Symposium on Identity and Trust on the Internet: Latest Publications

Secure communication for ad-hoc, federated groups
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373298
A. Sjöholm, L. Seitz, B. S. Firozabadi
Abstract: Ad-hoc federated groups are getting increasingly popular as means of addressing collaborative tasks that require information sharing. However, in some application scenarios, the security of the shared information is vital. Managing the communication security of such groups in an efficient way is a difficult task.
This paper presents an architecture that enables secure communication for ad-hoc, cross-organisational groups. Our architecture covers group admission control, group key management and secure group communication. The groups in question are expected to be ad-hoc groups where the potential participants have no prior knowledge of each other and thus federation mechanisms need to be used to establish group admission rights. In order to handle group admission we use the SAML and XACML standards, for group key management we use the TGDH protocol. Our approach thus supports decentralised management of the most important tasks in secure group communication using an integrated approach based on established security standards. We have also produced a demo implementation to show the feasibility of our architecture.
This research was pursued as part of the TrustDis project funded by the Swedish Governmental Agency for Innovation Systems (Vinnova).
Citations: 8
Securing the core with an Enterprise Key Management Infrastructure (EKMI)
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373303
Arshad Noor
Abstract: The last twenty-five years has witnessed an emphasis on protecting the network and computing host as a proxy for protecting data from unauthorized access. While this was a reasonable strategy at the dawn of network-based computing, given the state of the internet today with its security issues, this strategy is proving to be hopeless.
This paper advances the notion that the time has finally come to begin what we should have done initially -- protect the core of our computing infrastructure: the data -- in addition to protecting the network and computing host.
The paper describes an architecture - and a specific implementation of that architecture - to enable the encryption of data across the enterprise in a platform and application-independent manner. The architecture describes the use of a Public Key Infrastructure (PKI) and a Symmetric Key Management System (SKMS) within an Enterprise Key Management Infrastructure (EKMI), to securely - and centrally - manage the life-cycle of the symmetric encryption keys used for data encryption.
Citations: 5
OpenID identity discovery with XRI and XRDS
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373294
D. Reed, Les Chasen, William Tan
Abstract: The work examines the identity discovery problems that needed to be addressed by the OpenID 2.0 protocol in order to enable a user-centric Internet identity layer. The paper illustrates how the OASIS XRI and XRDS specifications were applied to help solve these identity discovery challenges. The work also considers interoperable identity discovery for other Internet identity frameworks such as SAML, Information Cards, and the Higgins Project, and recommends future work.
Citations: 26
Secure roaming with identity metasystems
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373297
L. Hoang, Pekka Laitinen, N. Asokan
Abstract: The notion of identity metasystem has been introduced as the means to ensure inter-operability among different identity systems while providing a consistent user experience. Current identity metasystems provide limited support for secure roaming: by "roaming" we refer to the ability of a user to use the same set of identities and credentials across different terminals. We argue that in order to support different types of roaming, the identity metasystem client should be structured as a set of distributable components. We describe such distributed client-side software architecture and how that architecture is implemented by adapting Novell's Bandit project. We use our implementation to demonstrate how credentials are stored in a trusted device in the form of a mobile phone but can be used on less trusted terminals in the form of PCs.
Citations: 12
Identity protection factor (IPF)
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373293
Arshad Noor
Abstract: Since the dawn of computing, operating systems and applications have used many schemes to identify and authenticate entities accessing resources within computers. While the technologies and schemes have varied, there appears to have been little attempt to classify them based on their ability to resist attacks from unauthorized entities.
With the proliferation of identity management technologies in the market today, it is becoming increasingly difficult to assess and compare them with each other. As the threat level continues to rise on the internet, and regulations governing information technology continue to grow, risk managers need more objective mechanisms to assign risk to their systems so they may apply appropriate mitigating controls.
This paper attempts to describe a classification scheme that will permit the comparison of seemingly different identification and authentication (I&A) technologies on the basis of their vulnerability to attacks. With a better understanding of related authentication technologies, companies can determine the appropriate technology to use for mitigating authentication risks.
