177 research outputs found

    Study of the concept of trust for public key infrastructures

    Public key infrastructures (PKIs) are today a major element in building secure spaces in digital environments. A PKI relies on a trust model composed of three entities, namely certification authorities (CAs), certificate holders and relying parties (RPs). Historically, this trust model was designed for cases where certificate holders and RPs have direct relationships with the CAs (for example, all of them belong to the same company). Today on the Internet, RPs have no direct relationship with the CAs. This new situation therefore requires a more precise definition of the notion of trust between CAs and RPs. We show that evaluating trust according to this definition requires legal and technical expertise. We therefore propose to modify the three-entity trust model by adding the role of the technical and legal expert who helps RPs make decisions about certificates

    Student culture: issues and questions

    When the school, teachers and, beyond them, education researchers perceive or question the social and cultural characteristics of pupils, they associate them with the social classes from which those pupils come, and it is then the children of working-class backgrounds who attract attention because they constitute the "new publics" who entered secondary education en masse after the major reforms of the Fifth Republic. But it also happens that one attaches ..

    G-Cloud on Openstack: Addressing access control and regulation requirements

    It is well known that e-Government applications bring several benefits to citizens in terms of efficiency, accessibility and transparency. Today, most governments tend to offer cloud-computing-based e-services to their citizens. A key component of these services is access control management. In this paper, we present our research work on building an access control system for the Djiboutian e-Government project, which is built using the Openstack framework. Specifically, we demonstrate the limitations of the access control system integrated in Openstack with respect to the Djiboutian e-Government access control requirements and compliance with the related regulation. We therefore propose to extend the existing access control system of Openstack by integrating the features of XACML V3 into the Openstack framework.

    Difficulties to enforce your privacy preferences on Android? Kapuer will help you

    Smartphones and mobile computing have changed our world and we are now over-connected. Millions of applications are available to help us in every way possible. However, applications can collect data from users for different purposes. Much private data is used to profile users. How can privacy be controlled in this environment? We propose a system called Kapuer that improves the management of application permissions on Android by combining access control and decision support. We present in this article the Android implementation of Kapuer.

    A Requirements Engineering-based Approach for evaluating Security Requirements Engineering Methodologies

    The significance of security requirements in building safety- and security-critical systems is widely acknowledged. However, given the multitude of security requirements engineering methodologies that exist today, selecting the most suitable methodology remains challenging. In a previous work, we proposed a generic evaluation methodology to elicit and evaluate the anticipated characteristics of a security requirements engineering methodology with regard to the stakeholders' working context. In this article, we provide the empirical evaluation of three security requirements engineering methodologies, KAOS, STS and SEPP, with respect to the evaluation criteria elicited for the network SRE context. The study shows that none of them provides good support for deriving network security requirements.

    Social inclusion. The stakes of culture and education.

    International audienc

    Toward Authorization as a Service: A Study of the XACML Standard

    Cloud computing has promoted the notion of service as the leading way to deliver and consume computing resources. Today, security is going down that road and the term security as a service is emerging. Authorization, which consists of managing permissions, is one of the main classic security services. We propose in this article to study how authorization could be delivered and consumed as a service. We focus on the XACML standard, which has been adopted by the cloud security community because of its native flexibility and adaptability properties. Although XACML seems to fulfill the requirements of authorization as a service in theory, it is very complex to realize in practice. We propose a service-oriented component architecture together with the concept of a self-contained policy to cope with this issue. This approach allows cloud consumers to adapt the authorization system to their authorization policies and cloud providers to minimize the cost of providing a flexible authorization service.

    Authorization management: models and architectures

    National audience. Access control is of major importance in today's information systems, which are open, multi-domain and multi-supplier. We address architectural and modelling issues of authorization systems, allowing a clear separation of concerns between the requirements of the services to deploy and access control management, including the assurance of the identities of the subjects willing to access a given resource in a given environment. From AAA solutions to the de facto XACML standard, the policy-based management model has been improved, bringing a real and consistent approach to overcome the issues related to the interoperability of open identity and access management systems. Authorization management encompasses the problem of identity and access management (Identity & Access Management - IAM), which is today considered an application in its own right. Between compliance with regulatory obligations and optimization of rights administration, IAM projects strengthen the overall level of security on both the functional (human resources) and technical fronts. The multiplicity of business applications, each requiring its own access control and its own rights administration, has driven the demand for a global view and the emergence of well-identified accreditation management processes [1]. The clear separation of concerns and of responsibility issues has led to the adoption of an organizational model featuring different entities: service provider (SP), identity provider (IdP), requester, and identity management platform

    An adaptive XACMLv3 policy enforcement point

    International audience. Policies are rules that govern the choices in behavior of a system. Policy-based management aims at supporting dynamic adaptability of behavior by changing policy without recoding or stopping the system. The commonly accepted architecture of such systems includes two main management agents: the Policy Decision Point (PDP), which analyses requests and sets decisions based on a policy, and the Policy Enforcement Point (PEP), which enforces the PDP's decision. Modern access control policies include more and more obligations. As a consequence, PEPs must adapt dynamically to enforce them. We propose in this article a dynamically adaptable PEP compliant with the XACMLv3 standard.

    Specification and Enforcement of Dynamic Authorization Policies oriented by Situations

    International audience. Nowadays, access to communication networks and systems faces a multitude of applications with large-scale requirements. Mobility, roaming services in particular, during urgent situations exacerbates the access control issues. Dynamic authorization is then required. However, traditional access control fails to ensure that policies are dynamic. Instead, we propose to externalize the management of the dynamic behavior of networks and systems through situations. Situations modularize the policy into groups of rules and orient decisions. Our solution limits policy updates and hence authorization inconsistencies. The authorization system is built upon the XACML architecture coupled with a complex event-processing engine to handle the concept of situations. Situation-oriented attribute-based policies are defined statically, allowing static verification and validation.