%!PS-Adobe-2.0 %%Creator: dvipsk 5.58f Copyright 1986, 1994 Radical Eye Software %%Title: pagenr.dvi %%Pages: 8 %%PageOrder: Ascend %%BoundingBox: 0 0 596 842 %%DocumentFonts: Times-Bold Times-Roman Times-Italic Helvetica-Bold %%DocumentPaperSizes: a4 %%EndComments %DVIPSCommandLine: dvips -D 600 -o pagenr.eps pagenr %DVIPSParameters: dpi=600, comments removed %DVIPSSource: TeX output 1997.12.08:1419 %%BeginProcSet: tex.pro /TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N /X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72 mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1} ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale isls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul TR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if} forall round exch round exch]setmatrix}N /@landscape{/isls true N}B /@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{ /nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE N end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{ /sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0] N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{ 128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice ch-width 
ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 sub]{ch-image}imagemask restore}B /D{/cc X dup type /stringtype ne{]} if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{ cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin 0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul add .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore userdict /eop-hook known{eop-hook}if showpage}N /@start{userdict /start-hook known{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for 65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V {}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval dup(Display)eq exch 0 4 getinterval(NeXT)eq or}{pop false} ifelse}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transform round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail {dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M} B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{ 4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{ p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{/SS save N}B /eos{SS restore}B end %%EndProcSet %%BeginProcSet: texps.pro TeXDict begin /rf{findfont dup length 1 add dict begin{1 index /FID ne 2 index /UniqueID ne and{def}{pop pop}ifelse}forall[1 index 0 6 -1 roll exec 0 exch 5 -1 roll VResolution Resolution div mul neg 0 0]/Metrics exch def dict begin Encoding{exch dup type /integertype ne{pop pop 1 sub dup 0 
le{pop}{[}ifelse}{FontMatrix 0 get div Metrics 0 get div def} ifelse}forall Metrics /Metrics currentdict end def[2 index currentdict end definefont 3 -1 roll makefont /setfont load]cvx def}def /ObliqueSlant{dup sin S cos div neg}B /SlantFont{4 index mul add}def /ExtendFont{3 -1 roll mul exch}def /ReEncodeFont{/Encoding exch def}def end %%EndProcSet %%BeginProcSet: special.pro TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N /vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B /@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{ /CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{ 10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B /@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale true def end /@MacSetUp{userdict /md known{userdict /md get type /dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{} N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath clippath mark{transform{itransform moveto}}{transform{itransform lineto} }{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{ itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{ closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39 0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N /txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1 scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1 
-1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr 0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add 2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp {pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72 div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray} N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict maxlength dict begin /magscale true def normalscale currentpoint TR /psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts /psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR /showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{ psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2 roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDict begin /SpecialSave save N gsave normalscale currentpoint TR @SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial {CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx sub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR }{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath }N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{ end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin} N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{ /SaveX 
currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X /startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end %%EndProcSet TeXDict begin 39158280 55380996 1000 600 600 (pagenr.dvi) @start /Fa 1 50 df<00E00001E00007E000FFE000F9E00001E00001E00001E00001E0 0001E00001E00001E00001E00001E00001E00001E00001E00001E00001E00001E00001E0 0001E00001E00001E00001E00001E00001E00001E00001E00001E00003F000FFFFC0FFFF C012217AA01E>49 D E /Fb 1 50 df<00380000780001F8001FF800FEF800E0F80000F8 0000F80000F80000F80000F80000F80000F80000F80000F80000F80000F80000F80000F8 0000F80000F80000F80000F80000F80000F80000F80000F80000F80000F80000F80000F8 0000F80000F80000F80000F80001FC00FFFFF8FFFFF815267BA521>49 D E /Fc 134[46 2[46 51 28 46 32 1[51 51 51 74 23 1[23 23 1[51 28 46 51 46 51 46 12[51 55 4[60 1[51 2[23 2[51 4[60 13[46 46 46 2[23 46[{}31 83.333336 /Helvetica-Bold rf /Fd 134[42 2[42 46 28 32 37 2[42 46 69 3[23 3[37 1[37 1[42 13[46 2[51 10[55 60 60 8[28 58[{}19 83.333336 /Times-Bold rf /Fe 1 14 df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f 81[37 52[33 1[48 33 33 18 26 22 1[33 33 33 52 18 33 18 18 33 33 22 29 33 29 33 29 3[22 1[22 5[48 1[37 44 1[37 48 48 4[22 2[37 41 1[44 44 48 7[33 1[33 33 33 33 33 1[33 33 1[17 22 17 2[22 22 40[{}51 66.666664 /Times-Roman rf /Fg 1 4 df<006000007000006000006000406020E06070F861F07E67E01FFF8007FE 0000F00007FE001FFF807E67E0F861F0E060704060200060000060000070000060001415 7B9620>3 D E /Fh 78[42 1[46 46 51[37 42 42 60 42 42 23 32 28 42 42 42 42 65 23 42 23 23 42 42 28 37 42 37 42 37 3[28 1[28 51 1[60 78 60 60 51 46 55 1[46 60 60 74 51 60 32 28 60 60 46 51 60 55 55 60 5[23 23 42 42 42 42 42 42 42 42 42 42 23 21 28 21 2[28 28 28 39[{}74 83.333336 /Times-Roman rf /Fi 81[42 51[32 37 1[55 37 42 23 32 32 1[42 42 42 60 23 37 23 23 42 42 23 37 42 37 42 42 9[69 2[46 42 51 1[51 60 55 69 3[28 1[60 51 51 60 55 51 51 
7[42 1[42 42 42 3[42 2[21 28 21 4[28 39[{}50 83.333336 /Times-Italic rf /Fj 134[50 2[50 55 33 39 44 1[55 50 55 83 28 2[28 55 50 33 44 55 44 55 50 12[66 1[72 1[61 78 72 4[39 5[72 66 72 11[50 50 50 50 50 2[25 46[{}35 100.000000 /Times-Bold rf /Fk 2 104 df<0000000FE0000000FFE0000003FC0000 000FE00000003FC00000007F80000000FF00000000FE00000001FC00000001FC00000003 F800000003F800000003F800000003F800000003F800000003F800000003F800000003F8 00000003F800000003F800000003F800000003F800000003F800000003F800000003F800 000003F800000003F800000003F800000003F800000003F800000003F800000003F80000 0003F800000003F800000003F800000003F800000003F800000003F800000003F8000000 03F800000003F800000007F000000007F00000000FE00000001FE00000003FC00000007F 80000000FE00000007F8000000FFE0000000FFE000000007F800000000FE000000007F80 0000003FC00000001FE00000000FE000000007F000000007F000000003F800000003F800 000003F800000003F800000003F800000003F800000003F800000003F800000003F80000 0003F800000003F800000003F800000003F800000003F800000003F800000003F8000000 03F800000003F800000003F800000003F800000003F800000003F800000003F800000003 F800000003F800000003F800000003F800000003F800000003F800000003F800000003F8 00000001FC00000001FC00000000FE00000000FF000000007F800000003FC00000000FE0 00000003FC00000000FFE00000000FE0236479CA32>102 DI E /Fl 61[33 18[55 52[44 50 50 72 50 50 28 39 33 1[50 50 50 78 28 2[28 50 50 33 44 50 44 50 44 9[94 1[72 61 55 2[55 72 1[89 61 1[39 33 72 1[55 61 72 66 66 72 92 10[50 3[50 50 1[25 33 25 44[{}49 100.000000 /Times-Roman rf /Fm 2 16 df<000380000007C0000007C0000007C0000007C0000007C0000007C000 0007C0007803803CFC03807EFE0380FE7F8383FC3FC387F80FE38FE003FBBF8000FFFE00 003FF800000FE000000FE000003FF80000FFFE0003FBBF800FE38FE03FC387F87F8383FC FE0380FEFC03807E7803803C0007C0000007C0000007C0000007C0000007C0000007C000 0007C000000380001F247BA62A>3 D<000FE000007FFC0000FFFE0003FFFF8007FFFFC0 0FFFFFE01FFFFFF03FFFFFF83FFFFFF87FFFFFFC7FFFFFFC7FFFFFFCFFFFFFFEFFFFFFFE 
FFFFFFFEFFFFFFFEFFFFFFFEFFFFFFFEFFFFFFFEFFFFFFFE7FFFFFFC7FFFFFFC7FFFFFFC 3FFFFFF83FFFFFF81FFFFFF00FFFFFE007FFFFC003FFFF8000FFFE00007FFC00000FE000 1F207BA42A>15 D E /Fn 78[60 55[60 1[86 1[66 40 47 53 1[66 60 66 100 33 66 1[33 66 60 40 53 1[53 1[60 12[80 66 4[86 4[47 5[86 1[86 65[{}26 119.999947 /Times-Bold rf end %%EndProlog %%BeginSetup %%Feature: *Resolution 600dpi TeXDict begin %%PaperSize: a4 %%BeginPaperSize: a4 a4 %%EndPaperSize %%EndSetup %%Page: 1 1 1 0 bop -54 374 a Fn(Security)31 b(in)f(the)g(T)-11 b (elecommunications)30 b(Inf)m(ormation)g(Netw)o(orking)h(Ar)n (chitectur)n(e)g(\261)1236 524 y(the)g(CrySTIN)n(A)f(A)m(ppr)n(oach) 2523 480 y Fm(\003)424 839 y Fl(Sebastian)25 b(Staamann)193 956 y(Uwe)g(W)l(ilhelm)124 b(Andr)6 b(\302)-39 b(e)25 b(Schiper)69 1072 y(Swiss)f(Federal)i(Institute)e(of)g(T)-7 b(echnology)212 1188 y(Operating)24 b(Systems)g(Laboratory)-58 1304 y(EPFL-DI-LSE,)i(1015)e(Lausanne,)h(Switzerland)79 1421 y Fk(f)p Fl(staa,)g(wilhelm,)e(schiper)p Fk(g)h Fl(@lse.ep\257.ch)2539 839 y(Le)n(v)o(ente)g(Butty)6 b(\302)-39 b(an)2473 956 y(Jean-Pierre)26 b(Hubaux)2113 1072 y(Swiss)e(Federal)i(Institute)d(of)i(T)-7 b(echnology)2219 1188 y(T)g(elecommunications)23 b(Laboratory)1917 1304 y(EPFL-DE-TCOM,)i(1015)f(Lausanne,)h(Switzerland)2193 1421 y Fk(f)p Fl(b)n(uttyan,)e(hubaux)p Fk(g)h Fl(@tcom.ep\257.ch)617 1771 y Fj(Abstract)-182 1996 y Fi(The)15 b(article)h(pr)m(esents)f(the) h(\256r)o(st)g(r)m(esults)g(of)g(the)f(CrySTIN)n(A)h(pr)l(oject.)-182 2096 y(W)-8 b(e)31 b(analyze)e(and)g(structur)m(e)h(the)g(security)h (pr)l(oblem)e(domain)g(in)-182 2195 y(the)c(TIN)n(A-C)h(ar)m(c)o (hitectur)m(e)f(and)g(pr)m(esent)g(our)h(appr)l(oac)o(h)d(to)j(pr)l(o-) -182 2295 y(vide)20 b(the)g(necessary)h(security)f(functionality)f(in)i (the)f(form)h(of)f(self-)-182 2395 y(contained)41 b (application-independen)o(t)d(security)44 b(services)g(and)-182 2494 y(security)23 b(mec)o(hanisms)g(as)g(part)g(of)h(the)f(DPE)g (functionality)-5 b(.)33 b(The)-182 2594 y(DPE)22 
b(is)i(assumed)e(to)g (be)h(basically)f(pr)l(o)o(vided)g(by)g(CORB)n(A)h(pr)l(od-)-182 2693 y(ucts.)40 b(Ther)m(efor)m(e)o(,)26 b(we)g(intr)l(oduce)f(the)g (CORB)n(A)g(security)h(speci\256-)-182 2793 y(cation)21 b(and)h(in)m(vestigate)f(if)j(and)d(how)i(the)f(identi\256ed)f(TIN)n(A) i(secu-)-182 2893 y(rity)c(services)h(can)e(be)h(implemented)e(using)h (the)h(CORB)n(A)g(security)-182 2992 y(functionality)-5 b(.)-182 3326 y Fj(1)o(.)25 b(Intr)n(oduction)-83 3544 y Fh(An)44 b(essential)h(requirement)d(for)i(the)g(T)-6 b(elecommunication)-182 3643 y(Information)32 b(Netw)o(orking)h (Architecture)g(\(TIN)m(A\))h(is)i(security)-5 b(.)-182 3743 y(TIN)m(A)40 b(is)i(intended)d(to)i(pro)o(vide)d(a)j(comprehensi)n (v)o(e)d(architec-)-182 3842 y(ture)27 b(for)g(multi-service)g(netw)o (orks)g(that)h(shall)g(enable)f(multime-)-182 3942 y(dia)21 b(communications)e(and)i(access)g(to)h(information)d(for)i(b)n(usiness) -182 4042 y(and)j(pri)n(v)n(ate)g(users.)40 b(In)24 b(traditional)g (communications)f(netw)o(orks)-182 4141 y(that)d(are)g(solely)g (dedicated)f(to)i(the)f(telephon)o(y)e(service,)i(not)g(much)-182 4241 y(attention)27 b(has)h(been)f(paid)h(to)g(authenticity)-5 b(,)28 b(inte)o(grity)-5 b(,)28 b(and)g(con-)-182 4341 y(\256dentiality)i(of)h(the)h(v)n(oice)f(data)g(carried.)57 b(Ef)o(forts)30 b(for)h(security)-182 4440 y(ha)n(v)o(e)17 b(been)h(nearly)f(e)o(xclusi)n(v)o(ely)f(focused)h(on)h(the)g(secure)g (and)g(safe)-182 4540 y(operation)29 b(of)i(the)g(netw)o(ork)f(itself)i (and)f(the)g(protection)f(against)-182 4639 y(toll)e(fraud.)49 b(In)28 b(future)f(multi-service)g(netw)o(orks,)i(this)g(situation)-182 4739 y(has)h(to)g(be)g(changed.)53 b(If)30 b(commercially)e(v)n (aluable)h(interactions)-182 4839 y(shall)24 b(tak)o(e)f(place)h(o)o(v) o(er)e(these)i(netw)o(orks,)f(users)h(will)g(require)e(au-)-182 4938 y(thenticity)-5 b(,)24 b(inte)o(grity)-5 b(,)24 b(and)g(con\256dentiality)f(for)i(the)f(information)p -182 5012 788 4 v -99 5065 a Fg(\003)-63 5088 y Ff(Research)19 
b(supported)f(by)f(the)g(Swiss)f(National)j(Science)g(F)o(oundation)g (as)d(part)-182 5167 y(of)h(the)h(Swiss)f(Priority)i(Programme)e (Information)i(and)f(Communications)i(Struc-)-182 5246 y(tures)i(\(SPP-ICS\))f(under)i(project)g(number)f(5003-045364.)1296 5244 y(c)1276 5246 y Fe(\015)p Ff(IEEE,)d(published)-182 5325 y(by)e(IEEE)e(1997)1974 1771 y Fh(transmitted.)40 b(The)25 b(pro)o(vision)f(of)h(security)g(is)h(becoming)e(an)h(im-)1974 1870 y(portant)c(issue)j(in)f(the)g(competition)e(between)h(TIN)m(A)h (technology)1974 1970 y(and)30 b(other)g(multi-service)g(netw)o(orks,)i (\256rst)g(of)e(all)i(the)f(Internet.)1974 2070 y(In)h(the)g(Internet)g (w)o(orld,)i(se)n(v)o(eral)e(approaches)e(on)i(v)n(arious)g(lay-)1974 2169 y(ers,)h(all)d(based)g(on)g(cryptography)-5 b(,)27 b(are)j(currently)f(discussed)g(or)1974 2269 y(already)c(in)h(use,)h (e.g.,)g([3])f([10])f([4])g([26].)41 b(In)26 b(order)f(to)h(be)g(com-) 1974 2369 y(petiti)n(v)o(e,)k(TIN)m(A)e(netw)o(orks)g(must)g(guarantee) f(at)i(least)g(the)g(same)1974 2468 y(de)o(gree)17 b(of)g(security)-5 b(.)24 b(An)18 b(important)e(\256eld)j(of)f(application)e(is)j(elec-) 1974 2568 y(tronic)j(commerce.)30 b(The)22 b(Internet)f(does)h(not)h (yet)f(ha)n(v)o(e)g(a)h(speci\256c)1974 2668 y(architecture)k(for)i (electronic)f(commerce.)50 b(On)29 b(the)g(other)f(hand,)1974 2767 y(TIN)m(A)21 b(with)h(its)g(b)n(usiness)f(model)g(and)g(service)g (architecture)e([23])1974 2867 y(together)26 b(with)i(the)f(kno)n(w-ho) n(w)e(and)i(the)h(customer)e(base)i(of)f(the)1974 2966 y(established)20 b(telecommunication)d(netw)o(ork)i(operators)g(as)i (one)e(of)1974 3066 y(the)27 b(dri)n(ving)f(forces)h(of)g(the)g(TIN)m (A)h(ef)o(fort)d(inherently)h(possesses)1974 3166 y(the)f(appropriate)d (infrastructure)g(for)j(electronic)e(commerce.)37 b(T)-7 b(o)1974 3265 y(bene\256t)30 b(from)g(this)i(adv)n(antage,)f(the)g(o)o (v)o(erall)f(architecture)f(must)1974 3365 y(pro)o(vide)24 b(the)i(functionality)e(to)i(protect)f(the)h(transactions)g(and)f(to) 
