Project No.: 5003-045364 01.02.97 - 31.12.99

Project leader: Prof. André Schiper, Operating Systems Laboratory (LSE), Computer Science Department (DI), Swiss Federal Institute of Technology at Lausanne (EPFL)
e-mail: andre.schiper@di.epfl.ch

Name of project: Security services creation and management in a distributed processing environment

Partners:
Prof. Jean-Pierre Hubaux, Institute for Computer Communication and Applications (ICA), Computer Science Department (DI), Swiss Federal Institute of Technology at Lausanne (EPFL)
Dr. Karin Busch, Swisscom Corporate Technology, Bern
Dr. Michael Gehrke, Secunet GmbH, Essen, Germany

Funding: Sfr 738,983.-

Summary:
The goal of the project is the creation of a manageable security platform for middleware-based telecommunication service architectures, i.e. service architectures in which telecommunication services are realized as distributed applications in a so-called Distributed Processing Environment (DPE) based on the concept of distributed object computing. The platform enforces the security policies of the parties involved in a service interaction in two steps: the parties first negotiate a mutually agreed cooperation security policy, and the security services then enforce that policy by applying the security mechanisms it determines. The approach is intended for environments without a central security administration that could define a global security policy and manage the security services of the whole network; instead, it applies to networks in which each node can be a self-administered administrative domain, as in TINA networks and the Internet.

The results of the project will enable interoperability between administrative domains despite the heterogeneity of security policies and security technologies that must be assumed in a global multi-service network. The developed technology is integrated with CORBA as the distributed processing environment of the telecommunication service architectures. The Internet is assumed as the underlying network.
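The two-step approach described above (negotiate a cooperation security policy from the parties' local security policy bases, then have the security services enforce it) as an added, constructed Python example that is not part of the project's own platform; the policy-base format, the mechanism names and the strength ranking are assumptions made for illustration.

```python
# Constructed example: cooperation-policy negotiation between two self-administered
# domains. The policy-base format, mechanism names and STRENGTH ranking are
# assumptions for illustration, not the project's actual data model.
from typing import Dict, List, Optional

# Assumed relative strength of mechanisms (higher = stronger), used for the
# minimum-strength requirement each domain places on its peer.
STRENGTH = {"password": 1, "kerberos": 2, "x509-cert": 3, "smartcard": 4,
            "des": 1, "3des": 2, "aes128": 3, "md5-hmac": 1, "sha1-hmac": 2}

# A local security policy base: per security service, the mechanisms the domain
# can apply in preference order, and the minimum strength it will accept.
DOMAIN_A = {
    "authentication": {"mechanisms": ["smartcard", "x509-cert", "password"], "min_strength": 3},
    "confidentiality": {"mechanisms": ["aes128", "3des"], "min_strength": 2},
    "integrity": {"mechanisms": ["sha1-hmac", "md5-hmac"], "min_strength": 1},
}
DOMAIN_B = {
    "authentication": {"mechanisms": ["x509-cert", "password"], "min_strength": 1},
    "confidentiality": {"mechanisms": ["3des", "des"], "min_strength": 1},
    "integrity": {"mechanisms": ["md5-hmac", "sha1-hmac"], "min_strength": 2},
}

def negotiate(local: Dict, remote: Dict) -> Optional[Dict[str, str]]:
    """Derive a cooperation security policy (service -> mechanism) acceptable to
    both parties, honouring the local preference order; None if no agreement."""
    agreed: Dict[str, str] = {}
    for service, lpol in local.items():
        rpol = remote.get(service)
        if rpol is None:
            return None  # the peer offers no mechanism for this service at all
        required = max(lpol["min_strength"], rpol["min_strength"])
        common = [m for m in lpol["mechanisms"]
                  if m in rpol["mechanisms"] and STRENGTH[m] >= required]
        if not common:
            return None  # policies are incompatible for this service
        agreed[service] = common[0]
    return agreed

def enforce(policy: Dict[str, str], used: Dict[str, str]) -> List[str]:
    """Check the mechanisms actually used in an interaction against the agreed
    policy; an empty list means the security services may let it proceed."""
    return [f"{svc}: used {used.get(svc)!r}, policy requires {mech!r}"
            for svc, mech in policy.items() if used.get(svc) != mech]

if __name__ == "__main__":
    policy = negotiate(DOMAIN_A, DOMAIN_B)
    print("cooperation policy:", policy)
    print("violations:", enforce(policy, {**policy, "authentication": "password"}))
```

Negotiation fails outright (returns None) when a peer cannot meet the stronger party's minimum for some service, which is the case the summary's "mutually agreed" wording implies rather than silently falling back to a weaker mechanism.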

In order to support the development of authentication schemes tailored to the requirements of the users and the established trust relationships, we have developed a logic for authentication protocol verification and design. The tailored authentication schemes can then be dynamically registered in the local security policy bases and used to tailor and optimise the cooperation security policies between certain parties. User authentication over untrusted terminals, as must be assumed in telecommunications networks that support the personal mobility of users (i.e. the use of terminals that are not under the administration and physical control of the mobile user), is supported by the development of suitable smart-card-based authentication schemes, their realization, and their integration into the platform.

The project provides the main input for the international research and specification work on the security architecture of the TINA-C architecture.

Phase one concentrated on the architectural aspects of the provision of security services by the middleware layer to the applications layer in middleware (DPE) based service architectures. The second phase (the continuation) concentrates on enabling interoperability between domains with different security policies, and on integrating smart-card technology for user authentication into the architecture and the platform.

Cooperation: Swisscom and Secunet, Essen (Germany)