CSE300-1 Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The.

Presentation transcript:

CSE300-1 Security in a Distributed Resource Environment
Profs. Steven A. Demurjian
Q. Jin, J. Nam, Z. Qian and C. Phillips
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut

CSE300-2 Paper Overview
- 1. Introduction and Motivation
- 2. JINI
- 3. System Architecture and Improvements
- Merge Prototypes
- Security Client Database
- Dual Security Clients
- Platform Independence
- Leasing Enforcement
- Negative Privileges
- Architecture Improvements
- Experimental Prototype
- Related Work
- Conclusions and Future Work

CSE300-3 Introduction and Motivation: Research Goals
- Incorporation of Role-Based Approach within Distributed Resource Environment
- Make Distributed Applications Available Using Middleware Tools
- Propose Software Architecture and Role-Based Security Model for
  - Authorization of Clients Based on Role
  - Authentication of Clients and Resources
  - Enforcement so Clients Only Use Authorized Services (of Resource)

CSE300-4 Introduction and Motivation: Approach
- Many Middleware Lookup Services
- Successfully Dictates Service Utilization
- Requires Programmatic Solution for Security
- Does Not Selectively and Dynamically Control Access Based on Client Role
- Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role
- Our Approach
  - Define Dedicated Resource to Authorize, Authenticate, and Enforce Security Policy based on Role of Client

CSE300-5 Introduction and Motivation: Initial Architecture
Figure 1.1: General Architecture of Clients and Resources.
Figure labels:
- Resources Provide Services: Legacy, COTS, Database
- Clients Using Services: Java Client, Legacy Client, Database Client, Software Agent, COTS Client
- Role-Based Privileges, Authorization List, Security Registration
- Lookup Service

CSE300-6 Introduction and Motivation: Initial Prototypes
- JINI Prototype of Role Based Approach
  - University Database (UDB)
  - Initial GUI for Sign In (Authorization List)
  - Student/faculty GUI Client (Coursedb)
  - Access to Methods Limited Based on Role (Ex: Only Student Can Enroll in a Course)
- Security Client Prototype
  - Generic Tool
  - Uses Three Resources and Their Services
    - Role-Based Privileges
    - Authorization-List
    - Security Registration

CSE300-7 Introduction and Motivation: Security System Resources and Services
- Role-Based Privileges Resource
  - Define User-role
  - Grant/Revoke Access of Role to Resource
  - Register Services
- Authorization List Resource
  - Maintains Client Profile (Many Client Types)
  - Client Profile and Authorize Role Services
- Security Registration Resource
  - Register Client Service
  - Identity Registration at Startup
  - Uses IP Address
- Services of Resource
  - Functionally Separated and Organized
  - Resemble Method Definitions (OO)

CSE300-8 Introduction and Motivation: Initial Security Client and Resource Interactions
Figure 1.2. Security Client and Database Resource Interactions.
Figure labels: Role-Based Privileges, Authorization List, Security Registration, Lookup Service, Security Client, General Resource, Discover Service, Return Proxy
Services shown in the figure:
  Find_Client(C_Id, IP_Addr);
  Find_All_Active_Clients();
  Grant_UR_Client(UR_Id, C_Id);
  Revoke_UR_Client(UR, C_Id);
  Find_AllUR_Client(C_Id);
  Find_All_Clients_UR(UR);
  Create_New_Role(UR_Name, UR_Disc, UR_Id);
  Delete_Role(UR_Id);
  Find_UR_Name(UR_Name);
  Find_UR_Id(UR_Id);
  Grant_Resource(UR_Id, R_Id);
  Grant_Service(UR_Id, R_Id, S_Id);
  Grant_Method(UR_Id, R_Id, S_Id, M_Id);
  Revoke_Resource(UR, R_Id);
  Revoke_Service(UR, R_Id, S_Id);
  Revoke_Method(UR, R_Id, S_Id, M_Id);
  Find_AllUR_Resource(UR,R_Id);
  Find_AllUR_Service(UR,R_Id,S_Id);
  Find_AllUR_Method(UR,R_Id,S_Id,M_Id);
  Find_UR_Privileges(UR);
  Register_Resource(R_Id);
  Register_Service(R_Id, S_Id);
  Register_Method(R_Id, S_Id, M_Id);
  UnRegister_Resource(R_Id);
  UnRegister_Service(R_Id, S_Id);
  UnRegister_Method(R_Id, S_Id, M_Id);
  Create_New_Client(C_Id);
  Delete_Client(C_Id);
  Find_Client(C_Id);
  Find_All_Clients();

CSE Introduction and Motivation: Client Interactions and Processing
Figure 3.1: Client Interactions and Service Invocations.
Figure labels: Database Resource, Role-Based Privileges, Authorization List, Security Registration, Lookup Service, GUI Client, Discover Service, Return Proxy
Steps shown in the figure:
  1. Register_Client(C_Id, IP_Addr,UR);
  2. Verify_UR_Client(UR,C_Id);
  3. Client OK?
  4. Registration OK?
  5. ModifyAttr(C_ID,UR,Value)
  6. IsClient_Registered(C_ID)
  7. Registration OK?
  9. Privileges OK?
  10. Modification OK?
Also shown, without a step number: Check_Privileges(UR,R_Id,S_Id,M_Id);
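The interaction in Figure 3.1, as an added example that is not part of the original slides or the authors' Java/JINI prototype: a small Python model of the three security resources and a database resource. Method names follow the slides; the in-memory storage, the rule that a resource-level grant covers the methods beneath it, the placement of Check_Privileges between steps 7 and 9, and the hypothetical registered_role() helper (used to reject a role other than the one registered) are assumptions.

```python
# Added illustration: in-memory model of the three security resources.
# Method names follow the slides; the storage, the rule that a coarser grant
# covers everything beneath it, and registered_role() are assumptions.

class AuthorizationList:
    def __init__(self):
        self.roles = {}                                  # C_Id -> set of UR
    def grant_ur_client(self, ur, c_id):
        self.roles.setdefault(c_id, set()).add(ur)
    def verify_ur_client(self, ur, c_id):                # step 2
        return ur in self.roles.get(c_id, set())

class SecurityRegistration:
    def __init__(self, auth_list):
        self.auth_list, self.active = auth_list, {}      # C_Id -> (IP_Addr, UR)
    def register_client(self, c_id, ip_addr, ur):        # steps 1-4
        if not self.auth_list.verify_ur_client(ur, c_id):
            return False
        self.active[c_id] = (ip_addr, ur)
        return True
    def is_client_registered(self, c_id):                # step 6
        return c_id in self.active
    def registered_role(self, c_id):                     # hypothetical helper
        return self.active[c_id][1]

class RoleBasedPrivileges:
    def __init__(self):
        self.grants = set()                              # tuples of length 2, 3 or 4
    def grant_resource(self, ur, r_id):
        self.grants.add((ur, r_id))
    def grant_method(self, ur, r_id, s_id, m_id):
        self.grants.add((ur, r_id, s_id, m_id))
    def revoke_method(self, ur, r_id, s_id, m_id):
        self.grants.discard((ur, r_id, s_id, m_id))
    def check_privileges(self, ur, r_id, s_id, m_id):    # assumed step 8
        key = (ur, r_id, s_id, m_id)
        return any(key[:n] in self.grants for n in (2, 3, 4))

class DatabaseResource:
    def __init__(self, registration, privileges):
        self.registration, self.privileges, self.attr = registration, privileges, None
    def modify_attr(self, c_id, ur, value, s_id="DBServer", m_id="UpdateCourse"):  # step 5
        reg = self.registration
        if not reg.is_client_registered(c_id) or reg.registered_role(c_id) != ur:
            return "denied: registration"                # step 7 failed
        if not self.privileges.check_privileges(ur, "CourseDB", s_id, m_id):
            return "denied: privileges"                  # step 9 failed
        self.attr = value
        return "ok"                                      # step 10
```

Revoking a method-level grant leaves a resource-level grant for the same role in force in this model, so a revocation has to be checked at every granularity at which access was granted.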

CSE Introduction and Motivation: Objectives
- Merge Prototypes
- Implement Different DBMS
- Use Multiple Different Computing Platforms
- Establish Dual Security Clients
- Leasing Enforcement
- Implement Negative Privilege Policy
- Improve Architecture

CSE JINI Lookup Service, Client and Resource Interactions

CSE System Architecture and Improvements Merge Prototypes

CSE System Architecture and Improvements: JINI Prototype of Role Based Approach
Figure 3.3. University Database System Architecture
Figure labels: Java GUI Client1, Java GUI Client2, JINI Lookup Service, Author. List Res. (copy 1), Author. List Res. (copy 2), Role-Based Privileges & Sec. Reg., CourseDB Resource (copy 1), CourseDB Resource (copy 2)
DBServer Service: GetClasses(); PreReqCourse(); GetVacantClasses(); EnrollCourse(); AddCourse(); RemoveCourse(); UpdateCourse().

CSE System Architecture and Improvements Security Policy and Enforcement

CSE System Architecture and Improvements Security System Database

CSE System Architecture and Improvements Leasing, Negative Privilege Enforcement

CSE System Architecture and Improvements: New Security Model
Figure 3.7: New Architecture of Clients and Resources.
Figure labels:
- Resources Provide Services: Legacy, COTS, Database, General Resource
- Clients Using Services: Java Client, Legacy Client, Database Client, Software Agent, COTS Client
- SECURITY SYSTEM: Enforcement Client, Policy Client, Database
- Lookup Service

CSE System Architecture and Improvements New Database Scheme

CSE Experimental Prototype Security Client Prototype Figure 4.1. Authentication GUI.

CSE Experimental Prototype Policy Client Prototype Figure 4.2. Policy Client, Role, Create Role

CSE Experimental Prototype Policy Client Prototype Figure 4.3. Policy Client, Role, Grant IP

CSE Experimental Prototype Policy Client Prototype Figure 4.4. Policy Client, Resource, Method

CSE Experimental Prototype Policy Client Prototype Figure 4.5. Policy Client, Resource, Resource

CSE Experimental Prototype Policy Client Prototype Figure 4.6. Policy Client, Resource, Add Method to Service

CSE Experimental Prototype Enforcement Client Prototype Figure 4.7. Enforcement Client, User, Create User

CSE Experimental Prototype Enforcement Client Prototype Figure 4.8. Enforcement Client, User, Grant Role

CSE Experimental Prototype Enforcement Client Prototype Figure 4.9. Enforcement Client, User, Negative Privileges

CSE Experimental Prototype Enforcement Client Prototype Figure Enforcement Client, Token, Unregister Token

CSE Experimental Prototype University Database Prototype Figure University Database, Query Database

CSE Experimental Prototype University Database Prototype Figure University Database, Update Course

CSE Experimental Prototype University Database Prototype Figure University Database, Register Courses

CSE Related Work
- Security Policy & Enforcement (OS Security)
- Security Filters and Screens
- Header Encryption
- User-level Authen.
- IP Encapsulation
- Key Mgmt. Protocols
- Browser Security
- Use of Encryption
- Access Control
- Securing Comm. Channel
- Establishing a Trusted Computer Base
- Network Services
- Kerberos and Charon
- Security: Mobile Agents
- Saga Security Architecture
- Access Tokens
- Control Vectors
- Security Monitor
- Concordia
- Storage Protection
- Transmission Protection
- Server Resource Protection
- Other Topics
- Trust Appraisal
- Metric Analysis
- Short-lived Certificates
- Seamless Object Authentication

CSE300-33 Conclusions
- For a Distributed Resource Environment
- Proposed & Explained a Role-Based Approach
- Presented Software Architecture Containing
- Role-Based Security Model for a Distributed Resource Environment
- Improved Prototype
- Merged Prototypes
- Improved Security Client
- Token
- Time Stamps
- Negative Privileges
- Dual Security Clients
- Achieved Platform Independence

CSE Future Work
- More on Negative Privileges
- Chaining of Resource Invocations
  - Client Uses S1 on R1 that Calls S2 on R2
- Multiple Security Clients
  - What Happens When Multiple Security Clients Attempt to Modify Privileges at Same Time?
- Security Client Hierarchy
- Testing
- Analysis Tool
- Track Chaining of Resources
- Mandatory Access Control

CSE Future Work
- Introduce Cryptography Technology
- Location of Client vs. Effect on Service
  - What if Client is on Local Intranet?
  - What if Client is on WAN?
  - Are Privileges Different?
- Tracking Computation for Identification Purposes
  - Currently Require Name, Role, IP Addr, Port #
  - How is this Tracked when Dynamic IP Addresses are Utilized?