using digital credentials on the world wide web n.
Skip this Video
Loading SlideShow in 5 Seconds..
Using Digital Credentials On The World-Wide Web PowerPoint Presentation
Download Presentation
Using Digital Credentials On The World-Wide Web

Loading in 2 Seconds...

play fullscreen
1 / 19

Using Digital Credentials On The World-Wide Web - PowerPoint PPT Presentation

  • Uploaded on

Using Digital Credentials On The World-Wide Web. M. Winslett. Introduction. Problem Statement Traditional approaches for authenticating users is not enough to determine different types of users and their authorization to use services.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Using Digital Credentials On The World-Wide Web

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Problem Statement
    • Traditional approaches for authenticating users is not enough to determine different types of users and their authorization to use services.
    • Internet is an open environment, identity does not give enough information about the authorization of users
    • Users may not want to reveal their identity if the service does not necessarily relevant with the identity.
example case
Example Case
  • Access to ACM SIGMOD web site?
    • A shared username-password pair for all users
      • Little protection: How to prevent former users? What happens if the users spread password to others?
    • A username-password pair for each user
      • Administrative overhead
      • Hard to control authorization
      • Strong relation with user identity: Privacy lose
    • SSL authentication facilities
      • SSL specific identity.
      • Not a portable ID with the user (smartcard?)
      • Revealing browser identity which is irrelevant with access control decisions
digital credentials
Digital Credentials
  • Give each ACM SIGMOD member a digital credential issued (signed) by ACM or a trusted party (Verisign).
  • However, server and client software should agree on digital credentials and how they will be handled (authorization?).
personal security assistant
Personal Security Assistant
  • Obtain, store digital credentials and policies
  • Negotiates with the server to decide which credentials are necessary
  • Attaches credentials to service requests according to client/server policies
  • May archive the credentials (including old ones)
server security assistant
Server Security Assistant
  • Store digital credentials and policies
  • Send server policy information and credentials to the client
  • Handle client credentials and credential acceptance policies
  • Assign roles to the users according to credentials
  • Cache credentials if necessary
  • A digital credential does not need to store information about user’s real life identity
    • Example: ACM SIGMOD digital credential does not need to store the name of user.
  • Issuer can use local names or public keys of users in digital credentials
  • Server can challenge the user to verify that he is the user that he is claiming (using PKCS)
  • To reduce the risk of disclosure of the information in digital credentials by the server, the client may request some credentials from server.
  • Server presents a policy to the client to explain what it needs for authorization
  • Client may present own policy that explains what and how it can disclose credentials to the server.
  • Server and Client may not want to reveal whole policy information in one step (step-by-step verification)
trust negotiation
Trust Negotiation
  • Interactions to setup a trust relationship between client and server is called as trust negotiation.
    • Client and Server policies, credentials
    • Client and Server’s agreement on the contents of credentials
    • Need for a common language for policies and credentials
    • Authorization and role assignments
trust negotiation1
Trust Negotiation
  • Categorizing services (to avoid unnecessary amount of policy creation)
  • Handling complex situations in credentials and policies (e.g. expiry dates, situations that may not be enforceable)
  • Scalability

Supporting Structured Credentials and Sensitive Policies through Interoperable Strategies for Automated Trust Negotiation

M. Winslett

  • Strategy: An ordering of credential disclosures to access a resource (or a service).
  • Between client and server, different strategies may be used.
  • However, the strategies should implement a common basic protocol (TrustBuilder protocol).
  • Formulate trust gain with respect to privacy loss
  • Self descriptiveness
  • Apoptosis (Clean self-destruction)
  • Proximity-based evaporation
  • The language to define policies and credentials is very important in trust negotiation
  • A common protocol for trust negotiation is necessary, but different strategies can be used.
  • Scalability, manageability of the protocols are important. Less human interaction is very important.
  • Privacy loss should be a major concern during trust negotiation.