1974 3465 y(establish)20 b(the)g(le)o(gal)g(bindings.)2073 3598 y(In)g(order)e(to)i(a)n(v)n(oid)f(redundanc)o(y)d(of)k (functionality)d(and)i(for)g(the)1974 3697 y(sak)o(e)27 b(of)g(interoperability)-5 b(,)26 b(security)h(in)g(TIN)m(A)g(netw)o (orks)g(has)g(to)1974 3797 y(be)d(pro)o(vided)d(in)j(a)g(consistent)f (w)o(ay)-5 b(.)35 b(The)24 b(security)f(problem)f(do-)1974 3897 y(main)d(should)g(be)h(structured)e(and)h(security)h (functionality)d(should)1974 3996 y(be)29 b(pro)o(vided)d(as)k(much)e (as)h(possible)g(through)e(general)h(security)1974 4096 y(services.)39 b(A)26 b(prerequisite)d(for)h(these)i(services)e(in)i(a) f(multi-party)1974 4196 y(en)m(vironment,)g(such)i(as)h(a)g(TIN)m(A)f (netw)o(ork,)g(is)h(the)f(e)o(xistence)f(of)1974 4295 y(a)k(security)f(infrastructure)f(that)i(pro)o(vides)e(long)h(term)g(k) o(e)o(ys)h(and)1974 4395 y(supports)c(the)h(ne)o(gotiation)e(of)i (security)g(mechanisms)f(and)h(poli-)1974 4494 y(cies)e(between)f(dif)o (ferent)e(administrati)n(v)o(e)h(domains.)37 b(The)24 b(means)1974 4594 y(are)41 b(mainly)g(pro)o(vided)e(by)i(cryptography) -5 b(.)84 b(All)42 b(application-)1974 4694 y(independent)16 b(security)j(functionality)e(should)h(be)h(a)n(v)n(ailable)g(from)1974 4793 y(the)e(Distrib)n(uted)g(Processing)g(En)m(vironment)d(\(DPE\),)j (since)h(appli-)1974 4893 y(cation)29 b(and)h(platform)f(independent)e (functionality)h(is)j(in)f(TIN)m(A)1974 4993 y(pro)o(vided)18 b(at)i(this)h(architectural)e(le)n(v)o(el.)2073 5126 y(The)30 b(pro)o(vision)f(of)h(the)g(security)g(infrastructure)e(is)j (the)g(sub-)1974 5225 y(ject)g(of)g(the)g(CrySTIN)m(A)g (\(Cryptographically)d(Secured)i(TIN)m(A\))1974 5325 y(project,)i(a)e(joint)h(research)e(ef)o(fort)g(of)h(the)g(Swiss)i (Federal)e(Insti-)p eop %%Page: 2 2 2 1 bop -182 83 a Fh(tute)36 b(of)f(T)-6 b(echnology)34 b(Lausanne,)k(Siemens)e(Munich,)i(and)e(the)-182 183 y(Swiss)28 b(T)-6 b(elecom.)47 b(As)28 b(e)o(xpressed)e(in)i(the)f (name,)i(security)e(is)h(re-)-182 282 y(alized)f(mainly)f(by)g 
(cryptographic)e(means.)46 b(CrySTIN)m(A)26 b(is)i(part)-182 382 y(of)i(a)h(broader)d(research)i(ef)o(fort)f(aiming)h(at)h(a)g (Secure)f(and)g(Reli-)-182 482 y(able)k(Distrib)n(uted)g(Processing)g (En)m(vironment)d(for)j(telecommu-)-182 581 y(nication)28 b(netw)o(orks.)51 b(This)29 b(article)g(presents)g(the)g(results)h(of)f (the)-182 681 y(analysis)22 b(phase,)h(i.e.)33 b(ho)n(w)22 b(the)h(security)f(problem)f(domain)h(must)-182 780 y(be)30 b(structured)e(in)j(order)d(to)j(pro)o(vide)d(security)h(functionality) f(as)-182 880 y(application-independent)12 b(services)18 b(and)g(ho)n(w)f(CORB)m(A)j(security)-182 980 y(can)15 b(be)g(used)g(for)g(that)h(purpose.)22 b(It)15 b(is)i(an)e(impro)o(v)o (ed)e(and)i(enhanced)-182 1079 y(presentation)i(of)i(the)g(analysis)h (gi)n(v)o(en)e(in)h([20].)k(Similar)d(to)f(the)g(ap-)-182 1179 y(proach)24 b(stated)j(in)g(the)f(technical)g(report)f(on)h(the)g (TIN)m(A)h(security)-182 1279 y(architecture)h([22],)k(we)f(also)f (stri)n(v)o(e)g(to)h(reuse)f(established)g(con-)-182 1378 y(cepts)25 b(from)f(other)h(standardization)e(w)o(ork,)j(such)f (as)h(OSI,)f(TMN)-182 1478 y(and)19 b(the)h(OMG)h(speci\256cations.)-83 1579 y(In)c(the)h(follo)n(wing)e(section,)h(we)h(analyze)f(and)g (structure)f(the)i(se-)-182 1678 y(curity)24 b(problem)f(domain)h(in)h (TIN)m(A.)g(Then)g(we)g(in)m(v)o(estigate)e(ho)n(w)-182 1778 y(CORB)m(A)e(security)e(can)h(be)g(used)f(for)g(TIN)m(A)h(and)f (we)i(identify)d(ad-)-182 1878 y(ditional)f(security)h(services)g(and)g (mechanisms)g(that)g(must)h(be)f(pro-)-182 1977 y(vided)k(by)g(the)h (DPE.)g(Section)g(3)g(presents)g(the)g(CORB)m(A)i(security)-182 2077 y(speci\256cation.)35 b(In)24 b(Section)g(4)g(we)g(propose)f(ho)n (w)g(CORB)m(A)j(secu-)-182 2177 y(rity)g(may)h(be)g(used)g(in)g(TIN)m (A)g(netw)o(orks)f(and)g(identify)g(the)h(open)-182 2276 y(issues)e(for)f(the)g(TIN)m(A-DPE.)g(Finally)-5 b(,)24 b(in)h(Section)f(5)h(we)f(gi)n(v)o(e)g(an)-182 2376 y(outlook)18 b(on)i(our)f(ongoing)f(and)i(future)f(w)o(ork.)-182 
2613 y Fj(2)o(.)25 b(The)h(TIN)n(A)f(security)h(pr)n(oblem)f(domain)-83 2833 y Fh(Security)17 b(concerns)g(all)i(parts)f(of)f(a)i(TIN)m(A)f (system;)h(it)f(is)h(perv)n(a-)-182 2933 y(si)n(v)o(e)h(and)f(cannot)g (be)h(addressed)e(in)j(isolation.)j(T)-7 b(o)20 b(cope)f(with)h(this) -182 3032 y(comple)o(xity)-5 b(,)17 b(it)j(is)g(necessary)f(to)h (structure)e(the)i(security)f(problem)-182 3132 y(domain)25 b(in)i(an)g(appropriate)e(w)o(ay)-5 b(.)45 b(All)27 b(services)g(and)g (resources)-182 3231 y(may)f(be)i(the)f(subject)g(to)h(attacks.)46 b(Attacks)28 b(may)f(be)g(the)g(ille)o(git-)-182 3331 y(imate)e(use)g(of)g(components)e(or)i(the)g(modi\256cation)e(of)i (data,)h(state)-182 3431 y(or)21 b(programs.)29 b(The)o(y)20 b(may)i(occur)f(through)e(direct)j(access)h(to)f(sys-)-182 3530 y(tems,)c(data,)g(or)f(services)h(from)f(outside)g(or)g(through)f (modi\256cation)-182 3630 y(of)34 b(messages)i(e)o(xchanged)c(between)j (interacting)e(components.)-182 3730 y(Potential)18 b(attack)o(ers)g (are)h(outsiders,)f(b)n(ut)g(also)h(other)f(stak)o(eholders)-182 3829 y(in)j(the)h(TIN)m(A)f(netw)o(ork.)27 b(Moti)n(v)o(es)21 b(of)g(attack)o(ers)g(may)g(be)g(the)h(ille-)-182 3929 y(gitimate)j(use)i(of)e(services,)j(fraud)c(\(e.g.,)j(in)f(online)f(b)n (usinesses\),)-182 4028 y(toll)e(fraud,)g(ea)n(v)o(esdropping)d(on)j (and)g(observ)n(ation)e(of)i(consumers)-182 4128 y(or)i(pro)o(viders,)g (or)g(the)h(deliberate)e(pre)n(v)o(ention)f(of)i(service)h(pro)o(vi-) -182 4228 y(sion)f(\(denial)f(of)g(service)h(attack\).)38 b(The)25 b(ultimate)g(goal)f(of)h(an)g(at-)-182 4327 y(tack)31 b(may)h(be)f(achie)n(v)o(ed)g(directly)g(or)g(indirectly)-5 b(.)58 b(In)32 b(the)g(latter)-182 4427 y(case,)25 b(an)g(attack)o(er)f (may)g(install)h(a)g(backdoor)d(during)h(a)i(\256rst)g(suc-)-182 4527 y(cessful)f(attack,)h(which)e(enables)h(him)g(later)g(on)g(\(and)f (possibly)g(at)-182 4626 y(multiple)d(times\))h(the)g(actually)g (intended)f(misuse.)27 b(Examples)21 b(for)-182 4726 y(backdoors)13 
b(are)j(the)g(modi\256cation)e(of)i(programs)d(or)j (access)g(rights.)-83 4827 y(Each)22 b(stak)o(eholder)f(in)i(a)f(TIN)m (A)h(netw)o(ork)e(has)i(his)f(or)g(her)g(o)n(wn)-182 4926 y(administrati)n(v)o(e)h(domain)h([24].)40 b(W)-7 b(e)26 b(mak)o(e)f(the)h(assumption)e(that)-182 5026 y(the)g(administrati)n(v)o(e)f(domain)g(is)i(the)g(trust)f(domain)f(of) h(the)h(stak)o(e-)-182 5126 y(holder)-5 b(.)25 b(This)c(assumption)e (is)j(based)e(on)g(the)h(f)o(act)g(that)f(in)h(the)g(re)o(g-)-182 5225 y(ular)k(case)h(the)g(installed)f(hardw)o(are)g(is)h(under)f(the)g (physical)g(con-)-182 5325 y(trol)e(of)h(the)g(stak)o(eholder)f(and)g (the)h(softw)o(are)g(is)h(installed)f(by)f(him)1974 83 y(or)31 b(herself.)56 b(The)31 b(trust)g(domain)e(may)i(in)g(f)o(act)g (consist)g(of)g(v)n(ari-)1974 183 y(ous)19 b(nodes)g(under)f(the)i (physical)e(control)g(of)i(the)f(stak)o(eholder)f(that)1974 282 y(are)g(connected)e(by)i(physically)f(unsecure)g(communication)e (links.)1974 382 y(These)27 b(links)g(can)g(be)g(turned)f(into)g (secure)h(channels)f(by)h(the)g(use)1974 482 y(of)f(symmetric)f (cryptography)d(without)j(sophisticated)h(manage-)1974 581 y(ment)16 b(of)g(k)o(e)o(ys,)h(so)g(that)f(the)h(connected)d(nodes) i(form)g(a)h(single)f(trust)1974 681 y(domain.)50 b(Since)29 b(TIN)m(A)g(supports)f(personal)g(mobility)h(for)f(con-)1974 780 y(sumers)j([23])f([1],)k(the)d(current)f(administrati)n(v)o(e)g (domain)g(is)i(not)1974 880 y(necessarily)15 b(administered)g(by)h(the) g(consumer)f(currently)f(using)i(it.)1974 980 y(Ho)n(we)n(v)o(er)m(,)i (in)j(this)g(article)g(we)g(do)f(not)g(co)o(v)o(er)f(the)i(additional)e (trust)1974 1079 y(relationship)29 b(between)h(the)g(consumer)f (administrati)n(v)o(e)g(domain)1974 1179 y(and)21 b(the)g(consumer)-5 b(.)27 b(This)22 b(relationship)e(is)i(subject)f(of)g(our)g(ongo-)1974 1279 y(ing)e(w)o(ork.)24 b(In)19 b(this)h(article,)f(we)h(assume)f (complete)f(trust)i(between)1974 1378 y(the)e(user)f(and)g(his)i(or)e 
(her)g(current)g(administrati)n(v)o(e)f(domain.)23 b(Secu-)1974 1478 y(rity)16 b(within)g(the)g(administrati)n(v)o(e)e(domain)h (\(intradomain)e(security\))1974 1577 y(is)25 b(domain)e(speci\256c)i (and)f(is)h(achie)n(v)o(ed)e(by)h(local)h(means.)37 b(W)m(ithin)1974 1677 y(his)25 b(or)e(her)h(domain,)g(the)g(stak)o(eholder)f(trusts)i (in)f(the)g(correctness)1974 1777 y(of)c(the)h(installed)g(softw)o (are.)k(T)-7 b(o)n(w)o(ards)21 b(the)f(outside,)g(the)h(adminis-)1974 1876 y(trati)n(v)o(e)15 b(domain)g(must)i(be)f(protected)e(against)i (ille)o(gitimate)g(access.)1974 1976 y(F)o(or)30 b(interactions)f(with) i(other)e(domains)g(\(interdomain)f(interac-)1974 2076 y(tions\),)d(limited)g(trust)g(relationships)f(must)g(be)h (established.)39 b(The)1974 2175 y(communication)31 b(channels)i (between)g(domains)g(cannot)g(be)h(as-)1974 2275 y(sumed)20 b(to)i(be)f(secure.)27 b(Therefore)19 b(protection)h(must)h(be)g(achie) n(v)o(ed)1974 2374 y(by)26 b(cryptographic)d(means.)43 b(Security)26 b(must)h(be)f(pro)o(vided)e(to)j(all)1974 2474 y(parts)e(of)h(the)f(TIN)m(A)h(system)f(that)h(are)f(in)m(v)n(olv) o(ed)f(in)h(interdomain)1974 2574 y(interactions.)i(The)21 b(security)g(of)g(each)g(part)f(is)j(usually)d(dependent)1974 2673 y(on)e(the)g(security)g(of)g(man)o(y)f(other)g(parts)i(in)f(the)g (administrati)n(v)o(e)f(do-)1974 2773 y(main,)24 b(ne)n(v)o(ertheless,) f(all)i(single)f(parts)g(ha)n(v)o(e)f(to)h(be)g(protected)f(on)1974 2873 y(their)28 b(o)n(wn.)51 b(Figure)28 b(1)h(sho)n(ws)g(our)f (structuring)f(of)i(the)g(security)1974 2972 y(problem)18 b(domain.)1974 3171 y Fd(System)i(Security:)1974 3271 y Fh(System)h(security)f(shall)i(ensure)e(that)h(systems,)g(mainly)f (the)h(hard-)1974 3371 y(w)o(are)36 b(and)f(the)g(operating)f(system,) 40 b(are)35 b(not)h(subject)f(to)h(intru-)1974 3470 y(sions.)52 b(This)30 b(concerns)e(netw)o(orking)f(resources)h(\(e.g.,)i(netw)o (ork)1974 3570 y(switches\))19 b(and)e(computing)g(resources.)23 b(It)c(also)g(includes)f(the)g(Na-)1974 3670 
y(ti)n(v)o(e)d(Computing)f (and)g(Communications)g(En)m(vironment)e(\(NCCE\))1974 3769 y(\(operating)28 b(system)j(and)g(communication)d(ports\),)k (since)f(intru-)1974 3869 y(sions)24 b(may)f(not)h(only)e(occur)h(o)o (v)o(er)f(communication)f(ports)j(of)f(the)1974 3968 y(NCCE)j(that)g(are)g(used)f(by)g(the)h(DPE,)f(b)n(ut)h(also)g(o)o(v)o (er)e(other)h(ports)1974 4068 y(of)18 b(the)g(NCCE.)h(The)e(latter)i (point)e(concerns)g(mainly)g(the)h(adminis-)1974 4168 y(trati)n(v)o(e)23 b(domains)h(of)g(end)f(users)i(\(consumers\))d (whose)i(Customer)1974 4267 y(Premises)16 b(Equipment)d(\(CPE\),)i (e.g.,)g(Personal)g(Computers)f(\(PCs\))1974 4367 y(or)24 b(w)o(orkstations,)g(cannot)g(be)g(assumed)g(to)g(be)h(e)o(xclusi)n(v)o (ely)d(used)1974 4467 y(as)f(the)f(endpoint)e(of)i(the)g(TIN)m(A)h (netw)o(ork.)1974 4666 y Fd(Ser)o(vice)f(Security:)1974 4765 y Fh(Service)j(security)h(is)h(mainly)e(concerned)f(with)i(the)g (preserv)n(ation)1974 4865 y(of)e(the)h(inte)o(grity)f(of)g(service)h (control.)31 b(Service)22 b(control)g(includes)1974 4965 y(among)i(others)h(the)g(v)o(eri\256cation)f(of)h(whether)f(a)i(user)g (is)g(allo)n(wed)1974 5064 y(to)17 b(use)h(a)g(service)f (\(subscription\))e(and)i(the)g(accounting)e(for)i(billing)1974 5164 y(purposes.)65 b(Both)35 b(rely)e(on)h(the)g(authenticated)f (identity)g(of)h(the)1974 5264 y(user)-5 b(.)36 b(This)24 b(must)g(be)f(supported)f(by)h(a)i(protocol)d(for)h(the)h(authen-)1859 5574 y(2)p eop %%Page: 3 3 3 2 bop 54 1517 a @beginspecial @setspecial %%BeginDocument: tinasec.epsss /sf {170 224 div} def /llx {-4} def /lly {-464} def /vx {llx sf mul} def /vy {lly sf mul} def vx vy translate sf sf scale /tgifdict 3 dict def tgifdict begin /tgifcentertext { dup stringwidth pop 2 div neg 0 rmoveto } def end tgifdict begin /tgifsavedpage save def 1 setmiterlimit 1 setlinewidth 0 setgray 72 0 mul 72 11.70 mul translate 72 128 div 100.000 mul 100 div dup neg scale gsave /tgiforigctm matrix currentmatrix def % POLY/OPEN-SPLINE 0 setgray gsave 
newpath 368 476 moveto 468 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 460 476 moveto 468 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 544 476 moveto 468 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 876 476 moveto 932 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 996 477 moveto 932 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 632 476 moveto 688 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 752 477 moveto 688 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 60 480 moveto 172 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 168 476 moveto 172 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 256 480 moveto 172 424 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % RCBOX 0 setgray newpath 204 372 moveto 220 372 220 424 16 arcto 4 {pop} repeat 220 408 lineto 220 424 128 424 16 arcto 4 {pop} repeat 144 424 lineto 128 424 128 372 16 arcto 4 {pop} repeat 128 388 lineto 128 372 220 372 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 204 372 moveto 220 372 220 424 16 arcto 4 {pop} repeat 220 408 lineto 220 424 128 424 16 arcto 4 {pop} repeat 144 424 lineto 128 424 128 372 16 arcto 4 {pop} repeat 128 388 lineto 128 372 220 372 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 174 394 moveto (System ) tgifcentertext show 174 416 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 716 372 moveto 
