Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13A Security Architecture Based on Trust Management for Pervasive Computing SystemsLalana Kagal, Jeffrey Undercoffer, Filip Perich, Anupam Joshi, Tim FininComputer Science and Electrical Engineering DepartmentUniversity of Baltimore County• Ordinary Computing and Pervasive Computing!• What is pervasive computing? • Solution based on distributed trust management – create security policies, assign credentials, revoking it and even reasoning them. • Solution complements PKI and RBAC.• Smart Spaces – NIST Sponsored Project.• Many other attempts were already made but none used distributed trust as a way to secure the system and the policies. •Attempts : 1. Smart Homes by Unisys ( uses WAP and PDA ), 2. Centaurus infrastructure system, 3. UCB’s Ninja and its problem 4. Policy Maker • The proposed solution drew good points from all the above systems and uses PKI to enforce policies and security features. INTRODUCTION• Policy in this context contains what? Or what exactly does it mean about rules and rights?• What do they actually propose or what does it have?• Vigil is the proposed system. • Can be used in wireless and wired – main point is that security has to be dynamic. • Vigil uses PKI and RBAC – but not totally like RBAC which uses only role heirarchies. Uses its own set of properties and constraints expressed in a XML based language. There are six components : Service Manager, Communication Manager, Certificate, Controller, Security Agent, Role Assignment Manager, and Clients(users and services).• Service Manager – broker between clients and services.• Communication Manager – communication gateway between the service managers and the different spaces.• Certificate Controller - responsible for generating x.509 digital certificates [5] for entities in the system and for responding to certificate validation queries.•Role Assignment Manager maintains a role list for known entities in the system and a set of rules for role assignment. It responds to initial requests for role assignment in a particular Space. •Security Agent, manages the trust in the Space, receives information about new access rights that are conferred on a user and rights that are revoked, and reasons about the current rights of a user.• Clients – services and users.• All messages between the various entities in the Vigil system are in Centaurus Capability Markup Language.Service Manager • The Service Manager acts as a mediator between the Services andthe users. All clients of the system, whether they are services orusers, have to register with a Service Manager in the SmartSpace.The Service Manager is responsible for processing Client Registration/De-Registration requests, responding to registered Client requests for alisting of available services, for brokering Subscribe/Un-Subscribeand Command requests from users to services, and for sending serviceupdates to all subscribed users whenever the state of a particularservice is modified.• Service Managers are arranged in a tree like hierarchy and messages are routed through to other SM’s through this tree.• This tree like structure forms the core of the vigil system.• Each client establishes trust with its SM, and SM’s across the hierarchy establish trust among them, hence trust now is a concept that is transparent between all clients in the system.CLIENT •During registration, the client transmits its digital certificate, a list of roles which can access it.• Client Flag – Visibility Concept.• A service can inform SM about the requested security level. • The SM updates its knowledge by querying the Security Agent. • The client and SM exchange certificates with the SA as the coordinator, and hence a trust web is formed. • Client then gets roles and associated rights from the RAM and receives a list of services that it can access.• Client requests for service from another space through the SM, which in turn receives help from the SA.CERTIFICATE CONTROLLER •To get a certificate , an entity sends a certificate request to the Certificate Controller. The entity is sent back a x.509 certificate, signed by the Certificate Controller and the Certificate Controller’s self signed certificate, which is used to validate other entities’ certificates.•These certificates are stored and protected on a client’s smartcard. An entity could enter a Space with a certificate from another Certificate Authority.ROLE ASSIGNMENT MANAGER• The Role Assignment Manager maintains a list of roles associating entities with roles, and a set of rules for role assignment. These rules specifythe credentials required to be in a certain role.•When queried with the certificate of an entity, the Role Assignment Manager checks the access control list and the rules for assignment to find the roles of the entity. An entity could have more than one role at a time. For example, an entity could be both a graduate student and a researchassistant. The role of an entity could change over time. Its access rights could also change without any change in role through the delegations of rights.• When the Role Assignment Manager is initialized, it reads its x.509 digital certificate and its PKCS#11 [11] wrapped private key from a secure file and stores it into local memory. It also reads and indexes the ACL file, which contains the roles of all entities within the system, and stores the time stamp of the file.• When the Role Assignment Manager receives a query for an entity’s role, it compares the current time stamp on the capability file with the time stamp of the last file read, if they are not equal it re-reads the ACL file. This feature allows roles of entities to change continuously and dynamically.SECURITY AGENT•The Security Agent uses a knowledge base and sophisticated reasoning techniques for security. On initialization, it reads the policy and stores it in a Prolog knowledge base.• All requests are translated into Prolog, and the knowledge base is queried. The policy contains permissions which are access rights associated with roles,and prohibitions which are interpreted as negative access rights. A positive or negative result is produced.• When a user needs to access a service that it does not have the right to access, it requests another user, who has the right, or the service itself, for the permission to