Vigil : Enforcing Security in Ubiquitous Environments. Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin. Presented by : Amit Choudhri.


1 Vigil : Enforcing Security in Ubiquitous Environments
Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin
Presented by : Amit Choudhri
CMSC 628 Spring 2002 UMBC

2 Introduction
- Focal point of paper : ubiquitous / pervasive computing, i.e. access to services and information ANYWHERE and EVERYWHERE
- Existing technologies for security in such environments :
  - Simple Public Key Infrastructure ( SPKI )
  - Role Based Access Control ( RBAC )

3
- Vigil complements these with "distributed trust management"
- Vigil is applied to Smart Spaces
- Smart Space : provides services and resources accessible by short-range wireless communication.

4
- Vigil uses the Centaurus model for the SmartSpace architecture.
- Centaurus SM proxies for clients
- Vigil infrastructure :
  - reduce load on mobile devices
  - media independent
  - provides services and information

5 Security Challenges
- Cannot provide unique user id and login for everyone → not scalable.
- Cannot have a central authority per space.
- No access control information available when new users are authenticated.
- Heterogeneity of environments and inconsistent interpretations of policy.

6 Architecture
- Clients can move, attach, detach and re-attach at any point in the framework.
- Vigil uses "trust management"
  - Establishing trust relationships
  - NOT quantifying trust
- Similar to RBAC
- Access rights are computed from its properties !

7 Components
Vigil has 6 components :
- Service Broker
- Communication Manager
- Certificate Controller
- Security Agent
- Role Assignment Manager
- Clients ( users & services )

9 Service Broker
The Service Broker is responsible for :
- processing Client Registration/De-Registration requests
- responding to registered Client requests for a listing of available services
- brokering Subscribe/Un-Subscribe and Command requests from users to services
- sending service updates to all subscribed users

10
- Service brokers in different spaces form a tree hierarchy → core of the Vigil system
- Identified by their handles, i.e. position in the hierarchy
- Trust between clients is transitive through the Service Brokers

11 Client
- All users and services are clients
- Clients register with a Service Broker in a space.
- Digital certificate and Showall flag sent during registration
- Clients can request services from brokers and other clients, via service brokers.

12 Certificate Controller
- Generates X.509 version 3 digital certificates for system entities
- Verifies certificates presented by entities
- These certificates are stored on the client's smartcard
- Verification is based on a list of trusted CAs and a set of verification rules and policies.

13 Role Assignment Manager
- Assigns roles to entities in a space
- Maintains an Access Control List ( ACL )
- Uses rules from the security policy to assign roles.
- Allows multiple roles for an entity and dynamic updating of roles.

14 Security Agent
- Maintains "distributed trust" in the system.
- Policy has rules for :
  - Role assignment
  - Access control
  - Delegation
  - Revocation
- Policies
  - Global : organization level
  - Local : space level

15
- Policy has
  - Permissions
  - Prohibitions → negative access rights
- Knowledge base is created using Prolog
- All queries are converted to Prolog
- More complex than RBAC or ACL because access rights can be delegated.
- Delegations are not random → from authorized entity to authorized entities, follow policy.

16 Service Access
- On registration, the user gets an interface to all accessible services.
- Services that have their ShowAll flag set are also displayed → the user cannot access them, but can request access to them.
- The user can get a list of services from its Service Broker.
- The Service Broker grants access after checking the client's role and querying the Security Agent for the user's rights.
- If the request is valid, it forwards the request to the service.

17 Delegation
- User can see services, but cannot use them → Showall flag
- User can request another user or service to delegate it the required access rights.
- To request delegation, the user sends a request with its digital certificate
- If rights are delegated, the Security Agent is informed

18
- Delegated rights are valid only for a specific time.
- Delegated rights can be re-delegated if allowed
- When time expires → renew rights again
- Delegating user can revoke delegated rights by informing the Security Agent.
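The access check and delegation rules from the Service Access and Delegation slides, as an added Python model; it is not code from the paper or from Vigil, whose Security Agent reasons in Prolog. The class layout, the method names, the rule that prohibitions take precedence over permissions, and the rule that a role holder may always delegate are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Delegation:
    grantor: str
    grantee: str
    right: str
    expires: float             # delegated rights are valid only for a specific time
    redelegable: bool = False  # may the grantee pass the right on?
    revoked: bool = False

class SecurityAgent:
    """Toy stand-in for the Security Agent's knowledge base (assumed structure)."""
    def __init__(self, role_rights, roles, prohibitions=()):
        self.role_rights = role_rights         # role -> set of rights
        self.roles = roles                     # entity -> set of roles
        self.prohibitions = set(prohibitions)  # (entity, right) negative rights
        self.delegations = []

    def _holds(self, entity, right, now, to_delegate=False, seen=()):
        """True if entity holds right at time now (and may pass it on, if asked)."""
        if entity in seen or (entity, right) in self.prohibitions:
            return False  # cycle guard; prohibitions win (assumed precedence)
        if any(right in self.role_rights.get(r, ()) for r in self.roles.get(entity, ())):
            return True   # assumed: a role holder may always delegate
        # A delegation counts only while its grantor still holds the right with
        # authority to delegate, so expiry and revocation cascade down the chain.
        return any(d.grantee == entity and d.right == right and not d.revoked
                   and now < d.expires and (d.redelegable or not to_delegate)
                   and self._holds(d.grantor, right, now, True, seen + (entity,))
                   for d in self.delegations)

    def has_right(self, entity, right, now):
        return self._holds(entity, right, now)

    def delegate(self, grantor, grantee, right, now, ttl, redelegable=False):
        if not self._holds(grantor, right, now, to_delegate=True):
            return None  # only an authorized entity may delegate
        d = Delegation(grantor, grantee, right, now + ttl, redelegable)
        self.delegations.append(d)
        return d

    def revoke(self, grantor, delegation):
        if delegation.grantor != grantor:
            return False  # only the delegating user can revoke
        delegation.revoked = True
        return True
```

A Service Broker in this model would call `has_right` before forwarding a request. Because each check re-walks the chain back to a role holder, a re-delegated right disappears as soon as any delegation above it expires or is revoked.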

19 Terms
Role Based Access Control ( RBAC ) :
- Rights are associated with pre-defined roles, and not with users.
- Roles can change in different environments, while user remains the same → context-dependent semantics !
- Rules for assigning roles are the main access control mechanism
- Dynamic creation of roles is possible, based on inferences
- Drawback : dynamic delegation of rights not possible

20
Public Key Infrastructure (PKI)
- PKI uses on-line repository for certificates
- PKI provides on-line Certificate Revocation List (CRL)
- PKI imposes a high overhead and increased traffic.
Simplified Public Key Infrastructure (SPKI)
- Entities send their certificate to SA
- SA sends back its own certificate to entity
- Certificates verified using certificate controller
- Certificate has list of CAs and rules for verification
- All entities can communicate by attaching their certificates to initial message.

21 Implementation
- Security Agent uses Prolog for reasoning
- Java was the development platform
- The Centaurus framework, which Vigil uses, uses Centaurus Capability ML (CCML)
- CCML is used as data exchange format between service requester and provider

22 Related Research
- Unisys Corporation / Orange experimental house ( Hertford, England )
- UC Berkeley's Ninja Project
- Uwash's Portolano project
- Stanford's Interactive Workspaces Project

23 Further Work
- Implementing distributed belief based on gossip for the SA
- Using RDF or DAML instead of Prolog for encoding the trust information

