Wei Jie,Alistair Young,Junaid Arshad,June Finch,Rob Procter,Andy Turner

DOI: https://doi.org/10.1109/edocw.2008.6

2008-01-01

Abstract:An e-Social Science infrastructure generally has security requirements to protect their restricted resources or services. As a widely accepted authentication and authorization technology, Shibboleth supports the sharing of resources on inter-institutional federation. Guanxi is an open source implementation of the Shibboleth protocol and architecture. In this paper, we propose a security infrastructure for e-social science based on the Guanxi Shibboleth. This security infrastructure presents two main features. Firstly, Guanxi Shibboleth is integrated into the user-friendly Sakai collaborative and learning environment which provides an ideal place for users to access a variety of federation resources in line with the Shibboleth authentication model. Secondly, PERMIS technology is used to enhance the authorization mechanisms thus enabling a policy-driven, role-based, fine-grained access control. As a result, the security infrastructure presents the advantages of Guanxi Shibboleth, PERMIS and Sakai, and it has been applied to e-Social Science application. We believe this security infrastructure provides a promising authentication and authorization solution for e-social science applications as well as applications in other domains.

Wei Jie,Michael Daw,Rob Procter,Alex Voss

2007-01-01

Abstract:The e-Infrastructure for e-Social Sciences project leverages Grid computing technology to provide an integrated platform which enables social science researchers to securely access a variety of e-Science resources. Security underpins the e-Infrastructure and a security framework with authentication and authorization functionality is a core component of the e-Infrastructure for social sciences. To build the security framework, we adopt Shibboleth as the basic authentication and authorization infrastructure and further combine PERMIS advanced authorization technology. As a result, this security framework integrates the advantages of both Shibboleth cross-domain identity federation and PERMIS policy driven role based authorization control, thus presenting a promising security model for secure access to the e-Infrastructure for the social sciences.

Tian-shu ZHOU,Xing-hua ZHU,Jing-song LI

DOI: https://doi.org/10.3969/j.issn.1673-7571.2015.06.025

2015-01-01

Abstract:To meet the demand of big data sharing and communication in regional medical systems in a secure manner, we designed and developed a security system within HIE-oriented EMR, including identity authentication, privilege management, access log, and data encryption modules. The establish and deployment of the system could prevent access from the illegal users, keep EMR system accessibility while controllability, record the modification traces and make it undeniability, protect the medical data from intercepted by intruders, keep the data confidentiality from none stakeholders, and finally construct a complete security system in EMR.

Di Wu,Yabo Dong,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11563952_52

2005-01-01

Abstract:The fast development of E-Commerce and information technology brings much higher requirements for enterprise informationization. Because of the differences in platforms, development languages and standards etc, enterprise application integration (EAI) has become the important form of enterprise informationization to support complex business processes. Web services have emerged as the next generation of integration technology which provides the power to support interoperability. However EAI doesn’t just present new interoperability challenges; it also presents serious privacy and security challenges. This paper presents security architecture of Web Services based EAI which uses distributed Single Sign On authentication and distributed Role-based Access Control authorization. The basic concept and prototype system of the security architecture are described in detail.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Wei Jie,Zhenghong Huang,Michael Daw,Rob Procter,Xiaorong Li,Lianggui Tang,Sheng Lu

DOI: https://doi.org/10.1109/CEC-EEE.2007.84

2007-01-01

Abstract:Grid Information Service (GIS) is a core functional component of a Grid that provides information about various resources and their status. Security underpins a GIS making secure access to a GIS an important issue. On the basis of our existing work on a GIS architecture, we further propose a security framework which leverages Shibboleth as the authentication infrastructure and combines PERMIS authorization technology. As a result, this security framework integrates the advantages of both Shibboleth cross-domain identity federation and PERMIS policy driven role based access control, thus presenting a new security model for secure access to a GIS.

Wu Chao,Yike Guo,Bo Zhou

DOI: https://doi.org/10.1016/j.compeleceng.2011.11.028

IF: 4.152

2012-01-01

Computers & Electrical Engineering

Abstract:This paper proposes the concept and the technology of social networking federation as a paradigm where information on various social network systems can be seamlessly integrated in order to provide users a uniform and semantic view of their social connections. Such a uniformly fused social network provides a single point of access where all information with respect to one’s social networks can be queried and reasoned about. The goal of the research is to establish a foundation of integrating and assimilating information within multiple social network systems. We designed a reference model of social networking federation system in this paper, as well as some prototype application to demonstrate its paradigm. We believe our work would provide a novel vision of future online social network.

