A security framework combining access control and trust management for mobile e-commerce applications Gregor v. Bochmann, Zhen Zhang, Carlisle Adams School of Information Technology and Engineering (SITE) and Jennifer Chandler Faculty of Law University of Ottawa
Abstract In the context of e-commerce applications, access control must be combined with authentication and trust management. In this presentation, we consider several typical usage scenarios for mobile e-commerce users. We consider the security requirements which include authentication, authorization, privacy, and risk management, and discuss how these requirements can be met with various access control and trust management models. We then present a secure e-commerce framework including functions for authentication, role-based access control and trust management for clients as well as service providers. The distributed trust management system allows the client to choose the service provider based on trust information, and the service provider may determine his trust in the user before determining the access rights that will be granted; we note that this may raise certain privacy law issues. An experimental implementation of this framework is then presented which is based on our previous work [1, 2, 4] and incorporates the "XML Security Suite" from IBM. The presentation will introduce the architecture of this security framework, highlight some of the system components and discuss implementation choices and performance issues.
Overview n n Usage scenarios and security requirements Background studies n n n n Home directory for mobile users Authentication for mobile users A trust model Combining trust and access control Security and trust for mobile users System Implementation Conclusion
Typical Scenarios Mobile users: in a foreign domain – using portable and ad hoc devices I. II. Vo. IP Conversation Bob starts audio/video conversation with Alice over Internet while he is in a hotel. Secure Printing Bob needs to print sensitive documentations from a commercial site III. Anonymous Online Service Bob requests a online service from a hotel room without disclosing his identification to service provider
Security requirements n n n Data integrity Authentication Privacy, Anonymity Access control, Authorization Signatures with non-repudiation … and Trust …
Background study Authentication for mobile users n Enable support for mobile user and services: The concept of home directory[1]
Background study Authentication for mobile users n Proposed authentication model for mobile users: A secure authentication protocol for mobile users[2]
Background study Transactions based on trust n Existing access control model for mobile users: Autonomic Distributed Authorization Middleware [3] (Figure adapted from [3])
Background study Trust model with statistical foundation n Proposed trust model for mobile users: A trust model with statistical foundation[4]
Overview of proposed system (with typical scenario II) While Bob is on a business trip in Paris, he wants to print his bank statement from a hotel’s business center of which he is staying at
Phase I: Authentication & Role Assignment CERTFA(Role{R 1, R 2, R 3, …}) At this point, Bob and F. A. share Ks 2 while Bob and H. A. share Ks 3. Additionally, Bob receive a set of Roles from F. A, each of which has the form of CERTFA( Rx, IDBob)
Phase II: Service Selection
Phase III: Service Request & Access Control
Phase IV: Service Reputation update
Implementation Environment Open wireless LAN Service Directory & Reputation Server: wellknown URL Use of XACL (XML-encoded) n n n Service request/response messages Access policy representation Role assignment: based on trust Implementation: n n Java (Sun JVM and Blackdown java on IPAQ) IBM Security Suite (XACL support)
Implementation architecture PC-1 Ipaq PC-3 PC-2
Conclusion n Secure e-commerce framework for fixed and mobile users n n n authentication role-based access control trust management for clients as well as service providers The general framework can be customized to fit any particular service requirement Performance of a simplified system implementation is still under investigation
Reference 1. 2. 3. 4. K. El-Khatib, Zhen E. Zhang, N. Hadibi, and G. v. Bochmann, Personal and Service Mobility in Ubiquitous Computing Environments, Journal of Wireless communications and Mobile Computing, 2004 G. v. Bochmann and Zhen E. Zhang, A secure authentication infrastructure for mobile users, Advances in Security and Payment Methods for Mobile Commerce, 2004 A. Seleznyov, S. Hailes, An access control model based on distributed knowledge management, 18 th International Conference on Advanced Information Networking and Applications, 2004. Jianqiang Shi, G. v. Bochmann and Carlisle Adams, A trust model with statistical foundation, Workshop on Formal Aspects in Security and Trust (FAST '04), 18 th IFIP World Computer Congress, 2004
Thank you! Questions ?
Скачать презентацию A security framework combining access control and trust
8acb03d782ef2cfe6659ae98f3ed3b02.ppt