IMPERSONATION METHOD ON AUTHORIZATION SERVER USING CLIENT-INITIATED BACK-CHANNEL AUTHENTICATION PROTOCOL

There is an impersonation (login as) feature in several applications that can be used by system administrators who have special privileges. This feature can be utilized by development and maintenance teams that have administrator rights to reproduce errors or bugs, to check specific features in applications according to the specific users’ login sessions. Beside its benefits, there is a security vulnerability that allows administrators to abuse the rights. They can access users’ private data or execute some activities inside the system without account or resource owners’ consents.This research proposes an impersonation method on authorization server using Client-Initiated Back-channel Authentication (CIBA) protocol. This method prevents impersonation without account or resource owners’ consent. The application will ask users’ authentication and permission via authentication device possessed by resource owners before the administrator performs impersonation. By utilizing authentication device, the impersonation feature should be preceded by users’ consent and there is no direct interaction needed between the administrator and resource owners to prove the users’ identities. The result shows that the implementation of CIBA protocol can be used to complement the impersonation method and can also run on the authorization server that uses OAuth 2.0 and OpenID Connect 1.0 protocols. The system testing is done by adopting FAPI CIBA conformance testing

Self-Protecting Documents for Cloud Storage Security

International audienceInformation security is currently one of the most important issues in information systems. This concerns the confidentiality of information but also its integrity and availability. The problem becomes even more difficult when several companies are working together on a project and that the various documents "go out of" their respective information systems. We propose an architecture in which the documents themselves ensure their security and thus can be exchanged over uncontrolled resources such as cloud storage or even USB flash drives. For this we encapsulate within the document itself some security components (e.g. access control, usage control) to achieve an autonomic document architecture for Enterprise DRM (E-DRM). Using such self-protecting documents, a company can ensure security and privacy for its documents when outsourcing storage services (e.g. cloud)

A delegation model for extended RBAC

International audienceIn the field of access control, delegation is an important aspect that is considered part of the administration mechanism. Thus, a comprehensive access control model must provide a flexible administration model to manage delegation and revocation. Unfortunately, to our best knowledge, there is no complete model for describing all delegation requirements for role-based access control. Therefore, proposed models are often extended to support new delegation or revocation characteristics, which is a complex task to manage and requires the redefinition of these models. Moreover, since delegation is modelled separately from administration, this requires the specification of a separate security policy to deal with delegation.In this paper we describe a new delegation approach for extended role-based access control models. We show that our approach is flexible and is sufficient to deal with administration and delegation requirements in a homogeneous unified framework. Moreover, it provides means to express various delegation and revocation dimensions in a simple manner