Malicious- and Accidental-Fault Tolerance for Internet Applications
IST Research Project IST-
1 January 2000 - 28 February 2003

Check out a summary of the project, or browse through the original project proposal.

MAFTIA involved experts from 5 countries and 6 organisations. The Industrial Advisory Board provided valuable feedback on the work of the project.

Research was organised into six workpackages.

Find out more about the key scientific results and achievements, and the benefits of this research collaboration.

Final Workshop
Held at Newcastle University, 18-19 February, 2003.

Deliverables
All the MAFTIA deliverables in one place.

Publications
A list of MAFTIA-related papers published by members of the project.

http://www.research.ec.org/dsos/index.html

http://www.research.ec.org/cabernet/

Goals related to the design of mechanisms and protocols

We have identified four subclasses of goals that need to be achieved in order to provide the necessary building blocks for implementing large-scale dependable applications.

Dependable middleware: All dependability mechanisms for distributed systems require services that allow a subset of the nodes in the system to engage in secure and correct interactions. Typically, the nodes need to: deliver the same set of messages in the same order (e.g. atomic multicast); agree on a consistent view (e.g. on who is currently a member of a certain group); or agree on the decision to abort or commit a distributed transaction. Thus, we will develop a service and protocol architecture for dependable distributed multi-party transactional systems, identify and define the necessary APIs and classes of protocols for supporting them, develop those protocols where necessary, and provide a prototype implementation of this middleware component. The protocols will be designed to run in a realistic environment, which means on weakly synchronised (almost asynchronous) and unreliable networks, with a dynamic population, and a dynamic and mobile adversary. We will make use of protocols for reliable communication and agreement (e.g., reliable broadcast, group membership) and threshold cryptography (secret sharing, threshold signatures and encryption).

Intrusion detection: Transactional services often require that a majority of the parties do not misbehave. To fulfil this constraint, we need intrusion detection so that corrupted subsystems can be identified and possibly "repaired", or at least so that attacks can be contained (i.e., their effect can be limited). We will address the lack of dependability of large-scale intrusion-detection systems by defining an architecture for using multiple intrusion detection systems in parallel, as a means to tolerate attacks against the IDS, and as an attempt to solve the well-known problems of high rates of false positive and false negative alarms generated by existing solutions. We will study and evaluate how notions such as fault injection, diversity and distributed reasoning can help to solve the weaknesses of existing solutions.
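The following is an added illustration of the "multiple IDSs in parallel" idea; it is not MAFTIA code and the sensor names, event ids and verdicts are constructed for the demo. Each diverse sensor casts one vote per event, an event is classified only when a strict majority of at least min_reports sensors agree, and a sensor that keeps contradicting the decided consensus is flagged as a candidate for having been attacked itself. The tampered sensor hids-4 (assumed to report everything as benign) is outvoted, a lone alarm from nids-1 is not raised, and an attack missed by one honest sensor is still detected.

```python
# Added example (not MAFTIA project code): quorum voting across several
# diverse intrusion-detection sensors, so that a single faulty or compromised
# sensor can neither raise nor suppress an alarm on its own.
from collections import defaultdict

# Constructed sample verdicts: (sensor_id, event_id, verdict).
# Sensor "hids-4" is assumed to have been tampered with and reports "benign" for everything.
SAMPLE_VERDICTS = [
    # evt-100: real attack; the tampered sensor is outvoted.
    ("nids-1", "evt-100", "attack"), ("nids-2", "evt-100", "attack"),
    ("hids-3", "evt-100", "attack"), ("app-5", "evt-100", "attack"),
    ("hids-4", "evt-100", "benign"),
    # evt-101: one noisy sensor alone; its alarm is not raised (false positive suppressed).
    ("nids-1", "evt-101", "attack"), ("nids-2", "evt-101", "benign"),
    ("hids-3", "evt-101", "benign"), ("app-5", "evt-101", "benign"),
    ("hids-4", "evt-101", "benign"),
    # evt-102: real attack that one honest sensor (hids-3) missed; still detected.
    ("nids-1", "evt-102", "attack"), ("nids-2", "evt-102", "attack"),
    ("hids-3", "evt-102", "benign"), ("app-5", "evt-102", "attack"),
    ("hids-4", "evt-102", "benign"),
    # evt-103: only two sensors reported (the others were unreachable).
    ("nids-1", "evt-103", "attack"), ("nids-2", "evt-103", "attack"),
]


def fuse_verdicts(verdicts, min_reports=3):
    """Per event: 'attack' if a strict majority of reporting sensors say so,
    'benign' if a strict majority say benign, otherwise 'undecided'
    (too few reports for a quorum, or a tie)."""
    by_event = defaultdict(dict)
    for sensor, event, verdict in verdicts:
        by_event[event][sensor] = verdict  # one vote per sensor per event
    fused = {}
    for event, votes in by_event.items():
        total = len(votes)
        attack = sum(1 for v in votes.values() if v == "attack")
        if total < min_reports:
            fused[event] = "undecided"
        elif 2 * attack > total:
            fused[event] = "attack"
        elif 2 * (total - attack) > total:
            fused[event] = "benign"
        else:
            fused[event] = "undecided"
    return fused


def suspect_sensors(verdicts, fused, max_disagreement=0.5):
    """Sensors that contradict the decided consensus on more than
    max_disagreement of the decided events are candidates for an attack
    against the IDS itself and should be investigated."""
    tally = defaultdict(lambda: [0, 0])  # sensor -> [disagreements, decided votes]
    for sensor, event, verdict in verdicts:
        decided = fused.get(event)
        if decided in ("attack", "benign"):
            tally[sensor][1] += 1
            if verdict != decided:
                tally[sensor][0] += 1
    return sorted(s for s, (bad, n) in tally.items() if n and bad / n > max_disagreement)


if __name__ == "__main__":
    decisions = fuse_verdicts(SAMPLE_VERDICTS)
    for event in sorted(decisions):
        print(event, decisions[event])
    print("suspect sensors:", suspect_sensors(SAMPLE_VERDICTS, decisions))
```

The quorum parameter is what gives the arrangement its fault tolerance: with five diverse sensors and a strict majority rule, one compromised sensor plus one honest miss still yields the right answer, whereas the same rule over three sensors would already be at its limit.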

Dependable trusted third parties: Our intended applications are of their very nature unsuitable for any type of central control. To build such applications, one must replace any central, dependability-critical authority, like certification authorities in PKIs, by a collection of nodes, a majority of which need to be corrupted in order to corrupt the service provided, i.e., we will distribute trust. We will produce a generic service and protocol architecture for distributing trusted third party services among several servers, in order to increase the overall trustworthiness (i.e., dependability) of the TTP service. This will be an application of the work on dependable middleware. We will demonstrate the TTP functionality by a sample implementation for issuing certificates and for fair exchange (e.g., contract signing).
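As an added example (not MAFTIA project code) of the threshold cryptography named under dependable middleware and of the "distribute trust" principle behind dependable trusted third parties, the block below implements Shamir (t, n) secret sharing over a prime field. The prime, the constructed demo secret and the function names are assumptions of this example. Any t of the n servers can reconstruct the shared value, while t-1 colluding servers learn nothing: for every candidate secret there is a polynomial consistent with their shares, so a minority cannot corrupt or extract the service's key. Real threshold signature schemes go one step further and never reassemble the key at all, using the shares directly; this example only shows the sharing and reconstruction step.

```python
# Added example (not MAFTIA code): Shamir (t, n) secret sharing over GF(p).
import secrets

PRIME = 2**127 - 1  # assumption: a Mersenne prime; secrets must be below it


def _eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k (mod p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, t, n, p=PRIME):
    """Split `secret` into n shares (x, f(x)) so that any t reconstruct it.
    f is a random polynomial of degree t-1 with f(0) = secret."""
    if not 1 <= t <= n < p:
        raise ValueError("need 1 <= t <= n < p")
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def interpolate_at(shares, x0, p=PRIME):
    """Lagrange-interpolate the unique polynomial through `shares` (distinct x)
    and evaluate it at x0 (mod p)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def reconstruct(shares, p=PRIME):
    """Recover the secret from any t distinct shares (t = threshold used at split time)."""
    return interpolate_at(shares, 0, p)


def missing_share_if_secret_were(partial, candidate, x_missing, p=PRIME):
    """Given only t-1 shares, every candidate secret is consistent with them:
    exactly one degree-(t-1) polynomial passes through the partial shares and
    (0, candidate).  Return the share at x_missing that polynomial would give,
    which shows the minority's view does not pin the secret down."""
    return interpolate_at([(0, candidate % p)] + list(partial), x_missing, p)


if __name__ == "__main__":
    secret = int.from_bytes(b"demo-ca-key-001", "big")  # constructed demo value
    shares = split_secret(secret, t=3, n=5)
    print("3 of 5 recover:", reconstruct([shares[0], shares[2], shares[4]]) == secret)
    two = shares[:2]  # two colluding servers
    print("true secret fits:", missing_share_if_secret_were(two, secret, 3) == shares[2][1])
    print("but so does 0:", missing_share_if_secret_were(two, 0, 3))
    print("and so does 1:", missing_share_if_secret_were(two, 1, 3))
```

In a distributed certification authority built on this idea, the issuing key would be split with t set to a majority of the servers, so that corrupting fewer than t of them yields neither the key nor a forged certificate, which is exactly the property the TTP goal above asks for.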

Distributed authorisation: The most fundamental security service that needs to be distributed is access control and authorisation. Various schemes have been proposed in the literature to deal with these notions in a non-centralised way (e.g. Kerberos V5 proxies, SESAME PACs, etc.). We will define a generic framework for access control and authorisation in a distributed environment where the access control decision is distributed among parties that might not trust each other completely. Existing trust management approaches will be considered, in particular approaches that support privacy protection by enabling users to control what information is revealed about them in a given situation. We will design and implement a prototype of a flexible authorisation scheme, adapted to multi-party transactions.