Skip to main content
SpringerLink
Log in

ProProtect3: An Approach for Protecting User Profile Data from Disclosure, Tampering, and Improper Use in the Context of WebID

  • Chapter
  • First Online:
Transactions on Large-Scale Data- and Knowledge-Centered Systems XIX

Part of the book series: Lecture Notes in Computer Science ((TLDKS,volume 8990))

Abstract

WebID is a new identification approach of the W3C. It enables managing profile data associated to persons and services at self-defined places in the cloud. By relying on RDF vocabularies like FOAF for describing user profile data, WebID contributes to the Semantic Web vision. While access to user profiles can be controlled with existing security mechanisms, they are not designed to protect sensitive data within user profiles from unwanted retrieval, malicious manipulation, and improper use. This article analyzes the risks that affect the knowledge stored in WebID-based user profiles. It therefore describes potential attack scenarios and outlines the challenges a solution must deal with. To tackle the problem of insufficient protection, we propose ProProtect3. This approach enables identity owners (1) to create customized filters for sensitive data, (2) to verify the profile data integrity, and (3) to restrict the rights of delegatees. For evaluating the ProProtect3 approach, we integrate it into a WebID identity provider.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The sequence diagram is based on the WebID authentication sequence (cf. [34]).

  2. 2.

    This common risk affects all unencrypted files hosted on third party operated servers.

  3. 3.

    N-Triples: A line-based syntax for RDF graphs, http://www.w3.org/TR/n-triples/.

  4. 4.

    Notation3 (N3): A readable RDF syntax, http://www.w3.org/TeamSubmission/n3/.

  5. 5.

    RDF/XML syntax specification, http://www.w3.org/TR/REC-rdf-syntax/.

  6. 6.

    Besides the identity owner’s private key, a hash is the basis of the digital signature.

  7. 7.

    Turtle Terse RDF Triple Language, http://www.w3.org/TeamSubmission/turtle/.

  8. 8.

    In contrast to whitelisting, blacklisting data is also supported by SPARQL CONSTRUCT queries via MINUS statements.

  9. 9.

    Lines 3 and 4 create the context needed to include city and country. Address data is described via the PIM ontology, http://www.w3.org/2000/10/swap/pim/contact#.

  10. 10.

    Since we used security methods considered as safe, it is unlikely to find a collision to the hash value in a WebID URI or to create a private key from a given public key.

  11. 11.

    Only Alice, as the primary delegator, can specify the person acting on her behalf.

  12. 12.

    https://developer.mozilla.org/en-US/docs/Mozilla/Persona/FAQ.

  13. 13.

    https://code.google.com/p/openinfocard/.

  14. 14.

    http://www.w3.org/ns/auth/acl.

References

  1. Akhawe, D., Li, F., He, W., et al.: Data-Confined HTML5 Applications. Technical Report, Electrical Engineering and Computer Sciences, UCB (2013)

    Google Scholar 

  2. Bai, G., Lei, J., Meng, G., et al.: AuthScan: Automatic extraction of web authentication protocols from implementations. In: Proceedings of 20th Annual Network & Distributed System Security Symposium (2013)

    Google Scholar 

  3. Bamberg, W., et al.: Persona - Protocol Overview (2013). https://developer.mozilla.org/en-US/docs/Mozilla/Persona/Protocol_Overview. Accessed 24 March 2014

  4. Barker, E., Barker, W., Burr, W., et al.: NIST Special Publication 800–57: Recommendation for Key Management - Part 1: General (Revision 3). Technical Report, National Institute of Standards and Technology (2012)

    Google Scholar 

  5. Bonneau, J., Anderson, J., Anderson, R., Stajano, F.: Eight friends are enough: Social graph approximation via public listings. In: Proceedings of the 2nd ACM EuroSys Workshop on Social Network Systems, pp. 13–18 (2009)

    Google Scholar 

  6. Brickley, D., Miller, L.: FOAF Vocabulary Specification 0.99 (2014). http://xmlns.com/foaf/spec/. Accessed 24 March 2014

  7. Carroll, J.J.: Signing RDF graphs. In: Fensel, D., Sycara, K., Mylopoulos, J. (eds.) ISWC 2003. LNCS, vol. 2870, pp. 369–384. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  8. Chudnovskyy, O., Wild, S., Gebhardt, H., Gaedke, M.: Data portability using Webcomposition/Data grid service. Int. J. Adv. Internet Technol. 4(3 and 4), 123–132 (2012)

    Google Scholar 

  9. Cooper, D.: Internet X.509 Public key infrastructure certificate and certificate revocation list (CRL) profile (2008). http://tools.ietf.org/html/rfc5280. Accessed 10 August 2013

