809 research outputs found

    My private cloud--granting federated access to cloud resources

    We describe the research undertaken in the six month JISC/EPSRC funded My Private Cloud project, in which we built a demonstration cloud file storage service that allows users to login to it, by using their existing credentials from a configured trusted identity provider. Once authenticated, users are shown a set of accounts that they are the owners of, based on their identity attributes. Once users open one of their accounts, they can upload and download files to it. Not only that, but they can then grant access to their file resources to anyone else in the federated system, regardless of whether their chosen delegate has used the cloud service before or not. The system uses standard identity management protocols, attribute based access controls, and a delegation service. A set of APIs have been defined for the authentication, authorisation and delegation processes, and the software has been released as open source to the community. A public demonstration of the system is available online

    Enhanced security architecture for support of credential repository in grid computing.

    Grid Computing involves heterogeneous computers and resources, multiple administrative domains and the mechanisms and techniques for establishing and maintaining effective and secure communications between devices and systems. Both authentication and authorization are required. Current authorization models in each domain vary from one system to another, which makes it difficult for users to obtain authorization across multiple domains at one time. We propose an enhanced security architecture to provide support for decentralized authorization based on attribute certificates which may be accessed via the Internet. This allows the administration of privileges to be widely distributed over the Internet in support of autonomy for resource owners and providers. In addition, it provides a uniform approach for authorization which may be used by resource providers from various domains. We combine authentication with the authorization mechanism by using both MyProxy online credential repository and LDAP directory server. In our architecture, we use MyProxy server to store identity certificates for authentication, and utilize an LDAP server-based architecture to store attribute certificates for authorization. Using a standard web browser, a user may connect to a grid portal and allow the portal to retrieve those certificates in order to access grid resources on behalf of the user. Thus, our approach can make use of the online credential repository to integrate authentication, delegation and attribute based access control together to provide enhanced, flexible security for grid system. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2004 .C54. Source: Masters Abstracts International, Volume: 43-01, page: 0231. Adviser: R. D. Kent. Thesis (M.Sc.)--University of Windsor (Canada), 2004

    Time-Based Account Policies in FreeIPA

    This thesis deals with the common problems when implementing account policies based on time in the user authorization process. The reader is shown how this problem is solved in some of the current systems. FreeIPA identity management project architecture is presented with the focus on its user management and user authorization policies. The SSSD project is described with a focus on its connection to FreeIPA. The author creates a design for time-based account policies functionality and implements it in FreeIPA and SSSD systems.

    Authentication and Authorization Modules for Open Messaging Interface (O-MI)

    With the constant rise of new technology, developments in the fields of computer science, wireless networks, storage capabilities and sensing possibilities along with the demand for continuous connectivity have led to the formation of the Internet of Things (IoT) concept. Today, there are numerous organizations working on the IoT technology aimed at developing smart products and services. Each company proposes its own methods directed for a particular field of industry thus, it ends up with having several protocols. This has poorly followed the concept of a unified system. The Open Group attempted to address this issue by proposing Open Messaging Interface (O-MI) and Open Data Format (O-DF) protocols and claimed O-MI to be an IoT messaging standard as that of HTTP for world-wide-web (WWW). The proposed protocols have been designed to ensure robust development, data standardization, and required security level. However, the security model needs to be upgraded with the recent security techniques. This thesis attempts to specify appropriate authentication and authorization (access control) mechanisms that manage various consumers and provide functionalities that fit into O-MI/O-DF standards. The thesis first discusses several challenges regarding IoT security and then different authentication and authorization techniques available today. It then describes in detail the design decisions and implementation technicalities of the autonomous services created for the reference implementation of O-MI and O-DF

    Samba Openldap Performance in a Simulated Environment

    The Information Technology world is developing so fast and it has been reported that Open Source tools will eventually take over proprietary tools in the not too distant future. The Open Source Community is integrating its products with that of the proprietary ones and the integration of Windows machines into Linux network is evident of such practices. The purpose of this project is to implement Samba with OpenLDAP in a simulated environment. This implementation is conducted within a virtual environment by simulating the setup of Linux and Windows Operating systems by reducing physical setup of machines. Samba will act as an interface between Linux and Windows, files will be accessible to both server and client. OpenLDAP stores the user accounts and configuration files. A performance test carried out on Samba determining effect on CPU power and Memory usage shows a decrease in the CPU power and an increase in Memory usage

