Vigil: Enforcing Security in Ubiquitous Environments. Authors: Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin. Presented by: Amit Choudhri.

Presentation transcript:

1 Vigil: Enforcing Security in Ubiquitous Environments
Authors: Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin
Presented by: Amit Choudhri
CMSC 628, Spring 2002, UMBC

2 Introduction
- Focal point of paper: ubiquitous / pervasive computing, i.e. access to services and information ANYWHERE and EVERYWHERE
- Existing technologies for security in such environments:
  - Simple Public Key Infrastructure (SPKI)
  - Role Based Access Control (RBAC)

3
- Vigil complements these with "distributed trust management"
- Vigil is applied to Smart Spaces
- Smart Space: provides services and resources accessible by short-range wireless communication.

4
- Vigil uses the Centaurus model for the SmartSpace architecture.
- Centaurus SM proxies for clients
- Vigil infrastructure:
  - reduce load on mobile devices
  - media independent
  - provides services and information

5 Security Challenges
- Cannot provide unique user id and login for everyone → not scalable.
- Cannot have a central authority per space.
- No access control information available when new users are authenticated.
- Heterogeneity of environments and inconsistent interpretations of policy.

6 Architecture
- Clients can move, attach, detach and re-attach at any point in the framework.
- Vigil uses "trust management"
  - Establishing trust relationships
  - NOT quantifying trust
- Similar to RBAC
- Access rights are computed from its properties!

7 Components
Vigil has 6 components:
- Service Broker
- Communication Manager
- Certificate Controller
- Security Agent
- Role Assignment Manager
- Clients (users & services)

9 Service Broker
The Service Broker is responsible for:
- processing Client Registration/De-Registration requests
- responding to registered Client requests for a listing of available services
- brokering Subscribe/Un-Subscribe and Command requests from users to services
- sending service updates to all subscribed users

10
- Service brokers in different spaces form a tree hierarchy → core of the Vigil system
- Identified by their handles, i.e. position in the hierarchy
- Trust between clients is transitive through the Service Brokers

11 Client
- All users and services are clients
- Clients register with a Service Broker in a space.
- Digital certificate and Showall flag sent during registration
- Clients can request services from brokers and other clients, via service brokers.

12 Certificate Controller
- Generates X.509 version 3 digital certificates for system entities
- Verifies certificates presented by entities
- These certificates are stored on the client's smartcard
- Verification is based on a list of trusted CAs and a set of verification rules and policies.

13 Role Assignment Manager
- Assigns roles to entities in a space
- Maintains an Access Control List (ACL)
- Uses rules from the security policy to assign roles.
- Allows multiple roles for an entity and dynamic updating of roles.

14 Security Agent
- Maintains "distributed trust" in the system.
- Policy has rules for:
  - Role assignment
  - Access control
  - Delegation
  - Revocation
- Policies
  - Global – organization level
  - Local – space level

15
- Policy has
  - Permissions
  - Prohibitions → negative access rights
- Knowledge base is created using Prolog
- All queries are converted to Prolog
- More complex than RBAC or ACL because access rights can be delegated.
- Delegations are not random → from authorized entity to authorized entities, follow policy.

16 Service Access
- On registration, the user gets an interface to all accessible services
- Services that have their ShowAll flag set are also displayed → the user cannot access them, but can request access to them
- A user can get a list of services from its Service Broker.
- The Service Broker grants access after checking the client's role and querying the Security Agent for the user's rights.
- If the request is valid, it forwards the request to the service.

17 Delegation
- User can see services, but cannot use them → Showall flag
- User can request another user or service to delegate it the required access rights.
- To request delegation, user sends request with digital certificate
- If rights are delegated, the Security Agent is informed

18
- Delegated rights are valid only for a specific time.
- Delegated rights can be re-delegated if allowed
- When time expires → renew rights again
- Delegating user can revoke delegated rights by informing the Security Agent.
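
The access decision described on slides 14 to 18, as an added example that is not part of the presentation or of Vigil's own code. It is a Python stand-in for the Security Agent's Prolog knowledge base; every class, field and right name is hypothetical, and it assumes that a right held through a role may be delegated and that a delegation stays valid only while every delegation upstream of it is valid.

```python
# Added sketch, not Vigil's code: a Python stand-in for the Security Agent's
# Prolog knowledge base. All class, field and right names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Delegation:
    delegator: str
    delegatee: str
    right: str
    expires: float        # delegated rights are valid only until this time
    redelegable: bool     # may the delegatee pass the right on?
    revoked: bool = False

@dataclass
class SecurityAgent:
    role_rights: dict     # role -> set of rights (permissions)
    roles: dict           # entity -> set of roles, as set by the Role Assignment Manager
    prohibitions: set = field(default_factory=set)   # (entity, right) negative rights
    delegations: list = field(default_factory=list)

    def has_right(self, entity, right, now, to_delegate=False, seen=frozenset()):
        """True if entity holds right at time now; prohibitions always win."""
        if (entity, right) in self.prohibitions or entity in seen:
            return False
        if any(right in self.role_rights.get(r, ()) for r in self.roles.get(entity, ())):
            return True   # assumption: a right held through a role may be delegated
        # Otherwise look for a live delegation whose whole chain is still valid.
        return any(
            d.delegatee == entity and d.right == right and not d.revoked
            and now < d.expires and (d.redelegable or not to_delegate)
            and self.has_right(d.delegator, right, now, True, seen | {entity})
            for d in self.delegations)

    def delegate(self, delegator, delegatee, right, now, ttl, redelegable=False):
        """Record a delegation only if the delegator is entitled to pass it on."""
        if not self.has_right(delegator, right, now, to_delegate=True):
            raise PermissionError(f"{delegator} may not delegate {right}")
        d = Delegation(delegator, delegatee, right, now + ttl, redelegable)
        self.delegations.append(d)
        return d

    def revoke(self, delegator, delegatee, right):
        """The delegating user informs the Security Agent of a revocation."""
        for d in self.delegations:
            if (d.delegator, d.delegatee, d.right) == (delegator, delegatee, right):
                d.revoked = True

def build_space():
    """Constructed sample space: alice holds 'print' through the faculty role."""
    return SecurityAgent(role_rights={"faculty": {"print"}},
                         roles={"alice": {"faculty"}, "bob": {"visitor"},
                                "carol": {"visitor"}})
```

Because the chain is re-evaluated on every query, revoking or letting expire the first delegation also withdraws any rights re-delegated from it.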

19 Terms
Role Based Access Control (RBAC):
- Rights are associated with pre-defined roles, and not with users.
- Roles can change in different environments, while user remains the same → context-dependent semantics!
- Rules for assigning roles are the main access control mechanism
- Dynamic creation of roles is possible, based on inferences
- Drawback: dynamic delegation of rights not possible

20
Public Key Infrastructure (PKI)
- PKI uses on-line repository for certificates
- PKI provides on-line Certificate Revocation List (CRL)
- PKI imposes a high overhead and increased traffic.
Simplified Public Key Infrastructure (SPKI)
- Entities send their certificate to SA
- SA sends back its own certificate to entity
- Certificates verified using certificate controller
- Certificate has list of CA's and rules for verification
- All entities can communicate by attaching their certificates to initial message.

21 Implementation
- Security Agent uses Prolog for reasoning
- Java was the development platform
- The Centaurus framework on which Vigil is built uses Centaurus Capability ML (CCML)
- CCML is used as the data exchange format between service requester and provider

22 Related Research
- Unisys Corporation / Orange experimental house (Hertford, England)
- UC Berkeley's Ninja Project
- Uwash's Portolano project
- Stanford's Interactive Workspaces Project

23 Further Work
- Implementing distributed belief based on gossip for the SA
- Using RDF or DAML instead of Prolog for encoding the trust information