Security in a Distributed Resource EnvironmentPaper OverviewIntroduction and Motivation Research GoalsIntroduction and Motivation ApproachIntroduction and Motivation Initial ArchitectureIntroduction and Motivation Initial PrototypesIntroduction and Motivation Security System Resources and ServicesIntroduction and Motivation Initial Security Client and Resource InteractionsIntroduction and Motivation Client Interactions and ProcessingIntroduction and Motivation ObjectivesSlide 11Slide 12System Architecture and Improvements JINI Prototype of Role Based ApproachSystem Architecture and Improvements Security Policy and EnforcementSlide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Related WorkConclusionsFuture WorkSlide 35CSE300-1Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. PhillipsComputer Science & Engineering Department191 Auditorium Road, Box U-155The University of ConnecticutStorrs, Connecticut 06269-3155 Security in a Distributed Resource Security in a Distributed Resource EnvironmentEnvironmentCSE300-2Paper OverviewPaper Overview1. Introduction and Motivation1. Introduction and Motivation2. JINI 2. JINI 3. System Architecture and Improvements 3. System Architecture and Improvements Merge PrototypesSecurity Client DatabaseDual Security Clients Platform IndependenceLeasing EnforcementNegative PrivilegesArchitecture ImprovementsExperimental Prototype Experimental Prototype Related WorkRelated WorkConclusions and Future WorkConclusions and Future WorkCSE300-3Introduction and MotivationIntroduction and MotivationResearch GoalsResearch GoalsIncorporation of Role-Based Approach within Incorporation of Role-Based Approach within Distributed Resource EnvironmentDistributed Resource EnvironmentMake Distributed Applications Available Using Middleware ToolsPropose Software Architecture and Role-Based Propose Software Architecture and Role-Based Security Model forSecurity Model forAuthorization of Clients Based on RoleAuthentication of Clients and ResourcesEnforcement so Clients Only Use Authorized Services (of Resource)CSE300-4Introduction and MotivationIntroduction and MotivationApproachApproachMany Middleware Lookup ServicesMany Middleware Lookup ServicesSuccessfully Dictates Service UtilizationRequires Programmatic Solution for SecurityDoes Not Selectively and Dynamically Control Access Based on Client RoleSecurity of a Distributed Resource Should Security of a Distributed Resource Should Selectively and Dynamically Control Client Selectively and Dynamically Control Client Access to Services Based on the RoleAccess to Services Based on the RoleOur ApproachOur ApproachDefine Dedicated Resource to Authorize, Authenticate, and Enforce Security Policy based on Role of ClientCSE300-5Introduction and MotivationIntroduction and MotivationInitial ArchitectureInitial ArchitectureResources Provide ServicesClients Using ServicesFigure 1.1: General Architecture of Clients and Resources.Role-BasedPrivilegesAuthorizationListSecurity RegistrationLegacyCOTSCOTSDatabaseDatabase LookupServiceLookupServiceJavaClientJavaClientLegacyClientDatabaseClientSoftwareAgentCOTSClientCSE300-6Introduction and MotivationIntroduction and MotivationInitial PrototypesInitial PrototypesJINI Prototype of Role Based ApproachJINI Prototype of Role Based ApproachUniversity Database (UDB)Initial GUI for Sign In (Authorization List)Student/faculty GUI Client (Coursedb) Access to Methods Limited Based on Role (Ex: Only Student Can Enroll in a Course)Security Client Prototype Security Client Prototype Generic ToolUses Three Resources and Their ServicesRole-Based PrivilegesAuthorization-ListSecurity RegistrationCSE300-7Introduction and MotivationIntroduction and Motivation Security System Resources and ServicesSecurity System Resources and ServicesRole-Based Privileges ResourceRole-Based Privileges ResourceDefine User-roleGrant/Revoke Access of Role to ResourceRegister ServicesAuthorization List ResourceAuthorization List ResourceMaintains Client Profile (Many Client Types)Client Profile and Authorize Role ServicesSecurity Registration ResourceSecurity Registration ResourceRegister Client ServiceIdentity Registration at StartupUses IP AddressServices of ResourceServices of ResourceFunctionally Separated and OrganizedResemble Method Definitions (OO)CSE300-8Introduction and MotivationIntroduction and Motivation InitialInitial Security Client and Resource InteractionsSecurity Client and Resource InteractionsFigure 1.2. Security Client and Database Resource Interactions.Role-BasedPrivilegesAuthorizationListSecurity RegistrationLookupServiceSecurityClientFind_Client(C_Id, IP_Addr); Find_All_Active_Clients(); Discover Service Return ProxyGeneralResource Grant_UR_Client(UR_Id, C_Id); Revoke_UR_Client(UR, C_Id); Find_AllUR_Client(C_Id); Find_All_Clients_UR(UR);Create_New_Role(UR_Name, UR_Disc, UR_Id); Delete_Role(UR_Id); Find_UR_Name(UR_Name); Find_UR_Id(UR_Id); Grant_Resource(UR_Id, R_Id); Grant_Service(UR_Id, R_Id, S_Id); Grant_Method(UR_Id, R_Id, S_Id, M_Id); Revoke_Resource(UR, R_Id); Revoke_Service(UR, R_Id, S_Id); Revoke_Method(UR, R_Id, S_Id, M_Id); Find_AllUR_Resource(UR,R_Id); Find_AllUR_Service(UR,R_Id,S_Id); Find_AllUR_Method(UR,R_Id,S_Id,M_Id); Find_UR_Privileges(UR);Register_Resource(R_Id); Register_Service(R_Id, S_Id);Register_Method(R_Id, S_Id, M_Id);UnRegister_Resource(R_Id);UnRegister_Service(R_Id, S_Id);UnRegister_Method(R_Id, S_Id, M_Id);Create_New_Client(C_Id); Delete_Client(C_Id); Find_Client(C_Id); Find_All_Clients();CSE300-98. Check_Privileges(UR,R_Id,S_Id,M_Id);Introduction and MotivationIntroduction and Motivation Client Interactions and ProcessingClient Interactions and ProcessingDatabaseResourceFigure 3.1: Client Interactions and Service Invocations.Role-BasedPrivilegesAuthorizationListSecurity RegistrationLookupServiceGUIClient 1. Register_Client(C_Id, IP_Addr,UR); 2. Verify_UR_Client(UR,C_Id);Discover Service Return Proxy 3. Client OK? 4. Registration OK?5.