An online credential management service for InterGrid computing

Grid users and their jobs need credentials to access grid resources and services. It is important to minimize the exposure of credentials to adversaries. A practical solution is needed that works with existing software and is easy to deploy, administer, and maintain. Thus, credential management services are the wave of the future for virtual organizations such as Grid computing. This paper describes architecture of a scalable, secure and reliable on-line credential management service called SafeBox for InterGrid computing platform. SafeBox provides InterGrid users with secure mechanism for storing one or multiple credentials and access them based on need at anytime from anywhere.<br /

Hardware Security Module Cryptosystem Using Petri Net

An embedded system is a combination of hardware and software designed to perform specific functions. It consists of SoCs (system on chip) that it relies on to do its computing work. A key feature of an embedded system is that it consumes less power and components occupy less space on the IC (integrated circuit) thus, the use of SoCs. Embedded system manufacturers get these SoCs from third-party companies to reduce their time to market. That would increase the possibility of the systems to be compromised. In this paper, we present a novel approach to securing such critical systems. For that, we made a Hardware Security Module (HSM), which consists of secure SoC with encrypt/decrypt engine that use Petri net for algorithm modulation to secure data flow. We ensure that the system uses genuine firmware and data is secured since we use encrypt/decrypt algorithms only known to manufacturers

Secure Hardware Enhanced MyProxy: A Ph.D. Thesis Proposal

In 1976, Whitfield Diffie and Martin Hellman demonstrated how New Directions In Cryptography could enable secure information exchange between parties that do not share secrets. In order for public key cryptography to work in modern distributed environments, we need an infrastructure for finding and trusting other parties\u27 public keys (i.e., a PKI). A number of useful applications become possible with PKI. While the applications differ in how they use keys (e.g., S/MIME uses the key for message encryption and signing, while client-side SSL uses the key for authentication), all applications share one assumption: users have keypairs. In previous work, we examined the security aspects of some of the standard keystores and the their interaction with the OS. We concluded that desktops are not safe places to store private keys, and we demonstrated the permeability of keystores such as the default Microsoft keystore and the Mozilla keystore. In addition to being unsafe, these desktop keystores have the added disadvantage of being immobile. In other previous work, we examined trusted computing. In industry, a new trusted computing initiative has emerged: the Trusted Computing Platform Alliance (TCPA) (now renamed the Trusted Computing Group (TCG)). The goal of the TCG design is lower-assurance security that protects an entire desktop platform and is cheap enough to be commercially feasible. Last year, we built a trusted computing platform based on the TCG specifications and hardware. The picture painted by these previous projects suggests that common desktops are not secure enough for use as PKI clients, and trusted computing can improve the security of client machines. The question that I propose to investigate is: Can I build a system which applies trusted computing hardware in a reasonable manner in order to make desktops usable for PKI? My design begins with the Grid community\u27s MyProxy credential repository, and enhances it to take advantage of secure hardware on the clients, at the repository, and in the policy framework. The result is called Secure Hardware Enhanced MyProxy

A Hardware-secured Credential Repository for Grid PKIs

Public Key Infrastructures suffer from usability and security problems associated with the request for and secure management of end user credentials. Online credential repositories provide mechanisms to ease these shortcomings but pose attractive targets for attacks due to the accumulation of credentials and the need for remote access to these credentials. Through the extension of an existing credential repository with a cryptographic co-processor for secure storage of credentials an increase in the security of the service can be achieved. This higher security permits the use of online credential repositories with a wide variety of certificates without violating certification authority regulations. Also, the improved performance afforded by hardware support improves the scalability of a centralized credential storage

Three-dimensional security framework for BYOD enabled banking institutions in Nigeria.

