Edward Ball

Role-based access control with X.509 attribute certificates

We adapted the standard X.509 privilege management infrastructure to build an efficient role-based trust management system in which role assignments can be widely distributed among organizations, and an XML-based local policy determines which roles to trust and which privileges to grant. A simple Java API lets target applications easily incorporate the system. The Permis API has already proven its general utility in four very different applications throughout Europe.

Patient privacy in electronic prescription transfer

In paper-based prescribing in the United Kingdoms National Health Service (NHS), patients are responsible for protecting the privacy of their prescription information while it is in transit from the prescriber to the dispenser. The UK government has introduced a plan for future NHS reform that includes a change from paper-based prescribing to a national electronic transfer of prescriptions (ETP) system. This brings with it concerns for patient data privacy and questions about the burden of trust placed on professionals in the ETP system. As recently seen in the Emilio Calatayud case in the United States, systems that contain an aggregation of identifiable personal information can be abused. A similar case could result from malpractice in an ETP system. We have developed and implemented an ETP system for the UK NHS. We present our system for protecting the privacy of patient data, describe how we implemented it in Java, and discuss how others can use our system for other applications both inside and outside the healthcare sector.

Multiprocessor architectures for high-speed LAN Data Link layer

Abstract This paper describes an implementation of LLC on an array of transputer processing nodes which permits the protocols to operate at close to the maximum theoretical speed of the Ethernet medium.

Traffic analyser and generator. Part 2: traffic capture, generation, statistics and network integrity tests program in C

Abstract A traffic analysis program, written in the C language, is presented. The program makes full use of the underlying hardware and kernel to perform network traffic capture with fully programmable filtering and traffic generation where user-programmed packets can be arbitrarily transmitted. Packet parameters are displayed and statistics compiled on either pre-stored data or in real time, at maximum network speeds. A set of integrity tests can be performed on the network to establish correct operation and enable fast fault-finding and debugging. Real-life screen extracts are included and hints given on how to locate cable faults, deal with faulty stations and tree network configurations, perform station connectivity tests, simulate heavy traffic conditions and calculate the used and available network bandwidth.

Knowledge Issues Raised in Modelling Trust in a Public Key Infrastructure

The paper describes a knowledge-based system for modelling trust in the certification authority (CA) of a public key infrastructure. It was built using a graphical knowledge-based system toolkit, Istar, that allows the knowledge builder to easily model the important relationships between concepts of the domain. The knowledge base was initially built using published work and was subsequently extended by knowledge obtained from leading public key infrastructure experts. The first prototype system computes the trust in a CA by asking the user a series of questions about the CAs Certification Practice Statement. Examples of its use with two well-known public CAs is discussed. An important issue raised and discussed in this paper is how to map symbols in the knowledge base to the knowledge level of human trust and beliefs, for such an ill-defined area of knowledge as trust, and four main mappings have been identified. Another issue that emerged relates to the use of questionnaires during knowledge acquisition. The expert system is currently available online via the Istar knowledge server, and future work is discussed.

A content addressable memory for data communications

Abstract The paper describes a form of content addressable memory based on a dynamically configured state machine. This device has particular application to serial data systems, such as local area networks. The system described provides a cost-effective solution to the problem of address recognition in packet based network technologies such as Ethernet, and has applications in network bridges, routers and ATM switching nodes. A particular feature is that address matching can be performed on the serial data stream with no additional time overhead.

Modifying LDAP to Support PKI

One of the impediments to a successful roll out of public key infrastructures (PKIs), is that Lightweight Directory Access Protocol (LDAP) directories do not fully support PKIs. In particular, it is not possible to search for X.509 attributes (certificates or CRLs) that match user defined criteria. This paper describes the various approaches that have been suggested for enabling users to search for X.509 attributes, namely component matching and attribute extraction. The implementation of attribute extraction in the OpenLDAP product is then described.

Traffic analyser and generator: Part 1: high-speed traffic capture for IEEE 802.3/Ethernet networks

Abstract A three-card rack system is presented that is designed to form the hardware basis for a fast and sophisticated traffic analyser and generator. The system features an efficient 16-bit main processor to handle protocol implementation and data analysis, considerable memory space to allow temporary packet or long-term statistical data storage and a network coprocessor to perform the Ethernet link and medium access management; this processor is capable of packet capture and traffic generation at maximum network speeds. A custom designed software kernel, equipped with a C language interface, provides a comprehensive set of low-level functions such as system self tests, file transfer and file protocol translation, hardware and network link initialization and packet buffer allocation.