Security Technologies for Open Networking Environments (STONE)
Under this project SETECS performed research, created the design, and the initial prototype of three groups of security technologies: (a) middleware security platform, (b) Web services security, and (c) group security system. The results of the project indicate that the three types of security technologies can be used either individually or in combination, which enables effective and rapid deployment of a number of secure applications in open networking environments. The middleware security platform represents a set of object-oriented security components providing various functions to handle basic cryptography, X.509 certificates, S/MIME and PKCS No.7 encapsulation formats, secure communication protocols, and smart cards. The platform has been designed in the form of security engines, including a Registration Engine, Certification Engine, an Authorization Engine, and a Secure Group Applications Engine. By creating a middleware security platform consisting of multiple independent components the following advantages have been achieved - Object-oriented, Modularity, Simplified Development, and testing, Portability, and Simplified extensions. The middleware security platform has been fully designed and a preliminary Java-based prototype has been created for the Microsoft Windows operating system. The Web services security system, designed in the project, consists of technologies and applications that provide authentication (i.e., single sign), authorization, and federation of identities in an open networking environment. The system is based on OASIS SAML and XACML standards for secure Web services. Its topology comprises three major components: Domain Security Server (DSS) is the main building block of the system Secure Application Server (SAS) Secure Client In addition to the SAML and XACML engines, the authorization system consists of two sets of components An Authorization Administration System An Authorization Enforcement System Federation of identities in multi-domain scenarios is supported by a set of security engines that represent the core of the Federated Identities Management Server, which is also an extension of the Domain Security Server. The Federated Identity Management server allows users to federate their identities or terminate the federation between the service provider and the identity provider. At the service provider web site, the users are offered a list of identity providers to which they can choose to federate their identities. After users federate their identity, they can perform Single Sign-On protocol in an environment of federated domains. The group security system consists of a number of security technologies under a unified architecture, which supports creation of secure groups and execution of secure group transactions and applications in an open networking environment. The system is based on extensions of the GSAKMP standard for group key distribution and management. The Top layer is the Security Infrastructure with the Security Management and Administration System components and protocols that provide security functions common to all secure network applications The Middle layer is the Secure Group Protocols and Applications layer, consisting of the Policy and Group Key Distribution Server and Web-based (thin) Client. The Bottom layer is the supporting Middleware Security Platform, the cryptographic platform already described above. The group security system is designed to perform the functions necessary to create secure groups and enable secure group applications. Specifically, the system can manage group roles, create and disseminate a group security policy, perform authentication and authorization of users using PKI certificates and Web services security, generate group keys, and recover from compromises. In accordance with the GSAKMP standard, the group security system must perform all the required group life-cycle functions: group definition, group establishment, group maintenance, and group removal. The group security system has been designed to support four roles: The Security Domain Administrator is responsible for providing security functions defined in the top layer The Server Administrator. The central component of the group security system is the Policy and Group Key Distribution Server The Group Officer (GO) authorizes the creation of groups at a specific Policy and Group Key Distribution Server The Group Member (user) is any entity that participates in group transactions. Secure Group Applications The group security system has been designed to support four secure group applications: A Secure Instant Messaging: with the Secure Instant Messaging application A Secure Whiteboard A Secure Document Sharing A Secure Document Archiving: During the project, the group security system architecture was fully designed and preliminary prototyping was carried out for some of its components.
- Research Organization:
- Secure Transactions for Electronic Commerce Systems, Inc. (SETECS)
- Sponsoring Organization:
- USDOE Office of Science (SC)
- DOE Contract Number:
- FG02-04ER84072
- OSTI ID:
- 894922
- Report Number(s):
- Final Report; TRN: US201215%%332
- Country of Publication:
- United States
- Language:
- English
Similar Records
Certificate-based authorization policy in a PKI environment
Universal Utility Data Exchange (UUDEX) – Security and Administration: Cybersecurity of Energy Delivery Systems (CEDS) Research and Development
Related Subjects
ARCHITECTURE
COMMUNICATIONS
CRYPTOGRAPHY
DESIGN
DISTRIBUTION
ENCAPSULATION
ENFORCEMENT
ENGINES
LIFE CYCLE
MAINTENANCE
MANAGEMENT
REMOVAL
SECURITY
TESTING
TOPOLOGY
WINDOWS
middleware security platform
web services security
group security system