360 likes | 570 Views
A Trust Model for Web Services Ph.D Dissertation Proposal Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez Department of Computer Science and Engineering Florida Atlantic University, Boca Raton FL. Introduction. Web services + U biquitous web [W3C05]
E N D
A Trust Model for Web ServicesPh.D Dissertation ProposalCandidate: Nelly A. Delessy, Advisor: Dr E.B. FernandezDepartment of Computer Science and EngineeringFlorida Atlantic University, Boca Raton FL
Introduction • Web services • + Ubiquitous web [W3C05] • Trust becomes a complex and sensitive issue for web services • Access control models have been proposed for web services [Aga04, Sir02, Fen04, Ber04, Won04] • None of these models includes or relates to any trust model
Introduction • Trust models have been proposed for other open computing environments such as peer-to-peer networks, mobile ad hoc networks, the Semantic Web • Only few trust models have been developed for Web services [WST05, Max02]. • None of them is generic enough to be applied in all web services usage scenarios.
Introduction • Dissertation’s goal: to develop a unified trust model for web services • Will indicate how it can be interfaced to existing access control model for web services • Will include trust management through trust policies, and dynamic aspects such as trust negotiation • Using UML and some mathematical formalism • Develop requirements for, and possibly design a language for trust policies
Background: Trust • One definition of “trust” asserts: “Generally, an entity can be said to ‘trust' a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects.” [IET00] • Trust is one entity’s belief in the honesty of another entity • A trust relationship between two entities is measurable. It can be assigned a trust level (discrete or continuous) • A trust relationship can be formalized as a binary relation. • In general, this relation is not symmetric, nor transitive
Background: Trust Models • Enables the formalization of the trust relationships among the entities of a particular domain • Describes which trustors can trust which trustees • in a specific context • and how the trust levels are obtained • Some low-level trust models provide the underlying architecture that enables trust evaluation and trust management.
Background: Trust Models • Trust models can be classified as: • Deterministic trust models • Trust lists • Hierarchy model • Mesh model • Bridge model
Background: Trust Models • Trust models can be classified as: • Non deterministic trust models • Web of trust • Statistical trust models • History-based • Recommendation-based • Probabilistic trust models • Hybrid models
Background: WS-Trust Trust Model • WS-Trust is a proposal that enables security tokeninteroperability • It provides: • Methods for issuing, renewing, and validating security tokens. • Ways to establish, assess the presence of, and broker trust relationships. • It defines a request/response protocol by which web services actors can request of some trusted authority that a particular security token be exchanged for another.
Background: WS-Trust Trust Model • The following key steps are performed by the trust engine of a Web service : • Verify that the claims in the token are sufficient to comply with the policy and that the message conforms to the policy. • Verify that the attributes of the claimant are proven by the signatures. In brokered trust models, the signature may not verify the identity of the claimant – it may verify the identity of the intermediary, who may simply assert the identity of the claimant. • Verify that the issuers of the security tokens (including all related and issuing security token) are trusted to issue the claims they have made. The trust engine may need to externally verify or broker tokens (that is, send tokens to a security token service in order to exchange them for other security tokens that it can use directly in its evaluation).
Background: WS-Trust Trust Model • In addition, the proposal provides a general mechanism for multi-message exchanges during token acquisition. One example use of this is a challenge-response protocol. • This is used by a web service for additional challenges to a requestor to ensure message freshness and verification of authorized use of a security token. • This model is a deterministic trust model. It proposes a recursive schema to establish trust relationships.
Background: Web Service Reputation Trust model [Max02] • Example: • A travel service might include functions to return a list of trips for a particular airline on a specified date, time, origin and destination airport. • For each service we can extract a series of attributes that apply to the service (e.g., speed at which a search produces its results, accuracy of the return results).
Background: Web Service Reputation Trust model [Max02] • This model is a non-deterministic one. • It does not specify the trust relationships between the principals that rate a service and the principal that uses the service. • Ratings are provided by people that you do not fully trust • you cannot fully trust its history.
