Negotiated Privacy and Security Policies for Web Services
George Yee (joint work with Larry Korba)
www.iit-iti.nrc-cnrc.gc.ca/personnel/yee_george_e.html
www.georgeyee.ca

Contents
• Introduction
• The current landscape
• Personal privacy policy
• E-services security policy
• Negotiation requirements
• Help for negotiation
• Policy negotiation for web services
• Related work
• Conclusions

Introduction
• Drivers for personal privacy policies
  – Growth of the Internet: greater consumer exposure to e-services (e-commerce, e-gov’t, e-health, etc.) and growing consumer awareness of the lack of privacy
  – Privacy legislation: greater consumer awareness of privacy rights
• Drivers for personal security policies
  – Nature of the e-service consumer’s business (e.g. defense contractor)
  – Consumer’s resources (e.g. mobile device)
• Negotiation is required if there is a mismatch between consumer and provider policies

The current landscape
• Privacy and security policies on the Internet
  – Posted privacy policies
  – P3P privacy policies for web sites
    • A browser plug-in allows checking of personal privacy preferences against the web site’s policy
    • “Privacy Bird”: checks preferences, displays the policy in easy-to-understand language, customizable warnings
    • No negotiation: “take it or leave it”
  – No personal security policies for e-services
• Web services
  – Some elements to allow policies and negotiation are in place: WS-Policy, WS-SecurityPolicy, WS-Agreement
  – No negotiation protocol

Personal privacy policy
• Necessary content implied by privacy legislation
• Simple, so that it can be understood by the average e-service consumer
• Machine processable, e.g. using an XML-based language such as APPEL
• Example policy (a header followed by two privacy rules):
  Header
    Policy Use: E-learning
    Owner: Alice Consumer
    Valid: unlimited
  Privacy Rule
    Collector: Any
    What: name, address, tel
    Purposes: identification
    Retention Time: unlimited
    Disclose-To: none
  Privacy Rule
    Collector: Any
    What: Course Marks
    Purposes: Records
    Retention Time: 2 years
    Disclose-To: none

E-Services security policy
• ISO 7498-2 (Reference Model for Security Architectures) and ITU-T X.800 (Security Architecture for Open Systems Interconnection) suggest the following security services:
  1. Authentication
  2. Access Control
  3. Data Confidentiality
  4. Data Integrity
  5. Non-repudiation
• We add:
  6. Secure Logging
  7. Certification
  8. Malware Detection
  9. Application Monitoring
• [Figure: Consumer, Internet, E-Service Provider, Certification Authority and Consumer Private Information Database, labelled with the numbered services above. As far as the diagram can be recovered: Consumer 1, 5, 7, 8, 9; E-Service Provider 1, 2, 5, 6, 7, 8; Certification Authority 7; Consumer Private Information Database 3; the links between parties 3, 4.]

E-Services security policy
• Security mechanisms (e.g. digital signature) are used to support security services.
• Negotiation can be over security services or security mechanisms, but since the security services are usually required, negotiation tends to be over mechanisms.

E-Services security policy - example
CONSUMER PROVISIONS
  Consumer Authentication
    Implement: yes (default)
    Mechanism: password
    Mechanism: V+F biometrics
  Consumer Malware Detect
    Implement: yes (default)
    Mechanism: Norton
PROVIDER PROVISIONS
  Provider Authentication
    Implement: yes (default)
    Mechanism: security token
    Mechanism: digital signature
  Secure Logging
    What: order transactions
    Mechanism: 3DES encrypt
    What: user input
    Mechanism: 3DES encrypt
  Application Monitoring
    Implement: yes (default)
    Mechanism: IIT-ISG Access Control

Negotiation requirements
1. The policy measures to be negotiated must be clear and understandable.
2. The consumer may negotiate any subset of measures in the policy.
3. There needs to be some form of trusted online help for the consumer in cases where it is difficult to know what choice to make in a particular step of the negotiation.
4. The consumer normally initiates negotiation after finding the e-service that he wants to use. However, when a provider changes its service and requires new measures, it may initiate a policy negotiation with the consumer.
5. Negotiation may be terminated by either the consumer or the provider at any step in the negotiation. If so terminated, the associated e-service may not proceed.
6. The user interface for the negotiation must be easy to use, intuitive, and trustable (i.e. give the user a sense of ease that everything is working as stated or planned).

Negotiation requirements
• Each side is represented by a software agent. The Consumer Agent acts on behalf of the consumer to receive/send negotiation messages from/to the provider. Another agent, the Provider Agent, serves the provider in the same way. These agents also perform validation checks on the information to be sent.
• [Figure: Consumer – CA ⇄ PA – Provider, with the consumer’s security preferences (sp) held on the consumer side and the provider’s security policy (SP) held on the provider side]
  CA – Consumer Agent
  PA – Provider Agent
  SP – Security Policy
  sp – security preferences

Negotiation requirements
• Steps in a negotiation (Consumer ⇄ Provider):
  – Consumer requests SP; provider returns SP.
  – Consumer compares SP to his security preferences and finds a mismatch.
  – Offers SP1, SP2, SP3, … are exchanged between consumer and provider.
  – Successful negotiation after n steps, when both sides hold the same policy (SPn = SPn).
• Order of negotiations:
  Start → Look for e-service → Found? → yes: Negotiate security policy → Success? → yes: Negotiate privacy policy → Success? → yes: Execute e-service → Stop
  (a “no” at any of the three decisions means the e-service does not proceed; see requirement 5)

Help for negotiation
• Fulfilling negotiation requirement 3:
  – For privacy policy negotiation, help for the consumer to know what offer to make can be obtained using the experience of reputable others who have negotiated the same or similar items before.
  – For security policy negotiation, similar help can be obtained by looking at policies that have been successful in thwarting attacks and then using these policies to guide what offers to make.
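As an added illustration of the negotiation steps and the flowchart order above (example code written for this page, not the authors' prototype), the following Python simulates the Consumer Agent and Provider Agent exchanging offers SP1..SPn over a policy held as a dictionary of measures; the same loop is reused for privacy measures such as the retention time of Course Marks. The agent classes, the preference-ordered value lists, and the five-step limit are assumptions of this example.

```python
from dataclasses import dataclass, field
@dataclass
class ConsumerAgent:          # CA: the consumer's side of the negotiation
    preferences: dict         # measure -> acceptable values, most preferred first
    tried: dict = field(default_factory=dict)
    def counter_offer(self, sp):
        """Move each mismatched measure to the next untried acceptable value; None = terminate."""
        proposal = dict(sp)
        for measure, acceptable in self.preferences.items():
            if sp.get(measure) in acceptable:
                continue                  # this measure already matches a preference
            untried = [v for v in acceptable if v not in self.tried.setdefault(measure, set())]
            if not untried:
                return None               # nothing acceptable left to offer (requirement 5)
            self.tried[measure].add(untried[0])
            proposal[measure] = untried[0]
        return proposal

@dataclass
class ProviderAgent:          # PA: the provider's side of the negotiation
    policy: dict              # measure -> value currently offered (its SP)
    supported: dict           # measure -> set of values it is able to implement
    def respond(self, proposal):
        """Adopt each proposed value the provider supports; keep its own otherwise."""
        for measure, value in proposal.items():
            if value in self.supported.get(measure, set()):
                self.policy[measure] = value
        return dict(self.policy)

def negotiate(consumer, provider, max_steps=5):
    """Exchange SP1..SPn; success when the consumer accepts the provider's SP (SPn = SPn)."""
    sp, history = dict(provider.policy), [dict(provider.policy)]
    for _ in range(max_steps):
        proposal = consumer.counter_offer(sp)
        if proposal is None:
            return False, history         # consumer terminates
        if proposal == sp:
            return True, history          # agreement: both sides hold the same policy
        sp = provider.respond(proposal)
        history.append(sp)
    return False, history                 # provider terminates after too many steps

def run_e_service(consumer_sec, provider_sec, consumer_priv, provider_priv):
    # Flowchart order: security policy first, then privacy policy, then execute.
    if not negotiate(consumer_sec, provider_sec)[0]:
        return "stop: security policy negotiation failed"
    if not negotiate(consumer_priv, provider_priv)[0]:
        return "stop: privacy policy negotiation failed"
    return "execute e-service"
```

With the slide's example values (consumer wants V+F biometrics or a security token, provider offers password but can also do security token), the security negotiation succeeds on the second counter-offer, and a consumer who will accept only a 2-year retention that the provider cannot support ends the privacy negotiation, so the e-service does not execute.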
Policy negotiation for Web Services
• The SOAP message that initiates a web service would instead request a comparison of policies and then, if necessary, carry on with the above negotiation steps through an exchange of SOAP messages.
• Only after the privacy policy negotiation is successful would the SOAP message to execute the service be sent. Where a negotiation fails, the consumer would access the UDDI directory again to find another provider and start the negotiation stages all over again (or find ways to satisfy the provider’s security policy).
• Provider privacy and security policies could be stored in the UDDI.

Other related work
• Semi-automated generation of personal privacy policies: uses community consensus to normalize privacy levels, which are then used to map privacy rules as selected by the consumer using a privacy slider.
• Comparing and matching personal privacy policies by comparing and matching privacy levels assigned to privacy rules through community consensus.
• Use of a Privacy Policy Compliance System (PPCS) for ensuring privacy policy compliance.
• Prototype for negotiating privacy and security policies.

Conclusions
• Consumers will want their privacy and security preferences respected. Providers will have to comply or lose business. Negotiation of personal privacy and security policies is a good way for providers to respect consumer preferences.
• Personal privacy and security policies have to be understandable by consumers and therefore should not be obscure or too complex. They should resemble as much as possible processes with which consumers are already familiar.
• The approach given above for policy negotiation can be implemented in web services.
About Us
• National Research Council Canada
  – Herzberg Institute of Astrophysics
  – Institute for Aerospace Research
  – National Institute for Nanotechnology
  – …
  – Institute for Information Technology
    • Software Engineering
    • Computational Video
    • Visual Information Technology
    • Integrated Reasoning
    • Interactive Information
    • High Performance Computing
    • …
    • Information Security (4 full-time researchers)

Thank you