The original security architecture for Horus was implemented by Mike Reiter (see A Security Architecture for Fault-Tolerant Systems). In the original implementation of Horus, all process groups supported the virtual synchrony model of computation. In order to maintain virtual synchrony (in the crash failure model used in Horus), it is necessary for all processes within a group to be honest. As a result, the original security architecture makes the assumption that any process which is allowed to join a group is trusted by all of the group members.
In the current version of Horus, it is possible to maintain process groups whose semantics are weaker than those of virtual synchrony. In such groups, it may be desirable to permit untrusted processes to join. An example of this might involve allowing untrusted clients to join a client/server group. In such a setting, servers would communicate with untrusted clients, but would only accept a limited set of commands from the clients (and would be responsible for screening out all other messages).
The new Horus security architecture will permit arbitrary trust relationships among the processes within a group. This is accomplished by using a key management scheme which does not allow one process in a group to impersonate another group member. Using this scheme, a process group may trivially achieve the semantics provided by the original security architecture (though with slightly higher overhead). However, unlike the original security architecture, the new architecture enables the implementation of groups (such as client/server groups) which may have more complicated trust relationships among group members.
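To make the difference between the two architectures concrete, the following is an added illustration, not Horus code and not Reiter's design: with a single key shared by the whole group, any member can tag a message under another member's name, whereas keys known only to each pair of members do not allow this; the server-side screening of client commands from the client/server example is sketched as well. The member names, the pairwise-key scheme and the allowed-command set are assumptions made for this example.

```python
import hmac, hashlib, os
from itertools import combinations
# Constructed group: "srv" is a trusted server, "c1"/"c2" are untrusted clients.
MEMBERS = ("srv", "c1", "c2")
ALLOWED_CLIENT_CMDS = {"GET", "STATUS"}   # assumed: what the server accepts from clients

def mac(key, sender, receiver, body):
    # Bind both names into the tag so it cannot be reused between other pairs.
    return hmac.new(key, f"{sender}|{receiver}|{body}".encode(), hashlib.sha256).digest()

class SharedKeyGroup:
    """One key for the whole group: every member is implicitly trusted by all others."""
    def __init__(self, members):
        self.group_key = os.urandom(32)
    def send(self, actual_sender, claimed_sender, receiver, body):
        # Every member holds the group key, so it can tag a message under any name.
        return (claimed_sender, receiver, body, mac(self.group_key, claimed_sender, receiver, body))
    def verify(self, receiver_name, msg):
        sender, receiver, body, tag = msg
        return receiver == receiver_name and hmac.compare_digest(tag, mac(self.group_key, sender, receiver, body))

class PairwiseKeyGroup:
    """Pairwise keys K_ij known only to i and j: a member cannot speak as another member."""
    def __init__(self, members):
        keys = {frozenset(p): os.urandom(32) for p in combinations(members, 2)}
        self.held = {m: {p: k for p, k in keys.items() if m in p} for m in members}
    def send(self, actual_sender, claimed_sender, receiver, body):
        key = self.held[actual_sender].get(frozenset((claimed_sender, receiver)))
        if key is None:                 # forger lacks K_{claimed,receiver}; best it can do is guess
            key = os.urandom(32)
        return (claimed_sender, receiver, body, mac(key, claimed_sender, receiver, body))
    def verify(self, receiver_name, msg):
        sender, receiver, body, tag = msg
        key = self.held[receiver_name].get(frozenset((sender, receiver)))
        return (receiver == receiver_name and key is not None
                and hmac.compare_digest(tag, mac(key, sender, receiver, body)))

def impersonation_possible(group_cls):
    """Can untrusted c1 produce a message that c2 accepts as coming from srv?"""
    g = group_cls(MEMBERS)
    forged = g.send("c1", "srv", "c2", "SHUTDOWN")
    return g.verify("c2", forged)

def server_accepts(group, msg):
    """Server-side screening: authenticate the origin, then limit what clients may request."""
    if not group.verify("srv", msg):
        return False
    sender, _, body, _ = msg
    return sender == "srv" or body.split(" ", 1)[0] in ALLOWED_CLIENT_CMDS
```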
In a mobile network, in addition to the types of information in a static network, there is also location information. Users who carry mobile communications devices will, in general, desire privacy. However, the messages that their devices send and receive may reveal private information about the devices' owners. In my research, I developed, along with my advisor Ken Birman, a set of protocols to prevent such attacks from both internal and external adversaries.