26 research outputs found

    Analyzing the Interoperability of WS-Security and WS-ReliableMessaging Implementations

    Since their invention as lightweight integration technology about a decade ago, Web Services have matured significantly. Today, major middleware solution vendors as well as industry communities like RosettaNet are propagating Web services even for exchanging business-critical data and implementing inter-organizational business processes. Core enablers for using Web services in this domain are stateful interactions using the Web Services Business Process Execution Language (WS-BPEL) as well as advanced communication features like security and reliability using the WS-Security and WS-ReliableMessaging standard specifications. However, advanced communication features come at the price of complexity, which challenges interoperability across different Web services stack implementations. Interoperability, in turn, is a predominant requirement for an integration technology such as Web services, in particular if inter-organizational business processes are supposed to be implemented on top of that technology. This paper approaches the problem of testing the interoperability of the so-called WS-* standards, advanced Web services communication features that are typically defined as SOAP extensions and configured using WS-Policy. Being essential to business process integration, WS-Security and WS-ReliableMessaging are selected as representatives of this group, and the two major Java-based Web services stack implementations Metro and Axis2 are tested for interoperability. We operationalize the notion of interoperability for testing WS-* standards, propose an approach for deriving test cases from WS-* specifications as well as a method for performing the test cases, and we provide a comprehensive interoperability review of the two selected Web services stack implementations.

    XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany

    XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years until today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-world contemporary example as motivation, we introduce a guideline for more secure XML signature processing that provides practitioners with easier access to the effective countermeasures identified in the current state of research. Comment: Accepted for IFIP SEC 202

    Policies for Web Services

    Web services are predominantly used to implement service-oriented architectures (SOA). However, there are several areas such as temporal dimensions, real-time, streaming, or efficient and flexible file transfers where web service functionality should be extended. These extensions can, for example, be achieved by using policies. Since there are often alternative solutions to provide functionality (e.g., different protocols can be used to achieve the transfer of data), the WS-Policy standard is especially useful to extend web services with policies. It allows to create policies to generally state the properties under which a service is provided and to explicitly express alternative properties. To extend the functionality of web services, two policies are introduced in this thesis: the Temporal Policy and the Communication Policy. The temporal policy is the foundation for adding temporal dimensions to a WS-Policy. The temporal policy itself is not a WS-Policy but an independent policy language that describes temporal dimensions of and dependencies between temporal policies and WS-Policies. Switching of protocol dependencies, pricing of services, quality of service, and security are example areas for using a temporal policy. To describe protocol dependencies of a service for streaming, real-time and file transfers, a communication policy can be utilized. The communication policy is a concrete WS-Policy. With the communication policy, a service can expose the protocols it depends on for a communication after its invocation. Thus, a web service client knows the protocols required to support a communication with the service. Therefore, it is possible to evaluate beforehand whether an invocation of a service is reasonable. On top of the newly introduced policies, novel mechanisms and tools are provided to alleviate service use and enable flexible and efficient data handling. 
Furthermore, the involvement of the end user in the development process can be achieved more easily. The Flex-SwA architecture, the first component in this thesis based on the newly introduced policies, implements the actual file transfers and streaming protocols that are described as dependencies in a communication policy. Several communication patterns support the flexible handling of the communication. A reference concept enables seamless message forwarding with reduced data movement. Based on the Flex-SwA implementation and the communication policy, it is possible to improve usability - especially in the area of service-oriented Grids - by integrating data transfers into an automatically generated web and Grid service client. The Web and Grid Service Browser is introduced in this thesis as such a generic client. It provides a familiar environment for using services by offering the client generation as part of the browser. Data transfers are directly integrated into service invocation without having to perform data transmissions explicitly. For multimedia MIME types, special plugins allow the consumption of multimedia data. To enable an end user to build applications that also leverage high performance computing resources, the Service-enabled Mashup Editor is presented that lets the user combine popular web applications with web and Grid services. Again, the communication policy provides descriptive means for file transfers and Flex-SwA's reference concept is used for data exchange. To show the applicability of these novel concepts, several use cases from the area of multimedia processing have been selected. Based on the temporal policy, the communication policy, Flex-SwA, the Web and Grid Service Browser, and the Service-enabled Mashup Editor, the development of a scalable service-oriented multimedia architecture is presented. The multimedia SOA offers, among others, a face detection workflow, a video-on-demand service, and an audio resynthesis service. 
More precisely, a video-on-demand service describes its dependency on a multicast protocol by using a communication policy. A temporal policy is then used to describe a protocol switch from one multicast protocol to another one by changing the communication policy at the end of its validity period. The Service-enabled Mashup Editor is used as a client for the new multicast protocol after the multicast protocol has been switched. To stream single frames from a frame decoder service to a face detection service (which are both part of the face detection workflow) and to transfer audio files with the different Flex-SwA communication patterns to an audio resynthesis service, Flex-SwA is used. The invocation of the face detection workflow and the audio resynthesis service is realized with the Web and Grid Service Browser.

