA, LINDDUN is a very promising framework, although generic, in the sense that it has not been specifically conceived for IA. In this work, we investigate an extension of LINDDUN that allows performing a reliable and systematically-reproducible PTA of user IA processes, thereby contributing to one of the cornerstones of PIA. Specifically, we propose a high-level description of the IA verification process, which we illustrate with an UML use case. Then, we design an identification and authentication modelling framework, propose an extension of two critical steps of the LINDDUN scheme, and adapt and tailor the trust boundary concept applied in the original framework. Finally, we propose a systematic methodology aimed to help auditors apply the proposed improvements to the LINDDUN framework.
dc.description.sponsorshipThe authors are thankful for the support through the research project “INRISCO”, ref. TEC2014-54335-C4-1-R, “MAGOS”, TEC2017-84197-C4-3-R, and the project “Sec-MCloud”, ref. TIN2016-80250-R. J. Parra-Arnau is the recipient of a Juan de la Cierva postdoctoral fellowship, IJCI-2016–28239, from the Spanish Ministry of Economy and Competitiveness. J. Parra-Arnau is with the UNESCO Chair in Data Privacy, but the views in this paper are his own and are not necessarily shared by UNESCO.
dc.rightsAttribution-NonCommercial-NoDerivs 3.0 Spain
dc.subjectÀrees temàtiques de la UPC::Informàtica::Seguretat informàtica
dc.subject.lcshComputer security
dc.subject.otherPrivacy threat analysis
dc.subject.otherPrivacy impact assessment
dc.subject.otherTrust boundary
dc.subject.otherauthenticable attribute
dc.subject.otherTrust-based attribute
dc.titleA LINDDUN-based framework for privacy threat analysis on identification and authentication processes
dc.subject.lemacSeguretat informàtica
dc.contributor.groupUniversitat Politècnica de Catalunya. SISCOM - Smart Services for Information Systems and Communication Networks
dc.description.peerreviewedPeer Reviewed
dc.rights.accessRestricted access - publisher's policy
dc.description.versionPostprint (author's final draft)
local.citation.authorRobles, A.; Parra-Arnau, J.; Forne, J.
local.citation.publicationNameComputers and security
local.citation.numberJune 2020

Files in this item


This item appears in the following Collection(s)

Show simple item record

Attribution-NonCommercial-NoDerivs 3.0 Spain
Except where otherwise noted, content on this work is licensed under a Creative Commons license : Attribution-NonCommercial-NoDerivs 3.0 Spain