Antigone: Policy-based Secure Group Communication System and AMirD: Antigone-based Secure File Mirroring System

Jim Irrer and Atul Prakash
Department of EECS, University of Michigan, Ann Arbor, MI 48109

Patrick McDaniel
AT&T Labs - Research, P.O. Box 971, Florham Park, NJ 07932-0971

Project web site: http://antigone.eecs.umich.edu

This demonstration gives examples of how the Antigone policy-based secure group communication system supports applications. Antigone grew out of the observation that an application's security needs may vary with its operating environment, the principals in a group, or the data being exchanged. For example, some applications handle proprietary data that requires confidentiality, while others distribute press releases or other announcements that require only integrity and authentication. As another example, resource-plentiful infrastructures such as workstations connected by a high-speed local area network will be less concerned with the extra computational cycles and bandwidth needed for high-grade security than resource-constrained hand-held wireless devices, where performance and battery-life concerns may limit the choice of security mechanisms.

Antigone supports a policy language called Ismene. Ismene can express highly flexible security policies and is extensible to support domain-specific requirements. Standard cryptographic algorithms such as DES, Blowfish, MD5, and SHA are supported; however, Antigone and Ismene are designed in a modular fashion so that other algorithms can be incorporated. System-level features are also implemented modularly, using software components that we term mechanisms. Mechanisms are instantiated from the policy specification, which customizes their use. For example, policy authors may currently choose either the NULL or the SSL-based authentication mechanism. The NULL mechanism performs no authentication; the SSL mechanism authenticates principals and can be customized with a handful of parameters, such as the number of retries and the TCP port to use. Other mechanism types are Data Handler, Failure Detection and Recovery, Key Management, and Membership Monitoring. Again, the modularity of the Antigone

Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX'03) 0-7695-1897-4/03 $17.00 © 2003 IEEE
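The mechanism-instantiation idea described above (a policy selects NULL or SSL authentication, supplies parameters such as retries and TCP port, and chooses confidentiality and/or integrity for the data handler) can be illustrated with a small policy engine. The following is an added example written for this page; it is not Antigone or Ismene code, and the policy format (a plain Python dict) is a hypothetical stand-in for Ismene syntax, not Ismene's actual grammar. The algorithm names are the ones the page lists; the parameter defaults, the range checks, and the fail-closed consistency rule (confidential data may not be combined with NULL authentication) are assumptions added here, not rules the page states.

```python
"""Toy policy-driven mechanism instantiation, modelled on the page's description.

Added example, not Antigone/Ismene code. The policy format is a hypothetical
dict, not Ismene syntax.
"""
from dataclasses import dataclass, field
from typing import Any, Dict

# Algorithm names the page lists as supported. Assumption: anything else is rejected.
SUPPORTED_CIPHERS = {"DES", "Blowfish"}
SUPPORTED_HASHES = {"MD5", "SHA"}


class PolicyError(ValueError):
    """Raised when a policy cannot be turned into a consistent mechanism set."""


@dataclass(frozen=True)
class Mechanism:
    kind: str                                   # e.g. "authentication", "data_handler"
    name: str                                   # e.g. "NULL", "SSL"
    params: Dict[str, Any] = field(default_factory=dict)


def _build_authentication(spec: Dict[str, Any]) -> Mechanism:
    """Instantiate the authentication mechanism named by the policy."""
    name = spec.get("mechanism")
    if name == "NULL":
        return Mechanism("authentication", "NULL")
    if name == "SSL":
        # Defaults are an assumption of this example, not values from the page.
        retries = int(spec.get("retries", 3))
        port = int(spec.get("port", 443))
        if retries < 0:
            raise PolicyError("SSL retries must be non-negative")
        if not 1 <= port <= 65535:
            raise PolicyError(f"invalid TCP port {port}")
        return Mechanism("authentication", "SSL", {"retries": retries, "port": port})
    raise PolicyError(f"unknown authentication mechanism {name!r}")


def _build_data_handler(spec: Dict[str, Any]) -> Mechanism:
    """Instantiate a data handler providing confidentiality and/or integrity."""
    confidentiality = bool(spec.get("confidentiality", False))
    integrity = bool(spec.get("integrity", True))
    params: Dict[str, Any] = {}
    if confidentiality:
        cipher = spec.get("cipher")
        if cipher not in SUPPORTED_CIPHERS:
            raise PolicyError(f"unsupported or missing cipher {cipher!r}")
        params["cipher"] = cipher
    if integrity:
        hash_alg = spec.get("hash")
        if hash_alg not in SUPPORTED_HASHES:
            raise PolicyError(f"unsupported or missing hash {hash_alg!r}")
        params["hash"] = hash_alg
    if not params:
        # Assumption: fail closed rather than ship a handler that protects nothing.
        raise PolicyError("data handler must provide at least integrity")
    return Mechanism("data_handler", "standard", params)


def instantiate(policy: Dict[str, Any]) -> Dict[str, Mechanism]:
    """Turn a policy specification into configured mechanism instances."""
    mechanisms = {
        "authentication": _build_authentication(policy.get("authentication", {})),
        "data_handler": _build_data_handler(policy.get("data_handler", {})),
    }
    # Consistency rule (assumption): encrypting data for a group whose members are
    # never authenticated protects nothing, so confidentiality requires SSL.
    if "cipher" in mechanisms["data_handler"].params and \
            mechanisms["authentication"].name == "NULL":
        raise PolicyError("confidentiality requested but authentication is NULL")
    return mechanisms


def policy_is_valid(policy: Dict[str, Any]) -> bool:
    """Convenience wrapper: True if the policy instantiates cleanly."""
    try:
        instantiate(policy)
        return True
    except PolicyError:
        return False


# Constructed sample policies mirroring the page's two application examples.
PROPRIETARY_DATA_POLICY = {
    "authentication": {"mechanism": "SSL", "retries": 3, "port": 8443},
    "data_handler": {"confidentiality": True, "cipher": "Blowfish",
                     "integrity": True, "hash": "SHA"},
}
PRESS_RELEASE_POLICY = {
    "authentication": {"mechanism": "SSL", "retries": 1, "port": 8443},
    "data_handler": {"confidentiality": False, "integrity": True, "hash": "SHA"},
}
INCONSISTENT_POLICY = {
    "authentication": {"mechanism": "NULL"},
    "data_handler": {"confidentiality": True, "cipher": "DES", "hash": "MD5"},
}

if __name__ == "__main__":
    for label, pol in [("proprietary", PROPRIETARY_DATA_POLICY),
                       ("press release", PRESS_RELEASE_POLICY),
                       ("inconsistent", INCONSISTENT_POLICY)]:
        print(label, "->", instantiate(pol) if policy_is_valid(pol) else "rejected")
```

The point of the example is the shape of the engine, not the particular rules: each mechanism type validates its own parameters, and a final cross-mechanism check refuses combinations that would silently weaken the group. DES and MD5 appear only because the page lists them; a deployment today would not put either in its allowed set.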