732 372 732 424 16 arcto 4 {pop} repeat 732 408 lineto 732 424 640 424 16 arcto 4 {pop} repeat 656 424 lineto 640 424 640 372 16 arcto 4 {pop} repeat 640 388 lineto 640 372 732 372 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 716 372 moveto 732 372 732 424 16 arcto 4 {pop} repeat 732 408 lineto 732 424 640 424 16 arcto 4 {pop} repeat 656 424 lineto 640 424 640 372 16 arcto 4 {pop} repeat 640 388 lineto 640 372 732 372 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 686 394 moveto (DPE ) tgifcentertext show 686 416 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray gsave gsave newpath 1008 372 moveto 1024 372 1024 424 16 arcto 4 {pop} repeat 1024 408 lineto 1024 424 800 424 16 arcto 4 {pop} repeat 816 424 lineto 800 424 800 372 16 arcto 4 {pop} repeat 800 388 lineto 800 372 1024 372 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 914 394 moveto (Communications Contents ) tgifcentertext show 914 416 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray gsave gsave newpath 496 372 moveto 512 372 512 424 16 arcto 4 {pop} repeat 512 408 lineto 512 424 420 424 16 arcto 4 {pop} repeat 436 424 lineto 420 424 420 372 16 arcto 4 {pop} repeat 420 388 lineto 420 372 512 372 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 466 394 moveto (Service ) tgifcentertext show 466 416 moveto (Security) tgifcentertext show grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 172 372 moveto 548 312 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 684 372 moveto 548 312 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 464 372 moveto 548 312 lineto tgiforigctm setmatrix 
1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 912 372 moveto 548 312 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % RCBOX 0 setgray newpath 202 474 moveto 218 474 218 546 16 arcto 4 {pop} repeat 218 530 lineto 218 546 114 546 16 arcto 4 {pop} repeat 130 546 lineto 114 546 114 474 16 arcto 4 {pop} repeat 114 490 lineto 114 474 218 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 202 474 moveto 218 474 218 546 16 arcto 4 {pop} repeat 218 530 lineto 218 546 114 546 16 arcto 4 {pop} repeat 130 546 lineto 114 546 114 474 16 arcto 4 {pop} repeat 114 490 lineto 114 474 218 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 166 495 moveto (Computing) tgifcentertext show 166 517 moveto (Resources) tgifcentertext show 166 539 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 98 474 moveto 114 474 114 546 16 arcto 4 {pop} repeat 114 530 lineto 114 546 10 546 16 arcto 4 {pop} repeat 26 546 lineto 10 546 10 474 16 arcto 4 {pop} repeat 10 490 lineto 10 474 114 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 98 474 moveto 114 474 114 546 16 arcto 4 {pop} repeat 114 530 lineto 114 546 10 546 16 arcto 4 {pop} repeat 26 546 lineto 10 546 10 474 16 arcto 4 {pop} repeat 10 490 lineto 10 474 114 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 64 495 moveto (Networking) tgifcentertext show 64 517 moveto (Resources) tgifcentertext show 64 539 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 278 474 moveto 294 474 294 546 16 arcto 4 {pop} repeat 294 530 lineto 294 546 218 546 16 arcto 4 {pop} repeat 234 546 lineto 218 546 218 474 16 arcto 4 {pop} repeat 218 490 lineto 218 474 294 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave 
newpath 278 474 moveto 294 474 294 546 16 arcto 4 {pop} repeat 294 530 lineto 294 546 218 546 16 arcto 4 {pop} repeat 234 546 lineto 218 546 218 474 16 arcto 4 {pop} repeat 218 490 lineto 218 474 294 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 256 506 moveto (NCCE) tgifcentertext show 256 528 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 483 474 moveto 499 474 499 546 16 arcto 4 {pop} repeat 499 530 lineto 499 546 387 546 16 arcto 4 {pop} repeat 403 546 lineto 387 546 387 474 16 arcto 4 {pop} repeat 387 490 lineto 387 474 499 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 483 474 moveto 499 474 499 546 16 arcto 4 {pop} repeat 499 530 lineto 499 546 387 546 16 arcto 4 {pop} repeat 403 546 lineto 387 546 387 474 16 arcto 4 {pop} repeat 387 490 lineto 387 474 499 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 443 498 moveto (Management) tgifcentertext show 443 520 moveto (Services) tgifcentertext show 443 542 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 563 474 moveto 579 474 579 546 16 arcto 4 {pop} repeat 579 530 lineto 579 546 499 546 16 arcto 4 {pop} repeat 515 546 lineto 499 546 499 474 16 arcto 4 {pop} repeat 499 490 lineto 499 474 579 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 563 474 moveto 579 474 579 546 16 arcto 4 {pop} repeat 579 530 lineto 579 546 499 546 16 arcto 4 {pop} repeat 515 546 lineto 499 546 499 474 16 arcto 4 {pop} repeat 499 490 lineto 499 474 579 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 503 495 moveto (Special) show 503 517 moveto (Security) show 503 539 moveto (Services) show grestore % RCBOX 0 setgray newpath 371 474 moveto 387 
474 387 546 16 arcto 4 {pop} repeat 387 530 lineto 387 546 311 546 16 arcto 4 {pop} repeat 327 546 lineto 311 546 311 474 16 arcto 4 {pop} repeat 311 490 lineto 311 474 387 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 371 474 moveto 387 474 387 546 16 arcto 4 {pop} repeat 387 530 lineto 387 546 311 546 16 arcto 4 {pop} repeat 327 546 lineto 311 546 311 474 16 arcto 4 {pop} repeat 311 490 lineto 311 474 387 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 349 495 moveto (Service) tgifcentertext show 349 517 moveto (Control) tgifcentertext show 349 539 moveto (Security) tgifcentertext show grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 320 602 moveto 444 546 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 452 602 moveto 444 546 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 560 602 moveto 444 546 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % RCBOX 0 setgray newpath 381 596 moveto 397 596 397 668 16 arcto 4 {pop} repeat 397 652 lineto 397 668 249 668 16 arcto 4 {pop} repeat 265 668 lineto 249 668 249 596 16 arcto 4 {pop} repeat 249 612 lineto 249 596 397 596 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 381 596 moveto 397 596 397 668 16 arcto 4 {pop} repeat 397 652 lineto 397 668 249 668 16 arcto 4 {pop} repeat 265 668 lineto 249 668 249 596 16 arcto 4 {pop} repeat 249 612 lineto 249 596 397 596 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 323 617 moveto (Systems) tgifcentertext show 323 639 moveto (Management) tgifcentertext show 323 661 moveto (Services Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 597 596 moveto 613 596 613 668 16 arcto 4 {pop} repeat 613 652 lineto 
613 668 505 668 16 arcto 4 {pop} repeat 521 668 lineto 505 668 505 596 16 arcto 4 {pop} repeat 505 612 lineto 505 596 613 596 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 597 596 moveto 613 596 613 668 16 arcto 4 {pop} repeat 613 652 lineto 613 668 505 668 16 arcto 4 {pop} repeat 521 668 lineto 505 668 505 596 16 arcto 4 {pop} repeat 505 612 lineto 505 596 613 596 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 559 617 moveto (DPE) tgifcentertext show 559 639 moveto (Management) tgifcentertext show 559 661 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 489 596 moveto 505 596 505 668 16 arcto 4 {pop} repeat 505 652 lineto 505 668 397 668 16 arcto 4 {pop} repeat 413 668 lineto 397 668 397 596 16 arcto 4 {pop} repeat 397 612 lineto 397 596 505 596 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 489 596 moveto 505 596 505 668 16 arcto 4 {pop} repeat 505 652 lineto 505 668 397 668 16 arcto 4 {pop} repeat 413 668 lineto 397 668 397 596 16 arcto 4 {pop} repeat 397 612 lineto 397 596 505 596 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 451 617 moveto (Service) tgifcentertext show 451 639 moveto (Management) tgifcentertext show 451 661 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 1021 474 moveto 1037 474 1037 546 16 arcto 4 {pop} repeat 1037 530 lineto 1037 546 965 546 16 arcto 4 {pop} repeat 981 546 lineto 965 546 965 474 16 arcto 4 {pop} repeat 965 490 lineto 965 474 1037 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 1021 474 moveto 1037 474 1037 546 16 arcto 4 {pop} repeat 1037 530 lineto 1037 546 965 546 16 arcto 4 {pop} repeat 981 546 lineto 965 546 965 474 16 arcto 4 {pop} repeat 965 490 lineto 965 474 1037 474 16 arcto 4 {pop} repeat 
closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 967 506 moveto (Stream) show 967 528 moveto (Security) show grestore % RCBOX 0 setgray newpath 949 474 moveto 965 474 965 546 16 arcto 4 {pop} repeat 965 530 lineto 965 546 829 546 16 arcto 4 {pop} repeat 845 546 lineto 829 546 829 474 16 arcto 4 {pop} repeat 829 490 lineto 829 474 965 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 949 474 moveto 965 474 965 546 16 arcto 4 {pop} repeat 965 530 lineto 965 546 829 546 16 arcto 4 {pop} repeat 845 546 lineto 829 546 829 474 16 arcto 4 {pop} repeat 829 490 lineto 829 474 965 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 897 495 moveto (End-to-End) tgifcentertext show 897 517 moveto (Communications) tgifcentertext show 897 539 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 655 474 moveto 671 474 671 546 16 arcto 4 {pop} repeat 671 530 lineto 671 546 595 546 16 arcto 4 {pop} repeat 611 546 lineto 595 546 595 474 16 arcto 4 {pop} repeat 595 490 lineto 595 474 671 474 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 655 474 moveto 671 474 671 546 16 arcto 4 {pop} repeat 671 530 lineto 671 546 595 546 16 arcto 4 {pop} repeat 611 546 lineto 595 546 595 474 16 arcto 4 {pop} repeat 595 490 lineto 595 474 671 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 633 495 moveto (DPE) tgifcentertext show 633 517 moveto (Node) tgifcentertext show 633 539 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 795 474 moveto 811 474 811 546 16 arcto 4 {pop} repeat 811 530 lineto 811 546 671 546 16 arcto 4 {pop} repeat 687 546 lineto 671 546 671 474 16 arcto 4 {pop} repeat 671 490 lineto 671 474 811 474 16 arcto 4 {pop} repeat closepath 1 
setgray fill 0 setgray gsave gsave newpath 795 474 moveto 811 474 811 546 16 arcto 4 {pop} repeat 811 530 lineto 811 546 671 546 16 arcto 4 {pop} repeat 687 546 lineto 671 546 671 474 16 arcto 4 {pop} repeat 671 490 lineto 671 474 811 474 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 741 495 moveto (DPE) tgifcentertext show 741 517 moveto (Communications) tgifcentertext show 741 539 moveto (Security) tgifcentertext show grestore % RCBOX 0 setgray newpath 596 276 moveto 612 276 612 312 16 arcto 4 {pop} repeat 612 296 lineto 612 312 488 312 16 arcto 4 {pop} repeat 504 312 lineto 488 312 488 276 16 arcto 4 {pop} repeat 488 292 lineto 488 276 612 276 16 arcto 4 {pop} repeat closepath 1 setgray fill 0 setgray gsave gsave newpath 596 276 moveto 612 276 612 312 16 arcto 4 {pop} repeat 612 296 lineto 612 312 488 312 16 arcto 4 {pop} repeat 504 312 lineto 488 312 488 276 16 arcto 4 {pop} repeat 488 292 lineto 488 276 612 276 16 arcto 4 {pop} repeat closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [18 0 0 -18 0 0] makefont setfont gsave 550 301 moveto (TINA Security) tgifcentertext show grestore grestore tgifsavedpage restore end %MatchingCreationDate: Sat Aug 23 12:07:03 1997 %%EndDocument @endspecial 1095 1700 a Fc(Figure)23 b(1.)g(TINA)g(security)g(pr)n(ob) o(lem)g(domain)-182 1967 y Fh(tication)g(of)h(the)g(user)-5 b(.)36 b(Anon)o(ymous)21 b(users)j(of)g(a)g(char)o(geable)e(ser)n(-) -182 2066 y(vice)29 b(may)f(be)h(authenticated)e(using)i(anon)o (ymized,)f(b)n(ut)h(char)o(ge-)-182 2166 y(able)22 b(\(e.g.)31 b(pre-paid\),)20 b(identities.)31 b(The)22 b(authentication)f(protocol) -182 2265 y(must)i(guarantee)e(that)i(no)g(secret)g(authenticating)e (information)g(is)-182 2365 y(re)n(v)o(ealed.)38 b(This)25 b(can)g(be)g(achie)n(v)o(ed)f(best)h(by)g(mutual)f(authentica-)-182 2465 y(tion)j(of)g(the)g(user)h(and)f(the)g(pro)o(vider)-5 b(.)45 b(The)27 
b(inte)o(grity)f(of)h(service)-182 2564 y(control)32 b(includes)h(inte)o(grity)f(of)h(subscription)f(v)o (eri\256cation)g(and)-182 2664 y(accounting.)21 b(Access)d(to)g(the)f (service)g(functionality)e(is)j(controlled)-182 2764 y(at)28 b(tw)o(o)h(le)n(v)o(els,)g(the)f(DPE)h(le)n(v)o(el)f(and)f(the) h(service)g(le)n(v)o(el.)48 b(At)29 b(the)-182 2863 y(DPE)20 b(le)n(v)o(el,)f(a)g(coarse-grained)e(access)j(control)f(based)g(on)g (the)g(au-)-182 2963 y(thenticated)h(identities)i(of)f(the)h(users)f (in)m(v)n(olv)o(ed)f(in)i(a)g(session)g(pre-)-182 3062 y(v)o(ents)e(attempts)g(by)h(others)f(to)h(in)m(v)n(ok)o(e)e (operations)g(of)i(the)f(service)-182 3162 y(components)13 b(in)m(v)n(olv)o(ed)h(in)i(the)g(session.)24 b(At)16 b(the)g(service)g(le)n(v)o(el,)g(the)-182 3262 y(service)30 b(logic)g(implemented)e(in)j(the)f(service)g(component)e(con-)-182 3361 y(trols)16 b(the)h(access)g(to)g(service)g(speci\256c)g (information)d(and)i(function-)-182 3461 y(ality)h(based)g(on)g(the)g (authenticated)f(identities,)h(conte)o(xt,)f(and)h(state)-182 3561 y(information.)44 b(Inte)o(grity)26 b(and)g(con\256dentiality)g (of)h(the)h(messages)-182 3660 y(e)o(xchanged)15 b(between)i(the)h (service)g(component')-5 b(s)16 b(operational)g(in-)-182 3760 y(terf)o(aces)j(is)h(achie)n(v)o(ed)e(by)h(the)g(acti)n(v)n(ation) f(of)h(the)g(appropriate)e(fea-)-182 3859 y(tures)g(of)g(the)g(DPE)h (security)f(services.)24 b(These)17 b(features)g(must)g(pro-)-182 3959 y(vide)h(not)h(only)g(the)g(protection)f(of)h(the)g(inte)o(grity)f (of)h(the)h(messages)-182 4059 y(and)28 b(their)h(temporal)f(order)g(b) n(ut)i(also)f(protection)f(against)g(inter)n(-)-182 4158 y(ruption)19 b(of)j(the)f(control)f(connection)g(itself,)i(as)g(we)g (ha)n(v)o(e)f(demon-)-182 4258 y(strated)27 b(in)g([19].)45 b(Special)28 b(cases)g(of)f(services)g(are)g(management)-182 4358 y(services)17 b(and)h(special)g(security)f(services.)24 b(Both)18 b(require)f(a)h(poten-)-182 4457 y(tially)f(higher)e(de)o 
(gree)h(of)h(security)f(\(e.g.,)g(stronger)g(authentication)-182 4557 y(mechanisms,)f(longer)g(cryptographic)d(k)o(e)o(ys,)17 b(or)e(a)i(physically)d(bet-)-182 4656 y(ter)25 b(secured)g(DPE)h(node) e(for)h(their)g(implementation\).)38 b(The)25 b(spe-)-182 4756 y(cial)g(security)f(services)g(pro)o(vide)f(specialized)h (security)g(features,)-182 4856 y(e.g.,)d(digital)h(cash)f(support,)g (that)h(are)g(not)f(present)g(in)h(e)n(v)o(ery)f(DPE)-182 4955 y(node)i(b)n(ut)h(are)f(supported)f(by)i(dedicated)f(pro)o(viders) f(\(retailers)h(or)-182 5055 y(third)c(party)g(service)h(pro)o (viders\))e(at)i(the)h(service)e(le)n(v)o(el.)25 b(The)20 b(man-)-182 5155 y(agement)31 b(services)i(are)g(concerned)e(with)i (the)g(management)e(of)-182 5254 y(systems,)17 b(services)f(and)f(the)h (DPE.)g(The)g(security)f(of)h(management)1974 1967 y(services)i(is)g (crucial,)g(since)g(ille)o(gal)f(access)h(to)g(management)d(func-)1974 2066 y(tionality)j(may)h(be)g(used)f(for)h(the)g(implantation)e(of)i (backdoors.)j(Of)1974 2166 y(particular)16 b(concern)g(is)j(the)e (management)f(of)h(the)h(DPE,)f(which)g(in-)1974 2265 y(cludes)j(the)g(management)e(of)i(the)g(DPE)h(security)e(services.) 
