Seminar: Solutions and Infrastructure to ensure Trust in E-Commerce

Marco Casassa Mont, marco_casassa-mont@hp.com
Trusted E-Services Laboratory, Hewlett-Packard Laboratories, Bristol, UK
www.hpl.hp.com

Presentation Outline

1. Overview of Concepts and basic Infrastructure:
   - Access Control
   - PKI & Trust
   - Policy and Policy Management

2. Solutions and Infrastructure to underpin Trust in E-Commerce:
   - PASTELS (HPL Bristol): Trust & Authorization Management in B2B

3. Moving Towards the Future
   - Trust Services eco-system … creating a Safety Net for E-Commerce

Terminology (English term: Italian equivalent)

• Access Control: controllo di accesso
• Role: ruolo
• Authorization: autorizzazione
• Authentication: identificazione
• Policy: politiche, regole, condizioni
• PKI: Public Key Infrastructure (infrastr. di crittografia pubblica)
• Trust: fiducia, …
• Certificate, Credential: certificato, credenziale

PART 1: Overview of Concepts and Basic Infrastructure

Access Control: Overview

Access Control

• Defines what a user can do on a resource
• Limits the operations that a user of a system can do
• It is enforced by a Reference Monitor which mediates every attempted access by a user to objects in the system

Access Control Lists

[Figure: Access Control List as an access matrix of User 1 … User n against Resource 1 … Resource K, with cell entries such as "R, W, E", "R", "R, W" and "E"]

• Complexity in administering large number of users

Role Based Access Control (RBAC)

• Role (general): set of actions and responsibilities associated with a particular activity
• Definition of Roles in the system (administrator, engineer, project manager, etc.)
• Role: contains authorizations on objects
• Users are assigned to roles
• Simple RBAC model = Group-based ACL (Windows NT access control, …)

Role Based Access Control (RBAC)

[Figure: User 1, User 2 and User 3 are assigned to roles; Role 1: Manager carries Rights 1 (read, write) and Role 2: Employee carries Rights 2 (read) on Resource 1: Document XYZ]
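The ACL and RBAC slides above, as an added example that is not part of the seminar: a small Python reference monitor that mediates every access request, with the ACL matrix and the Manager/Employee roles on Document XYZ as its tables (the specific ACL cell values are assumed), plus two onboarding helpers that show where the administration cost of each model sits.

```python
# Constructed example: a reference monitor that mediates every access request,
# with an ACL-style and a role-based authorization rule side by side. The
# tables follow the slides (Users x Resources, Manager/Employee on Document XYZ);
# the individual ACL cell values are assumed.

# ACL view: resource -> user -> rights granted (R=read, W=write, E=execute)
ACL = {
    "Resource 1": {"User 1": {"R", "W", "E"}, "User 2": {"R"}},
    "Resource 2": {"User 1": {"R", "W"}, "User 3": {"E"}},
}

# RBAC view: rights hang off roles, users are assigned to roles.
ROLE_RIGHTS = {
    "Manager": {"Document XYZ": {"read", "write"}},    # Rights 1
    "Employee": {"Document XYZ": {"read"}},            # Rights 2
}
USER_ROLES = {"User 1": {"Manager"}, "User 2": {"Employee"}, "User 3": {"Employee"}}


def acl_check(user, resource, right):
    """ACL decision: the user must be listed on the resource with that right."""
    return right in ACL.get(resource, {}).get(user, set())


def rbac_check(user, resource, right):
    """RBAC decision: some role of the user must carry the right on the resource."""
    return any(right in ROLE_RIGHTS.get(role, {}).get(resource, set())
               for role in USER_ROLES.get(user, ()))


class ReferenceMonitor:
    """Every attempted access goes through decide(): unknown users, resources
    or rights fall through to deny, and each decision is recorded for audit."""

    def __init__(self, check):
        self.check = check
        self.audit = []

    def decide(self, user, resource, right):
        allowed = bool(self.check(user, resource, right))
        self.audit.append((user, resource, right, allowed))
        return allowed

    def denials(self):
        return [entry for entry in self.audit if not entry[3]]


def onboard_rbac(user, role):
    """Administering RBAC: one assignment gives the user all rights of the role."""
    USER_ROLES.setdefault(user, set()).add(role)


def onboard_acl(user, rights_by_resource):
    """Administering ACLs: every resource's list has to be edited for the new
    user (the per-user cost that grows with a large user population)."""
    for resource, rights in rights_by_resource.items():
        ACL.setdefault(resource, {})[user] = set(rights)
    return len(rights_by_resource)   # number of ACL entries touched
```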

Public Key Infrastructure (PKI) and Trust

Outline

• Basic Problem: Confidence and Trust
• Background: Cryptography, Digital Signature, Digital Certificates
• (X509) Public Key Infrastructure (PKI)

Basic Problem

[Figure: Alice and Bob exchanging data across Intranet, Extranet and Internet]

Bob and Alice want to exchange data in a digital world.

There are Confidence and Trust Issues …

Confidence and Trust Issues

• In the Identity of an Individual or Application: AUTHENTICATION
• That the information will be kept Private: CONFIDENTIALITY
• That information cannot be Manipulated: INTEGRITY
• That information cannot be Disowned: NON-REPUDIATION

Starting Point: Cryptography

Cryptography is the science of making the cost of acquiring or altering data greater than the potential value gained.

[Figure: Plaintext "Hello World" -> Encryption (Key) -> Ciphertext "&$*£(“!273" -> Decryption (Key) -> Plaintext "Hello World"]

Cryptographic Algorithms

All cryptosystems are based only on three Cryptographic Algorithms:

• MESSAGE DIGEST (MD2-4-5, SHA, SHA-1, …): maps variable length plaintext into fixed length ciphertext; no key usage, computationally infeasible to recover the plaintext
• SECRET KEY (Blowfish, DES, IDEA, RC2-4-5, Triple-DES, …): encrypt and decrypt messages by using the same Secret Key
• PUBLIC KEY (DSA, RSA, …): encrypt and decrypt messages by using two different Keys: Public Key, Private Key (coupled together)

[Figure: Plaintext -> Encryption (Key) -> Ciphertext -> Decryption (Key) -> Plaintext]

Digital Signature

A Digital Signature is a data item that vouches for the origin and the integrity of a Message.

[Figure: Alice and Bob exchanging a signed message across Intranet, Extranet and Internet]

Digital Identity Certificate

[Figure: CERTIFICATE with fields Issuer, Subject, Subject Public Key, Issuer Digital Signature]

Digital Certificate: Problems

• How are Digital Certificates Issued?
• Who is issuing them?
• Why should I Trust the Certificate Issuer?
• How can I check if a Certificate is valid?
• How can I revoke a Certificate?
• Who is revoking Certificates?

Moving towards PKI …

Public Key Infrastructure (PKI)

• A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates
• Potentially it is a complex distributed Infrastructure over the Internet

Focus on:

• X509 PKI
• X509 Digital Certificates

Standards defined by IETF, PKIX WG: http://www.ietf.org/

… even if X509 is not the only approach (e.g. SPKI)

X509 PKI – Technical View

Basic Components:

• Certificate Authority (CA)
• Registration Authority (RA)
• Certificate Distribution System
• PKI enabled applications

[Figure labels: “Provider” Side, “Consumer” Side]

X509 PKI – Simple Model

[Figure: a Certification Entity (CA and RA), a Directory holding Certs and CRLs, an Application Service, a Local Person and a Remote Person connected over the Internet; Cert. Request and Signed Certificate flows between the person and the Certification Entity]

CA Technology Evolution

[Figure: several CAs with their RAs and LRAs, plus Directory Services, connected over the Internet; the arrangement tries to reflect real world Trust Models]

Certificate Revocation List

Revoked Certificates remain in the CRL until they expire.

[Figure: Certificate Revocation List]

CRL vs OCSP Server

[Figure, CRL: the CA publishes its CRL to a Directory; the User downloads the CRL]

[Figure, OCSP: the CA publishes its CRL to a Directory, from which the OCSP Server downloads it; the User sends the Certificate IDs to be checked to the OCSP Server and receives an answer about the Certificate States]

X509 PKI Trust by Hierarchies and Cross Certification

Simple Certificate Hierarchy

Each entity has its own certificate (and may have more than one). The root CA’s certificate is self signed and each sub-CA is signed by its parent CA.

Each CA may also issue CRLs. In particular the lowest level CAs issue CRLs frequently.

End entities need to “find” a certificate path to a CA that they trust.

[Figure: Root CA -> Sub-CAs -> End Entities; the Certification Path runs from an end entity up to the root]

Cross-Certification and Multiple Hierarchies

[Figure: three arrangements, numbered 1 to 3]

1. Multiple Roots
2. Simple cross-certificate
3. Complex cross-certificate

X509 PKI Approach to Trust: Problems

Things are getting more and more complex when Hierarchies and Cross-Certifications are used.
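The CRL, hierarchy and cross-certification slides above, worked through as an added example (a toy Python model, not the seminar's or any PKI product's code): signatures are not modelled, and the certificates, the CRL and the dates are constructed. It builds a certification path from an end entity up to a trusted root, also across a cross-certificate, skips expired certificates, and keeps CRL entries only until the revoked certificate expires.

```python
from datetime import date

# Constructed toy PKI: signatures are not modelled, the 'issuer' field
# simply stands for "this certificate was signed by that CA".


def cert(subject, issuer, serial, not_after):
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "not_after": date.fromisoformat(not_after)}


# Two hierarchies (Root A -> Sub-CA A1 -> alice, Root B -> Sub-CA B1 -> bob)
# plus one cross-certificate in which Root A certifies Root B's key.
CERTS = [
    cert("Root A", "Root A", 1, "2010-01-01"),      # self-signed root
    cert("Sub-CA A1", "Root A", 2, "2005-01-01"),
    cert("alice", "Sub-CA A1", 3, "2002-01-01"),
    cert("Root B", "Root B", 1, "2010-01-01"),      # self-signed root
    cert("Sub-CA B1", "Root B", 2, "2005-01-01"),
    cert("bob", "Sub-CA B1", 3, "2006-01-01"),
    cert("Root B", "Root A", 4, "2004-01-01"),      # cross-certificate
]

# CRL issued by Sub-CA A1: (issuer, serial) -> expiry of the revoked cert.
CRL = {("Sub-CA A1", 3): date.fromisoformat("2002-01-01")}


def prune_crl(crl, today):
    """A revoked certificate stays on the CRL until it expires; afterwards the
    entry can go, because the certificate fails the validity check anyway."""
    return {key: exp for key, exp in crl.items() if exp >= today}


def find_paths(subject, certs, trusted_roots, today, path=()):
    """Enumerate certification paths from 'subject' up to a trusted root.
    A subject may hold several certificates (its own hierarchy's plus
    cross-certificates), so every alternative is explored."""
    paths = []
    for c in certs:
        if c["subject"] != subject or c in path or c["not_after"] < today:
            continue
        new_path = path + (c,)
        if c["issuer"] == c["subject"]:          # self-signed: top of a hierarchy
            if c["subject"] in trusted_roots:
                paths.append(new_path)
            continue
        paths.extend(find_paths(c["issuer"], certs, trusted_roots, today, new_path))
    return paths


def validate(subject, certs, crl, trusted_roots, today_iso):
    """Relying-party check: return the subject names along the first path on
    which no certificate is expired or revoked, or None if there is none."""
    today = date.fromisoformat(today_iso)
    live_crl = prune_crl(crl, today)
    for path in find_paths(subject, certs, trusted_roots, today):
        if any((c["issuer"], c["serial"]) in live_crl for c in path):
            continue                             # a link on this path is revoked
        return [c["subject"] for c in path]
    return None
```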

Identity is Not Enough: Attribute Certificates

IETF (PKIX WG) is also defining standards for Attribute Certificates (ACs):

• Visa Card (Attribute) vs. Passport (Identity)
• Attribute Certificates specify Attributes associated to an Identity
• Attribute Certificates don’t contain a Public key but a reference to an Identity Certificate

Attribute Certificate

[Figure: CERTIFICATE with fields Issuer, Link to Owner’s Identity Certificate, Attributes, Digital Signature]

  Issuer: Bank of Bristol
  Serial number: 4776457
  Identity certificate link: 64564656
  Expiration: 1/12/2001
  Attributes:
    Credit card number: 54356 435 2343
    Issue date: 23/04/2000
    Expiration date: 23/04/2005
  Digital Signature: 2kjr3rno2;klnm2

Policies and Policy Management

What is Policy

Policy is about the constraints and preferences on the state, or the state transition, of a system.

It is a guide on the way to achieving the overall objective, which itself is also represented by a desirable system state.

Examples of Policies

• The IT infrastructure of this company must be secure
• Only authorised people can access company confidential documents
• Each employee must renew their password every 3 months
• The network throughput must be at least 2 Mbits/sec

Policies

• Focus on multiple “IT infrastructure” levels
• Can be very abstract: need for refinement
• Can be programmatically enforceable or not (focus on the former ones)

Policy Targets

[Figure: policies apply at every layer of the IT infrastructure]

• Network Layer: routers, firewall, etc.
• System Layer: OSs, PCs, Servers, Domains, etc.
• Application Layer: storage (DBs), web servers, workflow, etc.
• Service Layer
• Business Layer

Policy Refinement

[Figure: Policy P0 (high-level description of what to achieve) is iteratively refined into policies P1,1 … P1,3, then PX, PY, … down to implementable policies I3, I4, Ii, IX,1, IX,2, IY,1, …; each implementable policy leads to a desired state S1 … Si … SY, and the sequence of states forms the State Transition Plan towards the OBJECTIVE (concrete description of the state to achieve)]

• iterative refinement of policy = State Transition Plan
• I = implementable
• Si = desired state

Policy Refinement: Example

The company IT infrastructure must be secure

refined into:
- The company network must be secure
- The company systems must be secure
- The company applications must be secure
- …

refined further into, for example:
- Each PC must run an antivirus
- Each PC must be password protected

Work on Policies

• Imperial College London - Morris Sloman, Emil Lupu, http://www.doc.ic.ac.uk/~mss/MSSPubs.html: Policies for Distributed Systems (Authorization, Obligation Policies …)
• IETF working groups (www.ietf.org): policies at the networking level
• Other people: Masullo M.: Policy Management; Wies, R. – Neumair, R.: Application of policies; Wies: policy specification and transformation; Heiler, K.: Policy driven Configuration Management; …
• …

PART 2: Providing Solutions and Infrastructure to underpin Trust in B2B E-Commerce: PASTELS

Context: Dynamic B2B Environment

[Figure: User x in Enterprise 1 invokes Operations on Web Service 1, Web Service 2 and Web Service 3, offered by Service Providers 1 … K and by Enterprises 2, 3, … Z over the Internet (B-2-B); some parties are Trusted, others Not Trusted]

PASTELS Project: Focus

Trust and Trust Management is potentially a huge area. Focus on:

• Framework to deal with Digital Credentials
  - End to End Credential Exchange
  - Solutions for Client and Server Side
• Integration of Digital Credentials with Authorization at the E-Service level

E-Market Context

[Figure: Market Governance, Market Makers, Market Mediator, Marketplaces, Enterprises, Traders and Trusted Third Parties connected over the Internet]

Simplified E-Market Scenario

[Figure: Credential Issuance to a User (Enterprise/Trader): an Identity Credential (IC1) and a Financial Credential (AC1) from a Bank, a Citizenship Credential (AC2) from the Market Governance; the Market Maker runs Credential Validation, Authorization and Credential Usage Monitoring in front of its Trading Services; the Market Mediator and the Marketplaces are reached over the Internet]

Example: Market Maker

• The Market Maker Administrator has to decide which Credential Issuers it is going to Trust
• The Administrator has to decide how to deal with Credentials Content:
  - Attribute Semantic
  - Defining policies on which Credential Attributes must be accepted
  - Map to Local Interpretation
• The Administrator has to define Vetting Policies to allow/deny an Enterprise to enter a Marketplace:
  - for example based on Credentials content: Credit Limit, Ranking, Issuer of Credentials, etc.

  “A User with a Credit Limit greater than $100000 and Certified by Issuer “Issuer ABC“ can trade in the Marketplace XYZ, during business hours”

• The Administrator has to define Authorization Policies for Marketplace Services:
  - for example based on Credentials content: Credit Limit, Citizenship Validity, Ranking, etc.

  “A User can bid if they have a valid Citizenship, the bid is less than the associated Credit Limit and greater than the current price”

PASTELS: Infrastructure & Solutions

PASTELS: Areas of Interest

Infrastructure and solutions to underpin Trust in B2B:

[Figure: Enterprise 1 (Consumer) and Enterprise 2 (Service Provider) rely on Common Trusted Third Parties; the consumer side holds the Client Identity Certificate and Client Attribute Credentials, handled by Credential Management and a Browser Plug-in; the provider side holds the Server Identity Certificate and Server Attribute Credentials and runs Credential Validation, Authorization and Credential Usage Monitoring in front of its Services; a Publishing Mechanism for the Semantic of Credentials is shared between them]

PASTELS

• Models: Credentials, User and Roles, Policies, Services
• Runtime Validation and Authorization Components

PASTELS: Model of Digital Credentials

Digital Credentials

• Identity Certificates - real life: your passport, identity card, etc.
• Attribute Credentials - real life: your driving license, bank statement, your credit card, etc.

PASTELS: Attribute Credential

Based on Digitally Signed XML

• Attribute Credentials are associated to Identity Certificates by using its Issuer DN and Serial Number:

[Figure: the Attribute Credential (XML File) carries the Issuer DN and Serial Number of the Identity Credential it refers to, its own attributes (Credit card: …, Expiration: …) and a Signature; the Identity Credential carries its Issuer DN, Serial Number and Name: …]

PASTELS: Attribute Credentials

• Attribute Credentials carry “Attributes” with no Explicit Authorization purposes
• Authorization Policies at Service Level are defined within the Enterprise that provides Services.
• An Attribute defined in a Credential becomes relevant for Authorization purposes in the context of an Authorization Policy

PASTELS: Model of Users and Roles

Model - Users, Roles

[Figure: User1 … User4 linked to Role1 and Role2 through User-Role Associations]

User, Role, User-Role Association Models based on Attributes:
- Core Attributes
- Management Attributes
- Customisable Attributes

User: XYZ
  Core Attributes:
    Name: Marco Casassa Mont
    Organisation: Company1
    email: marco_casassa-mont@hp.com
  Management Attributes:
    Account creation date: 11/03/1999
    Account expiration date: 31/12/1999
    createdBy: dddda
    authorizedBy: cccc
    Activation Condition: time>9:00, time<16:00
  Customizable Attributes:
    Trade Limit: 500

Role: Share Trader
  Core Attributes:
    Role Name: Share Trader
  Management Attributes:
    creation date: 11/03/1999
    expiration date: 31/12/1999
    createdBy: eeee
    authorizesBy: ffff
    Activation Condition: true
    state: active
  Customizable Attributes:
    Can Trade: yes

User-Role Association
  Core Attributes:
    User Name: Marco Casassa Mont
    Role Name: Share Trader
  Management Attributes:
    creation date: 11/03/1999
    expiration date: 31/12/1999
    createdBy: dddda
    authorizesBy: cccc
    Activation Condition: true
    state: active

PASTELS: Model of Authorization Policies

Policy

• Logical expression containing constraints on user profile, user’s roles, system information, service parameters, credential content, nature of credentials, external information
• Java like policy language. No PROLOG.
• Interpreted at runtime by the Authorization Engine (policy internal representation)
• Policies can be used to describe constraints of different nature: Validation, Credential Content Management, Authorization

Policy Example

Authorization Policy: “A User can bid if they have a valid Citizenship Credential, the bid is less than the associated Credit Limit and greater than the current price”

EXISTS
  (ASSIGN(CitizenshipNumber, CONTEXT.CitizenshipNumber))
VERIFY
  ((CitizenshipNumber.value > 0) &&
   (CitizenshipNumber.propertyQualifier == "attributeCredential") &&
   ASSIGN(CitizenshipCredential, CitizenshipNumber.scope) &&
   (CitizenshipCredential.IssuerDN == "CN=The MarketGovernance, …")) &&
  (bid.bidValue > 0) &&
  (bid.bidValue > currentPrice.value) &&
  (bid.bidValue <= CONTEXT.CreditLimit)

PASTELS: Model of Services

Model of Services

[Figure: Service 1 exposes Function 1, Function 2 and Function 3; Authorization Policies are attached to the functions of the Explicit Service Model]

Explicit Service Model

Service Model (XML based):

Application/Service Name: Trading Service
  Operation: Offer
    Parameters:
      endAuction: Date
      initialPrice: Integer
  Operation: Bid
    Parameters:
      currentPrice: Integer
      bid: Integer

Authorization Policy (attached to the Bid operation):

EXISTS
  (ASSIGN(CitizenshipNumber, CONTEXT.CitizenshipNumber))
VERIFY
  ((CitizenshipNumber.value > 0) &&
   (CitizenshipNumber.propertyQualifier == "attributeCredential") &&
   ASSIGN(CitizenshipCredential, CitizenshipNumber.scope) &&
   (CitizenshipCredential.IssuerDN == "CN=The MarketGovernance,")) &&
  (bid.bidValue > 0) &&
  (bid.bidValue > currentPrice.value) &&
  (bid.bidValue <= CONTEXT.CreditLimit)
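The Market Maker vetting and authorization policies, the Issuer DN + Serial Number link between an attribute credential and its identity certificate, and the policy expression above, evaluated by an added Python example that is not PASTELS code: the XML layout, the attribute names and the business-hours window (09:00-17:00) are assumptions, and signature verification of the XML credential is taken as already done by the validation step.

```python
import xml.etree.ElementTree as ET
from datetime import date, time

# Constructed sample (not PASTELS code): the authenticated user's identity
# certificate and two attribute credentials bound to it by Issuer DN + serial.
# Signature verification of the XML is assumed to have happened upstream.
IDENTITY_CERT = {"IssuerDN": "CN=Bank of Bristol CA", "SerialNumber": "64564656"}

CREDENTIALS_XML = """<credentials>
  <attributeCredential issuerDN="CN=Issuer ABC" expiration="2005-04-23">
    <identityCredential issuerDN="CN=Bank of Bristol CA" serialNumber="64564656"/>
    <attribute name="CreditLimit" value="150000"/>
  </attributeCredential>
  <attributeCredential issuerDN="CN=The MarketGovernance" expiration="2001-12-01">
    <identityCredential issuerDN="CN=Bank of Bristol CA" serialNumber="64564656"/>
    <attribute name="CitizenshipNumber" value="4776457"/>
  </attributeCredential>
</credentials>"""


def parse_credentials(xml_text):
    """Read each attribute credential: issuer, expiry, identity link, attributes."""
    creds = []
    for node in ET.fromstring(xml_text).findall("attributeCredential"):
        link = node.find("identityCredential")
        creds.append({
            "IssuerDN": node.get("issuerDN"),
            "expiration": date.fromisoformat(node.get("expiration")),
            "link": (link.get("issuerDN"), link.get("serialNumber")),
            "attributes": {a.get("name"): int(a.get("value"))
                           for a in node.findall("attribute")},
        })
    return creds


def build_context(identity_cert, creds, today_iso):
    """Credential Content Management: only credentials bound to the
    authenticated identity certificate and not yet expired contribute to
    CONTEXT; each attribute keeps its scope (the credential it came from)."""
    today = date.fromisoformat(today_iso)
    owner = (identity_cert["IssuerDN"], identity_cert["SerialNumber"])
    context = {}
    for cred in creds:
        if cred["link"] != owner or cred["expiration"] < today:
            continue
        for name, value in cred["attributes"].items():
            context[name] = {"value": value,
                             "propertyQualifier": "attributeCredential",
                             "scope": cred}
    return context


def vetting_policy(context, now_iso):
    """Marketplace entry: Credit Limit > 100000 certified by "Issuer ABC",
    during business hours (assumed here to be 09:00-17:00)."""
    limit = context.get("CreditLimit")
    if limit is None:
        return False
    now = time.fromisoformat(now_iso)
    return (limit["value"] > 100000
            and limit["scope"]["IssuerDN"] == "CN=Issuer ABC"
            and time(9, 0) <= now < time(17, 0))


def bid_policy(context, bid_value, current_price):
    """The bid policy from the slides: EXISTS(ASSIGN(CitizenshipNumber, ...))
    VERIFY(...). A missing CitizenshipNumber fails EXISTS and denies; a
    missing CreditLimit is also treated as a denial (safe default)."""
    citizenship = context.get("CitizenshipNumber")
    credit = context.get("CreditLimit")
    if citizenship is None or credit is None:
        return False
    citizenship_credential = citizenship["scope"]   # ASSIGN(CitizenshipCredential, scope)
    return (citizenship["value"] > 0
            and citizenship["propertyQualifier"] == "attributeCredential"
            and citizenship_credential["IssuerDN"] == "CN=The MarketGovernance"
            and bid_value > 0
            and bid_value > current_price
            and bid_value <= credit["value"])
```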

PASTELS: Distributed System Run-time

High Level Interaction

[Figure: a user with a Browser in enterprise 1 opens SSL active sessions with e-services in enterprise 2 and enterprise 3, each protected by the PASTELS framework and holding e-service credentials; the browser keeps the user attribute credentials in storage, views server credentials, PULLs server credentials, PUSHes user credentials and PULLs newly-issued user credentials over the Internet]

PASTELS Framework: Runtime Components

- Login Service: manages login, after basic authentication
- Session Manager: manages user sessions
- Credential Validation Manager: validation of Credentials
- Credential Content Manager: manages credential’s content
- User Context Manager: collects user’s profile, roles and credentials
- Authorization Server: Policy driven Authorization Server
- Credential Proxy: PUSH/PULL of credentials (browser plug-in)
- User Context Gateway: gateway to the Credential Usage Monitoring System
- Object Pool Manager: cache for user’s profile, roles and credentials

PASTELS Framework: Runtime Architecture (built up over several slides)

[Figure, User’s Goal: Access Service: a Remote User’s Browser with Plug In and Credentials, in a Remote Enterprise, reaches the Enterprise Web Server over the Internet via SSL; the Web Server fronts the Services and their Functions]

[Figure, Identity Certificate Validation: the Login Service receives the Identity Certificate and has it checked by Credential Validation against a CA and an AA via OCSP/CVSP; the Session Manager tracks the user session]

[Figure, Authorization Server: the Web Server sends a Policy Evaluation Request to the Authorization Server, which evaluates it against the Service Model and the Authorization Policies; Credential Validation is driven by the Credential Validation and Management Policies]

[Figure, Credential Content Mgmt: Credential Content Mgmt and an Abstractor process the credential content, driven by Policy Evaluation Requests and the Credential Validation and Management Policies]

[Figure, User Context Manager: the User Context Manager collects Users’ profiles, Users’ Roles, Users’ Identity Credentials, Users’ Attribute Credentials and Users’ Anonymous Credentials into the User Context Repository, fronted by the Object Pool Manager (Cache)]

User ContextUser Context

RepositoryRepository

User User ContextContextManagerManager

- Service Model- Service Model- Authorization- Authorization PoliciesPolicies

Credential Validation Credential Validation and Managementand ManagementPoliciesPolicies

CredentialsUsageMonitoringService

User ContextGateway

Link to “TrustView”

Page 74: Seminar: Solutions and Infrastructure to ensure Trust in E-Commerce Marco Casassa Mont marco_casassa-mont@hp.com Trusted E-Services Laboratory Hewlett-Packard

ServicesServices

AuthorizationAuthorization ServerServer

Credential Credential Validation Validation

WebServer Function

Function

Plug In

RemoteUser’s

Browser

CredentialsCredentials

RemoteRemoteEnterpriseEnterprise

EnterpriseEnterprise

Internet

SSL

Policy Evaluation Request

LoginService

OCSP/CVSP

CA

AA

Session Manager

Credential Credential Content MgmtContent Mgmt

Policy Evaluation Request

AbstractorAbstractor

Users’ profilesUsers’ RolesUsers’ Identity CredentialsUsers’ Attribute CredentialUsers’ Anonymous Credential

Object Pool Manager (Cache)Object Pool Manager (Cache)

User ContextUser Context

RepositoryRepository

User User ContextContextManagerManager

- Service Model- Service Model- Authorization- Authorization PoliciesPolicies

Credential Validation Credential Validation and Managementand ManagementPoliciesPolicies

CredentialsUsageMonitoringService

User ContextGateway

CredentialProxy

Push Credential

Pushing a User’s Attribute Credential

Page 75: Seminar: Solutions and Infrastructure to ensure Trust in E-Commerce Marco Casassa Mont marco_casassa-mont@hp.com Trusted E-Services Laboratory Hewlett-Packard

ServicesServices

AuthorizationAuthorization ServerServer

Credential Credential Validation Validation

WebServer Function

Function

Plug In

RemoteUser’s

Browser

CredentialsCredentials

RemoteRemoteEnterpriseEnterprise

EnterpriseEnterprise

Internet

SSL

Policy Evaluation Request

LoginService

OCSP/CVSP

CA

AA

Session Manager

Credential Credential Content MgmtContent Mgmt

Policy Evaluation Request

AbstractorAbstractor

Users’ profilesUsers’ RolesUsers’ Identity CredentialsUsers’ Attribute CredentialUsers’ Anonymous Credential

Object Pool Manager (Cache)Object Pool Manager (Cache)

User ContextUser Context

RepositoryRepository

User User ContextContextManagerManager

- Service Model- Service Model- Authorization- Authorization PoliciesPolicies

Credential Validation Credential Validation and Managementand ManagementPoliciesPolicies

CredentialsUsageMonitoringService

User ContextGateway

Credential Credential Issuer/PushIssuer/Push

CredentialProxy

Pull Credential

Pulling Attribute Credentials

Page 76: Seminar: Solutions and Infrastructure to ensure Trust in E-Commerce Marco Casassa Mont marco_casassa-mont@hp.com Trusted E-Services Laboratory Hewlett-Packard

ServicesServices

User User ContextContextManagerManager

CredentialsUsageMonitoringService

AuthorizationAuthorization ServerServer

- Service Model- Service Model- Authorization- Authorization PoliciesPolicies

Credential Validation Credential Validation and Managementand ManagementPoliciesPolicies

Credential Credential Validation Validation

WebServer

Session Manager

AuthorizationRequest

Function

Function

Credential Credential Issuer/PusherIssuer/Pusher

Plug In

RemoteUser’s

Browser

CredentialsCredentials

RemoteRemoteEnterpriseEnterprise

EnterpriseEnterprise

Internet

SSL

Policy Evaluation Request

CredentialProxy Credential Credential

Content MgmtContent Mgmt

Policy Evaluation Request

User ContextUser Context

Users’ profilesUsers’ RolesUsers’ Identity CredentialsUsers’ Attribute CredentialUsers’ Anonymous Credential

LoginService

User ContextGateway

AbstractorAbstractor

Object Pool Manager (Cache)Object Pool Manager (Cache)

RepositoryRepository

OCSP/CVSP

CA

AA

Authorization at Service Level
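The validation-then-authorization path of the diagrams above (credentials accepted only from a trusted AA, checked for signature, expiry and revocation, then a per-function policy evaluated by the Authorization Server with default deny), as an added Go example that is not PASTELS' own code. The credential format, the Ed25519 signatures, the AA names and the policy are constructed assumptions, and a revocation map stands in for the OCSP/CVSP answer.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"time"
)

type (
	// Credential is what an AA asserts about a user (constructed format, not PASTELS' own).
	Credential struct {
		Subject, Issuer, Serial string
		Attrs                   map[string]string
		NotAfter                int64 // Unix seconds
	}
	Signed struct{ Body, Sig []byte } // JSON credential plus the AA's Ed25519 signature over it
	AuthzServer struct {
		TrustedAAs map[string]ed25519.PublicKey // trust anchors: AA name -> public key
		Revoked    map[string]bool              // stand-in for an OCSP/CVSP answer, keyed by serial
		Policy     map[string]map[string]string // service function -> attributes it requires
	}
)

// Valid returns the attributes only if the issuer is trusted, the signature verifies, and the credential is unexpired and unrevoked.
func (a *AuthzServer) Valid(s Signed) (map[string]string, bool) {
	var c Credential
	parsed := json.Unmarshal(s.Body, &c) == nil
	pub, trusted := a.TrustedAAs[c.Issuer] // an unknown issuer's nil key never reaches Verify (short-circuit)
	ok := parsed && trusted && ed25519.Verify(pub, s.Body, s.Sig) &&
		time.Now().Unix() <= c.NotAfter && !a.Revoked[c.Serial]
	return c.Attrs, ok
}

// Authorize evaluates the policy for one service function. Attributes from invalid
// credentials contribute nothing; an unknown function or a missing attribute denies.
func (a *AuthzServer) Authorize(function string, creds []Signed) bool {
	have := map[string]string{}
	for _, s := range creds {
		if attrs, valid := a.Valid(s); valid {
			for k, v := range attrs {
				have[k] = v
			}
		}
	}
	required, ok := a.Policy[function]
	for k, v := range required {
		ok = ok && have[k] == v
	}
	return ok
}
```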

Page 77: Credential Usage Monitoring Service

Page 78: PASTELS Prototype

• Prototype leverages State of the Art technology:
  - PKI and PKI toolkits (Baltimore UniCERT, J/PKI-Plus)
  - Signed XML (Baltimore X/Secure)
  - SSL with full handshake
  - Web server technology (IIS, JWS)
  - Enterprise Java Beans (EJB)
  - Relational Database (MS SQL Server, MS Access)
  - Object Oriented Database (Cloudscape)

Page 79: Trust Management: Prior Relevant Work

• SPKI (Ellison): Delegation Model

• PolicyMaker (Blaze): Trust Management System
  - Assertions of certificates and policies
  - Policy: key <--> local policy
  - Verify that actions conform to policies and credentials

• IETF: X.509 RFC, Attribute Certificate RFC

Page 80: Trust Management: Prior Relevant Work

• KeyNote (Blaze): Trust Management System
  - It derives from PolicyMaker
  - Common language for credentials and policies
  - Policy: action permitted by the holder of a public key

• REFEREE (LaMacchia): Trust Management System
  - Environment to evaluate compliance with policies
  - Self-regulated by policies
  - Based on Credentials

Page 81: PART 3: Moving Towards The Future …

Page 82: Dealing with things when they go wrong … Trust Services as a Safety Net for E-Commerce

[Diagram: Internet; B-2-B; an Enterprise and a User on each side; Trust Services in between]

Page 83: Moving Trust to the E-World

Trust Services exist in the physical world. In the E-World the wheels still need greasing. However, the interactions are different.

[Diagram: Notary; Dispute Resolution; Underwriter; Repository; Identity tracking]

Page 84: Greasing the wheels of E-Commerce

Trust Service Eco-system (diagram): Notary; Restoration Services; Access Control; Evidential Analysis; Identity tracking; Storage (contracts, keys, evidential documents); Monitoring (real time); Reliable Messaging; Underwriter; Credential Management; Policy

Page 85: Trust Services Research Problems …

• Integrity

• Authenticity

• Confidentiality

• Non-Repudiation

• Longevity

• Survivability

• Accountability

• Simplicity

Page 86