Citations: 6
User-centric PKI
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373300
R. Perlman, C. Kaufman
Abstract: The goal of supporting Single Sign-On to the Web has proven elusive. A number of solutions have been proposed -- and some have even been deployed -- but the capability remains unavailable to most users and the solutions deployed raise concerns for both convenience and security. In this paper, we enumerate desirable attributes in a scheme for authenticating from an Internet browser to a web site and the authorization that follows. We categorize the currently deployed or advocated approaches, describing their benefits and issues, and we suggest incremental improvements to such schemes. We then outline a design for public-key based authentication particularly suited to what we believe to be the common case: users, acting on their own behalf (as opposed to as an employee of an organization), performing actions on the web such as making a purchase or maintaining an account at a service provider. We contrast the usability/privacy/security properties of our design with other identity management/authentication schemes deployed or being proposed today. Our design is truly user-centric, in the sense that the user acts as his own CA, and as a decision point for authorizing release of user information to web sites, rather than having an Identity Provider be the center of trust.
Citations: 11
A client-side CardSpace-Liberty integration architecture
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373292
Waleed A. Alrodhan, C. Mitchell
Abstract: Over the last few years, many identity management schemes, frameworks and system specifications have been proposed; however these various schemes and frameworks are typically not interoperable. In this paper we propose an approach to enable interoperation between two of the most prominent identity management schemes, namely the Liberty Alliance Project scheme (specifically the ID-FF LEC Profile) and the Microsoft CardSpace (formerly known as InfoCard) scheme. This integration should enhance interoperability by enabling users to make use of identity management systems even if the system participants are using different schemes. The main advantages and disadvantages of the proposed integration model are also investigated.
Citations: 7
Audit and backup procedures for hardware security modules
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373302
Tulio de Souza, J. E. Martina, Ricardo Felipe Custódio
Abstract: Hardware Security Modules (HSMs) are a useful tool to deploy public key infrastructure (PKI) and its applications. This paper presents necessary procedures and protocols to perform backup and audit in such devices when deployed in PKIs. These protocols were evaluated in an implementation of a real HSM, enabling it to perform secure backups and to provide an audit trail, two important considerations for a safe PKI operation. It also introduces a ceremony procedure to support the operation of such HSMs in a PKI environment.
Citations: 17
Security and privacy system architecture for an e-hospital environment
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373306
K. Garson, C. Adams
Abstract: Hospitals are now using electronic medical records and computer applications in order to provide more efficient and thorough care for their patients. The Mobile Emergency Triage system provides doctors with decision support for emergency care by pulling information from a patient's health record and a medical literature database. In order to achieve compliance with privacy legislations PIPEDA and PHIPA, security and privacy measures must be put in place. Encryption and access control are necessary for ensuring proper authorization and confidentiality for patient records. Strong authentication and audit logs are required to ensure access only by those allowed. We discuss differences in security technologies and detail the ones used in our MET system. A new encryption technology called policy-based encryption proves to be quite useful within a health care environment for providing both encryption and access control. We propose an extension to an existing scheme which allows for the use of this cryptography in a hospital setting.
Citations: 37
Public key superstructure "it's PKI Jim, but not as we know it!"
Symposium on Identity and Trust on the Internet. Pub Date: 2008-03-04. DOI: 10.1145/1373290.1373301
Stephen Wilson
Abstract: While PKI has had its difficulties (like most new technologies) the unique value of public key authentication in paperless transactions is now widely acknowledged. The naïve early vision of a single all-purpose identity system has given way to a more sophisticated landscape of multiple PKIs, used not for managing identity per se, but rather more subtle memberships, credentials and so on. It is well known that PKI's successes have mostly been in closed schemes. Until now, this fact was often regarded as a compromise; many held out hope that a bigger general purpose PKI would still eventuate. But I argue that the dominance of closed PKI over open is better understood as reflecting the reality of identity plurality, which independently is becoming the norm through the Laws of Identity and related frameworks.
This paper introduces the term "Public Key Superstructure" to describe a new way to knit together existing mature PKI components to improve the utility and practicality of digital certificates. The "superstructure" draws on useful precedents in the security printing industry for manufacturing specialized security goods without complicated or un-natural liabilities, and international accreditation arrangements for achieving cross-border recognition of certificates. The model rests on a crucial re-imagining of certificates as standing for relationships rather than identities. This elegant re-interpretation of otherwise standard elements could truly be a paradigm shift for PKI, for it grounds certificates in familiar, even mundane management processes. It will bring profound yet easily realized benefits for liability, cost, interoperability, scalability, accreditation, and governance.
Citations: 8