  10. Dhamija, R., Dusseault, L.: The seven flaws of identity management: Usability and security challenges. IEEE Secur. Priv. 6(2), 24–29 (2008)

    Article  Google Scholar 

  11. Dierks, T.: The Transport Layer Security (TLS) Protocol Version 1.2 (2008). http://tools.ietf.org/html/rfc5246. Accessed 10 August 2013

  12. El Maliki, T., Seigneur, J.M.: A survey of user-centric identity management technologies. In: International Conference on Emerging Security Information, Systems, and Technologies. SecureWare 2007, pp. 12–17. IEEE (2007)

    Google Scholar 

  13. Ellison, C., Schneier, B.: Ten risks of PKI: What you’re not being told about public key infrastructure. Comput. Secur. 16(1), 1–7 (2000)

    Google Scholar 

  14. European Commission: ICT - Work Programme 2013. EC (2012)

    Google Scholar 

  15. Fitzpatrick, B., Recordon, D., Hardt, D., Hoyt, J.: OpenID Authentication 2.0 - Final (2007). http://openid.net/specs/openid-authentication-2_0.html. Accessed 10 August 2013

  16. Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM Press (2007)

    Google Scholar 

  17. Gellman, B., Poitras, L.: U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program. The Washington Post, 6 June 2013

    Google Scholar 

  18. Hackett, M., Hawkey, K.: Security, privacy and usability requirements for federated identity. In: Workshop on Web 2.0 Security & Privacy (2012)

    Google Scholar 

  19. Hardt, D.: The OAuth 2.0 Authorization Framework (2012). http://tools.ietf.org/html/rfc6749. Accessed 24 March 2014

  20. Hardt, D., Bufu, J., Hoyt, J.: OpenID Attribute Exchange 1.0 - Final (2007). http://openid.net/specs/openid-attribute-exchange-1_0.html. Accessed 24 March 2014

  21. Harris, S., Seaborne, A.: SPARQL 1.1 Query Language (2013). http://www.w3.org/TR/sparql11-query/. Accessed 24 March 2014

  22. Heitmann, B., Kim, J.G., Passant, A., et al.: An architecture for privacy-enabled user profile portability on the Web of Data. In: Proceedings of the 1st International Workshop on Information Heterogeneity and Fusion in Recommender Systems, HetRec 2010, pp. 16–23. ACM (2010)

    Google Scholar 

  23. Hollenbach, J., et al.: Using RDF metadata to enable access control on the social semantic web. In: Proceedings of the Workshop on Collaborative Construction, Management and Linking of Structured Knowledge (2009)

    Google Scholar 

  24. Jøsang, A., Zomai, M.A., Suriadi, S.: Usability and privacy in identity management architectures. In: Proceedings of the Fifth Australasian Symposium on ACSW Frontiers, vol. 68, pp. 143–152. Australian Computer Society (2007)

    Google Scholar 

  25. Josefsson, S.: The Base16, Base32, and Base64 Data Encodings (2006). http://tools.ietf.org/html/rfc4648. Accessed 24 March 2014

  26. Kasten, A., Scherp, A.: Iterative signing of RDF(S) graphs, named graphs, and OWL graphs: Formalization and application. Arbeitsberichte aus dem Fachbereich Informatik 3, 3–28 (2013)

    Google Scholar 

  27. Maler, E., Reed, D.: The venn of identity: Options and issues in federated identity management. IEEE Secur. Priv. 6(2), 16–23 (2008)

    Article  Google Scholar 

  28. Manola, F., Miller, E.: RDF Primer (2004). http://www.w3.org/TR/rdf-primer/. Accessed 29 January 2014

  29. Pérez, J., Arenas, M., Gutierrez, C.: Semantics and complexity of SPARQL. ACM Trans. Database Syst. 34(3), 1–45 (2009)

    Article  Google Scholar 

  30. Rivest, R.L., et al.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    Article  MATH  MathSciNet  Google Scholar 

  31. Savitz, E., Medrano, R.: Welcome To The API Economy - Forbes (2012). http://www.forbes.com/sites/ciocentral/2012/08/29/welcome-to-the-api-economy/. Accessed 24 March 2014

  32. Sayers, C., Karp, A.H.: Computing the Digest of an RDF Graph. Mobile and Media Systems Laboratory, HP Laboratories, Palo Alto (2004)

    Google Scholar 

  33. Seaborne, A.: SPARQL 1.1 Property Paths (2010). http://www.w3.org/TR/sparql11-property-paths/. Accessed 24 March 2014