1974 2465 y Fd(DPE)i(Security:)1974 2564 y Fh(DPE)e(security)g(is)h (mainly)f(concerned)e(with)i(the)g(pre)n(v)o(ention)e(of)i(il-)1974 2664 y(le)o(gal)j(access)i(to)g(computational)c(objects)j(\(CO\))h(and) f(CO)h(groups)1974 2764 y(as)18 b(well)g(as)g(the)f(protection)e(of)i (transmitted)g(messages)g(containing)1974 2863 y(ar)o(guments,)e (results,)j(and)e(e)o(xceptions)f(of)h(object)h(in)m(v)n(ocations)e (and)1974 2963 y(noti\256cations.)23 b(DPE)c(node)f(security)g(also)h (pro)o(vides)e(the)i(means)f(to)1974 3062 y(audit)e(and)g(report)g (security)g(rele)n(v)n(ant)f(e)n(v)o(ents)h(on)g(the)h(node)f(accord-) 1974 3162 y(ing)25 b(to)g(the)h(audit)f(speci\256cations)f(de\256ned)h (by)g(the)g(administrator)1974 3262 y(\(see)d(also)f([6])g([7]\).)28 b(DPE)22 b(security)f(includes)g(the)g(security)g(of)g(the)1974 3361 y(DPE)f(implementation)d(and)i(its)i(basic)f(services,)f(such)h (as)g(the)g(Ob-)1974 3461 y(ject)h(Services)f(in)h(CORB)m(A.)h(Since)f (our)e(architectural)g(placement)1974 3561 y(of)26 b(security)g (functionality)f(allocates)i(the)f(general)g(security)g(ser)n(-)1974 3660 y(vices)d(and)g(mechanisms)f(to)h(the)g(DPE)g(\(see)h(Section)e (4\),)i(also)f(the)1974 3760 y(security)18 b(of)h(the)g(security)f (services)h(themselv)o(es)g(is)h(part)e(the)h(secu-)1974 3859 y(rity)h(of)g(the)g(DPE.)1974 4059 y Fd(Communications)g(Contents) g(Security:)1974 4158 y Fh(Communication)d(contents)i(security)h(is)g (concerned)e(with)i(the)g(au-)1974 4258 y(thenticity)-5 b(,)26 b(inte)o(grity)-5 b(,)26 b(and)g(con\256dentiality)f(of)h(the)g (service)g(con-)1974 4358 y(tents)37 b(information.)71 b(Since)37 b(all)g(service)f(content)g(information)1974 4457 y(is)42 b(deli)n(v)o(ered)e(in)h(the)h(form)e(of)h(streams,)47 b(it)42 b(deals)f(only)g(with)1974 4557 y(streams.)26 b(Streams)20 b(are)g(protected)f(using)h(cryptographic)d(mecha-)1974 4656 y(nisms,)g(preferably)d(stream)i(ciphers)g([17])f([18])g(or)h (special)h(ciphers)1974 4756 y(for)j(certain)f(information)f(formats,)h 
(e.g.,)h(v)n(oice)g(or)g(video)f(data.)25 b(If)1974 4856 y(the)e(service)g(implemented)e(in)i(the)h(pro)o(vider')-5 b(s)21 b(domain)h(does)g(not)1974 4955 y(require)i(an)o(y)i (modi\256cation)e(of)h(the)h(stream)g(between)f(tw)o(o)h(users,)1974 5055 y(the)o(y)k(can)g(ha)n(v)o(e)g(end-to-end)e(security)-5 b(.)55 b(Otherwise,)33 b(only)c(user)n(-)1974 5155 y(pro)o(vider)20 b(security)i(can)g(be)g(pro)o(vided.)30 b(The)22 b(management)e(of)i (the)1974 5254 y(necessary)d(k)o(e)o(ys)h(is)h(part)f(of)g(the)g (service)g(control.)1859 5574 y(3)p eop %%Page: 4 4 4 3 bop -182 83 a Fj(3)o(.)25 b(CORB)m(A)g(security)-83 297 y Fh(The)37 b(CORB)m(A)h(Security)f(speci\256cation)f([13])g(has)h (been)f(re-)-182 397 y(leased)27 b(by)g(the)g(OMG)h(to)f(pro)o(vide)f (the)h(model,)h(architecture,)f(as)-182 497 y(well)g(as)h(usage)f(and)g (administration)e(interf)o(aces)i(for)f(security)h(in)-182 596 y(CORB)m(A)39 b([12])d(systems.)77 b(There)36 b(are)i(tw)o(o)f(le)n (v)o(els)h(of)f(confor)n(-)-182 696 y(mance.)53 b(Some)30 b(features)g(are)g(optional.)53 b(Thus,)32 b(not)e(all)g(secure)-182 795 y(CORB)m(A)f(implementations)d(will)i(pro)o(vide)e(the)i(complete)e (func-)-182 895 y(tionality)19 b(speci\256ed.)-83 995 y(The)c(basic)h(notion)e(is)j(the)e(secure)h(object)f(in)m(v)n (ocation.)21 b(F)o(or)15 b(each)-182 1094 y(object)25 b(in)m(v)n(ocation,)h(the)g(request)f(from)h(the)g(client)g(object)g (to)g(the)-182 1194 y(tar)o(get)14 b(object)h(is)h(subject)f(to)g (access)h(control)e(by)h(the)g(ORB)i(security)-182 1294 y(implementation.)35 b(This)25 b(access)g(control)f(may)g(tak)o(e)g (place)h(at)g(the)-182 1393 y(client)20 b(side,)h(the)f(tar)o(get)f (side,)i(or)f(on)g(both)g(sides.)26 b(Figure)19 b(2)i(sho)n(ws)-182 1493 y(a)i(secure)g(object)f(in)m(v)n(ocation.)32 b(The)23 b(access)h(is)g(decided)e(based)g(on)-182 1592 y(information)h(bound)h (to)j(the)f(tar)o(get)f(object,)i(and/or)d(information)-182 1692 y(link)o(ed)e(to)h(the)h(client)f(object')-5 b(s)23 b(request.)33 b(The)23 
b(latter)g(information)-182 1792 y(is)h(referred)e(to)h(as)i(credentials.)34 b(A)24 b(credential)e (consists)i(of)f(unau-)-182 1891 y(thenticated)j(and)h(authenticated)f (attrib)n(utes.)47 b(Authenticated)26 b(at-)-182 1991 y(trib)n(utes)j(are)h(identity)e(and)h(pri)n(vile)o(ge)f(attrib)n (utes.)53 b(This)30 b(general)-182 2091 y(model)h(enables)h(a)h(lar)o (ge)e(v)n(ariety)h(of)g(access)h(control)e(schemes,)-182 2190 y(ranging)25 b(from)h(access)i(control)f(lists)h(o)o(v)o(er)e (capabilities)h(to)h(label)-182 2290 y(based)19 b(schemes.)25 b(The)19 b(scale)i(of)e(access)i(control)d(is)j(not)e(speci\256ed,)-182 2389 y(b)n(ut)e(it)i(can)e(be)h(assumed)f(that)h(implementors)d(will)k (pro)o(vide)c(access)-182 2489 y(control)k(do)n(wn)g(to)h(the)g (granularity)e(of)i(operations.)-136 3650 y @beginspecial @setspecial %%BeginDocument: secinvoc.epsss /sf {113 239 div} def /llx {-77} def /lly {-548} def /vx {llx sf mul} def /vy {lly sf mul} def vx vy translate sf sf scale /tgifdict 39 dict def tgifdict begin /tgifellipsedict 6 dict def tgifellipsedict /mtrx matrix put /tgifellipse { tgifellipsedict begin /yrad exch def /xrad exch def /y exch def /x exch def /savematrix mtrx currentmatrix def x y translate xrad yrad scale 0 0 1 0 360 arc savematrix setmatrix end } def /tgifarrowtipdict 8 dict def tgifarrowtipdict /mtrx matrix put /tgifarrowtip { tgifarrowtipdict begin /dy exch def /dx exch def /h exch def /w exch def /y exch def /x exch def /savematrix mtrx currentmatrix def x y translate dy dx atan rotate 0 0 moveto w neg h lineto w neg h neg lineto savematrix setmatrix end } def /tgifpatdict 10 dict def /tgifpatbyte { currentdict /retstr get exch pat i cellsz mod get put } def /tgifpatproc { 0 1 widthlim {tgifpatbyte} for retstr /i i 1 add def } def /tgifpatfill { tgifpatdict begin /h exch def /w exch def /lty exch def /ltx exch def /cellsz exch def /pat exch def /widthlim w cellsz div cvi 1 sub def /retstr widthlim 1 add string def /i 0 def tgiforigctm setmatrix ltx lty 
translate w h true [1 0 0 1 0 0] {tgifpatproc} imagemask ltx neg lty neg translate end } def /pat3 <8000000008000000> def /pat4 <8800000022000000> def /pat5 <8800220088002200> def /pat6 <8822882288228822> def /pat7 def /pat8 <77dd77dd77dd77dd> def /pat9 <77ffddff77ffddff> def /pat10 <77ffffff77ffffff> def /pat11 <7fffffff7fffffff> def /pat12 <8040200002040800> def /pat13 <40a00000040a0000> def /pat14 def /pat15 def /pat16 def /pat17 <038448300c020101> def /pat18 <081c22c180010204> def /pat19 <8080413e080814e3> def /pat20 <8040201008040201> def /pat21 <8844221188442211> def /pat22 <77bbddee77bbddee> def /pat23 def /pat24 <7fbfdfeff7fbfdfe> def /pat25 <3e1f8fc7e3f1f87c> def /pat26 <0102040810204080> def /pat27 <1122448811224488> def /pat28 def /pat29 <83070e1c3870e0c1> def /pat30 def /pat31 <7cf8f1e3c78f1f3e> def end tgifdict begin /tgifsavedpage save def 1 setmiterlimit 1 setlinewidth 0 setgray 72 0 mul 72 11.70 mul translate 72 128 div 100.000 mul 100 div dup neg scale gsave /tgiforigctm matrix currentmatrix def % OVAL 0 setgray gsave newpath 820 150 50 50 tgifellipse closepath 1 setgray fill 0 setgray newpath 820 150 50 50 tgifellipse closepath eoclip newpath pat4 8 768 96 104 112 tgifpatfill grestore gsave gsave newpath 820 150 50 50 tgifellipse 2 setlinewidth stroke grestore grestore % OVAL 0 setgray gsave newpath 300 150 50 50 tgifellipse closepath 1 setgray fill 0 setgray newpath 300 150 50 50 tgifellipse closepath eoclip newpath pat4 8 248 96 104 112 tgifpatfill grestore gsave gsave newpath 300 150 50 50 tgifellipse 2 setlinewidth stroke grestore grestore % TEXT 0 setgray gsave newpath 784 119 moveto 858 119 lineto 858 178 lineto 784 178 lineto closepath 1 setgray fill 0 setgray newpath 784 119 moveto 858 119 lineto 858 178 lineto 784 178 lineto closepath eoclip newpath pat4 8 784 112 80 72 tgifpatfill grestore /Helvetica findfont [25 0 0 -25 0 0] makefont setfont gsave 785 144 moveto (Target) show 785 173 moveto (Object) show grestore % TEXT 0 setgray gsave 
newpath 269 134 moveto 335 134 lineto 335 164 lineto 269 164 lineto closepath 1 setgray fill 0 setgray newpath 269 134 moveto 335 134 lineto 335 164 lineto 269 164 lineto closepath eoclip newpath pat4 8 264 128 72 40 tgifpatfill grestore /Helvetica findfont [25 0 0 -25 0 0] makefont setfont gsave 270 159 moveto (Client) show grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 140 325 moveto 190 285 lineto 190 300 lineto 940 300 lineto 940 285 lineto 990 325 lineto 940 365 lineto 940 350 lineto 190 350 lineto 190 365 lineto 140 325 lineto closepath 1 setgray eofill 0 setgray newpath 140 325 moveto 190 285 lineto 190 300 lineto 940 300 lineto 940 285 lineto 990 325 lineto 940 365 lineto 940 350 lineto 190 350 lineto 190 365 lineto 140 325 lineto closepath eoclip newpath pat6 8 136 280 856 88 tgifpatfill grestore gsave newpath 140 325 moveto 190 285 lineto 190 300 lineto 940 300 lineto 940 285 lineto 990 325 lineto 940 365 lineto 940 350 lineto 190 350 lineto 190 365 lineto 140 325 lineto tgiforigctm setmatrix 2 setlinewidth stroke 1 setlinewidth grestore % TEXT 0 setgray /Helvetica findfont [25 0 0 -25 0 0] makefont setfont gsave 525 324 moveto (ORB) show grestore % TEXT 0 setgray /Helvetica findfont [25 0 0 -25 0 0] makefont setfont gsave 150 399 moveto (client-side security on invocations) show 150 428 moveto (\(security association,) show 150 457 moveto ( access control,) show 150 486 moveto ( message protection,) show 150 515 moveto ( audit\)) show grestore % TEXT 0 setgray /Helvetica findfont [25 0 0 -25 0 0] makefont setfont gsave 605 399 moveto (target-side security on invocations) show 605 428 moveto (\(security association,) show 605 457 moveto ( access control,) show 605 486 moveto ( message protection,) show 605 515 moveto ( audit\)) show grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 300 200 moveto 300 325 lineto 310 335 lineto 810 335 lineto 820 325 lineto 820 200 lineto tgiforigctm setmatrix 6 setlinewidth stroke 1 setlinewidth grestore % 
POLY/OPEN-SPLINE 0 setgray gsave newpath 820 305 moveto -75 0 atan dup cos 20.000 mul 820 exch sub exch sin 20.000 mul 230 exch sub lineto tgiforigctm setmatrix 6 setlinewidth stroke 1 setlinewidth grestore gsave tgiforigctm setmatrix newpath 820 230 20.000 8.000 0 -75 tgifarrowtip 1 setgray closepath fill 0 setgray newpath 820 230 20.000 8.000 0 -75 tgifarrowtip closepath fill grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 300 205 moveto 55 0 atan dup cos 20.000 mul 300 exch sub exch sin 20.000 mul 260 exch sub lineto tgiforigctm setmatrix 6 setlinewidth stroke 1 setlinewidth grestore gsave tgiforigctm setmatrix newpath 300 260 20.000 8.000 0 55 tgifarrowtip 1 setgray closepath fill 0 setgray newpath 300 260 20.000 8.000 0 55 tgifarrowtip closepath fill grestore % BOX 0 setgray gsave newpath 285 315 moveto 325 315 lineto 325 345 lineto 285 345 lineto closepath 1 setgray fill 0 setgray newpath 285 315 moveto 325 315 lineto 325 345 lineto 285 345 lineto closepath eoclip newpath pat16 8 280 312 48 40 tgifpatfill grestore gsave 10 setmiterlimit gsave newpath 285 315 moveto 325 315 lineto 325 345 lineto 285 345 lineto closepath 3 setlinewidth stroke grestore grestore % BOX 0 setgray gsave newpath 790 315 moveto 830 315 lineto 830 345 lineto 790 345 lineto closepath 1 setgray fill 0 setgray newpath 790 315 moveto 830 315 lineto 830 345 lineto 790 345 lineto closepath eoclip newpath pat16 8 784 312 48 40 tgifpatfill grestore gsave 10 setmiterlimit gsave newpath 790 315 moveto 830 315 lineto 830 345 lineto 790 345 lineto closepath 3 setlinewidth stroke grestore grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 310 340 moveto 295 380 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 805 340 moveto 830 380 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore grestore tgifsavedpage restore end %MatchingCreationDate: Thu Mar 20 20:56:27 1997 %%EndDocument @endspecial 129 3832 a 
