Publication


Featured research published by Bogdan C. Popescu.


international workshop on security | 2004

Safe and private data sharing with turtle: friends team-up and beat the system

Bogdan C. Popescu; Bruno Crispo; Andrew S. Tanenbaum

In this paper we describe Turtle, a peer-to-peer architecture for safe sharing of sensitive data. The truly revolutionary aspect of Turtle rests in its novel way of dealing with trust issues: while existing peer-to-peer architectures with similar aims attempt to build trust relationships on top of the basic, trust-agnostic, peer-to-peer overlay, Turtle takes the opposite approach, and builds its overlay on top of pre-existent trust relationships among its users. This allows both data sender and receiver anonymity, while also protecting each and every intermediate relay in the data query path. Furthermore, its unique trust model allows Turtle to withstand most of the denial of service attacks that plague other peer-to-peer data sharing networks.


congress on evolutionary computation | 2005

Enabling DRM-preserving digital content redistribution

Srijith Krishnan Nair; Bogdan C. Popescu; Chandana Gamage; Bruno Crispo; Andrew S. Tanenbaum

Traditionally, the process of online digital content distribution has involved a limited number of centralised distributors selling protected contents and licenses authorising the use of these contents, to consumers. In this paper, we extend this model by introducing a security scheme that enables DRM preserving digital content redistribution. Essentially consumers can not only buy the rights to use digital content but also the rights to redistribute it to other consumers in a DRM controlled fashion. We examine the threats associated with such a redistribution model and explain how our scheme addresses them.


annual computer security applications conference | 2002

A security architecture for object-based distributed systems

Bogdan C. Popescu; M.R. van Steen; Andrew S. Tanenbaum

Large-scale distributed systems present numerous security problems not present in local systems. We present a general security architecture for a large-scale object-based distributed system. Its main features include ways for servers to authenticate clients, clients to authenticate servers, new secure servers to be instantiated without manual intervention, and ways to restrict which client can perform which operation on which object. All of these features are done in a platform- and application-independent way, so the results are quite general. The basic idea behind the scheme is to have each object owner issue cryptographically sealed certificates to users to prove which operations they may request and to servers to prove which operations they are authorized to execute. These certificates are used to ensure secure binding and secure method invocation. The paper discusses the required certificates and security protocols for using them.


international symposium on computers and communications | 2003

A certificate revocation scheme for a large-scale highly replicated distributed system

Bogdan C. Popescu; Bruno Crispo; Andrew S. Tanenbaum

A common way to protect objects in distributed systems is to issue authorization certificates to users, which they present to gain access. In some situations a way is needed to revoke existing certificates. Current methods, such as having a master revocation list, have been designed to work efficiently with identity certificates, and to not take into account the delegation of certificate-issuing rights required when implementing complex administrative hierarchies for large distributed applications. In this paper we present a novel mechanism for revoking authorization certificates based on clustering users and servers, and present arguments showing that it is more efficient than other methods. We also discuss a way for probabilistically auditing the use of the revocation mechanism proposed to reduce the chances of any component behaving maliciously.


new security paradigms workshop | 2004

Support for multi-level security policies in DRM architectures

Bogdan C. Popescu; Bruno Crispo; Andrew S. Tanenbaum

Digital rights management systems allow copyrighted content to be commercialized in digital format without the risk of revenue loss due to piracy. Making such systems secure is no easy task, given that content needs to be protected while accessed through electronic devices in the hands of potentially malicious end-users; in this context, intrusion tolerance becomes a very useful system property. In this paper we point out a limitation shared by all current DRM architectures, namely their weakness in reacting to possible device compromise and confining the damage caused by such a compromise. As a solution, we propose a paradigm shift - moving from the original DRM system model where all devices are equally trustworthy and have discretionary control over all protected content, to a new model where information flow is controlled through a multi-level security policy that differentiates between devices based on their tamper-resistance properties. We show that besides improved intrusion-tolerance, supporting such policies has other advantages, such as the ability to define more flexible business models for supplying content. We also show that for a given DRM architecture, the type of authentication protocol used when accepting new devices in the system has a big impact on how well multi-level security policies can be supported, and that a number of protocols currently being considered are not very well suited for this job.


