A flexible access control model for web services - PowerPoint PPT Presentation

Slides: 25
Provided by: Ann9192
Transcript and Presenter's Notes


1
A flexible access control model for web services
  • Elisa Bertino, Anna Cinzia Squicciarini
  • Lorenzo Martino, Federica Paci
  • CERIAS and CS Department, Purdue University
  • DICO, University of Milano

2
Outline
  • Overview of Ws-Attribute Based Access control
    (Ws-AC1)
  • Underlying technologies
  • Digital identity management
  • Trust negotiation system
  • Access control model
  • System architecture
  • Conclusions and future work

3
Web Services
  • A Web service is a Web-based application that
    can be
    - Published
    - Located
    - Invoked
  • Compared to centralized systems and client-server
    environments, a Web service is much more dynamic
    and security for such an environment poses unique
    challenges.

4
Web Services Access Control
  • An important issue is represented by the
    development of suitable access control models,
    able to restrict access to Web services to
    authorized users.

  • Web services are quite different from the
    objects typically protected in conventional
    systems, since they consist of software modules
    to be executed, upon service requests, according
    to a set of associated input parameters.
  • Security technologies commonly adopted for Web
    sites and traditional access control models are
    not enough!

5
An Example
  • Suppose a travel agency selling flight tickets
    to generic customers offers a service whose
    goal is to offer competitive flight ticket
    fares to requesting customers.
  • As sketched (arrow 1), a customer request is
    sent together with a set of attributes
    describing relevant properties of the customer
    and his/her preferences or needs, to customize
    service release.
  • The agency, in turn, forwards customer requests
    to flight companies.

6
WS-AC1
  • Fine-grained access control system for Web
    services
  • Supporting gradual verification of user
    attributes
  • Characterized by capabilities for negotiating
    service parameters
  • Fully integrated with existing standards (WSDL,
    UDDI, Ws-Policy).
  • An adaptive system, supporting the notion of
    context influencing service provisioning

7
Ws-AC1 goals
  • The goal of Ws-AC1 is to express, validate and
    enforce access control policies without assuming
    pre-established trust in the users invoking the
    web services.

8
Underlying Technologies - Digital Identity
Management
  • What is digital identity?
  • Digital identity can be defined as the digital
    representation of the information known about a
    specific individual or organization
  • Technically, the term DI usually refers to two
    different concepts
    - Nym: a nym gives a user an identity under which
      to operate when interacting with other parties.
      Nyms can be strongly bound to a physical identity
    - Partial identity: partial identities refer to
      the set of properties that can be associated with
      an individual, such as name, birth-date, credit
      cards. Any subset of such properties represents a
      partial identity of the user

9
Underlying Technologies - Trust Negotiation
  • Interactions between strangers
    - In conventional systems user identity is
      known in advance and can be used for
      performing access control
    - In open systems participants may have no
      pre-existing relationship and may not share
      a common security domain
  • Mutual authentication
    - Assumption on the counterpart honesty no
      longer holds
    - Both participants need to authenticate each
      other

10
Underlying Technologies - Trust Negotiation
  • A promising approach for open systems where most
    of the interactions occur between strangers.
  • The goal: establish trust between parties in
    order to exchange sensitive information and
    services
  • The approach: establish trust by verifying
    properties of the other party.

11
Ws-AC1 service description
  • Services are defined in terms of a description,
    containing information like identity
    attributes (AuthAttrs) and service parameters
    (Parameters), required to submit access
    requests.
  • Service parameters represent information the
    requester has to provide to activate the
    operation supported by the service and
    information related to the level of QoS required
    by the user. Each parameter has an associated
    domain specifying the legal values
  • Each service has an associated type defined
    according to the existing classifications
    supported by the UDDI registries.

12
Service Description - example
  • The service description of the TravelAgency web
    service can be defined as follows:
  • Serv-descr <TravelAgency Business
    (Departure, Destination, DepartureDate,
    ReturnDate, MeansofTransport, HotelPreferences,
    Fare)
    (Age, PictureId)>
  • where TravelAgency is the service identifier,
    Departure, Destination, DepartureDate,
    ReturnDate, MeansofTransport, HotelPreferences
    are the service parameters necessary to invoke
    the booking service, Age and PictureId are two
    attributes used by the WS-AC1 system to identify
    the service requester.

13
Ws-AC1 access control model
  • Access conditions
  • expressed in terms of partial identities
  • take into account also the parameters
    characterizing web services.
  • Concept of access negotiation
  • Web service negotiation in Ws-AC deals with the
    possibility for trusted users to dynamically
    change their access requests in order to obtain
    authorizations.

14
Ws-AC1 access control policies
  • An access control policy is defined by
  • A service identifier or a service type
  • A set of conditions against partial identities of
    subjects
  • A set of parameter specifications
  • A set of parameter constraints
  • A constraint restricts the set of values
    associated with a parameter on the basis of the
    values of the context variables and/or of the
    values assumed by other parameters defining the
    service.

15
Ws-AC1 access control policies - examples
  • Policy Pol1
  • pol1 <Travel
    Age > 26, Student
    Departure, Destination, Fare
    Fare = gold ? Departure = Chicago
    Destination ? Toronto, Rome, Berlin ? Student>
  • It authorizes subjects older than 26 traveling
    from Chicago to get a special fare and restricts
    possible destinations for students
  • Policy Pol2
  • <Travel
    Age < 18, Citizenship = America
    Departure, Destination, MeansofTransport
    MeansofTransport ? bus, plane ? Departure = Rome
    AND Destination = Milan>
  • It authorizes subjects that are younger than 18
    travelling from Rome to Milan to use either a
    bus or a plane for reaching the destination

16
Ws-AC1 protocol
  • Access requests are received
    - specified by constraining service parameters
      and subject partial identities
  • Note: before releasing partial identity
    information, a subject may require trust to be
    established using trust negotiation
  • Ws-AC1 access control consists of two phases
    - Subject authentication
    - Parameter negotiation

17
Subject Authentication
  • If the attribute values specified by the user in
    the access request do not satisfy all the
    conditions of any corresponding access control
    policy, the access request is said to be
    partially compliant.
  • The system can then require the user to provide
    the additional attributes of the policy not
    appearing in the service description.

18
Parameter Negotiation
  • Once the subject has been authenticated, the
    system extracts the compliant access control
    policies, in order to establish whether the
    subject request
    - can be accepted as it is
    - must be rejected
    - has to be negotiated.
  • A request negotiation results in eliminating
    and/or modifying some of the service parameters
    specified within an access request that made it
    not immediately acceptable.

19
Access responses in Ws-AC1
  • There are three possible replies
  • Request is granted: the submitted attributes
    match with a policy for the specified service
    request and the specified service parameters are
    acceptable by the policy
  • Request is rejected: the submitted attributes do
    not match with any policy for the specified
    service request
  • Negotiate request: the submitted attributes
    match with a policy for the specified service
    request but the specified service parameters are
    not acceptable by the policy

20
Access responses in Ws-AC1 - example
  • Requests
  • Travel Student Departure=Rome,
    Destination=New York, Fare=Gold
    - It is partially compliant with Pol1, since
      attribute AGE is lacking.
    - It requires further attributes to be submitted
      in order to be processed.
  • Travel Student, Age=25 Departure=Rome,
    Fare=Gold
    - It fully complies with Pol2; however, it must be
      negotiated since the parameter DESTINATION is
      missing
  • Travel DrivingLicence_Issuer=Italy
    Departure=Rome, Fare=Gold
    - It is rejected since it does not match the
      subject specification of any policy
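
The two-phase decision from slides 16 to 20 (subject authentication, then parameter negotiation, ending in one of the replies), as an added Python example that is not the authors' implementation or their policy encoding. The policy is constructed and only loosely modelled on Pol1; the rules that a missing attribute makes a request partially compliant while a supplied attribute that violates a condition makes the policy not match are assumptions, as are all function and key names.

```python
import operator

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

# Constructed policy, loosely modelled on Pol1; not the authors' encoding.
POLICY = {
    "service": "Travel",
    "conditions": [("Age", ">", 26), ("Student", "=", True)],
    "parameters": ["Departure", "Destination", "Fare"],
    "constraints": {
        "Destination": lambda p: p["Destination"] in {"Toronto", "Rome", "Berlin"},
        "Fare": lambda p: p["Fare"] != "Gold" or p.get("Departure") == "Chicago",
    },
}

def authenticate(policy, attrs):
    """Phase 1: classify the submitted attributes against one policy."""
    met, missing = 0, []
    for name, op, value in policy["conditions"]:
        if name not in attrs:
            missing.append(name)        # assumption: absent attribute can be requested
        elif OPS[op](attrs[name], value):
            met += 1
        else:
            return "no-match", []       # assumption: a violated condition never matches
    if not missing:
        return "compliant", []
    return ("partial", missing) if met else ("no-match", [])

def negotiate(policy, params):
    """Phase 2: parameters that are missing or violate a constraint."""
    bad = [p for p in policy["parameters"] if p not in params]
    bad += [n for n, ok in policy["constraints"].items() if n in params and not ok(params)]
    return bad

def decide(policies, service, attrs, params):
    """Return (reply, details): grant, negotiate, request-attributes or reject."""
    outcome = ("reject", [])
    for pol in (p for p in policies if p["service"] == service):
        status, missing = authenticate(pol, attrs)
        if status == "compliant":
            bad = negotiate(pol, params)
            if not bad:
                return ("grant", [])
            outcome = ("negotiate", bad)
        elif status == "partial" and outcome[0] == "reject":
            outcome = ("request-attributes", missing)
    return outcome
```

The details list tells the requester what to supply next: attribute names after a partially compliant request, parameter names to add or change after a negotiate reply.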

21
Encoding WS-AC1 policies using Ws-Policy
  • In order to be as flexible as possible the
    system is implementation independent and can
    thus function with any specific web service
    technology
  • In addition, it is compliant with the existing
    standards for security for web services.
    Indeed, services are described using WSDL and
    access control policies describing the conditions
    required to grant access to services are
    represented using Ws-Policy

22
Ws-AC1 policies vs WS-Policies
  • Ws-Policy is a specification that defines a
    general framework to describe a broad range of
    Web service policies. Ws-Policy defines a policy
    as a collection of alternatives. Each alternative
    is a collection of assertions.
  • To encode Ws-AC1 access control policies we
    define a new type of policy assertion, since no
    public specification we are aware of defines
    assertions suitable for expressing the attribute
    conditions and parameter conditions required by
    the Ws-AC1 policy formalism.

23
WS-AC1 System Architecture

24
Open issues
  • Negotiation of parameters
    - How can subjects negotiate service parameters?
  • Delegation
    - How to manage delegated access requests?
  • Cached policies
    - How and where to keep track of previous access
      requests?
  • Policy protection
    - How to protect UDDI registries where AC policies
      are stored?

25
Future work
  • Delegation mechanisms for credentials
  • Automated mechanisms supporting negotiations of
    parameters
  • Authorization derivation rules, allowing
    authorizations on a service to be automatically
    derived from authorizations specified on other
    services.
  • Security analysis of Ws-AC1 to test system
    security and reliability.