A Configurable Matchmaking Framework for Electronic Marketplaces

E-marketplaces constitute a major enabler of B2B and B2C e-commerce activities. This paper proposes a framework for one of the central activities of e-marketplaces: matchmaking of trading intentions lodged by market participants. The framework identifies a core set of concepts and functions that are common to all types of marketplaces and can serve as the basis for describing the distinct styles of matchmaking employed within various market mechanisms. A prototype implementation of the framework based on Web services technology is presented, illustrating its ability to be dynamically configured to meet specific market needs and its potential to serve as a foundation for more fully fledged e-marketplace frameworks

Interoperability of DRM Systems

The study deals with the cutting-edge subject of electronic contracts which have the potential to automatically process and control the access rights for (electronic) goods. It shows the design and the implementation of a rights expression exchange framework. The framework allows DRM systems to exchange electronic contracts, formulated in a standardized rights expression language, and thus provides DRM system interoperability. The work introduces a methodology for the standardized composition, exchange and processing of electronic contracts or rights expressions

A framework for usage management

This thesis proposes a formal framework for usage management in distributed systems. The principles of system design are applied in order to standardize certain features of the framework, such as the operational semantics, and leave free of standards areas that necessitate choice and innovation. The framework enables use of multiple policy languages, and dynamic interpretation of usage policies in different computing environments. In addition, the framework provides formal semantics to reason about interoperability of policies with respect to computing environments. The use of this framework in different usage management scenarios is demonstrated including multi-level security, cloud computing and digital rights management (DRM) systems. Furthermore, DRM is cast in a setting that allows the modeling of a number of current approaches within a game theoretic setting. Current strategies that attempt to influence the outcome of such games are analyzed, and a new type of architectural infrastructure that makes novel use of a trust authority is considered in order to create a suitable environment for constructing DRM games that may prove useful in the future

A message-level security approach for RESTful services

In the past ten years Web Services have positioned themselves to be one of the leading distributed technologies. The technology, supported by major IT companies, offers specifications to many challenges in a distributed environment like strong interface and message contacts, service discovery, reliable message exchange and advanced security mechanisms. On the other hand, all these specifications have made Web Services very complex and the industry is struggling to implement those in a standardized manner. REST based services, also known as RESTful services, are based on pure HTTP and have risen as competitors to Web Services, mainly because of their simplicity. Now they are being adopted by the majority of the big industry corporations including Microsoft, Yahoo and Google, who have deprecated or passed on Web Services in favor of RESTful services. However, RESTful services have been criticized for lacking functionality offered by Web Services, especially message-level security. Since security is an important functionality which may tip the scale in a negative direction for REST based services, this thesis proposes a prototype solution for message-level security for RESTful services. The solution is for the most part technical and utilizes well-known, cross-platform mechanisms which are composed together while a smaller part of the solution discusses a non-technical approach regarding the token distribution. During the development of the prototype, much of the focus was to adapt the solution according to the REST principals and guidelines, such are multi-format support (XML or JSON) and light-weight, human readable messages

Greenpass Client Tools for Delegated Authorization in Wireless Networks

Dartmouth\u27s Greenpass project seeks to provide strong access control to a wireless network while simultaneously providing flexible guest access; to do so, it augments the Wi-Fi Alliance\u27s existing WPA standard, which offers sufficiently strong user authentication and access control, with authorization based on SPKI certificates. SPKI allows certain local users to delegate network access to guests by issuing certificates that state, in essence, he should get access because I said it\u27s okay. The Greenpass RADIUS server described in Kim\u27s thesis [55] performs an authorization check based on such statements so that guests can obtain network access without requiring a busy network administrator to set up new accounts in a centralized database. To our knowledge, Greenpass is the first working delegation-based solution to Wi-Fi access control. My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work.My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work