Background: Web services Access Control Models • Several access control models have been proposed for web services [Aga04, Sir02, Fen04, Ber04, Won04] • They implement two more general access control models, role-based access control (RBAC) [San96, Fer01], and metadata-based access control (MBAC) [Pri04] which are heavily used in the Web context. • We illustrate access control models for web services by two implementation examples
Backgound: XML Firewall [Del04] • The XML Firewall’s primary goal is to enforce the organization’s access control policies by filtering messages based on the users’ identities or roles and the intended type of access, while performing XML content checking.
Backgound: XML Firewall [Del04] • This pattern implements the Reference Monitor pattern, • And the role-based access control model, which is a flexible way to implement the Authorization pattern. • In the literature, many access control models for web services use this model [Fen04], [Won04], [Sir02].
Backgound: XACML Access Control Evaluation Pattern [Del05] • XACML (eXtensible Access Control Markup Language) is a web services standard defined by OASIS. • It includes a policy and an access decision language. • One of the pattern for these languages captures how the access control is evaluated within XACML.
Backgound: XACML Access Control Evaluation Pattern [Del05] • This pattern implements the meta-data based access control pattern (MBAC), • In addition, it supports the role-based access control model. • Compared to the role-based access control model, MBAC is more generic, insofar as it can be implemented in open environments in which the users may not be registered in advance. • This latter model has been used in the literature for web services [Aga04], [Ber04].
Conceptual Framework • Here, we give a deeper analysis of the dissertation’s problem. • We refine the concept of trust, • We analyze the interface between access control model and trust model for web services.
Conceptual Framework: Trust • In the real world, trust is related to a specific context and to a corresponding risk. • For instance, an patient (the trustor) ‘trusts’ its surgeon (trustee) when he is treated by him, and the corresponding risk could be severe (death, injury). • Trust is then measured based on an evaluation of: • the risk, • the rewards, • the reputation of the trustee, • its history with the trustor, • the recommendations he holds.
Conceptual Framework: Trust • Since reputation and recommendation are also based on other trust relationships, trust can be seen as recursive. We will need to set up some initial parameters. • The context in which the trust relationship is evaluated could include many attributes: • action type to be performed by the trustee on the trustor, • the time that this action is to be realized, etc… • The model should be clear about how trust establishment is delegated. • A trust relationship is generally not transitive. • However, in reality, trust delegation should be a useful feature. We should be able to propose a non deterministic way to delegate trust.
C F: The interface between AC model and trust model • In general, access control models assume that the system trusts the user claims. • This is the case for the authorization model, RBAC and MBAC models. • In addition, they assume that only the owner of the object is responsible for the access decision. • Typically, a service has policies that control access to a user, whereas this latter has no policies for this access.
C F: The interface between AC model and trust model (Resource, action, context, effect) Credential types Trust level Assigned trust level Required trust level Trust policies Access policies
C F: The interface between AC model and trust model • An access has to be granted by the subject too. • We can apply this model in reverse. • The server presents some credentials, which allows the calculation of a trust level. If this level is greater or equal to the trust level required for the subject (in the privacy policies), then access is granted. • For an access to actually occur, access should be granted in both directions.
C F: The interface between AC model and trust model (Resource, action, context, effect) Credential types Trust level For this 4-tuple, what trust level requirement? For this credential, what trust level? • Policy composition could thus be necessary at two levels: • one 4-tuple (or one credential) that is a part of 2 different sets, belongs to what trust level?
C F: The interface between AC model and trust model Client’s Credential types (Resource, action, context, effect) Trust level Client’s side What is the result of these policies? (Resource, action, context, effect) Server’s Credential types Trust level Server’s side • The access is decided two times, by the server, and by the user. How to decide whether or not the access will actually occur?
