Integrated Security Services for
Dynamic Coalition Management
(DARPA/ITO IA&S BAA 99 - 33)
University of Maryland, College Park




People     Objective     Approach     Prototype     Acomplishments     Future Plans     Contact




People
Principal Investigator: Virgil Gligor  (e-mail)
Co-Principal Investigator:   John S. Baras  (e-mail)


Research Scientists: 
Himanshu Khurana  (e-mail)
Serban Gavrila  (e-mail)


Graduate Students: 
Vijay G. Bharadwaj  (e-mail)
Rakesh Bobba  (e-mail)
Emilian Dinu  (e-mail)
Laurent Eschenauer  (e-mail)
Omer Horvitz  (e-mail)
Radostina Koleva  (e-mail)
Anuja Sonalker  (e-mail)
Gelareh Taban (e-mail)
Hong Zhao


Undergraduate Students:
Aurelie Gatelet



Objective
The objective of this project is to enable the creation and management of coalitions with diverse and rapidly changing membership, dynamically. Specifically, the project aims at providing solutions to fundamental problems of integrating diverse access control policies, public-key infrastructures (PKIs) and secure group-communication techniques for dynamic coalitions. Currently, the project objective is unattainable because of (1) inability to represent, negotiate, and enforce a consistent security policy across multiple organizations, system platforms, and public-key infrastructures, (2) lack of secure group-communication services, products, and policies to enable large-scale management of group access rights within tight time constraints, and (3) absence of visual tools for definition and management of security policies.

Quad Chart


Approach
The project is based on the following five basic ideas: (1) the integration of a common access control policies, PKIs, and group-communication technologies is mandated by the dynamic coalitions; (2) the representation of a common security policy is mandated by the requirement for dynamic policy negotiation, and, in its turn, requires the definition of policy properties and property dependencies, (3) the effective management of a security policy is mandated by the visualization of the common policy representation; (4) the scalable group-key generation, distribution, revocation, which survives denial-of-service attacks caused by dynamic re-keying, is mandated by the requirement of frequent group-membership changes; and (5) the extension of PKIs with certificate revocation and review policies (not just mechanisms) is mandated by policy integration. We conduct the project in three phases, namely the analysis, design, and implementation of servers for access control policies, secure group communication, and certificate management in PKIs. In each phase, we investigate the implications of the five basic ideas in the context of practical systems and applications.


FY-2003 Prototype Development Efforts:
We have developed a prototype of tools for coalition infrastructure services, which includes joint policy administration services, certificate services, and group communication services. The joint administration services include a coalition authority, and signature servers for signing attribute certificates with shared private keys. The coalition authority comprises an access certificate authority that distributes attribute certificates and whose private key is shared among the coalition domains, and a role based access control module to manage coalition resource access policies at the coalition web server that manages the jointly owned applications. Secure group communication services include group key generation and management built on reliable multicast communication. These tools support the join, voluntary departure and involuntary departure of a member domain. Using collusion-based techniques, a majority of the domains can exclude a particular member domain and revoke the departing domain's access to coalition resources. We also support large-scale revocation of attribute certificates to affect the domain's departure via an intuitive graphical interface. We demonstrated these tools at the DARPA PI meeting in San Antonio, TX in January 2003, at the DARPA DISCEX III conference in April 2003, and at the DARPA PI meeting in Honolulu, Hawaii in July 2003.


FY-2003 Accomplishments:

* Stage IV prototype of the Coalition Infrastructure was presented at the DARPA-DC PI meeting in San Antonio, TX in January 2003.
- Power Point Presentation  by H. Khurana and V. Baradwaj at Joint Principal Investigator Meeting, San Antonio, TX, January 2003.

- Poster presentation at Joint Principal Investigator Meeting, San Antonio, TX, January 2003.

* Vijay G. Bharadwaj and John S. Baras, "A Framework for Automated Negotiation of Access Control Policies" Published in the Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), 2003.

