Digital Identity Management – An advanced policy based Authorisation infrastructure

We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

an advanced policy based Authorisation infrastructure

We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

Adding Authorisation to EduRoam

EduRoam allows universities to cooperate to authenticate users as they roam between the federated institutions. However, authentication is not always sufficient since the host institution does not know how to differentiate between different groups of roaming users in order to give them access to different network resources. We have designed and built a fine grained Authorisation infrastructure which allows different groups of users to be given access to different network resources. The infrastructure uses JRadius to intercept radius server events and gain the appropriate Authorisation using the PERMIS Authorisation infrastructure. The Network Access Server (NAS) then grants access to the appropriate VLAN given the user’s access permissions.

Adding privacy protection to policy based Authorisation systems

An Authorisation system determines who is authorised to do what i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional Authorisation decision system, which is simply called Authorisation system or system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional Authorisation system is not sufficient to protect privacy of personal data, since users (the data subjects) are usually given a take it or leave it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an Authorisation system that will provide privacy for personal data by including sticky Authorisation policies from the issuers and data subjects, to supplement the Authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data.

A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the
Authorisation system. Hence, the designed Authorisation system also includes the Authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection
Directive into machine executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable.

Since the system includes independent policies from various authorities (law, issuer, data subject and controller) conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts.

As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, Contract Validation Service (ConVS) that can validate an XML based digital contract to allow processing of personal data based on a contract.

The Authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it in a single computer and then in a cloud server. Finally the validity of the design and implementation are tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine computed Authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions.

an advanced policy based Authorisation infrastructure

We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

Digital Identity Management – An advanced policy based Authorisation infrastructure

We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

specification and analysis of dynamic Authorisation policies

This paper presents a language, based on transaction logic, for specifying dynamic Authorisation policies, i.e., rules governing actions that may depend on and update the Authorisation state. The language is more expressive than previous dynamic Authorisation languages, featuring conditional bulk insertions and retractions of Authorisation facts, non-monotonic negation, and nested action definitions with transactional execution semantics. Two complementary policy analysis methods are also presented, one based on AI planning for verifying reachability properties in finite domains, and the second based on automated theorem proving, for checking policy invariants that hold for all sequences of actions and in arbitrary, including infinite, domains. The combination of both methods can analyse a wide range of security properties, including safety, availability and containment.

CSF – Specification and Analysis of Dynamic Authorisation Policies

This paper presents a language, based on transaction logic, for specifying dynamic Authorisation policies, i.e., rules governing actions that may depend on and update the Authorisation state. The language is more expressive than previous dynamic Authorisation languages, featuring conditional bulk insertions and retractions of Authorisation facts, non-monotonic negation, and nested action definitions with transactional execution semantics. Two complementary policy analysis methods are also presented, one based on AI planning for verifying reachability properties in finite domains, and the second based on automated theorem proving, for checking policy invariants that hold for all sequences of actions and in arbitrary, including infinite, domains. The combination of both methods can analyse a wide range of security properties, including safety, availability and containment.