  34. Sporny, M., Inkster, T., Story, H., et al.: WebID 1.0: Web Identification and Discovery (2011). http://www.w3.org/2005/Incubator/webid/spec/. Accessed 10 Feb 2014

  35. The Nielsen Company: Social Media Report 2012 (2012). http://blog.nielsen.com/nielsenwire/social/2012/. Accessed 9 March 2014

  36. Tomaszuk, D., Gaedke, M., Gebhardt, H.: WebID+ACO: A distributed identification mechanism for social web. In: Proceedings of the Federated Social Web Europe (2011)

    Google Scholar 

  37. Toorani, M., Beheshti, A.: LPKI-a lightweight public key infrastructure for the mobile environments. In: 11th IEEE Singapore International Conference on Communication Systems, 2008, ICCS 2008, pp. 162–166. IEEE (2008)

    Google Scholar 

  38. Tramp, S., Frischmuth, P., Ermilov, T., Shekarpour, S., Auer, S.: An architecture of a distributed semantic social network. Semant. Web 5(1), 77–95 (2012)

    Google Scholar 

  39. Tramp, S., Story, H., Sambra, A., et al.: Extending the WebID protocol with access delegation. In: Proceedings of the Third International Workshop on Consuming Linked Data (COLD2012) (2012)

    Google Scholar 

  40. Tummarello, G., Morbidoni, C., Puliti, P., Piazza, F.: Signing individual fragments of an RDF graph. In: Special Interest Tracks and Posters of the 14th International Conference on WWW, pp. 1020–1021. ACM (2005)

    Google Scholar 

  41. Wild, S., Ast, M., Gaedke, M.: Towards a context-aware WebID certificate creation taking individual conditions and trust needs into account. In: Proceedings of the 15th International Conference on Information Integration and Web-based Applications & Services, pp. 532–541. ACM (2013a)

    Google Scholar 

  42. Wild, S., Chudnovskyy, O., Heil, S., Gaedke, M.: Customized views on profiles in webid-based distributed social networks. In: Daniel, F., Dolog, P., Li, Q. (eds.) ICWE 2013. LNCS, vol. 7977, pp. 498–501. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  43. Wild, S., Chudnovskyy, O., Heil, S., Gaedke, M.: Protecting user profile data in WebID-based social networks through fine-grained filtering. In: Sheng, Q.Z., Kjeldskov, J. (eds.) ICWE Workshops 2013. LNCS, vol. 8295, pp. 269–280. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  44. Wild, S., Gaedke, M.: WebComposition/EMS: A value-driven approach to evolution. In: Rossi, G., Iturrioz, J. (eds.) ICWE 2009 Doctoral Consortium, pp. 39–43. Onekin Research Group (2009)

    Google Scholar 

  45. Yeung, C.M.A., Liccardi, I., Lu, K., et al.: Decentralization: The future of online social networking. In: W3C Workshop on the Future of Social Networking Position Papers, vol. 2, pp. 2–7 (2009)

    Google Scholar 

Download references

Acknowledgment

Parts of this work were supported and funded by the European Commission (project OMELETTE, contract 257635).

The authors thank Markus Ast, Falko Braune, Dominik Pretzsch and Michel Rienäcker for their first experimental results on JavaScript-based WebID certificate creation and integrity protection, which have been partially used in this work.

Author information

Authors and Affiliations

  1. Technische Universität Chemnitz, Chemnitz, Germany

    Stefan Wild, Fabian Wiedemann, Sebastian Heil, Alexey Tschudnowsky & Martin Gaedke

Authors
  1. Stefan Wild
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fabian Wiedemann
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sebastian Heil
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Alexey Tschudnowsky
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Martin Gaedke
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Stefan Wild .

Editor information

Editors and Affiliations

  1. IRIT, Paul Sabatier University, Toulouse, France

    Abdelkader Hameurlain

  2. FAW, University of Linz, Linz, Austria

    Josef Küng

  3. FAW, University of Linz, Linz, Austria

    Roland Wagner

  4. University of Brescia, Brescia, Italy

    Devis Bianchini

  5. University of Brescia, Brescia, Italy

    Valeria De Antonellis

  6. University of Rome III, Rome, Italy

    Roberto De Virgilio

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Wild, S., Wiedemann, F., Heil, S., Tschudnowsky, A., Gaedke, M. (2015). ProProtect3: An Approach for Protecting User Profile Data from Disclosure, Tampering, and Improper Use in the Context of WebID. In: Hameurlain, A., Küng, J., Wagner, R., Bianchini, D., De Antonellis, V., De Virgilio, R. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XIX. Lecture Notes in Computer Science(), vol 8990. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-46562-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-46562-2_4

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-46561-5

  • Online ISBN: 978-3-662-46562-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation