
Interactive Credential Negotiation for Stateful Business Processes

Conference paper
Trust Management (iTrust 2005)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 3477)

Abstract

Business Processes for Web Services are the new paradigm for lightweight enterprise integration. They cross organizational boundaries, are provided by entities that see each other only as business partners, and require access control mechanisms based on trust management. Stateful Business Processes, which enforce separation of duties or service limitations based on past or current usage, pose additional research challenges. Clients, which may not know the right set of credentials to supply to each partner, may end up in dead-ends, and servers should help them find out which credentials must be revoked and which are missing in order to be granted access to a particular resource.

We propose a logical framework and an interactive algorithm based on negotiation of credentials for access control that works for Stateful Business Processes. We show that our algorithm is sound (no grant is given to unauthorized clients), complete (authorized clients are granted access) and resistant to DoS attempts.

This work is partially funded by the IST programme of the EU Commission FET under the IST-2001-37004 WASP project and by the FIRB programme of MIUR under the RBNE0195K5 ASTRO Project and RBAU01P5SS Project.




© 2005 Springer-Verlag Berlin Heidelberg

Cite this paper

Koshutanski, H., Massacci, F. (2005). Interactive Credential Negotiation for Stateful Business Processes. In: Herrmann, P., Issarny, V., Shiu, S. (eds) Trust Management. iTrust 2005. Lecture Notes in Computer Science, vol 3477. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11429760_18


  • DOI: https://doi.org/10.1007/11429760_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26042-4

  • Online ISBN: 978-3-540-32040-1
