Naming and sharing resources across administrative boundaries

I tackle the problem of naming and sharing resources across administrative boundaries. Conventional systems manifest the hierarchy of typical administrative structure in the structure of their own mechanism. While natural for communication that follows hierarchical patterns, such systems interfere with naming and sharing that cross administrative boundaries, and therefore cause headaches for both users and administrators. I propose to organize resource naming and security, not around administrative domains, but around the sharing patterns of users. The dissertation is organized into four main parts. First, I discuss the challenges and tradeoffs involved in naming resources and consider a variety of existing approaches to naming. Second, I consider the architectural requirements for user-centric sharing. I evaluate existing systems with respect to these requirements. Third, to support the sharing architecture, I develop a formal logic of sharing that captures the notion of restricted delegation. Restricted delegation ensures that users can use the same mechanisms to share resources consistently, regardless of the origin of the resource, or with whom the user wishes to share the resource next. A formal semantics gives unambiguous meaning to the logic. I apply the formalism to the Simple Public Key Infrastructure and discuss how the formalism either supports or discourages potential extensions to such a system. Finally, I use the formalism to drive a user-centric sharing implementation for distributed systems. I show how this implementation enables end-to-end authorization, a feature that makes heterogeneous distributed systems more secure and easier to audit. Conventionally, gateway services that bridge administrative domains, add abstraction, or translate protocols typically impede the flow of authorization information from client to server. In contrast, end-to-end authorization enables us to build gateway services that preserve authorization information, hence we reduce the size of the trusted computing base and enable more effective auditing. I demonstrate my implementation and show how it enables end-to-end authorization across various boundaries. I measure my implementation and argue that its performance tracks that of similar authorization mechanisms without end-to-end structure. I conclude that my user-centric philosophy of naming and sharing benefits both users and administrators

Secure Hardware Enhanced MyProxy: A Ph.D. Thesis Proposal

In 1976, Whitfield Diffie and Martin Hellman demonstrated how New Directions In Cryptography could enable secure information exchange between parties that do not share secrets. In order for public key cryptography to work in modern distributed environments, we need an infrastructure for finding and trusting other parties\u27 public keys (i.e., a PKI). A number of useful applications become possible with PKI. While the applications differ in how they use keys (e.g., S/MIME uses the key for message encryption and signing, while client-side SSL uses the key for authentication), all applications share one assumption: users have keypairs. In previous work, we examined the security aspects of some of the standard keystores and the their interaction with the OS. We concluded that desktops are not safe places to store private keys, and we demonstrated the permeability of keystores such as the default Microsoft keystore and the Mozilla keystore. In addition to being unsafe, these desktop keystores have the added disadvantage of being immobile. In other previous work, we examined trusted computing. In industry, a new trusted computing initiative has emerged: the Trusted Computing Platform Alliance (TCPA) (now renamed the Trusted Computing Group (TCG)). The goal of the TCG design is lower-assurance security that protects an entire desktop platform and is cheap enough to be commercially feasible. Last year, we built a trusted computing platform based on the TCG specifications and hardware. The picture painted by these previous projects suggests that common desktops are not secure enough for use as PKI clients, and trusted computing can improve the security of client machines. The question that I propose to investigate is: Can I build a system which applies trusted computing hardware in a reasonable manner in order to make desktops usable for PKI? My design begins with the Grid community\u27s MyProxy credential repository, and enhances it to take advantage of secure hardware on the clients, at the repository, and in the policy framework. The result is called Secure Hardware Enhanced MyProxy

