Conference PaperPDF Available

CAFS: A Framework for Context-Aware Federated Services

Authors:

Abstract and Figures

In this paper we explore two issues: Federated Identity Management and Context-Aware Services. In the last decade or so we have seen these two technologies gaining considerable popularities as they offer a number of benefits to the user and other stakeholders. However, there are a few outstanding security and privacy issues that need to be resolved to harness the full potential of such services. We believe that these problems can be reduced significantly by integrating the federated identity architecture into the context-aware services. With this aim, we have developed a framework for Context-Aware Federated Services based on the Security Assertion Markup Lan-guage (SAML) and eXtensible Access Control Markup Language (XACML) standards. We have illustrated the applicability of our approach by showcasing some use-cases, analysed the security, privacy and trust issues involved in the framework and the advantages it offers.
Content may be subject to copyright.
A preview of the PDF is not available
Conference Paper
User identity linkage (UIL) refers to linking users’ assets and identities across social networks. With the rapid growth of social media in our day-to-day life, UIL’s importance has gone beyond being just a research topic, and it has become a necessary precondition for critical tasks like fraud detection.However, only a few models have been proposed to tackle UIL in different domains than social networks. This limitation becomes even more evident in academic federated identity management (FIM) domains. Service providers (SP) deal with restricted users’ data in these environments, and often data related to connections between entities and resources (i.e., network-based information) such as friends associations or the clients’ inclinations is not available.This research addresses the account linkage (AL) problem for organizations inside federated environments with limited or no access to users’ data. In the proposed model, we focus on analyzing users’ habits and behavior during login processes by utilizing a Variational Autoencoder’s (VAE) latent space. The learned structure in this space is used to derive related accounts owned by one user.To the best of our knowledge, the proposed model is the first approach attempting to solve the AL problem inside an academic FIM domain with its high requirements regarding data security and limited users’ information. Preliminary results show that the proposed model could achieve almost 90% accuracy in linking accounts possessed by one user.
Conference Paper
Full-text available
This paper analyses the prospect of having a Portable Personal Identity Provider (PPIdP, in short) in the mobile phone. The ubiquitous presence of powerful mobile phones equipped with high speed networks can be utilised to make the mobile phone act as a portable and personal Identity Provider (IdP, in short) on behalf of their users. Such an IdP would be helpful for the user in the sense that it will provide a central location to manage different user attributes which are generally scattered among different service providers in the traditional setting of online services. In addition, the user needs to trust the provider to store those attributes securely which may not be always honoured and crucial user attributes may be abused. Creating a Personal Identity Federation using a personal IdP can tackle many of these stated problems. Moreover, such an IdP may provide additional advantages. We have developed such a Mobile IdP for the Android platform based on the Security Assertion Markup Language (SAML) and OpenID as a proof of concept using the Jetty Web Server. In this paper, we discuss the functionalities of our developed IdP and the technical challenges we have faced. Moreover, we analyse the security, privacy and trust issues involved in having such an IdP and the advantages it offers.
Article
Full-text available
The area of MANets (Mobile Ad-hoc Networks) is still in its infancy in the research community, but it plays a vital role surrounded by the growing trend of mobile technology for business as well as private and governmental uses. The concept of ubiquitous/pervasive computing is almost intrinsically tied to wireless communications. Emerging next-generation wireless networks enable innovative service access in every situation. Apart from many remote services, proximity services (context-awareness) will also be widely available. People currently rely on numerous forms of identities to access these services. The inconvenience of possessing and using these identities creates significant security vulnerability, especially from network and device point of view in MANet environments. The emergent notion of ubiquitous computing also makes it possible for mobile devices to communicate and provide services via networks connected in an ad-hoc manner. Digital identities are at the heart of many contemporary strategic innovations for crime prevention and detection, internal and external security, business models etc. This requires disclosing personal information and the applicability of contextual information as well as allowing users to be in control of their identities. In this paper we discuss the requirements for the development of an innovative, easy-to- use identity management mechanism within MANet environments. We convey various possibilities, challenges, and research questions evolving in these areas. The issues of context-awareness, making use of partial identities as a way of user identity protection, and providing a better way for node identification are addressed. We also examine the area of user-centricity for MANets together with its security issues and implications. We propose a framework for MANets that makes the flow of partial identities explicit, gives users control over such identities based on the respective situation and context, and creates a balance between convenience and privacy .
