DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

More documents

Recommendations

Info

execution in a distributed manner. For thispurpose, we define an algorithm to generatethe local security policy associated with theexecution of each task that composes theworkflow. The global policy and the petri netmodel associated with the workflow executionare provided as inputs of the algorithm [4].Our approach differs from previous works bydefining a dynamic management of workflowauthorizations and by considering a securitypolicy that takes into account information flowcontrol. This approach based on the DTEmodel is more robust and flexible than the MLS(Multi-Level Security) approach used in otherworks.ConclusionUntil now, we have presented a petri netbased model for moddeling workflows and wehave defined the associated security policy.This model and security policy are based onOrBAC concepts. Thus, they reuse organizationand context notions defined in this accesscontrol model. Our security policy takes intoaccount different temporal constraints betweentwo tasks. It is composed of a general securitypolicy, a coordination security policy and aninformation flow control policy. In a secondpart, we have presented an algorithm allowingus to synchronize authorization flows withworkflow execution. This algorithm defineshow to execute the suggested model in adistributed WFMS environment.As part of future work, we shall enrich ouralgorithm by handling information flowsbetween different organizations. Indeed,organizations must exchange flows to haveknowledge of what is happening globally in thesystem. These flows must be managed inorder to keep a secure execution environmentof the process. Exchanging flows betweenorganizations must be compliant with theconfinement principle. Thus, these exchangeshave to be controlled in order to keep a secureenvironment of execution processes.References[1] Workflow Management Coalition. WorkflowSecurity Considerations. White Paper.Document number WFMC-TC-1019, DocumentStatus – Issue 1.0. 1998.[2] Samiha Ayed, Nora Cuppens-Boulahia,Frédéric Cuppens. Deploying Access Control inDistributed Workflow. Australian InformationSecurity Conference, Wollongong, Australia(AISC), January 2008.[3] Samiha Ayed, Nora Cuppens-Boulahia,Frédéric Cuppens. An integrated model foraccess control and information flowrequirements. 12th Annual Asian ComputingScience Conference Focusing on SecureSoftware and Related Issues (ASIAN), Doha,Qatar, December 2007.[4] Samiha Ayed, Nora Cuppens-Boulahia,Frédéric Cuppens. Managing access and flowcontrol requirements in distributed workflows.6th ACS/IEEE International Conference onComputer Systems and Applications (AICCSA)Doha, Qatar, March 2008.PROTEKTO : Security platform for content providersResearch Staff : Nora et Frédéric Cuppens, François WangKeywords : Authentication, Authorization, OpenId, SAML, OrBACApplications : Secure content managementPartners & Funding : Partial funding in the framework of Carnot institutesIntroductionThe Protekto project's goal is to create aplatform for content providers which integratesthe recent technologies for authentication andauthorization, capitalising on TélécomBretagne work and competences of the SWIDcompany. Regarding authentication, Protektowill use the OASIS standard SAML 2.0(Security Assertion Markup Language) [1] andthe OpenID 2.0 protocol (seehttp://openid.net/developers/specs/) adoptedby users. And for the authorization part of38 Extract of Pracom’s Annual Report 2008
Protekto, the OrBAC model and the XACMLstandard will be used.Delegation of this security functions is asolution that reduces costs and increasessecurity, moreover users will take advantage ofthe last technological advancements insecurity. The content provider’s work will befacilitated with only the contents productionand the users will appreciate the single sign onand the identity management.RealisationThe first part of the project is aboutauthentication, researches about how tointegrate OpenID and SAML together in theplatform were performed. SAML 2.0 is anadvanced solution for exchanging securityinformation but is also more complex thanOpenID. As for OpenID, the number of usersand sites is growing and potential usersnumber is more than 350 millions, this recentprotocol is very interesting for users with themanaging of their identity.We made an OpenID identity provider (usingthe version 2.0 of OpenID), allowing users tocreate their identity, manage attributes withprofiles and information sent to sites they visit,and personalized their OpenID identity page.Interaction between users was also a