Results 1 - 6 of 6
The architecture and performance of security protocols in the ensemble group communication system
- ACM Transactions on Information and System Security, 2001
Cited by 30 (1 self)
Ensemble is a Group Communication System built at Cornell and the Hebrew universities. It allows processes to create process groups within which scalable reliable FIFO-ordered multicast and point-to-point communication are supported. The system also supports other communication properties, such as causal and total multicast ordering, flow control, etc. This paper describes the security protocols and infrastructure of Ensemble. Applications using Ensemble with the extensions described here benefit from strong security properties. Under the assumption that trusted processes will not be corrupted, all communication is secured from tampering by outsiders. Our work extends previous work performed in the Horus system (Ensemble’s predecessor) by adding support for multiple partitions, efficient rekeying, and application-defined security policies. Unlike Horus, which used its own security infrastructure with non-standard key distribution and timing services, Ensemble’s security mechanism is based on off-the-shelf authentication systems, such as PGP and Kerberos. We extend previous results on group rekeying, with a novel protocol that makes use of diamond-like data structures. Our Diamond protocol allows the removal of untrusted members within milliseconds.
Using AVL Trees for Fault Tolerant Group Key Management
- International Journal on Information Security, 2000
Cited by 19 (0 self)
In this paper we describe an efficient algorithm for the management of group-keys for Group Communication Systems. Our algorithm is based on the notion of key-graphs, previously used for managing keys in large IP-multicast groups. The standard protocol requires a centralized key-server that has knowledge of the full key-graph. Our protocol does not delegate this role to any one process. Rather, members enlist in a collaborative effort to create the group key-graph. The key-graph contains n keys, of which each member learns log₂ n. We show how to balance the key-graph, a result that is applicable to the centralized protocol. We also show how to optimize our distributed protocol and provide a performance study of its capabilities.
Lightweight Failure Detection in Secure Group Communication
- 2000
Cited by 3 (2 self)
The secure and efficient detection of process failures is an essential requirement of many distributed systems. In this paper, we present the design and analysis of a mechanism used for the detection of member failures in secure groups. Based on one-time passwords, our solution does not obviate the need for periodic statements from group members, but significantly reduces the cost of their generation and validation. A study comparing the costs of traditional mechanisms with our proposed approach is presented. Results of the study indicate the average case performance of the proposed scheme is ¤¦¥§¤©¨���� of traditional failure detection in trusted groups, and negligible in the untrusted groups. A discussion of security and performance tradeoffs made through mechanism policy is provided.
Using Redundancy to Increase Survivability
- In Proc. Third Information Survivability Workshop (ISW-2000), 2000
Cited by 1 (0 self)
This paper focuses on two key requirements for using redundancy to improve survivability: the development of appropriate techniques and the availability of suitable system support. We begin by discussing some specific redundancy techniques for both communication security and other security services, and then turn to the issue of system support. As an example of a system that has the necessary characteristics, we give an overview of Cactus, a system for building modular and configurable protocols and services, and SecComm, a highly configurable secure communication service implemented using Cactus. Other important aspects of the problem, such as quantifying levels of survivability, remain as future work.
The Cactus Approach to Building Configurable Middleware Services
- In Proceedings of the Workshop on Dependable System Middleware and Group Communication (DSMGC 2000), 2000
Introduction A number of fundamental abstractions and supporting software mechanisms have been developed for simplifying the problems associated with programming highly dependable distributed systems. For example, transactions provide all or nothing execution despite failures, while ordered atomic multicast supports the replicated state machine approach to fault tolerance by ensuring that changes to the state machine are delivered atomically and in a consistent order despite failures. All of these provide a higher level virtual machine on which to build applications by abstracting away details such as the effect of failures, message reordering and losses, and unconstrained concurrent execution. Each is appropriate for different kinds of applications with different requirements. Many of the concrete realizations of these abstractions have been built as middleware services, i.e., software that is logically layered below the application and above the operating sy
Security Policy Enforcement in the Antigone System
- 2005
Works in communication security policy have recently focused on general-purpose policy languages and evaluation algorithms. However, because the supporting frameworks often defer enforcement, the correctness of a realization of these policies in software is limited by the quality of domain-specific implementations. This paper introduces the Antigone communication security policy enforcement framework. The Antigone framework fills the gap between representations and enforcement by implementing and integrating the diverse security services needed by policy.

