A security framework combining access control and trust management for mobile e-commerce applications Gregor v.Bochmann, Zhen Zhang, Carlisle Adams School.


A security framework combining access control and trust management for mobile e-commerce applications. Gregor v. Bochmann, Zhen Zhang, Carlisle Adams, School of Information Technology and Engineering (SITE), and Jennifer Chandler, Faculty of Law, University of Ottawa

Abstract In the context of e-commerce applications, access control must be combined with authentication and trust management. In this presentation, we consider several typical usage scenarios for mobile e-commerce users. We consider the security requirements which include authentication, authorization, privacy, and risk management, and discuss how these requirements can be met with various access control and trust management models. We then present a secure e-commerce framework including functions for authentication, role-based access control and trust management for clients as well as service providers. The distributed trust management system allows the client to choose the service provider based on trust information, and the service provider may determine his trust in the user before determining the access rights that will be granted; we note that this may raise certain privacy law issues. An experimental implementation of this framework is then presented which is based on our previous work [1,2,4] and incorporates the "XML Security Suite" from IBM. The presentation will introduce the architecture of this security framework, highlight some of the system components and discuss implementation choices and performance issues.

Overview
Usage scenarios and security requirements
Background studies
Home directory for mobile users
Authentication for mobile users
A trust model
Combining trust and access control
Security and trust for mobile users
System implementation
Conclusion

Typical Scenarios
Mobile users: in a foreign domain, using portable and ad hoc devices.
I. VoIP conversation: Bob starts an audio/video conversation with Alice over the Internet while he is in a hotel.
II. Secure printing: Bob needs to print sensitive documents from a commercial site.
III. Anonymous online service: Bob requests an online service from a hotel room without disclosing his identity to the service provider.

Security requirements
Data integrity
Authentication
Privacy, anonymity
Access control, authorization
Signatures with non-repudiation
... and trust ...

Background study: Authentication for mobile users
Enabling support for mobile users and services: the concept of a home directory [1]

Background study: Authentication for mobile users
Proposed authentication model for mobile users: a secure authentication protocol for mobile users [2]

Background study: Transactions based on trust
Existing access control model for mobile users: Autonomic Distributed Authorization Middleware [3] (figure adapted from [3])

Background study: Trust model with statistical foundation
Proposed trust model for mobile users: a trust model with statistical foundation [4]

Overview of proposed system (with typical scenario II)
While Bob is on a business trip in Paris, he wants to print his bank statement from the business center of the hotel he is staying at.

Phase I: Authentication & Role Assignment
Additionally, Bob receives a set of roles from F.A., each of which has the form CERT_FA(R_x, ID_Bob); the set is written CERT_FA(Role{R1, R2, R3, ...}). At this point, Bob and F.A. share Ks2, while Bob and H.A. share Ks3.

Phase II: Service Selection

Phase III: Service Request & Access Control

Phase IV: Service Reputation update
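As an added illustration (not the authors' code) of the Phase I role assignment and the Phase III access-control check: F.A. derives Bob's roles from its trust in him, issues one CERT_FA(R_x, ID_Bob) per role, and the printing service grants the request only if a valid certificate binds Bob to a role its policy allows. The MAC-based certificate, the trust thresholds and the policy table are constructed assumptions; the real system uses XACL-encoded certificates and the trust model of [4].

```python
import hmac, hashlib, json

# Constructed verification key: the real system uses XML-encoded certificates
# (IBM XML Security Suite / XACL) signed by F.A., not a shared MAC key.
K_FA = b"constructed-fa-verification-key"

# Constructed trust-to-role thresholds; the actual mapping comes from the
# statistical trust model of [4], which this page does not detail.
ROLE_THRESHOLDS = {"guest": 0.0, "customer": 0.5, "trusted_customer": 0.8}

# Constructed access policy of the printing service: operation -> allowed roles.
POLICY = {"print_public": {"guest", "customer", "trusted_customer"},
          "print_sensitive": {"trusted_customer"}}

def assign_roles(trust):
    """Phase I: F.A. derives the user's role set from its trust value."""
    return sorted(r for r, t in ROLE_THRESHOLDS.items() if trust >= t)

def issue_role_cert(user_id, role):
    """CERT_FA(R_x, ID_user): canonical body plus MAC tag under K_FA."""
    body = json.dumps({"role": role, "user": user_id}, sort_keys=True).encode()
    tag = hmac.new(K_FA, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_role_cert(cert):
    """Service-provider side: return (user, role), or None if the tag is bad."""
    expected = hmac.new(K_FA, cert["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["tag"]):
        return None
    d = json.loads(cert["body"])
    return d["user"], d["role"]

def authorize(user_id, certs, operation):
    """Phase III: grant iff a valid cert binds this user to an allowed role."""
    allowed = POLICY.get(operation, set())
    for c in certs:
        v = verify_role_cert(c)
        if v is not None and v[0] == user_id and v[1] in allowed:
            return True
    return False

if __name__ == "__main__":
    roles = assign_roles(0.85)  # F.A. has high trust in Bob
    certs = [issue_role_cert("Bob", r) for r in roles]
    print(roles, authorize("Bob", certs, "print_sensitive"))
```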

Implementation Environment
Open wireless LAN
Service directory & reputation server: well-known URL
Use of XACL (XML-encoded): service request/response messages; access policy representation
Role assignment: based on trust
Implementation: Java (Sun JVM, and Blackdown Java on iPAQ); IBM XML Security Suite (XACL support)

Implementation architecture (figure: PC-1, PC-2, PC-3, iPAQ)

Conclusion
Secure e-commerce framework for fixed and mobile users: authentication, role-based access control, and trust management for clients as well as service providers
The general framework can be customized to fit any particular service requirement
Performance of a simplified system implementation is still under investigation

References
1. K. El-Khatib, Zhen E. Zhang, N. Hadibi, and G. v. Bochmann, Personal and Service Mobility in Ubiquitous Computing Environments, Journal of Wireless Communications and Mobile Computing.
2. G. v. Bochmann and Zhen E. Zhang, A secure authentication infrastructure for mobile users, Advances in Security and Payment Methods for Mobile Commerce.
3. A. Seleznyov and S. Hailes, An access control model based on distributed knowledge management, 18th International Conference on Advanced Information Networking and Applications.
4. Jianqiang Shi, G. v. Bochmann and Carlisle Adams, A trust model with statistical foundation, Workshop on Formal Aspects in Security and Trust (FAST '04), 18th IFIP World Computer Congress, 2004.

Thank you! Questions?