Research Interests: Andrew Hutchison
Goal Oriented Protocol Generation
The Security Protocol Engineering and Analysis Resource (SPEAR and SPEAR II) work has been a focal point for security protocol related projects in the DNA group. Various projects have addressed protocol specification, analysis and code generation. Projects relating to analysis (incorporation of the Strand Space modelling/analysis technique) and code generation (verification of protocol code) are underway in 2003–2004 as Masters projects.
The intention of this project is to provide an expert 'front-end' to the security protocol engineering process that enables users of the SPEAR tool to define and achieve a set of goals in a particular protocol. The benefit of such an approach is that it ensures that the protocol engineering activity is consistent with what the protocol should achieve. A possible scenario for achieving this is to incorporate libraries of existing protocols, and to select from these according to the goals stated by the user. Explicitly describing protocol goals would also allow the cryptographic logic / strand-space analysis modules to be pre-configured for checking certain traits and attributes of a protocol.
Web Services Security
Web Services are increasingly being recognised as a means to provide system interoperability, and also as an attractive way to 'wrap' legacy and/or proprietary systems. In such an approach, encapsulation of an existing system presents the opportunity to incorporate additional security components as part of an overall web service. Specifically, the concept is to introduce a 'mediation layer' between the existing system and the web service interface.
Of particular interest is the extent to which IDS/A (host-based intrusion detection, as developed by PhD student Marc Welz) can be deployed as part of such a secure web service. The associated rules and/or anomaly detection module would have to be defined and developed. In addition, this module could also act as a reference monitor for the web service, if appropriate. Other components of such a mediation layer could also be provided, for example to handle privacy, information security policies (e.g. compulsory encryption depending on content labelling) etc.
Identity Management as Enabler of Secure Enterprise Environment
Identity Management is a concern for enterprises. This project should consider what information is required for an authentication and authorisation model in support of enterprise identity management. The links (and automatic account management) between an identity management module and underlying LDAP repositories should be considered. The OpenLDAP system could be used as an experimental system in this regard.
Consideration should also be given to how cryptographic key management can / should be co-ordinated within an enterprise, and in particular how this can be associated with the greater identity management activity. Use of cryptographic keys, associated with authenticated and authorised principals, should also be brought within the consideration of this project. In this way a unified approach to enterprise security can be pursued. Deployment for tasks such as secure communication (between pairs or groups) over an Instant Messaging mechanism could also be considered as an example environment.
The challenge of the project is to address each of the three aspects (identity management, key management, secure communication) individually, but also to look at the intersections, and how these topics can inter-relate to achieve a secure enterprise environment.