Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis

In this paper, we demonstrate how the staged roll out of Trusted Computing technology, beginning with ubiquitous client-side Trusted Platform Modules (TPMs), can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. This approach can be seen as an alternative to the proposed mass deployment of unconnected card readers in the provision of CNP transaction authorisation. Using TPM functionality (and the new PC architecture that will evolve around it) we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D Secure and server-side SET. We highlight how the use of TPM functionality, as is currently being deployed in the marketplace, is not a panacea for solving all the problems associated with CNP transactions. In this instance, a more holistic approach requiring additional Trusted Computing components incorporating Operating System, processor and chipset support is required to combat the threat of malware

Autorização de serviços com garantias de QoS baseada em perfis de usuário

Dissertação (mestrado) - Universidade Federal de Santa Catarina, Centro Tecnológico. Programa de Pós-Graduação em Ciência da Computação.Vários trabalhos recentes propõem soluções de QoS permitindo que os usuários especifiquem explicitamente a qualidade de serviço requisitada durante a chamada invocação explícita de serviço com QoS. Esta flexibilidade requer uma negociação dinâmica de QoS, incluindo novos mecanismos para autenticação, autorização e contabilidade (AAA). Em especial, uma organização deveria ser capaz de controlar o uso dos serviços de rede, de modo a atender aos seus objetivos de negócios, autorizando somente serviços de rede com QoS baseados em regras de destino de serviços, de aplicações e de usuários. Esta dissertação trata do modelo do conjunto de dados e conhecimentos para suportar o processo de concessão de autorização para requisições de acesso a serviços com requisitos de QoS, e propõe um modelo de perfil de usuário para autorização de serviços com QoS, baseado em uma descrição semântica do SLA contratado com a operadora, utilizando uma ontologia para a definição de conceitos empregados. Nesta proposta, os usuários podem ser classificados de acordo com as necessidades das funções que exercem em perfis específicos. Cada perfil de usuário indica os serviços que onusuário está autorizado a requisitar, seus limites de consumo e escopo. Políticas de autorização baseadas em perfil de usuário podem ser definidas e executadas durante a invocação de serviços com QoS explícita. Recent works propose QoS solutions allowing the users to explicitly specify the quality level they are requesting, during a so-called explicit QoS service invocation. This flexibility requires dynamic QoS service negociation including new mechanisms for authentication, authorization and accounting (AAA). In particular, an organization should be able to control their network services usage so as to support their main business objectives, by bauthorizing only network QoS services based on service destinations, applications and users to support the authoriza ion concession of explicit QoS services requests and proposes a user profile model for QoS service authorization, based on a semantic description of the SLA signed with the NSP, using an ontology for the definition of applied concepts. In this proposal, the users may be classified according to their job activities into specific profiles. Each user profile indicates the services that the user is authorized to request, their consumption limits and scope. User profile-based authorization polices may be defined and executed during explicit QoS service invocations

Uma arquitetura de controle de acesso dinâmico baseado em risco para computação em nuvem

Dissertação (mestrado) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação, Florianópolis, 2013Computação em nuvem é um modelo para computação distribuída que ainda enfrenta problemas. Novas ideias surgem para aproveitar ainda mais suas características e entre os desafios de pesquisa encontrados na computação em nuvem destaca-se a gerência de identidades e controle de acesso. Os principais problemas da aplicação de controle de acesso em computação em nuvem são a necessária flexibilidade e escalabilidade para suportar um grande número de usuários e recursos em um ambiente dinâmico e heterogêneo, com as necessidades de colaboração e compartilhamento de recursos e informações. Esse trabalho de pesquisa propõe o uso de controle de acesso dinâmico baseado em risco para computação em nuvem. A proposta é apresentada na forma de um modelo para controle de acesso, baseado em uma extensão do padrão XACML com três novos componentes principais: o Risk Engine, os Risk Quantification Web Services e as políticas de risco. As políticas de risco apresentam um método para descrever métricas de risco e sua quantificação, que pode ser através de funções locais ou remotas. O uso de políticas de risco permite que usuários e provedores de serviços de nuvens definam como desejam tratar o controle de acesso baseado em risco para seus recursos, utilizando métodos de quantificação e agregação de risco apresentados em trabalhos relacionados. O modelo atinge a decisão de acesso baseado em uma combinação de decisões XACML e análise de risco. Uma especificação das políticas de risco utilizando XML é apresentada e um estudo de caso utilizando federações de nuvens é descrito. Um protótipo do modelo é implementado, mostrando que tem expressividade suficiente para descrever os modelos de trabalhos relacionados. Nos resultados experimentais o protótipo atinge decisões de acesso com o uso de políticas de trabalhos relacionados com um tempo entre 2 e 6 milissegundos. Uma discussão sobre os aspectos de segurança do modelo também é apresentada Abstract: Cloud computing is a distributed computing model that still faces problems. New ideas emerge to take advantage of its features and among the research challenges found in cloud computing, we can highlight Identity and Access Management. The main problems of the application of access control in the cloud are the necessary ?exibility and scalability to support a large number of users and resources in a dynamic and heterogeneous environment, with collaboration and information sharing needs. This research work proposes the use of risk-based dynamic access control for cloud computing. The proposal is presented as an access control model based on an extension of the XACML standard with three new main components: the Risk Engine, the Risk Quanti?cation Web Services and the Risk Policies. The risk policies present a method to describe risk metrics and their quanti?cation, using local or remote functions. The use of risk policies allows users and cloud service providers to de?ne how they wish to handle risk-based access control for their resources, using quanti?cation and aggregation methods presented in related works. The model reaches the access decision based on a combination of XACML decisions and risk analysis. A speci?cation of the risk policies using XML is presented and a case study using cloud federations isdescribed. A prototype of the model is implemented, showing it has enough expressivity to describe the models of related works. In the experimental results, the prototype reaches access decisions using policies based on related works with a time between 2 and 6 milliseconds. A discussion on the security aspects of the model is also presented

