8 research outputs found
Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis
In this paper, we demonstrate how the staged roll out of Trusted
Computing technology, beginning with ubiquitous client-side Trusted
Platform Modules (TPMs), can be used to enhance the security of
Internet-based Card Not Present (CNP) transactions. This approach can be
seen as an alternative to the proposed mass deployment of unconnected
card readers in the provision of CNP transaction authorisation. Using
TPM functionality (and the new PC architecture that will evolve around
it) we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D
Secure and server-side SET. We highlight how the use of TPM
functionality, as is currently being deployed in the marketplace, is not
a panacea for solving all the problems associated with CNP transactions.
In this instance, a more holistic
approach requiring additional Trusted Computing components incorporating
Operating System, processor and chipset support is required to combat
the threat of malware.
Authorization of services with QoS guarantees based on user profiles
Dissertation (master's) - Universidade Federal de Santa Catarina, Centro Tecnológico. Programa de Pós-Graduação em Ciência da Computação. Recent works propose QoS solutions allowing the users to explicitly specify the quality level they are requesting, during a so-called explicit QoS service invocation. This flexibility requires dynamic QoS service negotiation including new mechanisms for authentication, authorization and accounting (AAA). In particular, an organization should be able to control its network services usage so as to support its main business objectives, by authorizing only network QoS services based on rules for service destinations, applications and users. This dissertation addresses the model of the data and knowledge needed to support the authorization concession of explicit QoS service requests and proposes a user profile model for QoS service authorization, based on a semantic description of the SLA signed with the NSP, using an ontology for the definition of applied concepts. In this proposal, the users may be classified according to their job activities into specific profiles. Each user profile indicates the services that the user is authorized to request, their consumption limits and scope. User profile-based authorization policies may be defined and executed during explicit QoS service invocations.
A risk-based dynamic access control architecture for cloud computing
Dissertation (master's) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação, Florianópolis, 2013. Cloud computing is a distributed computing model that still faces problems. New ideas emerge to take advantage of its features and among the research challenges found in cloud computing, we can highlight Identity and Access Management. The main problems of the application of access control in the cloud are the necessary flexibility and scalability to support a large number of users and resources in a dynamic and heterogeneous environment, with collaboration and information sharing needs. This research work proposes the use of risk-based dynamic access control for cloud computing. The proposal is presented as an access control model based on an extension of the XACML standard with three new main components: the Risk Engine, the Risk Quantification Web Services and the Risk Policies. The risk policies present a method to describe risk metrics and their quantification, using local or remote functions. The use of risk policies allows users and cloud service providers to define how they wish to handle risk-based access control for their resources, using quantification and aggregation methods presented in related works. The model reaches the access decision based on a combination of XACML decisions and risk analysis. A specification of the risk policies using XML is presented and a case study using cloud federations is described. A prototype of the model is implemented, showing it has enough expressivity to describe the models of related works. In the experimental results, the prototype reaches access decisions using policies based on related works with a time between 2 and 6 milliseconds. A discussion on the security aspects of the model is also presented.
QoS provisioning and mobility management for IP-based wireless LAN
Today two major technological forces drive the telecommunication era: the wireless cellular systems and the Internet. As these forces converge, the demand for new services, increasing bandwidth and ubiquitous connectivity continuously grows. The next-generation mobile systems will be based solely, or to a large extent, on the Internet Protocol (IP). This thesis begins by addressing the problems and challenges faced in a multimedia, IP-based Wireless LAN environment. The ETSI HiperLAN/2 system has been mainly selected as the test wireless network for our theoretical and simulation experiments. Apart from the simulations, measurements have been taken from real life test scenarios, where the IEEE 802.11 system was used (UniS Test-bed). Furthermore, a brief overview of the All-IP network infrastructure is presented. An extension to the conventional wireless (cellular) architecture, which takes advantage of the IP network characteristics, is considered. Some of the trends driving the 3G and WLANs developments are explored, while the provision of quality of service on the latter for real-time and non-real-time multimedia services is investigated, simulated and evaluated. Finally, an efficient and catholic QoS framework is proposed. At the same time, the multimedia services should be offered in a seamless and uninterrupted manner to users who access the all-IP infrastructure via a WLAN, meeting the demands of both enterprise and public environments anywhere and anytime. Thus providing support for mobile communications not only in terms of terminal mobility, as is currently the case, but also for session, service and personal mobility. Furthermore, this mobility should be available over heterogeneous networks, such as WLANs, UMTS, as well as fixed networks. Therefore, this work investigates issues such as multilayer and multi-protocol (SIP-Mobile IP-Cellular IP) mobility management in wireless LAN and 3G domains.
