peertrust-discuss Mailing List for Peertrust
Status: Alpha
Brought to you by:
dolmedilla
Menu
▾
▴
peertrust-discuss — Peertrust discussion list
You can subscribe to this list here.
| 2004 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(4) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|---|
|
From: <co...@ya...> - 2004-07-16 09:40:42
|
Hi, PeerTrust uses an Automatic Trust Negotiation (ATN) to establish trust if sensitive data have to be exchanged. Peers usually do not hold all necessary security information locally. Therefore they need to access external security information during ATN. This is where the Security Markup Language helps. It provides indeed an XML framework to exchange security information. The objective of my project is to integrate SAML functionalities in PeerTrust. This will e.g. enable peers to communicate with a larger range of security authorities (Provided SAML becomes widespread!). The development is based on OpenSAML, which provides some APIs to perform SAML interactions transparently from Java. Status of the project: I have done some explorative prototypes. Now the task is to build the "final integration", i.e. providing an Interface to translate PeerTrust specific security request in an SAML request and to translate back a SAML assertion into a PeerTrust specific security answer. Best regards, Patrice Congo ___________________________________________________________ Gesendet von Yahoo! Mail - Jetzt mit 100MB Speicher kostenlos - Hier anmelden: http://mail.yahoo.de |
|
From: Mathias F. <Mat...@gm...> - 2004-07-08 17:07:09
|
Hi, We, Marc Herrlich and I (Mathias Fiedler), are trying to integrate Peertrust into the P2P project Edutella (http://edutella.jxta.org), which uses JXTA for P2P services. First we built up an new service for sending and receiving our own messages, which will be used for Peertrust specific queries and answers. Until now there are 3 possibilities to send a message: - Broadcast a message through the Jxta ResovlerService. For now this is restricted to strings, is unsecure and limited in size. - Send a message through a Jxta Pipe to a specific Peer. Any Object can be sent and Pipes can be made secure. - Broadcast a message through Jxta Pipes. But it's expensive, because Pipes have to be esthablished to all recipients Until now the code contains no Peertrust specific parts. The next step will be to integrate Peertrust code into the service, so a Edutella peer with this Peertrust Service can make use of Peertrust's capabilities. Greets, Mathias Fiedler |
|
From: Sebastian W. <se...@gm...> - 2004-07-05 11:47:23
|
Hi! Mr. Olmedilla wanted the people that are involved in the PeerTrust-project to summarize what they have done so far. In my Bachelor-thesis I have to do with the security-part in PeerTrust, so I will give a short overview of what I did until now. The first task was to implement a special authenticatesTo-predicate. The extaxt syntax is authenticatesTo(Identity,Party,Authority)@Requester and it means that Party must proove to Requester that he posseses a X.509-certificate chain with Identity as subject alias of the first certificate and Authority as the issuer alias of the last certificate. First, I solved this task with additional SSLSockets, because the exchange of the certificate chain is included in the TLS-handshake. But later, we decided to do it with existing sockets in the MetaInterpreter.java and MetaInterpreterListener.java. When a MetaInterpreter reveives the authenticatesTo-query, it is delegated to Requester. He sends a special Query to Party, which includes the Identity, Authority and a random text string which Party must use later to proove that he owns the suitable private key for the public key of the first certificate of the chain. After receiving the query, Party builds a certificate chain from his keystore that satisfies the Identity- and Authority-parameters (I wrote a special class for that). Then, Party searches for the private key that is symmetric to the public key of the first certificate of the chain and decrypts the random text string with it. This decrypted text is sent back to Requester along with the Identity and Authority. The Requester validates the certificate chain and encrypts the decrypted string with the public key of the first certificate of the chain and compares the result with the random text he sent before. This way, Requester can decide, if Party was able to successfully authenticate himself. The handling of this communication is in a separate class, I had to include a few method calls for it in the MetaInterpreter.java and MetaInterpreterListener.class for it. I also used the CertificateChain-class I wrote, as already mentioned. The second task consisted of validating the proof tree that is included in every Tree-object, so that a server can find out if the answer he received from another peer is right. When I began my Bachelor-thesis, the proof tree consisted of a single string. This is ok for normal rules, but not for signed rules, because they have also a matching credential. This can't be included in a simple string. So I store all the rules of the proof tree in a vector, which stores the rules in special classes. The normal rule-class has just a string as attribute, the signed rule-class extends it and has also the matching credential and a certificate chain (the same class I used in the first task) as attributes. When a server receives an answer now, he can iterate through the proof vector. All string representations of the rules are added to a prolog-inference engine. If there is a signed rule, he can check, if the included credential is valid (with the credential himself and the certificate chain). When all rules are valid and added the the inference engine, it is used to find out, if the goal of the the query can be constructed from the rules. I had to include the new proof vector in the Tree.java and Answer. java, along with additional methods. The validation of the proof tree is included in a separate-class and is called from the MetaInterpreterListener. Again, I used my CertificateChain-class. My third task was the verification of the credentials. As those are included in X.509-Credentials and another student has written some classes for credentials (without verification), this was the easiest task. I just check, if the signer of the string representation of the credential is the same as the subject alias of the certificate, if the certificate is valid and verify it with the suitable public key. This all is done already in the validation of the proof tree (the second task). This is what I have done so far (I hope, my summarization isn't too long and boring ;-) ). Best regards, Sebastian Wittler -- "Sie haben neue Mails!" - Die GMX Toolbar informiert Sie beim Surfen! Jetzt aktivieren unter http://www.gmx.net/info |
|
From: Daniel O. <olm...@l3...> - 2004-07-02 00:04:04
|
=2D----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi to all, first of all some news. As all of you should know the peertrust home page i= s=20 at http://sourceforge.net/projects/peertrust/ . I have been updating the=20 different parts of the web and I am starting to upload the source code=20 (whenever I finish I will post it to the developers list). There are already many people working in parallel in different aspects of=20 peertrust. As some of the task you are doing could overlap I would like you= =20 to send one mail to these lists summarizing your current work. That way all= =20 of you could distribute the work if you are performing the same task or jus= t=20 share experiences or answer questions from other colleagues that you alread= y=20 resolved. In addition in the discussion list you can post any suggestion of future=20 directions/implementations/ideas for the project that you think could be=20 interesting or even that you would like to research on. Best regards, DOC =2D --=20 Daniel Olmedilla Learning Lab Lower Saxony (L3S) Deutscher Pavillon Expo plaza 1 D - 30539 Hannover Phone: +49 (0)511 762.9741 / +49 (0)511 7621.9714 Fax: +49 (0)511 762.9779 / +49 (0)511-7621.9712 http://www.l3s.de/~olmedilla/ E-Mail: olm...@l3... =2D----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA5KY2HyADsW1P33oRAlODAJ92MplUe+I1aJsAeYR21n8R/SRl9gCgoncu v0mXq7gwbKDKxlAwgsgp+sI=3D =3DKkuD =2D----END PGP SIGNATURE----- |
