Enhancing Security Modeling for Web Services Using Delegation and Pass-On

In recent years, security issues in web service environments have been widely studied and various security standards and models have been proposed. However, most of these standards and models focus on individual web services and do not consider the security issues in composite services. In this article, the authors propose an enhanced security model to control the information flow in service chains. It extends the basic web service security models by introducing the concepts of delegation and pass-on. Based on these concepts, new certificates, certificate chains, delegation and pass-on policies, and how they are used to control the information flow are discussed. The authors also introduce a case study from a healthcare information system to illustrate the protocols.
