210 likes | 332 Vues
Research Project. Techniques and Tools for Supporting Secure Information Sharing and Collaborative Work C. Edward Chow, PI Ganesh Godavari, GRA Department of Computer Science University of Colorado at Colorado Springs Sponsored by NISSC - AFSOR. USNORTHCOM Research Question Addressed.
E N D
Research Project Techniques and Tools for Supporting Secure Information Sharing and Collaborative Work C. Edward Chow, PIGanesh Godavari, GRADepartment of Computer ScienceUniversity of Colorado at Colorado Springs Sponsored by NISSC - AFSOR SIS/chow
Research Focus and Purpose Research Focus: Investigate Critical Techniques and Tools for Supporting Secure Information Sharing (SIS) and Collaborative Work Tasks: • Investigate efficient key and attributed certificate management for large-scale information sharing and collaborative workeasier/faster to share. • Study Infrastructure support for secure web-based collaborative applicationsfast to setup, reliable, secure • Research ubiquitous computing for sharing sensor and web informationaccess/distribute info anywhere, anytime, anyway SIS/chow
Schedule Update • Follow the same schedule. SIS/chow
Current Project Status: Task 1 Investigate efficient key and attributed certificate management for large-scale information sharing and collaborative work • Studied issues in large scale web-based secure access control using Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI). • Developed a concept prototype that demonstrate secure web access control with enhanced LDAP and Apache web servers. • Working on distributed directory server systems for supporting information sharing among multiple agencies SIS/chow
Current Project Status: Task 2 Study Infrastructure support for secure web-based collaborative applications • Explored the use of Content Delivery Network (CDN) Infrastructure to support secure web-based collaborative applications. • Idea Utilize existing CDN such as Akamai; extend existing web document caching functions to soft real-time collaborative applications (IM). • Investigating the solutions for resolving security issues between Java applets and cache servers. SIS/chow
Current Project Status: Task 3 Research ubiquitous computing for sharing sensor and web information • Keeping track of current sensor network and ubiquitous computing literature. • Investigated new MicaZ sensor based on new 802.15.4 standard. • Plan to focus on this task Spring 2005. SIS/chow
Current Funding Status • Paid for one faculty summer month salary. • Paid for two GRA summer month salary. • Paid for a Sony VGN-A170B notebook. SIS/chow
Anticipated Results • Identify issues and present solutions for creating and managing a large scale secure web-based information sharing system among multiple independent agencies Sharing results through publications. • Design prototypes for demonstrating the key concepts from the above research Sharing software developed in this project by posting on CS and NISSC web sites. SIS/chow
Preliminary Findings • Attribute certificate (RFC 328) based Privilege Management Infrastructure (PMI) make it easy to implement the secure role based access control in large scale SIS. • Web Servers can be enhanced with LDAP module to allow role-based access control. • LDAP can be extended to include attributed certificates. • LDAP can function as a central place for creating and managing the roles of users. SIS/chow
Privilege Management Infrastructure (PMI) • Privilege Management Infrastructure • Similar to Public Key Infrastructure • Function is to specify the policy for the attribute certificate issuance and management Comparison of PKIs and PMIs [2] SIS/chow
PKC vs. AC PKC binds a subject (DN) to a public key AC's binds permission (attributes) to an entity SIS/chow
Unanticipated Results • Single LDAP is easy to configure. • Ganesh had a tough time to extend LDAP to include attribute certificates to work with the current stable version of openldap 2.2-15. We use an older version 2.0.27-8 instead. • Octetstringmatch does not work in new version and the suggestions of Dr. Chadwick of Permis Group for adding new object ID type was not accepted by openldap group (wait for standard?). • But it is really a pain to configure a set of LDAP server for cooperation (delegation/trust). SIS/chow
Unanticipated ResultsPerformance Results on a single agency scenario SIS/chow
Issues and Challenges • Automated tools for setting up SIS infrastructure with LDAP/Web servers/clients from multiple agencies. • Further Investigation on Federated Identity, RBAC policy and Security Assertion Markup Language (SAML) • Study policy-based systems and policy enforcing mechanisms, e.g., Michigan’s Antigone. • It is difficult to set up secure information sharing prototype without a real CA. Need tools to speed up the creation of certificates and the installation of fake CA certificates on every client/server. SIS/chow
Needed Assistance • Large scale multiple agencies field trials to obtain real benchmarking results. • Help obtain samples of policies used in agencies, in terms of • Data sent over non-secure channels (such as Internet, wireless access) • Account creation • Certificate issuing SIS/chow
Expectations Moving Forward • Explore issues in supporting large scale notification systems. • Potential new funding…(DHS,DoD,NSF) • Submit results to conferences IDCS/USENIX. SIS/chow
SIS Testbed SIS/chow
Directory Information Tree for sis-canada dc=sis-canada, dc=edu ou=coordinationExcercise ou=Research Similar DIT is for all the servers alpha-sis-canada epsilon-sis-canada SIS/chow
Demo • alpha-sis-nissc access information from sis-connecticut.csnet.uccs.edu (level1 directory requires level1 manager role, which alpha is) • https://sis-connecticut.csnet.uccs.edu/level1/review.txt • https://sis-connecticut.csnet.uccs.edu/level1/upload.html • beta-sis-connecticut access information from sis-nissc.csnet.uccs.edu and sis-canada.csnet.uccs.edu (level2 directory requires level2 asstmanager role, which beta is) • https://sis-nissc.csnet.uccs.edu/level2/review.txt • https://sis-canada.csnet.uccs.edu/level2/review.txt • epsilon-sis-newjersey access information from sis-newjersey.csnet.uccs.edu (level3 directory requires level3 submanager role, which epsilon is) • https://sis-newjersey.csnet.uccs.edu/level3/review.txt SIS/chow