
Publication


Featured research published by Christian Schläger.


international conference on electronic commerce | 2006

Attribute-Based authentication and authorisation infrastructures for e-commerce providers

Christian Schläger; Manuel Sojer; Björn Muschall; Günther Pernul

Authentication and authorisation has been a basic and necessary service for internet transactions. With the evolution of e-commerce, traditional mechanisms for data security and access control are becoming outdated. Several new standards have emerged which allow dynamic access control based on exchanging user attributes. Unfortunately, while providing highly secure and flexible access mechanisms is a very demanding task, it cannot be considered a core competency for most e-commerce corporations. Therefore, a need to outsource or at least share such services with other entities arises. Authentication and Authorisation Infrastructures (AAIs) can provide such integrated federations of security services. They could, in particular, provide attribute-based access control (ABAC) mechanisms and mediate customers’ demand for privacy and vendors’ needs for information. We propose an AAI reference model that includes ABAC functionality based on the XACML standard and lessons learned from various existing AAIs. AAIs analysed are AKENTI, CARDEA, CAS, GridShib, Liberty ID-FF, Microsoft .NET Passport, PAPI, PERMIS, Shibboleth and VOMS.


database and expert systems applications | 2004

A search engine for RDF metadata

Torsten Priebe; Christian Schläger; Günther Pernul

This paper presents a search engine for RDF metadata. Existing search facilities in this environment only support exact queries. We argue that a fuzzy approach as known from classic (full-text) Information Retrieval, providing fuzzy result sets ranked by relevance, is also desirable for metadata-based searches. Consequently, we develop an information retrieval model based on the similarity of RDF descriptions. The role of an ontology and implicit information that can be inferred from it will be discussed and the implementation within a knowledge portal prototype will be presented.


availability, reliability and security | 2006

A reference model for Authentication and Authorisation Infrastructures respecting privacy and flexibility in b2c eCommerce

Christian Schläger; Thomas Nowey; Jose A. Montenegro

Authentication and Authorisation Infrastructures (AAIs) are gaining momentum throughout the Internet. Solutions have been proposed for various scenarios among them academia, grid computing, company networks, and above all eCommerce applications. Products and concepts vary in architecture, security features, target group, and usability containing different strengths and weaknesses. In addition security needs have changed in communication and business processes. Security on the Internet is no longer defined as only security measures for an eCommerce provider against an untrustworthy customer but also vice versa. Consequently, privacy, data canniness, and security are demands in this area. The authors define criteria for an eCommerce provider federation using an AAI with a maximum of privacy and flexibility. The criteria is derived concentrating on b2c eCommerce applications fulfilling the demands. In addition to best practices found, XACML policies and an attribute infrastructure are deployed. Among the evaluated AAIs are Shibboleth, Microsoft Passport, the Liberty Alliance Framework, and PERMIS.


database and expert systems applications | 2007

Patterns for Authentication and Authorisation Infrastructures

Roland Erber; Christian Schläger; Günther Pernul

In line with the growing success of e-commerce demands for an open infrastructure providing security services are growing stronger. Authentication and authorisation infrastructures (AAIs) enhanced with an attribute-based access control model (ABAC) offer such services to service federations and customers. As AAIs are a security enhancing technology, design and implementation must comply with extremely high quality standards. Failures and vulnerabilities in the provided basic security services exponentially affect the service providing processes. Various AAI concepts, frameworks, and products have been developed in the past. Building on these experiences, we define a pattern system for AAIs. It will ensure interoperability and quality of future AAI solutions. The derived pattern system consists of security patterns already published and in use, as well as on open standards like SAML and XACML and related patterns. It can be directly used in the software development cycle, as proposed by different methodologies.


availability, reliability and security | 2007

Effects of Architectural Decisions in Authentication and Authorisation Infrastructures

Christian Schläger; Monika Ganslmayer

AAIs - infrastructures for authentication and authorisation provide services for service providers on the Internet. Especially if combined with an attribute infrastructure these AAIs can offer additional functionalities like a single sign-on, enhanced privacy, strengthened trust and security, or improved usability. In respect to security and privacy, the AAI acts as a mediator within the client service provider relationship, or, more likely, the client federation relation. Since an AAI is a loosely coupled combination of services architectural decisions influence its effects on privacy and security focusing either on customer demands or service provider requirements. This work shows how architecture and allocation decisions alone can shape the security and privacy contribution of AAIs leading to different levels of contentment for the user groups.


trust and privacy in digital business | 2006

Towards a risk management perspective on AAIs

Christian Schläger; Thomas Nowey

Authentication and Authorisation Infrastructures (AAIs) support service providers on the internet to outsource security services. Motivations for their usage stem from software engineering and economics. For the latter an assessment of inherent risks is needed. In this work the authors deduct an appropriate, formalistic risk assessment method for AAIs and analyse outsourceable security services in comparison to traditional – non AAI involved – service providing. To achieve the assessment of risks various methods for risk management have been analysed and finally a suitable qualitative method has been chosen. As AAIs differ in their potential to cover security services, combinations of these services are compared. The given risk assessment method enables providers to decide on a special infrastructure for their purpose and lets users of AAIs determine if given advantages surpass the immanent risks. This work also enables service providers to estimate costs for such an infrastructure and calculate potential savings.


availability, reliability and security | 2008

Intensive Programme on Information and Communication Security

Christian Schläger; Ludwig Fuchs; Günther Pernul

IT Security is a problem that can only be addressed and taught holistically. Just as broad as the field of ICT itself, IT Security is an integral part of all network and software applications. Security must be guaranteed throughout services. Too often, a single university or department cannot offer the complete range of IT Security subjects to their students or provide the up-to-date information and knowledge needed. Consequently, the demand of keeping up with hackers, threats, and risks is hardly met. Our proposal is a combination of the know-how of multiple institutions, aligned in an Intensive Programme for Master- and PhD Students of Computer Science, Information Systems, and Business Informatics. The proposed Intensive Programme on Information and Communication Security (IPICS) uses e-learning and traditional learning methods to form a blended learning course. Using the synergies of 19 contracted European Universities and their IT Security experts, IPICS will deliver momentum for IT Security education and training to those who take part and furthermore through their networks.


Journal of Software | 2007

Supporting Attribute-based Access Control in Authorization and Authentication Infrastructures with Ontologies

Torsten Priebe; Wolfgang Dobmeier; Christian Schläger; Nora Kamprath


european conference on information systems | 2006

The CIO – hype, science and reality

Manuel Sojer; Christian Schläger; Christian Locher


bled econference | 2007

Enabling Attribute-based Access Control in Authentication and Authorisation Infrastructures

Christian Schläger; Torsten Priebe; Manuel Liewald; Günther Pernul

Collaboration


Top Co-Authors


Manuel Sojer

University of Regensburg


Thomas Nowey

University of Regensburg


Torsten Priebe

University of Regensburg


Ludwig Fuchs

University of Regensburg


Nora Kamprath

University of Regensburg


Roland Erber

University of Regensburg