    Non-functional properties in the model-driven development of service-oriented systems

    Systems based on the service-oriented architecture (SOA) principles have become an important cornerstone of the development of enterprise-scale software applications. They are characterized by separating functions into distinct software units, called services, which can be published, requested and dynamically combined in the production of business applications. Service-oriented systems (SOSs) promise high flexibility, improved maintainability, and simple re-use of functionality. Achieving these properties requires an understanding not only of the individual artifacts of the system but also of their integration. In this context, non-functional aspects play an important role and should be analyzed and modeled as early as possible in the development cycle. In this paper, we discuss modeling of non-functional aspects of service-oriented systems, and the use of these models for analysis and deployment. Our contribution in this paper is threefold. First, we show how services and service compositions may be modeled in UML by using a profile for SOA (UML4SOA) and how non-functional properties of service-oriented systems can be represented using the non-functional extension of UML4SOA (UML4SOA-NFP) and the MARTE profile. This enables modeling of performance, security and reliable messaging. Second, we discuss formal analysis of models which respect this design; in particular we consider performance estimates and reliability analysis using the stochastically timed process algebra PEPA as the underlying analytical engine. Last but not least, our models are the source for the application of deployment mechanisms which comprise model-to-model and model-to-text transformations implemented in the framework VIATRA. All techniques presented in this work are illustrated by a running example from an eUniversity case study.

    C-Business and Enterprise Urbanisation

    Permanent market changes have forced most enterprises to focus on the processes tied to their core business. This refocusing then leads them either to outsource certain parts of their processes or to temporarily form an association with other partners. These collaboration scenarios impose several constraints on the design and organisation of the information system in order to make it easily adaptable to changes at the organisational level. For the information system to be easily adaptable, it is possible to restructure it according to the principles of information system urbanisation coupled with a service-oriented architecture; however, this organisation leads to fairly rigid systems that do not really provide the capabilities to initiate collaborative processes. Yet collaboration requires taking security constraints into account, because the traditional urbanisation approach does not consider the possibility of collaboration and forms security islands, which runs counter to the transversal nature of security. Moreover, in a service-oriented model, applications distributed across several sites have little or no visibility of the information needed to ensure security at the global level. It is in this context that we proposed to adopt an enterprise urbanisation approach that promotes a transversal organisation of the enterprise's production system and allows incremental construction of collaborative processes. We succeeded in specifying an industrial service model built by grouping all the functions needed around the manufacturing of the product. We then proposed to build a middleware supporting these industrial services. 
This entails adding to traditional service buses (ESBs) a semantic level capable of managing functional and non-functional properties (quality of service and security). Within the ANR SEMEUSE project, which aims to equip an open-source ESB (PETALS) with a semantic level, our contribution focused more particularly on the specification and implementation of the components that allow security policies to be integrated in a contextual manner.