Fc(Figure)j(2.)g(Secure)h(object)f(in)m(v)n (ocation)-83 4030 y Fh(The)j(client)g(object)f(acts)h(on)g(behalf)f(of) g(a)i(principal.)40 b(In)26 b(most)-182 4129 y(cases,)41 b(the)36 b(principal)g(is)h(a)g(human)e(user)-5 b(.)74 b(In)37 b(some)f(cases,)41 b(it)-182 4229 y(may)20 b(be)h(a)g(system)g (entity)-5 b(,)20 b(comparable)f(to)i(a)h(system)f(account)e(on)-182 4329 y(UNIX)j(computers.)31 b(F)o(or)22 b(an)g(object)g(in)m(v)n (ocation,)f(the)i(credentials)-182 4428 y(of)f(the)g(client)h(object)f (are)g(contained)f(in)i(a)g(dedicated)e(credentials)-182 4528 y(object)31 b(which)g(is)i(referenced)c(by)i(the)h(object)f (representing)f(the)-182 4628 y(current)20 b(e)o(x)o(ecution)f(conte)o (xt.)28 b(The)21 b(credentials)g(object)g(is)i(created)-182 4727 y(for)h(the)h(principal)f(as)i(the)f(result)g(of)f(the)h (authentication)e(process)-182 4827 y(of)d(the)g(principal.)-83 4926 y(Access)d(control)d(is)i(only)f(one)g(of)h(se)n(v)o(eral)f (concerns)f(of)h(a)h(secure)-182 5026 y(object)k(in)m(v)n(ocation.)25 b(A)d(secure)e(object)g(in)m(v)n(ocation)f(requires)h(a)i(se-)-182 5126 y(curity)f(association)g(between)g(client)h(and)g(tar)o(get)f (object.)30 b(In)21 b(a)i(se-)-182 5225 y(curity)e(association,)h(both) f(parties)h(trust)g(the)g(claimed)g(identity)f(of)-182 5325 y(each)f(other)-5 b(.)25 b(This)20 b(may)g(require)f(additional,)g (mutual)g(authentica-)1974 83 y(tion)j(with)g(the)g(creation)f(of)h (additional)e(credentials,)i(particularly)1974 183 y(if)28 b(the)g(tw)o(o)g(objects)f(do)h(not)f(reside)h(in)f(the)h(same)g(ORB)h (system.)1974 282 y(A)21 b(security)g(association)f(will)i(normally)e (persist)h(for)g(man)o(y)e(inter)n(-)1974 382 y(actions.)37 b(Depending)22 b(on)h(the)i(security)e(polic)o(y)-5 b(,)24 b(inte)o(grity)e(and/or)1974 482 y(con\256dentiality)j(of)i(requests)g (and)f(responses)g(within)h(a)h(security)1974 581 y(association)23 b(may)g(be)g(protected)f(by)h(cryptographic)d(means.)34 b(F)o(or)1974 681 y(security)25 b(auditing,)g(security)g(rele)n(v)n 
(ant)f(actions)h(may)g(be)h(logged.)1974 780 y(As)g(an)g(option,)f (CORB)m(A)j(security)d(implementations)e(may)i(pro-)1974 880 y(vide)34 b(support)f(for)g(non-repudiation)d(to)35 b(the)f(applications)f(pro-)1974 980 y(grammer)-5 b(.)2073 1100 y(The)19 b(CORB)m(A)i(security)d(document)f(does)i(not)g(specify)f (the)h(un-)1974 1199 y(derlying)28 b(security)h(technology)f(itself.)54 b(Instead,)31 b(it)g(de\256nes)e(in-)1974 1299 y(terf)o(aces)e(for)f (the)h(use)g(and)f(administration)f(of)i(the)g(security)f(ser)n(-)1974 1399 y(vice\(s\))f(and)h(interf)o(aces)f(to)i(inte)o(grate)d(security)i (technology)d(into)1974 1498 y(ORB)31 b(implementations.)52 b(In)29 b(a)i(security)e(enhanced)f(ORB)j(sys-)1974 1598 y(tem,)h(security)d(is)i(imposed)e(at)h(tw)o(o)g(le)n(v)o(els,)i(the)e (administration)1974 1698 y(le)n(v)o(el)22 b(and)h(the)g(application)e (le)n(v)o(el.)32 b(Security)23 b(policies)f(for)h(access)1974 1797 y(control,)28 b(message)f(protection)f(and)i(audit)f(are)g (speci\256ed)h(by)f(the)1974 1897 y(administrator)-5 b(.)47 b(A)28 b(security)f(polic)o(y)g(is)i(represented)d(by)h(a)h (secu-)1974 1996 y(rity)20 b(polic)o(y)f(object.)25 b(One)20 b(security)g(polic)o(y)f(may)h(be)g(v)n(alid)g(for)g(one)1974 2096 y(or)26 b(more)g(security)g(domains.)44 b(Each)26 b(security)g(domain)g(contains)1974 2196 y(a)g(domain)e(manager)g (object)h(which)g(references)g(the)g(v)n(alid)g(secu-)1974 2295 y(rity)e(polic)o(y)f(object)h(for)g(this)g(domain.)33 b(The)23 b(af)o(\256liation)f(of)h(an)h(ob-)1974 2395 y(ject)18 b(to)g(a)g(security)f(domain)f(is)i(determined)e(by)h(the)h (administrator)-5 b(.)1974 2495 y(The)19 b(respecti)n(v)o(e)g(policies) g(are)g(in)h(each)g(case)g(enforced)d(on)i(the)h(ob-)1974 2594 y(ject.)39 b(At)25 b(the)g(application)e(le)n(v)o(el,)i (additional)f(security)g(measures)1974 2694 y(may)e(be)g(enforced)e(by) i(the)g(applications)g(themselv)o(es.)30 b(This)23 b(may)1974 2793 y(be)f(done)f(by)g(the)h(additional)e(enforcement)g(of)h (administrator)g(de-)1974 
2893 y(\256ned)e(policies)h(and/or)f(the)h (direct)f(use)h(of)g(security)f(features)g(such)1974 2993 y(as)i(non-repudiation.)g(The)g(application)d(enforced)h(security) h(mea-)1974 3092 y(sures)g(cannot)f(o)o(v)o(erride)f(administrator)h (enforced)f(policies.)2073 3212 y(There)24 b(are)h(four)e(types)i(of)f (domains)g(re)o(garding)d(security:)34 b(se-)1974 3312 y(curity)25 b(domains,)h(security)f(polic)o(y)g(domains,)g(security)h (en)m(viron-)1974 3412 y(ment)15 b(domains,)h(and)f(security)g (technology)f(domains.)22 b(A)17 b(security)1974 3511 y(domain)i(is)i(the)f(domain)f(that)h(is)h(administered)e(by)h(one)f (authority)-5 b(.)1974 3611 y(A)19 b(security)g(polic)o(y)f(domain)g (is)i(the)f(scope)g(o)o(v)o(er)f(which)g(a)i(security)1974 3711 y(polic)o(y)29 b(is)i(enforced.)52 b(In)30 b(most)g(cases,)j(it)e (is)f(identical)g(with)g(the)1974 3810 y(security)20 b(domain.)27 b(A)21 b(security)g(en)m(vironment)d(domain)i(is)i(the)f (do-)1974 3910 y(main)k(in)h(which)f(the)h(enforcement)d(of)i(the)h (security)f(polic)o(y)g(may)1974 4009 y(be)h(achie)n(v)o(ed)e(by)h (local)h(means,)h(e.g.)41 b(objects)26 b(on)g(the)f(same)i(ma-)1974 4109 y(chine.)k(A)24 b(security)e(technology)e(domain)h(is)j(a)f(set)g (of)f(objects)h(for)1974 4209 y(which)g(the)g(same)h(technology)d (\(e.g.,)i(K)n(erberos)f([11]\))g(is)i(used)f(to)1974 4308 y(enforce)c(the)h(policies.)2073 4428 y(Secure)34 b(interoperation)e(between)h(objects)h(depends)f(on)h(the)1974 4528 y(membership)19 b(of)i(the)h(objects)f(to)h(security)f(technology) d(domains,)1974 4628 y(ORB)h(technology)d(domains,)i(and)g(security)f (polic)o(y)h(domains.)23 b(In-)1974 4727 y(teroperability)29 b(between)i(objects)g(in)h(dif)o(ferent)d(security)i(polic)o(y)1974 4827 y(domains)26 b(can)g(only)h(be)f(achie)n(v)o(ed)g(if)h(both)f (domains)g(agree)g(on)h(a)1974 4926 y(cooperation)e(security)i(polic)o (y)f(for)h(the)g(respecti)n(v)o(e)f(interactions.)1974 5026 y(This)35 b(cooperation)e(polic)o(y)h(may)h(be)h(ne)o(gotiated)d 
(at)j(in)m(v)n(ocation)1974 5126 y(time)c(or)g(in)h(adv)n(ance.)60 b(In)32 b(the)g(simplest)h(case,)j(only)31 b(the)h(secu-)1974 5225 y(rity)h(polic)o(y)g(for)g(the)g(tar)o(get)g(is)h(applied.)64 b(Objects)34 b(in)g(dif)o(ferent)1974 5325 y(ORB)22 b(technology)d (domains)g(can,)i(technically)-5 b(,)19 b(interact)i(without)1859 5574 y(4)p eop %%Page: 5 5 5 4 bop -182 83 a Fh(problems)28 b(using)h(the)g(Secure)h(Inter)n(-ORB) f(protocol)f(\(SECIOP\))-182 183 y(as)19 b(speci\256ed)f(in)h([13],)e (as)i(long)f(as)h(the)g(same)f(security)g(technology)-182 282 y(is)23 b(used)e(on)h(both)f(sides.)31 b(\(W)-7 b(e)23 b(do)e(not)h(consider)f(the)g(gate)n(w)o(ay)g(ap-)-182 382 y(proach)i(for)i(inter)n(-ORB-interoperability)e(to)i(be)h(used)f (in)g(TIN)m(A.)-182 482 y(Ho)n(we)n(v)o(er)m(,)19 b(the)j(follo)n(wing) d(w)o(ould)i(also)h(apply)e(in)h(this)h(case.\))29 b(Ac-)-182 581 y(cording)16 b(to)i(the)f(CORB)m(A)j(security)d(speci\256cation,)g (interoperabil-)-182 681 y(ity)22 b(between)f(objects)h(in)g(systems)h (with)f(dif)o(ferent)e(security)i(tech-)-182 780 y(nology)f(requires)h (a)h(security)g(technology)d(gate)n(w)o(ay)-5 b(.)32 b(This)24 b(is)g(ob-)-182 880 y(viously)e(not)h(a)h(trust)g(problem)d (if)j(both)f(security)g(technology)e(do-)-182 980 y(mains)31 b(are)g(in)g(the)g(same)h(security)e(domain)g(\(one)g(common)g(se-)-182 1079 y(curity)e(administration\).)50 b(It)29 b(may)g(cause)g(trust)g (problems)f(if)h(the)-182 1179 y(boundary)20 b(between)i(security)g (domains)f(\(with)i(dif)o(ferent)e(admin-)-182 1279 y(istrations\))26 b(is)h(also)g(a)f(boundary)e(between)i(security)f(technology)-182 1378 y(domains.)d(F)o(or)15 b(instance,)h(assume)g(one)f(security)g (domain)g(\(and)g(se-)-182 1478 y(curity)22 b(technology)f(domain)h (using)h(asymmetric)f(cryptography\))-182 1577 y(pro)o(viding)27 b(the)j(non-repudiation)d(service)j(using)f(digital)h(signa-)-182 1677 y(tures)20 b(and)g(another)f(security)h(domain)f(\(and)h(security) f(technology)-182 1777 y(domain)14 
b(using)h(only)g(symmetric)g (cryptography\))c(pro)o(viding)i(non-)-182 1876 y(repudiation)h(using)i (notary)f(serv)o(ers.)23 b(In)16 b(general,)g(a)h(security)e(tech-)-182 1976 y(nology)21 b(gate)n(w)o(ay)i(cannot)f(be)i(realized)f(without)g (the)g(administra-)-182 2076 y(tors)h(of)f(both)g(security)g(domains)g (trusting)g(each)h(other)f(or)g(a)i(third)-182 2175 y(party)14 b(that)i(runs)f(the)h(gate)n(w)o(ay)-5 b(.)21 b(A)c(less)f(restricti)n (v)o(e)f(solution)g(w)o(ould)-182 2275 y(be)20 b(to)g(ne)o(gotiate)f (the)h(security)g(technology)d(used.)-83 2379 y(The)44 b(speci\256cation)f(for)h(secure)f(interoperability)f(between)-182 2478 y(ORBs)21 b(e)o(xtends)e(the)g(CORB)m(A)j(2.0)d(standard)g(which)g (speci\256es)h(in-)-182 2578 y(teroperability)-5 b(.)40 b(The)26 b(information)d(which)j(security)f(technology)-182 2677 y(the)i(tar)o(get)g(requires)g(and)g(which)h(security)f (mechanisms)g(it)h(sup-)-182 2777 y(ports)15 b(is)i(part)f(of)g(the)g (interoperable)e(object)h(reference)g(\(IOR\).)g(The)-182 2877 y(Common)i(Secure)h(Interoperability)d(Speci\256cation)j(\(CSI\))h (by)f(the)-182 2976 y(OMG)24 b([14])g(allo)n(ws)g(the)h(protocols)e(of) h(three)g(security)g(technolo-)-182 3076 y(gies)f(within)f(the)h (SECIOP)-9 b(,)23 b(namely)f(SPKM,)h(K)n(erberos,)g(and)f(the)-182 3176 y(ECMA)16 b(security)f(protocol.)22 b(If)15 b(the)h (interoperability)d(between)i(the)-182 3275 y(ORBs)24 b(is)g(based)f(on)g(DCE)h([16],)e(the)h(DCE)h(security)e(technology) -182 3375 y(based)28 b(on)h(the)g(K)n(erberos)e(protocol)h(can)g(also)i (be)f(used)f([13].)50 b(A)-182 3475 y(recent)26 b(proposal)f([15])g(w)o (ants)i(to)g(allo)n(w)f(to)h(base)g(inter)n(-ORB)g(se-)-182 3574 y(curity)i(on)h(the)g(Secure)g(Sock)o(et)g(Layer)f(\(SSL\))i ([10].)54 b(Based)30 b(on)-182 3674 y(the)h(information)d(in)j(the)g (IOR,)h(a)f(security)f(conte)o(xt)g(acceptable)-182 3773 y(for)21 b(both)h(sides)g(can)g(be)h(determined.)29 b(The)22 b(establishment)f(of)h(the)-182 3873 y(respecti)n(v)o(e)29 
b(security)g(association)h(and)f(the)i(protection)d(of)i(mes-)-182 3973 y(sages)24 b(are)g(controlled)e(by)i(security)g(tok)o(ens)f(which) h(are)g(added)f(to)-182 4072 y(the)18 b(Inter)n(-ORB-Protocols.)k(K)n (e)o(y)c(management)e(is)j(not)f(e)o(xplicitly)-182 4172 y(dealt)i(with)g(in)g(the)h(CORB)m(A)h(security)d(speci\256cation.)-182 4417 y Fj(4)o(.)25 b(Pr)n(o)o(viding)g(security)g(f)n(or)g(TIN)n(A)-83 4645 y Fh(Security)32 b(features)g(in)h(TIN)m(A)g(are)f(implemented)f (at)i(v)n(arious)-182 4745 y(le)n(v)o(els.)61 b(In)32 b(our)g(approach,)h(the)f(DPE)h(of)o(fers)e(general)g(security)-182 4845 y(services)c(and)g(security)f(mechanisms)963 4814 y Fb(1)1027 4845 y Fh(to)h(the)g(applications.)45 b(In)p -182 4932 788 4 v -97 4986 a Fa(1)-63 5010 y Ff(Unlik)o(e)21 b(the)e(CORB)n(A)g(security)h(speci\256cations)i([13])d([14],)g(we)f (use)h(the)h(term)-182 5088 y(security)j(mechanism)g(in)f(the)h(sense)f (as)g(introduced)i(in)e(the)g(OSI)g(security)h(archi-)-182 5167 y(tecture)d([5],)e(i.e.)25 b(for)18 b(an)g(abstract)j(mechanism)e (that)g(can)g(be)g(used)f(to)h(pro)o(vide)g(one)-182 5246 y(or)k(more)g(security)i(services)g(\(e.g.,)f(a)f(digital)j (signature\),)h(b)o(ut)c(does)h(usually)g(not)-182 5325 y(pro)o(vide)18 b(all)g(necessary)h(security)g(functionality)i(for)c (the)h(system.)1974 83 y Fh(the)i(follo)n(wing,)d(we)j(will)h (introduce)d(our)h(approach)e(for)i(TIN)m(A)h(se-)1974 183 y(curity)-5 b(,)28 b(which)f(is)i(based)e(on)h(a)g(layered)e (structure.)47 b(Figure)27 b(3)h(il-)1974 282 y(lustrates)h(the)f (layering.)49 b(The)29 b(usage)f(relations)g(are)h(as)g(follo)n(ws.) 
