Département Réseau, Sécurité et Multimédia Rapport d'Activités 2008

Security of NGN servicesResearch Staff : Ahmed Bouabdallah, Frédéric Cuppens, Nora Cuppens – Ph.D. Student: Nabil AjamKeywords : location-based service, location privacy, Parlay gateway, web serviceApplications : B2B application, NGN platform, Service composition policy, parlay gatewaysPartners & Funding : partially funded by FNADTcommands into particular signalling protocolsIntroductiondepending on the specificity of networks.Next Generation Network (NGN) constitutesthe convergence between telecommunicationand IT infrastructures, which is a looselycoupled layered architecture. The keyevolution is the service creation in thosenetworks where now third parties manage iteither by operators.This approach drastically differs from the oneused in traditional circuit networks where thevertical integration induces a centralization ofthe computational resource, of the servicecreation process and of the underlyingbusiness model.Service providers can now access corenetwork capabilities through open andstandardized interfaces, the parlay gatewaybased on APIs or through the parlay Xgateway based on web services.On the other hand, location service is one ofthe most important capabilities provided byoperator cellular networks. We studied thearchitecture and the added nodes that allowaccuracy up to 5 meters in indoor and outdoorareas. It is expected that locations basedservices will be the killer application in NGN.Location information is a sensitive informationthat can imperil user integrity. We areinterested on one security issue of thoseservices delivered through Parlay X gateway,which is the privacy of end users.To secure service creation in NGN, we have tointroduce some strict constraints on the accessof third parties on operator networks throughparlay gateways. In this way, privacy issue isinvestigated in service creation.This work is part of a Ph.D, funded by theFNADT project “Platform of securitysupervision and application to web service”,dedicated to securing service creation forParlay and Parlay X which began in March2006.RealizationWe studied Parlay gateways. Parlay and ParlayX gateways play two essential roles: (1)protect operator networks from maliciousmanipulation of networks, and (2) map serviceThe location-based services are presented asthe future killer application [1]. Thisapplication uses a sensitive personal data sothat protecting privacy of subscribers isrequired. To secure this application, we firststudied the network architectures that provideusers positioning. We then specify securityproperties and personal data to enforcesecurity. We suggested to use pseudonymitywhen location based services are used throughParlay X gateway. So, we proposed to add anew "Privacy web service" to Parlay X gatewayto act as a proxy between third parties andend user that ensures the use of pseudonymsof subscribers [2].We are currently investigating how to improveprivacy web service to permit end userconfigure their privacy policy and how it canact as a complete retailer of location service.Future workWe planned in future work to formally describeend user privacy and privacy providers. Weintend to prove formally that end user privacyis ensured in services provided through ParlayX gateway. We tend to model privacy policyusing the Orbac model.We also investigate the security requirementsof composition. No standards and consensusexist. Many researchers suggest includingsecurity aspects in semantics for compositions.We aim to prove that a composed serviceobeys the security policies of each composedservice. The service creation throughcomposition is a new research field wheresecurity is not addressed. The expression of aglobal privacy policy of composed services canbe addressed in future works.References[1] 3 rd Generation Partnership Project,"Technical Report: Enhanced support for UserPrivacy in Location Service," 2002.[2] Nabil Ajam, "Privacy based access to ParlayX locations based services", ICNS, Guadeloupe,2008.Pracom’s Annual Report 2008 51