    Market evolution has led most enterprises to focus on their core business while setting up outsourcing and collaborative strategies to be able to propose the best product-service offers. This Collaborative Business environment challenges Information System (IS) re-organisation to set up agile, reactive and interoperable IT supports. To fulfil these requirements, one can reorganise the information system according to the urbanisation paradigm. Coupled with Service Oriented Architecture, this approach provides interoperable information systems. Nevertheless, traditional urbanisation strategies lead to a partitioned and rather rigid IS organisation aligned on the company's functional structure, which hinders initiating collaborative production processes, since the production process is transversal and bypasses all enterprise business areas. To overcome these limits, we propose to adopt a new urbanisation strategy that combines the transversal production logic with a service orientation to allow incremental production process building, based on goals to be reached. Despite the advantages of collaboration, in dynamic collaboration scenarios a lack of trust can be a braking force while developing collaborative strategies. To this end, we proposed to integrate security needs and constraints into the definitions of business processes, organisational structure and technical components. Hence, the architecture we propose to implement our enterprise urbanisation approach is based on a service-oriented model. 
We extend the traditional IT service to capture semantics associated with the industrial activity, so that an industrial service model is proposed. Then security requirements are added to this model to govern access to the different interfaces in a composite service. The implementation of this architecture is achieved using an industrial service bus, by adding a security module extended with a semantic layer on top of PEtALS, an open source ESB.

    Model Driven Service Description and Discovery Framework for Carrier Applications

    The most dominant architecture in the contemporary business domain is Service Oriented Architecture (SOA). The large number of the existing service description and discovery systems available today, including the ones proposed in research proposals, reveals an increasing need for adaptive, semantically enriched and context-aware, wide-area service discovery. This need will become more intense in the years to come as the number of available services increases rapidly. The main reason behind the existence of a plethora of such systems is that before these initiatives, the standard in service discovery was taking into account only the syntactic descriptions of the services, causing conflicts when services, with similar syntactic descriptions, needed to be evaluated. The research solutions available today offer efficient and accurate discovery at the syntactic, functional semantic and non-functional semantic level. However, the problem is that there is no general consensus yet regarding service discovery. Research by its very nature, leads to point solutions rather than complete systems. Based on these observations, we propose an adaptive service description and discovery framework for carrier applications, enabling the model-driven specification of services and client profiles, and also, for allowing the dynamic configuration of the services to meet specific quality requirements defined by the clients. The framework was implemented in the context of Model Driven Development, to ensure platform independence at the level of the specification of services. The framework takes the union of the point solutions offered by research proposals in the area of service description and discovery, creates an abstract model, and can compile that model to platform specific code. 
More specifically, services for carrier applications can be specified in a platform independent way both in terms of service signatures (syntactic properties) and in terms of the functionality and the QoS service characteristics (semantic properties). A model transformation framework allows for the creation of a platform specific model for the description of services in a specific technology platform (e.g., Web services). The framework is extensible to accommodate future extensions. In addition, as a proof of concept, we designed and developed an Eclipse Rich Client Platform (RCP) prototype tool implementing our proposal.

    Architectures and Standards for Spatial Data Infrastructures and Digital Government: European Union Location Framework Guidelines

    This document provides an overview of the architecture(s) and standards for Spatial Data Infrastructures (SDI) and Digital Government. The document describes the different viewpoints according to the Reference Model for Open and Distributed Processing (RM-ODP), which is often used in both the SDI and e-Government worlds: the enterprise viewpoint, the engineering viewpoint, the information viewpoint, the computational viewpoint and the technological viewpoint. The document not only describes these viewpoints with regard to SDI and e-Government implementations, but also how the architecture(s) and standards of SDI and e-Government relate. It indicates which standards and tools can be used and provides examples of implementations in different areas, such as process modelling, metadata, data and services. In addition, the annex provides an overview of the most commonly used standards and technologies for SDI and e-Government. JRC.B.6-Digital Econom

    The CHORCH Approach: How to Model B2Bi Choreographies for Orchestration Execution

