An Approach for Adapting Moodle into a Secure Infrastructure

Moodle is one of the most popular open source e-learning platforms. It provides a very easy-to-deploy environment which, once installed, is ready to be used. These two characteristics make it a very attractive choice. With regard to information security and privacy, however, it presents several important drawbacks. This is mainly because it leaves the most serious tasks, such as server configuration and access control, in the hands of the system administrator or third-party module developers. This approach is understandable, as that very fact is what makes Moodle easy and therefore attractive. The aim of this paper is not to discredit this option, but to enhance it by means of standard cryptographic and information security infrastructures. We focus on the registration process, which ends with the distribution of a user certificate. To link the users' real identity with their virtual one, we have taken an approach that merges EBIAS (Email Based Identification and Authentication System) with a kind of challenge-response method involving secure pseudo-random number generation based on a fast chaos-based Pseudo Random Number Generator.
