Security Architecture for OSGi Service Platform Environment

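  • 박대하 (Korea Digital University, Department of Digital Information)
  • 김영갑 (Korea University, Department of Computer Science)
  • 문창주 (Korea University, Department of Computer Science)
  • 백두권 (Korea University, Department of Computer Science)
  • Published: 2004.06.01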

Abstract

This paper suggests a new security architecture for building a secure OSGi service platform environment. The security architecture includes 1) a user authentication mechanism, 2) a bundle authentication mechanism, 3) a key sharing mechanism, and 4) an authorization mechanism. The user authentication mechanism supplies SSO (single sign-on) functions, which are useful for safe and easy user authentication. The bundle authentication mechanism utilizes both PKI-based and MAC-based digital signatures for efficiently authenticating service bundles. The key sharing mechanism, which is performed during the bootstrapping phase of a service gateway, supplies a safe way to share the secret keys that the authentication mechanisms require. Finally, the authorization mechanism suggests distributed authorization, in which the service providers and the operator each establish their own security policies. The main contributions of the paper are twofold. First, we examine several security requirements that arise when the security functions of the current OSGi specification are applied in real OSGi environments. Second, we describe ways to resolve these problems by designing and implementing concrete security mechanisms.

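This paper presents a new security architecture needed to build a secure OSGi service platform environment. The security architecture comprises 1) a user authentication mechanism, 2) a bundle authentication mechanism, 3) a key sharing mechanism, and 4) an authorization mechanism. The user authentication mechanism provides SSO (single sign-on) functionality for secure and convenient user authentication. The bundle authentication mechanism uses PKI-based digital signatures together with symmetric-key-based MACs to authenticate service bundles efficiently. The key sharing mechanism, performed during the bootstrapping phase of the service gateway, provides a way to securely share the secret keys used by the authentication mechanisms. Finally, the authorization mechanism presents a way for service bundle providers and the gateway operator to establish distributed security policies. This paper is significant in that it examines the requirements that arise when the security functions specified abstractly in the existing OSGi specification are actually applied in an OSGi environment, and describes solutions through the design and implementation of a concrete security architecture.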
