The Unmanaged Internet Architecture (UIA) provides zero-configuration connectivity among mobile devices through personal names. Users assign personal names through an ad hoc device introduction process requiring no central allocation. Once assigned, names bind securely to the global identities of their target devices independent of network location. Each user manages one namespace, shared among all the user’s devices and always available on each device. Users can also name other users to share resources with trusted acquaintances. Devices with naming relationships automatically arrange connectivity when possible, both in ad hoc networks and using global infrastructure when available. A UIA prototype demonstrates these capabilities using optimistic replication for name resolution and group management and a routing algorithm exploiting the user’s social network for connectivity. 1

Securing a Grid environment presents a distinctive set of challenges. This paper groups the activities that need to be secured into four categories: naming and authentication; secure communication; trust, policy, and authorization; and enforcement of access control. It examines the current state of the art in securing these activities and introduces new technologies that promise to meet the security requirements of Grids more completely. Keywords—Authentication, authorization, computational Grid security, secure communication, security policy, trust management. I.

Traditional Public Key Infrastructures (PKI) have not lived up to their promise because there are too many ways to define PKIs, too many cryptographic primitives to build them with, and too many administrative domains with incompatible roots of trust. Alpaca is an authentication and authorization framework that embraces PKI diversity by enabling one PKI to “plug in ” another PKI’s credentials and cryptographic algorithms, allowing users of the latter to authenticate themselves to services using the former using their existing, unmodified certificates. Alpaca builds on Proof-Carrying Authorization (PCA) [8], expressing a credential as an explicit proof of a logical claim. Alpaca generalizes PCA to express not only delegation policies but also the cryptographic primitives, credential formats, and namespace structure needed to use foreign credentials directly. To achieve this goal, Alpaca introduces a method of creating and naming new principals which behave according to arbitrary rules, a modular approach to logical axioms, and a domain-specific language specialized for reasoning about authentication. We have implemented Alpaca as a Python module that assists applications in generating proofs (e.g., in a client requesting access to a resource), and in verifying those proofs via a compact 800-line TCB (e.g., in a server providing that resource). We present examples demonstrating Alpaca’s extensibility in scenarios involving inter-organization PKI interoperability and secure remote PKI upgrade.

Abstract not found

Abstract. Autonomic Communication is a new paradigm for dynamic network integration. An Autonomic Network crosses organizational boundaries and is provided by entities that see each other just as business partners. Policy-base network anagement already requires a paradigm shift in the access control mechanism (from identity-based access control to trust management and negotiation), but this is not enough for cross organizational autonomic communication. For many services no partner may guess a priori what credentials will be sent by clients and clients may not know a priori which credentials are required for completing a service requiring the orchestration of many different autonomic nodes. We propose a logical framework and a Web-Service based implementation for reasoning about access control for Autonomic Communication. Our model is based on interaction and exchange of requests for supplying or declining missing credentials. We identify the formal reasoning services that characterise the problem and sketch their implementation. 1

Abstract. Trust is hard to establish in a service-oriented grid architecture because of the need to support end user single sign-on and dynamic transient service. In order to enhance the security by the Grid Security Infrastructure (GSI), this paper proposes a two-level trust model and the corresponding trust metrics evaluation algorithms. The upper level defines the trust relationships among Virtual Organizations (VO) in a distributed manner. The lower level justifies the trust values within a grid domain. This novel model provides an integrated trust evaluation mechanism to support secure and transparent services across security domains. It is flexible, scalable and interoperable. We design the implementation of embedding the trust scheme into GSI. At this stage, we achieve additional authentication means between grid users and grid services. 1

The Internet’s architecture, designed in the days of large, stationary computers tended by technically savvy and accountable administrators, fails to meet the demands of the emerging ubiquitous computing era. Nontechnical users now routinely own multiple personal devices, many of them mobile, and need to share information securely among them using interactive, delay-sensitive applications. Unmanaged Internet Architecture (UIA) is a novel, incrementally deployable network architecture for modern personal devices, which reconsiders three architectural cornerstones: naming, routing, and transport. UIA augments the Internet’s global name system with a personal name system, enabling users to build personal administrative groups easily and intuitively, to establish secure bindings between his devices and with other users’ devices, and to name his devices and his friends

Public key infrastructure standards assert that proof-of-possession of private key is an essential requirement during the enrollment process. Even though the justifications for this requirement seem to be well-known within the PKI community, they do not appear to be documented anywhere. In this paper, we document and examine potential rationales for proof-of-possession and discuss their merits. We conclude that if protocols and applications are designed "properly", proof-of-possession does not add any security. However, the world is not perfect. Many existing applications and protocols are in fact not properly designed. Proof-of-possession is a useful safety precaution for the users of such applications and protocols. But there is no simple automated way for a relying party application to check whether proof-of-possession was done during enrollment. Therefore, we argue that designers of public key protocols must not assume that CAs require proof-of-possession during enrollment.

In this paper we define and provide a general construction for a class of policies we call dynamic policies. In most existing systems, policies are implemented and enforced by changing the operational parameters of shared system objects. These policies do not account for the behavior of the entire system, and enforcing these policies can have unexpected interactive or concurrent behavior. We present a policy specification, implementation, and enforcement methodology based on formal models of interactive behavior and satisfiability of system properties. We show that changing the operational parameters of our policy implementation entities does not affect the behavioral guarantees specified by the properties. We demonstrate the construction of dynamic access control policies based on safety property specifications and describe an implementation of these policies in the Seraphim active network architecture. We present examples of reactive security systems that demonstrate the power and dynamism of our policy implementations. We also describe other types of dynamic policies for information flow and availability based on safety, liveness, fairness, and other properties. We believe that dynamic policies are important building blocks of reactive security solutions for active networks. 1.

With the growing interest in service-oriented architectures, achieving seamless interoperability between heterogeneous middleware technologies has become increasingly important. While much work investigating functional interoperability between different middleware architectures has been reported, little practical work has been done on providing a unified and/or interoperable view of security between the different approaches. In this paper we describe how the Secure WebCom distributed architecture provides access control policy interoperability support between a number of middleware security architectures. Secure WebCom uses the KeyNote trust management system to help coordinate the trust relationships between the different middleware systems and their associated access control policies. Middleware authorisation policies can be encoded in terms of cryptographic certificates, and vice-versa. This provides a unified view of access control across heterogeneous middleware systems and also provides the basis for decentralised support of middleware access control policies.