Policy-driven access control for mobile environments
Publisher
University of Ottawa (Canada)
Abstract
SOA (Service Oriented Architecture) enables interoperability between heterogeneous systems or domains. By complying with proper SOA specifications, which are usually XML based, a service provider can offer a service to any group of service consumers. A service consumer (requester) can ask for a service from any service provider that satisfies its service criteria without knowing the implementation details that the provider adopts. However, a transaction, that is, a set of message exchanges between interacting parties, cannot take place before a trust relationship has been established; that relationship is embodied in the granting or denial of access to certain resources under the governance of each involved party.
This thesis proposes an XACML-based, policy-driven access-control architecture together with a layer-7 key exchange and authentication framework and protocol. The thesis examines a number of authorization and secure-channel establishment issues found not only in an ordinary service requester-provider environment but also in an environment that involves mobile requesters. The proposal is derived from a careful study of authorization request and decision rendering procedures in a number of realistic business and leisure scenarios. The scenarios are characterized mainly by (a) the distribution of access control; (b) the indeterminacy of the access control model that is implemented; (c) the distributed storage of policies, organization guidelines and regional laws; (d) the lack of common representations of basic access-control elements such as subject (principal) IDs and resource IDs; and (e) the need to establish secure communication channels over unsecured public networks between security domains.
To address these problems, several new concepts are introduced: (a) a subject ID mapping service; (b) a meta policy server (MPS); (c) reverse authorization; and (d) a private reputation server. Furthermore, a peer-to-peer security handshake protocol infrastructure (KEAML/KEAML-KE) at layer 7 and its implementation are presented.
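As an added illustration of the first two concepts (the subject ID mapping service in front of an XACML policy decision point), the following Python is example code written for this page, not the thesis's own design or implementation. The policy, the XACML namespaces used, the domain names, the mapping table and the assumption that only deny-overrides and string-equal matching are needed are all constructed for the example; the decision to return no attributes for an unmapped subject, so that no Permit rule can match it, is this example's fail-closed choice and is not claimed to be the thesis's.

```python
"""Minimal XACML-style PDP with a subject ID mapping step in front of it.

Added example, not the thesis's code.  The policy, namespaces, domains and
mapping table are constructed here; only string-equal matches and the
deny-overrides combining algorithm are implemented.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"


def _match(value, category, attr_id):
    """Render one <Match> element (helper used to build the constructed policy)."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')


# Constructed local-domain policy: partners may read the catalogue, nobody may
# write it.  Deny-overrides means the Deny rule wins whenever it applies.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="catalogue" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Rule RuleId="partners-may-read" Effect="Permit"><Target><AnyOf><AllOf>
    {_match('partner', SUBJECT, 'role')}{_match('read', ACTION, 'action-id')}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="nobody-writes" Effect="Deny"><Target><AnyOf><AllOf>
    {_match('write', ACTION, 'action-id')}
  </AllOf></AnyOf></Target></Rule>
</Policy>"""


def parse_policy(xml_text):
    """Parse a Policy into (combining_alg, [(rule_id, effect, target)]).

    A target is a list of AnyOf, each a list of AllOf, each a list of
    (category, attribute_id, expected_value) triples."""
    ns = {"x": XACML}
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("x:Rule", ns):
        target = []
        for any_of in rule.findall("x:Target/x:AnyOf", ns):
            all_ofs = []
            for all_of in any_of.findall("x:AllOf", ns):
                matches = []
                for m in all_of.findall("x:Match", ns):
                    if m.get("MatchId") != STRING_EQUAL:
                        raise ValueError("unsupported MatchId: " + m.get("MatchId"))
                    des = m.find("x:AttributeDesignator", ns)
                    matches.append((des.get("Category"), des.get("AttributeId"),
                                    m.find("x:AttributeValue", ns).text))
                all_ofs.append(matches)
            target.append(all_ofs)
        rules.append((rule.get("RuleId"), rule.get("Effect"), target))
    return root.get("RuleCombiningAlgId"), rules


def target_matches(target, request):
    """XACML target semantics: AND over AnyOf, OR over AllOf, AND over Match."""
    return all(any(all(request.get((cat, aid)) == val for cat, aid, val in all_of)
                   for all_of in any_of) for any_of in target)


def evaluate(policy, request):
    """Deny-overrides: any applicable Deny wins, else Permit, else NotApplicable."""
    alg, rules = policy
    if alg != DENY_OVERRIDES:
        raise ValueError("only deny-overrides is implemented in this example")
    effects = [effect for _, effect, target in rules if target_matches(target, request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


# Constructed mapping table: (issuing domain, subject ID there) -> local attributes.
SUBJECT_MAP = {
    ("domainB", "bob"): {"subject-id": "bob@domainB", "role": "partner"},
    ("domainC", "carol"): {"subject-id": "carol@domainC", "role": "guest"},
}


def map_subject(domain, foreign_id):
    """Subject ID mapping service (assumed shape): translate a remote domain's
    subject ID into the local attribute vocabulary.  Unknown subjects get no
    attributes, so no Permit rule can match them (fail closed)."""
    return dict(SUBJECT_MAP.get((domain, foreign_id), {}))


def decide(domain, foreign_id, action):
    """PEP view: returns (PDP decision, allowed?); only an explicit Permit allows."""
    request = {(SUBJECT, k): v for k, v in map_subject(domain, foreign_id).items()}
    request[(ACTION, "action-id")] = action
    decision = evaluate(parse_policy(POLICY_XML), request)
    return decision, decision == "Permit"


if __name__ == "__main__":
    for who in [("domainB", "bob", "read"), ("domainB", "bob", "write"),
                ("domainC", "carol", "read"), ("domainB", "mallory", "read")]:
        print(who, decide(*who))
```

The enforcement point treats NotApplicable the same as Deny, so a subject whose ID the mapping service does not know, or a mapped subject whose local attributes match no rule, is refused without any policy having to name them; only a rule that explicitly permits the mapped attributes and action yields access.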
Key words. Access control, Authorization in mobile environments, Subject ID mapping, Meta Policy Server, Reverse Authorization, XACML, Key Exchange and Authentication, KEAML/KEAML-KE, Standard security handshake protocol, XML
Citation
Source: Masters Abstracts International, Volume: 47-06, page: 3715.
