1 / 20

Integrating Authorization and Privacy in Semantic Web Services: A Policy-Based Approach

This paper discusses the integration of security into semantic web services by focusing on authorization and privacy. The outlined approach goes beyond traditional credential-based security to encompass more expressive, policy-based frameworks. By utilizing OWL-S profiles and the Rei policy language, security annotations are tied to various parameters including requester attributes, service context, and privacy regulations. This allows for fine-grained control and reasoning at higher abstraction levels, facilitating better matchmaking and composition for secure web services.

lester
Télécharger la présentation

Integrating Authorization and Privacy in Semantic Web Services: A Policy-Based Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Authorization and Privacy for Semantic Web Services Lalana Kagal, Tim Finin (UMBC) Grit Denker (SRI) Massimo Paolucci, Naveen Srinivasan, Katia Sycara (CMU)

  2. Purpose • Integrate security into semantic web services • Security levels • Specification • Enforcement • Security requirements include authorization, authentication, data integrity, delegation, trust, privacy, and more. • GOAL : to provide security annotations for web services at high abstraction levels to enable reasoning, matchmaking, execution, composition, etc.

  3. Previous Work • Extension of OWL-S profile • Capabilities and requirements associated with both services and requesters • Ontology for describing security protocols and credentials • Security Reasoner matched over security requirements and capabilities • OWL-S MatchMaker + SecurityReasoner = clients and services matched over functional and security

  4. Previous Work A Web Service Matchmaker + Security Reasoner Agent Functional matching Security matching Req: Encryption Cap: XKMS Req: Authentication, XML Cap: OpenPGP

  5. Why is this not enough ? • Authorization only based on • Protocols • Credentials (login/password, certificate) required • Need more expressive policies • Based on attributes of requester, service and other context • Did not handle privacy at all • Should be able to handle prohibitions as well • E.g.. No undergraduate student should be able to access this service

  6. Current Idea • Policy-based security infrastructure • Why policies ? • More expressive, not just requirements and capabilities • Can be over different attributes of the Requester, Service, and Context • Authorization • Rules for access control • Privacy • Rules for protecting information Policies + Semantic Web Services

  7. Example policies • Authorization • Policy 1 : Stock service is not accessible after the market closes • Policy 2 : Only members of the LAIT lab who are Ph.D. students can use the LAIT lab laser printer • Privacy/Confidentiality • Policy 3 : Do not disclose my my SSN • Policy 4 : Do not disclose my telephone number • Policy 5 : Do not use a service that doesn’t encrypt all input/output • Policy 6 : Use only those services that required an SSN if it is encrypted

  8. Our Approach • Is mainly at the specification level • Extension of OWL-S profile with an attribute for describing policies • policyEnforced • subPropertyOf securityRequirement which is a subproperty of profile:parameter • Range: Policy in Rei ontology • Ontology for describing cryptographic characteristics of service parameters • Encrypted/Signed object

  9. Our Approach (cont) • Use of a policy specification language, Rei • Authorization and Privacy Policy are subclasses of Policy in Rei • Authorization policies are usually associated with services • Privacy policies are usually associated with clients • Algorithm for matching policies • Integration of the algorithm into CMU’s Matchmaker and OWL-S Virtual Machine (future work)

  10. Rei Policy Language • A declarative policy language for describing policies over actions • Represented in RDF-S + logic like variables • Based on deontic concepts • Right, Prohibition, Obligation and Dispensation • Conflict resolution through the use of meta policy specifications

  11. Rei Example • All members of the LAIT lab have the right to use action ‘printing’ • Constraint <constraint:SimpleConstraint rdf:about="&labpolicy;members_of_lait" constraint:subject="&labpolicy;var1" constraint:predicate="&univ;affiliation" constraint:object="&labpolicy;LaitLab"/> • Right <deontic:Right rdf:about="&labpolicy;right_to_print”> <deontic:actor rdf:resource="&labpolicy;var1"/> <deontic:action rdf:resource="&labpolicy;printing"/> <deontic:constraint rdf:resource="&labpolicy; members_of_lait "/> </deontic:Right> Unify

  12. Example • Mary is looking for a reservation service • foaf description • Confidentiality policy • BravoAir is a reservation service • OWL-S description • Authorization policy • Only users belonging to the same project as John can access the service

  13. Mary <!-- Mary's FOAF description --> <foaf:Person rdf:ID="mary"> <foaf:name>Mary Smith</foaf:name> <foaf:title>Ms</foaf:title> <foaf:firstName>Mary</foaf:firstName> <foaf:surname>Smith</foaf:surname> <foaf:homepage rdf:resource="http://www.somewebsite.com/marysmith.html"/> <foaf:currentProject rdf:resource=" http://www.somewebsite.com/SWS-Project.rdf "/> <sws:policyEnforced rdf:resource="&mary;ConfidentalityPolicy"/> </foaf:Person> </rdf:RDF>

