DIPARTIMENTO   DI   INFORMATICA
Università di Torino

Research Report Year 2000

Computer Science

Computer Systems and Networks

  People   Research Activities   Publications   Software Products   Research Grants

Security and Computer Networks

People

Francesco Bergadano

Full Professor

bergadan(at)di.unito.it

Franco Sirovich

Full Professor

franco(at)di.unito.it

Daniele Gunetti

Senior Researcher

gunetti(at)di.unito.it

Giancarlo Ruffo

Researcher

ruffo(at)di.unito.it

Davide Cavagnino

Research Assistant

cavagnino(at)di.unito.it

Andrea Nesta

Ph.D Student

nesta(at)di.unito.it

Research activity in 2000

The group's work in Security and Computer Network started in 1994, with special interest in public key systems as a basis for applications in secure wide area network communications. Since then, ten students have graduated with a thesis in network security, supervised by Prof. Bergadano. This activities continued until the present day, with significant collaboration with the University of Cambridge. This collaboration has included research on such issues as public key certification, innovative digital signature mechanisms, and WWW security. From 1994 until 1996, research activities in the area of secure agent architectures were investigated, in collaboration with Prof. Vita, at the University of Messina. In 1996, activities in computer security were also started, especially in the areas of password checking and intrusion detection. Other undergraduate theses are under completion in this area, also supervised by Prof. Bergadano. On the other hand, in the wider area of computer networks, Prof. Sirovich has investigated the ISO/OSI protocols during the past ten years, with special reference to network management and directory services. Also with the participation of Prof. Balbo and his group, the activity in 2000 has included a project for the study and the implementation of secure multicast transmission and video-conferencing; the development of a system to certify the number of visitors of an Internet site; and the study of a biometric systems to recognize users and reject impostors.

a) Public key systems and certification

This research is concerned with public key certification in distributed environments, proposing a certification scheme to exchange documents that are digitally signed. Our system, proposed in collaboration with the University of Cambridge, includes the implementation of a separate authority dedicated to delete the public key certificates that are no longer valid. Log file records are bound in a chain of hash values, so that they may not be deleted by the authority in an undetected way. The system has been implemented and a series of experiments is starting to integrate the above certification system with a few browser and mail services available on the market, both in Unix and Windows NT environments. Through this structure it will be possible to obtain a number of secure services that require signed and/or encrypted documents to be sent.

a.1) Secure Mailtools

In this research we studied PGP (Pretty Good Privacy), the most popular mail encryption and signature tool available worldwide. Within the context of two undergraduate theses, that were supervised by the security group, a public domain program, named "ACT", was implemented in 1997 and maintained in 1998, 1999 and 2000. This tool is compatible with PGP (versions prior to 5.0), but solves some of its weaknesses.

a.2) Digital Signatures and Authentication

The research was about the study of the mechanism to generate digital signatures based on public key algorithms. In collaboration with the University of Cambridge we made a new and alternative proposal to generate digital signatures based only on hash function chains. This mechanism turns out to be more efficient than the traditional approaches, and moreover it does not involve all the problems connected to the restrictions imposed by some countries about the export of encryption software.

b) Secure WWW

he research is concerned with authentication and privacy in the World Wide Web. The security of the transactions is guaranteed using public key systems, together with the certification scheme described above. The implementation is based on the original HTTP protocol and on commercial browsers. It is obtained through Java applets associated to the client, that silently transform the base HTTP transaction into an exchange of encrypted and authenticated information. The actual communication is not carried out at the HTTP level, but between application processes that are added for this task, both on the client host and on the server. The idea is an alternative w.r.t. the SHTTP protocol, that modifies the standard HTTP format, and also w.r.t. SSL, that works at the level of the communication software. The advantage is a quicker integration with the pre-existent tools. The implementation of a prototype (that is also used to address some of the aspects we study in the context of public key certification) is almost at the end of its development..

c) Password systems and access control

Another aspect of our research is related to the important problem of password checking. User passwords tend to be weak, and checking at the time of password creation or change is highly recommended. Although there are more sophisticated authentication systems - like those based on dedicated hardware (for instance a smartcard) or those asking for an answer to a "challenge" – the most common systems are based on passwords.

This as a consequence of their simplicity: they can be integrated in every environment without dedicated hardware and with well known user interfaces. In order to prevent bad password choices, the user password is usually confronted with a dictionary, with implementation difficulties that are related to checking time and especially space to store the dictionary. We have developed a proactive password checking method that can lead to very high dictionary compression, with low error rates, under one per cent. On the basis of the classification algorithm, the password checker ProCheck has been implemented as a patch for the Unix command passwd. ProCheck is freely distributed from http://maga.di.unito.it, and versions for SunOS, Ultrix and OSF1 are available. A version for NT has also been developed.

d) The X.500 protocol Directory (Franco Sirovich)

The X.500 protocol directory allows to realize a sophisticated distributed database with a partial reproduction of the database. Substantially, it is a free scheme with research functions for the database content. In the 1992 standard from ISO and CCITT, the functionality of the X.500 service was extended introducing access control. Basic Access Control functionalities have been studied, and an algorithm was developed to verify at runtime the access control for a generic X.500 database.

A new interesting concept has originated from the research and development on Directories: The Concept of MetaDirectory.

