Secure Mobile and Wireless Communication Services for Collaborative Virtual Gaming

Babak Akhgar, Jawed Siddiqi and Mehrdad Naderi, Sheffield Hallam University (UK), [email protected]

Wolfgang Orth, Fraunhofer Institute for Secure Information Technology (Germany), email

Norbert Meyer, Poznan Supercomputing & Networking Center (Poland), email

Miika Tuisku, University of Helsinki (Finland), email

Gregor Pipan, XLAB (Slovenia), email

Mario López Gallego and José Alberto García, Telefónica I+D (Spain), email

Maurizio Cecchi, Telecom Italia (Italy), email

Jean-Noel Colin, Sun Microsystems (Belgium), email

0-9785699-0-3/06/$20.00 ©2006 IEEE

ABSTRACT

The paper reports on current research activities and innovations in provisioning secure ICT services. The identified research challenges and roadmap represent a significant step towards the development of global federated security services for the Web, Grid and particularly for future Mobile and Wireless communication (ICT platforms). The overall aim of the research is to provide seamless traversal to access distributed resources in the heterogeneous Web, Grid and particularly Mobile and Wireless spaces. Furthermore, in order to consider the value and usefulness of the Trust-ME framework, its strategic impact is assessed in terms of its proposed application to a real-world integrated scenario in collaborative virtual gaming.

1. INTRODUCTION

For complex and distributed ICT platforms the Trust-ME project is carrying out novel research that aims to provide a federated trust and security management framework for the Web and Grid as well as the Mobile and Wireless spaces. Here we report specifically on the innovation relating to the mobile and wireless space as it applies to collaborative virtual gaming.

Current identity and security management in ICT platforms is dedicated, restricted and limited to individual users and applications. The Trust-ME project aims to deliver a unique framework for secure and mobile wireless communication services whose fundamental innovation lies in the fact that it extends the management of global identity to provide federated access across heterogeneous ICT platforms. A further innovation in the Trust-ME framework is the integration of this with trust and policy management, reinforced by an intrusion detection system. The research was led through a collaborative effort by the following four partners: Sheffield Hallam University (UK), Fraunhofer Institute for Secure Information Technology (Germany), University of Helsinki (Finland) and Poznan Supercomputing & Networking Center (Poland), leading to the proposed Trust-ME framework. This was then distributed for peer review and comment to our industrial partners, which included Sun Microsystems (Belgium), Telecom Italia (Italy), Telefónica Investigación y Desarrollo (Spain), Valimo Wireless (Finland) and an SME, XLAB (Slovenia). The proposal therefore benefits from being a truly Europe-wide collaborative development effort and from peer-to-peer critique between leading academic institutions and key industrial partners involved in security and telecommunications.

In the next section we review some projects directly related to Trust-ME and provide a state-of-the-art review of federated identity in the context of secure, multiple, distributed, heterogeneous (i.e. Web, Grid and Mobile & Wireless) services, hereafter termed global ICT infrastructures. In the third section the specifics of the research challenges and a roadmap, as a first step towards a framework for the provisioning of secure ICT services, are presented. In a companion paper [1] the development of the Trust-ME framework is detailed. Given the significant research, development and innovation required to achieve the Trust-ME vision, we provide each of these three elements for each of the activities to be carried out in the project. Finally, in order to assess the impact of the research, an integrated showcase scenario is employed to demonstrate the added value accrued from the framework.

2. RELATED RESEARCH

Security and mobility have become essential features of today's computing systems, and several initiatives taking these into consideration have therefore appeared. These include a number of projects under the EU IST Framework VI programme. One such is the PRIME project, which addresses the problem of identity and privacy management in the European information society by developing a set of privacy-enhancing identity management tools and promoting the integration of these tools into legacy and new applications. Trust-ME will utilise and complement some of its output, especially with respect to the identity management systems architecture, in order to avoid redundancy in research. We next present some projects that have directly influenced and complemented our research.

EduRoam

EduRoam, standing for Education Roaming, introduces a system that enables mobile users to access the Internet and the networks of other participants using their home institution's credentials with minimal administrative overhead. The EduRoam service supports Web-based authentication with RADIUS. A general scenario looks like the following: the user provides his credentials; a local RADIUS server checks whether it is responsible for them and, if not, passes the credentials to the appropriate national (or even top-level European) RADIUS server, which in turn forwards them to the institutional RADIUS server that the user actually belongs to. The credentials are verified, the response is transferred back to the visited institution, and the user is granted access if allowed. Because the user's credentials travel over a number of intermediate servers that are in general not under the control of the user's home institution, the credentials must be appropriately protected for privacy reasons. The general idea is that a secure TLS (Transport Layer Security) tunnel is built between the client and the home institution's RADIUS server on top of RADIUS, based on verification of the home RADIUS server's certificate.

Mobile Grids

Mobility has become a central aspect of life for people in business, education and leisure. Related mobile 3G network infrastructures and user communities have surpassed the corresponding Internet figures. Independent of this development, Grid technology is evolving from a niche market solely addressing the High Performance Computing (HPC) domain towards a framework usable within a broad business context. However, while affecting largely identical complex applications, user and provider domains, the Grid community has been basically mobility-unaware.

SAHARA

SAHARA (Service Architecture for Heterogeneous Access, Resources, and Applications) is a project led by the University of California, Berkeley that aims to develop a new architecture for future telecommunications services that supports the dynamic confederation of sometimes collaborating and sometimes competing service providers. This is in order to be able to create end-to-end telecommunications services with desirable and predictable properties, such as performance and reliability, when provisioned from multiple and independent service providers. SAHARA is going to introduce a radically new service architecture. The architecture will be able to: accommodate a diversity of systems; enable emerging business models; enhance a confederation of services; and increase the network awareness of applications. One of the research areas within SAHARA is a secure authentication system for public wide and local area network (WLAN) roaming. The solution presents a concept of confederated service providers under different trust levels and with different authentication schemes, which enables the user to maintain only a single identity and set of credentials per WLAN provider. As for the trust relationship between clients and service providers, SAHARA presents an approach that bases them on trusted third-party monitors. The current type of relationship, based on contracts between well-established commercial enterprises, may not be sufficient for a huge number of service providers. Trusted third parties are anticipated to audit the providers, providing a rating service that separates the reliable participants from the unreliable ones. General services such as establishing trust relationships and managing transitive trust relationships are also envisaged.

Akogrimo

The Akogrimo IST project [3] aims to radically advance the pervasiveness of Grid computing across Europe. In order to achieve this goal, in addition to embracing the layers and technologies which are supposed to make up the so-called Next Generation Grids (NGG), such as knowledge-related and semantics-driven Web services, Akogrimo will architect and prototype a blueprint of an NGG which exploits and closely co-operates with evolving Mobile Internet infrastructures based on IPv6. It concentrates on mobility, quality of service, authentication, authorization and auditing, and the security functionalities provided by the corresponding network-related middleware. Akogrimo introduces the concept of a "virtual home" for nomadic and mobile environments, for solving complex problems across network technology and provider domains. Regarding the Grid, the project will address these environments as mobile dynamic virtual organisations, expecting to provide network-identity-based concepts of personalisation, profiling, privacy, security and trust. From the provider's point of view the project will provide new business models and opportunities, eventually making commercially viable NGGs a reality. Applications of the project have been concentrated on, but are not limited to, areas such as eHealth, eLearning and crisis management.

3. TRUST-ME PROJECT OVERVIEW

3.1 Collaborative Research Cycle

The project was initiated by a joint industry and academia research initiative under the European Union Information Systems Technology initiative. It was agreed that, due to the nature of the project, the best mode of inquiry is action-driven collaborative research as stated by Akhgar [1, 2]. The iteration cycles during the project discussion process, in terms of confirmation, clarification, adjustment, amendment and changes of the key requirements elicited, were used as evidence of the practical effectiveness of an underlying theory for the construction of our architecture without specific organisational narratives. The latter enabled us to address the risk and shortcoming of action research in terms of being too focused on a specific organisation, and the limitation of findings in terms of scope, as stated by Peters and Robinson [4] and Seashore and Taber [5]. Furthermore, the adopted iteration principle in the construction of our architecture reduced the risk of our subjectivism and over-positivistic interpretation of the requirements by embodying a multiplicity of views, commentaries and critiques, leading to finalised requirements for the construction of our Trust-ME framework.

The project team, led by academic partners, established the theoretical framework guiding the "action research" in their capacity as the leaders of the action team, through collaborative workshops with the members of the action team (representatives from industry and academia).

During the initial workshops the key security requirements obtained were discussed, clarified and challenged. At the start of the project the workshops' focus changed to defining the deliverables, milestones and their iterations and increments. A further three workshops were arranged and run to learn about standards, best practices, goals and objectives, and other projects.

The workshops served as an effective instrument to capture the collective mental construct of the action team for the construction of the architecture. The collective mental construct of the action team in relation to the project is reflected in the contextualisation of the Trust-ME project (see Figure 1).

Figure 1. Mobile and Wireless Over Heterogeneous Network Domain

From the action research perspective the aim of the workshops was to create and establish "reflection-based learning" in the action team. Based on the research by Mezirow [6] we established a set of three areas of reflective learning. The contextualised view of reflective learning in the project is as follows:

1- Content reflection: Discussing, evaluating and understanding the research diagnosis, including the problem situation (within the federation), the validity of the problem frames in the project's industrial context, the key requirements and the underlying assumptions (Identity Management and the nature of Trust).

2- Process reflection: Understanding and validating the action planning (including the effectiveness of the action team and further requirements for successful construction of the architecture), project conduct, evaluation principles, and strategies for future research (collaboration with other projects).

3- Premise reflection: Learning about to what extent Telecom Industry specific behaviour (in terms of politics, standards and norms) influenced the construction of our architecture. We have to acknowledge that, from the "premise reflection" perspective, learning was limited due to a number of factors, namely team structure, research focus and time restrictions.

3.2 Research Challenges and Roadmap

Towards building upon and utilising the local identity management schemes within each global ICT platform and standards-based frameworks (e.g. Shibboleth, Liberty Alliance), Trust-ME creates a mapping to system-local identities. Research in this area will comprise detailed research and development into:
• Federated Global Identity management
• approaches to Trust Management
• approaches to Intrusion Detection

This implementation plan incorporates a matrix of services: federated identity, trust and policies, and intrusion detection on one dimension, and the Web, Mobile and Grid spaces on the other.

Figure 2. Matrix of Services and Spaces

The Trust-ME technical programme of work comprises four tracks, corresponding to the three activities above and their subsequent integration. Therefore, the three work packages Federated Identity Management, Trust and Policies, and Intrusion Detection are created separately, in a loosely coupled manner and in parallel. Moreover, the interaction between components can be handled employing a service-based architecture. This will ensure that the integration results in the key components being transformed into services, with a standard web services process manager employed for component orchestration. The programme of work in terms of the Services and Spaces Matrix and its technical roadmap are illustrated in Figures 2 and 3 respectively.

Given the significant challenges faced in the project, here we detail the three elements relating to the research, development and innovation required to achieve the Trust-ME vision; we highlight explicitly each of these elements in each of the activities of Federated Identity Management, Trust & Policies and Intrusion Detection. In addition, for completeness, we have included Showcase and Integration.

Federated Identity Management

Research Element: To propose an end-to-end architecture and global virtual identity concept that is applied in federated identity management in the different layers of integrated security services.

Technological development: To integrate domain-specific best practices and emerging standards, and to develop the missing security components to enable federated identity management across the Web, Grid and Mobile domains.

Innovation Element: To remove the barriers to interoperability in the open ICT services market in terms of identity re-use and privacy-enhancing secure operation.

Trust and Policies

Research Element: To extend the trust fabric and high-level policies from one technology domain to cover the Web, Grid and Mobile domains, forming a secure service provisioning environment where policies are enforced with active intrusion detection.

Technological development: To integrate and develop an interoperable reference architecture that ensures a trustworthy digital services market.

Innovation Element: To realise self-sustaining trust management in a heterogeneous global ICT environment that has a high degree of transparency to users and services.

Intrusion Detection System

Research Element: To develop an architecture that is able to gather threat information from distinct sources and translate it into output that may be utilised by trust systems with respect to local policies.

Technological development: To integrate the threat information from multiple environments and architectures, and to provide a monitoring system and a decision system utilising the monitoring results.

Innovation Element: To provide a decision system for detected threats that may be linked with the trust and policies services for an appropriate reaction, and to develop an approach for modifying policies based on the history of user activities.

Showcase and Integration

Research Element: To identify and select real scenarios and their stakeholders in which the envisaged concepts, architecture and components for Federated Identity, Trust and Policies, and Intrusion Detection can be demonstrated.

Technological development: To integrate the different components developed in the project to make up valid test-beds for the proposed real scenarios, and to use integration architectures such as SOA to orchestrate the different components, including third-party and Open Source ones.

Innovation Element: To reify the envisaged concepts in different real scenarios and prove the viability of the solutions, showing the added value from the point of view of the different actors involved, including the user experience.

Figure 3. Trust-ME Road Map (figure not reproduced; its boxes read: ICT security requirements; EU-defined federated identity; ICT Concepts: Trust and Policy, Federated Identity Mgmt, Intrusion Detection; EU-defined IMS; TRUST-ME Implementation & Integration; ICT Services: Trust and Policy, Intrusion Detection, Federated Identity, Service Orchestration; TRUST-ME Show Cases and ICT Application Domain)

As a significant step towards showcasing demonstrations of the integrated system, in the next section we assess the strategic impact of the proposed system via integrated scenarios (i.e. those incorporating more than one ICT infrastructure) to illustrate the added value provided by the framework within a collaborative virtual gaming environment.

3.3 Impact Assessment through Scenarios

The significance of basic security (authentication, authorization) in IT is well understood. However, there arises the problem of incompatibility between disparate security infrastructures at both the data format and policy levels. To use the resources of a certain Virtual Organisation (VO) or infrastructure one needs to obtain an identity certificate in the format specific to the infrastructure employed, and must go through a certification process which is, again, specific to the organisation owning the resources [7, 8]. This is a major obstacle to the Global ICT vision of easy accessibility to all.
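The per-infrastructure certificate problem described above contrasts with the EduRoam model reviewed in Section 2, where a roaming user's credentials are routed by realm through a chain of RADIUS proxies to the home institution and are shielded from every intermediary by a tunnel to the home server. The following Python simulation is an added illustration of that forwarding chain; it is not code from the paper or from the eduroam project. It assumes a hypothetical hierarchy (visited institution, national proxies, top-level proxy, home institution), invented realms, users and passwords, and a toy HMAC-based sealed box standing in for the TLS tunnel that EduRoam builds on top of RADIUS.

```python
"""Constructed illustration of EduRoam-style realm-based RADIUS proxying.

Not code from the paper or the eduroam project. The TLS tunnel to the home server
is modelled by a toy HMAC-based sealed box under a key that only the client and the
home server share; all server names, realms, users and passwords are invented."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher (stand-in for TLS record protection).
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC the inner credentials so intermediaries see only ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}


def open_sealed(key: bytes, box: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the tag fails (altered in transit or wrong key)."""
    expect = hmac.new(key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, box["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(box["ct"], _keystream(key, box["nonce"], len(box["ct"]))))


@dataclass
class RadiusServer:
    name: str
    realm: str = ""                                   # realm this server is home for; "" = proxy only
    upstream: Optional["RadiusServer"] = None         # next hop towards the top-level proxy
    routes: dict = field(default_factory=dict)        # realm suffix -> downstream server
    users: dict = field(default_factory=dict)         # user -> (salt, PBKDF2 digest); home servers only
    tunnel_keys: dict = field(default_factory=dict)   # session id -> tunnel key (stand-in for TLS)
    log: list = field(default_factory=list)

    def handle(self, request: dict, hops: list) -> str:
        hops.append(self.name)
        outer = request["outer_identity"]             # e.g. "anonymous@helsinki.example.fi"
        _, _, realm = outer.partition("@")
        self.log.append(f"{self.name}: outer identity {outer}")   # the password never reaches a log
        if not realm:
            return "Access-Reject (no realm)"
        if realm == self.realm:
            return self._authenticate(request)
        for suffix, server in self.routes.items():    # route downwards by realm suffix
            if realm == suffix or realm.endswith("." + suffix):
                return server.handle(request, hops)
        if self.upstream is not None:                 # otherwise escalate to the parent proxy
            return self.upstream.handle(request, hops)
        return "Access-Reject (unknown realm)"

    def _authenticate(self, request: dict) -> str:
        # Only the home server holds the tunnel key and the user database.
        key = self.tunnel_keys.get(request["session"])
        if key is None:
            return "Access-Reject (no tunnel)"
        inner = open_sealed(key, request["box"])
        if inner is None:
            return "Access-Reject (tunnel integrity failure)"
        user, _, password = inner.decode().partition(":")
        record = self.users.get(user)
        if record is None:
            return "Access-Reject (unknown user)"
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return "Access-Accept" if hmac.compare_digest(candidate, digest) else "Access-Reject (bad password)"


def build_federation() -> dict:
    """Hypothetical hierarchy: visited institution -> national -> top-level -> national -> home."""
    top = RadiusServer("eu-top")
    nat_fi = RadiusServer("nat-fi", upstream=top)
    nat_uk = RadiusServer("nat-uk", upstream=top)
    top.routes = {"fi": nat_fi, "uk": nat_uk}
    home = RadiusServer("home-helsinki", realm="helsinki.example.fi", upstream=nat_fi)
    visited = RadiusServer("visited-sheffield", realm="sheffield.example.uk", upstream=nat_uk)
    nat_fi.routes = {home.realm: home}
    nat_uk.routes = {visited.realm: visited}
    return {s.name: s for s in (top, nat_fi, nat_uk, home, visited)}


def enrol(home: RadiusServer, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    home.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def roam(visited: RadiusServer, home: RadiusServer, user: str, password: str, tamper: bool = False):
    """Client side of one roaming login; returns (result, list of servers traversed)."""
    session, key = secrets.token_hex(8), secrets.token_bytes(32)
    home.tunnel_keys[session] = key                  # models the TLS handshake with the home server
    box = seal(key, f"{user}:{password}".encode())
    if tamper:                                       # simulate an intermediary altering the payload
        box["ct"] = bytes([box["ct"][0] ^ 0x01]) + box["ct"][1:]
    request = {"outer_identity": f"anonymous@{home.realm}", "session": session, "box": box}
    hops: list = []
    return visited.handle(request, hops), hops
```

The point to observe is the asymmetry of knowledge: every proxy on the path logs only the outer identity and the realm it routed on, while the user name and password exist in clear only at the client and at the home server. A realm with no route is rejected at the top-level proxy without any credential ever being inspected, and any modification of the sealed payload in transit fails the integrity check before the home server looks at its contents.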

Scenario: Collaborative Virtual Games Environments

The Problem Context: In a virtual gaming environment individuals can meet their peers with a certain degree of anonymity. It also incorporates real-life aspects such as tracking your whereabouts within a city, via the location-based services provided by a mobile phone operator or the GPS unit of the phone, which can be seen by all the game players. This scenario provides some interesting matchmaking possibilities, as the mates or dates of the user can be notified of their physical presence or proximity. Additionally, the game may involve certain tasks to be performed in real life, such as collecting items at a certain point in time or going to a bar around the next corner to learn previously unknown information.

Predicted Outcomes: Virtually enhanced gaming environments will be able to exploit the same set of services in digital form as are found in the real world, and to increase social behaviour by protecting the privacy of the user. The security mechanisms to identify individuals can be shared between the virtual and real worlds to allow access and to confirm payment. Perhaps most significantly, in mobile environments value-added services like location, presence and payment mechanisms are exposed to other technology domains, namely the Web and Grid.

We now enumerate a high-level workflow, predicated upon the deployment of the proposed Secure Mobile and Wireless Communication Services Framework, to illustrate the sequence of events for the virtual collaborative gaming environment outlined above. The steps are as follows:

1. A user has been donating computing cycles and extra storage space to the gaming community; in exchange she has collected a significant amount of virtual credits that can be spent in the virtual community.

2. The user can choose to play from the Web or from a mobile phone on the move. First the user checks the whereabouts of her friends. The game console quickly reveals that her friends are at a sushi bar two blocks from her home.

3. The user arrives at the sushi bar and at some point in the discussion one of her friends tells her about a new boy that she met at the University. He has a virtual global identity provided by the Trust-ME framework, like the others in this virtual organisation, all of whom have given permission for their identity to be passed on.

4. The user requests to know the boy's virtual identity based on the description she heard. Her friends agree to trade this against some virtual credits. This is possible because this specific virtual identity comes with a limited right to further delegate the knowledge of a short-term identity to others inside the personal circle of trust (i.e. friends in real life). The trade is accomplished via a Bluetooth link between the two mobile phones.

5. The next time the user is at the University she receives a proximity alert for this boy's virtual identity. The user then decides to send a short Instant Message, together with her Virtual Identity information, to start chatting with him.

6. It is now up to these individuals whether they want to meet outside the virtual environment.

4. CONCLUSION

From this scenario one can see that the Trust-ME framework provides a minimal security services platform layer in the real world to identify users and services from multiple service domains (Web, Grid and Mobile), which users can also utilise in a collaborative virtual gaming environment. As a result there is increased interoperability and an open digital services market for both virtual and real-life scenarios. Generalising, the benefits of the federated identity strategy and infrastructure are as follows:
• a better-secured user and business environment
• increased flexibility in using multiple services
• stronger security and trust management
• improved alliances within and between organisations through interoperability
• cost reduction and cost avoidance through increased operational efficiency
• enlarged possibilities for secure access to services, including in the mobile environment.
Taken together, these can and should lead to significant revenue growth through the development of strategic offerings. Moreover, provided that the outcome of Trust-ME is freely accessible to any entity, the enterprises owning it become more competitive in general; this in turn will impact their return on investment [9].

The Trust-ME project has examined, evaluated and built upon the technological and scientific results of research related to federated trust and security management in the Web, Grid, Mobile and Wireless domains. The security and trust management services are being realised by achieving the following goals:

Expanding the Circle of Trust: Trust-ME will enable identity authentications and attributes to be shared within the circle of trust.

Building On Interoperability Standards: Trust-ME will utilise the prevailing standards within each ICT platform that it integrates into, thereby addressing interoperability across heterogeneous ICT platforms.


Assigning Rights: Trust-ME will enable virtualised resources offered by providers to be mapped to the rights of a user or a service on a temporal or persistent basis.

Deploying Service Provisioning Scenarios: The Trust-ME framework will showcase federated trust and security management.

The three outcomes of the Trust-ME project, from the three distinct perspectives of research, industry and exploitation respectively, are as follows. First, to define a service-oriented reference architecture for a federated trust and security management system. Second, to dispel the dystopia by providing interoperability in disparate environments through backwards compatibility. Third, to deploy the federated trust and security management system in the Web, Grid and particularly Mobile & Wireless ICT environments. In conclusion, it could be argued that the results of the proposed research contribute to strengthening social cohesion, because users will find that they are able to seamlessly traverse all these disparate global ICT infrastructures for various application domains such as eGovernment, eBusiness and eCitizen. These services will therefore become more attractive for the user, friendlier and easier to manage. Moreover, as we have argued, the outcome of the Trust-ME framework can contribute indirectly to sustainable growth and to improving the competitiveness of both large and small businesses. All these attributes contribute to trust in the knowledge society and the vision of an "Information Society for All".
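Step 4 of the scenario in Section 3.3 rests on one specific property of the virtual identity: it is short-term, and its holder has a limited right to pass knowledge of it on, but only to people inside her own circle of trust. The Python model below is an added illustration of how a verifier can enforce exactly those three constraints (expiry, delegation budget, circle membership) over a chain of holder-signed delegation hops; it is not the Trust-ME framework's code. The identity provider, its HMAC-based key scheme, the per-user keys registered at enrolment and all users and timestamps are invented for the example.

```python
"""Constructed illustration of a delegable short-term virtual identity (scenario step 4).

Not the Trust-ME framework's code. The identity provider, its key scheme and every
user, key and timestamp below are invented. A token is issued to a first holder with a
delegation budget; each further holder appends a hop signed with a key registered at
enrolment, and the verifier accepts the identity only if every hop stayed inside the
delegating holder's circle of trust, the budget was respected and the token is unexpired."""
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    # Deterministic serialisation so signer and verifier MAC identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Hypothetical provider of short-term virtual identities (plays the Trust-ME identity role)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.user_keys: dict = {}   # user -> MAC key registered at enrolment
        self.circles: dict = {}     # user -> set of real-life friends allowed to receive delegations

    def enrol(self, user: str, key: bytes, circle: set) -> None:
        self.user_keys[user] = key
        self.circles[user] = set(circle)

    def _sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def issue(self, subject: str, holder: str, lifetime_s: int, max_delegations: int, now: int) -> dict:
        """Short-term virtual identity for `subject`, handed to `holder` with a delegation budget."""
        exp = now + lifetime_s
        vid = hashlib.sha256(self.secret + f"{subject}|{exp}".encode()).hexdigest()[:16]
        body = {"vid": vid, "holder": holder, "exp": exp, "max_hops": max_delegations}
        return {"body": body, "sig": self._sign(canonical(body)), "hops": []}

    def resolve(self, token: dict, presenter: str, now: int) -> tuple:
        """("ok", vid) if `presenter` legitimately holds the identity, else ("reject", reason)."""
        body = token["body"]
        if not hmac.compare_digest(self._sign(canonical(body)), token["sig"]):
            return ("reject", "bad issuer signature")
        if now >= body["exp"]:
            return ("reject", "expired")
        if len(token["hops"]) > body["max_hops"]:
            return ("reject", "delegation limit exceeded")
        holder, prev_sig = body["holder"], token["sig"]
        for hop in token["hops"]:
            if hop["from"] != holder:
                return ("reject", "hop not made by current holder")
            if hop["to"] not in self.circles.get(holder, set()):
                return ("reject", "recipient outside holder's circle of trust")
            signed = {k: v for k, v in hop.items() if k != "sig"}
            expect = hmac.new(self.user_keys[holder], canonical(signed) + prev_sig, hashlib.sha256).digest()
            if not hmac.compare_digest(expect, hop["sig"]):
                return ("reject", "bad hop signature")
            holder, prev_sig = hop["to"], hop["sig"]
        if presenter != holder:
            return ("reject", "presenter is not the holder")
        return ("ok", body["vid"])


def delegate(token: dict, from_user: str, from_key: bytes, to_user: str, now: int) -> dict:
    """Holder-side delegation (the Bluetooth trade in the scenario); no round trip to the provider.
    Each hop signature covers the previous signature, so hops cannot be reordered or spliced."""
    prev_sig = token["hops"][-1]["sig"] if token["hops"] else token["sig"]
    hop = {"from": from_user, "to": to_user, "at": now}
    hop["sig"] = hmac.new(from_key, canonical(hop) + prev_sig, hashlib.sha256).digest()
    return {"body": token["body"], "sig": token["sig"], "hops": token["hops"] + [hop]}


def run_scenario(now: int = 1_000_000) -> dict:
    """Constructed walk-through: carol knows bob's identity, trades it to alice, alice tries to pass it on."""
    idp = IdentityProvider(b"constructed-idp-secret")
    idp.enrol("carol", b"k-carol", {"alice", "bob"})
    idp.enrol("alice", b"k-alice", {"carol", "dave"})
    idp.enrol("dave", b"k-dave", set())
    tok = idp.issue("bob", "carol", lifetime_s=3600, max_delegations=1, now=now)
    to_alice = delegate(tok, "carol", b"k-carol", "alice", now + 20)
    to_dave = delegate(to_alice, "alice", b"k-alice", "dave", now + 40)
    return {
        "carol": idp.resolve(tok, "carol", now + 10),
        "alice": idp.resolve(to_alice, "alice", now + 30),
        "dave": idp.resolve(to_dave, "dave", now + 50),
        "alice_later": idp.resolve(to_alice, "alice", now + 3600),
    }


if __name__ == "__main__":
    for who, outcome in run_scenario().items():
        print(who, outcome)
```

Because the delegation budget and the circle membership are checked by the provider at resolution time rather than trusted from the holder, a second-hand recipient cannot extend the chain by one more hop, a holder cannot hand the identity to someone outside her registered circle, and a hop signed with anything other than the holder's registered key is rejected before the identity is revealed. The original holder's own copy stays valid after she delegates, which matches the scenario: knowledge of the identity is shared, not transferred.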

REFERENCES

[1] Akhgar, B.; "Software Engineering Processes in Practice: A Survey of 50 SW Eng Projects," Vol. 2, No. 4, 2002.

[2] Akhgar, B.; "Information Systems Research: An Action Research Perspective," SHUWP2, 2003.

[3] Akogrimo, www.mobilegrids.org

[4] Peters, M. and Robinson, V.; "The Origins and Status of Action Research," The Journal of Applied Behavioural Science, Vol. 20, No. 2, 1984, pp. 113-124.

[5] Seashore and Taber; "Action Research and Generation of Human Knowledge," Human Relations, Vol. 46, No. 11, 1976 [in Gustavsen, B., pp. 1361-66].

[6] Mezirow, J.; Transformative Dimensions of Adult Learning, Jossey-Bass, CA, 1994.

[7] Daidalos, www.ist-daidalos.org

[8] Title of Webpage, http://www.fzjuelich.de/unicoreplus/CUG_2000.pdf

[9] Porter, M.E.; Competitive Advantage: Creating and Sustaining Superior Performance, Free Press, 1985.