1974 382 y(DPE)20 b(security)e(services)i(are)f(e)o(xclusi)n(v)o(ely)f (based)h(on)g(the)g(DPE)h(se-)1974 482 y(curity)29 b(mechanisms.)54 b(The)30 b(implementation)e(of)i(these)g(mecha-)1974 581 y(nisms)c(may)f(directly)g(use)h(cryptographic)c(mechanisms)j(or)h (may)1974 681 y(be)d(b)n(uilt)g(on)g(a)n(v)n(ailable)g(higher)f(le)n(v) o(el)h(security)g(technology)-5 b(,)20 b(such)1974 780 y(as)j(K)n(erberos)f([11].)32 b(The)23 b(underlying)d(security)i (technology)f(may)1974 880 y(use)26 b(the)g(same)g(cryptographic)d (mechanisms)i(as)h(the)g(DPE)g(secu-)1974 980 y(rity)i(mechanisms)e(or) i(proprietary)d(implementations.)46 b(The)28 b(use)1974 1079 y(of)h(cryptographic)e(mechanisms)i(and/or)g(higher)f(le)n(v)o(el) i(security)1974 1179 y(technology)22 b(may)i(be)h(accomplished)e (through)f(standardized)h(in-)1974 1279 y(terf)o(aces)k(\(e.g.,)g (GSS-API)g([2]\))f(to)h(f)o(acilitate)g(the)g(inte)o(gration)e(of)1974 1378 y(e)o(xisting)19 b(products)g(into)h(the)g(DPE.)1987 2545 y @beginspecial @setspecial %%BeginDocument: layers.epsss /sf {113 158 div} def /llx {-124} def /lly {-593} def /vx {llx sf mul} def /vy {lly sf mul} def vx vy translate sf sf scale /tgifdict 36 dict def tgifdict begin /tgifpatdict 10 dict def /tgifpatbyte { currentdict /retstr get exch pat i cellsz mod get put } def /tgifpatproc { 0 1 widthlim {tgifpatbyte} for retstr /i i 1 add def } def /tgifpatfill { tgifpatdict begin /h exch def /w exch def /lty exch def /ltx exch def /cellsz exch def /pat exch def /widthlim w cellsz div cvi 1 sub def /retstr widthlim 1 add string def /i 0 def tgiforigctm setmatrix ltx lty translate w h true [1 0 0 1 0 0] {tgifpatproc} imagemask ltx neg lty neg translate end } def /pat3 <8000000008000000> def /pat4 <8800000022000000> def /pat5 <8800220088002200> def /pat6 <8822882288228822> def /pat7 def /pat8 <77dd77dd77dd77dd> def /pat9 <77ffddff77ffddff> def /pat10 <77ffffff77ffffff> def /pat11 <7fffffff7fffffff> def /pat12 <8040200002040800> def /pat13 <40a00000040a0000> 
def /pat14 def /pat15 def /pat16 def /pat17 <038448300c020101> def /pat18 <081c22c180010204> def /pat19 <8080413e080814e3> def /pat20 <8040201008040201> def /pat21 <8844221188442211> def /pat22 <77bbddee77bbddee> def /pat23 def /pat24 <7fbfdfeff7fbfdfe> def /pat25 <3e1f8fc7e3f1f87c> def /pat26 <0102040810204080> def /pat27 <1122448811224488> def /pat28 def /pat29 <83070e1c3870e0c1> def /pat30 def /pat31 <7cf8f1e3c78f1f3e> def /tgifcentertext { dup stringwidth pop 2 div neg 0 rmoveto } def end tgifdict begin /tgifsavedpage save def 1 setmiterlimit 1 setlinewidth 0 setgray 72 0 mul 72 11.70 mul translate 72 128 div 100.000 mul 100 div dup neg scale gsave /tgiforigctm matrix currentmatrix def % BOX 0 setgray gsave newpath 224 260 moveto 804 260 lineto 804 340 lineto 224 340 lineto closepath 1 setgray fill 0 setgray newpath 224 260 moveto 804 260 lineto 804 340 lineto 224 340 lineto closepath eoclip newpath pat5 8 216 256 592 88 tgifpatfill grestore gsave 10 setmiterlimit gsave newpath 224 260 moveto 804 260 lineto 804 340 lineto 224 340 lineto closepath stroke grestore grestore % BOX 0 setgray gsave newpath 224 340 moveto 804 340 lineto 804 440 lineto 224 440 lineto closepath 1 setgray fill 0 setgray newpath 224 340 moveto 804 340 lineto 804 440 lineto 224 440 lineto closepath eoclip newpath pat7 8 216 336 592 112 tgifpatfill grestore gsave 10 setmiterlimit gsave newpath 224 340 moveto 804 340 lineto 804 440 lineto 224 440 lineto closepath stroke grestore grestore % BOX 0 setgray gsave 10 setmiterlimit gsave newpath 224 164 moveto 804 164 lineto 804 440 lineto 224 440 lineto closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [20 0 0 -20 0 0] makefont setfont gsave 514 204 moveto (Applications) tgifcentertext show grestore % BOX 0 setgray gsave newpath 612 200 moveto 804 200 lineto 804 260 lineto 612 260 lineto closepath 1 setgray fill 0 setgray newpath 612 200 moveto 804 200 lineto 804 260 lineto 612 260 lineto closepath eoclip newpath pat3 8 608 
192 200 72 tgifpatfill grestore gsave 10 setmiterlimit gsave newpath 612 200 moveto 804 200 lineto 804 260 lineto 612 260 lineto closepath stroke grestore grestore % TEXT 0 setgray /Helvetica findfont [20 0 0 -20 0 0] makefont setfont gsave 708 228 moveto (Special) tgifcentertext show 708 248 moveto (Security Services) tgifcentertext show grestore % POLY/OPEN-SPLINE 0 setgray gsave newpath 224 340 moveto 224 440 lineto 440 440 lineto 440 380 lineto 548 380 lineto 548 340 lineto 224 340 lineto closepath 1 setgray eofill 0 setgray newpath 224 340 moveto 224 440 lineto 440 440 lineto 440 380 lineto 548 380 lineto 548 340 lineto 224 340 lineto closepath eoclip newpath pat6 8 224 336 328 104 tgifpatfill grestore gsave newpath 224 340 moveto 224 440 lineto 440 440 lineto 440 380 lineto 548 380 lineto 548 340 lineto 224 340 lineto tgiforigctm setmatrix 1 setlinewidth stroke grestore % POLY/OPEN-SPLINE 0 setgray gsave [4 4] 0 setdash newpath 440 380 moveto 224 380 lineto tgiforigctm setmatrix 1 setlinewidth stroke [] 0 setdash grestore % RCBOX 0 setgray newpath 624 304 moveto 624 324 lineto 384 324 lineto 384 304 lineto closepath 1 setgray fill 0 setgray % TEXT 0 setgray /Helvetica findfont [20 0 0 -20 0 0] makefont setfont gsave 504 320 moveto (DPE Security Mechanisms) tgifcentertext show grestore % RCBOX 0 setgray newpath 491 350 moveto 491 370 lineto 299 370 lineto 299 350 lineto closepath 1 setgray fill 0 setgray % TEXT 0 setgray /Helvetica findfont [20 0 0 -20 0 0] makefont setfont gsave 395 366 moveto (Security Technology) tgifcentertext show grestore % RCBOX 0 setgray newpath 795 403 moveto 795 423 lineto 463 423 lineto 463 403 lineto closepath 1 setgray fill 0 setgray % TEXT 0 setgray /Helvetica findfont [20 0 0 -20 0 0] makefont setfont gsave 629 421 moveto (Common Cryptographic Mechanisms) tgifcentertext show grestore % BOX 0 setgray gsave newpath 452 260 moveto 712 260 lineto 712 292 lineto 452 292 lineto closepath 1 setgray fill 0 setgray newpath 452 260 moveto 
712 260 lineto 712 292 lineto 452 292 lineto closepath eoclip newpath pat4 8 448 256 272 40 tgifpatfill grestore gsave 10 setmiterlimit gsave newpath 452 260 moveto 712 260 lineto 712 292 lineto 452 292 lineto closepath stroke grestore grestore % RCBOX 0 setgray newpath 683 267 moveto 683 287 lineto 479 287 lineto 479 267 lineto closepath 1 setgray fill 0 setgray % TEXT 0 setgray /Helvetica findfont [20 0 0 -20 0 0] makefont setfont gsave 582 284 moveto (DPE Security Services) tgifcentertext show grestore % BOX 0 setgray newpath 244 389 moveto 420 389 lineto 420 433 lineto 244 433 lineto closepath 1 setgray fill 0 setgray % TEXT 0 setgray /Helvetica findfont [17 0 0 -17 0 0] makefont setfont gsave 333 402 moveto (Security Technology ) tgifcentertext show 333 417 moveto (Specific Cryptographic ) tgifcentertext show 333 432 moveto (Mechanisms) tgifcentertext show grestore grestore tgifsavedpage restore end %MatchingCreationDate: Fri Sep 12 16:19:00 1997 %%EndDocument @endspecial 2099 2728 a Fc(Figure)j(3.)h(La)n(y)o(ering)f(of)g(TINA)f (security)i(f)o(eatures)2073 2932 y Fh(Abo)o(v)o(e)15 b(the)i(DPE)g(le)n(v)o(el,)g(Figure)e(3)i(sho)n(ws)g(the)f(special)h (security)1974 3031 y(services,)31 b(which)d(also)h(rely)f(e)o(xclusi)n (v)o(ely)f(on)i(the)g(DPE)g(security)1974 3131 y(mechanisms)20 b(and)h(services.)28 b(The)o(y)20 b(are)h(used)g(by)g(TIN)m(A)g (applica-)1974 3230 y(tions,)26 b(b)n(ut)f(are)g(application)f (services)h(themselv)o(es.)39 b(The)25 b(special)1974 3330 y(security)i(services)g(are)g(not)g(implemented)f(on)h(each)g(DPE) g(node.)1974 3430 y(Examples)e(are)g(electronic)g(retail)h(banking)e (functions)g(or)h(notary)1974 3529 y(services.)2073 3631 y(General)i(security)f(functionality)f(is)j(of)o(fered)d(to)i(the)g (applica-)1974 3731 y(tions)18 b(on)h(each)f(node)g(as)h(part)f(of)g (the)h(DPE)g(functionality)-5 b(.)22 b(T)-7 b(o)19 b(ease)1974 3831 y(inte)o(gration)k(in)i(applications,)f(as)h(much)f(functionality) f(as)i(possi-)1974 3930 
y(ble)g(should)g(be)h(pro)o(vided)d(as)j (self-contained)d(security)i(services,)1974 4030 y(i.e.)39 b(the)24 b(application)g(is)h(not)g(concerned)d(with)j(ho)n(w)f(the)h (security)1974 4129 y(functionality)d(is)j(pro)o(vided)d(\(e.g.,)j (which)e(security)h(mechanisms)1974 4229 y(are)f(used)h(and)f(on)g (which)g(cryptographic)d(mechanisms)j(or)g(secu-)1974 4329 y(rity)f(technology)d(the)o(y)i(are)h(based\).)29 b(The)22 b(application)e(is)j(only)e(re-)1974 4428 y(quired)k(to)i(use) g(the)f(DPE)h(security)f(mechanisms)g(directly)f(if)i(the)1974 4528 y(handling)13 b(of)j(the)f(security)g(mechanisms)f(is)j(service)e (speci\256c,)h(e.g.,)1974 4628 y(if)28 b(the)f(v)o(eri\256cation)f(of)h (a)h(digital)f(signature)g(is)h(directly)f(needed.)1974 4727 y(The)22 b(necessary)g(DPE)h(services)f(and)g(mechanisms)f(must)i (be)f(pro-)1974 4827 y(vided)g(by)h(CORB)m(A)i(security)e(and)f (additional)g(parts)h(of)g(the)h(DPE)1974 4926 y(that)f(are)f (addressed)g(in)h(the)f(CrySTIN)m(A)h(project.)31 b(In)23 b(the)f(follo)n(w-)1974 5026 y(ing,)17 b(we)f(in)m(v)o(estigate)f(for)h (each)g(of)h(the)f(security)g(topics)h(introduced)1974 5126 y(in)23 b(Section)g(2)h(whether)e(CORB)m(A)j(security)e (functionality)e(is)k(suf-)1974 5225 y(\256cient)20 b(and)g(propose)e (additional)h(features)h(if)g(needed.)1859 5574 y(5)p eop %%Page: 6 6 6 5 bop -182 83 a Fd(System)20 b(Security:)-182 183 y Fh(System)g(security)g(cannot)f(be)h(pro)o(vided)e(by)i(CORB)m(A)i (security)-5 b(.)25 b(It)-182 282 y(can)20 b(only)f(be)i(guaranteed)d (by)i(a)h(proper)e(design,)g(implementation)-182 382 y(and)k(installation)g(of)g(the)h(respecti)n(v)o(e)f(hardw)o(are)f(and) h(softw)o(are)g(as)-182 482 y(well)16 b(as)h(the)e(protection)f(of)i (communication)d(o)o(v)o(er)h(unsecure)h(links)-182 581 y(at)h(the)g(NCCE)h(le)n(v)o(el.)23 b(In)16 b(operation,)e(system)i (security)g(can)g(be)f(sup-)-182 681 y(ported)22 b(by)g(auditing)g(of)h (security)g(rele)n(v)n(ant)f(e)n(v)o(ents)h(at)h(the)f(NCCE)-182 780 
y(le)n(v)o(el)c(and)h(alarm)g(reporting)e(in)i(case)h(of)f(serious) g(incidents.)-182 983 y Fd(Ser)o(vice)g(Security:)-182 1083 y Fh(Service)15 b(security)h(relies)h(e)o(xtensi)n(v)o(ely)d(on)i (DPE)g(security)g(features.)-182 1182 y(In)k(principle,)g(the)g (security)h(of)f(service)h(control)e(can)i(be)f(pro)o(vided)-182 1282 y(by)25 b(the)g(use)g(of)h(the)f(CORB)m(A)i(security)e(services)g (in)g(cooperation)-182 1382 y(with)h(the)h(security)e(rele)n(v)n(ant)h (service)g(logic.)43 b(A)27 b(crucial)e(point)h(is)-182 1481 y(the)k(mapping)f(of)h(security)g(rele)n(v)n(ant)f(domain)g(types) h(de\256ned)g(in)-182 1581 y(the)g(TIN)m(A-C)g(architecture)f(and)g(in) i(the)f(CORB)m(A)i(architecture.)-182 1680 y(Based)26 b(on)g(observ)n(ations)f(of)h(trial)h(implementations)d(of)i(the)h(ser) n(-)-182 1780 y(vice)15 b(architecture)g(\(e.g,)h([25]\),)f(we)h (assume)g(the)g(mapping)e(of)h(each)-182 1880 y(administrati)n(v)o(e)g (domain)h(in)i(TIN)m(A)f(onto)g(one)g(ORB)i(system.)24 b(This)-182 1979 y(is)30 b(reasonable)e(because)h(resulting)f(from)g (this)i(mapping)e(the)h(in-)-182 2079 y(terf)o(ace)i(between)f(ORBs)j (is)f(a)g(protocol)e(interf)o(ace,)j(i.e.)58 b(in)32 b(the)-182 2179 y(interaction)f(with)i(another)f(administrati)n(v)o(e)f (domain)h(no)g(poten-)-182 2278 y(tially)19 b(v)o(endor)n(-speci\256c)e (e)o(x)o(ecutable)g(code)h(from)g(the)h(other)g(side)g(is)-182 2378 y(needed)j(at)i(the)g(DPE)g(le)n(v)o(el.)34 b(F)o(or)24 b(security)f(reasons,)h(we)g(propose)-182 2478 y(the)h(follo)n(wing)f (mappings)f(of)j(TIN)m(A)f(domain)f(types)h(to)h(security)-182 2577 y(rele)n(v)n(ant)19 b(domain)f(types)i(at)h(the)f(CORB)m(A)i(le)n (v)o(el:)-58 2774 y Fm(\017)41 b Fh(Each)35 b(TIN)m(A)g(administrati)n (v)o(e)e(domain)g(is)j(mapped)e(onto)25 2873 y(one)h(security)f (domain.)68 b(This)36 b(domain)d(is)j(also)g(e)o(xactly)25 2973 y(one)e(security)g(polic)o(y)f(domain.)66 b(The)34 b(mapping)f(re\257ects)25 3072 y(that)c(each)g(stak)o(eholder)e(\(i.e.) 