* Himanshu Khurana, Serban Gavrila, Rakeshbabu Bobba, Radostina Koleva, Anuja Sonalker, Emilian Dinu, Virgil Gligor and John S. Baras, "Integrated Security Services for Dynamic Coalitions " Proc. of the third DARPA Information Survivability Conference and Exposition, Washington D.C., April 2003.

- Poster presentation at DISCEX III, Washington, DC, April 2003.

* Vijay G. Bharadwaj and John S. Baras, "Towards Automated Negotiation of Access Control Policies" Presented at the Fourth International Workshop on Policies for Distributed Systems and Networks (POLICY 2003), Lake Como, Italy, June 2003.

* Vijay G. Bharadwaj and John S. Baras, "Dynamic Adaptation of Access Control Policies" To be presented at Military Communications Conference (MILCOM 2003), Boston, October 2003.

* Stage V prototype of the Coalition Infrastructure was presented at the DARPA-DC PI meeting in Honolulu, HI, July 2003.
- Power Point Presentation  by H. Khurana at Joint Principal Investigator Meeting, Honolulu, HI, July 2003.

- Poster presentation at Joint Principal Investigator Meeting, Honolulu, HI, July 2003.




FY-2002 Accomplishments:
* H. Khurana, V. Gligor and J. Linn " Reasoning about Joint Administration of Access Policies for Coalition Resources" appeared in the International Conference on Distributed Computing Systems, Vienna, Austria, July 2002.

- Power Point Presentation  by V.D. Gligor  at Conference on Distributed Computing Systems, Vienna, Austria , July 2002.

* Stage II prototype of the Negotiation Module was presented at the DARPA-DC PI meeting in San Diego, CA in January 2002
- Power Point Presentation  by V.D. Gligor and J. Baras at Joint Principal Investigator Meeting, San Diego, CA, January, 2002.

- Poster presentation at Joint Principal Investigator Meeting, San Diego, CA, January 2002.

* Stage III prototype  for  Joint Administration of Access Policies in dynamic coalitions.

- Power Point Presentation  by H. Hkurana and V. Baradwaj at Joint Principal Investigator Meeting, Newport, RI, July 2002.

- Poster presentation at Joint Principal Investigator Meeting, Newport, R, July 2002.




FY-2001 Accomplishments:
* Virgil Gligor presented a paper, co-authored with Himanshu Khurana, Radostina Koleva, Vijay Bharadwaj, and John Baras, titled "On the Negotiation of Access Control Policies", Proc. of the Security Protocols Workshop, Cambridge, UK, April 2001. To appear in Lecture Notes in Computer Science, Springer-Verlag, 2002.


* Virgil Gligor presented a paper, co-authored with Himanshu Khurana, titled "Enforcement of Certificate Dependencies in ad-hoc Networks" at the IEEE International Conference on Telecommunications, Bucharest, Romania, June 2001. 


* The paper "Information Theoretic Approach for Design and Analysis of Rooted-Tree Based Multicast Key Management Schemes," (R. Poovendran and J. Baras) appeared in the IEEE Transactions on Information Theory.


* Stage I prototype of the Negotiation Module was presented at the DARPA-DC PI meeting in Colorado Springs, CO, July 2001.

- Power Point Presentation  by V.D. Gligor and J. Baras at Joint Principal Investigator Meeting, Colorado Springs, Colorado, July 2001.

- Poster presentation at Joint Principal Investigator Meeting, Colorado Springs, Colorado, July 2001.



Future Plans

- finish the implementation of the Negotiation Module

- write a technical paper on the tools and technologies necessary for the support of coalition dynamics



FY-2003 Technology Transition
Continue to disseminate research findings via conference, workshop, and symposia presentations and to collaborate with our peers in the industry, government, and academia.



For further information about this project, please contact
Principal Investigator:  Virgil D. Gligor
Professor Electrical and Computer Engineering Department
University of Maryland, College Park, Maryland 20742
Tel. (301) 405-3647
Fax. (301) 657-9021
(e-mail)
http://www.glue.umd.edu/~gligor/




Last Update 7 August 2003 by  Radost

Department of Electrical and Computer Engineering
A.V. Williams Building
University of Maryland
College Park, MD 20742