MICOSec: CORBA as a Secure Platform for Mobile Applications
by Rudolf Schreiner and Ulrich Lang
MICOSec is an Open Source implementation of the CORBA Security Services, which was developed by ObjectSecurity Ltd. as part of T-Systems Nova's Secure CORBA project. It was successfully used to develop CORBA-based applications, which comprised mobile clients on Compaq iPAQ Pocket PCs.
MICOSec (www.micosec.org) is an Open Source implementation of the CORBA Security Services (CORBASec), which was designed and implemented by ObjectSecurity Ltd. (www.objectsecurity.com) as part of Deutsche Telekom T-Systems Nova's Secure CORBA project. The original main goal of the project was to evaluate the usability of CORBASec for developing telecommunications applications, eg, for service provisioning or network management. Due to the fact that no CORBASec implementations that met the specific requirements of the project were initially available, it was decided to implement the complete CORBASec 1.7 level 2 specification.
MICOSec currently supports IIOP for unprotected communications, SSLIOP based on SSL Version 3, extended attributes for X.509 certificates, extended level 1 interfaces, authentication and message protection, Security Domain Membership Management, domain-based auditing (with flat file, Unix syslog and Postgresql as data storage), and domain-based access control. In addition to the MICO ORB, MICOSec uses OpenSSL as a crypto-library and Postgresql as a database for storing audit events. The latest MICOSec version is based on Portable Interceptors, so the Security Services can easily be ported to other standard conformant CORBA ORBs.
The very high deployment costs for future mobile communications networks make a quick return on investment a key survival factor for many communications carriers. Only attractive applications and services beyond the level of simple voice communication can motivate customers to spend more for mobile communication. To develop these applications quickly and economically, a standard application platform is needed. Since many of these applications will be security sensitive, the platform should also provide security functionality.
CORBA middleware is a sound base for the development of complex and distributed applications, but is normally regarded as too big and too complex to meet the requirements of mobile devices with limited resources. The first attempts to port CORBA ORBs to popular PDAs proved this prejudice to be true, when several groups tried to port the MICO ORB to the Palm Pilot with only limited success. The ORB had to be stripped down to minimal client-side functionality, because the performance of the Palm Pilot, CPU speed, memory and electric power were not sufficient to support a full CORBA ORB.
As part of our project, MICOSec was successfully used for the development of CORBA-based mobile applications on a Compaq iPAQ Pocket PC, a new generation of mobile devices. Porting MICOSec to a Compaq iPAQ Pocket PC running under Linux was straightforward, and it was only necessary to set up an appropriate cross-development environment. Then MICOSec, the underlying crypto-library and some demos could be compiled without problems. Porting existing CORBA applications was also very simple. The main issue was the user interface, since the Pocket PC has no keyboard and only a small display. However, the performance of MICOSec on the Pocket PC is more than satisfying. The main bottleneck is the RSA authentication at the beginning of the SSL handshake, which takes less than one second with a 1024 bit key.
MICOSec is currently used at Deutsche Telekom and ObjectSecurity for various projects (eg, for the development of a secure Parlay platform), for several demo applications to prove the viability of the concept, and for a research project in Ubiquitous Computing. It is anticipated that MICOSec will be used for commercial applications. The main foci of the further development of MICOSec are the secure interoperability with EJB by implementing the Common Secure Interoperability Version 2 protocol, integration into enterprise-wide security infrastructures, and secure CORBA components.
CORBA on the Pocket PC has proven to be a very useful platform for mobile applications, as it leverages all the advantages of CORBA and allows a seamless integration of mobile devices into existing applications. For example, it is possible to easily implement a graphical user interface with a CORBA-based geographical information system. It is also possible to use this platform for security-sensitive applications, since the CORBA security services provide the necessary functionality for the enforcement of various security policies.
MICOSec on mobile platforms will benefit from the further enhancement planned for MICOSec on standard systems, since the code base is the same (eg, in the future it will be possible to deploy secure CORBA components on the Pocket PC). The mobile device will then be a first-class part of a distributed application, rather than just a simple client with limited functionality. We anticipate that this platform will prove valuable for the rapid development of a broad range of applications.