Article
Full-text available
Context-awareness emerges as an important element of future wireless systems. In particular, concepts like ambient intelligence and ubiquitous computing rely on context information in order to personalize services provided to their target users. However, security implications of employing context-awareness in computing systems are not well understood. Security challenges in context- aware systems include integrity, confidentiality and availability of context information, as well as target user's privacy. Another interesting and open question is to what extent availability of additional context information could be used in order to optimise and reconfigure security-related services.
Conference Paper
Full-text available
Security Assertion Markup Language (SAML, in short) is one of the most widely used technologies to enable Identity Federation among organisations from different trust domains. Despite its several advantages, one of the key disadvantages of SAML is the mechanism by which an identity federation is established. This mechanism lacks flexibility to create a federation in a dynamic fashion to enable service provisioning (or de-provisioning) in real time. Several different mechanisms to rectify this problem have been proposed. However, most of them require a more elaborate change at the core of the SAML. In this pa-per we present a simple approach based on an already drafted SAML Profile which requires no change of the SAML, rather it depends on the implementation of SAML. It will allow users to create federations using SAML between two prior unknown organisations in a dynamic fashion. Implicit in each identity federation is the issue of trust. Therefore, we also analyse in detail the trust issues of dynamic federations. Finally, we discuss our implemented proof of concept to elaborate the practicality of our approach.
Conference Paper
Full-text available
With a view to provide more effective, enhanced and accessible services to their citizens, Governments around the globe have started different web services under the initiative of e-Government. Many such services extensively utilise the Federated Identity framework due to its huge number of benefits. This paper analyses how different e-initiatives in Bangladesh can take advantage of this technology by illustrating use-cases in two different domains. As the online service and the e-Governance paradigm in Bangladesh are relatively new and evolving rapidly, we believe that this is the high-time to consider the benefits this technology can bring for the Government as well as the citizen.
Conference Paper
Full-text available
In this paper, we present a comparative analysis of a few popular Identity Management Systems against a set of requirements. Identity Management and Identity Management Systems have gained significant attention in recent years with the proliferation of different web-enabled and e-commerce services leading to an extensive research on the field in the form of several projects producing many standards, prototypes and application models both in the academia and the industry. We have collected and compiled different requirements from different sources to profile an extensive set of requirements that are required for a Privacy-Enhancing Identity Management System and presented them in the form of a taxonomy. Then we have compared some Identity Management Systems against those requirements and presented them in a concise way to help readers find out instantly which systems satisfy what requirements and thus help them to choose the correct one to fit into their own scenarios.
Conference Paper
When humans talk with humans, they are able to use implicit situational information, or context, to increase the conversational bandwidth. Unfortunately, this ability to convey ideas does not transfer well to humans interacting with computers. In traditional interactive computing, users have an impoverished mechanism for providing input to computers. By improving the computer’s access to context, we increase the richness of communication in human-computer interaction and make it possible to produce more useful computational services. The use of context is increasingly important in the fields of handheld and ubiquitous computing, where the user?s context is changing rapidly. In this panel, we want to discuss some of the research challenges in understanding context and in developing context-aware applications.
Conference Paper
We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user's current location) for authentication. We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given passive factors. We also present the results of three user studies evaluating the feasibility and users' receptiveness of our concept. Our results suggest that location data has good potential as a passive factor, and that users can reduce up to 68% of active authentications when using an implementation of CASA, compared to always using fixed active authentication. Furthermore, our participants, including those who do not using any security mechanisms on their phones, were very positive about CASA and amenable to using it on their phones.
Article
The basic concept of role-based access control (RBAC) is that permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles' permissions. This idea has been around since the advent of multi-user computing. Until recently, however, RBAC has received little attention from the research community. This chapter describes the motivations, results, and open issues in recent MAC research.