    Security-oriented data grids for microarray expression profiles

    Microarray experiments are one of the key ways in which gene activity can be identified and measured thereby shedding light and understanding for example on biological processes. The BBSRC funded Grid enabled Microarray Expression Profile Search (GEMEPS) project has developed an infrastructure which allows post-genomic life science researchers to ask and answer the following questions: who has undertaken microarray experiments that are in some way similar or relevant to mine; and how similar were these relevant experiments? Given that microarray experiments are expensive to undertake and may possess crucial information for future exploitation (both academically and commercially), scientists are wary of allowing unrestricted access to their data by the wider community until fully exploited locally. A key requirement is thus to have fine grained security that is easy to establish and simple (or ideally transparent) to use across inter-institutional virtual organisations. In this paper we present an enhanced security-oriented data Grid infrastructure that supports the definition of these kinds of queries and the analysis and comparison of microarray experiment results

    Development of a web application to facilitate access to clients for catering

    A web application is going to be implemented and designed in this thesis. I called the application UCOME and it is a platform specially thought for companies that have catering services like restaurants or cafes; or even it can be adapted to any restaurant. The main idea is that users can seat wherever they want because the administrator of the application configured the scenario of his local before and then, users will be able to order food without calling the waiter through their laptops or mobile phones. UCOME is developed with Spring Boot and it consists of three main pages: Administrator Page: the administrator of the application will be able to configure the scenario of the local, the login preferences (LDAP, Office 365…), the food menu, events, social networks, statistics, etc. Customers Page: the customers will choose the seat where they want to eat, and they will order the food. Employees Page: the employees of the local will receive the orders made by the customers and they will carry the food to their seats. All the data is stored in a MySQL database which provides the necessary capacity for this application.Ingeniería Informátic

    New Innovations in eIDAS-compliant Trust Services: Blockchain

    Technologies advance in leaps and bounds, they mark new trends that emerge to dominate the market, products that were previously novel and nowadays that must be adapted to remain competitive. For this reason, the team, that is made up of 3 students from the FIB - UPC (Arthur Bernal, Marc Méndez and Xiaolei Lin) and is led by the professor and director Francisco Jordan, proposes in this project new innovative technologies that will mark the technology of future and incorporate it into the TrustedX product. This project will be divided into two parts. The first consists of the communal part, which is carried out by all team members and the second, is the individual part that is realized only by the author of this thesis. The common part is based on expanding and incorporating all necessary components in the TrustedX on-premise product in order that it can function as TrustedX as a Service (TXaaS) and a multi-tenant system. This new product will have the ability to comply with eIDAS Regulation to offer digital signatures in the Cloud and have the same validity as the handwritten notarial signatures. The individual part consists of creating a timestamp-based archiving prototype by using Blockchain technology and integrating it into TXaaS. To fulfill this, the operation of this technology and the different available options in the market are studied. In addition, all components which are required will be designed and implemented in order to reach the objective

    User Provisioning Processes in Identity Management addressing SAP Campus Management

    This document is the report of the work of an ISWA working team on a WUSKAR case study. This study tackles on the desire of meta directory synchronisation with a proprietary SAP R/3 system in the context of an identity management system. Early tasks concern identifying exact desires and scenarios, modelling the synchronisation process, identifying what relevant data is to be processed, as well as proposing templates for the matching and transformation process. Intermediate tasks are related to the technical aspects of the case study, as well as problem task division and progress management, regular review of strategic and technical choices

    Mobile identification as a service

    Integrated master's dissertation in Informatics Engineering. The benefits of using mobile identification applications as substitutes for physical documents are obvious, whether these are university student cards, company employee identification cards, the citizen card or driving license. However, as these applications grow in popularity and complexity, new requirements and needs arise that need to be addressed without disturbing the normal behavior of the application. Often the data needed to provide an authentication service is spread across multiple servers, which need to be integrated. This becomes more complicated and complex when an application provides more than one form of authentication (a driving license and a student card require data provided by different services). In this dissertation we are going to look for solutions that allow to develop an architecture that is prepared to integrate new services at runtime and allows the management of the system, maintaining its dynamic and independence from third parties, regardless of the technology and form of communication used by them. So, this dissertation presents the state of the art regarding the integration of multiple service providers and the design and implementation of a proposed solution, using the WSO2 products to do so. This process is performed in the context of the mobile ID, that is an implementation of a mobile driving license based on the ISO/IEC 18013-5:2021.