Abstract
Model-based risk analysis methods use graphical models to facilitate participation, risk communication and documentation and thereby improve the risk analysis process. Currently, risk analysis methods for identity management systems (IDMSs) mainly rely on time consuming and expensive manual inspections and lack graphical models. This article introduces the executable model-based risk analysis method (EM-BRAM) with the aim of addressing these challenges. The EM-BRAM employs graphical models to enhance risk analysis in IDMSs. It identifies risk contributing factors for IDMSs and uses them as inputs to a colored petri nets (CPNs) model of a targeted IDMS. It then verifies the system’s risk using CPNs’ state space analysis and queries.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Audun, J., Simon, P.: User centric identity management. In: AusCERT Conference (2005)
Lund, M.S., Bjørnar Solhaug, K.S.: Model-Driven Risk Analysis, The CORAS Approach, 1st edn. Springer (2011) 978-3-642-12322-1
Cabarcos, P.: Risk assessment for better identity management in pervasive environments. In: 2011 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops), pp. 389–390 (2011)
Kurt, J., Lars, K.M.: Colored Petri Nets: Modelling and Validation of Concurrent Systems: Modeling and Validation of Concurrent Systems. Springer, Heidelberg (2009) ISBN:978-3-642-00283-0
Gajek, S., Schwenk, J., Steiner, M., Xuan, C.: Risks of the cardspace protocol. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 278–293. Springer, Heidelberg (2009)
Gross, T.: Security analysis of the saml single sign-on browser/artifact profile. In: Proceedings of the 19th Annual Computer Security Applications Conference, pp. 298–307 (2003)
Suriadi, S., Foo, E., Jøsang, A.: A user-centric federated single sign-on system. J. Netw. Comput. Appl. 32, 388–401 (2009)
Paintsil, E.: Evaluation of privacy and security risks analysis construct for identity management systems. IEEE Systems Journal PP(99), 1 (2012)
Paintsil, E.: A model for privacy and security risks analysis. In: 2012 5th International Conference New Technologies, Mobility and Security (NTMS), pp. 1–8 (2012)
Naumann, I., Hogben, G.: Privacy features of european eid card specifications. Technical Report 1.0.1, ENISA (2009)
WP3: D3.1: Structured overview on prototypes and concepts of identity management systems. Deliverable 1.1, Future of Identity in the Information Society (2005)
Maler, E., Reed, D.: The venn of identity: Options and issues in federated identity management. IEEE Security and Privacy 6, 16–23 (2008)
NIST: Electronic authentication guideline. Technical Report 1.0.2, NIST Special Publication 800-63 (2006)
Ratha, N.K., Connell, J.H., Bolle, R.M.: Enhancing security and privacy in biometrics-based authentication systems. IBM Systems Journal 40(3), 614–634 (2001)
Mac Gregor, W., Dutcher, W., Khan, J.: An Ontology of Identity Credentials - Part 1: Background and Formulation. Technical report, National Institute of Standard and Technology, Gaitersburg, MD, USA (2006)
Google: SAML Single Sign-On Service for Google Apps (2012), https://developers.google.com/google-apps/sso/saml_reference_implementation
Armando, A., Carbone, R., et al.: Formal analysis of saml 2.0 web browser single sign-on: breaking the saml-based single sign-on for google apps. In: Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering, FMSE 2008, pp. 1–10. ACM, New York (2008)
Gerber, M., von Solms, R.: From risk analysis to security requirements. Computers and Security 20(7), 577–584 (2001)
Yamada, et al.: Information security incident survey report. Technical report, NPO Japan Network Security Association, JNSA (2006)
Kurt Jensen, S.C., Kristensen, L.M.: Cpn tools state space manual. Technical report, University of Aarhus (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Paintsil, E., Fritsch, L. (2013). Executable Model-Based Risk Analysis Method for Identity Management Systems: Using Hierarchical Colored Petri Nets. In: Furnell, S., Lambrinoudakis, C., Lopez, J. (eds) Trust, Privacy, and Security in Digital Business. TrustBus 2013. Lecture Notes in Computer Science, vol 8058. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40343-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-40343-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40342-2
Online ISBN: 978-3-642-40343-9
eBook Packages: Computer ScienceComputer Science (R0)