    The establishment and implementation of cross-organizational business processes is an implication of today's market pressure for efficiency gains. In this context, Business-To-Business integration (B2Bi) focuses on the information integration aspects of business processes. A core task of B2Bi is providing adequate models that capture the message exchanges between integration partners. Following the terminology used in the SOA domain, such models will be called choreographies in the context of this work. Despite the enormous economic importance of B2Bi, existing choreography languages fall short of fulfilling all relevant requirements of B2Bi scenarios. Dedicated B2Bi choreography standards allow for inconsistent outcomes of basic interactions and do not provide unambiguous semantics for advanced interaction models. In contrast to this, more formal or technical choreography languages may provide unambiguous modeling semantics, but do not offer B2Bi domain concepts or an adequate level of abstraction. Defining valid and complete B2Bi choreography models becomes a challenging task in the face of these shortcomings. At the same time, invalid or underspecified choreography definitions are particularly costly considering the organizational setting of B2Bi scenarios. Models are not only needed to bridge the typical gap between business and IT, but also as negotiation means among the business users of the integration partners on the one hand and among the IT experts of the integration partners on the other. Misunderstandings between any two negotiation partners potentially affect the agreements between all other negotiation partners. The CHORCH approach offers tailored support for B2Bi by combining the strengths of both dedicated B2Bi standards and formal rigor. As choreography specification format, the ebXML Business Process Specification Schema (ebBP) standard is used. 
ebBP provides dedicated B2Bi domain concepts such as so-called BusinessTransactions (BTs) that abstractly specify the exchange of a request business document and an optional response business document. In addition, ebBP provides a format for specifying the sequence of BT executions for capturing complex interaction scenarios. CHORCH improves the offering of ebBP in several ways. Firstly, the execution model of BTs which allows for inconsistent outcomes among the integration partners is redefined such that only consistent outcomes are possible. Secondly, two binary choreography styles are defined as B2Bi implementation contract format in order to streamline implementation projects. Both choreography styles are formalized and provided with a formal execution semantics for ensuring unambiguity. In addition, validity criteria are defined that ensure implementability using BPEL-based orchestrations. Thirdly, the analysis of the synchronization dependencies of complex B2Bi scenarios is supported by means of a multi-party choreography style combined with an analysis framework. This choreography style also is formalized and standard state machine semantics are reused in order to ensure unambiguity. Moreover, validity criteria are defined that allow for analyzing corresponding models for typical multi-party choreography issues. Altogether, CHORCH provides choreography styles that are B2Bi adequate, simple, unambiguous, and implementable. The choreography styles are B2Bi adequate in providing B2Bi domain concepts, in abstracting from low-level implementation details and in covering the majority of real-world B2Bi scenarios. Simplicity is fostered by using state machines as underlying specification paradigm. This allows for thinking in the states of a B2Bi scenario and for simple control flow structures. 
Unambiguity is provided by formal execution semantics whereas implementability (for the binary choreography styles) is ensured by providing mapping rules to BPEL-based implementations. The validation of CHORCH's choreography styles is performed in a twofold way. Firstly, the implementation of the binary choreography styles based on Web Services and BPEL technology is demonstrated which proves implementability using relatively low-cost technologies. Moreover, the analysis algorithms for the multi-party choreography styles are validated using a Java-based prototype. Secondly, an abstract visualization of the choreography styles based on BPMN is provided that abstracts from the technicalities of the ebBP standard. This proves the amenability of CHORCH to development methods that start out with visual models. CHORCH defines how to use BPMN choreographies for the purpose of B2Bi choreography modeling and translates the formal rules for choreography validity into simple composition rules that demonstrate valid ways of connecting the respective modeling constructs. In summary, CHORCH allows integration partners to start out with a high-level visual model of their interactions in BPMN that identifies the types and sequences of the BusinessTransactions to be used. For multi-party choreographies, a framework for analyzing synchronization dependencies then is available. For binary choreographies, an ebBP refinement can be derived that fills in the technical parameters that are needed for deriving the implementation. Finally, Web Services and BPEL based implementations can be generated. Thus, CHORCH allows for stepwise closing the semantic gap between the information perspective of business process models and the corresponding implementations. It is noteworthy that CHORCH uses international standards throughout all relevant layers, i.e., BPMN, ebBP, Web Services and BPEL, which helps in bridging the heterogeneous IT landscapes of B2Bi partners. 
In addition, the adoption of core CHORCH deliverables as international standards of the RosettaNet community gives testament to the practical relevance and promises dissemination throughout the B2Bi community.

