DyVOSE project: experiences in applying privilege management infrastructures

Privilege Management Infrastructures (PMI) are emerging as a necessary alternative to authorization through Access Control Lists (ACL) as the need for finer grained security on the Grid increases in numerous domains. The 2-year JISC funded DyVOSE Project has investigated applying PMIs within an e-Science education context. This has involved establishing a Grid Computing module as part of Glasgow University’s Advanced MSc degree in Computing Science. A laboratory infrastructure was built for the students realising a PMI with the PERMIS software, to protect Grid Services they created. The first year of the course centered on building a static PMI at Glasgow. The second year extended this to allow dynamic attribute delegation between Glasgow and Edinburgh to support dynamic establishment of fine grained authorization based virtual organizations across multiple institutions. This dynamic delegation was implemented using the DIS (Delegation Issuing) Web Service supplied by the University of Kent. This paper describes the experiences and lessons learned from setting up and applying the advanced Grid authorization infrastructure within the Grid Computing course, focusing primarily on the second year and the dynamic virtual organisation setup between Glasgow and Edinburgh

Integrating security solutions to support nanoCMOS electronics research

The UK Engineering and Physical Sciences Research Council (EPSRC) funded Meeting the Design Challenges of nanoCMOS Electronics (nanoCMOS) is developing a research infrastructure for collaborative electronics research across multiple institutions in the UK with especially strong industrial and commercial involvement. Unlike other domains, the electronics industry is driven by the necessity of protecting the intellectual property of the data, designs and software associated with next generation electronics devices and therefore requires fine-grained security. Similarly, the project also demands seamless access to large scale high performance compute resources for atomic scale device simulations and the capability to manage the hundreds of thousands of files and the metadata associated with these simulations. Within this context, the project has explored a wide range of authentication and authorization infrastructures facilitating compute resource access and providing fine-grained security over numerous distributed file stores and files. We conclude that no single security solution meets the needs of the project. This paper describes the experiences of applying X.509-based certificates and public key infrastructures, VOMS, PERMIS, Kerberos and the Internet2 Shibboleth technologies for nanoCMOS security. We outline how we are integrating these solutions to provide a complete end-end security framework meeting the demands of the nanoCMOS electronics domain

Performance Evaluation of Distributed Security Protocols Using Discrete Event Simulation

The Border Gateway Protocol (BGP) that manages inter-domain routing on the Internet lacks security. Protective measures using public key cryptography introduce complexities and costs. To support authentication and other security functionality in large networks, we need public key infrastructures (PKIs). Protocols that distribute and validate certificates introduce additional complexities and costs. The certification path building algorithm that helps users establish trust on certificates in the distributed network environment is particularly complicated. Neither routing security nor PKI come for free. Prior to this work, the research study on performance issues of these large-scale distributed security systems was minimal. In this thesis, we evaluate the performance of BGP security protocols and PKI systems. We answer the questions about how the performance affects protocol behaviors and how we can improve the efficiency of these distributed protocols to bring them one step closer to reality. The complexity of the Internet makes an analytical approach difficult; and the scale of Internet makes empirical approaches also unworkable. Consequently, we take the approach of simulation. We have built the simulation frameworks to model a number of BGP security protocols and the PKI system. We have identified performance problems of Secure BGP (S-BGP), a primary BGP security protocol, and proposed and evaluated Signature Amortization (S-A) and Aggregated Path Authentication (APA) schemes that significantly improve efficiency of S-BGP without compromising security. We have also built a simulation framework for general PKI systems and evaluated certification path building algorithms, a critical part of establishing trust in Internet-scale PKI, and used this framework to improve algorithm performance

A Proposed Cryptography-Based Identity Management Scheme for Enhancing Enterprise Information Systems Security

Enterprises are faced with the challenges of managing users’ identity across multiple systems and applications.User identity usually includes personal information such as names, contact information, and demographic data;legal information which is the information about legal relationship between the enterprise and the user; and logincredentials to managed systems for identification and authentication such as login ID and password, PKI certificate,tokens, biometrics, and so on. As a result of these challenges, enterprises contend with problems of datainconsistency, repetition of access to multiple systems, security exposure, unreliability of data, complexity insystems usage, and difficulty in managing large data. These problems are compounded as enterprises deploy moreIT infrastructures (systems and applications) and have more users (employees, customers, partners, contractors,vendors, and so on).Our research is aimed at addressing these challenges by building on existing identitymanagement technologies through the creation of a hybrid technology using Identity Management andCryptographic techniques. We present the research direction in this paper.Keywords: Enterprises, Identity Management, Identity Management Technology, Cryptograph

Enhanced security architecture for support of credential repository in grid computing.

