Effects of Architectural Decisions in Authentication and Authorisation Infrastructures

AAIs, infrastructures for authentication and authorisation, provide services for service providers on the Internet. Especially when combined with an attribute infrastructure, these AAIs can offer additional functionality such as single sign-on, enhanced privacy, strengthened trust and security, or improved usability. With respect to security and privacy, the AAI acts as a mediator within the client-service provider relationship or, more likely, the client-federation relationship. Since an AAI is a loosely coupled combination of services, architectural decisions influence its effects on privacy and security, focusing either on customer demands or on service provider requirements. This work shows how architecture and allocation decisions alone can shape the security and privacy contribution of AAIs, leading to different levels of contentment for the user groups.
