Security Hompage DOE Security Workshop III

U. S. Department of Energy, Joint Energy Research / Defense Programs Computing-related Security Research Requirements Workshop - III

News

• 5/29/98

  All presentations are now available!

Abstracts and Background Information (in order of presentation)

PowerPoint-generated slide presentations are optimized for 1024 x 768. Whenever possible, two versions of each PowerPoint presentation are provided, one using frames and JavaScript, the other using vanilla HTML. A PDF version of each talk is also available.

• Wednesday 3/18/98

  • The Security Aspects of On-Line Science
    William Johnston, Lawrence Berkeley National Laboratory
    • PDF versions of slides

  • SSDS: Secure Software Distribution System
    Anthony Bartoletti, Lawrence Livermore National Laboratory

    Abstract

    This paper presents the design and implementation of a new SSDS is representative of an enormous range of lightweight, distributed, semi-autonomous processes whose network traffic needs authentication, integrity and confidentiality. Such applications can benefit greatly from public key technology, where key-pairs serve to identify persistent application services on specific systems. But the overhead of complex certificate structures and the heavy proscriptions for key certification authority, intended for "judicial-grade" key management, are arguably inappropriate for these lightweight processes and dynamic environments, especially so in narrow domains of authority. Such applications would benefit greatly from a standard for a lightweight key certification format, procedures and policy.

    • PDF version of slides (PowerPoint couldn't create HTML)

  • The CRISIS Wide Area Security Architecture
    Eshwar Belani and Amin Vahdat, University of California, Berkeley
    Thomas Anderson, University of Washington, Seattle
    Michael Dahlin, University of Texas, Austin

    Abstract

    This paper presents the design and implementation of a new authentication and access control system, called CRISIS. A goal of CRISIS is to explore the systematic application of a number of design principles to building highly secure systems, including: redundancy to eliminate single points of attack, caching to improve performance and availability over slow and unreliable wide area networks, fine-grained capabilities and roles to enable lightweight control of privilege, and complete local logging of all evidence used to make each access control decision. Measurements of a prototype CRISIS-enabled wide area file system show that in the common case CRISIS adds only marginal overhead relative to unprotected wide area accesses.

    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides
    • WebOS home page (includes pages about CRISIS)

  • Security Architecture for the Globus Distributed System
    Ian Foster, Argonne National Laboratory
    
    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

  • The Akenti Access Control System: Resource Access Control With Authorization and Attribute Certificates
    William Johnston, Srilekha Mudumbai, and Mary Thompson, Lawrence Berkeley National Laboratory

    Abstract

    We describe a system whose purpose is to explore the use of certificates for the distributed management of access rights for resources that have multiple, independent, and geographically dispersed stakeholders. The stakeholders assert their use-conditions in authorization certificates and designate those trusted to attest to the corresponding attributes. These use-conditions implicitly define access groups through their requirement for certain attributes. All use-conditions must be satisfied simultaneously, so the actual access group is the intersection of all of the groups. A policy engine collects the use-condition certificates and attribute certificates when a user attempts to access a particular resource. If all of the use-conditions are met, a capability is generated for the resource. The policy engine can provide several different policy models depending on whether any relationship is established among the use-conditions. The system architecture and implementation is described, together with some of the identified strengths, weaknesses, and vulnerabilities.

    • PDF version of slides

  • GSSAPI_SSLEAY for Globus Security
    Douglas E. Engert, Argonne National Laboratory

    Abstract

    The Globus project is using GSSAPI for authentication. The gssapi_ssleay is the implementation which uses SSL for authentication, using the SSLeay package. Delegation of credentials is accomplished by the server creating a key pair and a certificate request for a "proxy" This is returned to the client which signs, and returns the "proxy" certificate to the server. During the verification of certificate chains a "proxy" certificate will be accepted if and only if it signed by the user. This may be done recursively as well. An alternate authentication service (AAS) for Kerberos V5 or DCE will be created which will allow a user or "proxy" certificate to obtain a Kerberos V5 TGT, thus allowing access to a local sites resources such as the DFS or AFS distributed file systems.

    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

• Thursday 3/19/98

  • The Collaboratory Infrastructure Framework and Security Issues
    Deborah Agarwal, Lawrence Berkeley National Laboratory
    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

  • Electronic Notebooks (Collaboratories)
    James Meyers, Pacific Northwest National Laboratory
    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

  • Role Based Access Control
    John Barkley, National Institute of Standards and Technology

    Abstract

    I will discuss a Role Engineering and Diagnostic tool which takes role/permission information and outputs suggested roles and role hierarchy. I will also discuss two new versions of the RBAC/Web Admin Tool: one to directly manipulate the NT User Manager database and one to represent the RBAC database in a relational database.

    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides
    • Role-based Access Control (NIST page)

  • ImgLib - A Secure Digital Library
    Mary Thompson, Lawrence Berkeley National Laboratory

    Abstract

    The LBNL Imglib is a Web-based interface to collections of images kept on a server machine and viewed and curated via standard Web browsers. The owner of the images, designated as the curator of the collection, can independently control who may view the thumbnail images and textual metadata, who may view/retrieve the orignal images and who may modify the collection.

