A Semantic Approach for context-aware Authorization in Enterprise Systems
| Field | Value |
|---|---|
| By | Hans Martin Sydskogen Folkeseth |
| Supervisor(s) | Josef Noll, Zahid Iqbal |
| Due date | 2013/05/12 |
| Status | Finished |
| Pre-knowledge | The student should have a decent understanding of programming and an interest in learning about Semantic Technologies. |
| Approved | Approved by Kirsti Dalseth |
| Keywords | SSO, login, Liberty Alliance, Microsoft CardSpace, Semantic Technologies, Access control |

Problem description

Single Sign-On (SSO) is one of the dominant sign-on mechanisms for the web. Although SSO implementations have existed for quite a few years, for example from myopenid.org and Feide, they have only recently reached the mass market. Social networks such as LinkedIn, Facebook and Google offer SSO, or rather remote authentication, which the requiring party then uses to authorise access to specific tasks on its own server.

Current SSO systems deliver only a "yes/no" authentication result back to the requiring party. This binary authentication is not state of the art, as it carries no information about the person's role in the remote organisation or about the trust level resulting from the authentication. Advanced access-control systems include the notion of roles (RBAC) or even attributes (ABAC). Semantic technologies are seen as enablers for context information, which can be added as one of the attributes in an ABAC system.

This master's thesis consists of research on authentication methods: which kinds of policies are available, third-party authentication, and what purposes the authentication mechanism (e.g. the password) serves beyond pure authentication on common platforms (UNIX, Windows and OS X). The main purpose is to find the effect of each available method/policy and from that derive some best practices. The thesis will establish a model describing the cost/benefit analysis for a company providing advanced authentication mechanisms, including SSO. A specific focus is on the use of passwords, as they are seen as critical both with respect to security and with respect to usability. The envisaged outcome of the thesis is a policy-based decision tree that allows a company to define a required security level and then adopt criteria that will meet it. Common- and best-practice examples are foreseen to show how close industrial solutions come to satisfying the security policy in conjunction with an easy-to-use algorithm.

Methods and Tools

The tools and methods in this thesis are based on

Time schedule

T0 = starting month = August 2012; T0+m denotes the month in which the contribution to a given chapter shall be finalized.
Thesis is delivered
The thesis was delivered in December 2013 and can be downloaded here: Media:201312Semantic_Approach_for_Authorization_Enterprise_Systems_Folkeseth.pdf
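The problem description contrasts a binary SSO answer with assertions that carry a role (RBAC) and further attributes, including context and the assurance level of the authentication (ABAC), and envisages a policy that states a required security level and derives the acceptable criteria from it. The following is an added example illustrating that contrast; it is not code from the thesis or from this page. The assurance scale, the policy shape, the attribute names, the identity-provider name and all sample assertions are constructed for illustration.

```python
# Added example, not code from the thesis or the wiki page. It contrasts the
# binary answer a plain SSO exchange yields with a role- and attribute-carrying
# assertion evaluated under RBAC and ABAC. The assurance scale, policy shape,
# attribute names and sample assertions are all constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed mapping from authentication method to an assurance level; the page
# speaks of a "trust level resulting from the authentication" without fixing a scale.
ASSURANCE: Dict[str, int] = {"password": 1, "otp": 2, "smartcard": 3}


@dataclass(frozen=True)
class Assertion:
    """What a (hypothetical) identity provider hands back to the relying party."""
    subject: str
    issuer: str
    authenticated: bool
    role: Optional[str] = None          # RBAC input
    auth_method: Optional[str] = None   # source of the assurance level
    context: Dict[str, object] = field(default_factory=dict)  # ABAC/context attributes

    @property
    def assurance(self) -> int:
        """Assurance level derived from how the subject authenticated (0 if unknown)."""
        if not self.authenticated:
            return 0
        return ASSURANCE.get(self.auth_method or "", 0)


@dataclass(frozen=True)
class Policy:
    """Per-resource policy: who, how strongly authenticated, and in what context."""
    resource: str
    allowed_roles: FrozenSet[str]
    min_assurance: int
    context_rules: Dict[str, FrozenSet[object]]  # attribute -> permitted values


def binary_sso_decision(a: Assertion) -> bool:
    """Plain SSO: the relying party only learns whether sign-on succeeded."""
    return a.authenticated


def rbac_decision(a: Assertion, p: Policy) -> bool:
    """RBAC: the assertion additionally carries the subject's role."""
    return a.authenticated and a.role in p.allowed_roles


def abac_decision(a: Assertion, p: Policy) -> Tuple[bool, str]:
    """ABAC: role, assurance level and context attributes all feed the decision.
    Returns (permit, reason) so the deciding factor is visible for audit."""
    if not a.authenticated:
        return False, "not authenticated"
    if a.role not in p.allowed_roles:
        return False, "role %r not permitted for %s" % (a.role, p.resource)
    if a.assurance < p.min_assurance:
        return False, "assurance %d below required %d" % (a.assurance, p.min_assurance)
    for attr, permitted in p.context_rules.items():
        value = a.context.get(attr)          # missing attribute -> None -> deny
        if value not in permitted:
            return False, "context %s=%r not permitted" % (attr, value)
    return True, "permit"


def acceptable_auth_methods(p: Policy) -> List[str]:
    """Policy-driven criteria: which authentication methods satisfy the policy's
    required assurance level (the decision-tree idea from the problem description)."""
    return sorted((m for m, lvl in ASSURANCE.items() if lvl >= p.min_assurance),
                  key=ASSURANCE.get)


# Constructed sample policy and assertions (issuer "idp.example" is fictitious).
PAYROLL = Policy(
    resource="payroll-export",
    allowed_roles=frozenset({"hr_manager"}),
    min_assurance=2,
    context_rules={"network": frozenset({"corp"}), "device_managed": frozenset({True})},
)

ALICE_PASSWORD = Assertion("alice", "idp.example", True, "hr_manager", "password",
                           {"network": "corp", "device_managed": True})
ALICE_OTP = Assertion("alice", "idp.example", True, "hr_manager", "otp",
                      {"network": "corp", "device_managed": True})
ALICE_OTP_CAFE = Assertion("alice", "idp.example", True, "hr_manager", "otp",
                           {"network": "public", "device_managed": True})
BOB_OTP = Assertion("bob", "idp.example", True, "engineer", "otp",
                    {"network": "corp", "device_managed": True})
ANON = Assertion("unknown", "idp.example", False)


def evaluate(a: Assertion, p: Policy = PAYROLL) -> Dict[str, object]:
    """Side-by-side decisions from the three models for one assertion."""
    return {"binary": binary_sso_decision(a),
            "rbac": rbac_decision(a, p),
            "abac": abac_decision(a, p)}


if __name__ == "__main__":
    for a in (ALICE_PASSWORD, ALICE_OTP, ALICE_OTP_CAFE, BOB_OTP, ANON):
        print(a.subject, a.auth_method, evaluate(a))
    print("methods meeting policy:", acceptable_auth_methods(PAYROLL))
```

The same user with the same role is permitted or denied depending on how she authenticated and from where, which a yes/no answer cannot express; the relying party can only make that distinction if the assertion carries the role, the authentication method and the context attributes, and the reason string records which rule decided.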
Driving Questions
- Provide an overview on security policies
  - What are their advantages/limitations?
  - Provide examples of implementations
- Provide an overview on various authentication and authorization schemes, including role-based (RBAC) and attribute-based (ABAC) access control
- Establish a model for the cost/benefit analysis of authentication schemes
  - Evaluate implementations/practices against this model
  - Is it a time/resource saver?
- Extend the model, taking into consideration:
  - Third-party access control schemes
  - Password recycling
  - Password reset self-service
  - Policies
- Perform a study on SSO extensions that include advanced access control schemes such as RBAC and ABAC
  - Single sign-on?
  - Duration
  - Common practice
- Apply the model to SSO-based systems with RBAC/ABAC
  - Different practices for different purposes?
Scientific papers
Semantic web
- Mushfiq Ph.D.
- Mushfiq publication #1 2010
Claim-based authentication
- Federated Claims Based Authentication and Access Control in the Vehicular Networks, 2011
Single Sign-On
- Single Sign-On Architectures, 2002
Role-based access control
- An Approach to Access Control under Uncertainty, 2011
Attribute-based access control
- Towards Semantic-Enhanced Attribute-Based Access Control for Cloud Services, UNIK, June 2012
Papers for UNIK4710
- A Semantic Model For Authentication Protocols, 1993
- Towards a Precise Semantics for Authenticity and Trust, 2006
- The Semantic Web, 2001
- A semantic based access control model, 2006
- Authorization and privacy for semantic Web services, 2004
- Semantic Authorization of Mobile Web Services, 2006
Keywords
- PGP (Pretty Good Privacy)
- Public-key cryptography