A Trust Model for Web Services Ph.D Dissertation Proposal

1
A Trust Model for Web ServicesPh.D
Dissertation Proposal Candidate Nelly A.
Delessy, Advisor Dr E.B. FernandezDepartment
of Computer Science and EngineeringFlorida
Atlantic University, Boca Raton FL
2
Introduction

• Web services
• Ubiquitous web W3C05
• ? Trust becomes a complex and sensitive issue for
  web services
• Access control models have been proposed for web
  services Aga04, Sir02, Fen04, Ber04, Won04
• None of these models includes or relates to any
  trust model

3
Introduction

• Trust models have been proposed for other open
  computing environments such as peer-to-peer
  networks, mobile ad hoc networks, the Semantic
  Web
• Only few trust models have been developed for Web
  services WST05, Max02.
• None of them is generic enough to be applied in
  all web services usage scenarios.

4
Introduction

• Dissertations goal to develop a unified trust
  model for web services
• Will indicate how it can be interfaced to
  existing access control model for web services
• Will include trust management through trust
  policies, and dynamic aspects such as trust
  negotiation
• Using UML and some mathematical formalism
• Develop requirements for, and possibly design a
  language for trust policies

5
Background Trust

• One definition of trust asserts Generally, an
  entity can be said to trust' a second entity
  when it (the first entity) makes the assumption
  that the second entity will behave exactly as the
  first entity expects. IET00
• Trust is one entitys belief in the honesty of
  another entity
• ? A trust relationship between two entities is
  measurable. It can be assigned a trust level
  (discrete or continuous)
• A trust relationship can be formalized as a
  binary relation.
• In general, this relation is not symmetric, nor
  transitive

6
Background Trust Models

• Enables the formalization of the trust
  relationships among the entities of a particular
  domain
• Describes which trustors can trust which trustees
• in a specific context
• and how the trust levels are obtained
• Some low-level trust models provide the
  underlying architecture that enables trust
  evaluation and trust management.

7
Background Trust Models

• Trust models can be classified as
• Deterministic trust models
• Trust lists
• Hierarchy model
• Mesh model
• Bridge model

8
Background Trust Models

• Trust models can be classified as
• Non deterministic trust models
• Web of trust
• Statistical trust models
• History-based
• Recommendation-based
• Probabilistic trust models
• Hybrid models

9
Background WS-Trust Trust Model

• WS-Trust is a proposal that enables security
  token interoperability
• It provides
• Methods for issuing, renewing, and validating
  security tokens.
• Ways to establish, assess the presence of, and
  broker trust relationships.
• It defines a request/response protocol by which
  web services actors can request of some trusted
  authority that a particular security token be
  exchanged for another.

10
Background WS-Trust Trust Model
11
Background WS-Trust Trust Model

• The following key steps are performed by the
  trust engine of a Web service
• Verify that the claims in the token are
  sufficient to comply with the policy and that the
  message conforms to the policy.
• Verify that the attributes of the claimant are
  proven by the signatures. In brokered trust
  models, the signature may not verify the identity
  of the claimant it may verify the identity of
  the intermediary, who may simply assert the
  identity of the claimant.
• Verify that the issuers of the security tokens
  (including all related and issuing security
  token) are trusted to issue the claims they have
  made. The trust engine may need to externally
  verify or broker tokens (that is, send tokens to
  a security token service in order to exchange
  them for other security tokens that it can use
  directly in its evaluation).

12
Background WS-Trust Trust Model

• In addition, the proposal provides a general
  mechanism for multi-message exchanges during
  token acquisition. One example use of this is a
  challenge-response protocol.
• This is used by a web service for additional
  challenges to a requestor to ensure message
  freshness and verification of authorized use of a
  security token.
• This model is a deterministic trust model. It
  proposes a recursive schema to establish trust
  relationships.

13
Background Web Service Reputation Trust model
14
Background Web Service Reputation Trust model
Max02

• Example
• A travel service might include functions to
  return a list of trips for a particular airline
  on a specified date, time, origin and destination
  airport.
• For each service we can extract a series of
  attributes that apply to the service (e.g., speed
  at which a search produces its results, accuracy
  of the return results).

