230 likes | 343 Views
Using Certified Policies to Regulate E-Commerce Transactions. Victoria Ungureanu Rutgers University. The Problem. Ensuring that actions of agents involved in e-commerce conform with a-priori established contracts. A contract example:
E N D
Using Certified Policies to Regulate E-Commerce Transactions Victoria Ungureanu Rutgers University
The Problem • Ensuring that actions of agents involved in e-commerce conform with a-priori established contracts. • A contract example: • An airline company, say FlyAway, agrees to sell discounted tickets to a travel company, say TravelRUS, subject to the following provisions: • The purchases are to be made between January 1 2005 and June 30 2005; • The price of each ticket is discounted by 10%; • Only agents duly certified as travel agents may buy tickets at discounted prices.
The Problem (cont.) • An enterprise is bound by a potentially large number of disparate contracts: • Ex: Wall-Mart, Ford, Daimler-Chrysler, GM have in excess of 20,000 suppliers operating under different contracts; • New contracts are continuously being established, and previously established contracts end. • A contract has a limited, predefined validity period.
The Problem (cont.) • Contracts may be annulled for various reasons • For example: the travel agency is bankrupt. • Contracts may be revised • For example: the travel agency establishes a new certifying authority which issues certificates for sale representatives; • Contracts may be stateful: • Examples of stateful contract provisions: • Only a limited number of tickets, say 100, may be purchased at the discounted price. • FlyAway accepts reservations. A PO for a reserved ticket is honored only if made within 24 hours from the reservation.
The Problem (cont.) • Need to support a large set of autonomous, evolving and stateful contracts. • Current access control mechanisms deal mostly with monolithic, relatively stable, stateless policies.
Traditional Approaches • Have a dedicated server for each contract: • Problematic, if the number of contracts is large • Combine all contracts in a super policy: • The super policy is difficult to construct if the number of contracts is large; • The super policy needs to change every time a new contract is established, or a contract ends; • The super policy needs to change when a contract is anulled or revised.
Overview • Motivation • Certificates • Certified policies • The enforcement mechanism • Conclusion
A Necessary Parenthesis: Certificates • Are used to prove certain attributes regarding the owner: • Ex: the owner is John Doe, and he is employed by TravelRus, and he is a travel agent; • Are signed by a certification authority; • Are presented by the owner to gain certain rights • Are valid for a limited time period; • May be revoked for various reasons;
request certificates granted request certificates denied Certificate-based Authorization Policy Alice server Eve
request certificates granted request certificates Policy Policy denied Contract Enforcement • Idea: a client presents the policy embedding contract terms together with other credentials. server
Certified Policies (CPs) • Are obtained by: • expressing contract terms in a formal, interpretable language; • certifying the contract terms, by signing them by an authority, trusted by the parties involved in the contract. • Advantages: • no need for composing a super policy, nor for establishing a dedicated server for each contract;
The Elements of a Certified Policy • Id • Validity period • Revocation server • Version number • Repository • Initial control state • State server • Rules formalizing contract terms regarding access and control regulations
Deployment of Certified Policies • Traditional certificates are maintained by repositories; • Similarly, an enterprise can: • Express the contracts it is involved in as certified policies; • Store certified policies on designated repositories, from where agents may retrieve them as needed.
Contract Annulment and Revision • If a contract is annulled, the corresponding CP should be invalidated • CP invalidation may be modeled by certificate revocation; • If contract terms need to be revised this can be achieved simply by: • revoking the obsolete version of the corresponding CP, • deploying the new version of the CP on a repository
System Architecture • Assumes the following trusted entities: • Repositories: provide persistent storage for CPs • Revocation servers: maintain and disseminate revocation information; • Application servers: • Each server has an associated policy engine, called observer; • Observers verify certificates and interpret and carry out the rules of a CP; • A server is trusted to serve only requests sanctioned by its associated observer. • State servers: maintain the current value of contract states.
repository state server Enforcement of Certified Policies request, subject-certificate(s), CP revocation server application server observer
back-end server Cluster-based Application Servers • Application servers often use cluster architectures in order to handle effectively high volume traffic. • Cluster-based servers consists of a dispatcher and several back-end servers; dispatcher back-end server back-end server
Effective Assignment Policies for Cluster-based Servers • The problem: short waiting periods for clients. • A (first) solution: the TDA (Type Dependent Assignment) policy • In broad outline, under TDA: • A back-end server acts as state server for a set of CPs; • The dispatcher assigns: • a request governed by a stateful CP to the back-end server that maintains the state of the CP. • a request governed by a stateless CP to the least loaded back-end server.
TDA’s Performance • Gauged by running a simulation study driven by empirical data: • compares TDA with Least-Connected policy; • performance metric used by the study is waiting time. • The simulation models: • 4 back-end servers • 100 contracts • uses a trace containing ~170,000 requests arriving over 200 second • considers that 80% of requests are governed by stateful contracts • TDA outperforms Least-Connected by a factor of 4!
Conclusion • Policy management operations are easy to perform: • Deployment: simply store CPs on appropriate repositories. • Annulment: revoke the corresponding CP; • Update: revoke the previous version and deploy the new one • Easy to deploy: • Uses an infrastructure already in place • Requires no modifications to the infrastructure, and only minimal modifications to application servers; • Efficient enforcement.
The papers discussing some of these topics appeared in: • IEEE Cluster, December 2003; • ACM Transactions on Internet Technologies, February 2005. • These papers can be found at: research.rutgers.edu/~ungurean/ Thanks!
request certificates granted denied Certificate-based Authorization Policy Alice request certificates server Eve
request certificates granted Policy Policy request certificates denied Contract Enforcement • Idea: a client presents the policy embedding contract terms together with other credentials. server