PKI Scalability Issues

This report surveys different PKI technologies such as PKIX and SPKI and the issues of PKI that affect scalability. Much focus is spent on certificate revocation methodologies and status verification systems such as CRLs, Delta-CRLs, CRS, Certificate Revocation Trees, Windowed Certificate Revocation, OCSP, SCVP and DVCS.Comment: 23 pages, 2 figure

Dynamic Trust Federation in Grids

Grids are becoming economically viable and productive tools. Grids provide a way of utilizing a vast array of linked resources such as computing systems, databases and services online within Virtual Organizations (VO). However, today’s Grid architectures are not capable of supporting dynamic, agile federation across multiple administrative domains and the main barrier, which hinders dynamic federation over short time scales is security. Federating security and trust is one of the most significant architectural issues in Grids. Existing relevant standards and specifications can be used to federate security services, but do not directly address the dynamic extension of business trust relationships into the digital domain. In this paper we describe an experiment in which we highlight those challenging architectural issues and we will further describe how the approach that combines dynamic trust federation and dynamic authorization mechanism can address dynamic security trust federation in Grids. The experiment made with the prototype described in this paper is used in the NextGRID project for the definition of requirements for next generation Grid architectures adapted to business application need

Obligations of trust for privacy and confidentiality in distributed transactions

Purpose – This paper aims to describe a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. The authors introduce the concept of the obligation of trust (OoT) protocol as a privacy assurance and authorization mechanism that is built upon the XACML standard. The OoT allows two communicating parties to dynamically exchange their privacy and authorization requirements and capabilities, which the authors term a notification of obligation (NoB), as well as their commitments to fulfilling each other's requirements, which the authors term signed acceptance of obligations (SAO). The authors seek to describe some applicability of these concepts and to show how they can be integrated into distributed authorization systems for stricter privacy and confidentiality control. Design/methodology/approach – Existing access control and privacy protection systems are typically unilateral and provider-centric, in that the enterprise service provider assigns the access rights, makes the access control decisions, and determines the privacy policy. There is no negotiation between the client and the service provider about which access control or privacy policy to use. The authors adopt a symmetric, more user-centric approach to privacy protection and authorization, which treats the client and service provider as peers, in which both can stipulate their requirements and capabilities, and hence negotiate terms which are equally acceptable to both parties. Findings – The authors demonstrate how the obligation of trust protocol can be used in a number of different scenarios to improve upon the mechanisms that are currently available today. Practical implications – This approach will serve to increase trust in distributed transactions since each communicating party receives a difficult to repudiate digitally signed acceptance of obligations, in a standard language (XACML), which can be automatically enforced by their respective computing machinery. Originality/value – The paper adds to current research in trust negotiation, privacy protection and authorization by combining all three together into one set of standardized protocols. Furthermore, by providing hard to repudiate signed acceptance of obligations messages, this strengthens the legal case of the injured party should a dispute arise

Strong Authentication for Web Services using Smartcards

The popularity of the Internet and the variety of services it provides has been immense. Unfortunately, many of these services require the user to register and subsequently login to the system in order to access them. This has resulted in the user having to remember a multitude of username and password combinations in order to use the service securely. However, literature has clearly demonstrated this is not an effective approach, as users will frequently choose simple passwords, write them down, share them or use the same password for multiple systems. This paper proposes a novel concept where Internet users authenticate to web services (service providers) by the use of a smartcard – taking away any requirement for the user to provide credentials. The smartcard is useful in this context as it is a trusted device that is capable of applying cryptography in a tamper resistant environment. The development of the concept is based upon an extension to Authentication Authorisation Infrastructure (AAI) models, where a trusted authority (Identity Provider) will provide and manage the smart card to end-users. In devices such as mobile phones, a smartcard is already present (e.g. the SIM) to facilitate this and it is envisaged such a card could also be produced for desktop environments – similarly to what many banks are currently implementing

A Shibboleth-protected privilege management infrastructure for e-science education

Simplifying access to and usage of large scale compute resources via the grid is of critical importance to encourage the uptake of e-research. Security is one aspect that needs to be made as simple as possible for end users. The ESP-Grid and DyVOSE projects at the National e-Science Centre (NeSC) at the University of Glasgow are investigating security technologies which will make the end-user experience of using the grid easier and more secure. In this paper, we outline how simplified (from the user experience) authentication and authorization of users are achieved through single usernames and passwords at users' home institutions. This infrastructure, which will be applied in the second year of the grid computing module part of the advanced MSc in Computing Science at the University of Glasgow, combines grid portal technology, the Internet2 Shibboleth Federated Access Control infrastructure, and the PERMS role-based access control technology. Through this infrastructure inter-institutional teaching can be supported where secure access to federated resources is made possible between sites. A key aspect of the work we describe here is the ability to support dynamic delegation of authority whereby local/remote administrators are able to dynamically assign meaningful privileges to remote/local users respectively in a trusted manner thus allowing for the dynamic establishment of virtual organizations with fine grained security at their heart

Strong Electronic Identification: Survey & Scenario Planning

The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

Strong Electronic Identification: Survey & Scenario Planning

The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

Establishment of Public Key Infrastructure for Digital Signatures

Open Security Socket Layer (SSL) is a cryptographic library that uses appropriate security systems such as encryption, digital signatures, digital certificates, public/private key pairs, non-repudiation and time-stamping to participate in the cryptography. A Public Key Infrastructure (PKI) comprises a system of certificates, certificate authorities, subjects, relying partners, registration authorities and key repositories that provide for safe and reliable communications. In this paper, open SSL has been implemented to provide an alternative to the Transmission Control Protocol (TCP). Open SSL is a real time protocol in which the parties negotiate interactively to authenticate each other and establish a session key, in contrast to a protocol such as email in which one party prepares a message encrypt and send, that can later be decrypted and authenticated by the intended recipient. Keywords: Open SSL, Public Key Infrastructure, Digital signature