Negotiated Privacy and Security Policies for Web Services

George Yee
(Joint work with Larry Korba)
www.iit-iti.nrc-cnrc.gc.ca/personnel/yee_george_e.html
www.georgeyee.ca
Contents
• Introduction
• The current landscape
• Personal privacy policy
• E-services security policy
• Negotiation requirements
• Help for negotiation
• Policy negotiation for web services
• Related work
• Conclusions
Introduction
• Drivers for personal privacy policies
– Growth of the Internet → greater consumer exposure to e-services (e-commerce, e-gov’t, e-health, etc.) → growth of consumer awareness of the lack of privacy
– Privacy legislation → greater consumer awareness of privacy rights
• Drivers for personal security policies
– Nature of the e-service consumer’s business (e.g. defense contractor)
– Consumer’s resources (e.g. mobile device)
• Negotiation is required if there is a mismatch between consumer and provider policies
The current landscape
• Privacy and security policies on the Internet
– Posted privacy policies
– P3P privacy policies for web sites
• Browser plug-in allows checking of personal privacy preferences against the web site’s policy
• “Privacy Bird”: check preferences, display policy in easy-to-understand language, customizable warnings
• No negotiation, “take it or leave it”
– No personal security policies for e-services
• Web services
– Some elements to allow policies and negotiation are in place: WS-Policy, WS-SecurityPolicy, WS-Agreement
– No negotiation protocol
Personal privacy policy
• Necessary content implied by privacy legislation
• Simple so that it can be understood by the average e-service consumer
• Machine processable, e.g. using an XML-based language such as APPEL

Example personal privacy policy (a header followed by two privacy rules):
Header
  Policy Use: E-learning
  Owner: Alice Consumer
  Valid: unlimited
Privacy Rule
  Collector: Any
  What: name, address, tel
  Purposes: identification
  Retention Time: unlimited
  Disclose-To: none
Privacy Rule
  Collector: Any
  What: Course Marks
  Purposes: Records
  Retention Time: 2 years
  Disclose-To: none
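As an added example (not code from the slides or the authors' prototype), the Python below parses the policy shown above into its header and privacy rules and checks a constructed provider data request against the matching rule, reporting the mismatches that would trigger a negotiation; the request values and the retention convention (“<n> years” / “<n> months” / “unlimited”) are assumptions.

```python
# Added example (not from the slides): parse the personal privacy policy shown
# above and report where a provider's proposed data handling exceeds it.
POLICY_TEXT = """Policy Use: E-learning
Owner: Alice Consumer
Valid: unlimited
Collector: Any
What: name, address, tel
Purposes: identification
Retention Time: unlimited
Disclose-To: none
Collector: Any
What: Course Marks
Purposes: Records
Retention Time: 2 years
Disclose-To: none"""   # copied from the slide

def parse_policy(text):
    """Return (header, rules); each 'Collector:' line opens a new privacy rule."""
    header, rules = {}, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Collector":
            rules.append({})
        (rules[-1] if rules else header)[key.strip()] = value.strip()
    return header, rules
def items(field):  # "name, address, tel" -> {"name", "address", "tel"}
    return {i.strip().lower() for i in field.split(",")}
def months(retention):  # assumed convention: "unlimited" | "<n> years" | "<n> months"
    n, _, unit = retention.partition(" ")
    return float("inf") if n == "unlimited" else int(n) * (12 if unit.startswith("year") else 1)

def check_request(rules, request):
    """List how a provider's request for one data item breaks the consumer's rule
    for it; an empty list means the request fits and needs no negotiation."""
    item = request["What"].strip().lower()
    rule = next((r for r in rules if item in items(r["What"])), None)
    if rule is None:
        return [f"{item}: not covered by any privacy rule"]
    problems = []
    if not items(request["Purposes"]) <= items(rule["Purposes"]):
        problems.append(f"{item}: purpose '{request['Purposes']}' not allowed")
    if months(request["Retention Time"]) > months(rule["Retention Time"]):
        problems.append(f"{item}: retention {request['Retention Time']} exceeds {rule['Retention Time']}")
    if rule["Disclose-To"].lower() == "none" and request["Disclose-To"].lower() != "none":
        problems.append(f"{item}: disclosure to {request['Disclose-To']} not allowed")
    return problems
HEADER, RULES = parse_policy(POLICY_TEXT)
REQUEST = {"What": "Course Marks", "Purposes": "Records", "Retention Time": "5 years",
           "Disclose-To": "accreditation body"}  # constructed provider request, not from the slides
```

Running `check_request(RULES, REQUEST)` yields two mismatches (retention and disclosure), which is exactly what the consumer agent would carry into the privacy policy negotiation.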
E-Services security policy
• ISO 7498-2 (Reference Model for Security Architectures) and ITU-T X.800 (Security Architecture for Open Systems Interconnection) suggest the following security services:
1. Authentication,
2. Access Control,
3. Data Confidentiality,
4. Data Integrity,
5. Non-repudiation
• We add:
6. Secure Logging,
7. Certification,
8. Malware Detection,
9. Application Monitoring
[Figure: placement of the numbered security services among the Consumer, the Internet, the E-Service Provider, a Certification Authority and the provider’s Consumer Private Information Database. The labels on the nodes and links show which services apply where: 3, 4 on the network links, 7 at the Certification Authority, 3 at the database, and the sets 1, 5, 7, 8, 9 and 1, 2, 5, 6, 7, 8 at the two endpoints.]
E-Services security policy
• Security mechanisms (e.g. digital signature) are used to support security services.
• Negotiation can be over security services or security mechanisms, but since the security services are usually required, negotiation tends to be over mechanisms.
E-Services security policy - example
CONSUMER PROVISIONS
  Consumer Authentication
    Implement: yes (default)
    Mechanism: password
    Mechanism: V+F biometrics
  Consumer Malware Detect
    Implement: yes (default)
    Mechanism: Norton
PROVIDER PROVISIONS
  Provider Authentication
    Implement: yes (default)
    Mechanism: security token
    Mechanism: digital signature
  Secure Logging
    What: order transactions
    Mechanism: 3DES encrypt
    What: user input
    Mechanism: 3DES encrypt
  Application Monitoring
    Implement: yes (default)
    Mechanism: IIT-ISG
  Access Control
Negotiation requirements
1. The policy measures to be negotiated must be clear and understandable.
2. The consumer may negotiate any subset of measures in the policy.
3. There needs to be some form of trusted online help for the consumer in cases where it is difficult to know what choice to make in a particular step of the negotiation.
4. The consumer normally initiates negotiation after finding the e-service that he wants to use. However, when a provider changes its service and requires new measures, it may initiate a policy negotiation with the consumer.
5. Negotiation may be terminated by either the consumer or the provider, at any step in the negotiation. If so terminated, the associated e-service may not proceed.
6. The user interface for the negotiation must be easy to use, intuitive, and trustable (i.e. give the user a sense of ease that everything is working as stated or planned).
Negotiation requirements
• Each side is represented by a software agent. The consumer agent acts on behalf of the consumer to receive/send negotiation messages from/to the provider. Another agent serves the provider in the same way. These agents also perform validation checks on the information to be sent.
[Figure: Consumer and Provider, each with its own agent; the consumer side holds its security preferences (sp), the provider side its Security Policy (SP).]
CA – Consumer Agent
PA – Provider Agent
SP – Security Policy
sp – security preferences
Negotiation requirements
• Steps in a negotiation (Consumer ↔ Provider): the consumer requests the provider’s security policy (Req SP) and receives SP; the consumer compares SP to his security preferences and finds a mismatch; consumer and provider then exchange revised offers SP1, SP2, SP3, … until the negotiation succeeds after n steps, when both sides hold the same policy (SPn = SPn).
• Order of negotiations (flowchart): Start → Look for e-service → Found? (yes) → Negotiate security policy → Success? (yes) → Negotiate privacy policy → Success? (yes) → Execute e-service → Stop. The security policy is negotiated before the privacy policy; a “no” at either Success? decision means the e-service is not executed.
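An added example, not the authors' implementation, simulating the exchange above in Python: each agent accepts an offered mechanism if it is on its own list, otherwise rejects it and counter-offers its best remaining one, so a run ends either with SPn = SPn or with a termination (requirement 5). The consumer preferences and the provider's acceptance lists are constructed; the mechanism names come from the example security policy slide.

```python
# Added example (not from the slides): simulate the consumer and provider agents
# negotiating a security policy over mechanisms (the services are required).
# Each side lists the mechanisms it accepts, best first. Mechanism names come
# from the example security policy slide; the lists themselves are constructed.
PROVIDER = {
    "Consumer Authentication": ["password", "V+F biometrics"],
    "Provider Authentication": ["security token", "digital signature"],
    "Consumer Malware Detect": ["Norton"],
}
CONSUMER = {  # constructed security preferences (sp on the slide)
    "Consumer Authentication": ["V+F biometrics", "password"],
    "Provider Authentication": ["digital signature"],
    "Consumer Malware Detect": ["Norton"],
}

def initial_sp(provider):
    """SP as first sent: the provider's first-choice mechanism per service."""
    return {service: mechs[0] for service, mechs in provider.items()}

def mismatches(sp, prefs):
    """The 'consumer compares SP to his preferences' step: services whose
    offered mechanism the consumer does not accept."""
    return [s for s, mech in sp.items() if mech not in prefs.get(s, [])]

def negotiate(provider, consumer, max_steps=10):
    """Alternate offers SP1, SP2, ... until both agents hold the same policy
    (SPn == SPn) or a side has nothing left to offer for a required service and
    terminates (requirement 5). Returns (agreed policy or None, transcript)."""
    sides = {"provider": provider, "consumer": consumer}
    rejected = {service: set() for service in provider}   # mechanisms either side refused
    offer, who = initial_sp(provider), "consumer"
    transcript = [("provider", offer)]
    for _ in range(max_steps):
        mine, reply = sides[who], {}
        for service, mech in offer.items():
            if mech in mine.get(service, []):
                reply[service] = mech                     # accept this item as offered
                continue
            rejected[service].add(mech)
            left = [m for m in mine.get(service, []) if m not in rejected[service]]
            if not left:                                  # nothing acceptable remains
                transcript.append((who, None))            # terminate; e-service may not proceed
                return None, transcript
            reply[service] = left[0]                      # counter-offer own best remaining
        transcript.append((who, reply))
        if reply == offer:                                # SPn == SPn: agreement
            return reply, transcript
        offer, who = reply, "provider" if who == "consumer" else "consumer"
    return None, transcript                               # gave up after max_steps
```

With the lists above the consumer rejects only the provider's "security token" and the two sides agree on "digital signature" in SP2; swapping the consumer's malware scanner for one the provider does not accept makes the provider agent terminate instead.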
Help for negotiation
• Fulfilling negotiation requirement 3:
– For privacy policy negotiation, help for the consumer to know what offer to make can be obtained using the experience of reputable others who have negotiated the same or similar items before.
– For security policy negotiation, similar help can be obtained by looking at policies that have been successful in thwarting attacks and then using these policies to guide what offers to make.
Policy negotiation for Web Services
• The SOAP message that initiates a web service would instead request a comparison of policies and then, if necessary, carry on with the above negotiation steps through an exchange of SOAP messages.
• Only after the privacy policy negotiation is successful would the SOAP message to execute the service be sent. Where a negotiation fails, the consumer would access the UDDI directory again to find another provider and start the negotiation stages all over again (or find ways to satisfy the provider’s security policy).
• Provider privacy and security policies could be stored in the UDDI.
Other related work
• Semi-automated generation of personal privacy policies – uses community consensus to normalize privacy levels, which are then used to map privacy rules as selected by the consumer using a privacy slider.
• Comparing and matching personal privacy policies by comparing and matching privacy levels assigned to privacy rules through community consensus.
• Use of a Privacy Policy Compliance System (PPCS) for ensuring privacy policy compliance.
• Prototype for negotiating privacy and security policies.
Conclusions
• Consumers will want their privacy and security preferences respected. Providers will have to comply or lose business. Negotiation of personal privacy and security policies is a good way for providers to respect consumer preferences.
• Personal privacy and security policies have to be understandable by consumers and therefore should not be obscure or too complex. They should resemble as much as possible processes with which consumers are already familiar.
• The approach given above for policy negotiation can be implemented in web services.
About Us
• National Research Council Canada
– Herzberg Institute of Astrophysics
– Institute for Aerospace Research
– National Institute for Nanotechnology
– …
– Institute for Information Technology
• Software Engineering
• Computational Video
• Visual Information Technology
• Integrated Reasoning
• Interactive Information
• High Performance Computing
• …
• Information Security (4 full-time researchers)
Thank-you