15
Background Web Service Reputation Trust model
Max02

• This model is a non-deterministic one.
• It does not specify the trust relationships
  between the principals that rate a service and
  the principal that uses the service.
• Ratings are provided by people that you do not
  fully trust
• ? you cannot fully trust its history.

16
Background Web services Access Control Models

• Several access control models have been proposed
  for web services Aga04, Sir02, Fen04, Ber04,
  Won04
• They implement two more general access control
  models, role-based access control (RBAC) San96,
  Fer01, and metadata-based access control (MBAC)
  Pri04 which are heavily used in the Web
  context.
• We illustrate access control models for web
  services by two implementation examples

17
Backgound XML Firewall Del04

• The XML Firewalls primary goal is to enforce the
  organizations access control policies by
  filtering messages based on the users identities
  or roles and the intended type of access, while
  performing XML content checking.

18
Backgound XML Firewall Del04
19
Backgound XML Firewall Del04

• This pattern implements the Reference Monitor
  pattern,
• And the role-based access control model, which is
  a flexible way to implement the Authorization
  pattern.
• In the literature, many access control models for
  web services use this model Fen04, Won04,
  Sir02.

20
Backgound XACML Access Control Evaluation
Pattern Del05

• XACML (eXtensible Access Control Markup Language)
  is a web services standard defined by OASIS.
• It includes a policy and an access decision
  language.
• One of the pattern for these languages captures
  how the access control is evaluated within XACML.

21
Backgound XACML Access Control Evaluation
Pattern Del05
22
Backgound XACML Access Control Evaluation
Pattern Del05
23
Backgound XACML Access Control Evaluation
Pattern Del05

• This pattern implements the meta-data based
  access control pattern (MBAC),
• In addition, it supports the role-based access
  control model.
• Compared to the role-based access control model,
  MBAC is more generic, insofar as it can be
  implemented in open environments in which the
  users may not be registered in advance.
• This latter model has been used in the literature
  for web services Aga04, Ber04.

24
Conceptual Framework

• Here, we give a deeper analysis of the
  dissertations problem.
• We refine the concept of trust,
• We analyze the interface between access control
  model and trust model for web services.

25
Conceptual Framework Trust

• In the real world, trust is related to a specific
  context and to a corresponding risk.
• For instance, an patient (the trustor) trusts
  its surgeon (trustee) when he is treated by him,
  and the corresponding risk could be severe
  (death, injury).
• Trust is then measured based on an evaluation of
• the risk,
• the rewards,
• the reputation of the trustee,
• its history with the trustor,
• the recommendations he holds.

26
Conceptual Framework Trust

• Since reputation and recommendation are also
  based on other trust relationships, trust can be
  seen as recursive. We will need to set up some
  initial parameters.
• The context in which the trust relationship is
  evaluated could include many attributes
• action type to be performed by the trustee on
  the trustor,
• the time that this action is to be realized, etc
• The model should be clear about how trust
  establishment is delegated.
• A trust relationship is generally not transitive.
  
• However, in reality, trust delegation should be a
  useful feature. We should be able to propose a
  non deterministic way to delegate trust.

27
C F The interface between AC model and trust
model

• In general, access control models assume that the
  system trusts the user claims.
• This is the case for the authorization model,
  RBAC and MBAC models.
• In addition, they assume that only the owner of
  the object is responsible for the access
  decision.
• Typically, a service has policies that control
  access to a user, whereas this latter has no
  policies for this access.

28
C F The interface between AC model and trust
model
29
C F The interface between AC model and trust
model

• An access has to be granted by the subject too.
• We can apply this model in reverse.
• The server presents some credentials, which
  allows the calculation of a trust level. If this
  level is greater or equal to the trust level
  required for the subject (in the privacy
  policies), then access is granted.
• For an access to actually occur, access should be
  granted in both directions.

30
C F The interface between AC model and trust
model

• Policy composition could thus be necessary at two
  levels
• one 4-tuple (or one credential) that is a part of
  2 different sets, belongs to what trust level?

