| dc.contributor.author | Robles González, Antonio |
| dc.contributor.author | Parra Arnau, Javier |
| dc.contributor.author | Forné Muñoz, Jorge |
| dc.contributor.other | Universitat Politècnica de Catalunya. Doctorat en Enginyeria Telemàtica |
| dc.contributor.other | Universitat Politècnica de Catalunya. Departament d'Enginyeria Telemàtica |
| dc.date.accessioned | 2020-06-15T10:24:57Z |
| dc.date.available | 2022-02-19T01:29:33Z |
| dc.date.issued | 2020 |
| dc.identifier.citation | Robles, A.; Parra-Arnau, J.; Forne, J. A LINDDUN-based framework for privacy threat analysis on identification and authentication processes. "Computers and security", 2020, vol. 94, núm. June 2020, p. 101755:1-101755:22. |
| dc.identifier.issn | 0167-4048 |
| dc.identifier.uri | http://hdl.handle.net/2117/190711 |
| dc.description | © <2020>. This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/ |
| dc.description.abstract | Identification and authentication (IA) are security procedures that are ubiquitous in
our online life, and that constantly require disclosing personal, sensitive information to non-fully
trusted service providers, or to fully trusted providers that unintentionally may fail to protect such information. Although user IA processes are extensively supported by heterogeneous software and hardware, the simultaneous protection of user privacy is an open problem.
From a legal point of view, the European Union legislation requires protecting the processing
of personal data and evaluating its impact on privacy throughout the whole IA procedure. Privacy Threat Analysis (PTA) is one of the pillars for the required Privacy Impact Assessment (PIA). Among the few existing approaches for conducting a PTA, LINDDUN is a very promising framework, although generic, in the sense that it has not been specifically conceived for IA.
In this work, we investigate an extension of LINDDUN that allows performing a reliable and
systematically-reproducible PTA of user IA processes, thereby contributing to one of the cornerstones of PIA. Specifically, we propose a high-level description of the IA verification process, which we illustrate with an UML use case. Then, we design an identification and authentication modelling framework, propose an extension of two critical steps of the LINDDUN scheme, and adapt and tailor the trust boundary concept applied in the original framework. Finally, we propose a systematic methodology aimed to help auditors apply the proposed improvements to the LINDDUN framework. |
| dc.description.sponsorship | The authors are thankful for the support through the research project “INRISCO”, ref. TEC2014-54335-C4-1-R, “MAGOS”, TEC2017-84197-C4-3-R, and the project “Sec-MCloud”, ref. TIN2016-80250-R. J. Parra-Arnau is the recipient of a Juan de la Cierva postdoctoral fellowship, IJCI-2016–28239, from the Spanish Ministry of Economy and Competitiveness. J. Parra-Arnau is with the UNESCO Chair in Data Privacy, but the views in this paper are his own and are not necessarily shared by UNESCO. |
| dc.language.iso | eng |
| dc.rights | Attribution-NonCommercial-NoDerivs 3.0 Spain |
| dc.rights.uri | http://creativecommons.org/licenses/by-nc-nd/3.0/es/ |
| dc.subject | Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica |
| dc.subject.lcsh | Computer security |
| dc.subject.other | Privacy threat analysis |
| dc.subject.other | Privacy impact assessment |
| dc.subject.other | LINDDUN |
| dc.subject.other | Trust boundary |
| dc.subject.other | authenticable attribute |
| dc.subject.other | Trust-based attribute |
| dc.title | A LINDDUN-based framework for privacy threat analysis on identification and authentication processes |
| dc.type | Article |
| dc.subject.lemac | Seguretat informàtica |
| dc.contributor.group | Universitat Politècnica de Catalunya. SISCOM - Smart Services for Information Systems and Communication Networks |
| dc.identifier.doi | 10.1016/j.cose.2020.101755 |
| dc.description.peerreviewed | Peer Reviewed |
| dc.relation.publisherversion | https://www.sciencedirect.com/science/article/pii/S0167404820300390 |
| dc.rights.access | Open Access |
| local.identifier.drac | 26887838 |
| dc.description.version | Postprint (author's final draft) |
| dc.relation.projectid | info:eu-repo/grantAgreement/MINECO//TEC2014-54335-C4-1-R/ES/MONITORIZACION DE INCIDENTES EN COMUNIDADES INTELIGENTES/ |
| dc.relation.projectid | info:eu-repo/grantAgreement/AEI/2PE/TEC2017-84197-C4-3-R |
| dc.relation.projectid | info:eu-repo/grantAgreement/MINECO/2PE/TIN2016-80250-R |
| local.citation.author | Robles, A.; Parra-Arnau, J.; Forne, J. |
| local.citation.publicationName | Computers and security |
| local.citation.volume | 94 |
| local.citation.number | June 2020 |
| local.citation.startingPage | 101755:1 |
| local.citation.endingPage | 101755:22 |
