A Flexible Access Control Model for Web Services

Department of Computer Science
Elisa Bertino, Anna Cinzia Squicciarini
Lorenzo Martino, Federica Paci
CERIAS and CS Department, Purdue University
DICO, University of Milano
Outline
– Overview of Ws-Attribute Based Access Control (Ws-AC1)
– Underlying technologies: digital identity management, trust negotiation systems
– Access control model
– System architecture
– Conclusions and future work
Web Services
A Web service is a Web-based application that can be published, located and invoked.
Compared to centralized systems and client-server environments, a Web service is much more dynamic, and security for such an environment poses unique challenges.
Web Services: Access Control
An important issue is the development of suitable access control models, able to restrict access to Web services to authorized users.
Web services are quite different from the objects typically protected in conventional systems, since they consist of software modules to be executed, upon service requests, according to a set of associated input parameters.
Security technologies commonly adopted for Web sites and traditional access control models are not enough!
WS-AC1
Fine-grained access control system for Web services:
– Supporting gradual verification of user attributes
– Characterized by capabilities for negotiating service parameters
– Fully integrated with existing standards (WSDL, UDDI, Ws-Policy)
An adaptive system, supporting the notion of context influencing service provisioning
Ws-AC1: goals
The goal of Ws-AC1 is to express, validate
and enforce access control policies
without assuming pre-established trust
in the users invoking the web services.
Underlying Technologies - Digital Identity Management
What is digital identity?
– Digital identity can be defined as the digital representation of the information known about a specific individual or organization
Technically, the term DI usually refers to two different concepts:
– Nym: a nym gives a user an identity under which to operate when interacting with other parties. Nyms can be strongly bound to a physical identity
– Partial identity: partial identities refer to the set of properties that can be associated with an individual, such as name, birth date, credit cards. Any subset of such properties represents a partial identity of the user
Underlying Technologies - Trust Negotiation
Interactions between strangers
– In conventional systems user identity is known in advance and can be used for performing access control
– In open systems participants may have no pre-existing relationship and may not share a common security domain
Mutual authentication
– The assumption of the counterpart's honesty no longer holds
– Both participants need to authenticate each other
Underlying Technologies - Trust Negotiation
A promising approach for open systems where
most of the interactions occur between strangers.
The goal: establish trust between parties in
order to exchange sensitive information and
services
The approach: establish trust by verifying
properties of the other party.
Ws-AC1: service description
Services are defined in terms of a description containing information like identity attributes (AuthAttrs) and service parameters (Parameters), required to submit access requests.
– Service parameters represent information the requester has to provide to activate the operation supported by the service, and information related to the level of QoS required by the user. Each parameter has an associated domain specifying its legal values.
Each service has an associated type, defined according to the existing classifications supported by the UDDI registries.
Service Description - example
The service description of the TravelAgency web service can be defined as follows:
– Serv-descr = <TravelAgency; Business; (Departure, Destination, DepartureDate, ReturnDate, MeansofTransport, HotelPreferences, Fare); (Age, PictureId)>
where TravelAgency is the service identifier, Departure, Destination, DepartureDate, ReturnDate, MeansofTransport, HotelPreferences are the service parameters necessary to invoke the booking service, and Age and PictureId are two attributes used by the WS-AC1 system to identify the service requester.
Ws-AC1 access control model
Access conditions
– are expressed in terms of partial identities
– also take into account the parameters characterizing web services
Concept of access negotiation
– Web service negotiation in Ws-AC1 deals with the possibility for trusted users to dynamically change their access requests in order to obtain authorizations.
Ws-AC1 access control policies
An access control policy is defined by:
– A service identifier or a service type
– A set of conditions against partial identities of subjects
– A set of parameter specifications
– A set of parameter constraints: a constraint restricts the set of values associated with a parameter on the basis of the values of the context variables and/or of the values assumed by other parameters defining the service.
Ws-AC1 access control policies - examples
Policy Pol1
– pol1 = <Travel; {Age > 26, Student}; {Departure, Destination, Fare}; {Fare=gold ⇐ Departure=Chicago} {Destination ∈ {Toronto, Rome, Berlin} ⇐ Student}>
– It authorizes subjects older than 26 traveling from Chicago to get a special fare and restricts possible destinations for students
Policy Pol2
– pol2 = <Travel; {Age < 18, Citizenship=America}; {Departure, Destination, MeansofTransport}; {MeansofTransport ∈ {bus, plane} ⇐ Departure=Rome AND Destination=Milan}>
– It authorizes subjects that are younger than 18 travelling from Rome to Milan to use either a bus or a plane for reaching the destination
Ws-AC1 protocol
1. Access requests are received. A request is specified by constraining service parameters and subject partial identities.
– Note: before releasing partial identity information, a subject may require to establish trust by using trust negotiation
2. Ws-AC1 access control consists of two phases:
  1. Subject authentication
  2. Parameter negotiation
Subject Authentication
If the attribute values specified by the user in the access request do not satisfy all the conditions of any corresponding access control policy, the access request is said to be partially compliant.
The system can then require the user to provide the additional attributes of the policy not appearing in the service description.
Parameter Negotiation
Once the subject has been authenticated, the system extracts the compliant access control policies, in order to establish whether the subject request:
– can be accepted as it is
– must be rejected
– has to be negotiated
A request negotiation results in eliminating and/or modifying some of the service parameters specified within an access request that made it not immediately acceptable.
Access responses in Ws-AC1
There are three possible replies:
1. The submitted attributes match a policy for the specified service request and the specified service parameters are acceptable by the policy: request is granted
2. The submitted attributes do not match any policy for the specified service request: request is rejected
3. The submitted attributes match a policy for the specified service request but the specified service parameters are not acceptable by the policy: negotiate request
Access responses in Ws-AC1 - example
Requests:
– [Travel; {Student}; {Departure=Rome, Destination=New York, Fare=Gold}]
  It is partially compliant with Pol1, since attribute AGE is lacking. It requires further attributes to be submitted in order to be processed.
– [Travel; {Student, Age=25}; {Departure=Rome, Fare=Gold}]
  It fully complies with Pol2; however it must be negotiated since the parameter DESTINATION is missing
– [Travel; {DrivingLicence_Issuer=Italy}; {Departure=Rome, Fare=Gold}]
  It is rejected since it does not match the subject specification of any policy
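The decision procedure of the preceding slides (subject authentication, then parameter negotiation, producing the three replies plus the partially compliant case), worked through as an added example that is not the authors' code: the Policy encoding, the reading of a constraint as "if the condition holds, the parameter must take a value in the allowed set", and the sample requests are assumptions.

```python
# Added example, not the authors' code: evaluator for the WS-AC1 decision procedure on these
# slides. Encodings are assumptions; (cond, param, allowed) = "if cond holds, param in allowed".
from collections import namedtuple

# attr_conds: attribute -> predicate on its value (presence-only: lambda v: True); params:
# required parameters; constraints: (cond, param, allowed), cond maps names to value or None
Policy = namedtuple("Policy", "name service attr_conds params constraints")

def _authenticate(policy, attrs):
    """Subject authentication: 'full', 'partial' (attributes missing) or None."""
    if any(n in attrs and not pred(attrs[n]) for n, pred in policy.attr_conds.items()):
        return None                      # a submitted attribute violates a condition
    missing = [n for n in policy.attr_conds if n not in attrs]
    if len(missing) == len(policy.attr_conds):
        return None                      # no overlap with the subject specification
    return "partial" if missing else "full"

def _negotiate(policy, attrs, params):
    """Parameter negotiation: the parameters that must be added or changed."""
    issues = {p: "missing" for p in policy.params if p not in params}
    facts = {**attrs, **params}          # conditions may mention attributes or parameters
    for cond, param, allowed in policy.constraints:
        holds = all(k in facts and v in (None, facts[k]) for k, v in cond.items())
        if holds and param in params and params[param] not in allowed:
            issues[param] = "must be one of " + ", ".join(sorted(allowed))
    return issues

def evaluate(policies, service, attrs, params):
    """Return the WS-AC1 reply: granted, negotiate, need_attributes or rejected."""
    negotiate, need = {}, {}
    for pol in (p for p in policies if p.service == service):
        match = _authenticate(pol, attrs)
        if match == "full":
            if not (issues := _negotiate(pol, attrs, params)):
                return "granted", pol.name
            negotiate[pol.name] = issues
        elif match == "partial":
            need[pol.name] = [n for n in pol.attr_conds if n not in attrs]
    if negotiate:
        return "negotiate", negotiate
    return ("need_attributes", need) if need else ("rejected", {})
POLICIES = [  # Pol1 and Pol2 from the slides, in the encoding assumed above
    Policy("Pol1", "Travel", {"Age": lambda v: v > 26, "Student": lambda v: True},
           {"Departure", "Destination", "Fare"},
           [({"Departure": "Chicago"}, "Fare", {"gold"}),
            ({"Student": None}, "Destination", {"Toronto", "Rome", "Berlin"})]),
    Policy("Pol2", "Travel", {"Age": lambda v: v < 18, "Citizenship": lambda v: v == "America"},
           {"Departure", "Destination", "MeansofTransport"},
           [({"Departure": "Rome", "Destination": "Milan"}, "MeansofTransport", {"bus", "plane"})]),
]
```

With the first request of the slide, evaluate(POLICIES, "Travel", {"Student": True}, {"Departure": "Rome", "Destination": "New York", "Fare": "gold"}) returns ("need_attributes", {"Pol1": ["Age"]}), i.e. partially compliant with Pol1 with Age still to be submitted.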
Encoding WS-AC1 policies using Ws-Policy
In order to be as flexible as possible, the system is implementation independent and can thus function with any specific web service technology.
In addition, it is compliant with the existing standards for security for web services. Indeed, services are described using WSDL, and access control policies describing the conditions required to grant access to services are represented using Ws-Policy.
Ws-AC1 policies vs WS-Policies
Ws-Policy is a specification that defines a general framework to describe a broad range of Web service policies. Ws-Policy defines a policy as a collection of alternatives. Each alternative is a collection of assertions.
To encode Ws-AC1 access control policies we define a new type of policy assertion, since no public specification we are aware of defines assertions suitable for expressing the attribute conditions and parameter conditions required by the Ws-AC1 policy formalism.
WS-AC1 System Architecture
Open issues
– Negotiation of parameters: how can subjects negotiate service parameters?
– Delegation: how to manage delegated access requests?
– Cached policies: how and where to keep track of previous access requests?
– Policy protection: how to protect UDDI registries where AC policies are stored?
Future work
– Delegation mechanisms for credentials
– Automated mechanisms supporting
negotiations of parameters
– Authorization derivation rules, allowing
authorizations on a service to be automatically
derived from authorizations specified on other
services.
– Security analysis of Ws-AC1 to test system
security and reliability.