Vijay Varadharajan

Review: Wireless sensor network key management survey and taxonomy

Wireless sensor networks (WSN) are mobile ad hoc networks in which sensors have limited resources and communication capabilities. Secure communications in some wireless sensor networks are critical. Key management is the fundamental security mechanism in wireless sensor network. Many key management schemes have been developed in recent years. In this paper, we present wireless sensor network key management survey and taxonomy. We classify proposed wireless sensor network key management schemes into three categories based on the encryption key mechanism. We then divide each category into several subcategories based on key pre-distribution and key establishment.

Achieving Secure Role-Based Access Control on Encrypted Data in Cloud Storage

With the rapid developments occurring in cloud computing and services, there has been a growing trend to use the cloud for large-scale data storage. This has raised the important security issue of how to control and prevent unauthorized access to data stored in the cloud. One well known access control model is the role-based access control (RBAC), which provides flexible controls and management by having two mappings, users to roles and roles to privileges on data objects. In this paper, we propose a role-based encryption (RBE) scheme that integrates the cryptographic techniques with RBAC. Our RBE scheme allows RBAC policies to be enforced for the encrypted data stored in public clouds. Based on the proposed scheme, we present a secure RBE-based hybrid cloud storage architecture that allows an organization to store data securely in a public cloud, while maintaining the sensitive information related to the organizations structure in a private cloud. We describe a practical implementation of the proposed RBE-based architecture and discuss the performance results. We demonstrate that users only need to keep a single key for decryption, and system operations are efficient regardless of the complexity of the role hierarchy and user membership in the system.

An analysis of the proxy problem in distributed systems

The authors look at the problem of delegation of rights or proxy in distributed object systems. Two signature-based schemes for achieving delegation which require different inter-object trust assumptions are presented. These schemes have been instantiated using public key and secret key based cryptographic techniques. Additional trust implications which arise from these implementations are also considered. Then the authors consider the issue of revocation of delegations and propose several ways of achieving this. These solutions have been compared with the mechanism found in the Distributed System Security Architecture (M. Gasser et al., 1990). Finally, the authors consider the Kerberos authentication system (J. Steiner et al., 1988) and propose extensions to implement the delegation scheme.<<ETX>>

Enhancing grid security with trust management

Recently, trust has been recognized as an important factor for grid computing security. We develop a trust management architecture for trust enhanced grid security incorporating a novel trust model which is capable of capturing various types of trust relationships that exist in a grid system and providing mechanisms for trust evaluation, recommendations and update for trust decisions. The outcomes of the trust decisions can then be employed by the grid security system to formulate trust enhanced security solutions. We design several algorithms to demonstrate how one can derive the trust enhanced security solutions for both user and resource provider protection with the proposed trust management architecture. Leveraging on trust knowledge and forming it as part of the security decisions, the proposed architecture possesses several desirable emerging properties that enable it to provide an improved level of security for grid computing systems.

TrustLite: a security architecture for tiny embedded devices

Embedded systems are increasingly pervasive, interdependent and in many cases critical to our every day life and safety. Tiny devices that cannot afford sophisticated hardware security mechanisms are embedded in complex control infrastructures, medical support systems and entertainment products [51]. As such devices are increasingly subject to attacks, new hardware protection mechanisms are needed to provide the required resilience and dependency at low cost. In this work, we present the TrustLite security architecture for flexible, hardware-enforced isolation of software modules. We describe mechanisms for secure exception handling and communication between protected modules, enabling seamless interoperability with untrusted operating systems and tasks. TrustLite scales from providing a simple protected firmware runtime to advanced functionality such as attestation and trusted execution of userspace tasks. Our FPGA prototype shows that these capabilities are achievable even on low-cost embedded systems.

Information and Communication Security

Cryptography is a fundamental security technology. It is used in applications ranging from authentication and digital signatures to protecting the privacy and integrity of emails and other forms of interactions. Besides a technology, cryptography has become a topic for front page news. Governments around the world are debating and passing laws concerning the export and (sometimes) the use of cryptography. This talk will discuss the current international scene for cryptography technology. We will discuss today’s situation with regards to cryptography export as well as future trends. We will also discuss some new technologies that may provide solutions for manufacturers and software developers while complying with international regulations. V. Varadharajan and Y. Mu (Eds.): ICICS’99, LNCS 1726, p. 1, 1999. c

Anonymous secure e-voting over a network

We propose two new anonymous secure electronic voting schemes that protect the privacy of the voters and prevent double voting. These schemes do not require any special voting channel and the communications can occur entirely over existing networks such as the Internet. The proposed schemes are based on the ElGamal digital signature algorithm and can be applied to elections in a variety of situations ranging from an election in a small organization to a country.

Security as a Service Model for Cloud Environment

Cloud computing is becoming increasingly important for provision of services and storage of data in the Internet. However there are several significant challenges in securing cloud infrastructures from different types of attacks. The focus of this paper is on the security services that a cloud provider can offer as part of its infrastructure to its customers (tenants) to counteract these attacks. Our main contribution is a security architecture that provides a flexible security as a service model that a cloud provider can offer to its tenants and customers of its tenants. Our security as a service model while offering a baseline security to the provider to protect its own cloud infrastructure also provides flexibility to tenants to have additional security functionalities that suit their security requirements. The paper describes the design of the security architecture and discusses how different types of attacks are counteracted by the proposed architecture. We have implemented the security architecture and the paper discusses analysis and performance evaluation results.

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud

In recent times, there has been increasing interest in storing data securely in the cloud environment. To provide owners of data stored in the cloud with flexible control over access to their data by other users, we propose a role-based encryption (RBE) scheme for secure cloud storage. Our scheme allows the owner of data to store it in an encrypted form in the cloud and to grant access to that data for users with specific roles. The scheme specifies a set of roles to which the users are assigned, with each role having a set of permissions. The data owner can encrypt the data and store it in the cloud in such a way that only users with specific roles can decrypt the data. Anyone else, including the cloud providers themselves, will not be able to decrypt the data. We describe such an RBE scheme using a broadcast encryption algorithm. The paper describes the security analysis of the proposed scheme and gives proofs showing that the proposed scheme is secure against attacks. We also analyse the efficiency and performance of our scheme and show that it has superior characteristics compared with other previously published schemes.

Security for cluster based ad hoc networks

A mobile ad hoc network is a short-lived cooperative collection of mobile nodes that communicate with each other without the services of a fixed infrastructure. Each host acts as a specialised router to relay information to other nodes. Near-Term Digital Radio (NTDR) networks, which follow the cluster based design principles, are designed specifically for use in ad hoc networks. A major challenge in the design of these networks is their vulnerability to security attacks. In this paper, we describe the security threats and propose security services to counteract these threats in cluster-based NTDR ad hoc networks. We describe secure schemes for a mobile node to initiate, join and leave a cluster. We also discuss the secure end-to-end communication and group key management related issues for NTDR networks.