Bachelor of Science (Honours) (HKU) - 1980
Graduate Diploma of Information Technology (QUT) - 1998

Thesis submitted in accordance with the regulations for the
Degree of Doctor of Philosophy

Information Security Institute
Faculty of Information Technology
Queensland University of Technology

1 August 2005
CANDIDATE NAME: Wai Ki Richard Au
RESEARCH CONCENTRATION: Information Security Institute
PRINCIPAL SUPERVISOR: Associate Professor Mark Looi
ASSOCIATE SUPERVISOR(S): Dr Paul Ashley; Professor William J Caelli
THESIS TITLE: Agent-based One-Shot Authorisation Scheme in a Commercial Extranet Environment

Under the requirements of PhD regulation 9.2, the above candidate was examined orally by the Faculty. The members of the panel set up for this examination recommend that the thesis be accepted by the University and forwarded to the appointed Committee for examination.

Under the requirements of PhD regulation 9.15, it is hereby certified that the thesis of the above-named candidate has been examined. I recommend on behalf of the Thesis Examination Committee that the thesis be accepted in fulfilment of the conditions for the award of the degree of Doctor of Philosophy.

Name                    Signature                    Date
Chair of Examiners (Thesis Examination Committee)
Keywords

Distributed authorisation, extranet, intranet, smart card, personal secure device, authentication, security architecture, security server, trust establishment, trust token, credential-based authorisation, one-shot authorisation token, one-task authorisation key, anonymous attribute certificate, key binding certificate, anonymous authorisation, referee server, privilege negotiation agent, authorisation agent, secure client agent environment
Abstract

The enormous growth of the Internet and the World Wide Web has provided the opportunity for an enterprise to extend its boundaries in the global business environment. While commercial functions can be shared among a variety of strategic allies, including business partners and customers, extranets appear to be the cost-effective solution to providing global connectivity for different user groups. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Access control and authorisation mechanisms must be in place to regulate user access to information and resources in a manner that is consistent with the current set of policies and practices at both intra-organisational and cross-organisational levels.

In the business-to-customer (B2C) e-commerce setting, a service provider faces a wide spectrum of new customers who may not have any pre-existing relationship with it. The authorisation problem is therefore particularly complex. In this thesis, a new authorisation scheme is proposed to enable the service provider to establish trust with potential customers, grant access privileges to legitimate users and enforce access control in a diversified commercial environment. Four modules, with a number of innovative components and mechanisms suitable for distributed authorisation on extranets, are developed:

• One-shot Authorisation Module - The one-shot authorisation token is designed as a flexible and secure credential for access control enforcement in client/server systems;
• Token-Based Trust Establishment Module - The trust token is proposed for server-centric trust establishment in a virtual enterprise environment;
... authorisation in a multi-organisational setting;
• Agent-Based Privilege Negotiation Module - Privilege negotiation agents are proposed to provide dynamic authorisation services, with a secure client agent environment for hosting these agents on the user's platform.
Contents

Certificate Recommending Acceptance iii
1.1 Overview 1
1.2 Research Approaches and Scopes 4
1.2.1 Infrastructure of Domain-based Servers 5
1.2.2 User-Centric Authorisation 5
1.2.3 Credential-based Access Control 6
1.2.4 Mobile Agent for Authorisation Services 6
1.3 Thesis Outline 7
2.2 Access Control 10
2.2.1 Access Control Models 11
2.2.2 Implementations of Access Control 12
2.3 Authentication and Authorisation 13
2.3.1 Authorisation Mechanisms 14
2.4 Security Architectures 15
2.4.1 Kerberos V5 15
2.4.2 Distributed Computing Environment (DCE) 17
2.4.3 SESAME (Secure European System for Applications in a Multi-vendor Environment) 18
2.4.4 PolicyMaker and KeyNote 20
2.4.5 Shibboleth 20
2.4.6 OASIS 20
2.4.7 Liberty Alliance 21
2.4.8 Anonymous Credential Systems 21
2.5 Security Standards 22
2.5.1 SAML and XACML 22
2.5.2 Privilege Certificates 23
2.6 Personal Secure Devices 25
2.6.1 Smart Card 26
2.6.2 iButton™ 28
2.7 Code Mobility and Mobile Agent 28
2.7.1 Protection of Mobile Agent 30
2.7.2 Chapter Summary 31
3 Requirements and Framework 33
3.1 Overview of Requirements on Commercial Extranets 33
3.1.1 Requirements on Access Control and Security Mechanisms 34
3.1.2 Requirements on Network Architecture and Topologies 37
3.2.2 Basic Entities 41
3.2.3 Entity Interactions 42
3.2.4 Four Main Modules 42
3.3 Chapter Summary 47
4 One-Shot Authorisation 49
4.1 Introduction 49
4.2 One-Shot Authorisation Architecture (OSAA) 51
4.2.1 Separation of User Authentication and Authorisation 51
4.2.2 Architectural Overview 52
4.2.3 Distinctive Features 56
4.3 One-Shot Authorisation Token (OSAT) 58
4.3.1 Token Contents 59
4.4 Protocol Overview 61
4.5 Security Issues of Authorisation Token 66
4.5.1 Cryptography and Certification 67
4.5.2 Use of Personal Secure Device 67
4.6 A Simple Prototype: Authorisation Token Manager on Java Card 69
4.6.1 The Java Card Applet 69
4.6.2 Performance 71
4.6.3 Multiple Applications on Java Card 73
4.6.4 Downloading Applications On-line 73
4.7 Cross-Domain Authorisation 75
4.7.1 Architectural Components 75
4.7.2 Authorisation Process 78
4.7.3 Token-based Delegation 79
4.8 Evaluation and Analysis 81
4.8.1 Comparison with Existing Technologies 82
4.8.2 Limitations 84
5 Token-Based Trust Establishment for Extranets 87
5.1 Introduction 87
5.2 Trust Management on Extranets 89
5.2.1 Classification of Extranet 89
5.2.2 Requirements on Trust Management 90
5.2.3 Requirements on Trust 91
5.3 Trust Distribution for Authorisation 92
5.3.1 Credential-based Approach 93
5.3.2 Infrastructure for Trust Distribution 94
5.4 A New Paradigm of Trust Distribution for Extranets 95
5.4.1 Central Security Servers as Trust Intermediaries 96
5.4.2 Trust Referees for Recommendation 97
5.4.3 Trust Tokens 98
5.4.4 A Dynamic Web of Trust 99
5.4.5 An Illustrative Scenario 101
5.5 A New Algorithm for Trust Derivation 102
5.5.1 Quantification of Trust 102
5.5.2 Composition of Trust 103
5.6 Discussion 106
5.7 Chapter Summary 108
6 User-Centric Anonymous Authorisation for B2C e-Commerce 109
6.1 Introduction 109
6.1.1 Anonymous Authorisation 111
6.2 A New Collaborated Authorisation Framework 112
6.2.1 Dynamic Collaborated Authorisation 112
6.2.2 Architectural Overview 114
6.3 Anonymous Attribute Certificates (AAC) 117
... Public Key 119
6.4 Linking Identity with Anonymous Attribute Certificates 121
6.4.1 Key Binding Certificate (KBC) 122
6.4.2 Binding Signature 123
6.5 Authorisation Protocol Overview 126
6.5.1 Credential-based Authorisation Protocol 127
6.6 Anonymity Revocation Service 132
6.6.1 Trustee as Identity Escrow Agent 134
6.7 Chain Referral 134
6.7.1 Anonymous Chained Referral 135
6.7.2 Chained Referral with User Authentication 136
6.7.3 Anonymity Revocation for Chained Certificates 137
6.7.4 Personal Tree of Authorisation Keys 137
6.7.5 Illustrative Scenarios 138
6.8 Analysis 138
6.8.1 Comparison of Different Certificates 138
6.8.2 Security Analysis of the Protocol 139
6.8.3 Analysis Summary 141
6.8.4 Limitations 142
6.9 Chapter Summary 143
7 Privilege Negotiation Agents for Distributed Authorisation 145
7.1 Introduction 145
7.2 Intelligent Agents for Authorisation 147
7.3 The Agent-based Authorisation Architecture 148
7.3.1 Privilege Negotiation Agents for Collaborative Authorisation 150
7.4 Privilege Negotiation Protocols 151
7.4.1 Agent-to-Agent Communications 153
7.5 Authorisation Agent for Access Control Enforcement 159
7.6 An Illustrative Application: RBAC Authorisation Agent 164
7.6.1 Role-Based Access Control (RBAC) 164
7.6.2 RBAC Authorisation Agent on Client Workstation 166
7.6.3 RBAC Authorisation Manager on Application Server 166
7.6.4 Role Activation Token 167
7.6.5 Interactions between Client and Application Server 168
7.6.6 Enforcing Role-Based Access Control 169
7.7 Secure Client Agent Environment (SCAE) 171
7.7.1 Securing the Agent-based Authorisation 171
7.7.2 Agent Manager for Central Administration 172
7.7.3 Platform for Agent Collaboration 172
7.7.4 Security Model of SCAE 173
7.7.5 A Prototype: iButton as SCAE for Hosting Multiple Agents 177
7.7.6 Securing the Agent Interactions 180
7.7.7 Secure Communications 184
7.8 Discussion 188
7.9 Chapter Summary 190
8 Conclusions and Future Work 191
8.1 Introduction 191
8.2 Summary of Contribution 191
8.3 New Challenges 195
A List of Acronyms 199
B List of Definitions 201
C Illustrative Scenarios in Anonymous Authorisation Module 203
C.1 Anonymous Online Purchase with Payment 203
D Illustrative Scenarios in Agent-based Privilege Negotiation Module 207
D.1 Anonymous Online Purchase with Discount 207
D.2 SCAE as a marketplace for e-Sales 210
List of Figures

2.1 ISO Access Control Model 10
2.2 Components in Kerberos 16
2.3 Components in DCE 18
2.4 Components in SESAME 19
3.1 Entities and New Components in The Authorisation Framework 40
3.2 Four Modules in the Authorisation Framework 43
4.1 Intra-domain One-Shot Authorisation 53
4.2 One-Shot Authorisation Interactions 62
4.3 Cross-Domain One-Shot Authorisation 74
4.4 One-Shot Authorisation for Extranet 76
4.5 System Walkthrough for Internal and External Users 80
5.1 Trust Establishment through the Web of Trust 99
6.1 User-Centric Anonymous Authorisation 115
6.2 Certificates for Authentication and Authorisation 120
6.3 Use of Binding Signature 123
6.4 Binding Signature Algorithm 124
6.5 Linking Multiple Certificates 126
6.6 Credential-based Authorisation Protocol 127
6.7 Personal Tree of Keys 137
7.1 Agent-based Authorisation Architecture 149
7.2 Elements in Decision Making 151
7.5 Cross Domain Authorisation using Authorisation Agent and Token 163
7.6 Role Hierarchy 168
7.7 User-Centric Agent Collaboration 174
7.8 Configuration of Agents and SCAE 175
7.9 Trust Link Requirements in different Models 177
7.10 Downloading and Installation of Agent 179
7.11 Domain-based Separation 186
D.1 Communication Among Agents 215
List of Tables

4.1 Suggested Attributes in One-Shot Authorisation Token 59
4.2 Table of Notations 63
4.3 Cryptographic Workload 72
4.4 Performance of ATM in Java Card 72
4.5 Comparison of Different Security Architectures 81
6.1 Table of Notations 125
6.2 Comparison of Different Certificates 138
7.1 Computation Parameters for Different Agents 151
7.2 Notations 181
8.1 Comparison of The Four Modules 192
D.1 Access Control List 211
D.2 Yellow Page 212
D.3 Transaction Log 212
Declaration

The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.

Signed:                    Date:
Previously Published Material

The material in this thesis is a subset of the research performed by the author between February 1998 and December 2004 in the Information Security Research Centre, Queensland University of Technology. Much of the material has been published in the proceedings of the following conferences:

Academically Refereed Conference Papers

[1] Mark Looi, Paul Ashley, Loo Tang Seet, Richard Au, Gary Gaskell, Mark Vandenwauver. Enhancing SESAME V4 with Smart Cards. In Proceedings of the Third Smart Card Research and Advanced Application Conference (CARDIS '98), Louvain-la-Neuve, Belgium, 14–16 September 1998.

[2] Richard Au, Mark Looi, Paul Ashley. Towards a New Authorisation Paradigm on Extranet. In Proceedings of the 5th Australasian Conference on Information Security and Privacy (ACISP 2000), Volume 1841 of Lecture Notes in Computer Science, Springer-Verlag, pages 18–29, Brisbane, Australia, 20–21 August 2000. (Material is included in Chapter 4)

[3] Richard Au, Mark Looi, Paul Ashley. Cross Domain One-Shot Authorisation using Smart Card. In Proceedings of the 7th ACM Conference on Computer and Communications Security (CCS 2000), pages 220–227, ACM Press, Athens, Greece, 1–4 November 2000. (Material is included in Chapter 4)
[4] ... for Virtual Enterprise 2001 (ITVE 2001), Australian Computer Science Communications, Volume 23, Number 6, pages 3–11, Gold Coast, 1–4 February 2001. (Material is included in Chapter 5)

[5] Richard Au, Mark Looi, Paul Ashley, Loo Tang Seet. Secure Authorisation Agent for Cross-Domain Access Control in a Mobile Computing Environment. In Proceedings of the 4th International Conference on Information Security and Cryptology (ICISC 2001), Volume 2288 of Lecture Notes in Computer Science, Springer-Verlag, pages 369–381, Seoul, South Korea, 6–7 December 2001. (Material is included in Chapter 7)

[6] Richard Au, Ming Yao, Mark Looi, Paul Ashley. Secure Client Agent Environment (SCAE) for World Wide Web. In Proceedings of the 3rd International Conference on Electronic Commerce and Web Technologies (EC-Web 2002), Volume 2455 of Lecture Notes in Computer Science, Springer-Verlag, pages 234–244, Aix-en-Provence, France, 2–6 September 2002. (Material is included in Chapter 7)

[7] Richard Au, Ming Yao, Mark Looi. Agent-based Privilege Negotiation for E-commerce on World Wide Web. In Proceedings of the 3rd International Conference on Web Engineering (ICWE 2003), Volume 2722 of Lecture Notes in Computer Science, Springer-Verlag, pages 68–71, Oviedo, Spain, 14–18 July 2003. (Material is included in Chapter 7)
[8] ... International Conference on Intelligent Agent Technology (IAT 2003), IEEE Computer Society, pages 519–522, Halifax, Canada, 13–17 October 2003. (Material is included in Chapter 7)

[9] Richard Au, Harikrishna Vasanta, Kim-Kwang Raymond Choo, Mark Looi. A User-Centric Anonymous Authorisation Framework in E-Commerce Environments. In Proceedings of the Sixth International Conference on Electronic Commerce (ICEC 2004), ACM Press, ISBN 1-58113-930-6, pages 138–147, Delft, The Netherlands, 25–27 October 2004. (Material is included in Chapter 6)

[10] Richard Au, Kim-Kwang Raymond Choo, Mark Looi. A Secure Anonymous Authorisation Architecture for E-Commerce. In Proceedings of the IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE '05), Hong Kong, China, 29 March – 1 April 2005. (Material is included in Chapter 6)

Non-Academically Refereed Conference Papers

[11] Richard Au, Mark Looi, Paul Ashley. Using Java Card as Authorisation Device in Multi-Application Environment. In Proceedings of the Gemplus Developer Conference 2000 (GDC 2000), Montpellier, France, 20–21 July 2000. (Material is included in Chapter 4)
Acknowledgements

First and foremost I wish to express my sincere thanks to my principal supervisor, Associate Professor Mark Looi. Throughout my years of postgraduate research, Mark has been a constant source of guidance, motivational advice and supportive encouragement. He always took the time, despite a busy schedule, to give constructive suggestions for enhancements. He has inspired me to think about problems in a much more profound way.

I would like to thank my associate supervisors, Dr Paul Ashley and Professor Bill Caelli, for their support in my PhD studies. Of course, I am grateful for the scholarship from the university.

Over the time I have spent on postgraduate studies, I have enjoyed working with my fellow students and staff in our research centre. I wish to thank them all for their friendship and assistance in providing the research environment, especially Christine Orme, Raymond Choo, Jason Reid, Ming Yao, Harikrishna Vasanta, Loo Tang Seet and Kapaleeswaran Viswanathan.

Special thanks must go to my parents, for their unconditional love and care as well as encouragement throughout the many years of education. Finally, but not least, I wish to express my deepest gratitude to my wife, Frances, for her love, patience and faithful support in our time together. I also need to show my appreciation to my two children, Cheryl and Carson, for their understanding and tolerance of my work when I spent many weekends and holiday time preparing some conference papers and especially this manuscript.
1.1 Overview

In the last few decades, the increasing use of information technology has been transforming the world in many aspects. There has been a clear trend in research toward the distribution of applications and resources on a global scale. Concepts such as client/server, the Internet, mobile code, e-business, virtual enterprise and cyberspace are in vogue. In this PhD program, the research domain is primarily concerned with the following areas:

• Internet and Extranet
• E-commerce Security
• Access Control and Authorisation

The Internet is the largest distributed system ever built, and it provides a computational infrastructure that spans the earth. From a technical perspective, the Internet as a whole is an unreliable, unpredictable and unmanageable internetwork; it does not have the stable properties of traditional closed network systems. The fundamental reason for this is that the Internet is not centrally administered and managed in the global setting. The Internet interconnects millions of networks which are composed of heterogeneous hosts and links with different bandwidths. From a management perspective, the Internet is a dynamic collection of countless independent administrative domains, which are widely different and mostly mutually distrustful. Communication over such open distributed networks introduces vulnerabilities, and information security becomes a crucial component of many Internet applications.

With the popularity of Internet technology inside the organisation, more computing resources have been connected to networks in the form of intranets and extranets. An intranet is a private network implementation based on the technology and services of the Internet. Its basic purpose is to support an internal information system, and it is usually either physically separate from the outside world or protects itself from it through security systems, for example firewalls, that restrict the type of traffic or access to the network. Extranets are extended intranets that connect to outside customers and/or other strategic partners. Because they allow controlled access by authorised outside parties over the public Internet, extranets have extra layers of complexity in terms of functionality and security.

In the sector of electronic commerce, the Internet is dynamically changing the context and boundaries of business markets and technologies. A few decades ago, e-commerce was mainly about inter-organisational systems, such as Electronic Data Interchange (EDI) and Electronic Funds Transfer (EFT), for formal business relationships. Through the rapid growth and acceptance of the Internet and the World Wide Web, the context of e-commerce now includes a wider range of data, information and services provided electronically to many parties, both external and internal to the firm. With the development of extranets, enterprise networking is being transformed. Rather than using proprietary networks to exchange private information, organisations can now set up extranets to exchange data and share applications with strategic partners, suppliers and customers on a global scale. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Access control mechanisms must be in place to regulate user access to information in a manner that is consistent with the current set of policies and practices at both intra-organisational and inter-organisational levels. Access control is directly
related to two important security services:

• Authentication: the verification of the identity claimed by an entity.
• Authorisation: the granting of rights, which includes the granting of access based on access rights.

In traditional access control systems on the Internet, services and resources are provided by centralised providers. Both authentication and authorisation are performed at the end systems and seldom use other components in the distributed architecture. Authorisation relies on reliable user authentication. Identity-based access control systems employ basic mechanisms for identifying legitimate users before granting service access. However, such authorisation mechanisms do not scale well, as user account management is tedious, especially in cross-domain settings. In recent years, Public Key Infrastructure (PKI) has been developing rapidly to provide strong authentication on a global scale. While PKI provides a trusted infrastructure enabling the use of public key cryptography, another infrastructure to provide authorisation services is required. As an area of recent research, the Privilege Management Infrastructure (PMI) is an infrastructure for the management, including distribution and revocation, of user/entity access rights on a large scale. However, the solution will be much more complex, because authorisation services are generally application-specific and involve many local parameters within different administrative domains, such as security policies and certain environmental variables.

Facing the authorisation problem for commercial extranets, the motivating question of this PhD research is as follows:

How can a service provider establish trust with new potential customers, who do not have pre-existing relationships with it, and then allocate access privileges to those legitimate users in an efficient, secure and scalable way on the public Internet?
In the e-commerce setting on the Internet, service providers often try to reach as many people as possible to promote or sell their products or services. Most of these potential customers surfing the World Wide Web are strangers and have no business relationship with the service providers. How can the service provider and the user trust each other in order to start doing business? In traditional server-centric systems, the service provider collects as much information about the user as possible in the initial user registration stage. This information, or these credentials, must be verified in some way before trust can be established. To date, there is no proper infrastructure for the management of such information or credentials on a large scale. In most cases, some external trusted parties, for example credit card companies and governmental departments, are relied upon. In recent years, there have been a number of research studies in this area of identity management. In this thesis, new mechanisms for trust establishment in such business-to-customer (B2C) e-commerce settings on the global scale are introduced. The ultimate goal is to establish a trust relationship for the purpose of providing an authorisation service; the service provider can then grant privileges to legitimate users to access its protected resources. For the purposes of privilege allocation and access control enforcement, a new authorisation framework with four modules is proposed in this thesis, focusing on the scalability, functionality and security issues of B2C e-commerce.
1.2 Research Approaches and Scopes

With the scope of this research confined to authorisation architecture and mechanisms for the business-to-customer commercial extranet environment, a number of approaches are employed to tackle the research problems, as described below:

• Infrastructure of domain-based servers;
• User-centric authorisation;
• Credential-based access control;
• Mobile agent for authorisation services.

1.2.1 Infrastructure of Domain-based Servers

The technological and methodological background developed for conventional distributed systems often fails to scale up to very large scale distribution, such as on the Internet. Security architectures with centralised servers, such as Kerberos, SESAME and DCE, have been developed in recent years to provide access control services in security domains. This research extends these existing architectural designs and proposes to build an infrastructure of domain-based centralised security servers and distributed application servers to enable intra-domain and cross-domain access control with higher scalability and efficiency.

1.2.2 User-Centric Authorisation

In this research, the user-centric approach to distributed authorisation is explored. The user is therefore an important entity in the proposed authorisation architecture. In order to interact with other entities in the architecture, the user needs to interface with a computer system with one or more personal secure devices attached, for example a smart card. The user/client communicates with various servers in remote systems through telecommunication networks, that is, the Internet or a mobile network. The client platform provides a secure and trusted environment for collaboration among different servers in the authorisation service.
1.2.3 Credential-based Access Control

Currently, the prevailing approach to access control on the Internet is still the traditional method, where users are required to create their own accounts in a registration process. They need to authenticate themselves, commonly using usernames and passwords, before being provided with any service. This centralised identity-based authorisation inherits many problematic issues, including:

• Management overhead and efficiency;
• Scalability and interoperability;
• User privacy.

In the authorisation framework proposed in this thesis, the credential-based approach to distributed access control is adopted. New mechanisms using certified credentials solve some of the problems of identity-based systems, including scalability and privacy. More importantly, they facilitate trust establishment and access control in cross-domain settings with increased flexibility and functionality.

1.2.4 Mobile Agent for Authorisation Services

In the security architecture design in this thesis, the concept of a single-hop mobile agent for distributed authorisation is explored. In the client/server environment, an authorisation agent can be downloaded from the server to the client side, where it can work collaboratively and securely with the client and its parent servers. The mechanism enhances the authorisation service in many aspects, including user mobility, system interoperability, communication efficiency and dynamic extension of application functionality. Furthermore, different types of privilege negotiation agents from different entities in the authorisation framework can be developed to provide dynamic authorisation on the client side.
1.3 Thesis Outline

The thesis is composed of eight chapters, five appendices and a bibliography. The chapters are briefly introduced below.

Chapter 2 contains background material related to this research.

Chapter 3 outlines the requirements and a framework for the proposed authorisation architecture.

In Chapter 4, a new authorisation scheme is introduced to enhance the performance and scalability of a centrally administered security architecture. A novel mechanism, the One-Shot Authorisation Token, is proposed; it facilitates the updating and revocation of users' access rights in on-line or off-line authorisation models. The authorisation framework is further extended to cover cross-organisational interactions and to cope with the dynamic and outreaching characteristics of extranets. The use of one-shot authorisation tokens provides an extranet user with flexible direct access to applications, eliminating repeated user authentication in the cross-domain environment. A prototype of the one-shot authorisation token manager on a Java smart card is described.

In Chapter 5, a new paradigm for trust distribution across multiple organisations on extranets is proposed. In the credential-based approach to trust establishment for authorisation, the authorities of organisations administer their local users and, at the same time, can act as trust referees for distributing trust management information for local or foreign users in the virtual enterprise. Trust is propagated in the form of trust tokens through the web of trust. After collecting these trust tokens as recommendations, a new user can submit them to the destination organisation in order to acquire a secure trust relationship for authorisation purposes. By representing trust with a quantitative and comparable value, an automated mechanism for composing trust tokens is demonstrated.

In Chapter 6, a new anonymous authorisation architecture is proposed. In the user-centric approach, the one-task authorisation key, instead of the user identity, is used as the user's unique identifier in a task/activity to preserve anonymity. The idea of dynamic distributed authorisation using external referee servers, suitable for the e-commerce environment, is introduced. The anonymous attribute certificate from a referee server allows flexible trust establishment for authorisation in cross-domain settings. The trustee server issues a key binding certificate to associate the user identity with these anonymous attributes, which facilitates well-controlled revocation of anonymity.

In Chapter 7, the use of intelligent agents to enhance the functionality and security of distributed authorisation in the Web environment is introduced. Firstly, a novel family of privilege negotiation agents for dynamic trust establishment and privilege allocation is proposed. These privilege negotiation agents are downloaded from various external servers to the trusted client platform and work collaboratively to provide authorisation services in a secure and automated way. In this user-centric agent environment, communication is highly controllable by the user and privacy can be well protected. Secondly, the authorisation agent is further developed to facilitate access control enforcement in a distributed authorisation service. An authorisation agent from the local domain migrates to the client platform to assist the token-based authorisation process. An illustrative application of the authorisation agent using role-based access control is described. Thirdly, the security issues of the agent-based authorisation service are discussed. A Secure Client Agent Environment (SCAE) is developed to provide a trusted and secure platform on the client side for hosting privilege negotiation agents, which can then operate collaboratively with one another as well as with remote servers.

Chapter 8 contains the conclusions and suggestions for future research.
The aim of this chapter is to introduce the basic background information for the new research described in this thesis. This chapter contains the following sections:

• Authentication and Authorisation - The techniques of authentication are described and different authorisation mechanisms are discussed.
• Access Control - The ISO/IEC 10181-3 Access Control Framework and access control models are reviewed.
• Security Architectures - Security architectures which provide infrastructure for distributed network systems, such as Kerberos, SESAME and DCE, are explained.
• Security Standards - A number of security-related technologies and their standards, such as SAML, X.509 certificates and SDSI/SPKI, are reviewed.
• Personal Secure Devices - Personal tamper-resistant devices, such as the smart card and iButton, are introduced.
• Code Mobility and Mobile Agent - The properties and benefits of mobile agents are reviewed.
[Figure 2.1: ISO Access Control Model - the Access Control Enforcement Function (AEF) receives the submitted access request, sends a decision request to the Access Control Decision Function (ADF), receives the decision, and passes on the approved access request]
• Access Control Decision Function (ADF) - This application-specific component makes access control decisions based on Access Control Decision Information (ADI), which describes security-relevant properties of the initiator, target, access request, the system and its environment;
• Access Control Enforcement Function (AEF) - This component handles access requests from initiators and also enforces access control decisions made by the ADF.
2.2.1 Access Control Models
Traditionally, there are two basic types of access control mechanisms used to protect information from unauthorised access: discretionary access control (DAC) and mandatory access control (MAC). Recently, role-based access control (RBAC) has received considerable attention as an alternative to traditional DAC and MAC.
2.2.1.1 Discretionary Access Control (DAC)
According to Lampson [84], Discretionary Access Control (DAC) is an access policy that restricts access to objects (such as files, directories and devices) based on the identity of subjects (for example the user) and/or the groups to which they belong. Access is granted at the discretion of another person who has been granted that privilege, for example the security administrator or the object creator.
2.2.1.2 Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is formally defined in TCSEC [41] as: a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorisation (that is, clearance) of subjects to access information of such sensitivity. As explained by Caelli et al. [20], MAC and its concomitant labelling implement a multi-level security policy for handling multiple information classifications at a number of different security levels within a network.
Access is granted specifically to an individual for access to specific types of data. MAC assigns sensitivity labels to all subjects (for example users) and all objects (for example files or devices) in a computer network system. MACs use sensitivity labels to determine which subjects can access which objects in the network. A specific subject's sensitivity label specifies the level of trust or clearance associated with that user. An object's sensitivity label specifies the level of trust that a user or program must have to access that object.
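As an added illustration (not code from the thesis), the label comparison that a MAC decision reduces to, in Python: every subject and object carries a label, and a read is permitted only when the subject's clearance dominates the object's sensitivity. The level names, the category sets (an extension beyond the levels the text discusses) and the sample subjects and objects are constructed.

```python
from dataclasses import dataclass

# Ordered sensitivity levels, lowest first (constructed sample hierarchy).
LEVELS = ("unclassified", "confidential", "secret", "top_secret")


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical level plus a set of categories.
    Categories (compartments) are an assumption beyond the thesis text."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in the label lattice: a level at least as high and a superset of categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


class LabelledSystem:
    """Every subject and every object carries a label, as the MAC definition requires."""

    def __init__(self):
        self.subjects = {}   # subject name -> clearance label
        self.objects = {}    # object name  -> sensitivity label

    def add_subject(self, name, level, *categories):
        self.subjects[name] = Label(level, frozenset(categories))

    def add_object(self, name, level, *categories):
        self.objects[name] = Label(level, frozenset(categories))

    def can_read(self, subject, obj):
        """Access decision: the subject's clearance must dominate the object's sensitivity."""
        if subject not in self.subjects or obj not in self.objects:
            return False  # an unlabelled entity is never granted access
        return self.subjects[subject].dominates(self.objects[obj])


def build_sample_system():
    """Constructed sample: two cleared users and two labelled objects."""
    s = LabelledSystem()
    s.add_subject("alice", "secret", "crypto")
    s.add_subject("bob", "top_secret")          # higher level, but no 'crypto' category
    s.add_object("key_schedule", "secret", "crypto")
    s.add_object("budget", "confidential")
    return s
```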
2.2.1.3 Role Based Access Control (RBAC)
Recently, there has been considerable interest in role-based access control (RBAC) as an alternative, or supplement, to the traditional discretionary and mandatory access controls (DAC and MAC) embodied in the Orange Book [110]. Schneier [114] argues that RBAC can be regarded as a form of MAC but is not based on multilevel security requirements. It is non-discretionary and is more central to the secure processing needs of non-military systems than DAC. The concept of a role allows modelling of security from an organisational management perspective and makes the security mechanisms more scalable. The essence of RBAC is that rights and permissions are assigned to roles rather than to individual users. Users acquire these rights and permissions by virtue of being assigned membership in appropriate roles. The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies.
Sandhu et al. [112] point out that RBAC is policy neutral and, hence, does not represent any means for implementing any particular policy. It can, however, be easily configured to specify a variety of policies.
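An added example (not the thesis's own code) of the RBAC essence described above: permissions are attached to roles, users hold permissions only through role membership, and changing a user's job is one reassignment rather than an edit of every object's permissions. The role, user, operation and object names are constructed.

```python
from collections import defaultdict


class RBAC:
    """Permissions belong to roles; users obtain them only through role membership."""

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def grant_to_role(self, role, operation, obj):
        """Policy administration: attach a permission to a role, never to a user."""
        self.role_perms[role].add((operation, obj))

    def assign_role(self, user, role):
        """User administration: membership in a role defined by the policy."""
        if role not in self.role_perms:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def revoke_role(self, user, role):
        self.user_roles[user].discard(role)

    def permissions_of(self, user):
        """The union of the permissions of every role the user is a member of."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def check_access(self, user, operation, obj):
        return (operation, obj) in self.permissions_of(user)


def promote(policy, user, old_role, new_role):
    """A job change is one role reassignment; no per-object permission is touched."""
    policy.revoke_role(user, old_role)
    policy.assign_role(user, new_role)


def build_sample_policy():
    """Constructed sample policy for a small accounts department."""
    p = RBAC()
    p.grant_to_role("clerk", "read", "ledger")
    p.grant_to_role("auditor", "read", "ledger")
    p.grant_to_role("auditor", "read", "audit_log")
    p.grant_to_role("manager", "approve", "ledger")
    p.assign_role("alice", "clerk")
    p.assign_role("bob", "auditor")
    return p
```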
2.2.2 Implementations of Access Control
The classic access matrix model proposed by Lampson [85] and refined by Graham and Denning [54] provides the basic framework to describe protection systems. In that model, a protection state is defined by the triple (S, O, A), where S is a set of subjects (active entities that perform actions), O is a set of objects (entities being accessed) and A is an access matrix with A[s,o] denoting the access rights a subject s has over an object o. The model also contains a set of commands specifying how to make state transitions.
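The (S, O, A) protection state as a small Python model, added here and not taken from the thesis or from the Lampson and Graham-Denning papers: A is stored sparsely, each command is a guarded state transition, and the per-resource list and per-subject list are the column and row of A. The command set (create object, grant, revoke) is a simplified subset of the model's commands, and the subjects and objects are constructed.

```python
class AccessMatrix:
    """Protection state (S, O, A): rights[(s, o)] holds A[s,o]; an absent pair means no rights."""

    def __init__(self):
        self.S = set()
        self.O = set()
        self.rights = {}

    def A(self, s, o):
        """A[s,o]: the rights subject s holds over object o (empty if none)."""
        return frozenset(self.rights.get((s, o), ()))

    # Commands: guarded transitions from one protection state to the next.
    def create_subject(self, s):
        self.S.add(s)

    def create_object(self, creator, o):
        """The creating subject becomes the owner of the new object."""
        if creator not in self.S:
            raise KeyError(f"unknown subject {creator!r}")
        self.O.add(o)
        self.rights[(creator, o)] = {"owner", "read", "write"}

    def grant(self, granter, grantee, o, right):
        """Only a subject holding 'owner' over o may confer a right on another subject."""
        if "owner" not in self.A(granter, o) or grantee not in self.S or o not in self.O:
            return False
        self.rights.setdefault((grantee, o), set()).add(right)
        return True

    def revoke(self, owner, target, o, right):
        if "owner" not in self.A(owner, o):
            return False
        self.rights.get((target, o), set()).discard(right)
        return True

    def check(self, s, o, right):
        """The access decision: is the requested right present in A[s,o]?"""
        return right in self.A(s, o)

    # Two storage views of the same matrix.
    def acl(self, o):
        """Column of A: the access control list kept with resource o (subject -> rights)."""
        return {s: self.A(s, o) for s in self.S if self.A(s, o)}

    def capabilities(self, s):
        """Row of A: the list of rights held by subject s (object -> rights)."""
        return {o: self.A(s, o) for o in self.O if self.A(s, o)}


def build_sample_state():
    """Constructed sample: alice owns a file and lets bob read it."""
    m = AccessMatrix()
    for s in ("alice", "bob", "carol"):
        m.create_subject(s)
    m.create_object("alice", "payroll.db")
    m.grant("alice", "bob", "payroll.db", "read")
    return m
```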
2.2.2.1 Access Control List (ACL)
Access Control Lists (ACLs) associate lists of users with types of access for a resource. Thus ACLs are inherently resource based, and most systems store ACLs at the resource (for example within the application). While ACLs are widely used in many