    Cross-company business process integration is a logical consequence of ubiquitous competitive pressure. In this context, Business-To-Business integration (B2Bi) focuses on the information exchanges between companies. A core B2Bi requirement is the provision of adequate models for specifying the message exchanges between integration partners. Following service-oriented architecture (SOA) terminology, these are called choreographies in this work. Existing choreography languages do not fully cover the requirements of B2Bi choreographies. Dedicated B2Bi choreography standards define inconsistent exchange procedures for basic interactions and only incomplete semantics for advanced interactions. Formal or technology-driven choreography languages offer the required precision but lack domain concepts or operate at a low level of abstraction. In the face of such shortcomings, specifying valid and complete B2Bi choreographies becomes a real challenge. At the same time, deficient choreography models are particularly problematic in the B2Bi domain, since they are used not only between business and IT departments but also across company boundaries. The CHORCH approach remedies this by means of tailored choreographies that combine the advantages of B2Bi choreographies and of formal approaches. The starting point is the ebXML Business Process Specification Schema (ebBP), which, as a B2Bi choreography standard, offers domain concepts such as so-called BusinessTransactions (BTs). 
A BT is the basic building block of B2Bi choreographies and specifies the exchange of a business document and an optional response document. In addition, ebBP offers a format for specifying BT compositions to support complex interactions. CHORCH extends ebBP as follows. First, the execution model for BTs is redefined to eliminate inconsistent outcome states. Second, two binary choreography classes are defined for development projects, intended to serve as B2Bi implementation contracts. The formalization of both classes together with formal operational semantics ensures unambiguity, while validity criteria guarantee the executability of corresponding models by means of BPEL-based orchestrations. Third, for analyzing the synchronization relationships of complex B2Bi scenarios, a multi-party choreography class together with an analysis framework is defined. Again, a formalization is defined for this class that ensures unambiguity using standard state machine semantics. Furthermore, validity criteria guarantee the applicability of the defined analysis algorithms. Altogether, the choreography classes of the CHORCH approach offer a B2Bi-adequate, simple, unambiguous and implementable model of the message exchanges between B2Bi partners. B2Bi adequacy is ensured by using B2Bi domain concepts, abstracting from purely technical communication details and covering most practically relevant B2Bi scenarios. Simplicity follows from the use of a state-machine-based modeling paradigm that allows the progress of an interaction to be defined in terms of states and enables simple control flow structures. 
Unambiguity is guaranteed by the use of formal semantics, while implementability (for the two binary choreography classes) is ensured by specifying mapping rules to BPEL orchestrations. The validation of the CHORCH choreography classes is carried out in two respects. First, the implementability of the binary choreography classes using Web Services and BPEL is demonstrated by defining corresponding mapping rules. Furthermore, the analysis framework of the multi-party choreography class is implemented as a Java prototype. Second, for all choreography classes an abstract BPMN-based visualization is defined that abstracts from various technical parameters of the ebBP format. This demonstrates that the CHORCH choreography classes can be integrated into development approaches that take a visual model as their starting point. CHORCH defines how so-called BPMN choreographies are to be used for the purpose of B2Bi choreography modeling and translates the validity criteria of the CHORCH choreography classes into simple model composition rules. As a whole, CHORCH thus offers an approach with which B2Bi partners can first identify the types and permissible sequences of their business document exchanges on the basis of an abstract visual BPMN model. In the case of multi-party choreographies, a framework for analyzing the synchronization relationships between the integration partners is then available. In the case of binary choreographies, ebBP refinements can be derived that enrich the models with the technical parameters needed to derive an implementation. These ebBP models can be translated into Web Services- and BPEL-based implementations. 
CHORCH thus allows the stepwise bridging of the semantic gap between the information exchange perspective of business process models and the corresponding implementations. A noteworthy aspect of the CHORCH approach is the use of relevant international standards at all abstraction levels, specifically BPMN, ebBP, Web Services and BPEL. The use of standards accounts for the heterogeneous environment of B2Bi scenarios. In addition, core results of the CHORCH approach have been published as international standards of the RosettaNet B2Bi community. This demonstrates the practical relevance of the approach and promotes its dissemination within the B2Bi community.