Valtuutus-sertifikaattipohjainen pääsynhallinta sulautetuissa järjestelmissä

Tässä diplomityössä tutkin hajautetun pääsynhallinnan toteuttamista sulautetuissa järjestelmissä. Esimerkkinä käytän pysäköintipalvelua, joka hyödyntää edullisia sulautettuja laitteita palvelun hallitsemien pysäköintialueiden luvattoman käytön estämiseen. Mittauksia varten toteutin prototyypin SPKI-valtuutussertifikaatteihin perustuvasta pääsynhallintajärjestelmästä käyttäen sulautettua alustaa. Järjestelmän asiakaslaitteena on älypuhelin, ja langaton tiedonsiirtoyhteys asiakaslaitteen ja sulautetun alustan välillä on toteutettu Bluetooth Low Energyllä. Järjestelmä toteuttiin kahta eri alustaa käyttäen, jotta voitiin paremmin tutkia sulautetuilla laitteilla saavutettavissa olevaa suorituskykyä. Ketjureduktiota ja julkisten avainten pakkausta tutkittiin mahdollisina keinoina parantaa järjestelmän suorituskykyä. Tulokset osoittavat, että esimerkissämme nopeampi alusta kykenee tarkastamaan pääsyoikeudet 1.3 sekunnin kuluessa siitä, kun asiakaslaite aloittaa Bluetooth Low Energy -laitteiden löytämisen. Hitaampi alusta kykenee samaan 3.2 sekunnissa. Ketjureduktiolla saavutettiin merkittäviä etuja: tarkastukseen kulunut aika lyheni 40%, 0.8 sekuntiin nopeammalla alustalla. Pakattujen julkisten avainten käyttö taas lyhensi aikaa vain kymmenellä prosentilla. Molemmat tulokset kuitenkin riippuvat käytettävissä olevista sulautetuistaja tiedonsiirtoalustoista. Yhteenvetona totean, että SPKI-valtuutussertifikaatit sopivat hyvin hajautetun pääsynhallintajärjestelmän perustaksi, ja nykyaikaisten sulautettujen laitteiden nopeus mahdollistaa riittävän palvelutason myös silloin, kun salaustekniikka toteutetaan kokonaan ohjelmistolla. Tämän teknologian yksi mahdollinen sovelluskohde ovat "esineiden internetiin" kytkeytyvät laitteet, jotka hyötyisivät suuresti hajautetusta pääsynhallinnasta

SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI

Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2001.Includes bibliographical references (leaves 155-160).The issue of trust is of growing importance as our communities become increasingly interconnected. When resources are shared over an untrusted network, how are decisions on which principals are authorized to perform particular actions determined? SPKI/SDSI, a security infrastructure based on public-keys, is designed to facilitate the development of scalable, secure, distributed computing systems. It provides fine-grained access control, using a local name space hierarchy, and a simple, flexible, trust policy model; these features allow for the ability to create groups and delegate authorizations. Project Geronimo, named after the famous Native-American Apache chief, explores the viability of SPKI/SDSI by using it to provide access control over the Web. The infrastructure was integrated into the Netscape web client and Apache web server, using a previously developed SPKI/SDSI C Library. This thesis focuses on the server implementation. An SPKI/SDSI Apache module was designed and implemented: its principle functions are to protect web objects using SPKI/SDSI ACLs, and to determine whether HTTP client requests should be permitted to perform particular operations on protected objects. An administrative tool was developed to enable ACLs to be created, and updated, securely. The thesis also describes the algorithm for certificate chain discovery in SPKI/SDSI. Finally, the demonstration developed for Project Geronimo is outlined. The demo was successfully shown to our sponsors and various groups within the Laboratory for Computer Science.by Dwaine E. Clarke.M.Eng

Managing Access Control in Virtual Private Networks

Virtual Private Network technology allows remote network users to benefit from resources on a private network as if their host machines actually resided on the network. However, each resource on a network may also have its own access control policies, which may be completely unrelated to network access. Thus users� access to a network (even by VPN technology) does not guarantee their access to the sought resources. With the introduction of more complicated access privileges, such as delegated access, it is conceivable for a scenario to arise where a user can access a network remotely (because of direct permissions from the network administrator or by delegated permission) but cannot access any resources on the network. There is, therefore, a need for a network access control mechanism that understands the privileges of each remote network user on one hand, and the access control policies of various network resources on the other hand, and so can aid a remote user in accessing these resources based on the user\u27s privileges. This research presents a software solution in the form of a centralized access control framework called an Access Control Service (ACS), that can grant remote users network presence and simultaneously aid them in accessing various network resources with varying access control policies. At the same time, the ACS provides a centralized framework for administrators to manage access to their resources. The ACS achieves these objectives using VPN technology, network address translation and by proxying various authentication protocols on behalf of remote users

