Abstract
Service-oriented architectures (SOAs) are increasingly gaining popularity due to their considerable flexibility and scalability in open IT-environments. Along with their rising acceptance comes the need for well suited security components. In this respect, access control and privacy emerged to crucial factors.
Targeting the demands of a SOA, many promising authorization models have been developed, most notably the attribute-based access control (ABAC) model. In this paper we take up concepts from the OASIS XACML and WS-XACML specifications and introduce a dynamic ABAC system that incorporates privacy preferences of the service requestor in the access control process. Separating the Policy Decision Point from the service provider’s premises, our infrastructure enables the deployment of alternative PDPs the service requestor can choose from. We employ a PKI to reflect the sufficient trust relation between the service provider and a potential PDP. Our work is carried out within the European research project Access-eGov that aims at a European-wide e-Government service platform.
Keywords
- Service Provider
- Access Control
- Policy Language
- Service Requestor
- Access Policy
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Chapter PDF
References
MacKenzie, C.M., Laskey, K., McCabe, F., Brown, P.F., Metz, R.: Reference Model for Service Oriented Architecture 1.0. OASIS Standard (October 2006)
Yuan, E., Tong, J.: Attributed Based Access Control (ABAC) for Web Services. In: Proc. of the IEEE International Conference on Web Services (ICWS 2005), Washington, DC, United States, pp. 561–569. IEEE Computer Society Press, Los Alamitos (2005)
Moses, T.: eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard (February 2005)
Anderson, A.: Web Services Profile of XACML (WS-XACML) Version 1.0. OASIS Working Draft, vol. 8 (December 2006)
Earp, J., Baumer, D.: Innovative Web Use to Learn About Consumer Behavior and Online Privacy. Communications of the ACM 46(4), 81–83 (2003)
Lopez, J., Oppliger, R., Pernul, G.: Authentication and Authorization Infrastructures (AAIs): A Comparative Survey. Computers & Security 23(7), 578–590 (2004)
Priebe, T., Dobmeier, W., Muschall, B., Pernul, G.: ABAC - Ein Referenzmodell für attributbasierte Zugriffskontrolle. In: Proc. of the 2nd Jahrestagung Fachbereich Sicherheit der Gesellschaft für Informatik (Sicherheit 2005), Regensburg, Germany, pp. 285–296 (2005)
Priebe, T., Dobmeier, W., Kamprath, N.: Supporting Attribute-based Access Control with Ontologies. In: Proc. of the 1st International Conference on Availability, Reliability and Security (ARES 2006), Washington, DC, United States, pp. 465–472. IEEE Computer Society Press, Los Alamitos (2006)
Nadalin, A., et al.: Web Services Security: SOAP Message Security 1.1. OASIS Standard Specification (2006)
World Wide Web Consortium: Web Services Policy 1.2 - Framework (WS-Policy). W3C Member Submission (April 2006)
Cranor, L., et al.: The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C Working Group Note (November 2006)
Cranor, L., Langheinrich, M., Marchiori, M.: A P3P Preference Exchange Language 1.0 (APPEL 1.0). World Wide Web Consortium Working Draft (April 2002)
Kolter, J., Schillinger, R., Pernul, G.: Building a Distributed Semantic-aware Security Architecture. In: Proc. of the 22nd International Information Security Conference (SEC 2007), Sandton, South Africa, May 2007 (to Appear)
Anderson, A.: The Relationship Between XACML and P3P Privacy Policies (November 2004), http://research.sun.com/projects/xacml/XACML_P3P_Relationship.html
Andersson, A.: Sun Position Paper. W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement (October 2006)
Dierks, T., Rescorla, E.: RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1. Internet RFCs (April 2006)
Klischewski, R., Ukena, S., Wozniak, D.: User Requirements Analysis & Development/Test Recommendation. Access-eGov deliverable D2.2 (July 2006)
Tomasek, M., Paralic, M., et al.: Access-eGov Components Functional Descriptions. Access-eGov deliverable D3.2 (November 2006)
Thompson, M., Johnston, W., Mudumbai, S., Hoo, G., Jackson, K., Essiari, A.: Certificate-based Access Control for Widely Distributed Resources. In: Proc. of the 8th USENIX Security Symposium, Washington, DC, United States (1999)
Bonatti, P., Samarati, P.: A Uniform Framework for Regulating Service Access and Information Release on the Web. Journal of Computer Security 10(3), 241–271 (2002)
Hansen, M., Krasemann, H.: Privacy and Identity Management for Europe PRIME White Paper. PRIME deliverable D15.1.d (July 2005)
Ardagna, C., De Capitani di Vimercati, S., Samarati, P.: Enhancing User Privacy Through Data Handling Policies. In: Proc. of the 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec 2006), Sophia Antipolis, France (July 2006)
Casassa Mont, M.: Towards Scalable Management of Privacy Obligations in Enterprises. In: Proc. of the Third International Conference on Trust, Privacy, and Security in Digital Business (TrustBus 2006), Krakow, Poland, pp. 1–10(Septmeber 2006)
Hommel, W.: Using XACML for Privacy Control in SAML-Based Identity Federations. In: Communications and Multimedia Security, pp. 160–169 (2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kolter, J., Schillinger, R., Pernul, G. (2007). A Privacy-Enhanced Attribute-Based Access Control System. In: Barker, S., Ahn, GJ. (eds) Data and Applications Security XXI. DBSec 2007. Lecture Notes in Computer Science, vol 4602. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73538-0_11
Download citation
DOI: https://doi.org/10.1007/978-3-540-73538-0_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73533-5
Online ISBN: 978-3-540-73538-0
eBook Packages: Computer ScienceComputer Science (R0)