31
C F The interface between AC model and trust
model

• The access is decided two times, by the server,
  and by the user. How to decide whether or not the
  access will actually occur?

32
C F The interface between AC model and trust
model

• Dynamics

1) Trust negotiation Each party evaluates the
other side trust level. Negotiation refers to the
process of requiring and sending the right
credentials. 2) Policy selection On each side,
the policies corresponding to the trust level are
selected, and possibly exchanged 3) Access
(policy composition) Access is determined by the
composition of the selected policies on both
sides. Either done by a third entity, or
independently by both sides, or in a coordinated
manner from both sides, etc
33
C F The interface between AC model and trust
model

• Advantages of this model are
• like in RBAC, it facilitates the administration
  trust relationships evolve independently to
  access policies.
• It is generic enough to implement more specific
  models

34
Research Approach
35
References
Aga04S. Agarwal, B. Sprick, and S. Wortmann.
"Credential based access control for semantic web
services". In AAAI Spring Symposium Semantic
Web Services, 2004. Ber04E. Bertino, A. C.
Squicciarini and D. Mevi, A Fine-grained Access
Control Model for Web Services, Proceedings of
the 2004 IEEE International Conference on
Services Computing Boo98G. Booch, J. Rumbaugh,
I. Jacobson The Unified Modeling Language User
Guide, Addison-Wesley Pub Co 1st edition
(September 30, 1998). Del04N. Delessy-Gassant,
E.B. Fernandez, S. Rajput and M.
Larrondo-Petrie,Patterns for application
firewalls, Procs. of the Pattern Languages of
Programs Conference, 2004, http//hillside.net/pat
terns Del05N. Delessy and E.B. Fernandez,
Patterns for XACML, In preparation, Fen04X.
Feng, L. Guoyuan, H. Hao, X. Li, "Role-based
Access Control System for Web Services", in
Proceedings of the Fourth International
Conference on Computer and Information Technology
(CIT04) Fer01E. B. Fernandez and R. Pan, A
Pattern Language for security models, Proc. of
PLoP 2001, http//jerry.cs.uiuc.edu/plop/plop20
01/accepted_submissions Fer05aE.B.Fernandez, T.
Sorgente, M. M. Larrondo-Petrie, and N. Delessy,
Web services security Standards, industrial
practice, and research issues, submitted for
publication. GraTyrone Grandison, "Trust
Specification and Analysis for Internet
Applications" PhD Transfer Report IET00IETF
(Internet Engineering Security Task Force)
security glossary http//www.ietf.org/rfc/rfc2828
.txt
36
References
Lib03Liberty Alliance Project Liberty Trust
Models Guidelines http//www.projectliberty.org/s
pecs/liberty-trust-models-guidelines-v1.0.pdf
Max02E. Maximilien and M. Singh, "Conceptual
Model of Web Service Reputation" ??????????ACM
02 Pri04T. Priebe, E. B. Fernandez, J. I.
Mehlau, and G. Pernul, "A pattern system for
access control ", in Research Directions in Data
and Applications Security XVIII, C. Farkas and P.
Samarati (Eds.), Proc. of the 18th. Annual IFIP
WG 11.3 Working Conference on Data and
Applications Security, Sitges, Spain, July 25-28,
2004. San96R. Sandhu, E. J. Coyne, H. L.
Feinstein, and C. E. Youman., "Role-based access
control models", Computer , Vol. 29 , No. 2,
February 1996, 38-47. Sen02S. Sen and N. Sajja,
"Robustness of Reputation-based Trust Boolean
Case", AAMAS02, July 15-19, 2002, Sir02E.
Sirer and K. Wang, "An Access Control Language
for Web Services", SACMAT 02, June 3-4,
2002, W3C03http//www.w3.org/2003/glossary/subgl
ossary/xkms2-req W3C05http//www.w3.org/2005/02/
tp-2005-ubiweb.pdf Won04R. Wonohoesodo and Z.
Tari, A Role based Access Control for Web
Services, Proceedings of the 2004 IEEE
International Conference on Services
Computing WST05Web Services Trust Language
(WS-Trust) http//msdn.microsoft.com/library/en-us
/dnglobspec/html/WS-trust.pdf