Security in a Distributed Resource Environment

CSE300-1
Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155

CSE300-2
Paper Overview
1. Introduction and Motivation
2. JINI
3. System Architecture and Improvements
   - Merge Prototypes
   - Security Client Database
   - Dual Security Clients Platform Independence
   - Leasing Enforcement
   - Negative Privileges
   - Architecture Improvements
Experimental Prototype
Related Work
Conclusions and Future Work

CSE300-3
Introduction and Motivation: Research Goals
- Incorporation of Role-Based Approach within Distributed Resource Environment
  - Make Distributed Applications Available Using Middleware Tools
- Propose Software Architecture and Role-Based Security Model for
  - Authorization of Clients Based on Role
  - Authentication of Clients and Resources
  - Enforcement so Clients Only Use Authorized Services (of Resource)

CSE300-4
Introduction and Motivation: Approach
- Many Middleware Lookup Services
  - Successfully Dictates Service Utilization
  - Requires Programmatic Solution for Security
  - Does Not Selectively and Dynamically Control Access Based on Client Role
- Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role
- Our Approach
  - Define Dedicated Resource to Authorize, Authenticate, and Enforce Security Policy based on Role of Client

CSE300-5
Introduction and Motivation: Initial Architecture
- Resources Provide Services
- Clients Using Services
Figure 1.1: General Architecture of Clients and Resources.
[Diagram labels: Role-Based Privileges, Authorization List, Security Registration, Legacy, COTS, Database, Lookup Service, Java Client, Legacy Client, Database Client, Software Agent, COTS Client]

CSE300-6
Introduction and Motivation: Initial Prototypes
- JINI Prototype of Role Based Approach
  - University Database (UDB)
  - Initial GUI for Sign In (Authorization List)
  - Student/faculty GUI Client (Coursedb) Access to Methods Limited Based on Role (Ex: Only Student Can Enroll in a Course)
- Security Client Prototype
  - Generic Tool
  - Uses Three Resources and Their Services
  - Role-Based Privileges
  - Authorization-List
  - Security Registration

CSE300-7
Introduction and Motivation: Security System Resources and Services
- Role-Based Privileges Resource
  - Define User-role
  - Grant/Revoke Access of Role to Resource
  - Register Services
- Authorization List Resource
  - Maintains Client Profile (Many Client Types)
  - Client Profile and Authorize Role Services
- Security Registration Resource
  - Register Client Service
  - Identity Registration at Startup
  - Uses IP Address
- Services of Resource
  - Functionally Separated and Organized
  - Resemble Method Definitions (OO)

CSE300-8
Introduction and Motivation: Initial Security Client and Resource Interactions
Figure 1.2. Security Client and Database Resource Interactions.
[Diagram labels: Role-Based Privileges, Authorization List, Security Registration, Lookup Service, Security Client, General Resource, Discover Service, Return Proxy]
Services shown in the figure:
- Find_Client(C_Id, IP_Addr); Find_All_Active_Clients();
- Grant_UR_Client(UR_Id, C_Id); Revoke_UR_Client(UR, C_Id); Find_AllUR_Client(C_Id); Find_All_Clients_UR(UR);
- Create_New_Role(UR_Name, UR_Disc, UR_Id); Delete_Role(UR_Id); Find_UR_Name(UR_Name); Find_UR_Id(UR_Id);
- Grant_Resource(UR_Id, R_Id); Grant_Service(UR_Id, R_Id, S_Id); Grant_Method(UR_Id, R_Id, S_Id, M_Id);
- Revoke_Resource(UR, R_Id); Revoke_Service(UR, R_Id, S_Id); Revoke_Method(UR, R_Id, S_Id, M_Id);
- Find_AllUR_Resource(UR,R_Id); Find_AllUR_Service(UR,R_Id,S_Id); Find_AllUR_Method(UR,R_Id,S_Id,M_Id); Find_UR_Privileges(UR);
- Register_Resource(R_Id); Register_Service(R_Id, S_Id); Register_Method(R_Id, S_Id, M_Id);
- UnRegister_Resource(R_Id); UnRegister_Service(R_Id, S_Id); UnRegister_Method(R_Id, S_Id, M_Id);
- Create_New_Client(C_Id); Delete_Client(C_Id); Find_Client(C_Id); Find_All_Clients();

CSE300-9
Introduction and Motivation: Client Interactions and Processing
Figure 3.1: Client Interactions and Service Invocations.
[Diagram labels: Role-Based Privileges, Authorization List, Security Registration, Lookup Service, GUI Client, Database Resource, Discover Service, Return Proxy]
1. Register_Client(C_Id, IP_Addr,UR);
2. Verify_UR_Client(UR,C_Id);
3. Client OK?
4. Registration OK?
5.
8. Check_Privileges(UR,R_Id,S_Id,M_Id);
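
An added sketch (not code from the slides or from the JINI prototype) of the registration and privilege check in Figure 3.1, using the slides' service names on in-memory collections instead of JINI resources. Assumptions: the mapping of services to resources in the comments, that a grant at resource or service level covers everything beneath it, the `authorize` helper, and all sample ids other than UDB and Coursedb.

```java
import java.util.*;

// Added illustration: in-memory stand-ins for the three security resources.
public class RoleSecurityDemo {
    // Role-Based Privileges: a grant is [UR, R], [UR, R, S] or [UR, R, S, M].
    static final Set<List<String>> grants = new HashSet<>();
    // Authorization List: client id -> roles that client may assume.
    static final Map<String, Set<String>> clientRoles = new HashMap<>();
    // Security Registration: [C_Id, IP_Addr] -> role verified at registration.
    static final Map<List<String>, String> active = new HashMap<>();

    static void grantURClient(String ur, String cId) {
        clientRoles.computeIfAbsent(cId, k -> new HashSet<>()).add(ur);
    }
    static void grantService(String ur, String r, String s) { grants.add(List.of(ur, r, s)); }
    static void grantMethod(String ur, String r, String s, String m) { grants.add(List.of(ur, r, s, m)); }

    static boolean verifyURClient(String ur, String cId) {
        return clientRoles.getOrDefault(cId, Set.of()).contains(ur);
    }
    // Steps 1-4: registration is refused unless the Authorization List confirms the role.
    static boolean registerClient(String cId, String ip, String ur) {
        if (!verifyURClient(ur, cId)) return false;
        active.put(List.of(cId, ip), ur);
        return true;
    }
    // Assumption: a broader grant covers what lies beneath it; no grant means deny.
    static boolean checkPrivileges(String ur, String r, String s, String m) {
        return grants.contains(List.of(ur, r))
            || grants.contains(List.of(ur, r, s))
            || grants.contains(List.of(ur, r, s, m));
    }
    // Hypothetical resource-side guard: Find_Client(C_Id, IP_Addr), then Check_Privileges.
    static boolean authorize(String cId, String ip, String r, String s, String m) {
        String ur = active.get(List.of(cId, ip));
        return ur != null && checkPrivileges(ur, r, s, m);
    }

    public static void main(String[] args) {
        grantURClient("Student", "c1");                      // constructed sample data
        grantURClient("Faculty", "c2");
        grantMethod("Student", "UDB", "Coursedb", "Enroll");
        grantService("Student", "UDB", "Catalog");
        grantMethod("Faculty", "UDB", "Coursedb", "ViewRoster");
        System.out.println(registerClient("c1", "10.0.0.5", "Faculty")); // role not held by c1
        System.out.println(registerClient("c1", "10.0.0.5", "Student"));
        System.out.println(registerClient("c2", "10.0.0.6", "Faculty"));
        System.out.println(authorize("c1", "10.0.0.5", "UDB", "Coursedb", "Enroll"));
        System.out.println(authorize("c1", "10.0.0.5", "UDB", "Catalog", "Search")); // service grant
        System.out.println(authorize("c2", "10.0.0.6", "UDB", "Coursedb", "Enroll")); // faculty
        System.out.println(authorize("c1", "10.0.0.9", "UDB", "Coursedb", "Enroll")); // unregistered IP
    }
}
```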