Proxy Re-cryptography Library

The core of the library is a C++ implementation of the proxy re-encryption schemes proposed by Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger in NDSS 2005.  The library is intended for use by C++ or C programs, though in principle it is possible to access library functions from higher-level languages such as Python or Perl.

The long-term goal of this project is to collect a number of new proxy re-encryption and re-signature schemes into a single location so that researchers can evaluate their suitability for various applications.  The current library implements two public-key proxy re-encryption schemes.  In upcoming versions of this library we plan to implement additional primitives, including the proxy re-signature schemes of CCS '05, new proxy re-encryption schemes from TCC '06, and an Identity-Based re-encryption scheme from ACNS '07.

The Digital Knowledge Center (DKC)
(S. Choudhury)

The DKC conducts research and development related to digital libraries in collaboration with faculty, librarians, and archivists both within and beyond Johns Hopkins University. It provides expertise to facilitate the creation of digital library materials and services. It focuses on assessment and evaluation of digital libraries through usability research and valuation analyses. And it provides leadership in fostering an environment and culture which is conducive to advancing the library and university in the information age.

We are developing a new security architecture for mainstream languages such as Java. This architecture will allow declarative forms of access control and authentication to be integral parts of the language, not simply library add-ons. A declarative form of access control will inform users up-front of security requirements, and will also be statically checkable, before the code is run.

In order for electronic commerce to achieve its full potential, there is a need to define and establish standards of trust between any two entities on the web. This project evaluates consumer privacy tools in an objective, empirical study of consumer expectations, implementation issues, and their impact on business. As part of a multiphase study we will examine the attributes of privacy tools that promote consumer confidence, the trade-offs between complexity and ease of use, the barriers to implementation and how these obstacles vary across user groups and business sectors. The initial focus is P3P-based privacy tools with extensions to additional privacy enhancing tools and technologies anticipated in the later stages of the project.

Secure Distributed Medical Imaging Archive
(J. Gitlin)

This project is a component piece of a nation-wide initiative, under the Hospitals Universities, Business, and Schools Program (HUBS), to coordinate the dissemination of research and clinical information to improve the quality of healthcare for all. JHU has been a leader in digitizing medical images, significantly improving their quality and usability. This project represents another step forward as an architecture is developed to archive these large-object images. The goal is to make these images available in real-time for leading research and clinical institutions. Such an architecture requires a sophisticated security model and testing regimen to ensure accuracy and patient privacy.

Secure Spread
(Y. Amir)

The Secure Spread project (www.cnds.jhu.edu) focuses on integrating security services with reliable group communications in general, but the Spread toolkit in particular (www.spread.org). The project investigates robust key agreement protocols, access control and authentication techniques, and distributed trust in a distributed environment. The Secure Spread project both analyzes security protocols and enhances them to maintain strong fault-tolerance properties, and produces a practical, high-quality secure group communication system. This project is funded by DARPA and the NSA.

Archipelago Wireless
(Y. Amir)

The Archipelago project investigates efficient ways to form a secure, extended ad-hoc network of laptops, hand-helds, and other wireless capable devices, and bridge it to the Internet. The system constructs a multi-hop dynamic network using the wireless devices of participating users. Encryption and authentication provide protection against eavesdropping, snooping by non-authorized participants, and impersonation. Archipelago is a general platform for exploring the security and networking aspects unique to wireless communication.

Denial of Service Attack Assessment
(Applied Physics Laboratory)

Denial of Service (DoS) attacks come in a variety of types and can target groups of users, individual users, or entire computer systems. With the ever-increasing reliance on networked information systems for command and control of military systems—not to mention communications infrastructures — relatively simple attacks that degrade or deny service can have devastating effects. Under sponsorship of DARPA’s Fault Tolerant Networking program, JHU/APL has conducted the Denial of Service Attack Assessment (DOSAA). The DOSAA effort uses modeling and simulation to investigate attack classes and behavior. DOSAA has created and validated models of five computer network attacks, and a target network. Using these models, APL has been able to examine attacks in classes and characterize attack behavior within a class.

Automated Vulnerability Analysis Support Tool (AVAST)
(Applied Physics Laboratory)

There are many sources of information regarding computer security vulnerabilities. Unfortunately, it is difficult to make use of this information for a comprehensive vulnerability analysis because of the variety of sources, disparate ways of presenting the data, and duplication of data between sources. Prior studies indicate that an interactive automated tool could facilitate future analyses by providing a semi-automated means to collect and manipulate the appropriate data for this analysis. The JHU/APL is developing the Automated Vulnerability Analysis Support Tool (AVAST). AVAST, which is currently an initial beta prototype, is designed to support vulnerability assessments, and can potentially assist in the analysis of network attacks as well as aid in red team test planning. AVAST collects security bulletins from pre-defined, trusted on-line sources, stores them in a data repository, scans new material for user defined information of interest, retrieves data via user definable relationships, and summarizes results in a spreadsheet or database.

Research in Host and Network Based Intrusion Detection
(D. Naiman, J. Wierman, C. Priebe)

There are several areas of research in intrusion detection under way between faculty of the Mathematical Sciences Department and researchers at the Naval Surface Warfare Center. These include using activity profiles to characterize normal traffic patterns and detect anomalies, methods of visualization of these patterns, functional data analysis applied to network traffic, and epidemiological methods for modeling computer virus spread.

Securing systems is a top-to-bottom enterprise. The network and hardware, transport protocols, hub firmware, and computer operating systems must all be secured, along with the applications on top. Between the operating system and application lies programming languages and middleware, where there has been relatively little focus on security. Securing this layer will give an important added degree of safety.

Our research focus is securing programming language and component architectures. At the programming language layer we are integrating security constructs directly into programming languages and type systems; at the component layer we are developing cells, a secure distributed component architecture for the Internet.

Zombie Scan Analysis
(Applied Physics Laboratory)

Zombie Scan summarizes the analysis of traffic recently received on a sensor residing outside of a perimeter firewall on a large network. This sensor runs the network intrusion detection software Shadow. The activity drew attention because of the volume involved and the uniqueness compared to previously witnessed activity. Upon initial cursory examination, it was not obvious whether the activity was some kind of flood with the purpose of denial of service, a scan, or something else. Analysis determined the activity to be a concurrent scan by several hundred suspected zombie hosts.