A Semantic Approach for context-aware Authorization in Enterprise Systems

From its-wiki.no



by Hans Martin Sydskogen Folkeseth
Supervisor(s) Josef.Noll, Zahid.Iqbal
Due date 2013/05/12
Status Finished
Problem description: Single Sign-On (SSO) is one of the dominant sign-on mechanisms for the web. Although SSO implementations have existed for quite some years, e.g. from myopenid.org and Feide, they have only recently reached the mass market. Social networks like LinkedIn, Facebook and Google allow for SSO, or rather remote authentication, which is then used for access authorisation of specific tasks on the server of the relying party.

Current Single Sign-On systems only deliver a "yes/no" authentication string back to the relying party. This binary authentication is not state of the art, as it does not provide any information about the role of the person in the remote organisation or the trust level resulting from the authentication. Advanced access control systems include the notion of roles (RBAC) or even attributes (ABAC). Semantic technologies are seen as enablers for context information, which can be added as one of the attributes in an ABAC system.
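To make the contrast in the paragraph above concrete, here is an added example (not code from the thesis or the wiki page) that puts a binary SSO verdict next to a role-based and an attribute-based decision in which context such as network location, time of day and authentication trust level is an input. All roles, attributes, rules and context values are constructed for illustration and are not taken from the thesis.

```python
"""Added example: binary SSO verdict vs. RBAC/ABAC decision with context attributes.
Every role, attribute, rule and context value below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Assertion:
    """What an identity provider hands back to the relying party after authentication."""
    subject: str
    authenticated: bool
    roles: set = field(default_factory=set)          # RBAC input (constructed role names)
    attributes: dict = field(default_factory=dict)   # ABAC input, e.g. trust_level of the login


def binary_sso_decision(assertion: Assertion) -> str:
    """The current practice described on the page: only a yes/no string is returned."""
    return "yes" if assertion.authenticated else "no"


# Constructed policy: each rule names a resource/action, the roles that may match,
# and context conditions evaluated against (attributes, context).
RULES = [
    {
        "resource": "payroll",
        "action": "read",
        "roles": {"hr"},
        "conditions": [
            # trust_level 2 stands for a login that used a second factor (constructed scale)
            lambda attrs, ctx: attrs.get("trust_level", 0) >= 2,
            lambda attrs, ctx: ctx.get("network") == "corporate",
            lambda attrs, ctx: time(8, 0) <= ctx["time"].time() <= time(18, 0),
        ],
    },
    {
        "resource": "wiki",
        "action": "read",
        "roles": {"employee", "hr"},
        "conditions": [],   # pure RBAC: any matching role suffices
    },
]


def authorize(assertion: Assertion, resource: str, action: str, context: dict):
    """Return (allowed, reason). Denies by default when no rule grants access."""
    if not assertion.authenticated:
        return False, "not authenticated"
    for rule in RULES:
        if rule["resource"] != resource or rule["action"] != action:
            continue
        if not (rule["roles"] & assertion.roles):
            continue   # role does not match; keep looking for another rule
        failed = [
            i for i, cond in enumerate(rule["conditions"])
            if not cond(assertion.attributes, context)
        ]
        if failed:
            return False, f"{resource}/{action}: role matched but context condition(s) {failed} failed"
        return True, f"{resource}/{action}: permitted"
    return False, "no matching rule (default deny)"


if __name__ == "__main__":
    # Constructed sample: an HR employee logged in with a second factor, from the office, at 10:00.
    hr_user = Assertion("alice", True, {"hr", "employee"}, {"trust_level": 2})
    office = {"network": "corporate", "time": datetime(2013, 5, 6, 10, 0)}
    print(binary_sso_decision(hr_user))                     # binary SSO: "yes", nothing more
    print(authorize(hr_user, "payroll", "read", office))    # (True, ...)
    home = {"network": "public", "time": datetime(2013, 5, 6, 22, 30)}
    print(authorize(hr_user, "payroll", "read", home))      # (False, ...) conditions 1 and 2 fail
```

The point the paragraph makes shows up in the second and third calls: the SSO string is "yes" in both cases, but only the attribute- and context-aware evaluator can distinguish the office request from the late-night request over a public network. Adding semantic context is then a matter of extending the attribute and context dictionaries, not of changing the relying party's integration with the identity provider.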

This master thesis consists of research on authentication methods. We are interested in what kinds of policies are available to us, in third-party authentication, and in what purposes the authentication mechanism (e.g. a password) serves beyond pure authentication on common platforms (UNIX, Windows and OSX). The main purpose is to find the effect of each available method or policy and from that derive some best practices.

This thesis will establish a model describing the cost/benefit analysis for a company providing advanced authentication mechanisms, including SSO. A specific focus is on the use of passwords, as they are seen as critical both with respect to security and with respect to usability.

The envisaged outcome of the thesis is a policy-based decision tree, allowing companies to define a required security level and then adopt criteria which will meet this required security. Common-practice and best-practice examples are foreseen to show how close industrial solutions come to satisfying the security policy in conjunction with an easy-to-use algorithm.

Methods and Tools: The tools and methods in this thesis are based on
  • A set of scenarios describing the challenges
  • A list of requirements being extracted from the scenarios
  • A description and evaluation of technologies and tools being candidates for solutions
  • A functional architecture/description of the envisaged system
  • An implementation of the core concepts
  • A demonstration of the solution
  • An evaluation of the solution, including a critical review of the decisions taken earlier
  • Conclusions
  • References
Time schedule:

T0 = starting month (August 2012); T0+m denotes the month in which the contribution to a certain chapter shall be finalized.

T0+2 months: create an initial page describing the scenario
T0+3: Provide a list of technologies which you think are necessary for the thesis
T0+4: Establish the table of content (TOC) of the envisaged thesis. Each section shall contain 3-10 keywords describing the content of that section
T0+7: Provide a draft of section 2 (scenario) and 3 (technologies)
T0+10: Establish a draft on what to implement/architecture
T0+11: Set-up an implementation, testing and evaluation plan
T0+15: Evaluate your solution based on a set of parameters, keep in mind there is no such thing as a free lunch
T0+17: Deliver the thesis
Pre-knowledge: The student should have a decent understanding of programming and be interested in learning about Semantic Technologies.
Approved: by Kirsti Dalseth
Keywords: SSO, login, Liberty Alliance, Microsoft Card Space, Semantic Technologies, Access control


Thesis is delivered

The thesis was delivered in December 2013 and can be downloaded here: Media:201312Semantic_Approach_for_Authorization_Enterprise_Systems_Folkeseth.pdf

Driving Questions

  • Provide an overview on security policies
    • What are their advantages/limitations?
    • Provide examples on implementations
  • Provide an overview on various authentication schemes, including role-based and attribute-based authentication
  • Establish a model for the cost/benefit analysis of authentication schemes
    • Evaluate implementations/practices against this model
    • Time/resource saver?
  • Extend the model to take into consideration
    • Third-party access control schemes
    • Password recycling
    • Password reset self-service
    • Policies

  • Perform a study on SSO extensions to include advanced authentication schemes such as RBAC and ABAC
    • Single sign-on?
    • Duration
    • Common practice
  • Apply the model for SSO-based systems with RBAC/ABAC
  • Different practices for different purposes?

Scientific papers

Semantic web
Mushfiq Ph.d
Mushfiq publication #1 2010

Claim based authentication
Federated Claims Based Authentication and Access Control in the Vehicular Networks, 2011

Single Sign-on
Single Sign-On Architectures, 2002

Role Based Access Control
An Approach to Access Control under Uncertainty, 2011

Attribute-based access control
Towards Semantic-Enhanced Attribute-Based Access Control for Cloud Services, UNIK, June 2012

Papers for UNIK4710
A Semantic Model For Authentication Protocols, 1993
Towards a Precise Semantics for Authenticity and Trust, 2006
The Semantic Web, 2001
A semantic based access control model, 2006
Authorization and privacy for semantic Web services, 2004
Semantic Authorization of Mobile Web Services, 2006

  • PGP (Pretty Good Privacy)
  • Public-key cryptography