Abdelilah Essiari

Certificate-based authorization policy in a PKI environment

The major emphasis of public key infrastructure has been to provide a cryptographically secure means of authenticating identities. However, procedures for authorizing the holders of these identities to perform specific actions still need additional research and development. While there are a number of proposed standards for authorization structures and protocols such as KeyNote, SPKI, and SAML based on X.509 or other key-based identities, none have been widely adopted. As part of an effort to use X.509 identities to provide authorization in highly distributed environments, we have developed and deployed an authorization service based on X.509 identified users and access policy contained in certificates signed by X.509 identified stakeholders. The major goal of this system, called Akenti, is to produce a usable authorization system for an environment consisting of distributed resources used by geographically and administratively distributed users. Akenti assumes communication between users and resources over a secure protocol such as transport layer security (TLS) to provide mutual authentication with X.509 certificates. This paper explains the authorization model and policy language used by Akenti, and how we have implemented an Apache authorization module to provide Akenti authorization.

Mutual authentication and group key agreement for low-power mobile devices

Wireless networking has the power to fit the Internet with wings, however, it will not take off until the security technological hurdles have been overcome. In this paper we propose a very efficient and provably secure group key agreement well suited for unbalanced networks consisting of devices with strict power consumption restrictions and wireless gateways with less stringent restrictions. Our method meets practicability, simplicity, and strong notions of security.

PKI-based security for peer-to-peer information sharing

Freeflow of information is the feature that has made peer-to-peer information sharing applications popular. However, this very feature holds back the acceptance of these applications by the corporate and scientific communities. In these communities it is important to provide confidentiality and integrity of communication and to enforce access control to shared resources. We present a collection of security mechanisms that can be used to satisfy these security requirements. Our solutions are based on established and proven security techniques and we utilize existing technologies when possible. As a proof of concept, we have developed an information sharing system, called scishare, which integrates a number of these security mechanisms to provide a secure environment for information sharing. This system will allow a broader set of user communities to benefit from peer-to-peer information sharing.

MUTUAL AUTHENTICATION AND GROUP KEY AGREEMENT FOR LOW-POWER MOBILE DEVICES

A latch mechanism comprising a latch plate spring biased to a central position by a coil spring located in an opening in the plate. Ends of the spring are held against two stationary pins which extend through arcuate slots to guide the plate.

Workflow management for real-time analysis of lightsource experiments

The Advanced lightsource (ALS) is a X-ray synchrotron facility at Lawrence Berkeley National Laboratory. The ALS generates terabytes of raw and derived data each day and serves 1,000s of researchers each year. Only a subset of the data is analyzed due to barriers in terms of processing that small science teams are ill-equipped to surmount. In this paper, we discuss the development and application of a computational framework, termed SPOT, fed with synchrotron data, powered by storage, networking and compute resources at NERSC and ESnet. We describe issues and recommendations for an end-to-end analysis workflow for ALS data. After one year of operation, the collection contains over 90,000 datasets (550 TB) from 85 users across three beamlines. For 16 months, beamline data taken has been promptly and automatically analyzed and annotated with metadata, allowing users to focus on analysis, conclusions and experiments.

High performance data management and analysis for tomography

The Advanced Light Source (ALS) is a third-generation synchrotron X-ray source that operates as a user facility with more than 40 beamlines hosting over 2000 users per year from around the world. Users of the Hard X-ray Micro-Tomography Beamline (8.3.2) often collect more than 1 Terabyte of raw data per day that in turn generates additional Terabytes of processed data. The data rate continues to increase rapidly due to faster detectors and new sample automation capabilities. We will present the development and deployment of a computational pipeline, fed by data from the ALS, and powered by the storage, networking, and computing resources of the local National Energy Research Scientific Computing Center (NERSC) and the Energy Sciences Network (ESNET). After one year of operation, the system contained 70,000 datasets and 350 TB of data from 85 users. All datasets now collected at the Hard X-ray Tomography Beamline are automatically reconstructed using parameters set by users and/or that are automatically detected from the data acquisition control system. Results are presented to users for visualization through a secure web portal. Users can then download their data or launch a (currently limited but) growing number of operations based on the data-such as filtering, segmentation, and simulation. The massive computational resources of NERSC are thus made available on a level that is easily accessible to the full range of micro-tomography users.

Peer-to-peer I/O (P2PIO) protocol specification Version 0.6

Todays distributed systems require simple and powerful resource discovery queries in a dynamic environment consisting of a large number of resources spanning many autonomous administrative domains. The distributed search problem is hard due to the variety of query types, the number of resources and their autonomous, partitioned and dynamic nature. We propose a generalized resource discovery framework that is built around an application level messaging protocol called Peer-to-Peer I/O (P2PIO). P2PIO addresses a number of scalability problems in a general way. It provides flexible and uniform transport-independent resource discovery mechanisms to reduce both the client and network burden in multi-hop P2P systems.