  14. <deontic:Right rdf:about="&bravo-policy;AccessRight"> <deontic:actor rdf:resource="&bravo-policy;var1"/> <deontic:action rdf:resource="&bravo-service;BravoAir_ReservationAgent"/> <deontic:constraint rdf:resource="&bravo-policy;AndCondition1"/> </deontic:Right> ……… <rdf:Description rdf:about="&bravo-service;BravoAir_ReservationAgent"> <sws:policyEnforced rdf:resource="&bravo-policy;AuthPolicy"/> </rdf:Description> Bravo Policy ` <entity:Variable rdf:about="&bravo-policy;var1"/> <entity:Variable rdf:about="&bravo-policy;var2"/> <constraint:SimpleConstraint rdf:about="&bravo-policy;GetJohnProject" constraint:subject="&john;John" constraint:predicate="&foaf;currentProject" constraint:object="&bravo-policy;var2"/> <constraint:SimpleConstraint rdf:about="&bravo-policy;SameProjectAsJohn" constraint:subject="&bravo-policy;var1" constraint:predicate="&foaf;currentProject" constraint:object="&bravo-policy;var2"/> <!-- constraints combined --> <constraint:And rdf:about="&bravo-policy;AndCondition1" constraint:first="&bravo-policy;GetJohnProject" constraint:second="&bravo-policy;SameProjectAsJohn"/>

  15. How it works BravoAirWeb service Mary URL to foaf desc+ query request <sws:policyEnforced rdf:resource = "&bravo-policy;AuthPolicy"/> Matchmaker+Reasoner Bravo Service OWL-S Desc

  16. How it works Mary’s query = Bravo Service ? YES Extract Bravo’s policy Does Mary meets Bravo’s policy ? <deontic:Right rdf:about="&bravo-policy;AccessRight"> <deontic:actor rdf:resource="&bravo-policy;var1"/> <deontic:action rdf:resource="&bravo-service;BravoAir_ReservationAgent"/> <deontic:constraint rdf:resource="&bravo-policy;AndCondition1"/> </deontic:Right> <policy:Granting rdf:about="&bravo-policy;AuthGranting"> <policy:to rdf:resource="&bravo-policy;var1"/> <policy:deontic rdf:resource="&bravo-policy;AccessRight"/> </policy:Granting> <sws:AuthorizationPolicy rdf:about="&bravo-policy;AuthPolicy"> <policy:grants rdf:resource="&bravo-policy;AuthGranting"/> </sws:AuthorizationPolicy> <rdf:Description rdf:about="&bravo-service;BravoAir_ReservationAgent"> <sws:policyEnforced rdf:resource="&bravo-policy;AuthPolicy"/> </rdf:Description> Authorization enforcement complete <constraint:SimpleConstraint rdf:about = "&bravo-policy;GetJohnProject” constraint:subject="&john;John" constraint:predicate="&foaf;currentProject" constraint:object="&bravo-policy;var2"/> var2 = http://www.somewebsite.com/SWS-Project.rdf BravoAirWeb service Mary <foaf:currentProject rdf:resource = "http://www.somewebsite.com/SWS-Project.rdf"/> <constraint:SimpleConstraint rdf:about="&bravo-policy;SameProjectAsJohn" constraint:subject="&bravo-policy;var1" constraint:predicate="&foaf;currentProject" constraint:object="&bravo-policy;var2"/> Is the constraint true when var2 = http://www.somewebsite.com/SWS-Project.rdfvar1 = http://www.cs.umbc.edu/~lkagal1/rei/examples/sws-sec/MaryProfile.rdf

  17. Algorithm for Matching Policies • After the client sends a query request, MatchMaker finds a matching service and fetches its OWL-S description • It extracts the service’s authorization policy from the policyEnforced attribute and sends it to the Rei Reasoning Engine along with the client’s description • Rei returns true or false based on whether the client meets the authorization policy of the service. If false, matching failed. • The matchmaker extracts the client’s privacy policy and sends it to the Rei Reasoning Engine along with the service’s OWL-S description • Rei returns true or false based on whether the privacy policy is met or violated. If false, matching failed. • Matching between client and service is complete

  18. Existing Work • WS-* • Lack of semantic expressiveness and reasoning capabilities • Most approaches are based on XML. • E.G., XML signature/encryption, WS-security, SAML. • Restricted extensibility • Possible solution is ontological approach • Policy Languages • XACML : OASIS eXtensible Access Control Markup Language • EPAL : IBM Enterprise Privacy Authorization Language • Ponder • KeyNote • KAoS : Knowledgeable Agent-oriented System

  19. Some open questions • Applicability of other policy languages • Integration with WS* standards • Enforcement of privacy, confidentiality and data integrity policies during execution • Confidentiality • One possible approach is for the OWL-S virtual machine to handle encryption/signing on behalf of the web service and the requester • Privacy • Reputation • Trusted third parties

  20. Summary • Contribution • Specification of security policies for web services • Authorization policies are enforced during discovery • Privacy policies are matched • Ontologies • http://www.csl.sri.com/users/denker/owl-sec/infObj.owlhttp://www.cs.umbc.edu/~lkagal1/rei/examples/sws-sec/swspolicy.owlhttp://www.cs.umbc.edu/~lkagal1/rei/ontologies/ • Examples • http://www.cs.umbc.edu/~lkagal1/rei/examples/sws-sec/

More Related