    The orginal ImgLib implementation used the standard NCSA Web server access control mechanism to control access to the various parts of the collection. The secure ImgLib is using the Akenti PKI/Certificate based access control mechanisms to allow the collection stakeholders (aka curators) to control access to the images.

    The secure ImgLib uses the Apache Web-server, with Eric Young's SSL patches and replaces the standard Web style user/password access control module with a module that calls the Akenti policy engine to compute the allowed access. The standard Web .htaccess files have been replaced by authority files that tell the policy engine who the stakeholders are, which CA are trusted and where to find UseCondition and Attribute Certificates.

    Since these UseCondition and Attribute Certificates are signed documents they can be generated by the designated stakeholders and stored at distributed sites that are accessible by LDAP or Web servers.

    The Akenti policy engine is also callable by the ImgLib scripts that present the items in the collection to the user. As a result, the stakeholders are able to exert much more fine-grain control over the actions on the collection than was possible with the standard Web GET and POST type access.

    • PDF version of slides

  • The Collaboration Management Environment and the Materials Microcharacterization Collaboratory (two talks)
    James Rome, Oak Ridge National Laboratory
    • HTML version of "Collaborative Management Environment Security Issues" (frames and JavaScript)
    • HTML version of "Collaborative Management Environment Security Issues" (plain)
    • PDF version of "Collaborative Management Environment Security Issues"

    • HTML version of "Security & Remote Operation of Microscopes and Beamlines" (frames and JavaScript)
    • HTML version of "Security & Remote Operation of Microscopes and Beamlines" (plain)
    • PDF version of "Security & Remote Operation of Microscopes and Beamlines"

  • PKI and DCE Within ASCI
    Frank Ploof, Lawrence Livermore National Laboratory
    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

  • Security Infrastructure: IPv6 and Secure DNS
    Randall Atkinson, @home
    • PDF version of slides

  • Security Infrastructure: Session Key Management Protocols
    Doug Maughan, Argonne National Laboratory
    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

• Friday 3/20/98

  • How Many Certification Authorities are Enough?
    Stephen Kent, BBN Technologies

    Abstract

    Some models of formal (e.g., as opposed to the informal PGP-style) certification systems embody a notion that only a few certificates will be issued to a user to represent that user in interactions with many different applications (services). However, establishing certification authorities (CAs) that issue certificates to represent a user in many different contexts and satisfy different security requirements, has proven difficult. Operating a generic, public CA service requires balancing liability concerns, acceptable cost models, levels of authentication assurance, and name space issues.

    Another approach to certification is motivated by the observation that individuals have many existing relationships with various organizations. This approach leverages the existing databases maintained by organizations to track employees, customers, members, etc. Certificates issued by organizations not for general use, but focused on a specific application context, avoid many of the problems facing generic, public CAs. For example, liability can be well understood because the certificate is bounded in its use. The level of assurance for authentication is determined solely by the issuer, in the context of the application, and the issuer's database provides data associated with the subject that may be used to support on-line registration with fairly high levels of assurance. Naming problems disappear because each subject is already assigned a unique name in the issuer's database.

    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

  • Certificate Implementation: The Good, the Bad, and the Ugly
    James Rome, Oak Ridge National Laboratory
    • HTML version of slides (frames and JavaScript)
    • HTML version of slides (plain)
    • PDF version of slides

  • Evaluating Certification Authority Security
    Stephen Kent, BBN Technologies

    Abstract

    A growing number of applications in the Internet are making use of X.509 public key certificates. Examples include security protocols such as SSL (used in web browsers), IPsec (used in firewalls and desktop computers), S/MIME (a secure e-mail protocol), and SET (the electronic commerce credit card transaction protocol). The public key certificates employed by the applications are created by Certification Authorities (CAs), that vouch for the binding of various attributes (e.g., identity) to a public key. Thus the security of these applications is dependent on the security of the CA function. This paper examines security for CAs. It begins with a characterization of security requirements for CAs and continues with an exploration of the wide range of attacks that can be mounted against CAs. Included are attacks against network communications, against the operating systems used by CAs, "close-in" technical attacks against CA components (including cryptographic modules), and even misbehavior by human operators. The paper concludes with an examination of three approaches to implementing CA cryptographic support functions, analyzing each relative to the attack scenarios developed earlier in the paper.

    • PDF version of slides (PowerPoint couldn't create HTML)

  ---

  To report Web page problems, e-mail webmaster@www-itg.lbl.gov. To request further information about the Imaging and Distributed Collaboration Group activities, e-mail wejohnston@lbl.gov. Support Credits identify the funding sources and the organizational context of the work described in this document. Disclaimers and Legal Notices apply to this document and its uses, and access to and uses of the system on which it resides at LBL. Comments on this page should be directed to gjhoo@lbl.gov

  ---

  Page last modified: Thursday, 19-Jul-2001 17:23:05 PDT Credits:Distributed Security research and development is funded by the U.S. Dept. of Energy, Office of Science, Office of Advanced Scientific Computing Research, Mathematical, Information, and Computational Sciences Division. Privacy and site security notice to Users

  ---