Beyond Certificates: 6G-ready Access Control for the Service-Based Architecture with Decentralized Identifiers and Verifiable Credentials
In 6G, mobile networks are poised to transition from monolithic structures owned and operated by single mobile network operators into multi-stakeholder networks where various parties contribute with infrastructure, resources, and services. This shift brings forth a critical challenge: ensuring secure and trustful cross-domain access control. This paper introduces a novel technical concept and a prototype, outlining and implementing a 5G Service-based Architecture that utilizes Decentralized Identifiers and Verifiable Credentials to authenticate and authorize network functions among each other rather than relying on traditional X.509 certificates or OAuth2.0 access tokens. This decentralized approach to identity and permission management for network functions in 6G reduces the risk of a single point of failure associated with centralized public key infrastructures, unifies access control mechanisms, and paves the way for less complex and more trustful cross-domain key management for highly collaborative network functions of a future Service-based Architecture in 6G.
Comment: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.
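The abstract contrasts credential-based authorization between network functions with X.509 certificates and OAuth2.0 bearer tokens. The example below is added here to make that contrast concrete; it is not code from the paper or its prototype. It models a minimal Verifiable-Credential-style flow: an operator's issuer DID signs a credential naming a consumer NF's DID and the operations it may call, and the producer NF checks the issuer signature, expiry, scope, and, unlike a bearer token, a holder proof over a per-request nonce signed with the subject DID's own key. The DID strings, the credential field set, the operation names, the in-memory DID resolver and the nonce values are all assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a minimal stand-in for a Verifiable Credential: an issuer DID
// asserts that a subject DID (a network function) may call certain operations.
// The field set is an assumption made for this example.
type Credential struct {
	Issuer     string   `json:"issuer"`
	Subject    string   `json:"subject"`
	Operations []string `json:"operations"`
	Expires    int64    `json:"expires"` // Unix seconds
}

// SignedCredential is the credential's JSON plus the issuer's Ed25519 signature.
type SignedCredential struct {
	Payload, Signature []byte
}

// Presentation is what the calling NF sends with a request: the credential and
// a signature over the server nonce and the operation, proving it controls the
// subject DID's key. This holder binding is what a bearer OAuth2 token lacks.
type Presentation struct {
	Cred         SignedCredential
	Nonce, Proof []byte
}

// DIDResolver maps a DID to its verification key. A real deployment resolves
// the DID document; an in-memory map is assumed here.
type DIDResolver map[string]ed25519.PublicKey

func IssueCredential(issuerKey ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issuerKey, payload)}, nil
}

func proofMessage(nonce []byte, op string) []byte {
	return append(append([]byte{}, nonce...), []byte(op)...)
}

func Present(subjectKey ed25519.PrivateKey, sc SignedCredential, nonce []byte, op string) Presentation {
	return Presentation{Cred: sc, Nonce: nonce, Proof: ed25519.Sign(subjectKey, proofMessage(nonce, op))}
}

// Authorize is the producer NF's check. Each failure is a distinct error so a
// log line says which check rejected the caller.
func Authorize(r DIDResolver, trusted map[string]bool, p Presentation, expectedNonce []byte, op string, now time.Time) error {
	var c Credential
	if err := json.Unmarshal(p.Cred.Payload, &c); err != nil {
		return fmt.Errorf("malformed credential: %w", err)
	}
	issuerPub, ok := r[c.Issuer]
	if !ok || !trusted[c.Issuer] {
		return errors.New("issuer unknown or not trusted")
	}
	if !ed25519.Verify(issuerPub, p.Cred.Payload, p.Cred.Signature) {
		return errors.New("issuer signature invalid")
	}
	if now.Unix() >= c.Expires {
		return errors.New("credential expired")
	}
	subjectPub, ok := r[c.Subject]
	if !ok {
		return errors.New("subject DID unresolved")
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return errors.New("nonce mismatch (replay?)")
	}
	if !ed25519.Verify(subjectPub, proofMessage(p.Nonce, op), p.Proof) {
		return errors.New("holder proof invalid")
	}
	for _, allowed := range c.Operations {
		if allowed == op {
			return nil
		}
	}
	return errors.New("operation not in credential")
}

// Scenario wires up an issuer, a consumer NF and a producer NF and returns the
// outcome of a legitimate call, a call outside the granted scope, and a replay
// of a presentation against a fresh nonce. All identifiers are constructed.
func Scenario() (legit, outOfScope, replay error) {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	nfPub, nfKey, _ := ed25519.GenerateKey(rand.Reader)
	resolver := DIDResolver{"did:example:operator-a": issuerPub, "did:example:amf-1": nfPub}
	trusted := map[string]bool{"did:example:operator-a": true}
	now := time.Unix(1_700_000_000, 0)
	sc, _ := IssueCredential(issuerKey, Credential{
		Issuer: "did:example:operator-a", Subject: "did:example:amf-1",
		Operations: []string{"nudm-sdm:get"}, Expires: now.Add(time.Hour).Unix(),
	})
	nonce := []byte("nonce-1") // producer-issued per request; constructed here
	p := Present(nfKey, sc, nonce, "nudm-sdm:get")
	legit = Authorize(resolver, trusted, p, nonce, "nudm-sdm:get", now)
	outOfScope = Authorize(resolver, trusted, Present(nfKey, sc, nonce, "nudm-uecm:delete"), nonce, "nudm-uecm:delete", now)
	replay = Authorize(resolver, trusted, p, []byte("nonce-2"), "nudm-sdm:get", now)
	return
}

func main() {
	l, o, r := Scenario()
	fmt.Println("legit:", l, "| out of scope:", o, "| replay:", r)
}
```

The order of checks matters in practice: issuer trust and signature are verified before anything in the payload is relied on, and the holder proof is checked before the scope so that a stolen credential without the subject key fails closed. Revocation is deliberately not modelled; a deployment would consult a status list or the issuer before accepting a long-lived credential.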
Authentication and authorisation in entrusted unions
This paper reports on the status of a project whose aim is to implement and demonstrate in a real-life environment an integrated eAuthentication and eAuthorisation framework to enable trusted collaborations and delivery of services across different organisational/governmental jurisdictions. This aim will be achieved by designing a framework with assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption to address the security and confidentiality requirements of large distributed infrastructures. The framework supports collaborative secure distributed storage, secure data processing and management in both the cloud and offline scenarios and is intended to be deployed and tested in two pilot studies in two different domains, viz, Bio-security incident management and Ambient Assisted Living (eHealth). Interim results in terms of security requirements, privacy preserving authentication, and authorisation are reported
E-infrastructures fostering multi-centre collaborative research into the intensive care management of patients with brain injury
Clinical research is becoming ever more collaborative with multi-centre trials now a common practice. With this in mind, never has it been more important to have secure access to data and, in so doing, tackle the challenges of inter-organisational data access and usage. This is especially the case for research conducted within the brain injury domain due to the complicated multi-trauma nature of the disease with its associated complex collation of time-series data of varying resolution and quality. It is now widely accepted that advances in treatment within this group of patients will only be delivered if the technical infrastructures underpinning the collection and validation of multi-centre research data for clinical trials are improved. In recognition of this need, IT-based multi-centre e-Infrastructures such as the Brain Monitoring with Information Technology group (BrainIT - www.brainit.org) and Cooperative Study on Brain Injury Depolarisations (COSBID - www.cosbid.de) have been formed. A serious impediment to the effective implementation of these networks is access to the know-how and experience needed to install, deploy and manage security-oriented middleware systems that provide secure access to distributed hospital based datasets and especially the linkage of these data sets across sites. The recently funded EU framework VII ICT project Advanced Arterial Hypotension Adverse Event prediction through a Novel Bayesian Neural Network (AVERT-IT) is focused upon tackling these challenges. This chapter describes the problems inherent to data collection within the brain injury medical domain, the current IT-based solutions designed to address these problems and how they perform in practice. We outline how the authors have collaborated towards developing Grid solutions to address the major technical issues. Towards this end we describe a prototype solution which ultimately formed the basis for the AVERT-IT project. The design of the underlying Grid infrastructure for AVERT-IT, and how it will be used to produce novel approaches to data collection, data validation and clinical trial design, is also presented
Securing the Participation of Safety-Critical SCADA Systems in the Industrial Internet of Things
In the past, industrial control systems were "air gapped" and isolated from more conventional networks. They used specialist protocols, such as Modbus, that are very different from TCP/IP. Individual devices used proprietary operating systems rather than the more familiar Linux or Windows. However, things are changing. There is a move for greater connectivity, for instance so that higher-level enterprise management systems can exchange information that helps optimise production processes. At the same time, industrial systems have been influenced by concepts from the Internet of Things; where the information derived from sensors and actuators in domestic and industrial components can be addressed through network interfaces. This paper identifies a range of cyber security and safety concerns that arise from these developments. The closing sections introduce potential solutions and identify areas for future research
Supporting security-oriented, collaborative nanoCMOS electronics research
Grid technologies support collaborative e-Research typified by multiple institutions and resources seamlessly shared to tackle common research problems. The rules for collaboration and resource sharing are commonly achieved through establishment and management of virtual organizations (VOs) where policies on access and usage of resources by collaborators are defined and enforced by sites involved in the collaboration. The expression and enforcement of these rules is made through access control systems where roles/privileges are defined and associated with individuals as digitally signed attribute certificates which collaborating sites then use to authorize access to resources. Key to this approach is that the roles are assigned to the right individuals in the VO; the attribute certificates are only presented to the appropriate resources in the VO; it is transparent to the end user researchers, and finally that it is manageable for resource providers and administrators in the collaboration. In this paper, we present a security model and implementation improving the overall usability and security of resources used in Grid-based e-Research collaborations through exploitation of the Internet2 Shibboleth technology. This is explored in the context of a major new security focused project at the National e-Science Centre (NeSC) at the University of Glasgow in the nanoCMOS electronics domain
Networked learning environments
This chapter introduces the idea of networked learning environments and argues that these environments provide the totality of surrounding conditions for learning in digital networks. It provides illustrative vignettes of the ways that students appropriate networked environments for learning. The chapter then examines the notion of networked learning environments in relation to the idea of infrastructure and infrastructures for learning and sets out some issues arising from this perspective. The chapter suggests that students and teachers selectively constitute their own contexts and that design can only have an indirect effect on learning. The chapter goes on to argue that design needs to be located at the meso level of the institution and that a solution to the problem of indirect design lies in refocusing design at the meso level and on the design of infrastructures for learning
A context for collaboration: The institutional selection of an infrastructure for learning
This paper discusses the role of institutional issues in the deployment of infrastructures for learning and the ways in which they can impact on the range of choices and opportunities for collaboration in university education. The paper is based on interviews with 12 key informants selected from relevant staff categories during the deployment of a new institutional infrastructure in a large UK based distance learning university. It is supplemented by participant observation by the author who was part of a group of advisors tasked with working with the project team developing and deploying the new infrastructure. The paper investigates the development and deployment of the infrastructure as a meso level phenomena and relates this feature to the discussion of emergence and supervenience as features of social interactions in education
Comparison of advanced authorisation infrastructures for grid computing
The widespread use of grid technology and distributed compute power, with all its inherent benefits, will only be established if the use of that technology can be guaranteed efficient and secure. The predominant method for currently enforcing security is through the use of public key infrastructures (PKI) to support authentication and the use of access control lists (ACL) to support authorisation. These systems alone do not provide enough fine-grained control over the restriction of user rights, necessary in a dynamic grid environment. This paper compares the implementation and experiences of using the current standard for grid authorisation with Globus - the grid security infrastructure (GSI) - with the role-based access control (RBAC) authorisation infrastructure PERMIS. The suitability of these security infrastructures for integration with regard to existing grid technology is presented based upon experiences within the JISC-funded DyVOSE project