Novel Security Architectures and Policy Management Techniques for e-Science

The majority of current grid security implementations are based on PKI, and the operational grid developed as part of the UK e-Science project is no exception. Large-scale PKIs are known to have many problems, which include cost, scalability (both of registration and key management processes), revocation, management of client private keys, and support for dynamic security policies. While some of these issues do not currently affect the viability of grid systems such as the UK e-Science grid, we may expect their impact to become more acute in future, as grids increase in scale, complexity and function, and as trust relationships become more complicated.

One promising alternative to traditional public key cryptography supported by a certificate-based PKI is identity-based public key cryptography (ID-PKC). This was originally proposed by Shamir and given momentum by Boneh and Franklin, who showed how a basic mathematical primitive called pairings on elliptic curves can be used to construct ID-based cryptographic schemes. In an ID-PKC system, public keys can be derived from arbitrary strings (for example, a client's identity), whilst the corresponding private keys are generated and distributed by a Trusted Authority (TA) in possession of a system master secret. This TA roughly corresponds to the Certificate Authority (CA)/Registration Authority (RA) combination in a traditional PKI. ID-PKC enjoys most of the functionality of public key cryptography without the need for certificates and the problems that these bring. Thus it promises a more lightweight approach to deploying public key cryptography.

A second alternative to traditional PKI is offered by certificateless public key cryptography (CL-PKC), a new paradigm in public key cryptography introduced by Al-Riyami and Paterson. The certificateless approach in some sense offers the best of both traditional PKI and ID-PKC: no certificates are required, but the approach also overcomes key escrow that is inherent in ID-PKC systems. It can also avoid ID-PKC's need for a secure channel to distribute private keys. Hence, the overall aim of the project is to:

• explore alternative grid security architectures that overcome the limitations of certificate-based PKIs using ID-PKC and CL-PKC;
• demonstrate that ID-PKC and CL-PKC can be used to support authentication, authorization and delegation services for e-Science and compare the resulting services to those available in existing technologies.

This project is funded by the UK Engineering and Physical Sciences Research Council (EPSRC) for two years, starting in February 2006.

• Prof. Kenny Paterson (Principal Investigator)
• Dr. Jason Crampton
• Dr. Geraint Price
• Dr. Hoon Wei Lim

• H.W. Lim and K.G. Paterson.
  Multi-key Hierarchical Identity-Based Signatures.
  In, S.D. Galbraith, editor, Proceedings of the 11th IMA International Conference on Cryptography and Coding (IMA 2007), Cirencester, UK, pages 384-402. Springer-Verlag LNCS 4887, 2007. [PDF]


• J. Crampton, H.W. Lim and K.G. Paterson.
  What Can Identity-Based Cryptography Offer to Web Services?
  In, Proceedings of the 5th ACM Workshop on Secure Web Services (SWS 2007), Alexandria, Virginia, USA, pages 26-36. ACM Press, 2007. [PDF]


• J. Crampton and H.W. Lim.
  Role Signatures for Access Control in Grid Computing.
  Royal Holloway, University of London, Technical Report RHUL-MA-2007-2, May 2007. [PDF]


• J. Crampton, H.W. Lim, K.G. Paterson and G. Price.
  A Certificate-Free Grid Security Infrastructure Supporting Password-Based User Authentication.
  In, Proceedings of the 6th Annual PKI R&D Workshop 2007, Gaithersburg, Maryland, USA, pages 103-118. NIST Interagency Report 7427, 2007. [PDF]


• J. Crampton, H.W. Lim, K.G. Paterson, and G. Price.
  Alternative Security Architectures for e-Science.
  In S.J. Cox, editor, Proceedings of the UK e-Science All Hands Meeting 2006, Nottingham, UK, pages 324-327. The UK National e-Science Centre, 2006.


• H.W. Lim and K.G. Paterson.
  Secret Public Key Protocols Revisited.
  In, Proceedings of the 14th International Workshop on Security Protocols 2006, Cambridge, UK. Springer-Verlag LNCS. [PDF]