245 research outputs found

    Securing tuple space: secure ad hoc group communication using PKI

    Secure group communication in an ad hoc network is a largely unexplored research area. Currently available key exchange protocols were not designed to be implemented in an ad hoc network where nodes sporadically enter and leave the group. This project explores establishing secure group communication in an ad hoc network through public key infrastructure. Public key infrastructure (PKI) provides a framework for establishing and authenticating secure communication between users. A trusted certificate authority (CA) generates an identifying token, or certificate, for an authorized user. The certificate contains the user's public key and other identifying information and is digitally signed by the CA to prevent forging. This public key may then be used to initiate secure communication with the user. This project uses the tuple space distributed computing paradigm for all ad hoc group communication. A tuple space is a store of tuples, or lists of objects, from which consumers may read tuples matching filter criteria and to which producers may post new tuples. An easily made physical analogy to this concept is that of an announcement board, where people may read flyers and post new ones. Professor Alan Kaminsky's TupleBoard API is an implementation of tuple space designed for developing ad hoc distributed applications in Java. This project extends this library by adding a public key framework enabling dynamic group key exchange, public key encryption and digital signatures. To showcase the newly added security features an ad hoc music distribution application was developed in which all communication is encrypted and authenticated and users may only share or download songs authorized by certificates in their possession. Finally, a performance analysis was done to evaluate the impact of the new security features.

    Encrypted Shared Data Spaces

    The deployment of Shared Data Spaces in open, possibly hostile, environments raises the need of protecting the confidentiality of the data space content. Existing approaches focus on access control mechanisms that protect the data space from untrusted agents. The basic assumption is that the hosts (and their administrators) where the data space is deployed have to be trusted. Encryption schemes can be used to protect the data space content from malicious hosts. However, these schemes do not allow searching on encrypted data. In this paper we present a novel encryption scheme that allows tuple matching on completely encrypted tuples. Since the data space does not need to decrypt tuples to perform the search, tuple confidentiality can be guaranteed even when the data space is deployed on malicious hosts (or an adversary gains access to the host). Our scheme does not require authorised agents to share keys for inserting and retrieving tuples. Each authorised agent can encrypt, decrypt, and search encrypted tuples without having to know other agents’ keys. This is beneficial inasmuch as it simplifies the task of key management. An implementation of an encrypted data space based on this scheme is described and some preliminary performance results are given.

    End-to-end security for mobile devices

    Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2004. Includes bibliographical references (leaves: 120). Text in English; Abstract: Turkish and English. ix, 133 leaves. End-to-end security has been an emerging need for mobile devices with the widespread use of personal digital assistants and mobile phones. Transport Layer Security Protocol (TLS) is an end-to-end security protocol that is commonly used in Internet, together with its predecessor, SSL protocol. By using TLS protocol in mobile world, the advantage of the proven security model of this protocol can be taken. J2ME (Java 2 Micro Edition) has been the de facto application platform used in mobile devices. This thesis aims to provide an end-to-end security protocol implementation based on TLS 1.0 specification and that can run on J2ME MIDP (Mobile Information Device Profile) environment. Because of the resource intensive public-key operations used in TLS, this protocol needs high resources and has low performance. Another motivation for the thesis is to adapt the protocol for mobile environment and to show that it is possible to use the protocol implementation in both client and server modes. An alternative serialization mechanism is used instead of the standard Java object serialization that is lacking in MIDP. In this architecture, XML is used to transmit object data. The mobile end-to-end security protocol has the main design issues of maintainability and extensibility. Cryptographic operations are performed with a free library, Bouncy Castle Cryptography Package. The object-oriented architecture of the protocol implementation makes the replacement of this library with another cryptography package easier. Mobile end-to-end security protocol is tested with a mobile hospital reservation system application. Test cases are prepared to measure the performance of the protocol implementation with different cipher suites and platforms. Measured values of all handshake operation and defined time spans are given in tables and compared with graphs.

    Secure migration of WebAssembly-based mobile agents between secure enclaves

    Cryptography and security protocols are today commonly used to protect data at-rest and in-transit. In contrast, protecting data in-use has seen only limited adoption. Secure data transfer methods employed today rarely provide guarantees regarding the trustworthiness of the software and hardware at the communication endpoints. The field of study that addresses these issues is called Trusted or Confidential Computing and relies on the use of hardware-based techniques. These techniques aim to isolate critical data and its processing from the rest of the system. More specifically, it investigates the use of hardware isolated Secure Execution Environments (SEEs) where applications cannot be tampered with during operation. Over the past few decades, several implementations of SEEs have been introduced, each based on a different hardware architecture. However, lately, the trend is to move towards architecture-independent SEEs. As part of this, a Huawei research project is developing a secure enclave framework that enables secure execution and migration of applications (mobile agents), regardless of the underlying architecture. This thesis contributes to the development of the framework by participating in the design and implementation of a secure migration scheme for the mobile agents. The goal is a scheme wherein it is possible to transfer the mobile agent without compromising the security guarantees provided by SEEs. Further, the thesis also provides performance measurements of the migration scheme implemented in a proof of concept of the framework.

    Applying security features to GA4GH Phenopackets

    Global Alliance for Genomics and Health has developed a standard file format called Phenopacket to improve the exchange of phenotypic information over the network. However, this standard does not implement any security mechanism, which allows an attacker to obtain sensitive information if he gets hold of it. This project aims to provide security features within the Phenopacket schema to ensure a secure exchange. To achieve this objective, it is necessary to understand the structure of the schema in order to classify which fields need to be protected. Once the schema has been designed, an investigation is conducted into which technologies are currently the most secure, leading to the implementation of three security mechanisms: digital signature, encryption, and hashing. To conclude, several verification tests are performed to ensure that both the creation of Phenopacket and the security measures applied have been correctly implemented, confirming that data exchange is possible without revealing any sensitive data.

    Secure Javascript Object Notation (SecJSON): Enabling granular confidentiality and integrity of JSON documents

    Currently, web and mobile-based systems exchange information with other services, mostly through APIs that extend the functionality and enable multipart interoperable information exchange. Most of this is accomplished through the usage of RESTful APIs and data exchange that is conducted using JSON over the HTTP or HTTPS protocol. In case the exchange has some specific security requirements, the SSL/TLS protocol is used to create a secure authenticated channel between the two communication end-points. This is a scenario where all the content of the channels is encrypted and is useful if the sender and the receptor are the only communicating parties; however, this may not be the case. The authors of this paper present a granular mechanism for selectively offering confidentiality and integrity to JSON documents, through the usage of public-key cryptography, based on the mechanisms that have been used also to provide XML security. The paper presents the proposal of the syntax for the SecJSON mechanism and an implementation that was created to offer developers the possibility to offer this security mechanism into their own services and applications.

    Autonomic Systems

    An autonomic system is defined as self-configuring, self-optimizing, self-healing, and self-protecting. We implemented the Autonomic Cluster Management System (ACMS), a low overhead Java application designed to manage and load balance a cluster, while working at NASA GSFC. The ACMS is a mobile multi-agent system in which each agent is designed to fulfill a specific role. The agents collaborate and coordinate their activities in order to achieve system management goals. The ACMS is scalable and extensible to facilitate future development