A security framework combining access control and trust management for mobile e-commerce applications
Gregor v. Bochmann, Zhen Zhang, Carlisle Adams
School of Information Technology and Engineering (SITE)
and Jennifer Chandler, Faculty of Law
University of Ottawa
Abstract
In the context of e-commerce applications, access control must be combined with authentication and trust management. In this presentation, we consider several typical usage scenarios for mobile e-commerce users. We consider the security requirements, which include authentication, authorization, privacy, and risk management, and discuss how these requirements can be met with various access control and trust management models. We then present a secure e-commerce framework including functions for authentication, role-based access control and trust management for clients as well as service providers. The distributed trust management system allows the client to choose the service provider based on trust information, and the service provider may determine his trust in the user before determining the access rights that will be granted; we note that this may raise certain privacy law issues. An experimental implementation of this framework is then presented which is based on our previous work [1,2,4] and incorporates the "XML Security Suite" from IBM. The presentation will introduce the architecture of this security framework, highlight some of the system components and discuss implementation choices and performance issues.
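The abstract describes two trust decisions: the client picks a service provider based on its trust information, and the provider estimates its trust in the user before deciding which access rights to grant. The following is an added illustration of that flow, not code from the presentation or its experimental implementation. Everything in it is assumed for the sake of the example: trust is a number in [0, 1] that blends a party's own experience with recommendations from others, each role carries a minimum trust, and the provider grants the highest role whose threshold an authenticated user meets. The scenario data (Bob, PrintCo, QuickPrint, the recommenders) is constructed.

```python
"""Trust-gated role-based access control (added example, hypothetical model)."""
from dataclasses import dataclass, field


@dataclass
class TrustStore:
    """Trust evidence one party holds about others (constructed model).

    direct:          name -> score in [0, 1] from the party's own experience
    recommendations: name -> list of (recommender, score) from other parties
    recommender_weight: how much second-hand evidence counts versus own experience
    """
    direct: dict = field(default_factory=dict)
    recommendations: dict = field(default_factory=dict)
    recommender_weight: float = 0.5

    def trust_in(self, name: str) -> float:
        own = self.direct.get(name)
        recs = self.recommendations.get(name, [])
        if own is None and not recs:
            return 0.0                      # completely unknown party: no trust
        if not recs:
            return own                      # only first-hand evidence available
        rec_avg = sum(score for _, score in recs) / len(recs)
        if own is None:
            return self.recommender_weight * rec_avg   # second-hand only: discounted
        return (1 - self.recommender_weight) * own + self.recommender_weight * rec_avg


# Service-provider side: roles, their permissions, and the trust each role requires.
# Role names and permissions are hypothetical, chosen for the secure-printing scenario.
ROLE_PERMISSIONS = {
    "guest": {"print_public"},
    "customer": {"print_public", "print_confidential"},
    "partner": {"print_public", "print_confidential", "print_secret"},
}
ROLE_MIN_TRUST = {"guest": 0.0, "customer": 0.5, "partner": 0.8}


def assign_role(trust_score: float, authenticated: bool):
    """Highest role whose trust threshold the user meets; None if not authenticated."""
    if not authenticated:
        return None                         # trust never substitutes for authentication
    eligible = [r for r, t in ROLE_MIN_TRUST.items() if trust_score >= t]
    return max(eligible, key=ROLE_MIN_TRUST.get) if eligible else None


def authorize(provider_trust: TrustStore, user: str, authenticated: bool, permission: str) -> bool:
    """Provider decision: trust in the user -> role -> permission check."""
    role = assign_role(provider_trust.trust_in(user), authenticated)
    return role is not None and permission in ROLE_PERMISSIONS[role]


# Client side: pick the most trusted provider, but only if it clears a floor.
def choose_provider(client_trust: TrustStore, candidates, min_trust: float = 0.6):
    ranked = sorted(candidates, key=client_trust.trust_in, reverse=True)
    if not ranked or client_trust.trust_in(ranked[0]) < min_trust:
        return None                         # no candidate is trusted enough to use
    return ranked[0]


# Constructed scenario data: Bob (mobile user in a hotel) and a printing provider.
bob_trust = TrustStore(
    direct={"PrintCo": 0.9},
    recommendations={"QuickPrint": [("alice", 0.6)]},   # QuickPrint known only by hearsay
)
printco_trust = TrustStore(
    direct={"bob": 0.7},
    recommendations={"bob": [("isp", 0.7), ("hotel", 0.9)]},   # nothing known about "carol"
)


def demo() -> dict:
    """Runs the two decisions end to end and returns them for inspection."""
    provider = choose_provider(bob_trust, ["PrintCo", "QuickPrint"])
    return {
        "provider_chosen_by_bob": provider,
        "bob_role": assign_role(printco_trust.trust_in("bob"), authenticated=True),
        "bob_can_print_confidential": authorize(printco_trust, "bob", True, "print_confidential"),
        "carol_can_print_confidential": authorize(printco_trust, "carol", True, "print_confidential"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. First, `assign_role` refuses any role to an unauthenticated caller regardless of trust score, so trust only refines authorization and never replaces authentication, matching the abstract's ordering. Second, a completely unknown user gets a score of 0.0 and therefore only the lowest role; an unknown provider likewise falls below the client's floor and is not selected.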
Overview
- Usage scenarios and security requirements
- Background studies
  - Home directory for mobile users
  - Authentication for mobile users
  - A trust model
  - Combining trust and access control
- Security and trust for mobile users
- System implementation
- Conclusion
Typical Scenarios
Mobile users: in a foreign domain, using portable and ad hoc devices
I. VoIP conversation: Bob starts an audio/video conversation with Alice over the Internet while he is in a hotel.
II. Secure printing: Bob needs to print sensitive documents from a commercial site.
III. Anonymous online service: Bob requests an online service from a hotel room without disclosing his identity to the service provider.
Security requirements
- Data integrity
- Authentication
- Privacy, anonymity
- Access control, authorization
- Signatures with non-repudiation
- ... and trust ...
Background study
Authentication for mobile users. Enable support for mobile users and services: the concept of a home directory [1]
Background study
Authentication for mobile users. Proposed authentication model for mobile users: a secure authentication protocol for mobile users [2]
Background study
Transactions based on trust. Existing access control model for mobile users:
Conclusion
- ... and mobile user authentication, role-based access control and trust management for clients as well as service providers
- The general framework can be customized to fit any particular service requirement
- Performance of a simplified system implementation is still under investigation
References
1. K. El-Khatib, Zhen E. Zhang, N. Hadibi, and G. v. Bochmann, Personal and Service Mobility in Ubiquitous Computing Environments, Journal of Wireless Communications and Mobile Computing, 2004.
2. G. v. Bochmann and Zhen E. Zhang, A secure authentication infrastructure for mobile users, Advances in Security and Payment Methods for Mobile Commerce, 2004.
3. A. Seleznyov and S. Hailes, An access control model based on distributed knowledge management, 18th International Conference on Advanced Information Networking and Applications, 2004.
4. Jianqiang Shi, G. v. Bochmann and Carlisle Adams, A trust model with statistical foundation, Workshop on Formal Aspects in Security and Trust (FAST '04), 18th IFIP World Computer Congress, 2004.