9/23/2004SIS/chow1 Research Project Techniques and Tools for Supporting Secure Information Sharing and Collaborative Work C. Edward Chow, PI Ganesh Godavari, GRA Department of Computer Science University of Colorado at Colorado Springs Sponsored by NISSC - AFSOR

USNORTHCOM Research Question Addressed

Research Focus and Purpose

Research focus: investigate critical techniques and tools for supporting Secure Information Sharing (SIS) and collaborative work.

Tasks:
1. Investigate efficient key and attribute certificate management for large-scale information sharing and collaborative work → easier/faster to share.
2. Study infrastructure support for secure web-based collaborative applications → fast to set up, reliable, secure.
3. Research ubiquitous computing for sharing sensor and web information → access/distribute information anywhere, anytime, any way.

Schedule Update

Following the same schedule.

Current Project Status: Task 1

Investigate efficient key and attribute certificate management for large-scale information sharing and collaborative work.
– Studied issues in large-scale web-based secure access control using Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI).
– Developed a concept prototype that demonstrates secure web access control with enhanced LDAP and Apache web servers.
– Working on distributed directory server systems for supporting information sharing among multiple agencies.

Current Project Status: Task 2

Study infrastructure support for secure web-based collaborative applications.
– Explored the use of Content Delivery Network (CDN) infrastructure to support secure web-based collaborative applications.
– Idea: utilize an existing CDN such as Akamai, and extend its existing web document caching functions to soft real-time collaborative applications (instant messaging).
– Investigating solutions for resolving the security issues between Java applets and cache servers.

Current Project Status: Task 3

Research ubiquitous computing for sharing sensor and web information.
– Keeping track of the current sensor network and ubiquitous computing literature.
– Investigated the new MicaZ sensor mote, which is based on the new IEEE 802.15.4 radio standard.
– Plan to focus on this task in Spring 2005.

Current Funding Status
– Paid for one faculty summer month of salary.
– Paid for two GRA summer months of salary.
– Paid for a Sony VGN-A170B notebook.

Anticipated Results
– Identify issues and present solutions for creating and managing a large-scale secure web-based information sharing system among multiple independent agencies → share the results through publications.
– Design prototypes demonstrating the key concepts from the above research → share the software developed in this project by posting it on the CS and NISSC web sites.

Preliminary Findings
– An attribute certificate (RFC 3281) based Privilege Management Infrastructure (PMI) makes it easy to implement secure role-based access control in a large-scale SIS.
– Web servers can be enhanced with an LDAP module to allow role-based access control.
– LDAP can be extended to store attribute certificates.
– LDAP can function as a central place for creating and managing the roles of users.

Privilege Management Infrastructure (PMI)
– Similar to Public Key Infrastructure.
– Its function is to specify the policy for attribute certificate issuance and management.

Comparison of PKIs and PMIs [2]:

Concept               | PKI entity                          | PMI entity
Certificate           | Public Key Certificate (PKC)        | Attribute Certificate (AC)
Certificate issuer    | Certification Authority (CA)        | Attribute Authority (AA)
Certificate user      | Subject                             | Holder
Certificate binding   | Subject's name to public key        | Holder's name to privilege attribute(s)
Revocation            | Certificate Revocation List (CRL)   | Attribute Certificate Revocation List (ACRL)
Root of trust         | Root CA or trust anchor             | Source of Authority (SOA)
Subordinate authority | Subordinate Certification Authority | Attribute Authority (AA)

PKC vs. AC
– A PKC binds a subject (DN) to a public key.
– An AC binds permissions (attributes) to an entity, the holder; per RFC 3281 the holder is identified either by name or by the issuer and serial number of the holder's PKC.

Unanticipated Results
– A single LDAP server is easy to configure.
– Ganesh had a tough time extending LDAP to include attribute certificates with the current stable version of OpenLDAP, so we use an older version instead. octetStringMatch does not work in the new version, and the suggestion by Dr. Chadwick of the PERMIS group to add a new object ID type was not accepted by the OpenLDAP group (waiting for a standard?).
– It is a real pain to configure a set of LDAP servers for cooperation (delegation/trust).

Unanticipated Results: performance results on a single-agency scenario

Table columns: total time taken for LDAP access (ms); total time taken for attribute certificate retrieval and validation (ms); with an average (Avg) row.

Issues and Challenges
– Automated tools for setting up the SIS infrastructure with LDAP servers, web servers and clients from multiple agencies.
– Further investigation of federated identity, RBAC policy and the Security Assertion Markup Language (SAML).
– Study policy-based systems and policy-enforcing mechanisms, e.g., Michigan's Antigone.
– It is difficult to set up a secure information sharing prototype without a real CA. Tools are needed to speed up the creation of certificates and the installation of fake (test) CA certificates on every client and server.

Needed Assistance
– Large-scale multiple-agency field trials to obtain real benchmarking results.
– Help obtaining samples of the policies used in agencies, in terms of:
  – data sent over non-secure channels (such as the Internet or wireless access)
  – account creation
  – certificate issuing

Expectations Moving Forward
– Explore issues in supporting large-scale notification systems.
– Potential new funding (DHS, DoD, NSF).
– Submit results to conferences: IDCS/USENIX.

SIS Testbed

Directory Information Tree for sis-canada

Root: dc=sis-canada, dc=edu
  ou=coordinationExcercise
  ou=Research
  entries: alpha-sis-canada, epsilon-sis-canada

A similar DIT is used on all the servers.

Demo
– alpha-sis-nissc accesses information on sis-connecticut.csnet.uccs.edu (the level1 directory requires the level1 manager role, which alpha holds).
– beta-sis-connecticut accesses information on sis-nissc.csnet.uccs.edu and sis-canada.csnet.uccs.edu (the level2 directory requires the level2 asstmanager role, which beta holds).
– epsilon-sis-newjersey accesses information on sis-newjersey.csnet.uccs.edu (the level3 directory requires the level3 submanager role, which epsilon holds).
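The following is an added example written for this page, not code from the SIS project or its Apache/LDAP prototype. It makes the PKC-vs-AC distinction and the PMI checks from the slides above concrete, and ends with the per-directory role decision of the demo: a minimal RFC 3281 v2 attribute certificate is DER-encoded, parsed back, and then checked for holder binding to the authenticated client PKC, trusted issuer (SOA/AA), validity period, ACRL status and the required role. Everything in it is constructed for illustration (the CA and SOA names, serials, dates and role strings); the holder is identified by baseCertificateID (issuer and serial of the PKC), each role is carried in an X.509 role attribute, and the AC is left unsigned because the Python standard library has no RSA, so the AA's signature over acinfo, which a deployment must verify first, is not checked here.

```python
# Added example (not SIS project code): DER-encode a minimal RFC 3281 v2 attribute certificate,
# parse it back, and make the per-directory role decision. All names, serials and dates are constructed.
import datetime as dt

ROLE_OID = "2.5.4.72"               # id-at-role
CN_OID = "2.5.4.3"                  # id-at-commonName
SHA1_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption (AlgorithmIdentifier only)
UTC = dt.timezone.utc

# ---- minimal DER encoder: only the universal types this AC needs ----
def tlv(tag, body):
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def seq(*parts): return tlv(0x30, b"".join(parts))
def sset(*parts): return tlv(0x31, b"".join(parts))
def ctx(n, body): return tlv(0xA0 | n, body)             # constructed context-specific tag [n]
def printable(s): return tlv(0x13, s.encode("ascii"))
def gentime(t): return tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # keeps sign pad byte
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                                    # base 128, high bit on all but the last byte
        n = max(1, (a.bit_length() + 6) // 7)
        out += [(0x80 if i < n - 1 else 0) | ((a >> (7 * (n - 1 - i))) & 0x7F) for i in range(n)]
    return tlv(0x06, bytes(out))
def name(cn): return seq(sset(seq(oid(CN_OID), printable(cn))))   # Name with a single cn= RDN
def general_names(cn): return seq(ctx(4, name(cn)))                # one [4] directoryName (EXPLICIT)

def build_ac(pkc_issuer_cn, pkc_serial, aa_cn, serial, not_before, not_after, roles):
    """AttributeCertificate per RFC 3281 section 4.1 (IMPLICIT TAGS); signatureValue left empty."""
    acinfo = seq(
        integer(1),                                                       # version v2
        seq(ctx(0, general_names(pkc_issuer_cn) + integer(pkc_serial))),  # Holder.baseCertificateID
        ctx(0, general_names(aa_cn)),                                     # AttCertIssuer.v2Form
        seq(oid(SHA1_RSA)),                                               # signature algorithm
        integer(serial),
        seq(gentime(not_before), gentime(not_after)),                     # AttCertValidityPeriod
        seq(*[seq(oid(ROLE_OID), sset(seq(ctx(1, ctx(4, name(r))))))      # Attribute{role, RoleSyntax}
              for r in roles]))
    return seq(acinfo, seq(oid(SHA1_RSA)), tlv(0x03, b"\x00"))           # unsigned: empty BIT STRING

# ---- minimal DER decoder ----
def items(buf):                                           # DER bytes -> list of (tag, body)
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                                 # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def cn_of(gn):        # CN inside a [4] directoryName GeneralName (or a one-name GeneralNames body)
    (_, name_tlv), = items(gn)
    (_, rdn_seq), = items(name_tlv)
    for _, rdn in items(rdn_seq):
        for _, atv in items(rdn):
            (_, t), (_, v) = items(atv)
            if decode_oid(t) == CN_OID:
                return v.decode("ascii")

def parse_ac(der):
    (_, ac), = items(der)
    (_, acinfo), _alg, (_, sigbits) = items(ac)
    _ver, (_, holder), (_, issuer), _alg, (_, ser), (_, validity), (_, attrs) = items(acinfo)
    (_, base_id), = items(holder)                         # [0] IssuerSerial
    (_, holder_gn), (_, holder_ser) = items(base_id)
    (_, issuer_gn), = items(issuer)                       # V2Form.issuerName
    t0, t1 = [dt.datetime.strptime(b.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)
              for _, b in items(validity)]
    roles = [cn_of(items(rs)[0][1])                       # RoleSyntax.roleName [1] EXPLICIT GeneralName
             for _, attr in items(attrs) if decode_oid(items(attr)[0][1]) == ROLE_OID
             for _, rs in items(items(attr)[1][1])]
    return {"holder": (cn_of(holder_gn), int.from_bytes(holder_ser, "big")), "issuer": cn_of(issuer_gn),
            "serial": int.from_bytes(ser, "big"), "not_before": t0, "not_after": t1, "roles": roles,
            "signature": sigbits[1:]}                     # b"" for the unsigned sample below

def authorize(ac_der, client_pkc, now, trusted_aas, acrl, required_role):
    """Decision for one protected directory. client_pkc = (issuer CN, serial) of the user's TLS client
    certificate; trusted_aas = SOA/AA names the server trusts; acrl = revoked AC serials. The AA's
    signature over acinfo must be verified before these checks (stdlib has no RSA, so not done here)."""
    ac = parse_ac(ac_der)
    checks = [(ac["holder"] == client_pkc, "AC holder does not match the authenticated PKC"),
              (ac["issuer"] in trusted_aas, "AC issued by an untrusted AA"),
              (ac["not_before"] <= now <= ac["not_after"], "AC outside its validity period"),
              (ac["serial"] not in acrl, "AC serial is on the ACRL"),
              (required_role in ac["roles"], "required role %r not held" % required_role)]
    return next(((False, why) for ok, why in checks if not ok), (True, "granted"))

# Constructed sample mirroring the demo: alpha's PKC is from SIS-CA (serial 1001); the sis-nissc
# SOA issues alpha an AC (serial 7) carrying the level1 manager role.
NOW = dt.datetime(2004, 9, 23, tzinfo=UTC)
SAMPLE_AC = build_ac("SIS-CA", 1001, "sis-nissc SOA", 7, dt.datetime(2004, 9, 1, tzinfo=UTC),
                     dt.datetime(2005, 9, 1, tzinfo=UTC), ["level1 manager"])
```

With this sample, authorize(SAMPLE_AC, ("SIS-CA", 1001), NOW, {"sis-nissc SOA"}, set(), "level1 manager") returns (True, "granted"), while asking for "level2 asstmanager", presenting a PKC with a different serial, adding serial 7 to the ACRL, trusting a different SOA, or evaluating after 2005-09-01 each yields (False, reason). The order of the checks matters in practice: the holder binding comes first because an AC retrieved from LDAP for the wrong user proves nothing about the client that actually authenticated, and the role comparison is last because a role claim is only meaningful once the certificate carrying it has been accepted.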