52 b(administrator)27 b(of)i(a)g(TIN)m(A)25 3172 y(administrati)n(v)o (e)20 b(domain\))f(has)j(speci\256c)f(security)g(interests)25 3272 y(and)k(limited)g(trust)g(in)g(other)f(stak)o(eholders)g(and)h (that)g(a)h(se-)25 3371 y(curity)k(domain)f(should)g(not)h(contain)f (equipment)g(that)h(is)25 3471 y(not)22 b(under)f(the)h(physical)f (control)g(of)h(the)g(security)f(author)n(-)25 3571 y(ity)-5 b(.)24 b(This)19 b(mapping)e(further)g(implies)i(that)g(all)g (interdomain)25 3670 y(interactions)g(between)g(service)h(components)d (\(e.g.,)i(U)m(AP-)25 3770 y(USM\))g(rely)f(on)h(inter)n(-ORB)g (security)f(and)g(on)h(the)g(ne)o(gotia-)25 3869 y(tion)h(of)g(a)h (cooperation)c(security)j(polic)o(y)-5 b(.)-58 4049 y Fm(\017)41 b Fh(Each)22 b(TIN)m(A)g(administrati)n(v)o(e)f(domain)g (\(also)h(CORB)m(A)j(se-)25 4149 y(curity)i(domain)f(and)i(CORB)m(A)h (security)e(polic)o(y)g(domain\))25 4249 y(is)20 b(also)f(one)f (security)f(en)m(vironment)f(domain,)h(i.e.)25 b(ho)n(w)18 b(the)25 4348 y(security)h(polic)o(y)f(is)i(enforced)d(within)i(the)g (domain,)f(is)i(a)g(lo-)25 4448 y(cal)h(matter)-5 b(.)-58 4628 y Fm(\017)41 b Fh(Each)k(boundary)d(between)i(TIN)m(A)g (administrati)n(v)o(e)g(do-)25 4727 y(mains)24 b(is)h(assumed)e(to)i (be)f(also)g(a)g(boundary)d(between)j(se-)25 4827 y(curity)j (technology)e(domains.)45 b(This)28 b(re\257ects)f(that)h(stak)o(e-)25 4926 y(holders)20 b(with)i(v)n(arious)e(kinds)h(of)g(CPE,)h(v)n(arying) e(priorities)25 5026 y(re)o(garding)28 b(security)-5 b(,)32 b(and)f(under)e(possibly)h(dif)o(ferent)f(na-)25 5126 y(tional)18 b(la)o(ws)h(cannot)e(be)h(assumed)g(to)h(ha)n(v)o(e)e (the)i(same)f(secu-)25 5225 y(rity)24 b(technology)-5 b(.)33 b(It)24 b(requires)e(that)i(the)g(security)f(technol-)25 5325 y(ogy)i(used)g(for)g(interdomain)e(interactions)i(\(including)e (the)2181 83 y(mechanisms)c(used\))g(is)i(ne)o(gotiated)d(as)i(part)g (of)f(the)h(respec-)2181 183 y(ti)n(v)o(e)29 b(cooperation)c(security)j (polic)o(y)-5 b(.)48 b(This)29 
b(may)f(result)g(in)2181 282 y(the)22 b(use)g(of)f(the)g(same)h(or)f(a)h(compatible)e(security)h (technol-)2181 382 y(ogy)g(or)g(the)h(use)f(of)g(a)h(mutually)e(agreed) h(security)g(technol-)2181 482 y(ogy)f(gate)n(w)o(ay)-5 b(.)2073 643 y(Control)38 b(of)g(access)i(to)e(information)e(and)i (functionality)f(at)1974 742 y(the)20 b(service)g(le)n(v)o(el)g (\(authorization\))d(pre)n(v)o(ents)i(ille)o(gitimate)h(use)g(of)1974 842 y(these)j(resources)f(within)h(the)g(service)g(usage.)33 b(It)23 b(is)h(based)f(on)f(the)1974 941 y(identities)g(of)h(stak)o (eholders)e(and)h(authorization)e(information)g(re-)1974 1041 y(garding)i(subscriptions)i(and)g(access)i(to)f(management)d (function-)1974 1141 y(ality)-5 b(.)53 b(The)29 b(authorization)f (process)h(is)h(implemented)e(as)i(a)h(part)1974 1240 y(of)e(the)h(service)f(logic)g(in)h(the)f(respecti)n(v)o(e)f(service)i (components,)1974 1340 y(e.g.,)35 b(the)e(User)g(Agent)g(\(U)m(A\))f (for)g(the)h(access)g(service)g(as)h(well)1974 1440 y(as)28 b(the)f(User)h(Service)f(Session)g(Manager)f(\(USM\))h(and)g(the)g(Ser) n(-)1974 1539 y(vice)18 b(Session)g(Manager)e(\(SSM\))i(for)f(the)h (actual)g(telecommunica-)1974 1639 y(tions)25 b(service.)40 b(The)25 b(authorization)e(decisions)h(are)i(made)e(inside)1974 1738 y(a)e(service)f(component)e(after)i(the)h(in)m(v)n(ocation)d(of)i (an)h(operation)d(of)1974 1838 y(an)29 b(operational)f(interf)o(ace)g (of)i(the)f(service)g(component.)50 b(These)1974 1938 y(decisions)27 b(rely)g(on)h(the)f(authentication)f(of)h(the)h(claimed) f(identi-)1974 2037 y(ties)k(as)h(well)f(as)h(the)f(authenticity)-5 b(,)31 b(inte)o(grity)-5 b(,)31 b(and)g(\(optionally\))1974 2137 y(con\256dentiality)g(of)h(the)g(messages)h(e)o(xchanged)d(with)i (the)h(other)1974 2237 y(stak)o(eholder)-5 b(.)23 b(The)18 b(three)g(latter)g(properties)f(must)h(be)g(pro)o(vided)e(by)1974 2336 y(DPE)29 b(services,)h(whereas)e(the)g(\256rst,)k(i.e.)50 b(the)28 b(authentication)e(of)1974 2436 y(the)19 b(other)g(stak)o 
(eholder)m(,)e(tak)o(es)j(place)f(at)h(the)f(service)g(le)n(v)o(el)g (as)i(part)1974 2535 y(of)h(the)g(establishment)f(of)h(an)g(access)h (session)f(between)g(dif)o(ferent)1974 2635 y(stak)o(eholders.)51 b(CORB)m(A)31 b(security)e(does)g(not)g(pro)o(vide)e(the)j(nec-)1974 2735 y(essary)d(inter)n(-ORB)h(inter)n(-domain)d(authentication)g (service.)45 b(An)1974 2834 y(additional)20 b(authentication)g(service) i(must)g(pro)o(vide)e(f)o(acilities)j(for)1974 2934 y(the)28 b(mutual)g(authentication)e(of)i(stak)o(eholders.)49 b(This)28 b(service)g(is)1974 3034 y(used)h(for)g(the)h(establishment)e (of)i(access)g(sessions.)54 b(Since)29 b(user)1974 3133 y(mobility)24 b(must)i(be)g(supported,)e(the)i(authentication)e (technology)1974 3233 y(must)d(be)g(designed)e(in)i(such)g(a)g(w)o(ay)g (that)g(the)g(consumer)e(does)h(not)1974 3332 y(need)k(to)h(trust)g (the)f(equipment)f(in)i(the)g(consumer)e(domain.)37 b(This)1974 3432 y(suggests)24 b(the)f(use)h(of)g(smart)g(card)f(technology)-5 b(.)33 b(The)23 b(inte)o(gration)1974 3532 y(of)d(established)h(smart)f (card)h(technology)d(can)i(guarantee)f(that)i(the)1974 3631 y(o)n(wner)26 b(\(administrator\))f(of)i(the)g(CPE)h (\(administrati)n(v)o(e)d(domain\))1974 3731 y(used)j(at)h(the)f (moment)f(cannot)g(learn)h(the)g(secret)g(authenticating)1974 3831 y(information)18 b(of)i(the)g(consumer)-5 b(.)1974 4030 y Fd(DPE)21 b(Security:)1974 4129 y Fh(Session)g(k)o(e)o(ys)g (resulting)g(from)f(the)h(e)o(x)o(ecution)f(of)h(an)g(authentica-)1974 4229 y(tion)g(protocol)f(at)j(the)f(service)f(le)n(v)o(el)g(may)h(be)g (used)f(subsequently)1974 4329 y(at)i(the)f(DPE)h(\(CORB)m(A\))h(le)n (v)o(el)e(to)h(pro)o(v)o(e)d(and)i(v)o(erify)f(the)i(identity)1974 4428 y(of)c(client)h(objects.)25 b(The)19 b(session)i(k)o(e)o(ys)e(may) h(also)g(be)g(used)f(to)h(pro-)1974 4528 y(vide)d(authenticity)-5 b(,)16 b(inte)o(grity)-5 b(,)16 b(and)h(con\256dentiality)e(for)i(the)g (estab-)1974 4628 y(lished)24 b(security)h(association)f(using)g(CORB)m 
(A)i(inter)n(-ORB)f(secu-)1974 4727 y(rity)-5 b(.)35 b(The)23 b(e)o(xact)g(security)g(conte)o(xt)g(of)g(the)h(security)f (association,)1974 4827 y(i.e.)43 b(which)26 b(security)f(mechanisms)h (are)g(used,)h(is)g(established)f(at)1974 4926 y(association)17 b(setup)g(using)g(the)h(security)f(tok)o(ens)g(of)g(the)h(inter)n(-ORB) 1974 5026 y(protocol.)23 b(The)c(conte)o(xt)g(is)i(deri)n(v)o(ed)d (from)g(the)i(cooperation)d(secu-)1974 5126 y(rity)25 b(polic)o(y)g(for)g(the)g(interaction)g(between)f(the)i(domains,)g (which)1974 5225 y(also)21 b(includes)e(the)i(choice)e(of)h(the)h (mechanisms)e(and)h(the)h(authen-)1974 5325 y(tication)f(serv)o(ers)f (\(or)h(public)f(k)o(e)o(y)h(certi\256ers\).)1859 5574 y(6)p eop %%Page: 7 7 7 6 bop -83 83 a Fh(Access)29 b(control)e(at)i(the)f(DPE)g(le)n(v)o(el) g(has)g(to)h(pre)n(v)o(ent)d(ille)o(giti-)-182 183 y(mate)i(in)m(v)n (ocations)f(of)i(operations.)49 b(This)28 b(access)i(control)d(is,)32 b(in)-182 282 y(contrast)18 b(to)h(the)f(access)i(control)d(at)j(the)e (service)h(le)n(v)o(el)f(\(authoriza-)-182 382 y(tion\),)30 b(not)e(determined)f(by)h(the)h(semantics)g(of)g(the)g(service,)h(b)n (ut)-182 482 y(by)f(the)g(question)g(whether)f(the)h(originating)f (stak)o(eholder)g(of)h(an)-182 581 y(attempt)20 b(to)h(in)m(v)n(ok)o(e) e(an)h(operation)f(is)j(allo)n(wed)e(to)g(in)m(v)n(ok)o(e)g(this)h(op-) -182 681 y(eration)15 b(at)h(all.)24 b(The)16 b(only)f(possible)g (results)i(of)e(an)h(access)h(decision)-182 780 y(are)j(access)i (permitted)d(or)i(access)g(denied.)26 b(Granularities)20 b(are)h(the)-182 880 y(whole)i(interf)o(aces)h(or)f(the)i(single)e (operation)g(of)g(an)h(interf)o(ace.)36 b(In)-182 980 y(order)24 b(to)i(analyze)f(ho)n(w)g(CORB)m(A)j(access)e(control)f(can) h(be)f(used,)-182 1079 y(it)g(is)g(necessary)f(to)h(study)f(ho)n(w)g (TIN)m(A)g(service)h(components)d(are)-182 1179 y(b)n(uilt)30 b(up)g(using)g(CORB)m(A.)h(Service)f(components)e(are)j(lik)o(ely)f(to) -182 1279 y(be)23 
b(implemented)e(as)j(CO)g(groups,)e(e)n(v)o(en)g (though)g(the)h(service)g(ar)n(-)-182 1378 y(chitecture)28 b([23])h(does)h(not)g(prescribe)e(the)i(mapping)f(of)g(service)-182 1478 y(components)23 b(onto)h(COs)j(or)e(CO)h(groups.)40 b(The)25 b(service)g(compo-)-182 1577 y(nent')-5 b(s)17 b(interf)o(aces)g(are)h(in)f(that)h(case)g(pro)o(vided)d(as)k (contracts)e(of)g(the)-182 1677 y(respecti)n(v)o(e)k(CO)j(group.)32 b(Ho)n(we)n(v)o(er)m(,)21 b(CORB)m(A)k(lacks)e(the)g(concept)-182 1777 y(of)28 b(object)g(groups.)50 b(Additionally)-5 b(,)28 b(in)h(contrast)f(to)h(TIN)m(A)g(COs,)-182 1876 y(CORB)m(A)19 b(objects)e(ha)n(v)o(e)g(e)o(xactly)f(one)h(interf)o (ace.)23 b(W)-7 b(e)18 b(assume)g(that)-182 1976 y(each)k(TIN)m(A)g(CO) i(is)f(implemented)e(as)i(a)g(set)h(of)e(CORB)m(A)i(objects)-182 2076 y(and)j(that)h(each)f(CO)h(interf)o(ace)f(is)i(implemented)d(as)i (a)g(dedicated)-182 2175 y(CORB)m(A)33 b(object,)h(as)e(proposed)e(in)h ([9].)59 b(The)31 b(service)h(compo-)-182 2275 y(nent')-5 b(s)22 b(interf)o(aces)g(\(the)g(contracts)g(of)g(the)g(group\))f(are,) h(thus,)h(pro-)-182 2374 y(vided)29 b(as)i(the)f(CORB)m(A)i(interf)o (aces)d(of)h(those)g(CORB)m(A)i(objects)-182 2474 y(that)20 b(implement)f(the)h(CO)h(interf)o(aces)f(that)g(serv)o(e)g(as)h (contracts.)-83 2604 y(Potentially)-5 b(,)27 b(the)f(operations)e(of)i (all)h(CORB)m(A)g(interf)o(aces)f(are)-182 2704 y(accessible)g(to)g(e)n (v)o(eryone)d(who)j(has)g(access)h(to)f(the)g(k)o(ernel)f(trans-)-182 2804 y(port)e(netw)o(ork)f(that)i(connects)f(the)h(single)g(ORB)h (systems.)36 b(Ho)n(w-)-182 2903 y(e)n(v)o(er)m(,)19 b(only)h(fe)n(w)h(of)g(these)g(interf)o(aces)f(shall)h(be)g(accessible) g(by)g(ob-)-182 3003 y(jects)27 b(acting)f(for)g(other)g(stak)o (eholders,)h(i.e.)45 b(shall)27 b(be)g(accessible)-182 3103 y(for)f(another)g(identity)h(than)g(the)g(one)g(of)h(the)f (administrati)n(v)o(e)f(do-)-182 3202 y(main)17 b(\(the)h(o)n(wner\))f (the)i(object)e(is)i(allocated)f(to.)24 b(These)18 b(interf)o(aces)-182 3302 
y(are)26 b(implementations)f(of)h(those)g(interf)o(aces)g(of)h (service)f(compo-)-182 3401 y(nents)g(that)h(are)g(part)g(of)f(an)h (interdomain)e(reference)g(point.)44 b(Ac-)-182 3501 y(cess)33 b(to)f(all)g(other)g(CORB)m(A)h(interf)o(aces)f(must)g(be)g (restricted)g(to)-182 3601 y(those)19 b(objects)h(that)g(act)g(under)f (the)h(same)g(identity)-5 b(.)24 b(This)c(is)h(easily)-182 3700 y(achie)n(v)o(ed)d(by)i(ORB-local)g(access)h(control.)-83 3831 y(Access)j(control)f(for)g(the)g(objects)h(that)f(are)h(indeed)e (part)i(of)f(an)-182 3930 y(interdomain)14 b(reference)h(point)h(is)i (more)e(comple)o(x.)22 b(Ho)n(we)n(v)o(er)m(,)16 b(our)-182 4030 y(observ)n(ation)23 b(is)k(that)f(the)f(functionality)f(of)o (fered)f(across)j(domain)-182 4129 y(boundaries)i(is)j(al)o(w)o(ays)g (structured)e(as)i(interf)o(aces)e(so)i(that)f(each)-182 4229 y(instance)25 b(of)g(an)h(operational)d(interf)o(ace)i(is)i (dedicated)d(to)i(e)o(xactly)-182 4329 y(one)e(other)g(stak)o(eholder)m (,)g(as)i(suggested)e(in)h([9].)39 b(As)26 b(long)e(as)h(this)-182 4428 y(observ)n(ation)c(holds,)i(identity)g(based)g(access)h(control)f (can)g(be)g(ap-)-182 4528 y(plied)c(at)g(the)h(granularity)d(of)i (service)g(component)e(interf)o(aces,)i(i.e.)-182 4628 y(at)25 b(the)g(CORB)m(A)i(le)n(v)o(el)e(to)g(the)h(whole)e(object)h (implementing)e(the)-182 4727 y(interf)o(ace)17 b(of)g(the)h(respecti)n (v)o(e)f(service)g(component)f(and)h(can)g(be)h(re-)-182 4827 y(alized)24 b(by)g(simply)g(checking)e(authenticity)h(and)h(inte)o (grity)f(of)h(the)-182 4926 y(message)h(con)m(v)o(e)o(ying)d(the)k(in)m (v)n(ocation)e(request.)40 b(If)26 b(the)g(observ)n(a-)-182 5026 y(tion)j(abo)o(v)o(e)e(does)i(not)g(hold,)h(tw)o(o)g(cases)g(with) f(dif)o(ferent)e(granu-)-182 5126 y(larities)32 b(can)g(be)g (distinguished.)58 b(If)32 b(an)g(interf)o(ace)f(of)h(a)g(service)-182 5225 y(component)14 b(is)k(accessed)f(by)f(v)n(arious)g(stak)o (eholders,)g(b)n(ut)h(with)g(the)-182 5325 y(same)h(rights,)g(the)h 