C F: The interface between AC model and trust model • Dynamics 1) Trust negotiation Each party evaluates the other side trust level. Negotiation refers to the process of requiring and sending the right credentials. 2) Policy selection On each side, the policies corresponding to the trust level are selected, and possibly exchanged 3) Access (policy composition) Access is determined by the composition of the selected policies on both sides. Either done by a third entity, or independently by both sides, or in a coordinated manner from both sides, etc …
C F: The interface between AC model and trust model • Advantages of this model are: • like in RBAC, it facilitates the administration : trust relationships evolve independently to access policies. • It is generic enough to implement more specific models
Research Approach Create a set of use cases for Web Services, ranging from simple applications to Semantic web services. We use liberty trust models guidelines [Lib03]. Done. Investigate further existing trust models, identify their inadequacies for web services 50% done. Define the static elements of the trust model formally. Summer 2005 /Fall2005 Develop the dynamic aspects of the trust model. Fall 2005 Define the interface towards existing access control models for web services Fall 2005 /Spring 2006 Identify patterns from the model Spring 2006 Develop requirements for a language for trust policies and possibly develop the language itself Summer 2006
References [Aga04]S. Agarwal, B. Sprick, and S. Wortmann. "Credential based access control for semantic web services". In AAAI Spring Symposium – Semantic Web Services, 2004. [Ber04]E. Bertino, A. C. Squicciarini and D. Mevi, “A Fine-grained Access Control Model for Web Services”, Proceedings of the 2004 IEEE International Conference on Services Computing [Boo98]G. Booch, J. Rumbaugh, I. Jacobson “The Unified Modeling Language User Guide”, Addison-Wesley Pub Co; 1st edition (September 30, 1998). [Del04]N. Delessy-Gassant, E.B. Fernandez, S. Rajput and M. Larrondo-Petrie,”Patterns for application firewalls”, Procs. of the Pattern Languages of Programs Conference, 2004, http://hillside.net/patterns [Del05]N. Delessy and E.B. Fernandez, ”Patterns for XACML”, In preparation, [Fen04]X. Feng, L. Guoyuan, H. Hao, X. Li, "Role-based Access Control System for Web Services", in Proceedings of the Fourth International Conference on Computer and Information Technology (CIT’04) [Fer01]E. B. Fernandez and R. Pan, “A Pattern Language for security models”, Proc. of PLoP 2001, http://jerry.cs.uiuc.edu/~plop/plop2001/accepted_submissions [Fer05a]E.B.Fernandez, T. Sorgente, M. M. Larrondo-Petrie, and N. Delessy, “Web services security: Standards, industrial practice, and research issues”, submitted for publication. [Gra]Tyrone Grandison, "Trust Specification and Analysis for Internet Applications" PhD Transfer Report [IET00]IETF (Internet Engineering Security Task Force) security glossary http://www.ietf.org/rfc/rfc2828.txt
References [Lib03]Liberty Alliance Project “Liberty Trust Models Guidelines” http://www.projectliberty.org/specs/liberty-trust-models-guidelines-v1.0.pdf [Max02]E. Maximilien and M. Singh, "Conceptual Model of Web Service Reputation" ??????????ACM 02 [Pri04]T. Priebe, E. B. Fernandez, J. I. Mehlau, and G. Pernul, "A pattern system for access control ", in Research Directions in Data and Applications Security XVIII, C. Farkas and P. Samarati (Eds.), Proc. of the 18th. Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Sitges, Spain, July 25-28, 2004. [San96]R. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman., "Role-based access control models", Computer , Vol. 29 , No. 2, February 1996, 38-47. [Sen02]S. Sen and N. Sajja, "Robustness of Reputation-based Trust: Boolean Case", AAMAS’02, July 15-19, 2002, [Sir02]E. Sirer and K. Wang, "An Access Control Language for Web Services", SACMAT ’02, June 3-4, 2002, [W3C03]http://www.w3.org/2003/glossary/subglossary/xkms2-req [W3C05]http://www.w3.org/2005/02/tp-2005-ubiweb.pdf [Won04]R. Wonohoesodo and Z. Tari, “A Role based Access Control for Web Services”, Proceedings of the 2004 IEEE International Conference on Services Computing [WST05]Web Services Trust Language (WS-Trust) http://msdn.microsoft.com/library/en-us/dnglobspec/html/WS-trust.pdf