Title: Research Project
1. Research Project
- Techniques and Tools for Supporting Secure Information Sharing and Collaborative Work
- C. Edward Chow, PI
- Ganesh Godavari, GRA
- Department of Computer Science, University of Colorado at Colorado Springs
- Sponsored by NISSC - AFOSR
2. USNORTHCOM Research Question Addressed
3. Research Focus and Purpose
- Research Focus: Investigate Critical Techniques and Tools for Supporting Secure Information Sharing (SIS) and Collaborative Work
- Tasks
  - Investigate efficient key and attribute certificate management for large-scale information sharing and collaborative work → easier/faster to share.
  - Study infrastructure support for secure web-based collaborative applications → fast to set up, reliable, secure
  - Research ubiquitous computing for sharing sensor and web information → access/distribute info anywhere, anytime, anyway
4. Schedule Update
- Follow the same schedule.
5. Current Project Status: Task 1
- Investigate efficient key and attribute certificate management for large-scale information sharing and collaborative work
- Studied issues in large-scale web-based secure access control using Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI).
- Developed a concept prototype that demonstrates secure web access control with enhanced LDAP and Apache web servers.
- Working on distributed directory server systems for supporting information sharing among multiple agencies
6. Current Project Status: Task 2
- Study infrastructure support for secure web-based collaborative applications
- Explored the use of Content Delivery Network (CDN) infrastructure to support secure web-based collaborative applications.
- Idea: Utilize an existing CDN such as Akamai; extend existing web document caching functions to soft real-time collaborative applications (IM).
- Investigating solutions for resolving security issues between Java applets and cache servers.
7. Current Project Status: Task 3
- Research ubiquitous computing for sharing sensor and web information
- Keeping track of current sensor network and ubiquitous computing literature.
- Investigated the new MicaZ sensor based on the new 802.15.4 standard.
- Plan to focus on this task in Spring 2005.
8. Current Funding Status
- Paid for one faculty summer month salary.
- Paid for two GRA summer month salary.
- Paid for a Sony VGN-A170B notebook.
9. Anticipated Results
- Identify issues and present solutions for creating and managing a large-scale secure web-based information sharing system among multiple independent agencies → Sharing results through publications.
- Design prototypes for demonstrating the key concepts from the above research → Sharing software developed in this project by posting on CS and NISSC web sites.
10. Preliminary Findings
- Attribute certificate (RFC 328) based Privilege Management Infrastructure (PMI) makes it easy to implement secure role-based access control in large-scale SIS.
- Web servers can be enhanced with an LDAP module to allow role-based access control.
- LDAP can be extended to include attribute certificates.
- LDAP can function as a central place for creating and managing the roles of users.
11. Privilege Management Infrastructure (PMI)
- Privilege Management Infrastructure
- Similar to Public Key Infrastructure
- Function is to specify the policy for attribute certificate issuance and management
Comparison of PKIs and PMIs 2
12. PKC vs. AC
- PKC binds a subject (DN) to a public key
- AC binds permissions (attributes) to an entity
13. Unanticipated Results
- Single LDAP is easy to configure.
- Ganesh had a tough time extending LDAP to include attribute certificates to work with the current stable version of openldap 2.2-15. We use an older version 2.0.27-8 instead.
- Octetstringmatch does not work in the new version, and the suggestions of Dr. Chadwick of the Permis Group for adding a new object ID type were not accepted by the openldap group (wait for standard?).
- But it is really a pain to configure a set of LDAP servers for cooperation (delegation/trust).
14. Unanticipated Results: Performance Results on a single agency scenario
15. Issues and Challenges
- Automated tools for setting up SIS infrastructure with LDAP/Web servers/clients from multiple agencies.
- Further investigation of Federated Identity, RBAC policy and Security Assertion Markup Language (SAML)
- Study policy-based systems and policy-enforcing mechanisms, e.g., Michigan's Antigone.
- It is difficult to set up a secure information sharing prototype without a real CA. Need tools to speed up the creation of certificates and the installation of fake CA certificates on every client/server.
16. Needed Assistance
- Large-scale multiple-agency field trials to obtain real benchmarking results.
- Help obtain samples of policies used in agencies, in terms of
  - Data sent over non-secure channels (such as Internet, wireless access)
  - Account creation
  - Certificate issuing
17. Expectations Moving Forward
- Explore issues in supporting large-scale notification systems.
- Potential new funding (DHS, DoD, NSF)
- Submit results to conferences IDCS/USENIX.
18. SIS Testbed
19. Directory Information Tree for sis-canada
dc=sis-canada, dc=edu
ou=coordinationExcercise
ou=Research
The DIT is similar for all the servers
alpha-sis-canada
epsilon-sis-canada
20. Demo
- alpha-sis-nissc accesses information from sis-connecticut.csnet.uccs.edu (level1 directory requires level1 manager role, which alpha has)
  - https://sis-connecticut.csnet.uccs.edu/level1/review.txt
  - https://sis-connecticut.csnet.uccs.edu/level1/upload.html
- beta-sis-connecticut accesses information from sis-nissc.csnet.uccs.edu and sis-canada.csnet.uccs.edu (level2 directory requires level2 asstmanager role, which beta has)
  - https://sis-nissc.csnet.uccs.edu/level2/review.txt
  - https://sis-canada.csnet.uccs.edu/level2/review.txt
- epsilon-sis-newjersey accesses information from sis-newjersey.csnet.uccs.edu (level3 directory requires level3 submanager role, which epsilon has)
  - https://sis-newjersey.csnet.uccs.edu/level3/review.txt
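
The split described under "PKC vs. AC" and exercised in the demo can be sketched as follows. This is an added example, not the project's prototype code: the PKC proves who the client is, and a separately issued attribute certificate binds that holder to a role that the web server checks against the requested directory. Assumptions: the record layout, function names and key are hypothetical, and an HMAC stands in for the attribute authority's public-key signature on a real X.509 AC.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the attribute authority's signing key.
# Assumption: HMAC replaces the public-key signature a real AC would carry.
AA_KEY = b"constructed-demo-attribute-authority-key"

# Directory prefix -> required role, taken from the demo slide.
REQUIRED_ROLE = {
    "/level1/": "level1 manager",
    "/level2/": "level2 asstmanager",
    "/level3/": "level3 submanager",
}

def _sign(holder, role, not_before, not_after):
    body = json.dumps([holder, role, not_before, not_after]).encode()
    return hmac.new(AA_KEY, body, hashlib.sha256).hexdigest()

def issue_ac(holder, role, not_before, not_after):
    """Bind a role (attribute) to a holder for a validity window."""
    return {"holder": holder, "role": role, "not_before": not_before,
            "not_after": not_after,
            "sig": _sign(holder, role, not_before, not_after)}

def authorize(authenticated_id, ac, path, now):
    """Decide access for a client whose identity the PKC already proved.

    Timestamps are ISO 8601 UTC strings, which compare correctly as text.
    """
    expected = _sign(ac["holder"], ac["role"], ac["not_before"], ac["not_after"])
    if not hmac.compare_digest(expected, ac.get("sig", "")):
        return False, "bad signature"
    if ac["holder"] != authenticated_id:
        return False, "holder mismatch"       # AC belongs to someone else
    if not ac["not_before"] <= now <= ac["not_after"]:
        return False, "outside validity"
    for prefix, role in REQUIRED_ROLE.items():
        if path.startswith(prefix):
            ok = ac["role"] == role
            return ok, "ok" if ok else "role mismatch"
    return False, "no policy for path"        # default deny

# Constructed sample: alpha holds the level1 manager role for autumn 2004.
ALPHA_AC = issue_ac("alpha-sis-nissc", "level1 manager",
                    "2004-09-01T00:00:00Z", "2004-12-31T23:59:59Z")
NOW = "2004-10-15T12:00:00Z"
```

Because the role lives in the AC and not in the PKC, a role can be changed or allowed to expire without reissuing the holder's key pair.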