Doctoral Degree. University of KwaZulu-Natal, Durban.Bring your own device (BYOD) has become a trend in the present day, giving employees the freedom to bring personal mobile devices to access corporate networks. In Nigeria, most banking institutions are increasingly allowing their employees the flexibility to utilize mobile devices for work-related activities. However, as they do so, the risk of corporate data being exposed to threats increases. Hence, the study considered developing a security framework for mitigating BYOD security challenges. The study was guided by organizational, socio-technical and mobility theories in developing a conceptual framework. The study was conducted in two phases, the threat identification and the framework evaluation, using a mixed-methods approach. The main research strategies used for the threat identification were a questionnaire and interviews while closed and open-ended questions were used for the framework evaluation. A sample consisted of 380 banking employees from four banks were involved in the study. In addition, the study conducted in-depth interviews with twelve management officials from the participating banks. As for the framework evaluation, the study sampled twelve respondents to assess the developed security framework for viability as far as mitigating security threats emanating from BYOD in the banking sector is concerned. The sample consisted of eight executive managers of the bank and four academic experts in information security. Quantitative data was analysed using SPSS version 21 while qualitative data was thematically analysed. Findings from the threat identification revealed that banking institutions must develop security systems that not only identify threats associated with technical, social and mobility domains but also provide adequate mitigation of the threats. For the framework evaluation, the findings revealed that the security framework is appropriate in mitigating BYOD security threats. Based on the findings of the study, the developed security framework will help banks in Nigeria to mitigate against BYOD security threats. Furthermore, this security framework will contribute towards the generation of new knowledge in the field of information security as far as BYODs are concerned. The study recommends ongoing training for banks’ employees as it relates to mitigation of security threats posed by mobile devices

Evolving a secure grid-enabled, distributed data warehouse : a standards-based perspective

As digital data-collection has increased in scale and number, it becomes an important type of resource serving a wide community of researchers. Cross-institutional data-sharing and collaboration introduce a suitable approach to facilitate those research institutions that are suffering the lack of data and related IT infrastructures. Grid computing has become a widely adopted approach to enable cross-institutional resource-sharing and collaboration. It integrates a distributed and heterogeneous collection of locally managed users and resources. This project proposes a distributed data warehouse system, which uses Grid technology to enable data-access and integration, and collaborative operations across multi-distributed institutions in the context of HV/AIDS research. This study is based on wider research into OGSA-based Grid services architecture, comprising a data-analysis system which utilizes a data warehouse, data marts, and near-line operational database that are hosted by distributed institutions. Within this framework, specific patterns for collaboration, interoperability, resource virtualization and security are included. The heterogeneous and dynamic nature of the Grid environment introduces a number of security challenges. This study also concerns a set of particular security aspects, including PKI-based authentication, single sign-on, dynamic delegation, and attribute-based authorization. These mechanisms, as supported by the Globus Toolkit’s Grid Security Infrastructure, are used to enable interoperability and establish trust relationship between various security mechanisms and policies within different institutions; manage credentials; and ensure secure interactions

AEGIS : a single-chip secure processor

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005.Includes bibliographical references (p. 225-240).Trust in remote interaction is a fundamental challenge in distributed computing environments. To obtain a remote party's trust, computing systems must be able to guarantee the privacy of intellectual property and the integrity of program execution. Unfortunately, traditional platforms cannot provide such guarantees under physical threats that exist in distributed environments. The AEGIS secure processor enables a physically secure computing platform to be built with a main processor as the only trusted hardware component. AEGIS empowers a remote party to authenticate the platform and guarantees secure execution even under physical threats. To realize the security features of AEGIS with only a single chip, this thesis presents a secure processor architecture along with its enabling security mechanisms. The architecture suggests a technique called suspended secure processing to allow a secure part of an application to be protected separately from the rest. Physical random functions provide a cheap and secure way of generating a unique secret key on each processor, which enables a remote party to authenticate the processor chip.(cont.) Memory encryption and integrity verification mechanisms guarantee the privacy and the integrity of off-chip memory content, respectively. A fully-functional RTL implementation and simulation studies demonstrate that the overheads associated with this single-chip approach is reasonable. The security components in AEGIS consumes about 230K logic gates. AEGIS, with its off-chip protection mechanisms, is slower than traditional processors by 26% on average for large applications and by a few percent for embedded applications. This thesis also shows that using AEGIS requires only minor modifications to traditional operating systems and compilers.by Gookwon Edward Suh.Ph.D