An access control and trust management combined

A security framework combining access control and trust management for mobile e-commerce applications

Gregor v. Bochmann, Zhen Zhang, Carlisle Adams
School of Information Technology and Engineering (SITE)
and Jennifer Chandler
Faculty of Law
University of Ottawa
Abstract

In the context of e-commerce applications, access control must be combined with authentication and trust management. In this presentation, we consider several typical usage scenarios for mobile e-commerce users. We consider the security requirements, which include authentication, authorization, privacy, and risk management, and discuss how these requirements can be met with various access control and trust management models. We then present a secure e-commerce framework including functions for authentication, role-based access control and trust management for clients as well as service providers. The distributed trust management system allows the client to choose the service provider based on trust information, and the service provider may determine his trust in the user before determining the access rights that will be granted; we note that this may raise certain privacy law issues. An experimental implementation of this framework is then presented which is based on our previous work [1,2,4] and incorporates the "XML Security Suite" from IBM. The presentation will introduce the architecture of this security framework, highlight some of the system components and discuss implementation choices and performance issues.
Overview

- Usage scenarios and security requirements
- Background studies
  - Home directory for mobile users
  - Authentication for mobile users
  - A trust model
  - Combining trust and access control
- Security and trust for mobile users
- System Implementation
- Conclusion
Typical Scenarios

Mobile users: in a foreign domain, using portable and ad hoc devices

I. VoIP Conversation: Bob starts an audio/video conversation with Alice over the Internet while he is in a hotel.
II. Secure Printing: Bob needs to print sensitive documents from a commercial site.
III. Anonymous Online Service: Bob requests an online service from a hotel room without disclosing his identity to the service provider.
Security requirements

- Data integrity
- Authentication
- Privacy, anonymity
- Access control, authorization
- Signatures with non-repudiation
- ... and trust ...
Background study: Authentication for mobile users

- Enable support for mobile users and services: the concept of a home directory [1]

Background study: Authentication for mobile users

- Proposed authentication model for mobile users: a secure authentication protocol for mobile users [2]

Background study: Transactions based on trust

- Existing access control model for mobile users: Autonomic Distributed Authorization Middleware [3]
(Figure adapted from [3])
Background study: Trust model with statistical foundation

- Proposed trust model for mobile users: a trust model with statistical foundation [4]
(Figure: trust cycle of Experiences, Summarize, Probability, Recommendations, Decision, Interact and Update, with QoS rated on a scale from Very Bad, Bad, Average, Good, Very Good to Excellent.)
Overview of proposed system (with typical scenario II)

Components: Bob's Home Domain with a Home Agent; Foreign Domain with a Foreign Agent, a Reputation Server, a Service Directory, a PEP&PDP, and a Service Server with Policy Store; Bob with his PDA ([email protected]:9090).

While Bob is on a business trip in Paris, he wants to print his bank statement from the business center of the hotel he is staying at.
Phase I: Authentication & Role Assignment

CERT_FA(Role{R1, R2, R3, ...})

At this point, Bob and the F.A. share Ks2 while Bob and the H.A. share Ks3. Additionally, Bob receives a set of roles from the F.A., each of which has the form CERT_FA(Rx, ID_Bob).
Phase II: Service Selection

Participants: Bob, Service Directory, Service Server, Reputation Server

1. Bob -> Service Directory: Search(Service)
2. Service Directory -> Bob: Avail.(Service Candidates)
3. Bob -> Reputation Server: get(Service Reputation Data)
4. Reputation Server -> Bob: Data(Reputation of Service)
5. Bob: Eva(Service, Local Policy, Reputation(Service))
6. Bob -> Service Server: Req(Service)
7. Service Server -> Reputation Server: get(Client Reputation Data)
8. Reputation Server -> Service Server: Data(Reputation of Client)
9. Service Server: Eva(Client, Local Policy, Reputation(Client))
10. Service Server -> Bob: ACK(Req(Service))
Phase III: Service Request & Access Control

Participants: Bob, PEP/PDP, Policy Store, Service Server

1. Bob -> PEP/PDP: Access to the Service
2. PEP/PDP -> Policy Store: Policies related to the Service
3. Policy Store -> PEP/PDP: Policies(service)
4. PDP: evaluation according to the policies
5. PEP/PDP -> Bob: ACK/NACK
6. PEP: forward the access to the service server
Phase IV: Service Reputation Update

Participants: Bob, Service Server, Reputation Server

1. Bob -> Reputation Server: update(Service Reputation Data)
2. Reputation Server -> Bob: ACK/NACK
3. Service Server -> Reputation Server: update(Bob's Reputation Data)
4. Reputation Server -> Service Server: ACK/NACK
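The following sketch walks through the four phases for scenario II; it is an added illustration, not the authors' implementation. The HMAC tag standing in for CERT_FA(Rx, ID_Bob), the reputation scores, the policy thresholds, the role-to-action policy and the Phase IV update rule are all constructed assumptions.

```python
"""Simulation of Phases I-IV of the slide deck's framework (constructed example)."""
import hmac
import hashlib

FA_KEY = b"constructed-foreign-agent-key"  # stands in for the F.A.'s signing key

def issue_role_cert(role, user):
    # Phase I: F.A. issues CERT_FA(Rx, ID_Bob); an HMAC tag stands in for the signature
    tag = hmac.new(FA_KEY, f"{role}|{user}".encode(), hashlib.sha256).hexdigest()
    return {"role": role, "id": user, "tag": tag}

def verify_role_cert(cert):
    # Service side: reject role claims whose tag was not produced by the F.A.
    expected = hmac.new(FA_KEY, f"{cert['role']}|{cert['id']}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["tag"])

# Constructed Reputation Server data, scores in [0, 1]
REPUTATION = {"print.hotel.example": 0.92, "print.kiosk.example": 0.41, "bob": 0.8}

def select_service(candidates, min_rep):
    # Phase II, client side: Eva(Service, Local Policy, Reputation(Service));
    # the local policy here is a minimum reputation; pick the best acceptable candidate
    acceptable = [(REPUTATION.get(s, 0.0), s) for s in candidates if REPUTATION.get(s, 0.0) >= min_rep]
    return max(acceptable)[1] if acceptable else None

def admit_client(client, min_rep):
    # Phase II, server side: Eva(Client, Local Policy, Reputation(Client)); unknown clients score 0
    return REPUTATION.get(client, 0.0) >= min_rep

# Constructed Policy Store: which roles may perform which action on a service
SERVICE_POLICY = {"print.hotel.example": {"print": {"R1", "R2"}, "admin": {"R3"}}}

def pdp_decide(service, action, certs):
    # Phase III: PDP evaluates the request against Policies(service) using only verified roles
    roles = {c["role"] for c in certs if verify_role_cert(c)}
    return bool(roles & SERVICE_POLICY.get(service, {}).get(action, set()))

def update_reputation(name, outcome_good, weight=0.2):
    # Phase IV: exponential moving average toward 1.0 (good) or 0.0 (bad); constructed rule
    old = REPUTATION.get(name, 0.5)
    REPUTATION[name] = round((1 - weight) * old + weight * (1.0 if outcome_good else 0.0), 4)
    return REPUTATION[name]

if __name__ == "__main__":
    bob_certs = [issue_role_cert("R1", "bob")]
    chosen = select_service(["print.hotel.example", "print.kiosk.example"], 0.5)
    print(chosen, admit_client("bob", 0.7), pdp_decide(chosen, "print", bob_certs))
```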
Implementation Environment

- Open wireless LAN
- Service Directory & Reputation Server: well-known URL
- Use of XACL (XML-encoded) for:
  - Service request/response messages
  - Access policy representation
  - Role assignment: based on trust
- Implementation:
  - Java (Sun JVM and Blackdown Java on iPAQ)
  - IBM XML Security Suite (XACL support)
Implementation architecture

- Bob's Home Domain: PC-1 running the Home Agent
- Foreign Domain: Foreign Agent, Reputation Server, Service Directory (PC-3), PEP&PDP and Service Server with Policy Store (PC-2)
- Bob with his PDA (iPAQ, [email protected]:9090)
Conclusion

- Secure e-commerce framework for fixed and mobile users:
  - authentication
  - role-based access control
  - trust management for clients as well as service providers
- The general framework can be customized to fit any particular service requirement
- Performance of a simplified system implementation is still under investigation
References

1. K. El-Khatib, Zhen E. Zhang, N. Hadibi, and G. v. Bochmann, "Personal and Service Mobility in Ubiquitous Computing Environments," Journal of Wireless Communications and Mobile Computing, 2004.
2. G. v. Bochmann and Zhen E. Zhang, "A secure authentication infrastructure for mobile users," Advances in Security and Payment Methods for Mobile Commerce, 2004.
3. A. Seleznyov and S. Hailes, "An access control model based on distributed knowledge management," 18th International Conference on Advanced Information Networking and Applications, 2004.
4. Jianqiang Shi, G. v. Bochmann and Carlisle Adams, "A trust model with statistical foundation," Workshop on Formal Aspects in Security and Trust (FAST '04), 18th IFIP World Computer Congress, 2004.

Thank you! Questions?