| Federated login to TeraGrid | | 1-11 | |
| Jim Basney; Terry Fleury; Von Welch | |||
| We present a new federated login capability for the TeraGrid, currently the
world's largest and most comprehensive distributed cyberinfrastructure for open
scientific research. Federated login enables TeraGrid users to authenticate
using their home organization credentials for secure access to TeraGrid high
performance computers, data resources, and high-end experimental facilities.
Our novel system design links TeraGrid identities with campus identities and
bridges from SAML to PKI credentials to meet the requirements of the TeraGrid
environment.
Keywords: GridShib, MyProxy, PKI, SAML, Shibboleth, TeraGrid, grid computing, identity federation | |||
| CardSpace-liberty integration for CardSpace users | | 12-25 | |
| Haitham S. Al-Sinani; Waleed A. Alrodhan; Chris J. Mitchell | |||
| Whilst the growing number of identity management systems have the potential
to reduce the threat of identity attacks, major deployment problems remain
because of the lack of interoperability between such systems. In this paper we
propose a novel scheme to provide interoperability between two of the most
widely discussed identity management systems, namely Microsoft CardSpace and
Liberty. In this scheme, CardSpace users are able to obtain an assertion token
from a Liberty-enabled identity provider that will satisfy the security
requirements of a CardSpace-enabled relying party. We specify the operation of
the integration scheme and also describe an implementation of a
proof-of-concept prototype. Additionally, security and operational analyses are
provided.
Keywords: CardSpace, Liberty Alliance project, SAML, browser extension, identity management, interoperability | |||
| An identity provider to manage reliable digital identities for SOA and the web | | 26-36 | |
| Ivonne Thomas; Christoph Meinel | |||
| In this paper, we describe the implementation of our identity provider,
based on open web service standards, which has been extended to distinguish
between different qualities of identity attributes, therefore enabling a
relying party to distinguish between verified and unverified digital
identities.
Our contribution is the definition and representation of identity meta information for identity attributes on the identity provider side and the conveyance of this information as Identity Attribute Context Classes to a relying party. As a main result, we propose a format and semantics to include identity attribute meta information in security tokens which are sent from the identity provider to a relying party in addition to the attribute value itself.
Keywords: SOA security, attribute management, identity management, identity provider | |||
| An attribute-based authorization policy framework with dynamic conflict resolution | | 37-50 | |
| Apurva Mohan; Douglas M. Blough | |||
| Policy-based authorization systems are becoming more common as information
systems become larger and more complex. In these systems, to authorize a
requester to access a particular resource, the authorization system must verify
that the policy authorizes the access. The overall authorization policy may
consist of a number of policy groups, where each group consists of policies
defined by different entities. Each policy contains a number of authorization
rules. The access request is evaluated against these policies, which may
produce conflicting authorization decisions. To resolve these conflicts and to
reach a unique decision for the access request at the rule and policy level,
rule and policy combination algorithms are used. In the current systems, these
rule and policy combination algorithms are defined on a static basis during
policy composition, which is not desirable in dynamic systems with fast
changing environments.
In this paper, we motivate the need for changing the rule and policy combination algorithms dynamically based on contextual information. We propose a framework that supports this functionality and also eliminates the need to recompose policies if the owner decides to change the combination algorithm. It provides a novel method to dynamically add and remove specialized policies, while retaining the clarity and modularity in the policies. The proposed framework also provides a mechanism to reduce the set of potential target matches, thereby increasing the efficiency of the evaluation mechanism. We developed a prototype system to demonstrate the usefulness of this framework by extending some basic capabilities of the XACML policy language. We implemented these enhancements by adding two specialized modules and several new combination algorithms to the Sun XACML engine.
Keywords: attribute-based authorization, authorization policy, conflict resolution | |||
| Computational techniques for increasing PKI policy comprehension by human analysts | | 51-62 | |
| Gabriel A. Weaver; Scott Rea; Sean W. Smith | |||
| Natural-language policies found in X.509 PKI describe an organization's
stated policy as a set of requirements for trust. The widespread use of X.509
underscores the importance of understanding these requirements. Although many
review processes are defined in terms of the semantic structure of these
policies, human analysts are confined to working with page-oriented PDF texts.
Our research accelerates PKI operations by enabling machines to translate
between policy page numbers and policy reference structure. Adapting
technologies supporting the analysis of Classical texts, we introduce two new
tools. Our Vertical Variance Reporter helps analysts efficiently compare the
reference structure of two policies. Our Citation-Aware HTML enables machines
to process human-readable displays of policies in terms of this reference
structure. We evaluate these contributions in terms of real-world feedback and
observations from organizations that audit or accredit policies.
