SLIDE 1 - Department of Computer Science

A flexible access control model for web services

Elisa Bertino, Anna Cinzia Squicciarini, Lorenzo Martino, Federica Paci
CERIAS and CS Department, Purdue University; DICO, University of Milano


Outline

– Overview of Ws-Attribute Based Access Control (Ws-AC1)
– Underlying technologies
  – Digital identity management
  – Trust negotiation system
– Access control model
– System architecture
– Conclusions and future work

Web Services

A Web service is a Web-based application that can be published, located and invoked.

Compared to centralized systems and client-server environments, a Web service is much more dynamic, and security for such an environment poses unique challenges.

Web Services: Access Control

An important issue is the development of suitable access control models, able to restrict access to Web services to authorized users.

Security technologies commonly adopted for Web sites and traditional access control models are not enough!

Web services are quite different from the objects typically protected in conventional systems, since they consist of software modules to be executed, upon service requests, according to a set of associated input parameters.

WS-AC1

Fine-grained access control system for Web services:

– Supporting gradual verification of user attributes
– Characterized by capabilities for negotiating service parameters
– Fully integrated with existing standards (WSDL, UDDI, Ws-Policy)

An adaptive system, supporting the notion of context influencing service provisioning.

Ws-AC1: goals

The goal of Ws-AC1 is to express, validate and enforce access control policies without assuming pre-established trust in the users invoking the web services.

Underlying Technologies - Digital Identity Management

What is digital identity?
– Digital identity can be defined as the digital representation of the information known about a specific individual or organization.

Technically, the term DI usually refers to two different concepts:
– Nym: a nym gives a user an identity under which to operate when interacting with other parties. Nyms can be strongly bound to a physical identity.
– Partial identity: partial identities refer to the set of properties that can be associated with an individual, such as name, birth date, credit cards. Any subset of such properties represents a partial identity of the user.

Underlying Technologies - Trust Negotiation

Mutual authentication
– The assumption of the counterpart's honesty no longer holds
– Both participants need to authenticate each other

Interactions between strangers
– In conventional systems the user identity is known in advance and can be used for performing access control
– In open systems participants may have no pre-existing relationship and may not share a common security domain

Underlying Technologies - Trust Negotiation

A promising approach for open systems where most of the interactions occur between strangers.

The goal: establish trust between parties in order to exchange sensitive information and services.

The approach: establish trust by verifying properties of the other party.

Ws-AC1: service description

Services are defined in terms of a description containing information such as identity attributes (AuthAttrs) and service parameters (Parameters), which are required to submit access requests.

– Service parameters represent the information the requester has to provide to activate the operation supported by the service, plus information related to the level of QoS required by the user. Each parameter has an associated domain specifying its legal values.

Each service has an associated type, defined according to the existing classifications supported by the UDDI registries.

Service Description - example

The service description of the TravelAgency web service can be defined as follows:

– Serv-descr = < TravelAgency; Business; (Departure, Destination, DepartureDate, ReturnDate, MeansofTransport, HotelPreferences, Fare); (Age, PictureId) >

where TravelAgency is the service identifier; Departure, Destination, DepartureDate, ReturnDate, MeansofTransport, HotelPreferences are the service parameters necessary to invoke the booking service; and Age and PictureId are two attributes used by the WS-AC1 system to identify the service requester.

Ws-AC1 access control model

Access conditions
– expressed in terms of partial identities
– also take into account the parameters characterizing web services.

Concept of access negotiation
– Web service negotiation in Ws-AC deals with the possibility for trusted users to dynamically change their access requests in order to obtain authorizations.

Ws-AC1 access control policies

An access control policy is defined by:
– A service identifier or a service type
– A set of conditions against partial identities of subjects
– A set of parameter specifications
– A set of parameter constraints. A constraint restricts the set of values associated with a parameter on the basis of the values of the context variables and/or of the values assumed by other parameters defining the service.

Ws-AC1 access control policies -examples

Policy Pol1
– pol1 = < Travel; {Age > 26, Student}; {Departure, Destination, Fare}; {Fare=gold Departure=Chicago}, {Destination {Toronto, Rome, Berlin} Student} >
– It authorizes subjects older than 26 traveling from Chicago to get a special fare and restricts the possible destinations for students.

Policy Pol2
– pol2 = < Travel; {Age < 18, Citizenship=America}; {Departure, Destination, MeansofTransport}; {MeansofTransport {bus, plane} Departure=Rome AND Destination=Milan} >
– It authorizes subjects younger than 18 travelling from Rome to Milan to use either a bus or a plane for reaching the destination.

Ws-AC1 protocol

1. Access requests are received, specified by constraining service parameters and subject partial identities. Note: before releasing partial identity information, a subject may require trust to be established by using trust negotiation.

2. Ws-AC1 access control consists of two phases:
   1. Subject authentication
   2. Parameter negotiation

Subject Authentication

If the attribute values specified by the user in the access request do not satisfy all the conditions of any corresponding access control policy, the access request is said to be partially compliant.

The system can then require the user to provide the additional attributes of the policy that do not appear in the service description.

Parameter Negotiation

Once the subject has been authenticated, the system extracts the compliant access control policies in order to establish whether the subject request:
– can be accepted as it is
– must be rejected
– has to be negotiated.

A request negotiation results in eliminating and/or modifying some of the service parameters specified within an access request that made it not immediately acceptable.

Access responses in Ws-AC1

There are three possible replies:

1. The submitted attributes match a policy for the specified service request and the specified service parameters are acceptable by the policy: the request is granted.

2. The submitted attributes do not match any policy for the specified service request: the request is rejected.

3. The submitted attributes match a policy for the specified service request but the specified service parameters are not acceptable by the policy: the request is negotiated.

Access responses in Ws-AC1 - example

Requests:

– [Travel; {Student}; {Departure=Rome, Destination=New York, Fare=Gold}]
  It is partially compliant with Pol1, since attribute AGE is lacking. It requires further attributes to be submitted in order to be processed.

– [Travel; {Student, Age=25}; {Departure=Rome, Fare=Gold}]
  It fully complies with Pol2; however it must be negotiated since the parameter DESTINATION is missing.

– [Travel; {DrivingLicence_Issuer=Italy}; {Departure=Rome, Fare=Gold}]
  It is rejected since it does not match the subject specification of any policy.
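The two-phase decision described above (subject authentication, then parameter negotiation) with its four possible outcomes, as an added Python example that is not code from the Ws-AC1 system or its authors. Pol1 and Pol2 are transcribed from the deck; encoding their attribute conditions and parameter constraints as predicates, and the request values used, are my assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple

@dataclass
class Policy:
    service: str
    conditions: Dict[str, Callable[[Any], bool]]            # attribute -> predicate on its value
    parameters: Set[str]                                     # parameter specification
    constraints: Dict[str, Callable[[Dict[str, Any]], bool]] # parameter -> predicate over all params

# Pol1 from the deck: Age > 26 and Student; gold fare only when departing from Chicago;
# students limited to Toronto, Rome or Berlin (predicate encoding is an assumption)
POL1 = Policy("Travel",
              {"Age": lambda a: a > 26, "Student": lambda s: s is True},
              {"Departure", "Destination", "Fare"},
              {"Fare": lambda p: p.get("Fare") != "gold" or p.get("Departure") == "Chicago",
               "Destination": lambda p: p.get("Destination") in {"Toronto", "Rome", "Berlin"}})
# Pol2 from the deck: Age < 18 and American citizenship; bus or plane from Rome to Milan
POL2 = Policy("Travel",
              {"Age": lambda a: a < 18, "Citizenship": lambda c: c == "America"},
              {"Departure", "Destination", "MeansofTransport"},
              {"MeansofTransport": lambda p: p.get("MeansofTransport") in {"bus", "plane"}
                                             and p.get("Departure") == "Rome"
                                             and p.get("Destination") == "Milan"})

def evaluate(service: str, attrs: Dict[str, Any], params: Dict[str, Any],
             policies: List[Policy]) -> Tuple[str, List[str]]:
    # Reply is granted, rejected, negotiate or partially_compliant, plus details for the requester
    compliant, absent_sets = [], []
    for pol in policies:                      # phase 1: subject authentication
        if pol.service != service:
            continue
        absent = set(pol.conditions) - set(attrs)
        if absent:                            # policy needs attributes the request lacks
            absent_sets.append(absent)
        elif all(pred(attrs[a]) for a, pred in pol.conditions.items()):
            compliant.append(pol)
    if not compliant:
        if absent_sets:                       # ask for the smallest set of further attributes
            return "partially_compliant", sorted(min(absent_sets, key=len))
        return "rejected", []
    best: List[str] = []
    for pol in compliant:                     # phase 2: parameter negotiation
        issues = [f"missing:{q}" for q in sorted(pol.parameters - set(params))]
        issues += [f"unacceptable:{q}" for q, ok in sorted(pol.constraints.items())
                   if q in params and not ok(params)]
        if not issues:
            return "granted", []
        if not best or len(issues) < len(best):
            best = issues                     # closest policy drives what must be renegotiated
    return "negotiate", best
```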

Encoding WS-AC1 policies using Ws-Policy

In order to be as flexible as possible, the system is implementation independent and can thus function with any specific web service technology.

In addition, it is compliant with the existing security standards for web services. Indeed, services are described using WSDL, and the access control policies describing the conditions required to grant access to services are represented using Ws-Policy.

Ws-AC1 policies vs WS-Policies

Ws-Policy is a specification that defines a general framework to describe a broad range of Web service policies. Ws-Policy defines a policy as a collection of alternatives. Each alternative is a collection of assertions.

To encode Ws-AC1 access control policies we define a new type of policy assertion, since no public specification we are aware of defines assertions suitable for expressing the attribute conditions and parameter conditions required by the Ws-AC1 policy formalism.

WS-AC1 System Architecture

Open issues

– Negotiation of parameters: How can subjects negotiate service parameters?

– Delegation: How to manage delegated access requests?

– Cached policies: How and where to keep track of previous access requests?

– Policy protection: How to protect UDDI registries where AC policies are stored?

Future work

– Delegation mechanisms for credentials
– Automated mechanisms supporting negotiations of parameters
– Authorization derivation rules, allowing authorizations on a service to be automatically derived from authorizations specified on other services
– Security analysis of Ws-AC1 to test system security and reliability