24,098 research outputs found
A 3GPP open-ID framework
Currently Mobile Network Operators (MNO) rely on an authentication, authorization and profile management architecture which has proved, by its generalized use and acceptance, as being appropriate. The use of a secure component, the SIM-Card, provides a set of capabilities not seen in other access architectures and an advantage for MNOs. Nevertheless upcoming requirements in terms of open interfaces, new services and customer demands are questioning the actual architecture. This paper presents a novel approach to authentication and profile management that can be reused by both MNOs and 3rd party providers to answer the upcoming requirements. Here, a user is able to store his own identity information in different places, while taking advantage of the strong authentication mechanisms provided by the MNO. Furthermore, by integrating MNOs' generic authentication architecture with user-centric identity management, we are creating a generic way for service providers to reuse this authentication infrastructure, providing both single sign-on and strong authentication. Copyright © 2010 The authors
Contributions to the privacy provisioning for federated identity management platforms
Identity information, personal data and userâs profiles are key assets for organizations
and companies by becoming the use of identity management (IdM) infrastructures a prerequisite
for most companies, since IdM systems allow them to perform their business
transactions by sharing information and customizing services for several purposes in more
efficient and effective ways.
Due to the importance of the identity management paradigm, a lot of work has been done
so far resulting in a set of standards and specifications. According to them, under the
umbrella of the IdM paradigm a personâs digital identity can be shared, linked and reused
across different domains by allowing users simple session management, etc. In this way,
usersâ information is widely collected and distributed to offer new added value services
and to enhance availability. Whereas these new services have a positive impact on usersâ
life, they also bring privacy problems.
To manage usersâ personal data, while protecting their privacy, IdM systems are the ideal
target where to deploy privacy solutions, since they handle usersâ attribute exchange.
Nevertheless, current IdM models and specifications do not sufficiently address comprehensive
privacy mechanisms or guidelines, which enable users to better control over the
use, divulging and revocation of their online identities. These are essential aspects, specially
in sensitive environments where incorrect and unsecured management of userâs data
may lead to attacks, privacy breaches, identity misuse or frauds.
Nowadays there are several approaches to IdM that have benefits and shortcomings, from
the privacy perspective.
In this thesis, the main goal is contributing to the privacy provisioning for federated
identity management platforms. And for this purpose, we propose a generic architecture
that extends current federation IdM systems. We have mainly focused our contributions
on health care environments, given their particularly sensitive nature. The two main
pillars of the proposed architecture, are the introduction of a selective privacy-enhanced
user profile management model and flexibility in revocation consent by incorporating an
event-based hybrid IdM approach, which enables to replace time constraints and explicit
revocation by activating and deactivating authorization rights according to events. The
combination of both models enables to deal with both online and offline scenarios, as well
as to empower the user role, by letting her to bring together identity information from
different sources.
Regarding userâs consent revocation, we propose an implicit revocation consent mechanism
based on events, that empowers a new concept, the sleepyhead credentials, which
is issued only once and would be used any time. Moreover, we integrate this concept
in IdM systems supporting a delegation protocol and we contribute with the definition
of mathematical model to determine event arrivals to the IdM system and how they are
managed to the corresponding entities, as well as its integration with the most widely
deployed specification, i.e., Security Assertion Markup Language (SAML).
In regard to user profile management, we define a privacy-awareness user profile management
model to provide efficient selective information disclosure. With this contribution a
service provider would be able to accesses the specific personal information without being
able to inspect any other details and keeping user control of her data by controlling
who can access. The structure that we consider for the user profile storage is based on
extensions of Merkle trees allowing for hash combining that would minimize the need of
individual verification of elements along a path. An algorithm for sorting the tree as we
envision frequently accessed attributes to be closer to the root (minimizing the accessâ
time) is also provided.
Formal validation of the above mentioned ideas has been carried out through simulations
and the development of prototypes. Besides, dissemination activities were performed in
projects, journals and conferences.Programa Oficial de Doctorado en IngenierĂa TelemĂĄticaPresidente: MarĂa Celeste Campo VĂĄzquez.- Secretario: MarĂa Francisca Hinarejos Campos.- Vocal: Ăscar Esparza MartĂ
An Innovative Workspace for The Cherenkov Telescope Array
The Cherenkov Telescope Array (CTA) is an initiative to build the next
generation, ground-based gamma-ray observatories. We present a prototype
workspace developed at INAF that aims at providing innovative solutions for the
CTA community. The workspace leverages open source technologies providing web
access to a set of tools widely used by the CTA community. Two different user
interaction models, connected to an authentication and authorization
infrastructure, have been implemented in this workspace. The first one is a
workflow management system accessed via a science gateway (based on the Liferay
platform) and the second one is an interactive virtual desktop environment. The
integrated workflow system allows to run applications used in astronomy and
physics researches into distributed computing infrastructures (ranging from
clusters to grids and clouds). The interactive desktop environment allows to
use many software packages without any installation on local desktops
exploiting their native graphical user interfaces. The science gateway and the
interactive desktop environment are connected to the authentication and
authorization infrastructure composed by a Shibboleth identity provider and a
Grouper authorization solution. The Grouper released attributes are consumed by
the science gateway to authorize the access to specific web resources and the
role management mechanism in Liferay provides the attribute-role mapping
Identity in research infrastructure and scientific communication: Report from the 1st IRISC workshop, Helsinki Sep 12-13, 2011
Motivation for the IRISC workshop came from the observation that identity and digital identification are increasingly important factors in modern scientific research, especially with the now near-ubiquitous use of the Internet as a global medium for dissemination and debate of scientific knowledge and data, and as a platform for scientific collaborations and large-scale e-science activities.

