Negotiated Privacy and Security Policies for Web Services George Yee (Joint work with Larry Korba) www.iit-iti.nrc-cnrc.gc.ca/personnel/yee_george_e.html.

Presentation transcript:

Negotiated Privacy and Security Policies for Web Services George Yee (Joint work with Larry Korba)

Contents
Introduction
The current landscape
Personal privacy policy
E-services security policy
Negotiation requirements
Help for negotiation
Policy negotiation for web services
Related work
Conclusions

Introduction
Drivers for personal privacy policies
  – Growth of the Internet → greater consumer exposure to e-services (e-commerce, e-gov’t, e-health, etc.) → growth of consumer awareness of lack of privacy
  – Privacy legislation → greater consumer awareness of privacy rights
Drivers for personal security policies
  – Nature of e-service consumer’s business (e.g. defense contractor)
  – Consumer’s resources (e.g. mobile device)
Negotiation required if mismatch between consumer and provider policies

The current landscape
Privacy and security policies on the Internet
  – Posted privacy policies
  – P3P privacy policies for web sites
      Browser plug-in allows checking of personal privacy preferences against web site’s policy
      “Privacy Bird”: check preferences, display policy in easy to understand language, customizable warnings
      No negotiation, “take it or leave it”
  – No personal security policies for e-services
Web services
  – Some elements to allow policies and negotiation are in place: WS-Policy, WS-SecurityPolicy, WS-Agreement
  – No negotiation protocol

Personal privacy policy
Necessary content implied by privacy legislation
Simple so that it can be understood by the average e-service consumer
Machine processable, e.g. using XML-based language such as APPEL

Example policy:
Header
  Policy Use: E-learning
  Owner: Alice Consumer
  Valid: unlimited
Privacy Rule
  Collector: Any
  What: name, address, tel
  Purposes: identification
  Retention Time: unlimited
  Disclose-To: none
Privacy Rule
  Collector: Any
  What: Course Marks
  Purposes: Records
  Retention Time: 2 years
  Disclose-To: none
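A machine-processable policy can be checked rule by rule before any negotiation starts. The following is an added example, not code from the presentation: it encodes the slide's policy for Alice and compares it with a constructed provider policy. The matching semantics (purposes and disclosure must be subsets, retention must not be longer) and the provider's values are assumptions.

```python
import math

# Alice's personal privacy policy as given on the slide (retention in years).
ALICE = {
    "header": {"policy_use": "E-learning", "owner": "Alice Consumer", "valid": "unlimited"},
    "rules": [
        {"collector": "Any", "what": {"name", "address", "tel"},
         "purposes": {"identification"}, "retention": math.inf, "disclose_to": set()},
        {"collector": "Any", "what": {"Course Marks"},
         "purposes": {"Records"}, "retention": 2, "disclose_to": set()},
    ],
}

# Constructed provider policy (hypothetical collector and values).
PROVIDER = {
    "collector": "Example E-Learning Inc.",
    "rules": [
        {"what": {"name", "address", "tel"}, "purposes": {"identification"},
         "retention": math.inf, "disclose_to": set()},
        {"what": {"Course Marks"}, "purposes": {"Records"},
         "retention": 5, "disclose_to": {"partner university"}},
        {"what": {"email"}, "purposes": {"marketing"},
         "retention": 1, "disclose_to": set()},
    ],
}

def rule_conflicts(allowed, requested):
    """Fields in which the provider's rule asks for more than the consumer's rule allows."""
    conflicts = []
    if not requested["purposes"] <= allowed["purposes"]:
        conflicts.append("purposes")
    if requested["retention"] > allowed["retention"]:
        conflicts.append("retention")
    if not requested["disclose_to"] <= allowed["disclose_to"]:
        conflicts.append("disclose_to")
    return conflicts

def mismatches(consumer, provider):
    """Map each requested item to its conflicting fields (['what'] if no rule covers it)."""
    result = {}
    for req in provider["rules"]:
        for item in sorted(req["what"]):
            covering = [r for r in consumer["rules"] if item in r["what"]
                        and r["collector"] in ("Any", provider["collector"])]
            found = min((rule_conflicts(r, req) for r in covering),
                        key=len, default=["what"])
            if found:
                result[item] = found
    return result
```

The items returned by `mismatches` are the ones a consumer would have to negotiate; an empty result means the provider's policy already fits the personal policy.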

E-Services security policy
ISO (Reference Model for Security Architectures), ITU-T X800 (Security Architecture for Open Systems Interconnection) suggest the following security services:
  1. Authentication
  2. Access Control
  3. Data Confidentiality
  4. Data Integrity
  5. Non-repudiation
We add:
  6. Secure Logging
  7. Certification
  8. Malware Detection
  9. Application Monitoring
[Figure: Consumer, Internet, E-Service Provider, Consumer Private Information Database and Certification Authority, annotated with the numbers of the security services above]

E-Services security policy
Security mechanisms (e.g. digital signature) are used to support security services.
Negotiation can be over security services or security mechanisms but since the security services are usually required, negotiation tends to be over mechanisms.

E-Services security policy - example

CONSUMER PROVISIONS
Consumer Authentication
  Implement: yes (default)
  Mechanism: password
  Mechanism: V+F biometrics
Consumer Malware Detect
  Implement: yes (default)
  Mechanism: Norton
Application Monitoring
  Implement: yes (default)
  Mechanism: IIT-ISG

PROVIDER PROVISIONS
Provider Authentication
  Implement: yes (default)
  Mechanism: security token
  Mechanism: digital signature
Secure Logging
  What: order transactions
  Mechanism: 3DES encrypt
  What: user input
  Mechanism: 3DES encrypt
Access Control

Negotiation requirements
1. The policy measures to be negotiated must be clear and understandable.
2. The consumer may negotiate any subset of measures in the policy.
3. There needs to be some form of trusted online help for the consumer in cases where it is difficult to know what choice to make in a particular step in the negotiation.
4. The consumer normally initiates negotiation after finding the e-service that he wants to use. However, when a provider changes its service and requires new measures, it may initiate a policy negotiation with the consumer.
5. Negotiation may be terminated by either the consumer or the provider, at any step in the negotiation. If so terminated, the associated e-service may not proceed.
6. The user interface for the negotiation must be easy to use, intuitive, and trustable (i.e. give the user a sense of ease that everything is working as stated or planned).

Negotiation requirements
Each side is represented by a software agent.
Agent acts on behalf of the consumer to receive/send negotiation messages from/to the provider.
Another agent serves the provider in the same way.
These agents also perform validation checks on the information to be sent.
[Figure: Consumer, CA, PA and Provider, labelled with sp and SP]
CA – Consumer Agent
PA – Provider Agent
SP – Security Policy
sp – security preferences

Negotiation requirements
Order of negotiations
[Flowchart: Start; Look for e-service; Found?; Negotiate security policy; Success?; Negotiate privacy policy; Success?; Execute e-service; Stop; branches labelled yes/no]
Steps in negotiations
[Message sequence between Consumer and Provider: Req SP; SP; Consumer compares SP to his security preferences, finds mismatch; SP1; SP2; SP3; ...; SPn; Successful negotiation after n steps (SPn = SPn)]

Help for negotiation
Fulfilling negotiation requirement 3:
  – For privacy policy negotiation, help for the consumer to know what offer to make can be obtained using the experience of reputable others who have negotiated the same or similar items before.
  – For security policy negotiation, similar help can be obtained by looking at policies that have been successful in thwarting attacks and then using these policies to guide what offers to make.

Policy negotiation for Web Services
The SOAP message that initiates a web service would instead request a comparison of policies and then if necessary carry on with the above negotiation steps through an exchange of SOAP messages.
Only after the privacy policy negotiation is successful would the SOAP message to execute the service be sent.
Where a negotiation fails, the consumer would access the UDDI directory again to find another provider and start the negotiation stages all over again (or find ways to satisfy the provider’s security policy).
Provider privacy and security policies could be stored in the UDDI.
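The negotiation steps and the fall-back to another provider can be simulated with two agents exchanging offers. This is an added example, not the authors' prototype: in-memory dictionaries stand in for the SOAP messages, a list stands in for the UDDI directory, only the security policy stage is shown, and the alternating-offer strategy and provider names are assumptions.

```python
class Agent:
    """CA or PA: per security service, the mechanisms it accepts, best first."""
    def __init__(self, name, acceptable):
        self.name, self.acceptable = name, acceptable
        self.untried = {s: list(m) for s, m in acceptable.items()}

    def respond(self, offer):
        """Answer an offered SP with ('agree', sp), ('counter', sp) or ('terminate', None)."""
        bad = [s for s, m in offer.items() if m not in self.acceptable.get(s, [])]
        if not bad:
            return "agree", offer
        counter = dict(offer)
        for s in bad:
            if not self.untried.get(s):
                return "terminate", None  # requirement 5: either side may stop
            counter[s] = self.untried[s].pop(0)
        return "counter", counter

def negotiate(ca, pa, offer, max_steps=20):
    """Alternate offers, consumer answering first; return (agreed SP or None, log)."""
    log, turn = [("PA", "SP", offer)], ca
    for _ in range(max_steps):
        verdict, sp = turn.respond(offer)
        log.append((turn.name, verdict, sp))
        if verdict != "counter":
            return sp, log
        offer, turn = sp, (pa if turn is ca else ca)
    return None, log

def find_service(consumer_prefs, directory):
    """Try providers in directory order until one negotiation succeeds."""
    for name, prefs in directory:
        ca, pa = Agent("CA", consumer_prefs), Agent("PA", prefs)
        opening = {s: pa.untried[s].pop(0) for s in prefs}  # provider's SP
        sp, log = negotiate(ca, pa, opening)
        if sp is not None:
            return name, sp, len(log)
    return None, None, 0

# Constructed sample data; mechanism names are taken from the example slide.
CONSUMER = {"consumer authentication": ["V+F biometrics", "password"],
            "provider authentication": ["digital signature"],
            "secure logging": ["3DES encrypt"]}
DIRECTORY = [  # stands in for the UDDI lookup
    ("provider-A", {"consumer authentication": ["password"],
                    "provider authentication": ["security token"],
                    "secure logging": ["3DES encrypt"]}),
    ("provider-B", {"consumer authentication": ["password", "V+F biometrics"],
                    "provider authentication": ["security token", "digital signature"],
                    "secure logging": ["3DES encrypt"]}),
]
```

With this data the first provider terminates because it cannot offer a provider authentication mechanism the consumer accepts, and the second agrees after one counter-offer.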

Other related work
Semi-automated generation of personal privacy policies – uses community consensus to normalize privacy levels which are then used to map privacy rules as selected by the consumer using a privacy slider.
Comparing and matching personal privacy policies by comparing and matching privacy levels assigned to privacy rules through community consensus.
Use of a Privacy Policy Compliance System (PPCS) for ensuring privacy policy compliance.
Prototype for negotiating privacy and security policies.

Conclusions
Consumers will want their privacy and security preferences respected. Providers will have to comply or lose business.
Negotiation of personal privacy and security policies is a good way for providers to respect consumer preferences.
Personal privacy and security policies have to be understandable by consumers and therefore should not be obscure or too complex. They should resemble as much as possible processes with which consumers are already familiar.
The approach given above for policy negotiation can be implemented in web services.

About Us
National Research Council Canada
  – Herzberg Institute of Astrophysics
  – Institute for Aerospace Research
  – National Institute for Nanotechnology
  – …
  – Institute for Information Technology
      Software Engineering
      Computational Video
      Visual Information Technology
      Integrated Reasoning
      Interactive Information
      High Performance Computing
      …
      Information Security (4 full-time researchers)

Thank-you