An architecture for certification-aware service discovery

Service-orientation is an emerging paradigm for building complex systems based on loosely coupled components, deployed and consumed over the network. Despite the original intent of the paradigm, its current instantiations are limited to a single trust domain (e.g., a single organization). Also, some of the key promises of service-orientation - such as the dynamic orchestration of externally provided software services, using runtime service discovery and deployment - are still unachieved. One of the main reasons for this is the trust gap that normally arises when software services, offered by previously unknown providers, are to be selected at run-time, without any human intervention. To close this gap, the concept of machine-readable security certificates (called asserts) has been recently introduced, which paves the way to automated processing about security properties of services. Similarly to current security certification schemes, the assessment of the security properties of a service is delegated to an independent third party (certification authority), who issues a corresponding assert, bound to the service. In this paper, we propose an architecture, which exploits the assert concept to realise a certification-aware service discovery framework. The architecture supports the discovery of single services based on certified security properties (in additional to the usual functional properties), as well as the dynamic synthesis of service compositions, that satisfy the given security properties. The architecture is extensible, thus allowing for a range of domain specific matchmaking components, to cover dimensions related to, e.g., performance, cost and other non-functional characteristics

Smart Ticket Protection: An Architecture for Cyber-Protecting Physical Tickets Using Digitally Signed Random Pattern Markers

In order to counter forgeries of tickets for public transport or mass events, a method to validate them, using printed unique random pattern markers was developed. These markers themselves are unforgeable by their physically random distribution. To assure their authenticity, however, they have to be cryptographically protected and equipped with an environment for successful validation, combining physical and cyber security protection. This paper describes an architecture for cryptographically protecting these markers, which are stored in Aztec codes on physical tickets, in order to assure that only an authorized printer can generate a valid Aztec code of such a pattern, thus providing forge protection in combination with the randomness and uniqueness of the pattern. Nevertheless, the choice of the signature algorithm is heavily constrained by the sizes of the pattern, ticket provider data, metadata and the signature confronted by the data volume the code hold. Therefore, this paper also defines an example for a signature layout for the proposed architecture. This allows for a lightweight ticket validation system that is both physically and cryptographically secured to form a smart solution for mass access verification for both shorter to longer periods at relatively low cost.Comment: 4 pages, 2 figure

Fine Grained Component Engineering of Adaptive Overlays: Experiences and Perspectives

Recent years have seen significant research being carried out into peer-to-peer (P2P) systems. This work has focused on the styles and applications of P2P computing, from grid computation to content distribution; however, little investigation has been performed into how these systems are built. Component based engineering is an approach that has seen successful deployment in the field of middleware development; functionality is encapsulated in ‘building blocks’ that can be dynamically plugged together to form complete systems. This allows efficient, flexible and adaptable systems to be built with lower overhead and development complexity. This paper presents an investigation into the potential of using component based engineering in the design and construction of peer-to-peer overlays. It is highlighted that the quality of these properties is dictated by the component architecture used to implement the system. Three reusable decomposition architectures are designed and evaluated using Chord and Pastry case studies. These demonstrate that significant improvements can be made over traditional design approaches resulting in much more reusable, (re)configurable and extensible systems