Authorization and Privacy for Semantic Web Services - PowerPoint PPT Presentation

About This Presentation
Title:

Authorization and Privacy for Semantic Web Services

Description:

... Rei. Authorization and Privacy Policy are subclasses of Policy in Rei ... Rei returns true or false based on whether the privacy policy is met or violated. ... – PowerPoint PPT presentation

Slides: 24
Provided by: chaitali3

Transcript and Presenter's Notes

1
Authorization and Privacy for Semantic Web Services
  • Authors
  • Lalana Kagal, Tim Finin (UMBC)
  • Grit Denker (SRI)
  • Massimo Paolucci, Naveen Srinivasan, Katia Sycara
    (CMU)
  • Presented By
  • Chaitali A Daftary

2
Purpose
  • Integrate security into semantic web services
  • Security requirements include authorization,
    authentication, data integrity, delegation,
    trust, privacy, and more.
  • Security levels
  • Specification
  • Enforcement
  • Goal: to provide security annotations for web
    services at high abstraction levels to enable
    reasoning, matchmaking, execution, composition,
    etc.

3
Previous Work
  • Existing OWL-S markup
  • Set of ontologies to describe Web Services
  • 3 modules:
  • Profile: general description of the service
  • Process Model: how the task is performed
  • Grounding: how atomic processes are mapped
  • Extension of the OWL-S profile
  • Capabilities and requirements associated with
    both services and requesters

4
Previous Work
  • Ontology for describing security protocols and
    credentials
  • Security Reasoner: matched over security
    requirements and capabilities
  • OWL-S MatchMaker + Security Reasoner: clients and
    services matched over functionality and security

5
Why is this not enough?
  • Authorization only based on
  • Protocols
  • Credentials (login/password, certificate)
    required
  • Need more expressive policies
  • Based on attributes of requester, service and
    other context
  • Did not handle privacy at all
  • Should be able to handle prohibitions as well
  • E.g. No undergraduate student should be able to
    access this service

6
Current Idea
  • Policy-based security infrastructure
  • Semantic Policy Language
  • Distributed Policy Management Approach.
  • Why policies?
  • More expressive, not just requirements and
    capabilities
  • Can be over different attributes of the
    Requester, Service, and Context
  • Authorization
  • Rules for access control
  • Privacy
  • Rules for protecting information

7
Example policies
  • Authorization
  • Policy 1: Stock service is not accessible after
    the market closes
  • Policy 2: Only members of the LAIT lab who are
    Ph.D. students can use the LAIT lab laser printer
  • Privacy/Confidentiality
  • Policy 3: Do not disclose my SSN
  • Policy 4: Do not disclose my telephone number
  • Policy 5: Do not use a service that doesn't
    encrypt all input/output
  • Policy 6: Use only those services that require
    an SSN if it is encrypted

8
Approach
  • Is mainly at the specification level
  • Extension of OWL-S profile with an attribute for
    describing policies
  • policyEnforced
  • subPropertyOf securityRequirement, which is itself
    a subproperty of profileparameter
  • Range: Policy in the Rei ontology
  • Ontology for describing cryptographic
    characteristics of service parameters
  • Encrypted/Signed object

9
Approach (cont)
  • Use of a policy specification language, Rei
  • Authorization and Privacy Policy are subclasses
    of Policy in Rei
  • Authorization policies are usually associated
    with services
  • Privacy policies are usually associated with
    clients
  • Algorithm for matching policies
  • Integration of the algorithm into CMU's
    Matchmaker and OWL-S Virtual Machine (future
    work)

10
Rei Policy Language
  • A declarative policy language for describing
    policies over actions
  • Represented in RDF-S, with logic-like variables
  • Based on deontic concepts
  • Right (what agents can do)
  • Prohibition (what agents cannot do)
  • Obligation (what agents should do)
  • Dispensation (what agents need no longer do)
  • Conflict resolution through the use of meta
    policy specifications

11
Rei Example
  • All members of the LAIT lab have the right to use
    action printing
  • Constraint (RDF/XML markup lost in extraction; the
    triple pattern survives)
  • members_of_lait:
    constraint:subject   = labpolicy:var1
    constraint:predicate = univ:affiliation
    constraint:object    = labpolicy:LaitLab
  • Right (markup lost in extraction): the right to the
    printing action, granted subject to the
    members_of_lait constraint
  • Unify (diagram label): the variable var1 links the
    constraint to the Right
12
Example
  • Mary is looking for a reservation service
  • foaf description
  • Confidentiality policy
  • BravoAir is a reservation service
  • OWL-S description
  • Authorization policy
  • Only users belonging to the same project as John
    can access the service

13
Mary
  • foaf description of Mary (RDF/XML markup lost in
    extraction; surviving values only)
  • Name: Mary Smith; title: Ms; given name: Mary;
    family name: Smith
  • Homepage: "...te.com/marysmith.html" (truncated)
  • Current project:
    http://www.somewebsite.com/SWS-Project.rdf
  • Policy reference: "...alityPolicy" (truncated; her
    confidentiality policy)

14
Bravo Policy
  • rdf:about="bravo-policy:GetJohnProject"
    constraint:subject   = john:John
    constraint:predicate = foaf:currentProject
    constraint:object    = bravo-policy:var2
  • rdf:about="bravo-policy:SameProjectAsJohn"
    constraint:subject   = bravo-policy:var1
    constraint:predicate = foaf:currentProject
    constraint:object    = bravo-policy:var2
  • "...ion1" (truncated; the conjunction of the two
    constraints above)
    constraint:first  = bravo-policy:GetJohnProject
    constraint:second = bravo-policy:SameProjectAsJohn
  • Remaining markup lost in extraction; surviving
    fragments "...t", "...oAir_ReservationAgent",
    "...ndCondition1", "...r_ReservationAgent" and
    "...uthPolicy" belong to the Right to access the
    BravoAir reservation agent, conditioned on the
    conjunction above, and to the authorization policy
    (AuthPolicy) that grants it


15
How it works
  (Diagram; labels: BravoAir Web service, Mary, URL to
  foaf description / query request, Matchmaker/Reasoner,
  Bravo Service OWL-S description.) Mary sends the
  Matchmaker/Reasoner a query request carrying the URL
  of her foaf description; the Bravo service's OWL-S
  description references its authorization policy,
  "bravo-policy:AuthPolicy".
16
How it works
  (Diagram; labels: BravoAir Web service, Mary,
  "http://www.somewebsite.com/SWS-Project.rdf".)
  Mary's query: Bravo Service? YES
  Extract Bravo's policy
  Does Mary meet Bravo's policy?
  (Bravo's policy in RDF/XML; markup lost in extraction,
  the surviving fragments show the Right, its Granting
  and AuthPolicy as on slide 14.)
  Evaluation of the policy:
  bravo-policy:GetJohnProject
    constraint:subject   = john:John
    constraint:predicate = foaf:currentProject
    constraint:object    = bravo-policy:var2
    binds var2 = http://www.somewebsite.com/SWS-Project.rdf
  bravo-policy:SameProjectAsJohn
    constraint:subject   = bravo-policy:var1
    constraint:predicate = foaf:currentProject
    constraint:object    = bravo-policy:var2
    Is the constraint true when
    var2 = http://www.somewebsite.com/SWS-Project.rdf and
    var1 = http://www.cs.umbc.edu/lkagal1/rei/examples/sws-sec/MaryProfile.rdf ?
  Authorization enforcement complete
17
Algorithm for Matching Policies
  • After the client sends a query request, the
    MatchMaker finds a matching service and fetches
    its OWL-S description
  • It extracts the service's authorization policy
    from the policyEnforced attribute and sends it to
    the Rei Reasoning Engine along with the client's
    description
  • Rei returns true or false based on whether the
    client meets the authorization policy of the
    service. If false, matching failed.
  • The matchmaker extracts the client's privacy
    policy and sends it to the Rei Reasoning Engine
    along with the service's OWL-S description
  • Rei returns true or false based on whether the
    privacy policy is met or violated. If false,
    matching failed.
  • Matching between client and service is complete
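As an added example (not code from the slides, nor Rei's own implementation), the following Python sketch models the Bravo/Mary scenario of slides 14 to 17: the two constraints GetJohnProject and SameProjectAsJohn, joined as a conjunction and solved by unification over a constructed set of RDF-style triples, followed by the two-phase authorization-then-privacy check of slide 17. The fact base, the `sec:encryptsIO` predicate standing in for the cryptographic annotation of slide 8, and all function names are constructed here.

```python
# Constructed fact base (subject, predicate, object), standing in for John's
# and Mary's foaf descriptions and the services' OWL-S descriptions.
FACTS = {
    ("john:John", "foaf:currentProject", "http://www.somewebsite.com/SWS-Project.rdf"),
    ("ex:MaryProfile", "foaf:currentProject", "http://www.somewebsite.com/SWS-Project.rdf"),
    ("ex:BobProfile", "foaf:currentProject", "http://www.somewebsite.com/Other-Project.rdf"),
    ("bravo:Service", "sec:encryptsIO", "true"),   # sec:encryptsIO is a constructed predicate
    ("acme:Service", "sec:encryptsIO", "false"),
}

# Bravo's authorization policy (slide 14): GetJohnProject binds ?var2 to John's
# project; SameProjectAsJohn then requires the requester ?var1 to share it.
BRAVO_AUTH_POLICY = [
    ("john:John", "foaf:currentProject", "?var2"),
    ("?var1", "foaf:currentProject", "?var2"),
]

# Mary's privacy policy (slide 7, policy 5): only use services that encrypt all I/O.
MARY_PRIVACY_POLICY = [("?service", "sec:encryptsIO", "true")]


def solve(patterns, facts, bindings):
    """Return every variable binding under which all patterns (a conjunction of
    simple constraints) match a fact; terms starting with '?' are variables."""
    if not patterns:
        return [bindings]
    solutions = []
    for fact in facts:
        b = dict(bindings)  # copy, so a failed branch leaves no stale binding
        if all(b.setdefault(p, f) == f if p.startswith("?") else p == f
               for p, f in zip(patterns[0], fact)):
            solutions.extend(solve(patterns[1:], facts, b))
    return solutions


def policy_holds(policy, bindings, facts):
    """Rei-style true/false answer: does some binding satisfy the whole policy?"""
    return bool(solve(policy, facts, bindings))


def match(requester, service, facts=FACTS):
    """Two-phase matching of slide 17: the service's authorization policy is
    checked against the requester, then the requester's privacy policy against
    the service description; either failure aborts the match."""
    if not policy_holds(BRAVO_AUTH_POLICY, {"?var1": requester}, facts):
        return "matching failed: authorization"
    if not policy_holds(MARY_PRIVACY_POLICY, {"?service": service}, facts):
        return "matching failed: privacy"
    return "match"
```

A prohibition such as slide 5's "no undergraduate may access this service" would be added as a second solve over a deny pattern that overrides the grant, which is the kind of conflict Rei's meta-policies resolve.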

18
Algorithm for Policy Adherence
  • Requestor gathers the process model, grounding,
    and WSDL and SOAP specifications
  • Requestor detects which encryption algorithm is
    adopted
  • The reasoner verifies that
  • (Test 1) the requestor's policies are satisfied
  • (Test 2) the provider enforces its own policies
  • If test 1 fails: the requestor doesn't use the
    provider
  • If test 2 fails: the requestor makes its own
    decision.

19
Enforcement level
  • Currently, through encrypting or signing I/O
    parameters
  • In future, make cryptographic operations
    transparent to the requestors.
  • Automate interactions between web services
  • Extending OWL-S VM

20
Enforcement level
21
Existing Work
  • WS-
  • Lack of semantic expressiveness and reasoning
    capabilities
  • Most approaches are based on XML.
  • E.g., XML signature/encryption, WS-Security,
    SAML.
  • Restricted extensibility
  • Possible solution is ontological approach
  • Policy Languages
  • XACML: OASIS eXtensible Access Control Markup
    Language
  • EPAL: IBM Enterprise Privacy Authorization
    Language
  • Ponder
  • KeyNote
  • KAoS: Knowledgeable Agent-oriented System

22
Some open questions
  • Applicability of other policy languages
  • Integration with WS standards
  • Enforcement of privacy, confidentiality and data
    integrity policies during execution
  • Confidentiality
  • One possible approach is for the OWL-S virtual
    machine to handle encryption/signing on behalf of
    the web service and the requester
  • Privacy
  • Reputation
  • Trusted third parties

23
Summary
  • Contribution
  • Specification of security policies for web
    services
  • Authorization policies are enforced during
    discovery
  • Privacy policies are matched
  • Ontologies
  • http://www.csl.sri.com/users/denker/owl-sec/infObj.owl
  • http://www.cs.umbc.edu/lkagal1/rei/examples/sws-sec/swspolicy.owl
  • http://www.cs.umbc.edu/lkagal1/rei/ontologies/
  • Examples
  • http://www.cs.umbc.edu/lkagal1/rei/examples/sws-sec/