Several local and global mobility protocols and architectures have been tested and evaluated and a complete mobility management framework is proposed. Moreover, integration of simple yet efficient authentication, accounting and authorisation mechanisms with the multimedia service architecture is an important issue of IP-based WLANs. Without such integration providers will not have the necessary means to control their provided services and make revenue from the users. The proposed AAA architecture should support a robust AAA infrastructure providing secure, fast and seamless access granting to multimedia services. On the other hand, a user wishing a service from the All-IP WLAN infrastructure needs to be authenticated twice, once to get access to the network and the other one should be granted for the required service. Hence, we provide insights into these issues by simulating and evaluating pre-authentication techniques and other network authentication scenarios based on the well-known IEEE 802.1x protocol for multimedia IP-based WLANs.
An Access Definition and Query Language : Towards a Unified Access Control Model
In this work we suggest a meta access control model emulating established access control models by configuration and offering enhanced features like the delegation of rights, ego-centered roles, and decentralized administration. The suggested meta access control model is named "Access Definition and Query Language" (ADQL). ADQL is represented by a formal, context-free grammar allowing to express the targeted access control model, policies, facts, and access queries as a formal language.
User-controlled access management to resources on the Web
PhD Thesis. The rapidly developing Web environment provides users with a wide set of rich services as
varied and complex as desktop applications. Those services are collectively referred to as "Web
2.0", with such examples as Facebook, Google Apps, Salesforce, or Wordpress, among many
others. These applications are used for creating, managing, and sharing online data between
users and services on the Web. With the shift from desktop computers to the Web, users create
and store more of their data online and not on the hard drives of their computers. This data
includes personal information, documents, photos, as well as other resources. Irrespective of
the environment, either desktop or the Web, it is the user who creates the data, who disseminates
it and who shares this data. On the Web, however, sharing resources poses new security
and usability challenges which were not present in traditional computing. Access control, also
known as authorisation, that aims to protect such sharing, is currently poorly addressed in this
environment. Existing access control is often not well suited to the increasing amount of highly
distributed Web data and does not give users the required flexibility in managing their data.
This thesis discusses new solutions to access control for the Web. Firstly, it shows a proposal
named User-Managed Access Control (UMAC) and presents its architecture and protocol. This
thesis then focuses on the User-Managed Access (UMA) solution that is researched by the User-
Managed Access Work Group at Kantara Initiative. The UMA approach allows the user to
play a pivotal role in assigning access rights to their resources which may be spread across
multiple cloud-based Web applications. Unlike existing authorisation systems, it relies on a
user's centrally located security requirements for these resources. The security requirements are
expressed in the form of access control policies and are stored and evaluated in a specialised
component called Authorisation Manager. Users are provided with a consistent User Experience
for managing access control for their distributed online data and are provided with a holistic
view of the security applied to this data. Furthermore, this thesis presents the software that
implements the UMA proposal. In particular, this thesis shows frameworks that allow Web
applications to delegate their access control function to an Authorisation Manager. It also
presents design and implementation of an Authorisation Manager and discusses its evaluation
conducted with a user study. It then discusses design and implementation of a second, improved
Authorisation Manager. Furthermore, this thesis presents the applicability of the UMA approach
and the implemented software to real-world scenarios.