Abdelmalek Benzekri

An Adaptive XACMLv3 Policy Enforcement Point

Policies are rules that govern the choices in behavior of a system. Policy based management aims at supporting dynamic adaptability of behavior by changing policy without recoding or stopping the system. The common accepted architecture of such systems includes two main management agents: the Policy Decision Point that analyses requests and set decisions based on a policy and the Policy Enforcement Point (PEP) that enforces the PDPs decision. Modern access control policies include more and more obligations. As a consequence, PEPs must adapt dynamically to enforce them. We propose in this article a dynamically adaptable PEP compliant with XACMLv3 standard.

PEP = Point to Enhance Particularly

Policies are rules that govern the choices in behaviour of a system. Policy based management aims at supporting dynamic adaptability of behaviour by changing policy without receding or stopping the system. The common accepted architecture of such systems includes two main management agents: the policy decision point that analyses requests and set decisions based on a policy and the policy enforcement point that enforces the PDP s decision. While many works deal with PDP implementations, PEP is considered to be only an interface between applications to be managed and the PDP. PEPs are usually specific to an application and a context of use. As a consequence, they cannot be re-used for new applications and they are implemented from scratch each time. In this article, we present a modular architecture to implement reusable PEPs for policy based authorization systems.

Validating X.509 Certificates Based on their Quality

The growing number of PKIs (Public Key Infrastructure) and the increasing number of situations where partners of a transaction may carry certificates signed by different CAs (Certification Authority) point out the problematic of trust between the different CAs. The degree to which a relying party can trust a CA depends upon the quality of its announced policy and its commitment to this policy. In this paper, we present an approach that helps a relying party to assess the quality of a certificate that is related to the quality of CA policy and its commitment to it.

Inter-domains policy negotiation

While the Internet offers a favorable interconnection medium, security issues are still crucial to its development. One major problem that limits the increased use of security protocols is the sharing related issues. We propose a solution, as part of a complete architecture, to enable geographically separated administrators to agree on a common dynamic security policy.

Specification and Enforcement of Dynamic Authorization Policies Oriented by Situations

Nowadays, accessing communication networks and systems faces multitude applications with large-scale requirements dimensions. Mobility -roaming services in particular- during urgent situations exacerbate the access control issues. Dynamic authorization then is required. However, traditional access control fails to ensure policies to be dynamic. Instead, we propose to externalize the dynamic behavior management of networks and systems through situations. Situations modularize the policy into groups of rules and orient decisions. Our solution limits policy updates and hence authorization inconsistencies. The authorization system is built upon the XACML architecture coupled with a complex event- processing engine to handle the concept of situations. Situation- oriented attribute based policies are defined statically allowing static verification and validation.

A secure collaborative web-based environment for virtual organisations

The concept of the Virtual Organisation (VO) is a natural outcome of network evolution and the growth of collaborative work tools. In the projects Value Improvement thought a Virtual Aeronautical Collaborative Enterprise (VIVACE) and Transglobal Secure Collaboration Program (TSCP), we studied the different issues when setting VOs up. In this paper, we expose the requirements and characteristics of VOs through a use case where the partners produce a technical aeronautic specification, which was proposed by those consortiums. Then, we present a secured collaborative environment that we have deployed to deal with VO security constraints. It combines attribute-based access control models, privileges management infrastructure and identity federation to make VOs more dynamic.

Which Web Browsers Process SSL Certificates in a Standardized Way

SSL is the primary technology used to secure web communications. Before setting up an SSL connection, web browsers have to validate the SSL certificate of the web server in order to ensure that users access the expected web site. We have tested the handling of the main fields in SSL certificates and found that web browsers do not process them in a homogenous way. An SSL certificate can be accepted by some web browsers whereas a message reporting an error can be delivered to users by other web browsers for the same certifi- cate. This diversity of behavior might cause users to believe that SSL certifi- cates are unreliable or error prone, which might lead them to consider that SSL certificates are useless. In this paper, we highlight these different behaviors and we explain the reasons for them which can be either a violation of the standards or ambiguity in the standards themselves. We give our opinion of which it is in our analysis.

A secure collaborative web based environment for virtual organizations

The concept of Virtual Organization (VO) is a natural outcome of networks evolution and collaborative work tools growth. In the projects VIVACE and TSCP, we have studied the different issues when setting VOs up. In this paper, we expose requirements and characteristics of VOs through a use case, which was proposed by these consortiums. Then, we present a secured collaborative environment, which combines attribute based access control models, privileges management infrastructure and federation of identity, we have deployed to deal with VO security constraints.

G-Cloud on Openstack: Adressing access control and regulation requirements

It is well known that e-Government applications bring several benefits to citizens in terms of efficiency, accessibility and transparency. Today, most of governments tend to propose cloud computing based e-services to their citizens. A key component in these services is the access control management issue. In this paper, we present our research works for building an access control system for the Djiboutian e-Government project that is built using Openstack framework. Specifically, we demonstrate the limitation of the integrated access control system in Openstack for the Djiboutian e-Government access control requirements and for the compliance to the related regulation. Thus, we propose to extend the existing access control system of Openstack by integrating the features of the XACML V3 to the Openstack framework.

An Extensible XACML Authorization Web Service: Application to Dynamic Web Sites Access Control

Attribute Based Access Control can define permissions based on just about any security relevant characteristics of requestors, actions, resources, and environment, known as attributes. XACML is an access control OASIS standard compliant to this approach. Although XACML seems to allow the specification and enforcement of any access control policy, current tools can require modifying the source code of the authorization decision system when policy includes non-standard information. In this article, we present an XACML authorization web service that can be extended when needed. It is composed of a core element implementing OASIS standard and additional modules for new security information. We apply this approach to dynamic web sites access control management.