Keywords: PKI, XML, certificate policy formalization | |||
| Efficient and privacy-preserving enforcement of attribute-based access control | | 63-68 | |
| Ning Shang; Federica Paci; Elisa Bertino | |||
| Modern access control models, developed for protecting data from accesses
across the Internet, require verifying the identity of users in order to make
sure that users have the required permissions for accessing the data. A user's
identity consists of data, referred to as identity attributes, that encode
security-relevant properties of the users. Because identity attributes often
convey sensitive information about users, they have to be protected. The
Oblivious Commitment-Based Envelope (OCBE) protocols address the protection
requirements of both users and service providers. The OCBE protocols make it
possible for a party, referred to as the sender, to send an encrypted message to a
receiver such that the receiver can open the message if and only if its
committed value satisfies a predicate and that the sender does not learn
anything about the receiver's committed value. The possible predicates are
comparison predicates =, ≠, >, <, ≤, ≥. In this paper, we
present an extension that improves the efficiency of the EQ-OCBE protocol, that is,
the OCBE protocol for equality predicates. Our extension allows a party to
decrypt data sent by a service provider if and only if the party satisfies all
the equality conditions in the access control policy.
Keywords: Agg-EQ-OCBE, identity, privacy | |||
| Privacy-preserving DRM | | 69-83 | |
| Radia Perlman; Charlie Kaufman; Ray Perlner | |||
| This paper describes and contrasts two families of schemes that enable a
user to purchase digital content without revealing to anyone what item he has
purchased. One of the basic schemes is based on anonymous cash, and the other
on blind decryption. In addition to the basic schemes, we present and compare
enhancements to the schemes for supporting additional features such as variable
costs, enforcement of access restrictions (such as "over age 21"), and the
ability of a user to monitor and prevent covert privacy-leaking between a
content-provider-provided box and the content provider. As we will show, the
different variants have different properties in terms of amount of privacy
leaking, efficiency, and ability for the content provider to prevent sharing of
encryption keys or authorization credentials.
Keywords: DRM, algorithms, blindable parameterizable public key, privacy, protocols | |||
| Biometrics-based identifiers for digital identity management | | 84-96 | |
| Abhilasha Bhargav-Spantzel; Anna Squicciarini; Elisa Bertino; Xiangwei Kong; Weike Zhang | |||
| We present algorithms to reliably generate biometric identifiers from a
user's biometric image which in turn is used for identity verification possibly
in conjunction with cryptographic keys. The biometric identifier generation
algorithms employ image hashing functions using singular value decomposition
and support vector classification techniques. Our algorithms capture generic
biometric features that ensure unique and repeatable biometric identifiers. We
provide an empirical evaluation of our techniques using 2569 images of 488
different individuals for three types of biometric images; namely fingerprint,
iris and face. Based on the biometric type and the classification models, as a
result of the empirical evaluation we can generate biometric identifiers
ranging from 64 bits up to 214 bits. We provide an example use of the biometric
identifiers in privacy preserving multi-factor identity verification based on
zero knowledge proofs. Therefore several identity verification factors,
including various traditional identity attributes, can be used in conjunction
with one or more biometrics of the individual to provide strong identity
verification. We also ensure security and privacy of the biometric data. More
specifically, we analyze several attack scenarios. We assure privacy of the
biometric using the one-way hashing property, in that no information about the
original biometric image is revealed from the biometric identifier.
Keywords: biometrics, cryptography, identity, multi-factor authentication, privacy, security | |||
| Practical and secure trust anchor management and usage | | 97-107 | |
| Carl Wallace; Geoff Beier | |||
| Public Key Infrastructure (PKI) security depends upon secure management and
usage of trust anchors. Unfortunately, widely used mechanisms, management
models and usage practices related to trust anchors undermine security and
impede flexibility. In this paper, we identify problems with existing
mechanisms, discuss emerging standards and describe a solution that integrates
with some widely used applications.
Keywords: public key infrastructure (PKI), trust anchor management | |||
| A proposal for collaborative internet-scale trust infrastructures deployment: the public key system (PKS) | | 108-116 | |
| Massimiliano Pala | |||
| Public Key technology is about multiple parties across different domains
making assertions that can be chained together to make trust judgments. Today,
the need for more interoperable and usable trust infrastructures is urgent in
order to fulfill the security needs of computer and mobile devices. Developing,
deploying, and maintaining information technology that provides effective and
usable solutions has yet to be achieved. In this paper, we propose a new
framework for a distributed support system for trust infrastructure deployment:
the Public Key System (PKS). We describe the general architecture based on
Distributed Hash Tables (DHTs), how it simplifies the deployment and usability
of federated identities, and how existing infrastructures can be integrated
into our system. This paper lays down the basis for the deployment of
collaborative Internet-scale trust infrastructures.
Keywords: PKI, distributed systems, federated identities, peer-to-peer | |||