Grid Computing involves heterogeneous computers and resources, multiple administrative domains and the mechanisms and techniques for establishing and maintaining effective and secure communications between devices and systems. Both authentication and authorization are required. Current authorization models in each domain vary from one system to another, which makes it difficult for users to obtain authorization across multiple domains at one time. We propose an enhanced security architecture to provide support for decentralized authorization based on attribute certificates which may be accessed via the Internet. This allows the administration of privileges to be widely distributed over the Internet in support of autonomy for resource owners and providers. In addition, it provides a uniform approach for authorization which may be used by resource providers from various domains. We combine authentication with the authorization mechanism by using both MyProxy online credential repository and LDAP directory server. In our architecture, we use MyProxy server to store identity certificates for authentication, and utilize an LDAP server-based architecture to store attribute certificates for authorization. Using a standard web browser, a user may connect to a grid portal and allow the portal to retrieve those certificates in order to access grid resources on behalf of the user. Thus, our approach can make use of the online credential repository to integrate authentication, delegation and attribute based access control together to provide enhanced, flexible security for grid system. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2004 .C54. Source: Masters Abstracts International, Volume: 43-01, page: 0231. Adviser: R. D. Kent. Thesis (M.Sc.)--University of Windsor (Canada), 2004

The Key Authority - Secure Key Management in Hierarchical Public Key Infrastructures

We model a private key`s life cycle as a finite state machine. The states are the key`s phases of life and the transition functions describe tasks to be done with the key. Based on this we define and describe the key authority, a trust center module, which potentiates the easy enforcement of secure management of private keys in hierarchical public key infrastructures. This is done by assembling all trust center tasks concerning the crucial handling of private keys within one centralized module. As this module resides under full control of the trust center`s carrier it can easily be protected by well-known organizational and technical measures.Comment: 5 pages, 2 figure

The Hosting Environment of the Advanced Resource Connector middleware

The central component of AR

The Development of a graduate course on identity management for the Department of Networking, Security, and Systems Administration

Digital identities are being utilized more than ever as a means to authenticate computer users in order to control access to systems, web services, and networks. To maintain these digital identities, administrators turn to Identity Management solutions to offer protection for users, business partners, and networks. This paper proposes an analysis of Identity Management to be accomplished in the form of a graduate level course of study for a ten-week period for the Networking, Security, and Systems Administration department at Rochester Institute of Technology. This course will be designed for this department because of its emphasis on securing, protecting, and managing the identities of users within and across networks. Much of the security-related courses offered by the department focus primarily on security within enterprises. Therefore, Identity Management, a topic that is becoming more popular within enterprises each day, would compliment these courses. Students that enroll in this course will be more equipped to satisfy the needs of modern enterprises when they graduate because they will have a better understanding of how to address security issues that involve managing user identities across networks, systems, and enterprises. This course will focus on several aspects of Identity Management and its use in enterprises today. Covered during the course will be the frameworks of Identity Management, for instance, Liberty Identity Federation Framework and OASIS SAML 2.0; the Identity Management models; and some of the major Identity Management solutions that are in use today such as Liberty Alliance, Microsoft Passport, and Shibboleth. This course will also provide the opportunity to gain hands on experience by facilitating exemplar technologies used in laboratory investigations

Improving the Security Levels of E-government Processes within Public Administration through the Establishment of Improved Security Systems

Processes that are related to the identification and the authentication of persons and other legal entities have been necessarily existing and functioning for a while in public administration and business. Information Society offers new e-services for citizens and businesses, which dramatically change the administration and results additional challenges, risks and opportunities. Citizen’s confidence and trust to services has to be improved, meanwhile several requirements, like data protection, privacy and legal requirements has to be satisfied. The usual business process of identification of the corresponding entity is generally based on some trivial control mechanism, typically password identification. In order to keep up the trust of the public in the public administration activities, the process for entity identification (both person and legal entity) should be amended taken in account the business and security consideration. Identity management solutions show intriguing variation of approaches in Europe, they are at a different maturity level of services. Our paper gives an overview about the most frequently cited identity management architectures (namely: Liberty Alliance Architecture, IDABC, Sibboleth, Government Gateway Model and Austrian Model) and presents an identity management framework (based on the PKI, but improved it), customized for the Hun-garian specialities, which offer possibilities to improve the related services quality. The goal of this paper is to show a solution for the improvement of the identity management solution for e-government processes through the development of security mechanisms making use of the readily avail-able technologies

Time-Based Account Policies in FreeIPA

Tato práce se zabývá běžnými problémy časových politik, které jsou využívány v rámci procesu přihlašování uživatelů. Jsou rozebrána řešení v některých jiných současných systémech. Dále je čtenáři představen projekt pro správu identit FreeIPA, autor se zaměřuje hlavně na správu uživatelů a politiky pro jejich autorizaci. Je také představen projekt SSSD se zaměřením na jeho propojení se systémem FreeIPA. Po vytvoření návrhu řešení problému časových politik je tento návrh implementován do systémů FreeIPA a SSSD.This thesis deals with the common problems when implementing account policies based on time in the user authorization process. The reader is shown how this problem is solved in some of the current systems. FreeIPA identity management project architecture is presented with the focus on its user management and user authorization policies. The SSSD project is described with aim on its connection to FreeIPA. The author creates a design for time-based account policies functionality and implements it in FreeIPA and SSSD systems.