(unit)f(of)g(access)h(control)f(can)g(also)h(be)f(the)g(whole)1974 83 y(interf)o(ace.)34 b(On)24 b(the)g(other)f(hand,)g(if)h(an)f(interf) o(ace)g(is)i(accessed)f(by)1974 183 y(v)n(arious)16 b(stak)o(eholders)g (with)h(dif)o(ferent)e(rights,)i(the)g(unit)g(is)h(the)f(sin-)1974 282 y(gle)22 b(operation)e(of)i(the)g(interf)o(ace.)30 b(In)21 b(both)h(cases,)h(access)f(control)1974 382 y(should)i(be)i (supported)d(by)i(a)h(list)g(bound)e(to)h(each)g(unit)g(of)h(access) 1974 482 y(control)f(that)i(contains)f(the)g(identities)h(of)f(the)h (stak)o(eholders)e(that)1974 581 y(are)i(authorized)e(to)j(access)g (the)f(unit.)46 b(This)27 b(mechanism)f(can)h(be)1974 681 y(e)o(xpected)18 b(to)j(be)f(supported)e(by)h(a)i(wide)f(range)f (of)h(CORB)m(A)i(prod-)1974 780 y(ucts.)1974 984 y Fd(Communications)e (Contents)g(Security:)1974 1084 y Fh(In)31 b(TIN)m(A,)f(all)i(service)f (contents)f(information)e(is)k(deli)n(v)o(ered)e(by)1974 1184 y(streams.)76 b(\(There)36 b(is)i(an)f(ongoing)e(discussion)h (also)i(to)f(allo)n(w)1974 1283 y(to)30 b(pro)o(vide)f(contents)h (information)e(via)i(operational)f(interf)o(aces)1974 1383 y(without)22 b(relying)f(on)h(streams.)32 b(Ho)n(we)n(v)o(er)m(,) 21 b(the)i(follo)n(wing)d(is)k(also)1974 1483 y(v)n(alid)g(for)h(such)f (a)i(deli)n(v)o(ery)d(of)i(contents.\))38 b(Until)25 b(no)n(w)-5 b(,)25 b(CORB)m(A)1974 1582 y(does)20 b(neither)g(support)g (streams)h(nor)f(stream)g(protection.)25 b(A)d(DPE)1974 1682 y(supporting)d(streams)i(must)g(also)h(support)d(DPE)j(security)e (mecha-)1974 1781 y(nisms)h(applicable)f(to)i(streams.)28 b(The)21 b(establishment)g(of)g(a)g(stream)1974 1881 y(should)e(include)f(the)i(establishment)f(of)g(a)h(protection)e(conte) o(xt)h(for)1974 1981 y(the)32 b(stream.)62 b(This)33 b(conte)o(xt)e(determines)h(the)g(security)g(mecha-)1974 2080 y(nisms)f(and)f(the)g(k)o(e)o(y\(s\))g(used.)55 b(The)30 b(protection)f(conte)o(xt)g(is)j(de-)1974 2180 y(ri)n(v)o(ed)18 b(from)g(the)h(cooperation)e(security)i(polic)o(y)f 
(of)h(both)f(domains.)1974 2280 y(Such)e(a)h(polic)o(y)-5 b(,)16 b(and)g(possibly)g(a)h(session)g(k)o(e)o(y)-5 b(,)16 b(may)h(already)e(e)o(xist,)1974 2379 y(e.g.,)j(if)h(both)f (parties)g(are)h(in)g(a)g(user)f(pro)o(vider)f(relationship.)23 b(If)18 b(the)1974 2479 y(parties)g(ha)n(v)o(e)g(not)g(authenticated)f (each)h(other)g(directly)f(\(e.g.,)h(both)1974 2578 y(parties)k(are)g (users)h(of)e(a)i(common)d(pro)o(vider\))g(and)i(w)o(ant)g(to)g(estab-) 1974 2678 y(lish)c(end-to-end)e(security)-5 b(,)17 b(the)o(y)g(can)h (use)g(the)g(authentication)e(ser)n(-)1974 2778 y(vice)25 b(mentioned)d(abo)o(v)o(e)h(for)i(direct)f(mutual)g(authentication)f (and)1974 2877 y(the)d(ne)o(gotiation)e(of)i(a)h(session)f(k)o(e)o(y)-5 b(.)1974 3124 y Fj(5.)24 b(Conclusion)2073 3354 y Fh(W)-7 b(e)26 b(analyzed)e(and)g(structured)f(the)i(TIN)m(A)g(security)f (problem)1974 3454 y(domain.)i(It)c(w)o(as)f(demonstrated)e(ho)n(w)i (the)g(security)g(services)g(and)1974 3553 y(mechanisms)k(can)h(be)g (pro)o(vided)e(as)j(part)f(of)f(the)i(DPE)f(function-)1974 3653 y(ality)-5 b(.)35 b(Ongoing)22 b(conceptual)g(w)o(ork)h(in)h (CrySTIN)m(A)f(is)h(dedicated)1974 3752 y(to)h(the)h(identi\256cation)e (and)h(speci\256cation)f(of)h(the)g(necessary)g(sin-)1974 3852 y(gle)20 b(security)g(services,)h(a)g(formal)e(model)h(of)g(ho)n (w)g(administrati)n(v)o(e)1974 3952 y(domains)29 b(with)h(dif)o(ferent) f(security)g(policies)h(agree)g(on)g(a)g(coop-)1974 4051 y(eration)22 b(security)h(polic)o(y)-5 b(,)23 b(and)f(the)i(use)f(of)g (a)h(hierarchical)e(public)1974 4151 y(k)o(e)o(y)27 b(infrastructure)e (based)j(on)f(certi\256cates)h(as)g(speci\256ed)f(in)h([8].)1974 4251 y(The)g(approach)f(to)i(TIN)m(A)g(security)f(presented)f(is)j (implemented)1974 4350 y(e)o(xtending)16 b(the)j(CORB)m(A)h(security)e (features)g(and)g(using)h(commer)n(-)1974 4450 y(cial)32 b(CORB)m(A)i(products.)59 b(Future)31 b(w)o(ork)h(will)g(co)o(v)o(er)f (the)h(addi-)1974 4549 y(tional)25 b(trust)g(relationship)e(between)i 
(the)g(current)e(user)i(of)g(a)g(CPE)1974 4649 y(and)18 b(the)i(CPE)f(itself)h(that)f(is)h(needed)e(for)h(the)g(support)e(of)i (personal)1974 4749 y(mobility)g(with)h(full)g(security)-5 b(.)1974 4995 y Fj(Refer)n(ences)1974 5225 y Fh([1])68 b(T)-6 b(.Eckardt,)192 b(T)-6 b(.Magedanz,)192 b(R.Popescu-Zeletin,) 2140 5325 y(M.Schulz,)33 b(M.Stapf.)60 b(Personal)31 b(Communications)f(Sup-)1859 5574 y(7)p eop %%Page: 8 8 8 7 bop -16 83 a Fh(port)20 b(in)i(the)f(TIN)m(A)g(Service)g (Architecture)f(-)h(A)h(ne)n(w)f(TIN)m(A-)-16 183 y(C)37 b(Auxiliary)e(Project.)72 b Fi(Pr)l(oceedings)35 b(TIN)n(A)m('96)g (Confer)n(-)-16 282 y(ence)p Fh(,)24 b(Heidelber)o(g,)e(German)o(y)-5 b(,)23 b(September)f(1996,)h(pp.)36 b(55-)-16 382 y(64.)-182 482 y([2])68 b(Internet)21 b(RFC)i(1508.)30 b(Generic)21 b(Security)h(Service)f(-)i(Appli-)-16 581 y(cations)d(Program)e(Interf) o(ace.)24 b(September)19 b(1993.)-182 681 y([3])68 b(Internet)19 b(RFCs)j(1825\2611829,)17 b(1851,)i(1852.)25 b(IPv4)20 b(and)g(IPv6)-16 780 y(Security)-5 b(.)23 b(August/September)18 b(1995.)-182 880 y([4])68 b(Internet)31 b(RFCs)j(1113,)g(1814,)g(1815.) 
60 b(Pri)n(v)n(ac)o(y)31 b(Enhance-)-16 980 y(ment)c(for)g(Internet)f (Electronic)h(Mail,)i(P)o(arts)f(I-III.)f(August)-16 1079 y(1989.)-182 1179 y([5])68 b(ISO/IEC)17 b(7498-2:)k(Information)14 b(T)-6 b(echnology)14 b(-)j(Open)g(Sys-)-16 1279 y(tems)23 b(Interconnections)e(-)i(Basic)h(Reference)f(Model)f(-)i(P)o(art)-16 1378 y(2:)42 b(Security)29 b(Architecture)e(\(Also)i(ITU-T)f (Recommenda-)-16 1478 y(tion)20 b(X.800\).)-182 1577 y([6])68 b(ISO/IEC)38 b(10164-7:)59 b(Information)35 b(T)-6 b(echnology)36 b(-)j(Open)-16 1677 y(Systems)18 b(Interconnections)e(-)i(Systems)h(Management:)k(Se-)-16 1777 y(curity)16 b(Alarm)h(Reporting)e(Function)h(\(Also)h(ITU-T)g (Recom-)-16 1876 y(mendation)h(X.736\).)-182 1976 y([7])68 b(ISO/IEC)38 b(10164-8:)59 b(Information)35 b(T)-6 b(echnology)36 b(-)j(Open)-16 2076 y(Systems)18 b(Interconnections)e(-)i(Systems)h (Management:)k(Se-)-16 2175 y(curity)i(Audit)h(T)m(rail)g(Function)e (\(Also)i(ITU-T)g(Recommen-)-16 2275 y(dation)19 b(X.740\).)-182 2374 y([8])68 b(ISO/IEC)17 b(9594-8:)k(Information)14 b(T)-6 b(echnology)14 b(-)j(Open)g(Sys-)-16 2474 y(tems)i (Interconnections)c(-)k(The)f(Directory:)23 b(Authentication)-16 2574 y(Frame)n(w)o(ork)18 b(\(Also)i(ITU-T)g(Recommendation)d(X.509\).) 
-182 2673 y([9])68 b(B.Kitson.)42 b(CORB)m(A)28 b(and)d(TIN)m(A:)h(The) g(Architectural)e(Re-)-16 2773 y(lationships.)60 b Fi(Pr)l(oceedings)31 b(TIN)n(A)m('95)h(Confer)m(ence)p Fh(,)i(Mel-)-16 2873 y(bourne,)18 b(Australia,)i(February)e(1995,)h(pp.)24 b(371-386.)-182 2972 y([10])i(Netscape.)e(Secure)c(Sock)o(et)g(Layer)-5 b(.)25 b(March)19 b(1996,)-16 3072 y (http://home.netscape.com/eng/ssl3/)-182 3171 y([11])26 b(C.Neuman,)21 b(T)-6 b(.Ts'o.)30 b(K)n(erberos:)d(An)c(Authentication) d(Ser)n(-)-16 3271 y(vice)26 b(for)f(Computer)g(Netw)o(orks.)42 b Fi(IEEE)26 b(Communications)-16 3371 y(Ma)o(gazine)p Fh(,)19 b(September)g(1994,)f(pp.)25 b(33-38.)-182 3470 y([12])h(Object)20 b(Management)f(Group.)26 b(The)21 b(Common)f(Object)g(Re-)-16 3570 y(quest)e(Brok)o(er)m(,)g (Architecture)g(and)g(Speci\256cation,)g(Re)n(vision)-16 3670 y(2.0.)24 b(July)c(1995,)-16 3769 y(http://www)-5 b(.omg.or)o(g/corb)o(a/cor)o(biiop)o(.h)o(tm.)-182 3869 y([13])26 b(Object)31 b(Management)f(Group.)57 b(CORB)m(A)33 b(Security)-5 b(.)58 b(De-)-16 3968 y(cember)19 b(1995,)2136 83 y(http://www)-5 b(.omg.or)o(g/library)o(/cor)o(bserv)f(.h)o(tm.)1974 183 y([14])26 b(Object)21 b(Management)d(Group.)26 b(Common)19 b(Secure)h(Interop-)2140 282 y(erability)f(\(CSI\).)h(March)g(1997,) 2140 382 y(http://www)-5 b(.omg.or)o(g/library)o(/schedu)o(le/T)f(ech)o (no)o(log)o(y)p 3794 382 25 4 v 2140 482 a(Adoption.htm.)1974 581 y([15])26 b(Object)d(Management)e(Group.)33 b(CORB)m(Asecurity/SSL) 24 b(In-)2140 681 y(teroperability)-5 b(.)22 b(June)e(1997,)2140 780 y(http://www)-5 b(.omg.or)o(g/library)o(/schedu)o(le/T)f(ech)o(no)o (log)o(y)p 3794 780 V 2140 880 a(Adoption.htm.)1974 980 y([16])26 b(Open)35 b(Softw)o(are)h(F)o(oundation.)70 b Fi(OSF)36 b(DCE)h(Application)2140 1079 y(Guide)p Fh(.)24 b(Prentice-Hall,)19 b(1992.)1974 1179 y([17])26 b(R.Rueppel.)54 b Fi(Analysis)30 b(and)f(Design)h(of)g(Str)m(eam)g(Cipher)o(s)p Fh(.)2140 1279 y(Springer)19 b(V)-9 b(erlag,)19 b(1986.)1974 1378 y([18])26 
b(B.Schneier)-5 b(.)44 b Fi(Applied)26 b(Crypto)o(gr)o(aphy)p Fh(,)h(2nd)f(edition.)44 b(W)m(i-)2140 1478 y(le)o(y)-5 b(,)19 b(1996.)1974 1577 y([19])26 b(S.Staamann.)57 b(Ov)o(erall)31 b(Inte)o(grity)e(of)i(Service)g(Control)g(in)2140 1677 y(TIN)m(A)18 b(Netw)o(orks.)24 b Fi(Pr)l(oceedings)18 b(of)g(Communications)f(and)2140 1777 y(Multimedia)23 b(Security)h(Confer)m(ence)f('97)p Fh(,)h(Athens,)h(Greece,)2140 1876 y(September)19 b(1997.)1974 1976 y([20])26 b(S.Staamann,)h(U.W)m (ilhelm.)45 b(CORB)m(A)29 b(as)e(the)g(Core)g(of)g(the)2140 2076 y(TIN)m(A-DPE:)37 b(A)h(V)-5 b(ie)n(w)37 b(from)f(the)i(Security)e (Perspecti)n(v)o(e.)2140 2175 y Fi(Pr)l(oceedings)24 b(of)i(Object)f(W)-8 b(orld)26 b(F)-5 b(r)o(ankfurt)25 b(1997)p Fh(,)g(Special)2140 2275 y(track)h Fi(Distrib)n(uted)i(Object) e(Computing)g(in)h(T)-8 b(elecommuni-)2140 2374 y(cations)p Fh(,)19 b(Frankfurt,)f(German)o(y)-5 b(,)18 b(October)h(1997.)1974 2474 y([21])26 b(TIN)m(A-C)k(Document:)43 b(Authentication)28 b(in)i(TIN)m(A)f(Access)2140 2574 y(Session,)i(V)-9 b(ersion)28 b(1.0)g(\(Draft\).)50 b(Engineering)26 b(Note,)31 b(Au-)2140 2673 y(gust)20 b(1996.)1974 2773 y([22])26 b(TIN)m(A-C)39 b(Document:)63 b(Security)38 b(Architecture,)43 b(V)-9 b(ersion)2140 2873 y(2.0.)24 b(T)-6 b(echnical)19 b(Report,)h(March)f (1996.)1974 2972 y([23])26 b(TIN)m(A-C)16 b(Document:)22 b(Service)16 b(Architecture,)f(V)-9 b(ersion)16 b(5.0.)2140 3072 y(Baseline)21 b(Document,)d(June)i(1997.)1974 3171 y([24])26 b(TIN)m(A-C)h(Document:)39 b(TIN)m(A)27 b(Business)h(Model)f (and)g(Ref-)2140 3271 y(erence)e(Points,)h(V)-9 b(ersion)25 b(4.0.)40 b(Baseline)26 b(Document,)f(May)2140 3371 y(1997.)1974 3470 y([25])h(H.)c(W)-7 b(oo)22 b(Sun,)g(K.)g(Eun)f(Chul,)h(J.)h(Hee)f (K)n(yung.)28 b(Realization)2140 3570 y(of)k(TIN)m(A)h(Service)f (Architecture)f(on)h(the)h(Internet.)61 b Fi(Pr)l(o-)2140 3670 y(ceedings)26 b(TIN)n(A)m('96)h(Confer)m(ence)p Fh(,)h(Heidelber)o(g,)f(German)o(y)-5 b(,)2140 3769 y(September)19 b(1996,)f(pp.)25 
b(235-243.)1974 3869 y([26])h(P)-9 b(.R.Zimmermann.)56 b Fi(PGP)31 b(Sour)m(ce)f(Code)i(and)e(Internals)p Fh(.)2140 3968 y(MIT)20 b(Press,)h(1995.)1859 5574 y(8)p eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF