Research Project - PowerPoint PPT Presentation

About This Presentation
Title:

Research Project

Description:

Research ubiquitous computing for sharing sensor and web information ... such as Akamai; extend existing web document caching functions to soft real-time ... – PowerPoint PPT presentation

Slides: 21
Provided by: Chow9
Learn more at: http://cs.uccs.edu

Transcript and Presenter's Notes

Title: Research Project


1
Research Project
  • Techniques and Tools for Supporting Secure
    Information Sharing and Collaborative Work
  • C. Edward Chow, PI; Ganesh Godavari, GRA;
    Department of Computer Science, University of
    Colorado at Colorado Springs
  • Sponsored by NISSC - AFSOR

2
USNORTHCOM Research Question Addressed
3
Research Focus and Purpose
  • Research Focus: Investigate Critical Techniques
    and Tools for Supporting Secure Information
    Sharing (SIS) and Collaborative Work
  • Tasks
  • Investigate efficient key and attribute
    certificate management for large-scale
    information sharing and collaborative
    work → easier/faster to share.
  • Study infrastructure support for secure web-based
    collaborative applications → fast to set up,
    reliable, secure
  • Research ubiquitous computing for sharing sensor
    and web information → access/distribute info
    anywhere, anytime, anyway

4
Schedule Update
  • Follow the same schedule.

5
Current Project Status: Task 1
  • Investigate efficient key and attribute
    certificate management for large-scale
    information sharing and collaborative work
  • Studied issues in large-scale web-based secure
    access control using Public Key Infrastructure
    (PKI) and Privilege Management Infrastructure
    (PMI).
  • Developed a concept prototype that demonstrates
    secure web access control with enhanced LDAP and
    Apache web servers.
  • Working on distributed directory server systems
    for supporting information sharing among multiple
    agencies

6
Current Project Status: Task 2
  • Study infrastructure support for secure web-based
    collaborative applications
  • Explored the use of Content Delivery Network
    (CDN) infrastructure to support secure web-based
    collaborative applications.
  • Idea: Utilize an existing CDN such as Akamai;
    extend existing web document caching functions to
    soft real-time collaborative applications (IM).
  • Investigating solutions for resolving
    security issues between Java applets and cache
    servers.

7
Current Project Status: Task 3
  • Research ubiquitous computing for sharing sensor
    and web information
  • Keeping track of current sensor network and
    ubiquitous computing literature.
  • Investigated the new MicaZ sensor based on the new
    802.15.4 standard.
  • Plan to focus on this task in Spring 2005.

8
Current Funding Status
  • Paid for one faculty summer month salary.
  • Paid for two GRA summer month salary.
  • Paid for a Sony VGN-A170B notebook.

9
Anticipated Results
  • Identify issues and present solutions for
    creating and managing a large-scale secure
    web-based information sharing system among
    multiple independent agencies → Sharing results
    through publications.
  • Design prototypes for demonstrating the key
    concepts from the above research → Sharing
    software developed in this project by posting on
    CS and NISSC web sites.

10
Preliminary Findings
  • Attribute certificate (RFC 328) based Privilege
    Management Infrastructure (PMI) makes it easy to
    implement secure role-based access control
    in large-scale SIS.
  • Web servers can be enhanced with an LDAP module to
    allow role-based access control.
  • LDAP can be extended to include attribute
    certificates.
  • LDAP can function as a central place for creating
    and managing the roles of users.

11
Privilege Management Infrastructure (PMI)
  • Privilege Management Infrastructure
  • Similar to Public Key Infrastructure
  • Function is to specify the policy for the
    attribute certificate issuance and management

Comparison of PKIs and PMIs 2
12
PKC vs. AC
A PKC binds a subject (DN) to a public key; an AC
binds permissions (attributes) to an entity.
13
Unanticipated Results
  • A single LDAP server is easy to configure.
  • Ganesh had a tough time extending LDAP to include
    attribute certificates that work with the current
    stable version of openldap 2.2-15. We use an
    older version, 2.0.27-8, instead.
  • Octetstringmatch does not work in the new version, and
    the suggestion of Dr. Chadwick of the Permis Group
    for adding a new object ID type was not accepted by
    the openldap group (wait for standard?).
  • But it is really a pain to configure a set of
    LDAP servers for cooperation (delegation/trust).

14
Unanticipated Results: Performance Results on a
Single-Agency Scenario
15
Issues and Challenges
  • Automated tools for setting up SIS infrastructure
    with LDAP/Web servers/clients from multiple
    agencies.
  • Further investigation of Federated Identity, RBAC
    policy and Security Assertion Markup Language
    (SAML)
  • Study policy-based systems and policy-enforcing
    mechanisms, e.g., Michigan's Antigone.
  • It is difficult to set up a secure information
    sharing prototype without a real CA. Need tools
    to speed up the creation of certificates and the
    installation of fake CA certificates on every
    client/server.

16
Needed Assistance
  • Large-scale multiple-agency field trials to
    obtain real benchmarking results.
  • Help obtain samples of policies used in agencies,
    in terms of
      • Data sent over non-secure channels (such as
        Internet, wireless access)
      • Account creation
      • Certificate issuing

17
Expectations Moving Forward
  • Explore issues in supporting large-scale
    notification systems.
  • Potential new funding (DHS, DoD, NSF)
  • Submit results to conferences: IDCS/USENIX.

18
SIS Testbed
19
Directory Information Tree for sis-canada
dc=sis-canada, dc=edu
ou=coordinationExcercise
ou=Research
A similar DIT is used for all the servers
alpha-sis-canada
epsilon-sis-canada
20
Demo
  • alpha-sis-nissc accesses information from
    sis-connecticut.csnet.uccs.edu (level1 directory
    requires level1 manager role, which alpha is)
  • https://sis-connecticut.csnet.uccs.edu/level1/review.txt
  • https://sis-connecticut.csnet.uccs.edu/level1/upload.html
  • beta-sis-connecticut accesses information from
    sis-nissc.csnet.uccs.edu and
    sis-canada.csnet.uccs.edu (level2 directory requires
    level2 asstmanager role, which beta is)
  • https://sis-nissc.csnet.uccs.edu/level2/review.txt
  • https://sis-canada.csnet.uccs.edu/level2/review.txt
  • epsilon-sis-newjersey accesses information from
    sis-newjersey.csnet.uccs.edu (level3 directory
    requires level3 submanager role, which epsilon
    is)
  • https://sis-newjersey.csnet.uccs.edu/level3/review.txt
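
The access rule shown in the demo, combined with the PKC/AC split from the earlier slide, can be sketched as follows. This is an added example, not the project's prototype code: it models an attribute certificate as a plain record whose signature is assumed to be already verified, and the DNs, attribute authority name, dates and the `authorize` helper are hypothetical.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AttributeCertificate:      # simplified model; signature assumed already verified
    holder_dn: str               # entity the privileges are bound to
    issuer: str                  # attribute authority (AA) that issued the AC
    roles: frozenset
    not_before: datetime
    not_after: datetime

# Directory -> required role, as listed on the demo slide.
REQUIRED_ROLE = {"level1": "level1 manager",
                 "level2": "level2 asstmanager",
                 "level3": "level3 submanager"}

def norm_dn(dn):
    """Simplified DN comparison form: trim each RDN and ignore case."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def authorize(pkc_subject_dn, url_path, acs, trusted_aas, now):
    """pkc_subject_dn: DN taken from the client PKC after TLS authentication."""
    # Normalise first so "/level1/../level2/x" is judged as "/level2/x".
    top = posixpath.normpath("/" + url_path).lstrip("/").split("/", 1)[0]
    required = REQUIRED_ROLE.get(top)
    if required is None:
        return False, "no policy for path (default deny)"
    for ac in acs:
        if norm_dn(ac.holder_dn) != norm_dn(pkc_subject_dn):
            continue                      # AC is bound to a different identity
        if ac.issuer not in trusted_aas:
            continue                      # not issued by a trusted AA
        if not ac.not_before <= now <= ac.not_after:
            continue                      # expired or not yet valid
        if required in ac.roles:
            return True, "granted: " + required
    return False, "no valid AC grants " + required

# Constructed sample data (DNs, AA name and dates are hypothetical).
NOW = datetime(2005, 1, 15, tzinfo=timezone.utc)
AA = "cn=SIS Attribute Authority,dc=example"
ALPHA = "cn=alpha,dc=sis-nissc,dc=edu"
ALPHA_AC = AttributeCertificate(ALPHA, AA, frozenset({"level1 manager"}),
                                datetime(2004, 9, 1, tzinfo=timezone.utc),
                                datetime(2005, 9, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for path in ("/level1/review.txt", "/level2/review.txt",
                 "/level1/../level2/review.txt"):
        print(path, authorize(ALPHA, path, [ALPHA_AC], {AA}, NOW))
```

The identity comes only from the PKC and the privilege only from the AC, so a role can be revoked or reissued without touching the user's key pair.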