Research Project: Techniques and Tools for Supporting Secure Information Sharing and Collaborative Work

C. Edward Chow, PI
Ganesh Godavari, GRA

Department of Computer Science, University of Colorado at Colorado Springs

Sponsored by NISSC - AFSOR

9/23/2004



USNORTHCOM Research Question Addressed


Research Focus and Purpose

Research Focus: Investigate Critical Techniques and Tools for Supporting Secure Information Sharing (SIS) and Collaborative Work

Tasks:

• Investigate efficient key and attribute certificate management for large-scale information sharing and collaborative work: easier/faster to share.

• Study infrastructure support for secure web-based collaborative applications: fast to set up, reliable, secure.

• Research ubiquitous computing for sharing sensor and web information: access/distribute info anywhere, anytime, anyway.


Schedule Update

• Follow the same schedule.


Current Project Status: Task 1

Investigate efficient key and attribute certificate management for large-scale information sharing and collaborative work

• Studied issues in large-scale web-based secure access control using Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI).

• Developed a concept prototype that demonstrates secure web access control with enhanced LDAP and Apache web servers.

• Working on distributed directory server systems for supporting information sharing among multiple agencies


Current Project Status: Task 2

Study Infrastructure support for secure web-based collaborative applications

• Explored the use of Content Delivery Network (CDN) Infrastructure to support secure web-based collaborative applications.

• Idea: utilize an existing CDN such as Akamai; extend existing web document caching functions to soft real-time collaborative applications (IM).

• Investigating the solutions for resolving security issues between Java applets and cache servers.


Current Project Status: Task 3

Research ubiquitous computing for sharing sensor and web information

• Keeping track of current sensor network and ubiquitous computing literature.

• Investigated the new MicaZ sensor based on the new 802.15.4 standard.

• Plan to focus on this task in Spring 2005.


Current Funding Status

• Paid for one faculty summer month salary.

• Paid for two GRA summer month salary.

• Paid for a Sony VGN-A170B notebook.


Anticipated Results

• Identify issues and present solutions for creating and managing a large-scale secure web-based information sharing system among multiple independent agencies. Sharing results through publications.

• Design prototypes for demonstrating the key concepts from the above research. Sharing software developed in this project by posting on CS and NISSC web sites.


Preliminary Findings

• Attribute certificate (RFC 328) based Privilege Management Infrastructure (PMI) makes it easy to implement secure role-based access control in large-scale SIS.

• Web servers can be enhanced with an LDAP module to allow role-based access control.

• LDAP can be extended to include attribute certificates.

• LDAP can function as a central place for creating and managing the roles of users.


Privilege Management Infrastructure (PMI)

• Privilege Management Infrastructure

  – Similar to Public Key Infrastructure

  – Function is to specify the policy for attribute certificate issuance and management

| Concept | PKI entity | PMI entity |
|---|---|---|
| Certificate | Public Key Certificate (PKC) | Attribute Certificate (AC) |
| Certificate issuer | Certification Authority (CA) | Attribute Authority (AA) |
| Certificate user | Subject | Holder |
| Certificate binding | Subject’s Name to Public Key | Holder’s Name to Privilege Attribute(s) |
| Revocation | Certificate Revocation List (CRL) | Attribute Certificate Revocation List (ACRL) |
| Root of trust | Root CA or Trust Anchor | Source of Authority (SOA) |
| Subordinate Authority | Subordinate Certification Authority | Attribute Authority (AA) |

Comparison of PKIs and PMIs [2]


PKC vs. AC

A PKC binds a subject (DN) to a public key.

An AC binds permissions (attributes) to an entity.


Unanticipated Results

• Single LDAP is easy to configure.

• Ganesh had a tough time extending LDAP to include attribute certificates so that it works with the current stable version of OpenLDAP, 2.2-15. We use an older version, 2.0.27-8, instead.

• octetStringMatch does not work in the new version, and the suggestions of Dr. Chadwick of the PERMIS group for adding a new object ID type were not accepted by the OpenLDAP group (wait for standard?).

• But it is really a pain to configure a set of LDAP servers for cooperation (delegation/trust).


Unanticipated Results

Performance results on a single-agency scenario

| Run | Total time taken for LDAP access (ms) | Total time taken for attribute certificate retrieval and validation (ms) |
|---|---|---|
| 1 | 13.871 | 43.850001 |
| 2 | 13.778 | 43.734001 |
| 3 | 13.912 | 43.720021 |
| Avg. | 13.853667 | 43.76800767 |


Issues and Challenges

• Automated tools for setting up SIS infrastructure with LDAP/Web servers/clients from multiple agencies.

• Further investigation of Federated Identity, RBAC policy and Security Assertion Markup Language (SAML).

• Study policy-based systems and policy enforcing mechanisms, e.g., Michigan’s Antigone.

• It is difficult to set up a secure information sharing prototype without a real CA. Need tools to speed up the creation of certificates and the installation of fake CA certificates on every client/server.


Needed Assistance

• Large scale multiple agencies field trials to obtain real benchmarking results.

• Help obtain samples of policies used in agencies, in terms of

  – Data sent over non-secure channels (such as Internet, wireless access)

  – Account creation

  – Certificate issuing


Expectations Moving Forward

• Explore issues in supporting large scale notification systems.

• Potential new funding…(DHS,DoD,NSF)

• Submit results to conferences IDCS/USENIX.


SIS Testbed

[Figure: clients alpha-sis-connecticut and alpha-sis-nissc (PKC), a web server, and LDAP servers sis-nissc.csnet.uccs.edu, sis-connecticut.csnet.uccs.edu, sis-canada.csnet.uccs.edu and sis-newjersy.csnet.uccs.edu, connected over the Internet.]


Directory Information Tree for sis-canada

[Figure: DIT rooted at dc=sis-canada, dc=edu, with ou=coordinationExcercise and ou=Research and the entries alpha-sis-canada and epsilon-sis-canada.]

The DIT is similar for all the servers.


Demo

• alpha-sis-nissc accesses information from sis-connecticut.csnet.uccs.edu (the level1 directory requires the level1 manager role, which alpha has)

  – https://sis-connecticut.csnet.uccs.edu/level1/review.txt

  – https://sis-connecticut.csnet.uccs.edu/level1/upload.html

• beta-sis-connecticut accesses information from sis-nissc.csnet.uccs.edu and sis-canada.csnet.uccs.edu (the level2 directory requires the level2 asstmanager role, which beta has)

  – https://sis-nissc.csnet.uccs.edu/level2/review.txt

  – https://sis-canada.csnet.uccs.edu/level2/review.txt

• epsilon-sis-newjersey accesses information from sis-newjersey.csnet.uccs.edu (the level3 directory requires the level3 submanager role, which epsilon has)

  – https://sis-newjersey.csnet.uccs.edu/level3/review.txt
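
The access rule in the demo, combined with the PKC/AC split from the "PKC vs. AC" slide, as an added Python example (not the project's prototype code): the subject is authenticated by its PKC, then the AC's issuer, signature, holder binding, validity period and ACRL status are checked before the role is matched against the requested directory. The DNs, key and dates are constructed, HMAC stands in for the AA's public-key signature, and `path` is assumed to be already normalized by the web server.

```python
import hashlib, hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Policy from the demo slide: directory prefix -> role the AC must carry.
REQUIRED_ROLE = {"/level1/": "manager", "/level2/": "asstmanager", "/level3/": "submanager"}

@dataclass(frozen=True)
class AttributeCert:
    holder: str            # DN taken from the holder's PKC subject
    issuer: str            # DN of the issuing Attribute Authority (AA)
    serial: int
    role: str              # privilege attribute bound to the holder
    not_before: datetime
    not_after: datetime
    signature: bytes = b""

    def tbs(self) -> bytes:  # "to be signed" fields; the signature is excluded
        return repr((self.holder, self.issuer, self.serial, self.role,
                     self.not_before.isoformat(), self.not_after.isoformat())).encode()

def issue(ac, aa_key):
    # Stand-in: HMAC-SHA256 replaces the AA's public-key signature (stdlib only).
    return replace(ac, signature=hmac.new(aa_key, ac.tbs(), hashlib.sha256).digest())

def authorize(pkc_subject, ac, path, trusted_aas, acrl, now):
    """Decide access for a subject that was already authenticated by its PKC."""
    key = trusted_aas.get(ac.issuer)
    if key is None:
        return False, "untrusted issuer"
    if not hmac.compare_digest(issue(ac, key).signature, ac.signature):
        return False, "bad signature"
    if ac.holder != pkc_subject:
        return False, "holder mismatch"
    if not ac.not_before <= now <= ac.not_after:
        return False, "expired or not yet valid"
    if (ac.issuer, ac.serial) in acrl:
        return False, "revoked"
    needed = next((r for p, r in REQUIRED_ROLE.items() if path.startswith(p)), None)
    if needed is None or ac.role != needed:
        return False, "role not permitted"   # unknown paths are denied by default
    return True, "ok"

# Constructed sample data (DNs, key and dates are illustrative only).
NOW = datetime(2004, 9, 23, tzinfo=timezone.utc)
AA, AAS = "cn=AA,dc=sis-nissc,dc=edu", {"cn=AA,dc=sis-nissc,dc=edu": b"constructed-demo-key"}
ALPHA = "cn=alpha-sis-nissc,ou=Research,dc=sis-nissc,dc=edu"
ALPHA_AC = issue(AttributeCert(ALPHA, AA, 1, "manager", NOW - timedelta(days=1),
                               NOW + timedelta(days=30)), AAS[AA])
```

Changing the role inside an issued AC invalidates its signature, so a holder cannot promote itself from one level to another without the AA.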