MIME-Version: 1.0 Server: CERN/3.0 Date: Wednesday, 20-Nov-96 19:32:11 GMT Content-Type: text/html Content-Length: 4800 Last-Modified: Tuesday, 24-Oct-95 23:07:32 GMT David Cooper's Home Page

David Cooper

Postdoctoral Associate
4112 Upson Hall
Phone: 607-255-9222
Email: dcooper@cs.cornell.edu

Current Research

My current research involves the design and implementation of a security architecture for Horus. The goal of this work is to provide a layer to Horus which will interact with The Kerberos Network Authentication Service and other cryptographic tools in order to provide privacy and authentication services to processes in a group setting.

The original security architecture for Horus was implemented by Mike Reiter (see A Security Architecture for Fault-Tolerant Systems). In the original implementation of Horus, all process groups supported the virtual synchrony model of computation. In order to maintain virtual synchrony (in the crash failure model used in Horus), it is necessary for all processes within a group to be honest. As a result, the original security architecture makes the assumption that any process which is allowed to join a group is trusted by all of the group members.

In the current version of Horus, it is possible to maintain process groups whose semantics are weaker than those of virtual synchrony. In such groups, it may be desirable to permit untrusted processes to join. An example of this might involve allowing untrusted clients to join a client/server group. In such a setting, servers would communicate with untrusted clients, but would only accept a limited set of commands from the clients (and would be responsible for screening out all other messages).

The new Horus security architecture will permit arbitrary trust relationships among the processes within a group. This is accomplished by using a key management scheme which does not allow one process in a group to impersonate another group member. Using this scheme, a process group may trivially achieve the semantics provided by the original security architecture (however with a slightly higher overhead). However, unlike the original security architecture, the new architecture enables the implementation of groups (such as client/server groups) which many have more complicated trust relationships among group members.


Thesis Research

In my thesis, I proposed a set of solutions to the privacy problems inherent in mobile networks. In a static network, there are two basic types of information which users may wish to keep private. The first is the contents of the messages that they send to other users. This information can be hidden with the proper use of encryption. Users may also wish to prevent outsiders from determining with whom they are communicating. A solution to maintaining the unlinkability of message senders and recipients was first proposed in 1981 by David Chaum (Communications of the ACM, February 1981). Since then, several others have made improvements to the original scheme.

In a mobile network, in addition to the types of information in a static network, there is also location information. Users who carry mobile communications devices will, in general, desire privacy. However, the messages that their devices send and receive may reveal private information about the devices' owners. In my research, I developed, along with my advisor Ken Birman, a set of protocols to prevent such attacks from both internal and external adversaries.


Publications