EPSRC Reference: |
EP/D051878/1 |
Title: |
Novel Security Architectures and Policy Manangement Techniques for e-Science |
Principal Investigator: |
Paterson, Professor KG |
Other Investigators: |
|
Researcher Co-Investigators: |
|
Project Partners: |
|
Department: |
Mathematics |
Organisation: |
Royal Holloway, Univ of London |
Scheme: |
Standard Research (Pre-FEC) |
Starts: |
01 February 2006 |
Ends: |
31 January 2008 |
Value (£): |
110,491
|
EPSRC Research Topic Classifications: |
Networks & Distributed Systems |
Software Engineering |
|
EPSRC Industrial Sector Classifications: |
No relevance to Underpinning Sectors |
|
|
Related Grants: |
|
Panel History: |
|
Summary on Grant Application Form |
Security considerations are particularly important in collaborativecomputing ventures that incorporate multiple organisations andrequire interoperation between different trust domains. Thesecurity mechanisms in such ventures, including the UK e-Scienceproject, rely on establishing the authenticity of public keys, whichis generally performed using a public key infrastructure (PKI).Nevertheless, it is fair to say that few PKIs have been anunqualified success, and those that have typically operate within asingle organisation or a tightly coupled consortium with strongpre-existing trust relationships between the partners. Many of theseproblems are related to the maintenance and revocation of public keycertificates, which attest to a binding between an identity and apublic key.Large, loosely coupled virtual organisations comprising manyorganisations, typically co-ordinated using grid technology, arebecoming increasingly commonplace and important within thescientific community, and are expected to become increasinglyimportant to industry. The Globus Toolkit, the de facto standard forbuilding grids, relies on the existence of a PKI for the provisionof security services. Moreover, web services security services arebased on PKI technology. In short, it seems that many current andfuture computing services will rely on PKI, despite the flawsinherent in such technology.The primary aim of this project is to demonstrate that there arecompelling alternatives to PKI for providing the basis of securityservices in a distributed computing environment. In particular,identity-based public key cryptography (ID-PKC) and certificate-lesspublic key cryptography (CL-PKC), two recent developments incryptography, support public key cryptography without the use ofcertificates.We will begin by refining our existing work on the use ofidentity-based public key cryptography (ID-PKC) in grids, developingnew cryptographic schemes to further improve the performance ofproxying, and to support secure, remote credential storage. ID-PKCrelies on a trusted authority that has knowledge of every privatekey, a characteristic usually known as key escrow which mightinhibit the use of ID-PKC in commercial grid computing. The use ofCL-PKC eliminates key escrow. In our second area of research,therefore, we will develop a grid security architecture based onCL-PKC, and compare it to the standard PKI approach and ouridentity-based approaches.Our next theme will be to examine how identity-based andcertificateless systems can support enforcement of policies forfine-grained access control and authorization in grids. This workwill exploit the novel property of these systems that public keys,being derived from arbitrary strings, can directly express complexpolicies, while the possession of a matching private key can be usedto demonstrate that a given policy is satisfied. In our work, wewill consider the use of this technique both to provide a mechanismto transport confidentiality constraints with data and to develop alightweight, flexible authentication and authorization mechanism.Our final piece of work reflects the trend towards increasingintegration of grid technology with web services. Our objective isto investigate the application of ID-PKC and CL-PKC to web servicessecurity, and to study how the resulting protocols and schemas canbe applied in grids. We will focus on developing new versions of XMLEncryption, XML Signature and WS-SecureConversation supporting thesenew forms of cryptography. We will define key management servicessuited to ID-PKC and CL-PKC architectures which parallel thosespecified by XKMS for standard PKI. Our belief is that the use ofID-PKC/CL-PKC has the potential to make these XKMS-like servicessimpler and more lightweight, with potential for removing the needfor certain XKMS services altogether and simplifying others.
|
Key Findings |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
Potential use in non-academic contexts |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
Impacts |
Description |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk |
Summary |
|
Date Materialised |
|
|
Sectors submitted by the Researcher |
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
|
Project URL: |
|
Further Information: |
|
Organisation Website: |
|