australasian conference on information security and privacy | 2004

Symmetric Key Authentication Services Revisited

Bruno Crispo; Bogdan C. Popescu; Andrew S. Tanenbaum

Most of the symmetric key authentication schemes deployed today are based on principles introduced by Needham and Schroeder [15] more than twenty years ago. However, since then, the computing environment has evolved from a LAN-based client-server world to include new paradigms, including wide area networks, peer-to-peer networks, mobile ad-hoc networks and ubiquitous computing. Also, there are new threats, including viruses, worms and denial of service attacks.


international parallel and distributed processing symposium | 2005

Securely replicated Web documents

Bogdan C. Popescu; M.R. van Steen; Bruno Crispo; Andrew S. Tanenbaum; Jan Sacha; I. Kuz

In order to achieve better scalability and reduce latency in handling user requests, many Web applications make extensive use of data replication through caches and content delivery networks. However, in such scenarios data is often placed on untrusted hosts. As a result, existing replication mechanisms open a wide class of vulnerabilities, ranging from denial of service to content masquerading. In this paper we present an architecture that combines data content, replication strategies and security in one unified object model and offers integrity guarantees for Web documents replicated on non-secure servers.


Computer Networks | 2007

Design and implementation of a secure wide-area object middleware

Bogdan C. Popescu; Bruno Crispo; Andrew S. Tanenbaum; Arno Bakker

Wide-area service replication is becoming increasingly common, with the emergence of new operational models such as content delivery networks and computational grids. This paper describes the security architecture for Globe, an object-based middleware specifically designed to support dynamic replication of services over wide-area networks. Replication introduces a series of new security issues, including the need to restrict replica privileges with respect to method execution, and protection of distributed objects against malicious hosts running instances of their code. Our modular security design addresses these new threats, as well as a broad range of traditional ones, and is validated through a series of performance measurements. Additional contributions include a novel authentication mechanism specifically designed for wide-area deployment, which combines some of the best features of public key authentication protocols (reliance on an offline trusted third party in particular) with the computational efficiency characteristic to symmetric key schemes.


international workshop on security | 2004

Safe and private data sharing with turtle: friends team-up and beat the system (transcript of discussion)

Bogdan C. Popescu

Today I will talk about a project which aims at designing a peer-to-peer network for safe and private data sharing. The motivation for this work is a development that threatens to shut down peer-to-peer file sharing networks, and that’s a recent tactic by the recording industry to take legal action against peer-to-peer type networks. So first I want to talk about the peer-to-peer file sharing phenomenon: in general, its origin, some of the positive social aspects of such a thing, and the tactical attacks that a peer-to-peer network is subject to. I will then focus on a specific attack that motivates our work, namely illegal users being sued, and discuss possible defences. Our solution, which we call Turtle because as you will see, it is slow but safe, cannot reach the performance of general existing file sharing networks, but at the same time we think it does a good job in protecting users against legal harassment.


international workshop on security | 2003

Enforcing security policies for distributed objects applications

Bogdan C. Popescu; Bruno Crispo; Andrew S. Tanenbaum; Maas Zeeman

In this paper we present the design and the implementation of a policy engine for enforcing security policies for distributed applications. Such policies, represented by using the RBAC model, include both how the distributed, shared and replicated objects are used, by means of role certificates, and how these roles are managed by means of administrative roles. The policy engine can enforce not only privileges to invoke methods with particular parameters and under specific conditions but also the permissions to execute such methods. The engine is offered as a middleware service such that application developers can concentrate on specifying the security policies for their applications and they are released from the burden of implementing the mechanisms for the actual enforcement of such policies.

Collaboration


Top Co-Authors

Bruce Christianson | University of Hertfordshire

Matt Blaze | University of Pennsylvania

I. Kuz | Delft University of Technology

Maas Zeeman | VU University Amsterdam