Proceedings of the 2nd International Workshop on Security in Mobile Multiagent Systems

This report contains the Proceedings of the Second Workshop on Security on Security of Mobile Multiagent Systems (SEMAS2002). The Workshop was held in Montreal, Canada as a satellite event to the 5th International Conference on Autonomous Agents in 2001. The far reaching influence of the Internet has resulted in an increased interest in agent technologies, which are poised to play a key role in the implementation of successful Internet and WWW-based applications in the future. While there is still considerable hype concerning agent technologies, there is also an increasing awareness of the problems involved. In particular, that these applications will not be successful unless security issues can be adequately handled. Although there is a large body of work on cryptographic techniques that provide basic building-blocks to solve specific security problems, relatively little work has been done in investigating security in the multiagent system context. Related problems are secure communication between agents, implementation of trust models/authentication procedures or even reflections of agents on security mechanisms. The introduction of mobile software agents significantly increases the risks involved in Internet and WWW-based applications. For example, if we allow agents to enter our hosts or private networks, we must offer the agents a platform so that they can execute correctly but at the same time ensure that they will not have deleterious effects on our hosts or any other agents / processes in our network. If we send out mobile agents, we should also be able to provide guarantees about specific aspects of their behaviour, i.e., we are not only interested in whether the agents carry out-out their intended task correctly. They must defend themselves against attacks initiated by other agents, and survive in potentially malicious environments. Agent technologies can also be used to support network security. For example in the context of intrusion detection, intelligent guardian agents may be used to analyse the behaviour of agents on a firewall or intelligent monitoring agents can be used to analyse the behaviour of agents migrating through a network. Part of the inspiration for such multi-agent systems comes from primitive animal behaviour, such as that of guardian ants protecting their hill or from biological immune systems

A trusted execution platform for multiparty computation

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2000.Includes bibliographical references (p. 92-94).by Sameer Ajmani.S.M

Subterfuge-safe trust management for delegation of permissions in open environments

Open environments involve distributed entities interacting with each other in an open manner. Many distributed entities are unknown to each other but need to collaborate and share resources in a secure fashion. Usually resource owners alone decide who is trusted to access their resources. Since resource owners in open environments do not have a complete picture of all trusted entities, trust management frameworks are used to ensure that only authorized entities will access requested resources. Every trust management system has limitations, and the limitations can be exploited by malicious entities. One vulnerability is due to the lack of globally unique interpretation for permission specifications. This limitation means that a malicious entity which receives a permission in one domain may misuse the permission in another domain via some deceptive but apparently authorized route; this malicious behaviour is called subterfuge. This thesis develops a secure approach, Subterfuge Safe Trust Management (SSTM), that prevents subterfuge by malicious entities. SSTM employs the Subterfuge Safe Authorization Language (SSAL) which uses the idea of a local permission with a globally unique interpretation (localPermission) to resolve the misinterpretation of permissions. We model and implement SSAL with an ontology-based approach, SSALO, which provides a generic representation for knowledge related to the SSAL-based security policy. SSALO enables integration of heterogeneous security policies which is useful for secure cooperation among principals in open environments where each principal may have a different security policy with different implementation. The other advantage of an ontology-based approach is the Open World Assumption, whereby reasoning over an existing security policy is easily extended to include further security policies that might be discovered in an open distributed environment. We add two extra SSAL rules to support dynamic coalition formation and secure cooperation among coalitions. Secure federation of cloud computing platforms and secure federation of XMPP servers are presented as case studies of SSTM. The results show that SSTM provides robust accountability for the use of permissions in federation. It is also shown that SSAL is a suitable policy language to express the subterfuge-safe policy statements due to its well-defined semantics, ease of use, and integrability