Towards Privacy-Enhancing Identity Management in Mashup-Providing Platforms

Mashups empower users to easily combine and connect resources from independent Web-based sources and domains. However, the same characteristics introduce new security and privacy problems and amplify existing ones. This is especially critical in the emerging field of enterprise Mashups. Despite several contributions in the field of Mashup security, the issue of protecting exchanged resources against the Mashup-providing Platform itself has generally been neglected. In this contribution we address the security challenges of server-side Mashup-providing Platforms with the aim of minimizing the amount of trust that must be placed in the platform. We achieve this by integrating a privacy-enhancing identity management system into the Mashup-providing Platform using Reverse Identity Based Encryption.