QoS provisioning and mobility management for IP-based wireless LAN

Today two major technological forces drive the telecommunication era: the wireless cellular systems and the Internet. As these forces converge, the demand for new services, increasing bandwidth and ubiquitous connectivity continuously grows. The next-generation mobile systems will be based solely or in a large extent, on the Internet Protocol (IP). This thesis begins by addressing the problems and challenges faced in a multimedia, IP-based Wireless LAN environment. The ETSI HiperLAN/2 system has been mainly selected as the test wireless network for our theoretical and simulation experiments. Apart from the simulations, measurements have been taken from real life test scenarios, where the IEEE 802.11 system was used (UniS Test-bed). Furthermore, a brief overview of the All-IP network infrastructure is presented. An extension to the conventional wireless (cellular) architecture, which takes advantage of the IP network characteristics, is considered. Some of the trends driving the 3G and WLANs developments are explored, while the provision of quality of service on the latter for real-time and non-real-time multimedia services is investigated, simulated and evaluated. Finally, an efficient and catholic Q0S framework is proposed. At the same time, the multimedia services should be offered in a seamless and uninterrupted manner to users who access the all-IP infrastructure via a WLAN, meeting the demands of both enterprise and public environments anywhere and anytime. Thus providing support for mobile communications not only in terms of terminal mobility, as is currently the case, but also for session, service and personal mobility. Furthermore, this mobility should be available over heterogeneous networks, such as WLANs, IJMTS, as well as fixed networks. Therefore, this work investigates issues such as, multilayer and multi-protocol (SIP-Mobile IP-Cellular IP) mobility management in wireless LAN and 3G domains. Several local and global mobility protocols and architectures have been tested and evaluated and a complete mobility management framework is proposed. Moreover, integration of simple yet efficient authentication, accounting and authorisation mechanisms with the multimedia service architecture is an important issue of IP-based WLANs. Without such integration providers will not have the necessary means to control their provided services and make revenue from the users. The proposed AAA architecture should support a robust AAA infrastructure providing secure, fast and seamless access granting to multimedia services. On the other hand, a user wishing a service from the All-IP WLAN infrastructure needs to be authenticated twice, once to get access to the network and the other one should be granted for the required service. Hence, we provide insights into these issues by simulating and evaluating pre-authentication techniques and other network authentication scenarios based on the wellknown IEEE 802.lx protocol for multimedia IP-based WLANs.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

An Access Definition and Query Language : Towards a Unified Access Control Model

In this work we suggest a meta access control model emulating established access control models by configuration and offering enhanced features like the delegation of rights, ego-centered roles, and decentralized administration. The suggested meta access control model is named \\u27\\u27Access Definition and Query Language\\u27\\u27 (ADQL). ADQL is represented by a formal, context-free grammar allowing to express the targeted access control model, policies, facts, and access queries as a formal language

User-controlled access management to resources on the Web

PhD ThesisThe rapidly developing Web environment provides users with a wide set of rich services as varied and complex as desktop applications. Those services are collectively referred to as "Web 2.0", with such examples as Facebook, Google Apps, Salesforce, or Wordpress, among many others. These applications are used for creating, managing, and sharing online data between users and services on the Web. With the shift from desktop computers to the Web, users create and store more of their data online and not on the hard drives of their computers. This data includes personal information, documents, photos, as well as other resources. Irrespective of the environment, either desktop or the Web, it is the user who creates the data, who disseminates it and who shares this data. On the Web, however, sharing resources poses new security and usability challenges which were not present in traditional computing. Access control, also known as authorisation, that aims to protect such sharing, is currently poorly addressed in this environment. Existing access control is often not well suited to the increasing amount of highly distributed Web data and does not give users the required flexibility in managing their data. This thesis discusses new solutions to access control for the Web. Firstly, it shows a proposal named User-Managed Access Control (UMAC) and presents its architecture and protocol. This thesis then focuses on the User-Managed Access (UMA) solution that is researched by the User- Managed Access Work Group at Kantara Initiative. The UMA approach allows the user to play a pivotal role in assigning access rights to their resources which may be spread across multiple cloud-based Web applications. Unlike existing authorisation systems, it relies on a user’s centrally located security requirements for these resources. The security requirements are expressed in the form of access control policies and are stored and evaluated in a specialised component called Authorisation Manager. Users are provided with a consistent User Experience for managing access control for their distributed online data and are provided with a holistic view of the security applied to this data. Furthermore, this thesis presents the software that implements the UMA proposal. In particular, this thesis shows frameworks that allow Web applications to delegate their access control function to an Authorisation Manager. It also presents design and implementation of an Authorisation Manager and discusses its evaluation conducted with a user study. It then discusses design and implementation of a second, improved Authorisation Manager. Furthermore, this thesis presents the applicability of the UMA approach and the implemented software to real-world scenarios