Christian Schridde
University of Marburg
Publication
Featured research published by Christian Schridde.
Future Generation Computer Systems | 2009
Matthew Smith; Matthias Schmidt; Niels Fallenbeck; Tim Dörnemann; Christian Schridde; Bernd Freisleben
In this paper, a novel approach for enabling Grid users to autonomously install and use custom software on demand using an image creation station is presented, while at the same time offering new security mechanisms to protect both software and data from other Grid users and external attackers. An automated dynamic firewalling mechanism enables both virtual organization and user-based network security setups. Furthermore, the Grid environment is partitioned into several zones to protect local cluster resources from compromised Grid middleware. To enable the secure integration of this Grid environment into existing business processes, an extension of BPEL is presented which allows the execution of GSI secured Grid services in combination with existing business web services. The workflow engine transparently handles proxy certificate creation and monitors proxy certificate lifetime. An implementation based on the Globus Toolkit 4, the Sun Grid Engine and the ActiveBPEL Engine is presented. A performance evaluation of the critical components of the new Grid setup is provided.
wireless communications, networking and information security | 2010
Christian Schridde; Tim Dörnemann; Ernst Juhnke; Bernd Freisleben; Matthew Smith
This paper presents a novel security infrastructure for deploying and using service-oriented Cloud applications securely without having to face the complexity associated with certificate management. The proposal is based on an identity-based cryptographic approach that offers an independent setup of security domains and does not require a trust hierarchy compared to other identity-based cryptographic systems. The service URLs can be used as public keys, such that creating a secure connection to a service is very simple. A comparison between traditional approaches and identity-based cryptography with respect to data transfer requirements is presented.
security and cryptography for networks | 2008
Christian Schridde; Matthew Smith; Bernd Freisleben
A new identity-based key agreement protocol designed to operate on the network layer is presented. Endpoint addresses, namely IP and MAC addresses, are used as public keys to authenticate the communication devices involved in a key agreement, which allows us to piggyback much of the security overhead for key management to the existing network infrastructure. The proposed approach offers solutions to some of the open problems of identity-based key agreement schemes when applied to the network layer, namely multi-domain key generation, key distribution, multi-domain public parameter distribution, inter-domain key agreement and network address translation traversal.
international conference on the theory and application of cryptology and information security | 2008
Christian Schridde; Bernd Freisleben
Most cryptographic protocols, in particular asymmetric protocols, are based on assumptions about the computational complexity of mathematical problems. The Φ-Hiding assumption is such an assumption. It states that if $p_1$ and $p_2$ are small primes exactly one of which divides $\varphi(N)$, where $N$ is a number whose factorization is unknown and $\varphi$ is Euler's totient function, then there is no polynomial-time algorithm to distinguish which of the primes $p_1$ and $p_2$ divides $\varphi(N)$ with a probability significantly greater than 1/2. In this paper, it will be shown that the Φ-Hiding assumption is not valid when applied to a modulus $N = PQ^{2e}$, where $P, Q > 2$ are primes, $e > 0$ is an integer and $P$ hides the prime in question. This indicates that cryptographic protocols using such moduli and relying on the Φ-Hiding assumption must be handled with care.
security of information and networks | 2009
Christian Schridde; Matthew Smith; Bernd Freisleben
In this paper, TrueIP--a system to prevent IP spoofing using identity-based cryptography--is presented. TrueIP is based on a new identity-based signature scheme to allow verification of an IP address without relying on a certificate or a public key infrastructure. It does not require changes or restrictions to the Internet routing protocol, is incrementally deployable, and offers protection from denial-of-service attacks based on IP spoofing. Implementation issues for practical deployment are discussed. Measurements of the TrueIP computation times for signature generation and verification are presented. Furthermore, the management overhead and bandwidth consumption to achieve proof of legitimate IP address possession and verification is compared with a standard Public Key Infrastructure approach using X.509 certificates signed by a Certificate Authority.
high performance distributed computing | 2008
Matthew Smith; Christian Schridde; Bernd Freisleben
The Grid computing paradigm is aimed at providing seamless access to different kinds of resources, such as compute clusters, data, special appliances and even people. Like most complex IT systems, Grid middleware systems exhibit a number of security problems, and there will always be attacks that are unknown and can circumvent even the best security measures and intrusion detection systems. This creates the requirement that Grid environments should be equipped with intrusion tolerance mechanisms as well as with the traditional intrusion prevention and intrusion detection mechanisms. In this paper, we present a new intrusion tolerance approach which improves the security of stateful WSRF Grid servers against stealth attacks. The proposal is based on a novel server rotation strategy utilizing paravirtualization to close attack windows for stateful service-oriented Grid headnode servers. A flexible plugin based rotation manager deals with the complex issue of stateful connections to the Grid server, and a database connector is utilized to detach service state from the rotating functional components of the Grid server. A prototypical implementation based on the Globus Toolkit 4 is presented.
Immunobiology | 2010
Peter Gronski; Christian Schridde; Horst-Dieter Försterling
Multidonor-derived (md) preparations of IgG antibodies, agents of therapeutic potential, contain molecules interacting at clonal concentrations (concns) and with affinities recently estimated to cover a considerable range. Here we demonstrate that polyreactivity of the monomeric molecules represents the essential driving force of formation of the main reaction product, the IgG-dimers. This conclusion is obtained by applying the principles of the law of mass action to dimer formation by polyreactive monomeric reactants. In addition, general interrelationships involving the mean number of reactants per reactor, the experimental dimer portion (w/w) and the mean concentrations of monomers in a polyreactive and monoreactive antibody system are derived. These interrelationships, together with quantitative results obtained from simplified computational kinetic models of polyreactive antibodies, allow the estimation of a remarkably high value for the mean number of reactants per reactor, exceeding 60 for the underlying IgG preparation obtained from pooled human plasma units of 5000 donors. Moreover, the potential origin and other consequences of polyreactivity are outlined.
information security and assurance | 2009
Matthew Smith; Christian Schridde; Björn Agel; Bernd Freisleben
In this paper, an identity-based key agreement system and its implementation for mobile telephony in GSM and UMTS networks is presented. The use of telephone numbers as public keys allows the system to piggyback much of the security overhead for key management to the existing GSM or UMTS infrastructure. The proposed approach offers solutions to the problems of multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement. The feasibility of the approach is illustrated by presenting experimental results based on a Symbian implementation running on N95-1 and N82-1 Nokia smartphones.
The Journal of Supercomputing | 2011
Matthew Smith; Christian Schridde; Björn Agel; Bernd Freisleben
In this paper, an identity-based key agreement protocol for securing mobile telephony in GSM and UMTS networks is presented. The approach allows two mobile phones to perform a session key agreement over an unsecured channel and between different providers using telephone numbers as public keys. Using the created session key, a symmetric encryption of all call data can be performed. Solutions to the problems of multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement are presented. Furthermore, the proposed approach can be speeded up using server-aided cryptography, by outsourcing computationally expensive cryptographic operations to a high-performance backend computing server. The feasibility of the approach is illustrated by presenting experimental results based on a Symbian implementation running on N95-1 and N82-1 Nokia smartphones.
advanced information networking and applications | 2009
Matthew Smith; Christian Schridde; Björn Agel; Bernd Freisleben
In this paper, an identity-based key agreement system for mobile telephony in GSM and UMTS networks is presented. The use of telephone numbers as public keys allows the system to piggyback much of the security overhead for key management to the existing GSM or UMTS infrastructure. The proposed approach offers solutions to the problems of multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement.