
Services d'autorisation et Intégration au protocole d'attribution dynamique des adresses

Abstract: Security is a major concern in modern digital technologies. With the development of the Internet, the need for security is greater than ever before. The development of Internet applications such as e-business, medical applications or videoconferencing creates new needs such as identification of the communicating entities, integrity of the exchanged messages, confidentiality of the transaction, authentication of the entities, anonymity of the certificate owner, rights capacitation, procuration, etc.

Whether the data is medical, tax or banking related, security is essential in order to give credibility to the system, while at the same time respecting users' and applications' needs. This security nevertheless has a price: that of establishing trust between communicating partners. Users' trust depends on the security of transactions, for example by means of a certification procedure and the recognition of electronic signatures.

Despite the diversity of existing certificates (X.509 identity certificates, SPKI, attribute certificates, etc.), they are still limited and generic, and thus insufficiently meet the specific needs of electronic applications and users. Hence the need to specify a new approach for generating certificates that answer these requirements: light, simplified and more open than the existing ones.

The research presented in this thesis proposes a new approach for the generation of certificates as a contribution to authorization services, and then integrates this contribution into DHCP (Dynamic Host Configuration Protocol) in order to reinforce it.

This thesis consists of two parts.

In the first part, we examine the various types of existing certificates as well as their limits. We propose and specify an approach which guarantees to the application and to the users a good representation of information within the certificate and a match between the certificate content and their needs. These certificates are attribute certificates specified in XML; they are flexible and respect the needs of the application and the user's personalization during the certificate generation process.
For each application, we define a DTD (Document Type Definition) grammar that specifies all the fields required by the application. The main idea is to store DTDs on the server, i.e. files containing a certain number of parameters corresponding to data that will be inserted in the final attribute certificate. The generation of these attribute certificates respects the grammar associated with the application.
These parameters are what allow the administrator to personalize the attribute certificates that the user will be able to request. Thus, if a new type of attribute certificate is needed, it is enough to create the DTD corresponding to the newly added application.
To satisfy users' needs, E-IGP (in English E-PMI, for Extended-Privilege Management Infrastructure) allows the user to customize her/his attribute certificate request: the user specifies the application parameters' values, the validity period of the attribute certificate, the roles that she/he would like to have, or the delegation she/he would like to grant to someone else according to these needs. The E-IGP (E-PMI) requires the existence of a Key Management Infrastructure, to which it is bound.

To prove the feasibility and the effectiveness of the suggested approach, we integrate it into the operation of DHCP. Intended to ease the work of system administrators by automating the allocation of IP addresses and configuration parameters to network clients, DHCP suffers from many security problems. It provides no mechanism for authenticating the DHCP client and server. Moreover, DHCP ensures neither the integrity of the exchanged messages nor their confidentiality, and it has no access control mechanism.

The second major contribution of this thesis is the specification and the implementation of an extension to DHCP, called E-DHCP (Extended Dynamic Host Configuration Protocol). E-DHCP provides a method for authenticating DHCP entities (client and server) and the contents of DHCP messages. E-DHCP proposes a new DHCP option. The technique used by this option is based on asymmetric key algorithms, X.509 identity certificates and the simplified attribute certificates specified in XML that are proposed in the first contribution of this thesis. The main idea of E-DHCP is to pair the DHCP server with an AA (Attribute Authority) server of an E-PMI, forming a new server called the E-DHCP server. This new server creates an attribute certificate for the client containing the dynamically allocated Internet address. The attribute certificate confirms the client's possession of its IP address.

Cited literature: 89 references
Contributor: Jacques Demerjian
Submitted on: Monday, September 5, 2005 - 4:58:50 PM
Last modification on: Tuesday, September 21, 2021 - 2:06:13 PM
Long-term archiving on: Friday, April 2, 2010 - 9:53:58 PM


  • HAL Id : tel-00010042, version 1


Jacques Demerjian. Services d'autorisation et Intégration au protocole d'attribution dynamique des adresses. Réseaux et télécommunications [cs.NI]. Télécom ParisTech, 2004. Français. ⟨tel-00010042⟩


