3PAC: Enforcing Access Policies for Web Services

Web services fail to deliver on the promise of ubiquitous deployment and seamless interoperability due to the lack of a uniform, standards-based approach to all aspects of security. In particular, the enforcement of access policies in a service oriented architecture is not addressed adequately. We present a novel approach to the distribution and enforcement of credentials-based access policies for Web services (3PAC) which scales well and can be implemented in existing deployments

Solving identity delegation problem in the e-government environment

At present, many countries allow citizens or entities to interact with the government outside the telematic environment through a legal representative who is granted powers of representation. However, if the interaction takes place through the Internet, only primitive mechanisms of representation are available, and these are mainly based on non-dynamic offline processes that do not enable quick and easy identity delegation. This paper proposes a system of dynamic delegation of identity between two generic entities that can solve the problem of delegated access to the telematic services provided by public authorities. The solution herein is based on the generation of a delegation token created from a proxy certificate that allows the delegating entity to delegate identity to another on the basis of a subset of its attributes as delegator, while also establishing in the delegation token itself restrictions on the services accessible to the delegated entity and the validity period of delegation. Further, the paper presents the mechanisms needed to either revoke a delegation token or to check whether a delegation token has been revoked. Implications for theory and practice and suggestions for future research are discussed

A new revocable and re-delegable proxy signature and its application

With the popularity of cloud computing and mobile Apps, on-demand services such as on-line music or audio streaming and vehicle booking are widely available nowadays. In order to allow efficient delivery and management of the services, for large-scale on-demand systems, there is usually a hierarchy where the service provider can delegate its service to a top-tier (e.g., countrywide) proxy who can then further delegate the service to lower level (e.g., region-wide) proxies. Secure (re-)delegation and revocation are among the most crucial factors for such systems. In this paper, we investigate the practical solutions for achieving re-delegation and revocation utilizing proxy signature. Although proxy signature has been extensively studied in the literature, no previous solution can achieve both properties. To fill the gap, we introduce the notion of revocable and re-delegable proxy signature that supports efficient revocation and allows a proxy signer to re-delegate its signing right to other proxy signers without the interaction with the original signer. We define the formal security models for this new primitive and present an efficient scheme that can achieve all the security properties. We also present a secure on-line revocable and re-delegate vehicle ordering system (RRVOS) as one of the applications of our proposed scheme

Improvements of Pan-European IDM Architecture to Enable Identity Delegation Based on X.509 Proxy Certificates and SAML

To foster the secure use of telematic services provided by public institutions, most European countries – and others in the rest of the world – are promoting electronic identification systems among their citizens to enable fully reliable identification. However, in today’s globalized environment, it is becoming more common for citizens and entities of a given country, with their own electronic credentials under the legal framework of their country, to seek access to the public services provided by other countries with different legal frameworks and credentials. At present, a number of projects in the European Union are attempting to solve the problem through the use of pan-European identity management systems that ensure interoperability between the public institutions of different Member States. However, the solutions adopted to date are inadequate, for they do not envision all possible cases of user interaction with institutions. Specifically, they fail to address a very important aspect provided in different national legal systems, namely delegation of identity, by which a citizen can authorize another to act on his or her behalf in accessing certain services provided by public institutions. This paper provides a thorough analysis of problems of delegation and proposes an architecture based on X.509 Proxy Certificates and SAML assertions to enable delegation in provision of services in the complex and heterogeneous environment presented by the public institutions of the European Union as a whole

PKI Scalability Issues

This report surveys different PKI technologies such as PKIX and SPKI and the issues of PKI that affect scalability. Much focus is spent on certificate revocation methodologies and status verification systems such as CRLs, Delta-CRLs, CRS, Certificate Revocation Trees, Windowed Certificate Revocation, OCSP, SCVP and DVCS.Comment: 23 pages, 2 figure

Secure Dynamic Cloud-based Collaboration with Hierarchical Access

In recent years, the Cloud has emerged as an attractive way of hosting and delivering services over the Internet. This has resulted in a renewed focus on information security in the case where data is stored in the virtual space of the cloud and is not physically accessible to the customer. Through this thesis the boundaries of securing data in a cloud context, while retaining the benefits of the cloud, are explored. The thesis addresses the increasing security concerns of migrating to the cloud andutilising it for data storage.The research of this thesis is divided into three separate areas: securing data in an untrusted cloud environment, ensuring data access control in the cloud, and securing data outside the cloud in the user's environment. Each area is addressed by separate conceptual designs. Together these comprise a secure dynamic cloud-based collaboration environment with hierarchical access. To further validate the conceptual designs, proof of concept prototypes have been constructed.The conceptual designs have been devised by exploring and extending the boundaries of existing secure data-storage schemes, and then combining these with well-known security principles and cutting-edge research within the field of cryptography. The results of this thesis are feasible conceptual designs for a cloud-based dynamic collaboration environment. The conceptual designs address the challenges of secure cloud-based storage and allow the benefits of cloud-based storage to be utilised. Furthermore, this thesis provides a solid foundation for further work within this field