Attribute-Based Authentication and Authorisation Infrastructures for E-Commerce Providers

Authentication and authorisation has been a basic and necessary service for internet transactions. With the evolution of e-commerce, traditional mechanisms for data security and access control are becoming outdated. Several new standards have emerged which allow dynamic access control based on exchanging user attributes. Unfortunately, while providing highly secure and flexible access mechanisms is a very demanding task, it cannot be considered a core competency for most e-commerce corporations. Therefore, a need to outsource or at least share such services with other entities arises. Authen-tication and Authorisation Infrastructures (AAIs) can provide such integrated federations of security services. They could, in particular, provide attribute-based access control (ABAC) mechanisms and mediate customers’ demand for privacy and vendors’ needs for information. We propose an AAI reference model that includes ABAC functionality based on the XACML standard and lessons learned from various existing AAIs. AAIs analysed are AKENTI, CARDEA, CAS, GridShib, Liberty ID-FF, Microsoft .NET Passport, PAPI, PERMIS, Shibboleth and VOMS.

[1]  Christian Schläger,et al.  Towards a Risk Management Perspective on AAIs , 2006, TrustBus.

[2]  David W. Chadwick,et al.  The PERMIS X.509 role based privilege management infrastructure , 2003, Future Gener. Comput. Syst..

[3]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[4]  Rebekah Lepro,et al.  Cardea: Dynamic Access Control in Distributed Systems , 2004 .

[5]  Ákos Frohner,et al.  VOMS, an Authorization System for Virtual Organizations , 2003, European Across Grids Conference.

[6]  David Wasley,et al.  Shibboleth Architecture Protocols and Profiles , 2005 .

[7]  Javier López,et al.  Trust, Privacy and Security in E-Business: Requirements and Solutions , 2005, Panhellenic Conference on Informatics.

[8]  Rolf Oppliger,et al.  Authentication and authorization infrastructures (AAIs): a comparative survey , 2004, Comput. Secur..

[9]  Günther Pernul,et al.  Authrule: A Generic Rule-Based Authorization Module , 2006, DBSec.

[10]  Ian T. Foster,et al.  The Community Authorization Service: Status and Future , 2003, ArXiv.

[11]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[12]  Srilekha Mudumbai,et al.  Certificate-based authorization policy in a PKI environment , 2003, TSEC.

[13]  Nora Kamprath,et al.  Supporting attribute-based access control with ontologies , 2006, First International Conference on Availability, Reliability and Security (ARES'06).

[14]  Dong Il Shin,et al.  Design and Implementation of a Java-Based Single Sign-On Library Supporting SAML (Security Assertion Markup Language) for Grid and Web Services Security , 2005 .

[15]  Günther Pernul,et al.  Authentication and Authorisation Infrastructures in b2c e-Commerce , 2005, EC-Web.

[16]  Diego R. López,et al.  The PAPI system: point of access to providers of information , 2001, Comput. Networks.