1 / 19

Gregor v.Bochmann, Zhen Zhang, Carlisle Adams

A security framework combining access control and trust management for mobile e-commerce applications. Gregor v.Bochmann, Zhen Zhang, Carlisle Adams School of Information Technology and Engineering (SITE) and Jennifer Chandler Faculty of Law University of Ottawa. Abstract.

brandyreese
Download Presentation

Gregor v.Bochmann, Zhen Zhang, Carlisle Adams

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A security framework combining access control and trust management for mobile e-commerce applications Gregor v.Bochmann, Zhen Zhang, Carlisle Adams School of Information Technology and Engineering (SITE) and Jennifer Chandler Faculty of Law University of Ottawa

  2. Abstract In the context of e-commerce applications, access control must be combined with authentication and trust management. In this presentation, we consider several typical usage scenarios for mobile e-commerce users. We consider the security requirements which include authentication, authorization, privacy, and risk management, and discuss how these requirements can be met with various access control and trust management models. We then present a secure e-commerce framework including functions for authentication, role-based access control and trust management for clients as well as service providers. The distributed trust management system allows the client to choose the service provider based on trust information, and the service provider may determine his trust in the user before determining the access rights that will be granted; we note that this may raise certain privacy law issues. An experimental implementation of this framework is then presented which is based on our previous work [1,2,4] and incorporates the "XML Security Suite" from IBM. The presentation will introduce the architecture of this security framework, highlight some of the system components and discuss implementation choices and performance issues.

  3. Overview • Usage scenarios and security requirements • Background studies • Home directory for mobile users • Authentication for mobile users • A trust model • Combining trust and access control • Security and trust for mobile users • System Implementation • Conclusion

  4. Typical Scenarios Mobile users: in a foreign domain – using portable and ad hoc devices • VoIP Conversation Bob starts audio/video conversation with Alice over Internet while he is in a hotel. • Secure Printing Bob needs to print sensitive documentations from a commercial site • Anonymous Online Service Bob requests a online service from a hotel room without disclosing his identification to service provider

  5. Security requirements • Data integrity • Authentication • Privacy, Anonymity • Access control, Authorization • Signatures with non-repudiation • … and Trust …

  6. Background studyAuthentication for mobile users • Enable support for mobile user and services: The concept of home directory[1]

  7. Background studyAuthentication for mobile users • Proposed authentication model for mobile users: A secure authentication protocol for mobile users[2]

  8. Background studyTransactions based on trust • Existing access control model for mobile users: Autonomic Distributed Authorization Middleware [3] (Figure adapted from [3])

  9. Background studyTrust model with statistical foundation • Proposed trust model for mobile users: A trust model with statistical foundation[4]

  10. Overview of proposed system (with typical scenario II) While Bob is on a business trip in Paris, he wants to print his bank statement from a hotel’s business center of which he is staying at

  11. Phase I: Authentication & Role Assignment CERTFA(Role{R1,R2, R3,…}) At this point, Bob and F.A. share Ks2 while Bob and H.A. share Ks3. Additionally, Bob receive a set of Roles from F.A, each of which has the form of CERTFA( Rx, IDBob)

  12. Phase II: Service Selection

  13. Phase III: Service Request & Access Control

  14. Phase IV: Service Reputation update

  15. Implementation Environment • Open wireless LAN • Service Directory & Reputation Server: well-known URL • Use of XACL (XML-encoded) • Service request/response messages • Access policy representation • Role assignment: based on trust • Implementation: • Java (Sun JVM and Blackdown java on IPAQ) • IBM Security Suite (XACL support)

  16. Implementation architecture PC-1 Ipaq PC-3 PC-2

  17. Conclusion • Secure e-commerce framework for fixed and mobile users • authentication • role-based access control • trust management for clients as well as service providers • The general framework can be customized to fit any particular service requirement • Performance of a simplified system implementation is still under investigation

  18. Reference • K. El-Khatib, Zhen E. Zhang, N. Hadibi, and G. v. Bochmann, Personal and Service Mobility in Ubiquitous Computing Environments, Journal of Wireless communications and Mobile Computing, 2004 • G. v. Bochmann and Zhen E. Zhang, A secure authentication infrastructure for mobile users, Advances in Security and Payment Methods for Mobile Commerce, 2004 • A. Seleznyov, S. Hailes,An access control model based on distributed knowledge management, 18th International Conference on Advanced Information Networking and Applications, 2004. • Jianqiang Shi, G. v. Bochmann and Carlisle Adams, A trust model with statistical foundation, Workshop on Formal Aspects in Security and Trust (FAST '04), 18th IFIP World Computer Congress, 2004

  19. Thank you! Questions ?

More Related