Reforço da privacidade através do controlo da pegada digital

Dissertação de mestrado em Engenharia InformáticaAtualmente existe ainda uma relação assimétrica entre os utilizadores e os fornecedores de serviços disponibilizados pela internet. É prática comum, aquando da apresentação de um serviço, que o utilizador seja questionado sobre a aceitação, ou não, de um conjunto de políticas referentes ao uso de informação privada facultada ao fornecedor (por exemplo, a morada, o número de telefone, preferências, etc...). Geralmente os utilizadores aceitam a política com base na confiança que têm no fornecedor e/ou no contrato formal que lhes é apresentado. Os casos de violação de privacidade por parte de alguns fornecedores de serviços, vendendo ou facultando informação privada sobre os seus clientes a outros, são amplamente conhecidos e resultam em grande medida da falta de controlo que os utilizadores finais têm sobre a informação que entregam aos fornecedores. Este problema também tem grande impacto no ambiente empresarial. Quase toda a informação de uma organização é guardada em claro. Mesmo que esta seja guardada num local seguro, aqueles que conhecerem bem o sistema poderão ter indevidamente acesso a informação privada da organização. Além disto, se a organização for alvo de um ataque informático e o atacante conseguir aceder aos dados poderá consulta-los livremente. Neste trabalho propomos a implementação de um mecanismo que possibilite o envio de informações sem que o utilizador tenha necessidade de confiar no local onde as mesmas serão armazenadas, através da utilização do conceito de “sticky policies”. Através da utilização de técnicas criptográficas, é estabelecido um vínculo entre a informação cifrada e as políticas de acesso à informação. O sistema desenvolvido garante que, para um terceiro aceder às informações pessoais de um utilizador, terá que cumprir o conjunto de regras definidas pelo dono da informação. Visto que um utilizador autorizado a aceder às informações pode ter um comportamento incorreto, partilhando indevidamente as informações, propomos também adicionar mecanismos de auditoria dos acessos à informação gerida pelo sistema.Nowadays there is an asymmetrical relationship between users and service providers available over the internet. A common practice during service subscription is to ask users to accept a set of policies regarding use of private information (for example, address, telephone number, preferences, etc...). Generally users agree to the policy based on the confidence they have in the supplier and/or the formal contract that is presented to them. Cases of violation of privacy by some service providers, selling or providing private information about their customers to others, are widely known and result in large part from the lack of control that end users have over the information they deliver to suppliers. This issue also has great impact on business environment. Almost all the information of an organization is stored in clear. Even though it is stored in a safe place, those who know the system may have improper access to private information. In this work we propose the implementation of a mechanism for sending information without the user ever need to trust where they will be stored, using the concept of sticky policies. Through the use of cryptographic techniques, a link is established between the encrypted information and their access control policies. The system ensures that when a third party tries to access the information, has to fulfill the set of rules defined by the owner of the information. Since a user authorized to access the information may have an incorrect behavior, by improperly sharing information, we also propose to add auditing mechanisms to the information managed by the system

Intelligent XML Tag Classification Techniques for XML Encryption Improvement

Flexibility, friendliness, and adaptability have been key components to use XML to exchange information across different networks providing the needed common syntax for various messaging systems. However excess usage of XML as a communication medium shed the light on security standards used to protect exchanged messages achieving data confidentiality and privacy. This research presents a novel approach to secure XML messages being used in various systems with efficiency providing high security measures and high performance. system model is based on two major modules, the first to classify XML messages and define which parts of the messages to be secured assigning an importance level for each tag presented in XML message and then using XML encryption standard proposed earlier by W3C [3] to perform a partial encryption on selected parts defined in classification stage. As a result, study aims to improve both the performance of XML encryption process and bulk message handling to achieve data cleansing efficiently

Digital Rights Management and Consumer Acceptability: A Multi-Disciplinary Discussion of Consumer Concerns and Expectations

The INDICARE project – the Informed Dialogue about Consumer Acceptability of DRM Solutions in Europe – has been set up to raise awareness about consumer and user issues of Digital Rights Management (DRM) solutions. One of the main goals of the INDICARE project is to contribute to the consensus-building among multiple players with heterogeneous interests in the digital environment. To promote this process and to contribute to the creation of a common level of understanding is the aim of the present report. It provides an overview of consumer concerns and expectations regarding DRMs, and discusses the findings from a social, legal, technical and business perspective. A general overview of the existing EC initiatives shows that questions of consumer acceptability of DRM have only recently begun to draw wider attention. A review of the relevant statements, studies and reports confirms that awareness of consumer concerns is still at a low level. Five major categories of concerns have been distinguished so far: (1) fair conditions of use and access to digital content, (2) privacy, (3) interoperability, (4) transparency and (5) various aspects of consumer friendliness. From the legal point of view, many of the identified issues go beyond the scope of copyright law, i.e. the field of law where DRM was traditionally discussed. Often they are a matter of general or sector-specific consumer protection law. Furthermore, it is still unclear to what extent technology and an appropriate design of technical solutions can provide an answer to some of the concerns of consumers. One goal of the technical chapter was exactly to highlight some of these technical possibilities. Finally, it is shown that consumer acceptability of DRM is important for the economic success of different business models based on DRM. Fair and responsive DRM design can be a profitable strategy, however DRM-free alternatives do exist too.Digital Rights Management; consumers; Intellectual property; business models

BlogForever: D3.1 Preservation Strategy Report

This report describes preservation planning approaches and strategies recommended by the BlogForever project as a core component of a weblog repository design. More specifically, we start by discussing why we would want to preserve weblogs in the first place and what it is exactly that we are trying to preserve. We further present a review of past and present work and highlight why current practices in web archiving do not address the needs of weblog preservation adequately. We make three distinctive contributions in this volume: a) we propose transferable practical workflows for applying a combination of established metadata and repository standards in developing a weblog repository, b) we provide an automated approach to identifying significant properties of weblog content that uses the notion of communities and how this affects previous strategies, c) we propose a sustainability plan that draws upon community knowledge through innovative repository design

Digital rights management for electronic documents

Ph.DDOCTOR OF PHILOSOPH