
1 CSE300-1 Security in a Distributed Resource Environment
Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips
Computer Science & Engineering Department, 191 Auditorium Road, Box U-155, The University of Connecticut, Storrs, Connecticut 06269-3155

2 CSE300-2 Paper Overview
1. Introduction and Motivation
2. JINI
3. System Architecture and Improvements
- Merge Prototypes
- Security Client Database
- Dual Security Clients
- Platform Independence
- Leasing Enforcement
- Negative Privileges
- Architecture Improvements
- Experimental Prototype
- Related Work
- Conclusions and Future Work

3 CSE300-3 Introduction and Motivation Research Goals
- Incorporation of Role-Based Approach within Distributed Resource Environment
- Make Distributed Applications Available Using Middleware Tools
- Propose Software Architecture and Role-Based Security Model for
  - Authorization of Clients Based on Role
  - Authentication of Clients and Resources
  - Enforcement so Clients Only Use Authorized Services (of Resource)

4 CSE300-4 Introduction and Motivation Approach
- Many Middleware Lookup Services
  - Successfully Dictates Service Utilization
  - Requires Programmatic Solution for Security
  - Does Not Selectively and Dynamically Control Access Based on Client Role
- Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role
- Our Approach
  - Define Dedicated Resource to Authorize, Authenticate, and Enforce Security Policy based on Role of Client

5 CSE300-5 Introduction and Motivation Initial Architecture
Figure 1.1: General Architecture of Clients and Resources.
Diagram labels: Resources Provide Services; Clients Using Services; Role-Based Privileges; Authorization List; Security Registration; Legacy; COTS; Database; Lookup Service (x2); Java Client (x2); Legacy Client; Database Client; Software Agent; COTS Client.

6 CSE300-6 Introduction and Motivation Initial Prototypes
- JINI Prototype of Role Based Approach
  - University Database (UDB)
  - Initial GUI for Sign In (Authorization List)
  - Student/faculty GUI Client (Coursedb)
  - Access to Methods Limited Based on Role (Ex: Only Student Can Enroll in a Course)
- Security Client Prototype
  - Generic Tool
  - Uses Three Resources and Their Services
    - Role-Based Privileges
    - Authorization-List
    - Security Registration

7 CSE300-7 Introduction and Motivation Security System Resources and Services
- Role-Based Privileges Resource
  - Define User-role
  - Grant/Revoke Access of Role to Resource
  - Register Services
- Authorization List Resource
  - Maintains Client Profile (Many Client Types)
  - Client Profile and Authorize Role Services
- Security Registration Resource
  - Register Client Service
  - Identity Registration at Startup
  - Uses IP Address
- Services of Resource
  - Functionally Separated and Organized
  - Resemble Method Definitions (OO)

8 CSE300-8 Introduction and Motivation Initial Security Client and Resource Interactions
Figure 1.2. Security Client and Database Resource Interactions.
Diagram labels: Role-Based Privileges; Authorization List; Security Registration; Lookup Service; Security Client; General Resource; Discover Service; Return Proxy.
Services shown in the figure:
- Find_Client(C_Id, IP_Addr); Find_All_Active_Clients();
- Grant_UR_Client(UR_Id, C_Id); Revoke_UR_Client(UR, C_Id); Find_AllUR_Client(C_Id); Find_All_Clients_UR(UR);
- Create_New_Role(UR_Name, UR_Disc, UR_Id); Delete_Role(UR_Id); Find_UR_Name(UR_Name); Find_UR_Id(UR_Id);
- Grant_Resource(UR_Id, R_Id); Grant_Service(UR_Id, R_Id, S_Id); Grant_Method(UR_Id, R_Id, S_Id, M_Id);
- Revoke_Resource(UR, R_Id); Revoke_Service(UR, R_Id, S_Id); Revoke_Method(UR, R_Id, S_Id, M_Id);
- Find_AllUR_Resource(UR,R_Id); Find_AllUR_Service(UR,R_Id,S_Id); Find_AllUR_Method(UR,R_Id,S_Id,M_Id); Find_UR_Privileges(UR);
- Register_Resource(R_Id); Register_Service(R_Id, S_Id); Register_Method(R_Id, S_Id, M_Id);
- UnRegister_Resource(R_Id); UnRegister_Service(R_Id, S_Id); UnRegister_Method(R_Id, S_Id, M_Id);
- Create_New_Client(C_Id); Delete_Client(C_Id); Find_Client(C_Id); Find_All_Clients();

9 CSE300-9 Introduction and Motivation Client Interactions and Processing
Figure 3.1: Client Interactions and Service Invocations.
Diagram labels: GUI Client; Lookup Service; Database Resource; Role-Based Privileges; Authorization List; Security Registration; Discover Service; Return Proxy.
Numbered interactions in the figure:
1. Register_Client(C_Id, IP_Addr,UR);
2. Verify_UR_Client(UR,C_Id);
3. Client OK?
4. Registration OK?
5. ModifyAttr(C_ID,UR,Value)
6. IsClient_Registered(C_ID)
7. Registration OK?
8. Check_Privileges(UR,R_Id,S_Id,M_Id);
9. Privileges OK?
10. Modification OK?
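
An added example (not code from the presentation or its prototype): a small Python model of the numbered exchange in Figure 3.1, in which the database resource confirms registration and privileges before applying ModifyAttr. The in-memory class, the fixed-length lease, the role-mismatch check and the sample client values are assumptions; the resource, service and method names are taken from the University Database slides.

```python
# Added illustration of Figure 3.1's steps 1-10; all storage is in memory.
import time

class SecuritySystem:
    """In-memory stand-in (assumption) for the three security resources."""
    def __init__(self, lease_seconds=300):
        self.authorization_list = set()  # (UR, C_Id): roles a client may hold
        self.privileges = set()          # (UR, R_Id, S_Id, M_Id) grants
        self.registrations = {}          # C_Id -> (IP_Addr, UR, lease expiry)
        self.lease_seconds = lease_seconds  # assumption: fixed lease length

    def grant_ur_client(self, ur, c_id):            # policy setup
        self.authorization_list.add((ur, c_id))

    def grant_method(self, ur, r_id, s_id, m_id):   # policy setup
        self.privileges.add((ur, r_id, s_id, m_id))

    def verify_ur_client(self, ur, c_id):           # steps 2-3
        return (ur, c_id) in self.authorization_list

    def register_client(self, c_id, ip_addr, ur, now=None):  # steps 1, 4
        now = time.time() if now is None else now
        if not self.verify_ur_client(ur, c_id):
            return False
        self.registrations[c_id] = (ip_addr, ur, now + self.lease_seconds)
        return True

    def is_client_registered(self, c_id, now=None):  # steps 6-7
        now = time.time() if now is None else now
        entry = self.registrations.get(c_id)
        if entry is None or now >= entry[2]:
            self.registrations.pop(c_id, None)  # expired lease is dropped
            return False
        return True

    def check_privileges(self, ur, r_id, s_id, m_id):  # steps 8-9
        return (ur, r_id, s_id, m_id) in self.privileges

def modify_attr(sec, c_id, ur, value, store, now=None):
    """Step 5 at the database resource; step 10 is the returned status."""
    if not sec.is_client_registered(c_id, now):
        return "denied: not registered"
    if sec.registrations[c_id][1] != ur:  # added check, not on the slide
        return "denied: role mismatch"
    if not sec.check_privileges(ur, "CourseDB", "DBServer", "UpdateCourse"):
        return "denied: no privilege"
    store["attr"] = value
    return "ok"
```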

10 CSE300-10 Introduction and Motivation Objectives
- Merge Prototypes
- Implement Different DBMS
- Use Multiple Different Computing Platforms
- Establish Dual Security Clients
- Leasing Enforcement
- Implement Negative Privilege Policy
- Improve Architecture

11 CSE300-11 JINI Lookup Service, Client and Resource Interactions

12 CSE300-12 System Architecture and Improvements Merge Prototypes

13 CSE300-13 System Architecture and Improvements JINI Prototype of Role Based Approach
Figure 3.3. University Database System Architecture
Diagram labels: Java GUI Client1; Java GUI Client2; JINI Lookup Service; Author. List Res. (copy 1); Author. List Res. (copy 2); Role-Based Privileges & Sec. Reg. (x2); CourseDB Resource (copy 1); CourseDB Resource (copy 2).
DBServer Service: GetClasses(); PreReqCourse(); GetVacantClasses(); EnrollCourse(); AddCourse(); RemoveCourse(); UpdateCourse().

14 CSE300-14 System Architecture and Improvements Security Policy and Enforcement

15 CSE300-15 System Architecture and Improvements Security System Database

16 CSE300-16 System Architecture and Improvements Leasing, Negative Privilege Enforcement

17 CSE300-17 System Architecture and Improvements New Security Model
Figure 3.7: New Architecture of Clients and Resources.
Diagram labels: Resources Provide Services; Clients Using Services; Legacy; COTS; Database (x2); Java Client; Legacy Client; Database Client; Software Agent; COTS Client; Enforcement Client; Policy Client; SECURITY SYSTEM (x2); Lookup Service (x2); General Resource.

18 CSE300-18 System Architecture and Improvements New Database Scheme

19 CSE300-19 Experimental Prototype Security Client Prototype Figure 4.1. Authentication GUI.

20 CSE300-20 Experimental Prototype Policy Client Prototype Figure 4.2. Policy Client, Role, Create Role

21 CSE300-21 Experimental Prototype Policy Client Prototype Figure 4.3. Policy Client, Role, Grant IP

22 CSE300-22 Experimental Prototype Policy Client Prototype Figure 4.4. Policy Client, Resource, Method

23 CSE300-23 Experimental Prototype Policy Client Prototype Figure 4.5. Policy Client, Resource, Resource

24 CSE300-24 Experimental Prototype Policy Client Prototype Figure 4.6. Policy Client, Resource, Add Method to Service

25 CSE300-25 Experimental Prototype Enforcement Client Prototype Figure 4.7. Enforcement Client, User, Create User

26 CSE300-26 Experimental Prototype Enforcement Client Prototype Figure 4.8. Enforcement Client, User, Grant Role

27 CSE300-27 Experimental Prototype Enforcement Client Prototype Figure 4.9. Enforcement Client, User, Negative Privileges

28 CSE300-28 Experimental Prototype Enforcement Client Prototype Figure 4.10. Enforcement Client, Token, Unregister Token

29 CSE300-29 Experimental Prototype University Database Prototype Figure 4.11. University Database, Query Database

30 CSE300-30 Experimental Prototype University Database Prototype Figure 4.12. University Database, Update Course

31 CSE300-31 Experimental Prototype University Database Prototype Figure 4.13. University Database, Register Courses

32 CSE300-32 Related Work
- Security Policy & Enforcement (OS Security)
- Security Filters and Screens
- Header Encryption
- User-level Authen.
- IP Encapsulation
- Key Mgmt. Protocols
- Browser Security
- Use of Encryption
- Access Control
- Securing Comm. Channel
- Establishing a Trusted Computer Base
- Network Services
- Kerberos and Charon
- Security: Mobile Agents
- Saga Security Architecture
- Access Tokens
- Control Vectors
- Security Monitor
- Concordia
- Storage Protection
- Transmission Protection
- Server Resource Protection
- Other Topics
- Trust Appraisal
- Metric Analysis
- Short-lived Certificates
- Seamless Object Authentication

33 CSE300-33 Conclusions
- For a Distributed Resource Environment
- Proposed & Explained a Role-Based Approach
- Presented Software Architecture Containing
- Role-Based Security Model for a Distributed Resource Environment
- Improved Prototype
- Merged Prototypes
- Improved Security Client
- Token
- Time Stamps
- Negative Privileges
- Dual Security Clients
- Achieved Platform Independence

34 CSE300-34 Future Work
- More on Negative Privileges
- Chaining of Resource Invocations
- Client Uses S1 on R1 that Calls S2 on R2
- Multiple Security Clients
- What Happens When Multiple Security Clients Attempt to Modify Privileges at Same Time?
- Security Client Hierarchy
- Testing
- Analysis Tool
- Track Chaining of Resources
- Mandatory Access Control

35 CSE300-35 Future Work
- Introduce Cryptography Technology
- Location of Client vs. Effect on Service
- What if Client is on Local Intranet?
- What if Client is on WAN?
- Are Privileges Different?
- Tracking Computation for Identification Purposes
- Currently Require Name, Role, IP Addr, Port #
- How is this Tracked when Dynamic IP Addresses are Utilized?

