We have implemented and deployed an access control mechanism that uses digitally-signed certificates to define and enforce an access policy for a set of distributed resources that have multiple, independent and geographically dispersed stakeholders. The stakeholders assert their access requirements in use-condition certificates and designate those trusted to attest to the corresponding user attributes. Users are identified by X.509 identity certificates. During a request to use a resource, a policy engine collects all the relevant certificates and decides if the user satisfies all the requirements. This paper describes the model, architecture and implementation of this system. It also includes some preliminary performance measurements and our plans for future development of the system. 1. Motivation: Distributed Computing Environments In distributed computing environments such as research collaborations spanning several institutions, there may be independent and geographically dispe...

Public key infrastructures and authentication protocols, in the sense they are currently known, have been publicly studied since 1978 [23]. In this work I demonstrate how I, together with the research group I have had the privilege to direct, have further developed these concepts in the Object-Oriented field. In our research, we have implemented a public key based system that allows distributed agents to securely co-operate in an insecure network. In this thesis, I focus on the following four interrelated aspects. First, I define a concrete secure software architecture for distributed software agents. Second, I describe our implementation of an Object-Oriented protocol framework for cryptographic protocols. Third, I show how an authorization based Public Key Infrastructure can be used to manage the security of Java based, Object-Oriented software Agents. And finally, I describe how this infrastructure can be extended to support distributed, secure agent execution and permission delega...

The Java Development Kit (JDK) has included the concepts of cryptographic keys, signatures and certificates since version 1.0, and they have been improved and extended in JDK 1.2. However, the certificate interfaces still only cover identity certificates. As more and more security software makes use of authorization certificates, we feel that the concept of an authorization certificate and its implementation need to be added to the Java Security API. In this paper, we analyze the certificate model of the JDK 1.2. We also describe an extension to the JDK 1.2 cryptography architecture, providing support for authorization certificates in general and SPKI certificates in particular. In the future, we intend to use the extensions described in this paper to customize the JDK 1.2 policy management to be easier to distribute. In particular, we are going to replace the identity based security management that is configured through a configuration file, with a capability base...

Wireless Local Area Networks (WLAN) are one of the most promising approaches for IP based mobile network access. In this paper, we present a security and accounting architecture for WLAN based public Internet access. Our scheme is based on the use of Simple Public Key Infrastructure (SPKI) certificates supporting all kinds of prepayment mechanisms. The architecture provides the possibility to grant fully anonymous Internet access for users while using strong cryptography in checking the access rights. As an example implementation of our concept, we describe an Internet cafe where the users buy Internet access time for their portable terminals together with other products. The access rights are presented as SPKI certificates and transferred to the users through an infrared link which is secure due to its locality. The user requesting the Internet access presents the required certificates through WLAN link to the access controller. Routing to the external Internet is granted if the acces...

Security people are accustomed to asking "What is this person trusted to do? " Java technology started out being concerned primarily with "What is this code trusted to do? " With the rise in distributed Java applications and the use of Java technology in multi-user environments, applications often need to make access control decisions based on who is making a particular request. Java 2 Standard Edition (J2SE™) incorporates multiple access control mechanisms, including user identity based access control. These mechanisms can be used to implement a variety of security models, and can be extended to implement additional requirements.

In a distributed system, dynamically dividing execution between nodes is essential for service robustness. However, when all of the nodes cannot be equally trusted, and when some users are more honest than others, controlling where code may be executed and by whom resources may be consumed is a nontrivial problem. In this paper we describe a generic authorisation certificate architecture that allows dynamic control of resource consumption and code execution in an untrusted distributed network. That is, the architecture allows the users to specify which network nodes are trusted to execute code on their behalf and the servers to verify the users ’ authority to consume resources, while still allowing the execution to span dynamically from node to node, creating delegations on the fly as needed. The architecture scales well, fully supports mobile code and execution migration, and allows users to remain anonymous. We are implementing a prototype of the architecture using SPKI certificates and ECDSA signatures in Java 1.2. In the prototype, agents are represented as Java JAR packages.