Slide 1
Building Blocks for Trusted Coordination
Nick Cook, University of Newcastle
Trusted Coordination, TAPAS Workshop, 25-26/09/03
Slide 2: Trusted Coordination
Two aspects:
- Higher level mechanisms for policy specification and enforcement: contract representation and monitoring
- Lower level mechanisms for non-repudiable interaction: the scope of this presentation
Slide 3: Outline
- Building blocks for trusted coordination
- Non-repudiable service invocation
- Non-repudiable information sharing
- Infrastructure requirements
- Implementations
- References
Slide 4: Building blocks for trusted coordination
- Trusted coordination addresses the VE requirement to regulate interactions (service access, updates to shared information, etc.)
- Regulation implies an audit trail, both to monitor interactions and to resolve disputes
- Evidence generated is of little value unless it is irrefutably attributable to its source (non-repudiable)
- This implies two building blocks for trusted coordination:
  - Non-repudiable service invocation
  - Non-repudiable information sharing
Slide 5: Service invocation
2-party, client-server interaction
- The server needs evidence that:
  - the request originated at the client: non-repudiation of origin (NRO) of the request
  - the response was received by the client: non-repudiation of receipt (NRR) of the response
- The client needs evidence that:
  - the request was received by the server (NRR of the request)
  - the response originated at the server (NRO of the response)
[Diagram: Client sends request to Server; Server returns response to Client]
Slide 6: Non-repudiable service invocation
[Diagram: message flow between Client, Client Interceptor, Server Interceptor and Server]
- Client -> Client Interceptor: req
- Client Interceptor -> Server Interceptor: req, NROreq
- Server Interceptor -> Server: req
- Server -> Server Interceptor: resp
- Server Interceptor -> Client Interceptor: resp, NRRreq, NROresp
- Client Interceptor -> Server Interceptor: NRRresp
- Client Interceptor -> Client: resp
Slide 7: Observations
- To guarantee protocol compliance, the interceptors must be trusted
- The degenerate case is that the interceptors are a trusted third party (or parties); the protocol then resembles fair exchange as discussed in the literature
- Interceptors can be configured to execute any non-repudiation protocol, for example to meet different evidentiary requirements
[Diagram: same interceptor message flow as slide 6]
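The four-step exchange of slides 6 and 7, worked as an added example that is not part of the presentation or of any of the implementations it cites. Both interceptors are simulated in one process; the evidence tokens are Ed25519 signatures over a digest of the message, with the role (NRO or NRR) and the signer's name bound into the signed bytes so a token cannot be presented in another role. Each interceptor refuses to pass the message on until the evidence it has received so far verifies, which is the point at which a trusted interceptor enforces protocol compliance. The party names, the toy service and the message contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Party is a protocol participant holding an Ed25519 signing key pair (constructed for the example).
type Party struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, priv: priv, Pub: pub}
}

// Evidence is one non-repudiation token: its role (NRO = origin, NRR = receipt),
// the signer, the digest of the message it covers and the signer's signature.
type Evidence struct {
	Kind   string
	Signer string
	Digest [32]byte
	Sig    []byte
}

// signedBytes binds role and signer into the signed string so a token cannot be replayed in another role.
func signedBytes(kind, signer string, d [32]byte) []byte {
	return []byte(fmt.Sprintf("%s|%s|%x", kind, signer, d))
}

func (p *Party) Sign(kind string, msg []byte) Evidence {
	d := sha256.Sum256(msg)
	return Evidence{Kind: kind, Signer: p.Name, Digest: d, Sig: ed25519.Sign(p.priv, signedBytes(kind, p.Name, d))}
}

// Verify checks that e is a token of the expected role, from the expected party, over msg.
func Verify(e Evidence, kind string, from *Party, msg []byte) bool {
	if e.Kind != kind || e.Signer != from.Name || e.Digest != sha256.Sum256(msg) {
		return false
	}
	return ed25519.Verify(from.Pub, signedBytes(e.Kind, e.Signer, e.Digest), e.Sig)
}

// Invoke runs the exchange between the client and server interceptors and returns the
// audit trail both sides end up with: NROreq, NRRreq, NROresp, NRRresp.
func Invoke(client, server *Party, service func([]byte) []byte, req []byte) ([]Evidence, error) {
	// Step 1: the client interceptor forwards req together with NROreq.
	nroReq := client.Sign("NRO", req)
	// Step 2: the server interceptor checks NROreq before the request reaches the service.
	if !Verify(nroReq, "NRO", client, req) {
		return nil, errors.New("server interceptor: NROreq does not verify, request rejected")
	}
	resp := service(req)
	nrrReq := server.Sign("NRR", req)
	nroResp := server.Sign("NRO", resp)
	// Step 3: the client interceptor checks the server's evidence before releasing resp to the client.
	if !Verify(nrrReq, "NRR", server, req) || !Verify(nroResp, "NRO", server, resp) {
		return nil, errors.New("client interceptor: server evidence does not verify, response rejected")
	}
	nrrResp := client.Sign("NRR", resp)
	// Step 4: the server interceptor checks NRRresp; the audit trail is now complete on both sides.
	if !Verify(nrrResp, "NRR", client, resp) {
		return nil, errors.New("server interceptor: NRRresp does not verify")
	}
	return []Evidence{nroReq, nrrReq, nroResp, nrrResp}, nil
}

func main() {
	client, server := NewParty("client"), NewParty("server")
	upper := func(in []byte) []byte { return []byte(strings.ToUpper(string(in))) } // toy service
	trail, err := Invoke(client, server, upper, []byte("getQuote(item=42)"))
	if err != nil {
		panic(err)
	}
	for _, e := range trail {
		fmt.Printf("%s by %-6s over %x\n", e.Kind, e.Signer, e.Digest[:8])
	}
}
```

Either side can later hand its four tokens to an arbiter, who needs only the public keys and the original messages to re-run Verify; a token fails if the message, the role or the claimed signer is changed.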
Slide 8: Evidence for non-repudiable service invocation
- Request evidence includes the service invoked and any parameters to the invocation
- Response evidence is the result of the invocation
- 3 different types to consider:
  1. Values: require the state of the value at invocation time (or at response time for the result). Before evidence generation, references to local values must be resolved to an agreed representation of their state.
  2. Service references: require a globally resolvable name for the service, e.g. a URL (not the state of the service)
  3. Shared information references: require the state of the information at invocation time (or at response time for the result) and a reference to the shared information that is resolvable by the remote party
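An added example (not from the presentation) of the resolution step slide 8 describes: before any evidence is signed, each argument is reduced to an agreed representation. A value contributes its state, a service reference contributes only its resolvable name, and a shared information reference contributes both a resolvable identifier and a digest of its state at invocation time. The canonical form is deterministic JSON (encoding/json sorts map keys), so both parties derive the same digest to sign. The argument kinds, the URLs and the identifiers are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Arg is anything a request refers to; each kind decides what its agreed representation contains.
type Arg interface {
	canonical() (map[string]any, error)
}

// Value: a local value whose state at invocation time is captured in the evidence.
type Value struct {
	Name string
	V    any
}

func (a Value) canonical() (map[string]any, error) {
	return map[string]any{"name": a.Name, "type": "value", "state": a.V}, nil
}

// ServiceRef: only a globally resolvable name (here a URL) is recorded, never the service's state.
type ServiceRef struct {
	Name, URL string
}

func (a ServiceRef) canonical() (map[string]any, error) {
	return map[string]any{"name": a.Name, "type": "service", "ref": a.URL}, nil
}

// SharedRef: a reference the remote party can resolve plus a digest of the state at invocation time.
type SharedRef struct {
	Name, ID string
	State    any
}

func (a SharedRef) canonical() (map[string]any, error) {
	b, err := json.Marshal(a.State)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return map[string]any{"name": a.Name, "type": "shared", "ref": a.ID, "stateHash": fmt.Sprintf("%x", h)}, nil
}

// Request names the service invoked (by resolvable name), the operation and its arguments.
type Request struct {
	Service string
	Op      string
	Args    []Arg
}

// Canonical returns the byte string that non-repudiation evidence is generated over.
func Canonical(r Request) ([]byte, error) {
	args := make([]map[string]any, 0, len(r.Args))
	for _, a := range r.Args {
		c, err := a.canonical()
		if err != nil {
			return nil, err
		}
		args = append(args, c)
	}
	return json.Marshal(map[string]any{"service": r.Service, "op": r.Op, "args": args})
}

// RequestDigest is the value a party would sign as NRO/NRR evidence for this request.
func RequestDigest(r Request) ([32]byte, error) {
	b, err := Canonical(r)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(b), nil
}

func main() {
	r := Request{Service: "https://example.invalid/orders", Op: "place", Args: []Arg{
		Value{Name: "qty", V: 3},
		ServiceRef{Name: "payment", URL: "https://example.invalid/pay"},
		SharedRef{Name: "account", ID: "acct-17", State: map[string]any{"balance": 100}},
	}}
	b, _ := Canonical(r)
	d, _ := RequestDigest(r)
	fmt.Printf("%s\n%x\n", b, d)
}
```

The same request over a shared object in a different state yields a different digest, while nothing about the referenced service's own state enters the digest at all.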
Slide 9: Access and update to shared information
Multi-party, peer-to-peer interaction. For an update proposed by A:
- B and C need evidence that the update originated at A (NRO of the update)
- A needs evidence that B and C received the update (NRR of the update)
- A, B and C need evidence that, after the update, the information will be in a consistent, agreed state (NRO of the agreement, NRR of the agreement)
[Diagram: A proposes an update to shared information i, which is replicated at B and C]
Slide 10: Non-repudiable information sharing
[Diagram: A updates its replica of i, upd (1); A sends prop (2) to B and C; B and C return resp (3) to A; A sends reslv (4) to B and C; the replicas are updated, upd (5)]
Evidence required:
- State transition proposed by A (propose: step 2)
- Decisions on validity of the transition from B and C (respond: step 3)
- Collective decision (resolve: step 4)
Shared information is only updated if the collective decision is that A's proposal is valid
Incentives to good behaviour are stronger than for one-off service invocation
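The propose/respond/resolve steps of slide 10, worked as an added example that is not part of the presentation and is not the B2BObjects code it later mentions. A proposal is A's signed statement of a state transition (digest of the current state to digest of the proposed state); each other member checks that the proposal is attributable to a member and is fresh, applies its own validity check to the transition, and signs its decision bound to the proposal's digest; resolve applies the update only if every other member has signed "valid", records the new state in a store keyed by its hash, and appends the signed evidence to a log. The group, the object name and the validity check are constructed for the example; membership service, state store and log are kept as in-memory maps.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Member of the coordinating group; the membership service maps a name to its public key.
type Member struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewMember(name string) *Member {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Member{Name: name, priv: priv, Pub: pub}
}

// Proposal (step 2): the proposer asks to move Object from state hash From to state hash To.
type Proposal struct {
	Object, Proposer string
	From, To         [32]byte
	NewState         []byte
	Sig              []byte
}

func (p Proposal) signed() []byte {
	return []byte(fmt.Sprintf("propose|%s|%s|%x|%x", p.Object, p.Proposer, p.From, p.To))
}

// Response (step 3): one member's signed decision, bound to the digest of the proposal.
type Response struct {
	Member   string
	Proposal [32]byte
	Valid    bool
	Sig      []byte
}

func (r Response) signed() []byte {
	return []byte(fmt.Sprintf("respond|%s|%x|%t", r.Member, r.Proposal, r.Valid))
}

// Group bundles the membership service, the state store (hash of state -> state),
// the current state hash per shared object and a simplified non-repudiation log.
type Group struct {
	Members map[string]*Member
	Store   map[[32]byte][]byte
	Current map[string][32]byte
	Log     [][]byte
}

func NewGroup(object string, initial []byte, members ...*Member) *Group {
	g := &Group{Members: map[string]*Member{}, Store: map[[32]byte][]byte{}, Current: map[string][32]byte{}}
	for _, m := range members {
		g.Members[m.Name] = m
	}
	h := sha256.Sum256(initial)
	g.Store[h], g.Current[object] = initial, h
	return g
}

func (g *Group) Propose(m *Member, object string, newState []byte) Proposal {
	p := Proposal{Object: object, Proposer: m.Name, From: g.Current[object], To: sha256.Sum256(newState), NewState: newState}
	p.Sig = ed25519.Sign(m.priv, p.signed())
	return p
}

// Respond: check origin and freshness of the proposal, then sign this member's own decision.
func (g *Group) Respond(m *Member, p Proposal, accept func(old, new []byte) bool) (Response, error) {
	proposer, ok := g.Members[p.Proposer]
	if !ok || !ed25519.Verify(proposer.Pub, p.signed(), p.Sig) {
		return Response{}, errors.New("proposal not attributable to a group member")
	}
	if p.From != g.Current[p.Object] || sha256.Sum256(p.NewState) != p.To {
		return Response{}, errors.New("proposal is stale or its state does not match its hash")
	}
	r := Response{Member: m.Name, Proposal: sha256.Sum256(p.signed()), Valid: accept(g.Store[p.From], p.NewState)}
	r.Sig = ed25519.Sign(m.priv, r.signed())
	return r, nil
}

// Resolve (step 4): apply the update only if every other member has signed "valid".
func (g *Group) Resolve(p Proposal, rs []Response) (bool, error) {
	want, decided := sha256.Sum256(p.signed()), map[string]bool{}
	for _, r := range rs {
		m, ok := g.Members[r.Member]
		if !ok || r.Proposal != want || !ed25519.Verify(m.Pub, r.signed(), r.Sig) {
			return false, errors.New("response not attributable to a member or not bound to this proposal")
		}
		decided[r.Member] = r.Valid
	}
	for name := range g.Members {
		if name != p.Proposer && !decided[name] {
			return false, nil // a missing or negative decision makes the collective decision "invalid"
		}
	}
	g.Store[p.To], g.Current[p.Object] = p.NewState, p.To
	g.Log = append(g.Log, p.Sig)
	for _, r := range rs {
		g.Log = append(g.Log, r.Sig)
	}
	return true, nil
}

func main() {
	a, b, c := NewMember("A"), NewMember("B"), NewMember("C")
	g := NewGroup("i", []byte("v1"), a, b, c)
	p := g.Propose(a, "i", []byte("v2"))
	rb, _ := g.Respond(b, p, func(_, _ []byte) bool { return true })
	rc, _ := g.Respond(c, p, func(_, _ []byte) bool { return true })
	ok, _ := g.Resolve(p, []Response{rb, rc})
	fmt.Println("applied:", ok, "state:", string(g.Store[g.Current["i"]]), "log entries:", len(g.Log))
}
```

A replayed proposal fails the freshness check because its From hash no longer matches the current state, and a proposal that lacks any member's positive decision leaves the store and the current hash unchanged.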
Slide 11: Infrastructure requirements
- Cryptographic primitives: digital signatures, secure message digest (hash), secure random number generation
- Credential (certificate) management
- Access control services
  - Intra-organisation: map user to role
  - Inter-organisation: map credential to role
- Non-repudiation log: protocol-specific; include a signed hash of state in the evidence
- State store: map hash of state to a persistent representation of the state
Slide 12: Infrastructure contd.
- Coordination service to execute NR protocols (configurable to a specific protocol)
- Membership service (for information sharing only)
  - Maintains group membership information (mapping members to credentials)
  - Membership is coordinated using NR protocols executed by the coordination service
- Communication subsystem
- Trusted time-stamping service
  - To verify that a signing key was not compromised at the time of use (evidence generation)
  - Recent results from Zhou et al may make this unnecessary
- Trusted Third Parties for strong fairness guarantees
Slide 13: Implementations
- NR service invocation
  - Wichert et al's CORBA service: lacks protocol detail and (naturally) only addresses value types
  - Paul Robinson is working on a J2EE implementation
- NR information sharing: B2BObjects
  - Realise shared information as object replicas at each member of the coordinating group
  - Regulate access to and update of object state
  - Group membership and object state only change if all parties agree
  - Implemented in Java using RMI (an initial version is also running on JBOSS)
Slide 14: References
- M. Wichert, D. Ingham, S. Caughey. Non-repudiation Evidence Generation for CORBA using XML. In Proc. IEEE Annual Computer Security Applications Conf., Phoenix, US, 1999.
- N. Cook, S. Shrivastava, S. Wheater. Distributed Object Middleware to Support Dependable Information Sharing between Organisations. In Proc. IEEE DSN02, Washington, US, Jun 2002.
- N. Cook, S. Shrivastava, S. Wheater. Middleware Support for Non-repudiable Transactional Information Sharing between Enterprises. To appear as Work in Progress in: Proc. 4th IFIP DAIS, Paris, France, Nov 2003.
- J. Zhou, F. Bao, R. Deng. Validating Digital Signatures without TTP's Time-stamping and Certificate Revocation. To appear in Proc. 2003 Information Security Conf., Bristol, UK, Oct 2003.
- Jianying Zhou's non-repudiation bibliography: http://www.geocities.com/zhou_jianying/non-repudiation.html