1 Using Certified Policies to Regulate E-Commerce Transactions Victoria Ungureanu Rutgers University.


2 The Problem
- Ensuring that actions of agents involved in e-commerce conform with a-priori established contracts.
- A contract example: an airline company, say FlyAway, agrees to sell discounted tickets to a travel company, say TravelRUS, subject to the following provisions:
  - The purchases are to be made between January and June;
  - The price of each ticket is discounted by 10%;
  - Only agents duly certified as travel agents may buy tickets at discounted prices.

3 The Problem (cont.)
- An enterprise is bound by a potentially large number of disparate contracts.
  - Ex: Wal-Mart, Ford, Daimler-Chrysler, GM have in excess of 20,000 suppliers operating under different contracts.
- New contracts are continuously being established, and previously established contracts end.
- A contract has a limited, predefined validity period.

4 The Problem (cont.)
- Contracts may be annulled for various reasons.
  - For example: the travel agency is bankrupt.
- Contracts may be revised.
  - For example: the travel agency establishes a new certifying authority which issues certificates for sales representatives.
- Contracts may be stateful. Examples of stateful contract provisions:
  - Only a limited number of tickets, say 100, may be purchased at the discounted price.
  - FlyAway accepts reservations. A PO for a reserved ticket is honored only if made within 24 hours from the reservation.

5 The Problem (cont.)
- Need to support a large set of autonomous, evolving and stateful contracts.
- Current access control mechanisms deal mostly with monolithic, relatively stable, stateless policies.

6 Traditional Approaches
- Have a dedicated server for each contract:
  - Problematic if the number of contracts is large.
- Combine all contracts in a super policy:
  - The super policy is difficult to construct if the number of contracts is large;
  - The super policy needs to change every time a new contract is established, or a contract ends;
  - The super policy needs to change when a contract is annulled or revised.

7 Overview
- Motivation
- Certificates
- Certified policies
- The enforcement mechanism
- Conclusion

8 A Necessary Parenthesis: Certificates
- Are used to prove certain attributes regarding the owner.
  - Ex: the owner is John Doe, and he is employed by TravelRUS, and he is a travel agent;
- Are signed by a certification authority;
- Are presented by the owner to gain certain rights;
- Are valid for a limited time period;
- May be revoked for various reasons.

9 Certificate-based Authorization
[Diagram labels: server, Policy, Alice, Eve, request, certificates, granted, denied]

10 Contract Enforcement
- Idea: a client presents the policy embedding contract terms together with other credentials.
[Diagram labels: server, request, certificates, Policy, granted, denied]

11 Certified Policies (CPs)
- Are obtained by:
  - expressing contract terms in a formal, interpretable language;
  - certifying the contract terms, by having them signed by an authority trusted by the parties involved in the contract.
- Advantages:
  - no need for composing a super policy, nor for establishing a dedicated server for each contract.

12 The Elements of a Certified Policy
- Id
- Validity period
- Revocation server
- Version number
- Repository
- Initial control state
- State server
- Rules formalizing contract terms regarding access and control regulations

13 Deployment of Certified Policies
- Traditional certificates are maintained by repositories;
- Similarly, an enterprise can:
  - Express the contracts it is involved in as certified policies;
  - Store certified policies on designated repositories, from where agents may retrieve them as needed.

14 Contract Annulment and Revision
- If a contract is annulled, the corresponding CP should be invalidated.
- CP invalidation may be modeled by certificate revocation.
- If contract terms need to be revised, this can be achieved simply by:
  - revoking the obsolete version of the corresponding CP;
  - deploying the new version of the CP on a repository.

15 System Architecture
- Assumes the following trusted entities:
  - Repositories: provide persistent storage for CPs.
  - Revocation servers: maintain and disseminate revocation information.
  - Application servers:
    - Each server has an associated policy engine, called observer;
    - Observers verify certificates and interpret and carry out the rules of a CP;
    - A server is trusted to serve only requests sanctioned by its associated observer.
  - State servers: maintain the current value of contract states.

16 Enforcement of Certified Policies
[Diagram labels: application server, observer, revocation server, repository, state server; message: request, subject-certificate(s), CP]
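The observer's checks described on slides 12 to 16, as an added example that is not code from the presentation or the papers: it verifies a constructed CP for the FlyAway/TravelRUS contract, checks revocation and validity, checks the subject certificate, and enforces the stateful 100-ticket limit. Assumptions: all field names are hypothetical, the year 2003 is constructed, an HMAC with a single demo key stands in for the authorities' public-key signatures, and in-memory objects stand in for the revocation and state servers.

```python
import hashlib, hmac, json
from datetime import date

CA_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for a CA signature

def sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, msg, hashlib.sha256).hexdigest()

# Constructed CP carrying the elements listed on slide 12 (names hypothetical).
CP_BODY = {"id": "flyaway-travelrus", "version": 1,
           "valid_from": "2003-01-01", "valid_to": "2003-06-30",
           "initial_state": {"tickets_left": 100},
           "rules": {"discount": 0.10, "required_role": "travel_agent"}}
CP = {"body": CP_BODY, "sig": sign(CP_BODY)}

def make_cert(name, role):
    body = {"name": name, "role": role}
    return {"body": body, "sig": sign(body)}

class Observer:
    """Policy engine attached to an application server."""
    def __init__(self, revoked):
        self.revoked = revoked  # stand-in for the revocation server: {(id, version)}
        self.state = {}         # stand-in for the state server: id -> control state

    def decide(self, cp, cert, price, today):
        body = cp["body"]
        # 1. The CP itself must be authentic, unrevoked and within its validity period.
        if not hmac.compare_digest(cp["sig"], sign(body)):
            return ("denied", "bad CP signature")
        if (body["id"], body["version"]) in self.revoked:
            return ("denied", "CP revoked")
        if not body["valid_from"] <= today.isoformat() <= body["valid_to"]:
            return ("denied", "outside validity period")
        # 2. The subject certificate must be authentic and carry the required role.
        if not hmac.compare_digest(cert["sig"], sign(cert["body"])):
            return ("denied", "bad subject certificate")
        if cert["body"]["role"] != body["rules"]["required_role"]:
            return ("denied", "not a certified travel agent")
        # 3. Stateful rule: start from the initial control state, then count down.
        state = self.state.setdefault(body["id"], dict(body["initial_state"]))
        if state["tickets_left"] <= 0:
            return ("denied", "discount quota exhausted")
        state["tickets_left"] -= 1
        return ("granted", round(price * (1 - body["rules"]["discount"]), 2))
```

Revising the contract in this model means adding `("flyaway-travelrus", 1)` to the revoked set and presenting a newly signed CP with `version` 2; the server code does not change.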

17 Cluster-based Application Servers
- Application servers often use cluster architectures in order to handle high-volume traffic effectively.
- Cluster-based servers consist of a dispatcher and several back-end servers.
[Diagram labels: dispatcher, back-end server (x3)]

18 Effective Assignment Policies for Cluster-based Servers
- The problem: short waiting periods for clients.
- A (first) solution: the TDA (Type Dependent Assignment) policy.
- In broad outline, under TDA:
  - A back-end server acts as state server for a set of CPs;
  - The dispatcher assigns:
    - a request governed by a stateful CP to the back-end server that maintains the state of the CP;
    - a request governed by a stateless CP to the least loaded back-end server.

19 TDA’s Performance
- Gauged by running a simulation study driven by empirical data:
  - compares TDA with the Least-Connected policy;
  - the performance metric used by the study is waiting time.
- The simulation:
  - models 4 back-end servers;
  - models 100 contracts;
  - uses a trace containing ~170,000 requests arriving over 200 seconds;
  - considers that 80% of requests are governed by stateful contracts.
- TDA outperforms Least-Connected by a factor of 4!

20 Conclusion
- Policy management operations are easy to perform:
  - Deployment: simply store CPs on appropriate repositories;
  - Annulment: revoke the corresponding CP;
  - Update: revoke the previous version and deploy the new one.
- Easy to deploy:
  - Uses an infrastructure already in place;
  - Requires no modifications to the infrastructure, and only minimal modifications to application servers.
- Efficient enforcement.

21
- The papers discussing some of these topics appeared in: IEEE Cluster, December 2003; ACM Transactions on Internet Technologies, February
- These papers can be found at: research.rutgers.edu/~ungurean/
Thanks!