concern,users can manage a buddy list and sendmessages to friends registered on this identityprovider. Moreover in order to ease the use ofour provider, efforts were made for theinterface and two different implementations inXHTML and flash were developed.Protekto is also an OpenID consumer, andthen users registered to another OpenIDprovider are able to use our platform. AsOpenID is a fully decentralized system, wewere able to validate our work with differentOpenID enabled sites on the Internet.Regarding security requirement, OpenID is aweak form of authentication, and then it is notappropriate for sensitive transactions likeelectronic payment. SAML 2.0 is more securefor these operations, it permits assertionsabout authorization and can be used with theXACML standard. But it is less practical for theuser who needs to be registered to a providerbelonging to the circle of trust. That is why ourplatform uses these two protocols, OpenIDvery interesting for users and SAML moresecure for providers with sensitive contents.We began an authentication server using SAMLwith an OpenID consumer part. We let userschoose if they want to be authenticated usingtheir OpenID identity (from our OpenIDidentity provider but also from otherproviders). After authentication, informationare exchanged using SAML 2.0 and if anOpenID identity is used then a specific SAML2.0 authentication context for OpenID isneeded.A registration of Protekto at the Agency forProtection of Programs (APP) was made byNora Boulahia-Cuppens, Frédéric Cuppens,François Wang (Télécom Bretagne), andStéphane Morucci (SWID).Future workFuture work will consist in addingfunctionalities to our OpenID identity provider,and finishing to integrate SAML 2.0 to theProtekto platform. Then the second partconcerning authorization, the XACML profilewill be added for access control. TélécomBretagne work on the OrBAC model will bevalued thanks to their tools they developedwhich adapt OrBAC policies to XACML.Reference[1] Assertions and Protocols for the OASISSAML V2.0. OASIS SSTC, March 2005.Pracom’s Annual Report 2008 39
Page 2 and 3:
Présentation générale...........
Page 4 and 5:
Activités d’enseignementLe dépa
Page 6 and 7:
Activités de rechercheLe départem
Page 8 and 9:
Notre implication dans les organism
Page 10 and 11:
le cadre du projet NextTV4all où l
Page 12 and 13:
cloisonnement par domaine tels qu
Page 14 and 15: - le GIS ITS (Intelligent Transport
Page 16 and 17: Twente aux Pays Bas, Université de
Page 18 and 19: Liste des doctorants présents en 2
Page 20 and 21: Annexe 2 : liste des publicationsAr
Page 22 and 23: COMA-BREBEL Céline, CUPPENS Nora,
Page 24 and 25: PHAN LE Cam Tu, CUPPENS Frédéric,
Page 26 and 27: Annexe 3 : description détaillée
Page 28 and 29: Access Control ....................
Page 30 and 31: schemes specifically suitable for l
Page 32 and 33: An easy-to-use solution for IPv6 co
Page 34 and 35: Loss Synchronization and Router Buf
Page 36 and 37: Sensor NetworksRandom Walk Techniqu
Page 38 and 39: Suppressing Neighbor Discovery in W
Page 40 and 41: Media and NetworksIP-based transmis
Page 42 and 43: One of the most difficult aspects o
Page 44 and 45: Another direction is the associatio
Page 46 and 47: classes. In our simple study case,
Page 48 and 49: Management of Multiple Access Netwo
Page 50 and 51: Adaptation of Multimedia Flows in a
Page 52 and 53: Optimized mobility management in he
Page 54 and 55: ecause it offers a generic framewor
Page 56 and 57: Future workOur next step is to fina
Page 58 and 59: Security Analysis and ValidationAna
Page 60 and 61: RealizationFigure 1 shows a classif
Page 62 and 63: Policy AdministrationResearch Staff
Page 66 and 67: Intrusion DetectionDetection and co
Page 68 and 69: eported alerts have to be managed b
Page 70 and 71: inside the corresponding detection
Page 72 and 73: function has a limitation that it d
Page 74 and 75: 1) Normal Node behavior simulation:
Page 76 and 77: negotiation. These strategies speci
Page 78 and 79: A Fast Adaptative Secure Technology
Page 80 and 81: estricted to the organization to wh
Page 82 and 83: ights and external identities, and
Page 84 and 85: Peer 2 peerP2PIm@gesResearch Staff
Page 86 and 87: Managing a Peer-to-Peer Storage Sys
Page 88 and 89: Applications of networks to transpo
Page 90 and 91: Adaptive Application Support in Mob
Page 92 and 93: Wireless Mesh NetworksResearch Staf
Page 94 and 95: TestbedsA showroom for practical IP
Page 96 and 97: egistrar and proxies, video streami
show all

DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

Create successful ePaper yourself

Delete template?

Save as template?