University of British Columbia Towards Web 2.0 Content Sharing Beyond Walled Gardens San-Tsai Sun Supervisor: Kosta Beznosov Laboratory for Education and.

Slides:

Advertisements

Similar presentations

Tool-Support for Interdisciplinary and Collaborative User Interface Specification IADIS 2008 Amsterdam – Workgroup HCI University of Konstanz – Thomas.

Advertisements

Lousy Introduction into SWITCHaai

Identity Network Ideals – Heterogeneity & Co-existence

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Laboratory for Education and Research in Secure Systems Engineering (LERSSE) Networked Systems Laboratory (NetSysLab) Department of Electrical & Computer.

Project topics – Private data management Nov

Access Control Enforcement Delegation for Information-Centric Networking Architectures N. Fotiou, G.F. Marias, G.C Polyzos.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.

By: Ansuya Chauhan.

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

Will Darby April  What is Federated Security  Example Implementations  Security Assertion Markup Language (SAML) Overview  Alternative.

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004.

Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.

FIM-ig Federated Identity Management Interest Group.

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

Cloud Computing Cloud Security– an overview Keke Chen.

Dynamic Access Control Policy Management for Web Applications

Role-based Trust Management Security Policy Analysis and Correction Environment (RT-SPACE). Gregory T. Hoffer CS7323 – Research Seminar (Dr. Qi Tian)

Towards A User-Centric Identity-Usage Monitoring System - ICIMP Daisuke Mashima and Mustaque Ahamad College of Computing Georgia Institute of Technology.

What makes users refuse web single sign-on? An empirical investigation of OpenID S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov.

Catalyst 2002 SAML InterOp July 15, 2002 Prateek Mishra San Francisco Netegrity.

Identity Management Report By Jean Carreon and Marlon Gonzales.

Web 2.0: Concepts and Applications 6 Linking Data.

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.

Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

Security and Information Assurance UC San Diego CSE 294 Winter Quarter 2008 Barry Demchak.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Computer Science 725 – Software Security Presentation “Decentralized Trust Management” Decentralized Trust ManagementDecentralized Trust Management M.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

UCLA Enterprise Directory Identity Management Infrastructure UC Enrollment Service Technical Conference October 16, 2007 Ying Ma

Catalyst 2002 SAML InterOp July 15, 2002 San Francisco.

An Investigation of Facebook Grouping Robin Brewer Yael Mayer Lorrie Cranor Patrick Kelley facebook Home Profile Account Search.

Network Security Introduction Light stuff – examples with Alice, Bob and Trudy Serious stuff - Security attacks, mechanisms and services.

Authority of Information Technology Application National Center of Digital Signature Authentication Ninh Binh, June 25, 2010.

Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.

Workshop Presentation [1] Investigating Liberty Alliance and Shibboleth Integration Nishen Naidoo, Supervisor: Dr. Steve Cassidy.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

7 th FIM 4 R meeting April 2014 ESRIN Frascati.

What Makes Users Refuse Web Single Sign-On? An Empirical Investigation of OpenID Daniel Smith.

Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 28 Omar Meqdadi Department of Computer Science and Software Engineering.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.

1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Federated Identity Management for Scientific Collaborations The Common Vision David Kelsey (STFC) 3 Nov 2011.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

NSF Cyber Trust Annual Principal Investigator Meeting September 2005 Newport Beach, California UMBC an Honors University in Maryland Trust and Security.

Experiences Deploying OpenID for a Broad User Base Security and Usability Considerations Breno de Medeiros Identity Management 2009, September

b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.

Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Semantic Web Policy Systems Presented By: John Paul Dunning Usable Security – CS.

Federated Identity Management at Virginia Tech

Cloud Security– an overview Keke Chen

Federation made simple

eduTEAMS platform for collaboration Niels Van Dijk

Federated Identity Management for Researchers (FIM4R)

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Federated Identity Management for Scientific Collaborations

dCache, towards Federated Identities and Anonymized Delegation

Secure Authentication System for Public WLAN Roaming

PLUG-N-HARVEST ID: H2020-EU

Internet-based monitoring and control of embedded systems

AAI Architectures – current and future

The Attribute and the ecosystem

Presentation transcript:

University of British Columbia Towards Web 2.0 Content Sharing Beyond Walled Gardens San-Tsai Sun Supervisor: Kosta Beznosov Laboratory for Education and Research in Secure Systems Engineering (LERSSE) University of British Columbia

practical problem 2 lack of usable mechanisms for secure Web 2.0 user content sharing across content and service providers (CSPs)

content sharing scenario 3 CCA scouts only Colonial Coast Adventures (CCA) Girl Scouts Alice Jenny Picasa Web Alice’s CCA scout friends in Picasa Web

question 4 how to enable useful sharing of Web 2.0 content across CSPs? can existing technologies enable this type of sharing?

secret-link approach 5 Alice Picasa Web Jenny usable for Web users easy to implement by CSPs Alice does not have control over Jenny’s sharing of secret link with others Alice has to know Jenny’s secret-link

design goals content sharing useful for average users user-centric, i.e., access policy and identity follow the user only use browser, no special software or crypto on the user computer CSPs – separation of content hosting and content sharing – not required to change their existing access- control mechanism 6

approach OpenID extension [1] to enable OpenID IdPs to use as an alternative identifier – vs. policy hosting service – role-based trust-management policy language (RT) for credentials and policies [2] – distributed membership and containment queries 7 [1] B. Adida, “EmID: Web authentication by address,” in The Proceedings of Web 2.0 Security and Privacy Workshop 2008, Oakland, California, USA, [2] N. Li, J. C. Mitchell, and W. H. Winsborough, “Design of a role-based trust-management framework,” in SP ’02 Proceedings of the 2002 IEEE Symposium on Security and Privacy, 2002

sharing scenario 8 CCA Alice Picasa Web policy service Gmail  CCA.scout  CCA.scout  CCA.scout  policy service Yahoo secret-link, memberships secret-link

access scenario 9 Picasa Web policy service Gmail  CCA CCA.scout  CCA.scout  CCA.scout  policy service Yahoo containment Jenny secret-link OpenID AOL yes/no

content sharing scenario 2 10 CCA scouts and their parents only Colonial Coast Adventures (CCA) Girl Scouts Mary Alice Jenny Picasa Web Alice’s scout friends in Picasa Web

sharing scenario 2 11 CCA Alice Picasa policy service Gmail   CCA.scout  CCA.scout  CCA.scout  policy service Yahoo Jenny policy service AOL 

  access scenario 2 12 Picasa CCA CCA.scout  CCA.scout  CCA.scout  policy service memberships secret-link yes/no policy service AOL  containment Jenny secret-link Mary policy service Gmail

progress up-to-date protocols/algorithms for distributed memberships and containment queries preliminary prototype initial performance evaluation 13

open questions what is the expressiveness of sharing control that users need? how to design useable interface for controlled sharing? how to limit transitive trust? – A trusts B  B trusts C  A trusts C how to preserve the confidentiality of credentials and policies? – CCA does not want everybody to know addresses of its scouts 14

future work investigate user needs in controlled sharing design user interface evaluate usability investigate an approach for limiting transitive trust preserve the confidentiality of credentials and policies investigate phishing/spam prevention improve performance 15

San-Tsai Sun 16  San-Tsai Sun and Konstantin Beznosov. Open problems in Web 2.0 user content sharing. Presented at iNetSec Workshop, April 23th  San-Tsai Sun, Kirstie Hawkey, and Konstantin Beznosov. Towards enabling web 2.0 content sharing beyond walled gardens. To be presented at the Workshop on Security and Privacy in Online Social Networking, August 29th 2009

literature review user content sharing practices federated identity management attribute-based access control systems distributed authorization systems current sharing solutions provided by CSPs 17

literature review results (1) is the most commonly used sharing mechanism [Voida 2006, Miller 2007, Whalen 2008] Open ID is an open and user-centric identity solution without pre-trust between CSPs and IdPs 18 S. Voida, W. K. Edwards, M. W. Newman, R. E. Grinter, and N. Ducheneaut, “Share and share alike: exploring the user interface affordances of file sharing,” in Proceedings of the SIGCHI conference on Human Factors in computing systems CHI ’06:. New York, NY, USA: ACM, 2006, pp. 221–230. A. D. Miller and W. K. Edwards, “Give and take: A study of consumer photo-sharing culture and practice,” in Proceedings of the CHI 2007, San Jose, California, USA, April 28 –May , pp. 347–356. T. Whalen, “Supporting file sharing through improved awareness,” Ph.D. Dissertation, Dalhousie University, Canada, D. Recordon and B. Fitzpatrick, “OpenID authentication final,” authentication-2 0.html, December 2007.

literature review results (2) characteristics of attribute-based access control [Li 2002] distributed authority attribute inference attribute-based delegation attribute with fields RT [Li 2002] policy language supports attribute-based credential and policy concise ( 4 types of policy statements) 19 N. Li, J. C. Mitchell, and W. H. Winsborough, “Design of a role-based trust-management framework,” in SP :’02 Proceedings of the 2002 IEEE Symposium on Security and Privacy, 2002c

secret-link approach supported by Google, Yahoo, Facebook, … a hard-to-guess URL that identifies a shared content usable for Web users Alice does not have control over Jenny’s sharing secret link with others no support for attribute-based sharing TBD: Show flicker secret link … 20