A MetaDirectory is a controlled union of all the Directories of an Organisation, that on one side allows to have a single point of access to a common repository of data for the whole organisation, and on the other side allows to synchronise and the data contained in different data bases and to control the flow of data from one data base to another that is configured to receive the updates of the data from the "master" one. The interesting point is that the master ship is defined at the attribute level, and the values of attributes can be obtained via an appropriate computation from one or moresource attributes.

We are going to experiment with these new concepts in the area of controlled access to University data from web servers.

e) Network Management (Franco Sirovich)

With the development of applications on computer networks, the problem of managing complex network systems became more and more important. Both within ISO/ITU and Internet, specific protocols and informative models have been developed to realize a distributed system to handle both network elements and distributed network applications. The two network management models are not equivalent, even if a comparative study of them points out interesting analogies. Cryptographic key management in a security system for telecommunications is an interesting area to apply the management model and the corresponding OSI protocols.

An interesting problem the is now being studied is the monitoring of Service Level Agreements. With the widespread adoption of outsourcing contract for the ITC services, the need has emerged of defining precisely the LEvel of Service that the provider must offer to the Users. The finalisation of document called Service Level Agreement is considered to be extremely beneficial to the achievement of customer satisfaction. The problem is now that of being able to monitor level of service that is being offered to group of Users and to be able to manage the resources of the ITC system so that the level of service defined in the SLA is actually met, thus avoiding that the users perceive a degradation of service.

MOnitoring Service LEvel Agreements is radically different than monitoring the performance of devices, computers, or telecommunication lines, because requires the measure of the service that is being delivered the actual users by applications, and not the service that the application "believes" is delivering to users. A Service Level Agreement Monitoring system must be able to allow the operators to identify the real causes of performance degradation, before the users perceive such a degradation and complain with the administrators.

f) Multicast Conferencing and Security (Davide Cavagnino)

Recently the multicast connection of the Computer Science Department to the MBone was improved, changing the routing protocol from DVMRP to the more efficient PIM Sparse Mode.

A novel protocol for the efficient authentication in a multicast environment was implemented in one of the most widely used tool for audio conferencing, modifying the source code. This implementation required the study of the current standards for the transmission of real-time data over the Internet, the definition of a new communication protocol satisfying the requirements of the authentication protocol, and the definition of new packet formats. Moreover, efficient cryptographic techniques (with the authentication protocol) were tested against a naive implementation using the RSA signature of each packet transmitted over the network.

Experimentations of the authenticated audio application have been done with satisfying results (i.e., the load of the machines running the application was low, thus allowing more computing power for the management of other multimedia applications). The delays in authentication (not of the audio) introduced by the authentication protocol were reasonable and acceptable for a teleconferencing application.

The developed protocol is also well suited in a broadcast environment.

g) Internet Traffic Certification

It is important to know who, when, how many times and how users visited a web site. This information must be precise and certain (i.e., it must reflect the effective activity of people navigating within a site and from one site to another). During 2000 a system able to gather and certify such information for the web site on which it is installed has been developed and extensively tested.

2000 Publications

Baldoni M., Baroglio C., Cavagnino D. Use of IFS Codes for Learning 2D Isolated - object Classification Systems. COMPUTER VISION AND IMAGE UNDERSTANDING, Vol. 77, pp. 371-387, 2000.

Beimel A., Bergadano F., Bshouty N.H., Kushilevitz E., Varricchio S. Learning Functions Represented as Multiplicity Automata. JOURNAL OF THE ACM, Vol. 47, No. 3, pp. 506-530, 2000.

Bergadano F, Cavagnino D. and Crispo B. Individual Single source Authentication on the Mbone. ME - IEEE CONFERENCE ON MULTIMEDIA AND EXPO, IEEE Computer Society Press, pp. 541-544, New York - USA, Luglio, 2000.

Bergadano F. and Cavagnino D. Certficazione di Accessi a Server WEB- AICA, -Taormina -Italia, Settembre, 2000.

Bergadano F., Cavagnino D. and Crispo B. Chained Stream Authentication. SAC - SELECTED AREAS IN CRYPTOGRAPHY, Waterloo, Canada, Agosto, 2000.

Werbrouck A., Tosello F., Rivetti A., Mazza G., De Remigis P., Cavagnino D. and Alberici G. Image Compression for the Silicon Drift Detectors in the ALICE Experiment-IMAGING, Stoccolma, Svezia, Giugno, 2000.

Research grants

Title of project

Project leader

Funding Organization

Kind of grant

Ricerca di Informazioni e Navigazione in Basi di Dati Distribuite con Tecniche di Apprendimento Automatico

F. Bergadano

Università di Torino

ex 60%

Prestazione per formazione su temi inerenti la progettazione e configurazione rete informatica

F. Bergadano

ARPA

Research Contract

CED Sperimentazine della "Firma Elettronica" presso alcuni settori del Comune di Biella

F. Bergadano

Città di Biella

Research Contract

Master in Web Technology e Security

F. Bergadano

Performer

Research Contract

Prestazione per formazione su temi inerenti la progettazione e configurazione rete informatica

F. Bergadano

Centro Rete (Univ. di Torino)

Research Contract

Computer Security

D. Gunetti

Università di Torino

ex 60%

Tecniche di Data Mining per la Computer Security e l'Intrusion Detection.

G. Ruffo

Università di Torino

Progetto Giovani Ricercatori

 
Department home [Information] [People] [Research] [Ph.D.] [Education] [Library] [Search]
[Bandi/Careers] [HelpDesk] [Administration] [Services] [Hostings] [News and events]
Administrator: wwwadm[at]di.unito.it Last update: May 17, 2018