Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE300-1 Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The.

Similar presentations


Presentation on theme: "CSE300-1 Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The."— Presentation transcript:

1 CSE300-1 Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The University of Connecticut Storrs, Connecticut Security in a Distributed Resource Environment Security in a Distributed Resource Environment

2 CSE300-2 Paper Overview  1. Introduction and Motivation  2. JINI  3. System Architecture and Improvements  Merge Prototypes  Security Client Database  Dual Security Clients  Platform Independence  Leasing Enforcement  Negative Privileges  Architecture Improvements  Experimental Prototype  Related Work  Conclusions and Future Work

3 CSE300-3 Introduction and Motivation Research Goals  Incorporation of Role-Based Approach within Distributed Resource Environment  Make Distributed Applications Available Using Middleware Tools  Propose Software Architecture and Role-Based Security Model for  Authorization of Clients Based on Role  Authentication of Clients and Resources  Enforcement so Clients Only Use Authorized Services (of Resource)

4 CSE300-4 Introduction and Motivation Approach  Many Middleware Lookup Services  Successfully Dictates Service Utilization  Requires Programmatic Solution for Security  Does Not Selectively and Dynamically Control Access Based on Client Role  Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role  Our Approach  Define Dedicated Resource to Authorize, Authenticate, and Enforce Security Policy based on Role of Client

5 CSE300-5 Introduction and Motivation Initial Architecture Resources Provide ServicesClients Using Services Figure 1.1: General Architecture of Clients and Resources. Role-Based Privileges Authorization List Security Registration Legacy COTS Database Lookup Service Lookup Service Java Client Java Client Legacy Client Database Client Software Agent COTS Client

6 CSE300-6 Introduction and Motivation Initial Prototypes  JINI Prototype of Role Based Approach  University Database (UDB)  Initial GUI for Sign In (Authorization List)  Student/faculty GUI Client (Coursedb)  Access to Methods Limited Based on Role (Ex: Only Student Can Enroll in a Course)  Security Client Prototype  Generic Tool  Uses Three Resources and Their Services  Role-Based Privileges  Authorization-List  Security Registration

7 CSE300-7 Introduction and Motivation Security System Resources and Services  Role-Based Privileges Resource  Define User-role  Grant/Revoke Access of Role to Resource  Register Services  Authorization List Resource  Maintains Client Profile (Many Client Types)  Client Profile and Authorize Role Services  Security Registration Resource  Register Client Service  Identity Registration at Startup  Uses IP Address  Services of Resource  Functionally Separated and Organized  Resemble Method Definitions (OO)

8 CSE300-8 Introduction and Motivation Initial Security Client and Resource Interactions Figure 1.2. Security Client and Database Resource Interactions. Role-Based Privileges Authorization List Security Registration Lookup Service Security Client Find_Client(C_Id, IP_Addr); Find_All_Active_Clients(); Discover Service Return Proxy General Resource Grant_UR_Client(UR_Id, C_Id); Revoke_UR_Client(UR, C_Id); Find_AllUR_Client(C_Id); Find_All_Clients_UR(UR); Create_New_Role(UR_Name, UR_Disc, UR_Id); Delete_Role(UR_Id); Find_UR_Name(UR_Name); Find_UR_Id(UR_Id); Grant_Resource(UR_Id, R_Id); Grant_Service(UR_Id, R_Id, S_Id); Grant_Method(UR_Id, R_Id, S_Id, M_Id); Revoke_Resource(UR, R_Id); Revoke_Service(UR, R_Id, S_Id); Revoke_Method(UR, R_Id, S_Id, M_Id); Find_AllUR_Resource(UR,R_Id); Find_AllUR_Service(UR,R_Id,S_Id); Find_AllUR_Method(UR,R_Id,S_Id,M_Id); Find_UR_Privileges(UR); Register_Resource(R_Id); Register_Service(R_Id, S_Id); Register_Method(R_Id, S_Id, M_Id); UnRegister_Resource(R_Id); UnRegister_Service(R_Id, S_Id); UnRegister_Method(R_Id, S_Id, M_Id); Create_New_Client(C_Id); Delete_Client(C_Id); Find_Client(C_Id); Find_All_Clients();

9 CSE Check_Privileges(UR,R_Id,S_Id,M_Id); Introduction and Motivation Client Interactions and Processing Database Resource Figure 3.1: Client Interactions and Service Invocations. Role-Based Privileges Authorization List Security Registration Lookup Service GUI Client 1. Register_Client(C_Id, IP_Addr,UR); 2. Verify_UR_Client(UR,C_Id); Discover Service Return Proxy 3. Client OK? 4. Registration OK? 5. ModifyAttr(C_ID,UR,Value) 6.IsClient_Registered(C_ID) 7. Registration OK? 9. Privileges OK? 10. Modification OK?

10 CSE Introduction and Motivation Objectives  Merge Prototypes  Implement Different DBMS  Use Multiple Different Computing Platforms  Establish Dual Security Clients  Leasing Enforcement  Implement Negative Privilege Policy  Improve Architecture

11 CSE JINI Lookup Service, Client and Resource Interactions

12 CSE System Architecture and Improvements Merge Prototypes

13 CSE System Architecture and Improvements JINI Prototype of Role Based Approach Figure 3.3. University Database System Architecture Java GUI Client1 JINI Lookup Service Author. List Res. (copy 2) Author. List Res. (copy 1) Role-Based Privileges & Sec. Reg. Java GUI Client2 CourseDB Resource (copy 1) CourseDB Resource (copy 2) Role-Based Privileges & Sec. Reg. DBServer Service GetClasses(); PreReqCourse(); GetVacantClasses(); EnrollCourse(); AddCourse(); RemoveCourse(); UpdateCourse().

14 CSE System Architecture and Improvements Security Policy and Enforcement

15 CSE System Architecture and Improvements Security System Database

16 CSE System Architecture and Improvements Leasing, Negative Privilege Enforcement

17 CSE Legacy COTS Database Resources Provide Services Java Client Legacy Client Database Client Clients Using Services Figure 3.7: New Architecture of Clients and Resources. Enforcement Client SECURITY SYSTEM Policy Client Database Lookup Service Software Agent COTS Client Lookup Service SECURITY SYSTEM General Resource System Architecture and Improvements New Security Model

18 CSE System Architecture and Improvements New Database Scheme

19 CSE Experimental Prototype Security Client Prototype Figure 4.1. Authentication GUI.

20 CSE Experimental Prototype Policy Client Prototype Figure 4.2. Policy Client, Role, Create Role

21 CSE Experimental Prototype Policy Client Prototype Figure 4.3. Policy Client, Role, Grant IP

22 CSE Experimental Prototype Policy Client Prototype Figure 4.4. Policy Client, Resource, Method

23 CSE Experimental Prototype Policy Client Prototype Figure 4.5. Policy Client, Resource, Resource

24 CSE Experimental Prototype Policy Client Prototype Figure 4.6. Policy Client, Resource, Add Method to Service

25 CSE Experimental Prototype Enforcement Client Prototype Figure 4.7. Enforcement Client, User, Create User

26 CSE Experimental Prototype Enforcement Client Prototype Figure 4.8. Enforcement Client, User, Grant Role

27 CSE Experimental Prototype Enforcement Client Prototype Figure 4.9. Enforcement Client, User, Negative Privileges

28 CSE Experimental Prototype Enforcement Client Prototype Figure Enforcement Client, Token, Unregister Token

29 CSE Experimental Prototype University Database Prototype Figure University Database, Query Database

30 CSE Experimental Prototype University Database Prototype Figure University Database, Update Course

31 CSE Experimental Prototype University Database Prototype Figure University Database, Register Courses

32 CSE Related Work  Security Policy & Enforcement (OS Security)  Security Filters and Screens  Header Encryption  User-level Authen.  IP Encapsulation  Key Mgmt. Protocols  Browser Security  Use of Encryption  Access Control  Securing Comm. Channel  Establishing a Trusted Computer Base  Network Services  Kerberos and Charon  Security: Mobile Agents  Saga Security Architecture  Access Tokens  Control Vectors  Security Monitor  Concordia  Storage Protection  Transmission Protection  Server Resource Protection  Other Topics  Trust Appraisal  Metric Analysis  Short-lived Certificates  Seamless Object Authentication

33 CSE300-33Conclusions  For a Distributed Resource Environment  Proposed & Explained a Role-Based Approach  Presented Software Architecture Containing  Role-Based Security Model for a Distributed Resource Environment  Improved Prototype  Merged Prototypes  Improved Security Client  Token  Time Stamps  Negative Privileges  Dual Security Clients  Achieved Platform Independence

34 CSE Future Work  More on Negative Privileges  Chaining of Resource Invocations  Client Uses S1 on R1 that Calls S2 on R2  Multiple Security Clients  What Happens When Multiple Security Clients Attempt to Modify Privileges at Same Time?  Security Client Hierarchy  Testing  Analysis Tool  Track Chaining of resources  Mandatory Access Control

35 CSE Future Work  Introduce Cryptography Technology  Location of Client vs. Affect on Service  What if Client in on Local Intranet?  What if Client is on WAN?  Are Privileges Different?  Tracking Computation for Identification Purposes  Currently Require Name, Role, IP Addr, Port #  How is this Tracked when Dynamic IP Addresses are Utilized?


Download ppt "CSE300-1 Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The."

Similar presentations


Ads by Google