Corrado Aaron Visaggio 1 - unisannio.itstaff.rcost.unisannio.it/visaggio/Bolzano10_09_07.pdf ·...

Corrado Aaron Visaggio 1 Data Privacy Enhancing Technology Corrado Aaron Visaggio Research Centre on Software Technology Università del Sannio [email protected] @ Free University of Bozen Bozen, 11.09.07


Corrado Aaron Visaggio 2

General Concepts

"The more I spend, the less I own" (Jeremy Rifkin, writer)

Traditional transactions are anonymous; electronic ones require authentication and authorization.

Identity is: sense of affiliation and sense of separation (Salvador Minuchin, therapist, 1974).

Identity, Privacy, Security

Levels of identity [Andre Durand Taxonomy]:
- Level 3: Abstract Identity. Demographical groups: without consent - bothering (spam profiles)
- Level 2: Shared Identity. Assigned by others with consent - beneficial (driving license)
- Level 1: Personal Identity. Constant attributes (name)

Corrado Aaron Visaggio 3

IMA

An Identity Management Architecture consists of:
- Process Architecture: a methodology which lets you determine how the organization deals with issues concerning identity.
- Data Architecture: a model for organizing personal/sensitive data.
- Technical Architecture: a guide document for the technicians responsible for the implementation and deployment of systems.
- Policy: it is the behavior of people that determines whether the IMA achieves its purpose or not.
- Interoperability schemas: the list of standards which the organization decides to choose and support.

Corrado Aaron Visaggio 4

Request Process

[Diagram: User, Authentication Server, Policy Enforcement Point, Policy Decision Point, Identity Database]

1. Credential + Requests
2. Authentication: Y/N
3. Access Request
4. Security policy
5. Permissions and rights of requester
6. ADA
7. Denied / Allowed

Corrado Aaron Visaggio 5

How does it happen in the physical world?

A client (requester) wants to buy spirits (action on a resource). The buyer must be 18 years old (security policy).

The client gives his driving license (credential) to the clerk (Authentication Server).

Authentication through the photograph (biometric system). Then the credential should be validated: is the license expired? Is it fake?

3-4-5: The clerk verifies the age (identity's attribute) of Mark: Mark must be older than 18 if he wants some alcohol (security policy).

6. OK, Mark can have what he has come for.

7. Mark goes to the party with his bottle of grappa.

Before stepping out, Mark tosses his credit card on the desk: the authentication process starts again.

Corrado Aaron Visaggio 6

Trust

Fukuyama shows how trust reduces the costs of transactions and the inefficiencies of an economy (“Trust: The Social Virtues and the Creation of Prosperity”, F. Fukuyama).

Trust is expected to be, but it is not:
- Transitive
- Shared
- Symmetric
- Self-assurance (“Do trust me!” is the typical invitation of a person who is deceiving me)

Reputation is a common means to ensure trust in organizations (think of eBay):
- Governance
- People
- Processes
- Tools
- Economic model

Corrado Aaron Visaggio 7

Anonymity

Pure anonymity is not feasible in the context of web transactions -> Pseudoanonymity: users are uniquely identified, but the data set which identifies them is not delivered.

The Canadian law on identity protection establishes ten principles:
1. Responsibility
2. Goals identification
3. Consent
4. Limitation to the quantity of data collected
5. Limits to use, delivery and preservation
6. Accurateness
7. Protection measures
8. Divulgation of management policy
9. Individual access
10. Management policy compliance

Corrado Aaron Visaggio 8

Lifecycle of Digital Identity

- Provisioning: creation of the identity record, population of the database.
- Propagation: forwarding the records toward the systems which will use them.
- Use: elaboration of data.
- Maintenance: change of content and structure of records.
- Deprovisioning: errors may cause inconsistency in the system.

[Diagram: Provisioning, Propagation, Use, Deprovisioning; Maintenance]

Corrado Aaron Visaggio 9

Sensitive Data

- Inherently sensitive. The value of the data item indicates its sensitiveness, e.g. the income of a person.
- Coming from a sensitive source. The source of data can require confidentiality. Data are sensitive because their delivery will disclose the origin, e.g. “John paid taxes for 50k$”.
- Declared as sensitive. The database administrator or the data owner could declare that their data are sensitive, e.g. my password.
- Sensitive because of information previously delivered. Some data items become sensitive in the presence of other data items. The knowledge of aggregated data which are non-sensitive individually could deliver protected information, e.g. “John is a manager” & “a manager earns 200K$ per year”.

Corrado Aaron Visaggio 10

Type of delivery

Not only the exact value of a sensitive data item is confidential, but also its features:

1. The probability that a data item assumes a certain value.
   Example: there is a 90% probability that John took the flight 456z.

2. The interval the value of the data item falls in.
   Example: John is sick. His illness belongs to the set of the infective ones.

3. The fact that the data item assumes a certain value or not.
   Example: John booked a room in the Luxury Hotel.

Corrado Aaron Visaggio 11

P3P

Platform for Privacy Preferences (P3P) is a technology for data privacy management developed by the World Wide Web Consortium (W3C).

P3P allows a web site to define its privacy policy in a standard format, which can be interpreted by a user agent.

A P3P policy contains information about: the publishing entity, the data collected by the site, where they will be stored and for how long.

E.g. the user could establish that personal details cannot be used for commercial purposes.

(-) There is no guarantee that data will be used according to the privacy policy defined.

Corrado Aaron Visaggio 12

Example

<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1" xml:lang="en">
  <POLICY name="logs-only"
          discuri="http://www.example.com/privacy/policy.html">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Example Corp.</DATA>
        <DATA ref="#business.contact-info.online.email">[email protected]</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <!-- if the site has a dispute resolution procedure that it follows,
         a DISPUTES-GROUP should be included here -->
    <STATEMENT>
      <PURPOSE><current/><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>

Corrado Aaron Visaggio 13

Data privacy

Too many data are exchanged thanks to the net.

Who can assure that data are used according to the purposes they have been delivered for?

Who can assure that data reveal only the information permitted?

Corrado Aaron Visaggio 14

Hippocratic Databases…

They are inspired by Hippocrates of Kos, who invented the Hippocratic oath. Those principles are applied to privacy management:

- Specify the purposes. The database should capture the purposes for which the information has been collected.
- Consent. The purposes should be associated with the consent of the data owner.
- Limited collection. Personal information should be collected in the minimum amount needed for the purposes.
- Limited use. The database should execute only the queries which are compliant with the purpose.
- Limited disclosure. Personal information should never be delivered for purposes different from the ones expressed by the owner.
- Limited preservation. Personal information should be preserved only for the time necessary to achieve the specified goals.
- Exactness. Personal information should be exact and up to date.
- Security. Personal information should be protected against theft.
- Openness. A donor should be able to have access to all the information stored within the database.
- Compliance. A donor should be able to assess the compliance of the database against these principles.

Corrado Aaron Visaggio 15

… Hippocratic Databases

Hippocratic databases are purpose-driven, so their design is based on the realization of privacy protection. The Hippocratic Databases paper proposes a strawman architecture.

(-) The approach is suitable for trusted environments, as a malicious user could cheat the Privacy Control.

Corrado Aaron Visaggio 16

Anonymization…

The main goal of these techniques is to decouple sensitive data from the person they belong to. That’s not enough.

A recent study demonstrated that 87% of USA citizens can be identified by using attributes that are apparently non-sensitive, such as nationality, zip code, and birth date.

Data which can uniquely identify a person are called quasi-identifiers.

The k-anonymity algorithm presented by Samarati and Sweeney is aimed at solving this problem.

A table satisfies k-anonymity if each record cannot be distinguished from k-1 other records by means of the quasi-identifiers.

Corrado Aaron Visaggio 17

… Anonymization

The technique of k-anonymity relies on the concepts of generalization and suppression.

Within a relational database, there is a domain associated with each attribute of a relation. Given a domain, a more general one can be built.

The domain of zip codes can be generalized by suppressing the less significant digits.

Perturbation of data entails a loss of information and data quality, which grows as the degree of generalization increases.

Corrado Aaron Visaggio 18

Corrado Aaron Visaggio 19

Generalization

Before generalization:

Education   Sex  Age  Class  # of Recs.
9th         F    30   0G3B   3
10th        M    32   0G4B   4
11th        F    35   2G3B   5
12th        F    37   3G1B   4
Bachelors   F    42   4G2B   6
Bachelors   F    44   4G0B   4
Masters     M    44   4G0B   4
Masters     F    44   3G0B   3
Doctorate   F    44   1G0B   1

After generalization (Masters and Doctorate become Grad School):

Education    Sex  Age  Class  # of Recs.
9th          F    30   0G3B   3
10th         M    32   0G4B   4
11th         F    35   2G3B   5
12th         F    37   3G1B   4
Bachelors    F    42   4G2B   6
Bachelors    F    44   4G0B   4
Grad School  M    44   4G0B   4
Grad School  F    44   4G0B   4

Corrado Aaron Visaggio 20

Vulnerability

Homogeneity attack

Voters List:

Name   Surname  ZIP    Nationality  Age
Mario  Rossi    13026  Italian      34

Diagnosis table
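The ZIP generalization and the k-anonymity test from the Anonymization slides, together with a check for the homogeneity weakness named above, as an added example that is not part of the original slides. All records, the age bucketing and the function names are constructed for illustration.

```python
from collections import defaultdict

QI = ("zip", "age", "nationality")          # quasi-identifiers
# Constructed sample records; "diagnosis" is the sensitive attribute.
RECORDS = [
    {"zip": "13026", "age": 34, "nationality": "Italian", "diagnosis": "flu"},
    {"zip": "13021", "age": 36, "nationality": "Italian", "diagnosis": "flu"},
    {"zip": "13068", "age": 31, "nationality": "Italian", "diagnosis": "asthma"},
    {"zip": "13053", "age": 38, "nationality": "Italian", "diagnosis": "diabetes"},
    {"zip": "14850", "age": 52, "nationality": "Italian", "diagnosis": "hepatitis"},
    {"zip": "14853", "age": 57, "nationality": "Italian", "diagnosis": "hepatitis"},
]


def generalize_zip(zip_code, level):
    """Suppress the `level` least significant digits of a ZIP code."""
    level = max(0, min(level, len(zip_code)))
    return zip_code[:len(zip_code) - level] + "*" * level


def generalize_age(age, width):
    """Replace an exact age with a bucket of `width` years."""
    if width <= 1:
        return str(age)
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def anonymize(records, zip_level, age_width):
    """Return a generalized copy of the table; the input is left untouched."""
    released = []
    for record in records:
        row = dict(record)
        row["zip"] = generalize_zip(record["zip"], zip_level)
        row["age"] = generalize_age(record["age"], age_width)
        released.append(row)
    return released


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for record in records:
        classes[tuple(record[a] for a in QI)].append(record)
    return dict(classes)


def is_k_anonymous(records, k):
    """True if every record is indistinguishable from at least k-1 others."""
    return all(len(g) >= k for g in equivalence_classes(records).values())


def smallest_zip_level(records, k, age_width):
    """Least ZIP generalization reaching k-anonymity, or None if none does."""
    for level in range(len(records[0]["zip"]) + 1):
        if is_k_anonymous(anonymize(records, level, age_width), k):
            return level
    return None


def homogeneous_classes(records, sensitive="diagnosis"):
    """Classes whose members all share one sensitive value: k-anonymous or
    not, membership in such a class discloses the sensitive attribute."""
    return sorted(key for key, group in equivalence_classes(records).items()
                  if len({r[sensitive] for r in group}) == 1)


if __name__ == "__main__":
    level = smallest_zip_level(RECORDS, 2, 10)
    released = anonymize(RECORDS, level, 10)
    print("ZIP digits suppressed for 2-anonymity:", level)
    print("homogeneous classes:", homogeneous_classes(released))
```

The released table is 2-anonymous, yet one class still carries a single diagnosis, which is why a release check should look at the sensitive values inside each class and not only at class sizes.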

Corrado Aaron Visaggio 21

Fine Grained Access Control

FGAC constructs are designed to be integrated with the architecture of a relational DBMS. They have the following features:
- The problem should be solved without any impact on the application.
- All users should be included, independently of the kind of access.
- The complexity and the need for maintenance of FGAC policies must be minimized.
- Every grain of access to the database should be allowed.

FGAC are implemented by views, with specific constraints.

Corrado Aaron Visaggio 22

Conclusions

Data privacy is an emerging topic and it is stimulating new challenges for software engineers (practitioners & researchers):

1. Pervasiveness: software is becoming pervasive in many contexts; data privacy awareness is required in processes, systems, machines.
2. Different grains: data cannot be handled only at a coarse grain, as they are exchanged between different smart devices.
3. Data quality: too much security can deteriorate data quality, which should be kept at acceptable levels.

Corrado Aaron Visaggio 23

Bibliography…

P.J. Windley, Digital Identity, O'Reilly Media, Inc., 1st edition, 2005.

C.P. Pfleeger and S.L. Pfleeger, Security in Computing, Prentice Hall, fourth edition, 2007.

L. Sweeney, “k-anonymity: a model for protecting privacy”, International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5): 557-570, 2002.

R. Agrawal, J. Kiernan, R. Srikant, Y. Xu, “Hippocratic Databases”, IBM Almaden Research Center, U.S.A., 2002.

L. Cranor, M. Langheinrich, M. Marchiori, M. Presler-Marshall, J. Reagle, “The Platform for Privacy Preferences 1.0 (P3P1.0) Specification”, W3C Recommendation, April 2002.

R.J. Bayardo and R. Srikant, “Technology Solutions for Protecting Privacy”, Computer, September 2003, IEEE CS, pp. 115-119.

Corrado Aaron Visaggio 24

…Bibliography

K. Wang, P.S. Yu, and S. Chakraborty, “Bottom-up Generalization: A Data Mining Solution to Privacy Protection”, Proc. of the Fourth IEEE Int’l Conference on Data Mining (ICDM’04), Brighton, UK, 2004, IEEE CS, pp. 249-256.

S. Sackmann, J. Strüker, and R. Accorsi, “Personalization in Privacy-Aware Highly Dynamic Systems”, Communications of the ACM, Vol. 49 No. 9, Sept 2006, pp. 33-38.

M. Langheinrich, “Personal Privacy in Ubiquitous Computing: Tools and System Support”, PhD Dissertation, ETH Zurich, Switzerland, May 2005.

Privacy-enhancing Technologies, White Paper for Decision-makers, Ministry of the Interior and Kingdom Relations, the Netherlands, December 2004.

Corrado Aaron Visaggio 25

Message Digest

A fixed-length sequence of bits which is generated by a transformation of a variable-length message, with the following features:

- Irreversibility: the original message cannot be obtained by an inverse transformation.
- Non-selectability: finding a message which is able to generate a given digest must be impossible.
- Uniqueness: two different messages should not generate the same digest.

Corrado Aaron Visaggio 26

Digital Signatures

[Diagram: sender: Message -> Hash -> Digest -> Encrypt -> Signature -> Transmit; receiver: Message -> Hash -> Digest, and Signature -> Decrypt -> Digest; the two digests are compared]

Corrado Aaron Visaggio 27

Digital Certificate

Problems:
1. You lose control of your private key (AA problem).
2. Someone convinces me that his public key is your public key (digital certificate & PKI).

The entity the identification data refer to will be called the subject of the certificate.
1. The certificate is populated with information.
2. The certificate is signed by who delivers it.
3. The digest is created by encrypting the certificate with its own private key.

A digital certificate consists of two parts:
- Data
- Digital signature

Who assures the relation between the public key and the data content.

It is encoded with the Distinguished Encoding Rules, as an octet sequence in Base64.

Corrado Aaron Visaggio 28

Three fundamental concepts

Integrity. A message or transaction is not modifiable.
- Message Digest
- Digital Signature

Non repudiation. Undeniable evidence that the message was sent or received.
- Digital Signature
- Digital Certificate

Confidentiality. Only authorized people or processes can read the content of a message.
- Cryptography. To make the cost of information discovery higher than the value of the information.
- Steganography. Hide a message in another, more visible message:
  - in a text
  - in an image
  - in a binary file

Corrado Aaron Visaggio 29

Certificate Authorities

Anyone can issue certificates, by using tools like OpenSSL. Certificate Authorities are trusted. They provide the following services:

- Acceptance of certification requests
- Requester authentication
- Certificate generation
- Certificate distribution
- Certificate revocation
- Database management

The policies are publicly available in a document named Certification Practice Statement.

Corrado Aaron Visaggio 30

Revocation List

An X.509 certificate has an expiration date. Something can nevertheless make the certificate invalid before that date; in this case the certificate is revoked.

The CA then adds the certificate to the Certificate Revocation List (CRL) and signs the list, in order to guarantee its authenticity.

CRLs are usually distributed frequently. A CRL can be checked in three ways:
1. Polling: the software that uses a certificate can request the most recent CRL from the CA. Frequent polling can cause resource overhead (-).
2. The software can receive all the CRLs. An attacker could prevent the CRL from being sent (-).
3. The CA provides a service which delivers specific information about a certain certificate. Higher management costs for the CA (-).

The revocation mechanism is a serious weak point for software systems, as CAs make it difficult to access the CRL.

Corrado Aaron Visaggio 31

Public Key Infrastructure

In order to spread certificates, there should be an infrastructure which provides policies, rules, interoperability and standards: the PKI.

Two requirements: security and scalability.

Instead of verifying the certification path, the browser (IE and Netscape) usually checks the list of trusted CAs. This is a clear limit to the potential of the certification mechanism.

[Diagram: certification hierarchy: CA1; CA2, CA3; DC1, DC2, DC3, DC4, DC5, DC6]

Corrado Aaron Visaggio 32

Authentication

We usually do two things in order to authenticate someone:
1. Verify the credentials contained within a document.
2. Decide if the authority that delivered that document can be trusted or not.

A credential can be created by using four kinds of authentication factors:
- Something you know
- Something you have
- Something characterizing you
- A combination of the three

A cookie is an identification of a transaction between two programs. Cookies were invented in order to recognize the same user among different sessions.

A cookie is a weak authentication factor:
- I can modify a cookie [no guarantee on the integrity]
- I can use the cookie of another person [no guarantee on the identity]

Corrado Aaron Visaggio 33

ID-Password

Two factors: something owned (ID) and something known (password). Limitations:
- Human memory (7+/-1): passwords are easy to guess and usually they are short (social engineering + brute force attack).
- Passwords are left within files which are easy to obtain (have you never come across Google hacking?).
- Passwords should be frequently changed.

More than 25% of help desk calls concern password handling.

Usually users are recognized by a question or e-mail.

Corrado Aaron Visaggio 34

Challenge-Response

The server generates a challenge, which is a string, and the user replies with a response, which is usually another string. Sometimes a secret key is used.

The secret key could be a number, a string or a picture.

The advantage: the algorithm for elaborating the response can be as complicated as you like.

The disadvantage: such an algorithm must be stored in a (hw/sw) system.

A token could be used in order to generate pseudo-random numbers (the server's and the client's clocks should be synchronized).

ID = token, password = challenge/response.
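One way to realise the challenge/response exchange and the clock-synchronised token described above, as an added example that is not part of the original slides. The choice of HMAC-SHA256 for the response, the RFC 6238 style code computation for the token, and all class, function and parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time


def respond(secret, challenge):
    """Client side: the response is a keyed digest of the server's challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Issues single-use, short-lived challenges and checks the responses."""

    def __init__(self, shared_secrets, ttl=30):
        self._secrets = shared_secrets      # user id -> secret key (bytes)
        self._pending = {}                  # user id -> (challenge, expiry)
        self._ttl = ttl

    def issue_challenge(self, user, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(16)  # unpredictable, never reused
        self._pending[user] = (challenge, now + self._ttl)
        return challenge

    def verify(self, user, response, now=None):
        now = time.time() if now is None else now
        # pop() makes the challenge single-use, so a replayed response fails
        challenge, expiry = self._pending.pop(user, (None, 0.0))
        secret = self._secrets.get(user)
        if challenge is None or secret is None or now > expiry:
            return False
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(respond(secret, challenge), response)


def token_code(secret, now, step=30, digits=6):
    """Code shown by a hardware/software token: derived from the secret and
    the current time window, so both clocks must agree on the window."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_token(secret, code, now, step=30, drift_steps=1):
    """Accept the code of the current window and of `drift_steps` windows on
    either side, to tolerate a small clock skew between client and server."""
    return any(
        hmac.compare_digest(
            token_code(secret, now + d * step, step, len(code)), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed demo secret
    server = ChallengeResponseServer({"alice": key})
    challenge = server.issue_challenge("alice")
    answer = respond(key, challenge)
    print("first use :", server.verify("alice", answer))
    print("replay    :", server.verify("alice", answer))
    print("token code:", token_code(key, time.time()))
```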

Corrado Aaron Visaggio 35

Digital Certificates

The secret algorithm is the signature algorithm.
1. The server generates a random string.
2. The user signs the string and sends it to the server.
3. The server verifies the signature.

Two advantages: cryptography, and the possibility to add more than one certificate to the same account, by using the attributes of the certificate.

Problems:
- People do not understand them easily.
- Their management is costly.
- The certificate can be stolen.

Corrado Aaron Visaggio 36

Others

Biometric devices:
(+) they are intrinsically associated with a person
(-) the biometric characteristic could be duplicated or faked.

Smartcard:
Their memory could be used to store a digital certificate or algorithms for implementing challenge/response systems.
(-) costs for the smartcard driver (initial and maintenance)
(-) mechanisms for tampering with or stealing data contained in the memory already exist.

Corrado Aaron Visaggio 37

Properties for the authentication Systems

- Handiness. Easy to use & not invasive.
- Security Level. Continuous assessment of the security level.
- Geographical Transparency. Resources are located in different places.
- Independent from the protocol. Compliance between applications, platforms and infrastructure is very hard.
- Privacy Level.
- Reliability.
- Verifiability. Actions of users must be traceable.
- Easy to Manage. A complex management can affect the overall quality of security.
- Federability. Different resources must be accessed by different organizations.

Corrado Aaron Visaggio 38

Access Control

Responsibilities on resources:
- Owners: who created the resource. Ownership can be assigned and delegated. They are responsible for the entire lifecycle of the resource.
- Guardians: who manage the resources daily. They are responsible for the correct implementation of the data access policies.
- Users: they could become temporary guardians of a resource for the time they use it.

[Diagram: Business objectives and Security Reqs; Policies; AC]

Corrado Aaron Visaggio 39

Principles

The principle of least privilege: a user should not have a set of privileges greater than the one strictly needed to accomplish the assigned task.

(-) too fine a grain: a privilege for each action
(-) kind and level of authorization may change over time
(-) many privilege levels for different jobs.

Responsibility scales up better than imposition. Privileges are granted relying on reputation. If you do not make mistakes in the use of resources, your set of privileges will grow; otherwise it will be reduced. Such schemes are economical, but they are not free from risks.

Corrado Aaron Visaggio 40

Authorization Schemas…

Mandatory (MAC) versus Discretionary Access Control (DAC). Two fundamental findings:
1. A discretionary access control system leads to granting control to unauthorized persons.
2. When using a MAC you cannot prevent authorized people from sharing information with unauthorized people (the principle of the impermeability of information).

Unix-like systems:
- Three permissions: r-w-x, referred to resources.
- Three roles: owner, owner group, and everyone.

(-) If more groups are owners of the same file, a super group must be created.
(-) The creation of groups takes too long and requires superuser privileges.
(-) Few utilities for group management exist.
(-) Groups and users refer to different levels.

Corrado Aaron Visaggio 41

…Authorization Schemas

The Access Control List (ACL) adds flexibility to the previous mechanism. Within the filesystem, ACLs are attributes of files. An ACL is a list of users and groups with the corresponding privileges.

(-) management of privileges is harder
(-) many redundancies

Role Based Access Control (RBAC) associates privileges with roles within the organization.

(+) it is more secure
(+) it is easy to add or remove a privilege
(-) it is constrained by the modeling of roles in the organization

Corrado Aaron Visaggio 42

DRM

A digital escape is the loss, fortuitous or intentional, of sensitive data in digital format.

PricewaterhouseCoopers found that the biggest companies undergo digital escape about 2,45 times a year for a cost of 500 K$ per escape.

The technology of Digital Rights Management (DRM) arose for this reason: the producers of digital goods want to freely distribute their products, but they do not want to allow their products to be copied.

A DRM technology should guarantee:
- Persistent security
- Management of different rights (display, print, modify, screenshot)
- Tracing of operations on the digital product
- Integration with content management systems

Such system does not exist (yet)!

Corrado Aaron Visaggio 43

Architecture of DRM

[Diagram: DRM architecture with Content Server, License Server and Client. Labelled elements: Content Database, Product Information, DRM Packager, Rights, Keys, DRM License Generator, DRM Controller, Data, Credentials, Crypted Content Package (Content, Metadata), Identity System, Finance Transaction. Steps numbered 1 to 9.]

Corrado Aaron Visaggio 44

DRM Vulnerabilities

The major weakness of DRM is the number of vulnerabilities.
1. Once the audio file is stored on a CD, it can be copied in MP3 format, since the protection cannot be transferred to the CD.
2. It is possible to play protected files by using published exploits.
3. The unprotected channel towards the loudspeaker can be redirected towards a tape (or other) recorder.

All the components of the architecture need appropriate protection.

Corrado Aaron Visaggio 45

XrML

DRM is managed with mechanisms similar to the ones used for the authorization schemas.

The only difference is in the grain: visualize but not copy, use allowed for a certain time.

Most DRM technologies use proprietary languages. XrML (www.XrML.org) is an XML-based language which is becoming a de facto standard.

The basic structure of a license contains the following:
- A set of grants that convey to certain principals certain rights to certain resources under certain conditions
- An identification of the principal or principals who issued the license and thus bestow the grants upon their recipients
- Additional information such as a description of the license and validity date

A grant consists of the following:
- The principal to whom the grant is issued
- The right that the grant conveys to the specified principal
- The resource against which the specified principal can exercise or carry out this right
- The condition that must be met before the right can be exercised

Corrado Aaron Visaggio 46

Example

<license>
  <grant>
    <keyHolder>
      <info>
        <dsig:KeyValue>
          <dsig:RSAKeyValue>
            <dsig:Modulus>Fa7wo6NYfmvGqy4ACSWcNmuQfbejSZx7aCibIgkYswUeTCrmS0h27GJrA15SS7TYZzSfaS0xR9lZdUEF0ThO4w==</dsig:Modulus>
            <dsig:Exponent>AQABAA==</dsig:Exponent>
          </dsig:RSAKeyValue>
        </dsig:KeyValue>
      </info>
    </keyHolder>
    <possessProperty />
    <sx:commonName>Alice Richardson</sx:commonName>
  </grant>
</license>

Corrado Aaron Visaggio 47

Standard

Let’s analyze the coverage of the digital identity lifecycle by the standards.

All these standards are based on XML.

[Diagram: the lifecycle phases Provisioning, Propagation, Use, Deprovisioning and Maintenance, annotated with the standards SPML, SAML and XACML]

Corrado Aaron Visaggio 48

Integrity and not repudiation

XML Signature defines how to use an XML syntax for assuring the integrity of an XML document or a part of it. It describes how a digital signature can be used within an XML document.

A digital signature is contained in an element <Signature/> which consists of:
- <SignedInfo/> contains: a reference to the signed data, the method used for the signature, data on the digest and other transformations.
- <SignatureValue/> contains the signature itself.
- <KeyInfo/> contains data on the key for verifying the validity of the signature.

It is also possible to sign different parts of a document, and by different roles.

<CanonicalizationMethod/> helps to fix a reference syntax for the XML file in order to make the signature process meaningful.

Corrado Aaron Visaggio 49

Example

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo Id="fizz">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.fizzco.com/news/2003/07/27.xml">
      <!-- the digest is computed with a hash algorithm, not a signature algorithm -->
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>fghff89465hhjk789</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>ghtr….ax56</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>CN=John Johnny,o=The Something, INC, ST=utah, C=US</X509SubjectName>
      <X509Certificate>MIID5J…Vn</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

Corrado Aaron Visaggio 50

Further details on XML signatures

XML documents also need to be encrypted:
- SOAP allows encrypting the entire message or part of it, but headers are left in clear.
- When we encrypt the channel, by SSL for instance, all the intermediate computers will have a look at the message in clear.

XML Encryption was devised in order to encrypt the entire message or part of it. Each piece of data to be encrypted is enclosed in an element <EncryptedData/>, consisting of two parts:

- <EncryptionMethod/>, which contains the information <KeyInfo/> and is optional.
- <CipherData/>, which contains an element <CipherValue/> with the ciphered data and the element <CipherReference/> with a reference.

Corrado Aaron Visaggio 51

Example

<PaymentInfo>
  <CardName> John Smith </CardName>
  <BillingAddress>..</BillingAddress>
  <!-- Credit card number and expiration date -->
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                 xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>sh748jfg....</CipherValue>
    </CipherData>
  </EncryptedData>
</PaymentInfo>

Corrado Aaron Visaggio 52

A&A assertion

Automatic systems for identity management should have a method available for creating and distributing identity assertions.

The Kerberos system is an example of that.

The standard Security Assertion Markup Language (SAML) is:
- A way of representing security credentials
- A protocol to transmit security credentials
  1. A client sends to a SAML authority a request about a subject
  2. The subject could be identified by the e-mail address

The SAML responses are called Assertions. Three kinds of SAML assertions:
- Authentication
- Attributes
- Authorizations


Corrado Aaron Visaggio 54

Features

All the assertions contain:
- ID of who is delivering it and a time stamp
- ID which identifies the assertion itself
- Subject the assertion refers to
- Advice of the authority
- Conditions of validity for the assertion
- Constraints for the access to the assertion
- Constraints for the access to the resources referenced by the assertion
- Other conditions

Corrado Aaron Visaggio 55

Example of a SAML assertion

<samlp:Response MajorVersion="1" MinorVersion="2"
                RequestId="124.14.234.20.90999999"
                InResponseTo="123.45.678.90.11699979"
                StatusCode="Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
                  AssertionId="123.45.678.90.12345678"
                  Issuer="Example Company, INC"
                  IssueInstant="2003-01-14T10:00:01Z">
    <saml:Conditions NotBefore="2003-01-14T10:00:30Z"
                     NotAfter="2003-01-14T10:23:60Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="Password"
                                  AuthenticationInstant="2003-01-14T10:00:21Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="A.com" Name="cn-Alice"/>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>

Corrado Aaron Visaggio 56

Service Provisioning markup Language

The SPML standard is an XML language for the exchange of identity provisioning requests and responses. Three roles are involved:

- Requesting authority, RA: requests the provisioning.
- Provisioning service provider, PSP: a software service which replies to the SPML requests made by an RA.
- Provisioning service target, PST: the entity which carries out the provisioning. PST and PSP can coincide but, unlike the PST, the PSP must be able to understand SPML.

Between RA and PSP a trust relationship should exist. Such a relationship must be expressed with SAML.


Corrado Aaron Visaggio 58

Example of SPML

Process of registration of a new account for an e-commerce site:
- The RA sends an SPML registration request to the PSP (the provisioning server).
- The provisioning server creates the record in the access database. The server translates the request into SQL.
- The provisioning server creates a directory in the filesystem with JNDI, in order to contain the proper files.
- The authentication server creates the account.
- The provisioning server, wearing the hat of an RA, sends a new SPML request to the PSP of the credit card's bank in order to create a new account.

[Diagram: E-Commerce Registration; E-Commerce Provisioning Server; DB Account, FileSystem, Web Server; Credit Card Company; CC PST 1, CC PST 2]

Corrado Aaron Visaggio 59

Extensible Access Control Markup Language

XACML is one of the standards developed for describing the policy for the control of access to resources. XACML provides methods for using information delivered with SAML.

XACML is a programming language, which handles:
- Attributes of the user
- Possible actions
- Temporal periods
- Authentication mechanism
- Access protocol

It is possible to apply different policies to the same resource.


Corrado Aaron Visaggio 61

Example: login on a server

<Request>
  <Subject/>
  <Resource>
    <Attribute AttributeId="urn:oasis:….:resource-id">
      <AttributeValue>MyServer</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="ServerAction">
      <AttributeValue>login</AttributeValue>
    </Attribute>
  </Action>
</Request>

Corrado Aaron Visaggio 62

The policy: target+ rules

<Policy PolicyId="SamplePolicy"
        RuleCombiningAlgId="urn:…:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects></Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:…:xacml:1.0:function:string-equal">
          <AttributeValue>MyServer</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:…:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions></Actions>
  </Target>

Corrado Aaron Visaggio 63

The rule: require login and check it is done in the period 9.00-15.00

  <Rule RuleId="LoginRule" Effect="Permit">
    <Target>
      <Subjects></Subjects>
      <Resources></Resources>
      <Actions>
        <Action>
          <!-- string-equal is an exact comparison: the value must match the request's "login" -->
          <ActionMatch MatchId="urn:…:xacml:1.0:function:string-equal">
            <AttributeValue>login</AttributeValue>
            <ActionAttributeDesignator AttributeId="ServerAction"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>

Corrado Aaron Visaggio 64

The Condition

    <Condition FunctionId="urn:…:xacml:1.0:function:and">
      <Apply FunctionId="urn:…:xacml:1.0:function:time-greater-than-or-equal">
        <Apply FunctionId="urn:…:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
              AttributeId="urn:…:xacml:1.0:environment:current-time"/>
        </Apply>
        <AttributeValue>09:00:00</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:…:xacml:1.0:function:time-less-than-or-equal">
        <Apply FunctionId="urn:…:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
              AttributeId="urn:…:xacml:1.0:environment:current-time"/>
        </Apply>
        <AttributeValue>15:00:00</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>

Corrado Aaron Visaggio 65

The Response

<Response>
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:…:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
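How a policy decision point could evaluate the login request against the policy, rule and condition of the preceding slides, as an added example that is not part of the original slides. The evaluator, its function names and the flat request dictionary are assumptions; it supports only the functions this policy uses, and the URNs are abbreviated as on the slides.

```python
import xml.etree.ElementTree as ET
from datetime import time

# The policy from the slides, reassembled. Identifiers stay abbreviated
# ("urn:...:"); the evaluator only reads the last segment of each one.
POLICY_XML = """
<Policy PolicyId="SamplePolicy"
        RuleCombiningAlgId="urn:...:rule-combining-algorithm:first-applicable">
 <Target><Resources><Resource>
  <ResourceMatch MatchId="urn:...:function:string-equal">
   <AttributeValue>MyServer</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:...:resource:resource-id"/>
  </ResourceMatch>
 </Resource></Resources></Target>
 <Rule RuleId="LoginRule" Effect="Permit">
  <Target><Actions><Action>
   <ActionMatch MatchId="urn:...:function:string-equal">
    <AttributeValue>login</AttributeValue>
    <ActionAttributeDesignator AttributeId="ServerAction"/>
   </ActionMatch>
  </Action></Actions></Target>
  <Condition FunctionId="urn:...:function:and">
   <Apply FunctionId="urn:...:function:time-greater-than-or-equal">
    <Apply FunctionId="urn:...:function:time-one-and-only">
     <EnvironmentAttributeDesignator AttributeId="urn:...:environment:current-time"/>
    </Apply>
    <AttributeValue>09:00:00</AttributeValue>
   </Apply>
   <Apply FunctionId="urn:...:function:time-less-than-or-equal">
    <Apply FunctionId="urn:...:function:time-one-and-only">
     <EnvironmentAttributeDesignator AttributeId="urn:...:environment:current-time"/>
    </Apply>
    <AttributeValue>15:00:00</AttributeValue>
   </Apply>
  </Condition>
 </Rule>
</Policy>
"""


def short(identifier):
    """Last segment of an identifier, e.g. 'string-equal'."""
    return identifier.rsplit(":", 1)[-1]


def target_matches(target, request):
    """Every *Match element must hold; an empty or absent target matches all."""
    if target is None:
        return True
    for match in target.iter():
        if not match.tag.endswith("Match"):
            continue
        if short(match.get("MatchId")) != "string-equal":
            raise ValueError("unsupported match function")
        wanted = match.findtext("AttributeValue").strip()
        designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
        # exact, case-sensitive comparison; a missing attribute never matches
        if request.get(short(designator.get("AttributeId"))) != wanted:
            return False
    return True


def evaluate(node, request):
    """Evaluate a Condition/Apply tree against the request attributes."""
    if node.tag == "AttributeValue":
        return node.text.strip()
    if node.tag.endswith("AttributeDesignator"):
        return [request[short(node.get("AttributeId"))]]   # a bag of values
    function = short(node.get("FunctionId"))
    args = [evaluate(child, request) for child in node]
    if function == "and":
        return all(args)
    if function == "time-one-and-only":
        (bag,) = args
        if len(bag) != 1:
            raise ValueError("expected exactly one time value")
        return bag[0]
    if function in ("time-greater-than-or-equal", "time-less-than-or-equal"):
        left, right = (time.fromisoformat(a) for a in args)
        return left >= right if function.startswith("time-greater") else left <= right
    raise ValueError(f"unsupported function {function}")


def decide(policy_xml, request):
    """First-applicable combining: the first rule that applies decides."""
    policy = ET.fromstring(policy_xml.strip())
    if not target_matches(policy.find("Target"), request):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        try:
            if not target_matches(rule.find("Target"), request):
                continue
            condition = rule.find("Condition")
            if condition is None or evaluate(condition, request):
                return rule.get("Effect")
        except (KeyError, ValueError):
            return "Indeterminate"      # missing or malformed attribute
    return "NotApplicable"


def enforce(decision):
    """Policy enforcement point: anything other than Permit is denied."""
    return decision == "Permit"
```

Only the 10:30 login to MyServer is permitted; a request outside 09:00-15:00, for another resource, or with a differently cased action yields NotApplicable, and a request without a current time yields Indeterminate, both of which the enforcement point treats as a denial.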