Access control for web services

Get Complete Project Material File(s) Now! »

Trust management systems

The term trust management has been commonly used since 1996 when it was first introduced by Blaze and others (1996; 1999a; 1999b). Trust management was then defined as “a unified approach to specifying and interpreting security policies, credentials and relationships that allows direct authorisation of security-critical actions”. Trust management makes use of mechanisms such as identities, certificates, signatures and keys to establish trust relationships across domains. Even though the term trust is used in the title of these types of systems, it actually has a different meaning. Trust management does not refer to the problem of managing trust, but to the problem of managing access control performed with public keys (Grandison 2003).

The Liberty Alliance trust model

The mission of the Liberty Alliance Project is to establish an open standard for federated network identity through open technical specifications. Liberty Alliance specifications (Liberty Alliance Project Specifications 2005) from the Liberty Alliance Project (Liberty Alliance Project 2005) define circles of trust, where organisations and parties in the inner circle are more trusted than those in outer circles. A circle of trust therefore recognises that different parties are trusted to different extents. Trust can be established between web services in accordance to a Liberty Alliance trust model (Boeyen et al. 2003). This can be achieved by using SAML assertions to move identities of users across domains.

Trust negotiation

Trust negotiation (Winslett 2002) (Bertino et al. 2004a) is an approach towards access control whereby access to resources is granted based on trust that is established between a web services requestor and provider. The term Automated Trust Negotiation (ATN) is also used to refer to this very recent development in distributed access control research. In trust negotiation, credentials that describe the ability of their owner are exchanged iteratively to build trust between negotiating web services requestors and providers. A move is made away from traditional access control rules defined by (object, subject, action) tuples towards the specification of access restrictions based on subject attributes. The idea of using automated negotiation to establish trust is not new. A commonly known protocol, SSL, is an example of trust negotiation over the Internet. In SSL, a web services provider first discloses its credentials to a web services requestor in an attempt to establish trust. The web services requestor optionally submits its credentials to establish mutual trust with the web services provider. The established trust is limited in nature, as it is based only on the identity of web services requestors and providers, for the duration of a specific session.

Trust for web services

The aim of web services technology is to establish inter-organisational infrastructures via machine-to-machine communication. In ensuing interactions, machines act on behalf of humans and organisations. The absence of human contact should cause machine-to-machine trust formation to be fundamentally different from its humanistic counterpart. Ideally, trust formation for machines should be able to borrow from elements of human trust, as the latter is so highly developed. To establish whether web services trust can indeed include human elements, the next sub-paragraphs highlight properties and dimensions of trust for web services, motivate an assessment approach as a basis for web services trust, describe the nature of web services trust, and finally, propose an autonomous approach towards web services trust.

Dimensions of trust

Web services trust formation differs from its humanistic counterpart because of the absence of human contact. This excludes the emotional dimension of trust. Web services providers do have the ability to evolve trust over time through new experiences and observations. Experience and judgement can be used to form trust subjectively. For this reason, cognitive trust, defined on the basis of information and reasoning, can be investigated for the formation of machine-to-machine trust relationships. Cognitive trust is suited for web services environments, as it is used when participants do not know one another, or when participants are far removed from one another.

PART I :

• Chapter 1 Introduction
  • 1.1 Motivation for this study
  • 1.2 Problem statement
  • 1.3 Terminology used
    • 1.3.1 Web services
    • 1.3.2 Information security
    • 1.3.3 Access control service
    • 1.3.4 Message security
    • 1.3.5 Trust
    • 1.3.6 Loosely coupled
    • 1.3.7 Machine
  • 1.4 Layout of thesis
• Chapter 2 Access control for web services
  • 2.1 Web services architecture
  • 2.2 Functional components of web services
    • 2.2.1 Web services
    • 2.2.2 Web services operation
    • 2.2.3 Web services class
    • 2.2.4 Web services composition
  • 2.3 Web services technology
    • 2.3.1 XML (Extensible Markup Language)
    • 2.3.2 WSDL (Web Service Description Language)
    • 2.3.3 SOAP (Simple Object Access Protocol)
    • 2.3.4 UDDI (Universal Discovery Description and Integration)
  • 2.4 Web service security and related standards
    • 2.4.1 Specifications for XML-based security mechanisms
    • 2.4.2 Specifications for XML-based security interoperability
  • 2.5 Environmental access control requirements of web services
    • 2.5.1 Autonomy
    • 2.5.2 Loosely coupled
    • 2.5.3 Policy-based compatibility
    • 2.5.4 Policy negotiation
    • 2.5.5 Quality of service
• Chapter 3 Case study
  • 3.1 The virtual application
  • 3.1.1 eBooks
    • 3.1.1.1 Minimal inter-dependency
    • 3.1.1.2 Increased inter-dependency
  • 3.1.2 eLoans
  • 3.1.3 The virtual application
  • 3.2 Access control policy for eBooks
• Chapter 4 Web services access control service
  • 4.1 The scope of the web service access control service
  • 4.2 Internal access requirements of web services
    • 4.2.1 Flexibility
    • 4.2.2 Efficient administration
    • 4.2.3 Attribute-based access control
    • 4.2.4 Trust levels
    • 4.2.5 Exceptions
    • 4.2.6 Conflict resolution
  • 4.3 Access control
    • 4.3.1 Access control models
    • 4.3.2 Access control mechanisms
    • 4.3.3 Access control information
    • 4.4 Access control models
    • 4.4.1 Discretionary access control (DAC)
    • 4.4.2 Mandatory access control (MAC)
    • 4.4.3 Role-based access control (RBAC)
    • 4.4.4 Chinese Wall access control model
    • 4.4.5 Credential-based access control
  • 4.5 Web services access control service
• Chapter 5 Web services trust
  • 5.1 The management of trust
    • 5.1.1 Trust management systems
    • 5.1.2 The Liberty Alliance trust model
    • 5.1.3 WS-Trust
    • 5.1.4 Trust negotiation
• Chapter 6 Web services trust formation framework
  • 6.1 Trust formation phases
    • 6.1.1 Publish trust information
    • 6.1.2 Discover trust information
    • 6.1.3 Trust formation
    • 6.1.4 Trust evolution
  • 6.2 Trust context
  • 6.3 Trust level
  • 6.4 Trust computation
  • 6.5 Trust assessment for trust concept formation
    • 6.5.1 Environmental information
    • 6.5.2 References
    • 6.5.3 Recommendations
    • 6.5.4 Experience
  • 6.6 Taxonomy of trust concepts
    • 6.6.1 Trust in the internal environment
    • 6.6.2 Trust in the external environment
    • 6.6.3 Trust in the other party
  • 6.7 Definitions: trust management, trust assessment, trust relationships, trust types and trust concepts
  • 6.8 Conclusion
• Chapter 7 Access control policy specification
• Chapter 8 Web services access control service architecture
• Chapter 9 The WSACT model – an overview
• Chapter 10 WSACT – The authorisation interface
• Chapter 11 WSACT – The authorisation manager
• Chapter 13 WSACT – Prototype implementation
• Chapter 14 Conclusion

GET THE COMPLETE PROJECT
WSACT – A Model for Web Services Access Control incorporating Trust