Security Issues in a SOA-based Provenance System Victor Tan, Paul Groth, Simon Miles, Sheng Jiang, Steve Munroe, Sofia Tsasakou and Luc Moreau PASOA/EU.

Presentation transcript:

Security Issues in a SOA-based Provenance System
Victor Tan, Paul Groth, Simon Miles, Sheng Jiang, Steve Munroe, Sofia Tsasakou and Luc Moreau
PASOA/EU Provenance, University of Southampton
IPAW May 2006, Chicago

Provenance in a SOA context
• Interactions through message exchange between services (actors)
• Execution of a workflow: process
• Provenance of a piece of data is the process that led to that piece of data.
• P-assertion: specific piece of information documenting some step of a process
• P-assertions are stored in a provenance store, to be queried by actors in the system

Access control on process documentation
• Useful provenance information obtained from aggregation of p-assertions
• Granularity of access control: on groups of p-assertions
• Problem: combination of certain p-assertions may provide unintentional access to provenance information

Access control on process documentation
[Diagram: p-assertions PA1 to PA6, grouped by the provenance query (X, Y or Z) they are needed to answer]
• User A has access to answer provenance query X
• User A is given access to answer provenance query Y
• Unintentionally, User A is given access to answer provenance query Z

Access control on process documentation
• Expose access only at level of provenance queries
  - Tools/services aggregate p-assertions and process them
  - Potential provenance queriers only access tools/services
• Use cryptographic protocols
  - Use appropriate algorithms to encrypt p-assertions
  - Assign keys corresponding to different groups
  - Information obtainable only if user has access to p-assertions as well as keys to decrypt groups of p-assertions.
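The aggregation problem and the query-level mitigation from the two slides above, as an added example that is not part of the original presentation. The mapping of PA1..PA6 to queries X, Y and Z, and the names leak_from_grant and QueryService, are assumptions made for illustration.

```python
# Constructed sample data. The slide names PA1..PA6 and queries X, Y, Z but
# not which p-assertions each query needs, so this mapping is an assumption.
QUERY_NEEDS = {
    "X": frozenset({"PA1", "PA2", "PA3"}),
    "Y": frozenset({"PA4", "PA5", "PA6"}),
    "Z": frozenset({"PA3", "PA4"}),
}


def readable_assertions(authorized, query_needs=QUERY_NEEDS):
    """Group-level access control: authorizing a query exposes its whole group."""
    return frozenset().union(*(query_needs[q] for q in authorized))


def unintended_queries(authorized, query_needs=QUERY_NEEDS):
    """Queries answerable from readable p-assertions without being authorized."""
    readable = readable_assertions(authorized, query_needs)
    answerable = {q for q, needs in query_needs.items() if needs <= readable}
    return answerable - set(authorized)


def leak_from_grant(authorized, new_query, query_needs=QUERY_NEEDS):
    """Queries that become answerable only because new_query is granted."""
    before = unintended_queries(authorized, query_needs)
    after = unintended_queries(set(authorized) | {new_query}, query_needs)
    return after - before


class QueryService:
    """Query-level mediation: callers never read p-assertions directly."""

    def __init__(self, store, query_needs=QUERY_NEEDS):
        self.store = store
        self.query_needs = query_needs

    def answer(self, authorized, query):
        # The decision is made per query, so holding X and Y never yields Z.
        if query not in authorized:
            raise PermissionError(f"query {query} not authorized")
        return {pa: self.store[pa] for pa in sorted(self.query_needs[query])}


if __name__ == "__main__":
    # Run before granting Y to a user who already holds X.
    print("leaked by granting Y:", leak_from_grant({"X"}, "Y"))
    service = QueryService({f"PA{i}": f"step {i}" for i in range(1, 7)})
    print(service.answer({"X", "Y"}, "X"))
```

Running leak_from_grant before each new authorization flags the combination described on the slide; routing queriers through QueryService removes it, because the p-assertion groups are never exposed.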

Accountability for p-assertions
• P-assertion is a subjective view of actor
• Need to establish accountability for the creation of an assertion (non-repudiation)
• Ensure that p-assertions are not altered after being created (integrity)
• Directly implemented by signing p-assertions

Trust framework for actors and provenance stores
• Distributed systems: cannot ensure that all possible actors creating p-assertions are doing so correctly
• Establish trust model to reflect relationships:
  - between actors creating p-assertions and actors using them
  - between actors and provenance stores
  - e.g. ratings system, eBay, MySpace

Information sensitivity in p-assertions
• Relevant with regard to legal requirements, e.g. patient records
• Information recorded in p-assertions may be obscured:
  - One-way anonymization
  - Encryption with a shared key

Long term storage
• P-assertions may be archived
• If signed and/or encrypted, appropriate certificate/key archival facilities are also required
• May need to ensure algorithms remain updated

Relating access control for data and p-assertions
• P-assertions may describe or relate to data with existing access control restrictions (authorizations)
• How do we relate authorizations for data and p-assertions that are derived from that data?
  - No relation
  - Allow actor creating p-assertion to specify its authorization
  - Allow automated generation of authorizations from existing authorizations

Distributed provenance stores
[Diagram: provenance stores (PS), labelled Bandwidth, Access Control, Storage]

Federated identity – approach 1
[Diagram: Actor; Security token service; Provenance store – Security domain 1; Provenance store – Security domain 2; Security token]

Federated identity – approach 2
[Diagram: Actor; Security token service; Provenance store – Security domain 1; Provenance store – Security domain 2; Security token]

Conclusion
• Many security issues: most analogous to standard access control issues, some possibly new
• Important to consider if provenance systems are to become industrial strength
• EU Provenance project – security features in GT4, WS-Security for authentication, proxy certificates for delegating access control, CAS for role-based authorization and federated identity