    Contributions to the privacy provisioning for federated identity management platforms

    Identity information, personal data and users' profiles are key assets for organizations and companies, making the use of identity management (IdM) infrastructures a prerequisite for most companies, since IdM systems allow them to perform their business transactions by sharing information and customizing services for several purposes in more efficient and effective ways. Due to the importance of the identity management paradigm, a lot of work has been done so far, resulting in a set of standards and specifications. According to them, under the umbrella of the IdM paradigm a person's digital identity can be shared, linked and reused across different domains, allowing users simple session management, etc. In this way, users' information is widely collected and distributed to offer new added-value services and to enhance availability. Whereas these new services have a positive impact on users' lives, they also bring privacy problems. To manage users' personal data while protecting their privacy, IdM systems are the ideal target on which to deploy privacy solutions, since they handle users' attribute exchange. Nevertheless, current IdM models and specifications do not sufficiently address comprehensive privacy mechanisms or guidelines that give users better control over the use, divulging and revocation of their online identities. These are essential aspects, especially in sensitive environments where incorrect and unsecured management of users' data may lead to attacks, privacy breaches, identity misuse or fraud. Nowadays there are several approaches to IdM that have benefits and shortcomings from the privacy perspective. In this thesis, the main goal is contributing to the privacy provisioning for federated identity management platforms. For this purpose, we propose a generic architecture that extends current federated IdM systems. We have mainly focused our contributions on health care environments, given their particularly sensitive nature. 
The two main pillars of the proposed architecture are the introduction of a selective privacy-enhanced user profile management model and flexibility in consent revocation by incorporating an event-based hybrid IdM approach, which makes it possible to replace time constraints and explicit revocation by activating and deactivating authorization rights according to events. The combination of both models makes it possible to deal with both online and offline scenarios, as well as to empower the user role by letting her bring together identity information from different sources. Regarding users' consent revocation, we propose an implicit consent revocation mechanism based on events, which supports a new concept, the sleepyhead credentials, which are issued only once and can be used at any time. Moreover, we integrate this concept in IdM systems supporting a delegation protocol, and we contribute the definition of a mathematical model to determine event arrivals to the IdM system and how they are dispatched to the corresponding entities, as well as its integration with the most widely deployed specification, i.e., Security Assertion Markup Language (SAML). In regard to user profile management, we define a privacy-aware user profile management model to provide efficient selective information disclosure. With this contribution a service provider would be able to access the specific personal information without being able to inspect any other details, while the user keeps control of her data by controlling who can access it. The structure that we consider for the user profile storage is based on extensions of Merkle trees allowing for hash combining, which minimizes the need for individual verification of elements along a path. An algorithm for sorting the tree so that frequently accessed attributes are closer to the root (minimizing the access time) is also provided. 
Formal validation of the above-mentioned ideas has been carried out through simulations and the development of prototypes. Besides, dissemination activities were performed in projects, journals and conferences. Official Doctoral Programme in Telematic Engineering. Chair: María Celeste Campo Vázquez. Secretary: María Francisca Hinarejos Campos. Member: Óscar Esparza Martí