The 1 1/2 day IRISC2011 workshop sought to explore a series of interrelated topics under two main themes: i) unambiguously identifying authors/creators & attributing their scholarly works, and ii) individual identification and access management in the context of identity federations. Specific aims of the workshop included:

• Raising overall awareness of key technical and non-technical challenges, opportunities and developments.
• Facilitating a dialogue, cross-pollination of ideas, collaboration and coordination between diverse – and largely unconnected – communities.
• Identifying & discussing existing/emerging technologies, best practices and requirements for researcher identification.

This report provides background information on key identification-related concepts & projects, describes workshop proceedings and summarizes key workshop findings
Integrating security solutions to support nanoCMOS electronics research
The UK Engineering and Physical Sciences Research Council (EPSRC) funded Meeting the Design Challenges of nanoCMOS Electronics (nanoCMOS) is developing a research infrastructure for collaborative electronics research across multiple institutions in the UK with especially strong industrial and commercial involvement. Unlike other domains, the electronics industry is driven by the necessity of protecting the intellectual property of the data, designs and software associated with next generation electronics devices and therefore requires fine-grained security. Similarly, the project also demands seamless access to large scale high performance compute resources for atomic scale device simulations and the capability to manage the hundreds of thousands of files and the metadata associated with these simulations. Within this context, the project has explored a wide range of authentication and authorization infrastructures facilitating compute resource access and providing fine-grained security over numerous distributed file stores and files. We conclude that no single security solution meets the needs of the project. This paper describes the experiences of applying X.509-based certificates and public key infrastructures, VOMS, PERMIS, Kerberos and the Internet2 Shibboleth technologies for nanoCMOS security. We outline how we are integrating these solutions to provide a complete end-end security framework meeting the demands of the nanoCMOS electronics domain
ORACLE DATABASE SECURITY
This paper presents some security issues, namely security database system level, data level security, user-level security, user management, resource management and password management. Security is a constant concern in the design and database development. Usually, there are no concerns about the existence of security, but rather how large it should be. A typically DBMS has several levels of security, in addition to those offered by the operating system or network. Typically, a DBMS has user accounts that require a login password to be authenticated to access the data.data security, password administration, Oracle HTTP Server, OracleAS, access control
Managing Dynamic User Communities in a Grid of Autonomous Resources
One of the fundamental concepts in Grid computing is the creation of Virtual
Organizations (VO's): a set of resource consumers and providers that join
forces to solve a common problem. Typical examples of Virtual Organizations
include collaborations formed around the Large Hadron Collider (LHC)
experiments. To date, Grid computing has been applied on a relatively small
scale, linking dozens of users to a dozen resources, and management of these
VO's was a largely manual operation. With the advance of large collaboration,
linking more than 10000 users with a 1000 sites in 150 counties, a
comprehensive, automated management system is required. It should be simple
enough not to deter users, while at the same time ensuring local site autonomy.
The VO Management Service (VOMS), developed by the EU DataGrid and DataTAG
projects[1, 2], is a secured system for managing authorization for users and
resources in virtual organizations. It extends the existing Grid Security
Infrastructure[3] architecture with embedded VO affiliation assertions that can
be independently verified by all VO members and resource providers. Within the
EU DataGrid project, Grid services for job submission, file- and database
access are being equipped with fine- grained authorization systems that take VO
membership into account. These also give resource owners the ability to ensure
site security and enforce local access policies. This paper will describe the
EU DataGrid security architecture, the VO membership service and the local site
enforcement mechanisms Local Centre Authorization Service (LCAS), Local
Credential Mapping Service(LCMAPS) and the Java Trust and Authorization
Manager.Comment: Talk from the 2003 Computing in High Energy and Nuclear Physics
(CHEP03), La Jolla, Ca, USA, March 2003, 7 pages, LaTeX, 5 eps figures. PSN
TUBT00
- âŠ