Title: A Trust Model for Web Services Ph.D Dissertation Proposal
1. A Trust Model for Web Services
Ph.D Dissertation Proposal
Candidate: Nelly A. Delessy
Advisor: Dr E.B. Fernandez
Department of Computer Science and Engineering
Florida Atlantic University, Boca Raton FL
2. Introduction
- Web services
- Ubiquitous web [W3C05]
- => Trust becomes a complex and sensitive issue for web services
- Access control models have been proposed for web services [Aga04, Sir02, Fen04, Ber04, Won04]
- None of these models includes or relates to any trust model
3. Introduction
- Trust models have been proposed for other open computing environments such as peer-to-peer networks, mobile ad hoc networks, the Semantic Web
- Only a few trust models have been developed for Web services [WST05, Max02].
- None of them is generic enough to be applied in all web services usage scenarios.
4. Introduction
- Dissertation's goal: to develop a unified trust model for web services
- Will indicate how it can be interfaced to existing access control models for web services
- Will include trust management through trust policies, and dynamic aspects such as trust negotiation
- Using UML and some mathematical formalism
- Develop requirements for, and possibly design, a language for trust policies
5. Background: Trust
- One definition of trust asserts: "Generally, an entity can be said to 'trust' a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects." [IET00]
- Trust is one entity's belief in the honesty of another entity
- => A trust relationship between two entities is measurable. It can be assigned a trust level (discrete or continuous)
- A trust relationship can be formalized as a binary relation.
- In general, this relation is neither symmetric nor transitive
6. Background: Trust Models
- Enables the formalization of the trust relationships among the entities of a particular domain
- Describes which trustors can trust which trustees
  - in a specific context
  - and how the trust levels are obtained
- Some low-level trust models provide the underlying architecture that enables trust evaluation and trust management.
7. Background: Trust Models
- Trust models can be classified as
- Deterministic trust models
- Trust lists
- Hierarchy model
- Mesh model
- Bridge model
8. Background: Trust Models
- Trust models can be classified as
- Non deterministic trust models
- Web of trust
- Statistical trust models
- History-based
- Recommendation-based
- Probabilistic trust models
- Hybrid models
9. Background: WS-Trust Trust Model
- WS-Trust is a proposal that enables security token interoperability
- It provides
  - Methods for issuing, renewing, and validating security tokens.
  - Ways to establish, assess the presence of, and broker trust relationships.
- It defines a request/response protocol by which web services actors can request of some trusted authority that a particular security token be exchanged for another.
10. Background: WS-Trust Trust Model
11. Background: WS-Trust Trust Model
- The following key steps are performed by the trust engine of a Web service
  - Verify that the claims in the token are sufficient to comply with the policy and that the message conforms to the policy.
  - Verify that the attributes of the claimant are proven by the signatures. In brokered trust models, the signature may not verify the identity of the claimant; it may verify the identity of the intermediary, who may simply assert the identity of the claimant.
  - Verify that the issuers of the security tokens (including all related and issuing security token) are trusted to issue the claims they have made. The trust engine may need to externally verify or broker tokens (that is, send tokens to a security token service in order to exchange them for other security tokens that it can use directly in its evaluation).
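The three trust-engine checks above, sketched as an added example (not part of the original slides and not WS-Trust code). Assumptions: HMAC with per-issuer keys stands in for XML signatures, and the issuer names, the `may_issue` claim and the `bookTrip` policy are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data. HMAC with per-issuer keys stands in for XML signatures.
KEYS = {"sts.example": b"k-sts", "broker.example": b"k-broker", "rogue.example": b"k-rogue"}
TRUST_ANCHORS = {"sts.example"}            # issuers this service trusts directly
POLICY = {"bookTrip": {"role": "agent"}}   # claims required per operation (hypothetical)

def mac(issuer, claims):
    # Canonicalise the claims (sorted items) and sign them with the issuer's key.
    body = repr(sorted(claims.items())).encode()
    return hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()

def issue(issuer, claims, issuing_token=None):
    """Token = claims + issuer signature + optional token vouching for the issuer."""
    return {"issuer": issuer, "claims": dict(claims),
            "sig": mac(issuer, claims), "issuing_token": issuing_token}

def claims_sufficient(token, operation):
    # Step 1: the claims in the token satisfy the policy for this operation.
    return all(token["claims"].get(k) == v for k, v in POLICY[operation].items())

def signature_valid(token):
    # Step 2: the claims are proven by the issuer's signature.
    if token["issuer"] not in KEYS:
        return False
    return hmac.compare_digest(mac(token["issuer"], token["claims"]), token["sig"])

def issuer_trusted(token, depth=0, max_depth=4):
    # Step 3 (recursive): the issuer is a trust anchor, or a valid issuing
    # token from an already trusted issuer vouches for it.
    if token["issuer"] in TRUST_ANCHORS:
        return True
    parent = token["issuing_token"]
    if parent is None or depth >= max_depth:
        return False
    return (signature_valid(parent)
            and parent["claims"].get("may_issue") == token["issuer"]
            and issuer_trusted(parent, depth + 1, max_depth))

def evaluate(token, operation):
    if not claims_sufficient(token, operation):
        return "deny: claims insufficient"
    if not signature_valid(token):
        return "deny: signature invalid"
    if not issuer_trusted(token):
        return "deny: issuer not trusted"
    return "permit"
```

The depth limit bounds the recursion so a long or circular chain of issuing tokens ends in a deny rather than an unbounded walk.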
12. Background: WS-Trust Trust Model
- In addition, the proposal provides a general mechanism for multi-message exchanges during token acquisition. One example use of this is a challenge-response protocol.
- This is used by a web service for additional challenges to a requestor to ensure message freshness and verification of authorized use of a security token.
- This model is a deterministic trust model. It proposes a recursive schema to establish trust relationships.
13. Background: Web Service Reputation Trust Model
14. Background: Web Service Reputation Trust Model [Max02]
- Example
- A travel service might include functions to return a list of trips for a particular airline on a specified date, time, origin and destination airport.
- For each service we can extract a series of attributes that apply to the service (e.g., speed at which a search produces its results, accuracy of the return results).
15. Background: Web Service Reputation Trust Model [Max02]
- This model is a non-deterministic one.
- It does not specify the trust relationships between the principals that rate a service and the principal that uses the service.
- Ratings are provided by people that you do not fully trust
- => you cannot fully trust its history.
16. Background: Web Services Access Control Models
- Several access control models have been proposed for web services [Aga04, Sir02, Fen04, Ber04, Won04]
- They implement two more general access control models, role-based access control (RBAC) [San96, Fer01], and metadata-based access control (MBAC) [Pri04], which are heavily used in the Web context.
- We illustrate access control models for web services by two implementation examples
17. Background: XML Firewall [Del04]
- The XML Firewall's primary goal is to enforce the organization's access control policies by filtering messages based on the users' identities or roles and the intended type of access, while performing XML content checking.
18. Background: XML Firewall [Del04]
19. Background: XML Firewall [Del04]
- This pattern implements the Reference Monitor pattern,
- And the role-based access control model, which is a flexible way to implement the Authorization pattern.
- In the literature, many access control models for web services use this model [Fen04, Won04, Sir02].
20. Background: XACML Access Control Evaluation Pattern [Del05]
- XACML (eXtensible Access Control Markup Language) is a web services standard defined by OASIS.
- It includes a policy and an access decision language.
- One of the patterns for these languages captures how the access control is evaluated within XACML.
21. Background: XACML Access Control Evaluation Pattern [Del05]
22. Background: XACML Access Control Evaluation Pattern [Del05]
23. Background: XACML Access Control Evaluation Pattern [Del05]
- This pattern implements the metadata-based access control pattern (MBAC),
- In addition, it supports the role-based access control model.
- Compared to the role-based access control model, MBAC is more generic, insofar as it can be implemented in open environments in which the users may not be registered in advance.
- This latter model has been used in the literature for web services [Aga04, Ber04].
24. Conceptual Framework
- Here, we give a deeper analysis of the dissertation's problem.
- We refine the concept of trust,
- We analyze the interface between access control model and trust model for web services.
25. Conceptual Framework: Trust
- In the real world, trust is related to a specific context and to a corresponding risk.
- For instance, a patient (the trustor) trusts its surgeon (trustee) when he is treated by him, and the corresponding risk could be severe (death, injury).
- Trust is then measured based on an evaluation of
  - the risk,
  - the rewards,
  - the reputation of the trustee,
  - its history with the trustor,
  - the recommendations he holds.
26. Conceptual Framework: Trust
- Since reputation and recommendation are also based on other trust relationships, trust can be seen as recursive. We will need to set up some initial parameters.
- The context in which the trust relationship is evaluated could include many attributes
  - action type to be performed by the trustee on the trustor,
  - the time that this action is to be realized, etc.
- The model should be clear about how trust establishment is delegated.
- A trust relationship is generally not transitive.
- However, in reality, trust delegation should be a useful feature. We should be able to propose a non-deterministic way to delegate trust.
27. Conceptual Framework: The interface between AC model and trust model
- In general, access control models assume that the system trusts the user claims.
- This is the case for the authorization model, RBAC and MBAC models.
- In addition, they assume that only the owner of the object is responsible for the access decision.
- Typically, a service has policies that control access by a user, whereas the latter has no policies for this access.
28. Conceptual Framework: The interface between AC model and trust model
29. Conceptual Framework: The interface between AC model and trust model
- An access has to be granted by the subject too.
- We can apply this model in reverse.
- The server presents some credentials, which allows the calculation of a trust level. If this level is greater than or equal to the trust level required for the subject (in the privacy policies), then access is granted.
- For an access to actually occur, access should be granted in both directions.
30. Conceptual Framework: The interface between AC model and trust model
- Policy composition could thus be necessary at two levels
  - one 4-tuple (or one credential) that is a part of 2 different sets belongs to what trust level?
31. Conceptual Framework: The interface between AC model and trust model
- The access is decided two times, by the server and by the user. How to decide whether or not the access will actually occur?
32. Conceptual Framework: The interface between AC model and trust model
1) Trust negotiation: Each party evaluates the other side's trust level. Negotiation refers to the process of requiring and sending the right credentials.
2) Policy selection: On each side, the policies corresponding to the trust level are selected, and possibly exchanged.
3) Access (policy composition): Access is determined by the composition of the selected policies on both sides. Either done by a third entity, or independently by both sides, or in a coordinated manner from both sides, etc.
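The three steps above as an added sketch (not part of the original slides). Assumptions: composition is taken to be the intersection of the two selected policies, a credential that belongs to several credential sets counts toward the highest level whose whole set is presented, and all credential and action names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Party:
    name: str
    credentials: frozenset   # credentials this party can present to the other side
    level_rules: list        # [(required credential set, trust level)] for judging the other side
    policies: dict           # trust level -> set of actions this party accepts at that level

    def trust_level_of(self, presented):
        # Assumed rule: a credential that appears in several sets counts toward
        # the highest level whose whole set was presented; no match gives level 0.
        return max((lvl for req, lvl in self.level_rules if req <= presented), default=0)

    def select_policy(self, level):
        # Pick the policy of the highest configured level not above `level`.
        eligible = [l for l in self.policies if l <= level]
        return self.policies[max(eligible)] if eligible else set()

def decide(user, service, action):
    # 1) Trust negotiation: each side evaluates the other side's credentials.
    user_level = service.trust_level_of(user.credentials)
    service_level = user.trust_level_of(service.credentials)
    # 2) Policy selection on each side, driven by the computed trust level.
    service_policy = service.select_policy(user_level)
    user_policy = user.select_policy(service_level)
    # 3) Policy composition (assumed here: intersection of both policies),
    #    so access occurs only if it is granted in both directions.
    return action in (service_policy & user_policy), user_level, service_level

# Constructed sample parties (all credential and action names are hypothetical).
SERVICE = Party("travel-service", frozenset({"ca_cert", "privacy_seal"}),
                [(frozenset({"email"}), 1), (frozenset({"email", "employer_assertion"}), 2)],
                {1: {"searchTrips"}, 2: {"searchTrips", "bookTrip"}})
USER = Party("user", frozenset({"email", "employer_assertion"}),
             [(frozenset({"ca_cert"}), 1), (frozenset({"ca_cert", "privacy_seal"}), 2)],
             {1: {"searchTrips"}, 2: {"searchTrips", "bookTrip"}})
# Same service without the privacy seal: the user only reaches trust level 1 in it.
WEAK_SERVICE = Party("travel-service", frozenset({"ca_cert"}),
                     SERVICE.level_rules, SERVICE.policies)

if __name__ == "__main__":
    print(decide(USER, SERVICE, "bookTrip"))        # both sides grant
    print(decide(USER, WEAK_SERVICE, "bookTrip"))   # service grants, user does not
```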
33. Conceptual Framework: The interface between AC model and trust model
- Advantages of this model are
  - like in RBAC, it facilitates the administration: trust relationships evolve independently of access policies.
  - It is generic enough to implement more specific models
34. Research Approach
35. References
[Aga04] S. Agarwal, B. Sprick, and S. Wortmann, "Credential based access control for semantic web services", in AAAI Spring Symposium Semantic Web Services, 2004.
[Ber04] E. Bertino, A. C. Squicciarini and D. Mevi, "A Fine-grained Access Control Model for Web Services", Proceedings of the 2004 IEEE International Conference on Services Computing.
[Boo98] G. Booch, J. Rumbaugh, I. Jacobson, The Unified Modeling Language User Guide, Addison-Wesley Pub Co, 1st edition (September 30, 1998).
[Del04] N. Delessy-Gassant, E.B. Fernandez, S. Rajput and M. Larrondo-Petrie, "Patterns for application firewalls", Procs. of the Pattern Languages of Programs Conference, 2004, http://hillside.net/patterns
[Del05] N. Delessy and E.B. Fernandez, "Patterns for XACML", in preparation.
[Fen04] X. Feng, L. Guoyuan, H. Hao, X. Li, "Role-based Access Control System for Web Services", in Proceedings of the Fourth International Conference on Computer and Information Technology (CIT04).
[Fer01] E. B. Fernandez and R. Pan, "A Pattern Language for security models", Proc. of PLoP 2001, http://jerry.cs.uiuc.edu/plop/plop2001/accepted_submissions
[Fer05a] E.B. Fernandez, T. Sorgente, M. M. Larrondo-Petrie, and N. Delessy, "Web services security Standards, industrial practice, and research issues", submitted for publication.
[Gra] Tyrone Grandison, "Trust Specification and Analysis for Internet Applications", PhD Transfer Report.
[IET00] IETF (Internet Engineering Security Task Force) security glossary, http://www.ietf.org/rfc/rfc2828.txt
36. References
[Lib03] Liberty Alliance Project, Liberty Trust Models Guidelines, http://www.projectliberty.org/specs/liberty-trust-models-guidelines-v1.0.pdf
[Max02] E. Maximilien and M. Singh, "Conceptual Model of Web Service Reputation", ACM 02.
[Pri04] T. Priebe, E. B. Fernandez, J. I. Mehlau, and G. Pernul, "A pattern system for access control", in Research Directions in Data and Applications Security XVIII, C. Farkas and P. Samarati (Eds.), Proc. of the 18th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Sitges, Spain, July 25-28, 2004.
[San96] R. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models", Computer, Vol. 29, No. 2, February 1996, 38-47.
[Sen02] S. Sen and N. Sajja, "Robustness of Reputation-based Trust Boolean Case", AAMAS02, July 15-19, 2002.
[Sir02] E. Sirer and K. Wang, "An Access Control Language for Web Services", SACMAT 02, June 3-4, 2002.
[W3C03] http://www.w3.org/2003/glossary/subglossary/xkms2-req
[W3C05] http://www.w3.org/2005/02/tp-2005-ubiweb.pdf
[Won04] R. Wonohoesodo and Z. Tari, "A Role based Access Control for Web Services", Proceedings of the 2004 IEEE International Conference on Services Computing.
[WST05] Web Services Trust Language (WS-Trust), http://msdn.microsoft.com/library/en-us/dnglobspec/html/WS-trust.pdf