Zeqing Guo,Weili Han,Liangxing Liu,Wenyuan Xu,Ruiqi Bu,Minyue Ni

DOI: https://doi.org/10.1145/2752952.2752974

2015-01-01

Abstract:More and more powerful personal smart devices take users, especially the elder, into a disaster of policy administration where users are forced to set personal management policies in these devices. Considering a real case of this issue in the Android security, it is hard for users, even some programmers, to generally identify malicious permission requests when they install a third-party application. Motivated by the popularity of mutual assistance among friends (including family members) in the real world, we propose a novel framework for policy administration, referring to Socialized Policy Administration (SPA for short), to help users manage the policies in widely deployed personal devices. SPA leverages a basic idea that a user may invite his or her friends to help set the applications. Especially, when the size of invited friends increases, the setting result can be more resilient to a few malicious or unprofessional friends. We define the security properties of SPA, and propose an enforcement framework where users' friends can help users set applications without the leakage of friends' preferences with the supports of a privacy preserving mechanism. In our prototype, we only leverage partially homomorphic encryption cryptosystems to implement our framework, because the fully homomorphic encryption is not acceptable to be deployed in a practical service at the moment. Based on our prototype and performance evaluation, SPA is promising to support major types of policies in current popular applications with acceptable performance.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Bo Zhou,Chao Wu

2011-01-01

Abstract:We propose the concept and technology of social networking federation, to solve the problem of lacking of semantic data and interoperability within online social network. Social networking federation is built based on semantic model we designed before, to federate various data and operations from current SNSes. In this paper, we describe the architecture of federation system, design and implement the federation gateway system. With federation system, users and applications could access distributed and heterogeneous social networking data through standardized interface.

michael daw,rob procter,yuwei lin,t e hewitt,wei jie,alex voss,k baird,aubrey r turner,mark birkin,ken miller,william h dutton,marina jirotka,ralph schroeder,grace de la flor,peter edwards,r j allan,xiaobo yang,robert crouchley

2007-01-01

Abstract:We outline the aims and progress to date of the National Centre for e-Social Science e-Infrastructure project. We examine the challenges faced by the project, namely in ensuring outputs are appropriate to social scientists, managing the transition from research projects to service and embedding software and data within a wider infrastructural framework. We also provide pointers to related work where issues which have ramifications for this and similar initiatives are being addressed.

Christopher Bayliss,Richard O. Sinnott,Wei Jie,Junaid Arshad

DOI: https://doi.org/10.1007/978-3-642-20862-1_15

2011-01-01

Abstract:Single sign-on and delegation of privileges are fundamental tenets upon which e-Infrastructures and Grid-based research more generally have been based. The realisation of single sign-on and delegation of privileges in accessing resources such as the UK e-Science National Grid Service is typically facilitated by X.509-based Public Key Infrastructures (PKI) and exploitation of proxy certificates. This model can be categorised by authentication-oriented access and usage of resources. It is the case however that proxy certificates, can potentially be obtained and abused by a malicious third party without the knowledge of the holder. In this paper we describe a novel proxy auditing solution that addresses this issue directly. We describe the design and implementation of this solution and illustrate its application in widely distributed and heterogeneous research environments.

Yu Zhang,Huimei Lu,Yong Xiang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2017.03.061

2017-01-01

Abstract:Federated identity was applied to achieve single-sign-on for the situation in which users were from different organizations.However,the diversity of resources brought about trouble of management.To solve the problem,this paper selected Shibboleth as a method of federated identity.System in federation provided REST API of their own resources,and released the authorization code which identified the access rights of resource by the attribute publishing policy in Shibboleth,thus it accessed multi-resouce by users from different organazations after unified authentication.Taking online experimental platform based on OpenEdX as an example,it implemented unified authentication and authorization of complex resources.It applied Shibboleth to authenticate users,coupled with REST API and authorization code,and it shared complex resources during several systems.Moreover,it developed some XBlocks on OpenEdX to share data with other systems.

Yan Bai,Lirong Dai,Sam Chung,Durga D. Devaraj

DOI: https://doi.org/10.1002/sec.759

2014-01-01

Abstract:AbstracteHealth is being rapidly deployed. Lower cost and greater productivity attract government and healthcare enterprise to transit from traditional healthcare service to eHealth service. Security and privacy are growing concerns with the widespread deployment of eHealth and the development of next generation of eHealth services. In this paper, we discuss these security problems and propose a high-level security framework that captures required features in the next-generation eHealth infrastructure. Our framework consists of the following: i an adaptive trust-aware tag-based privacy control to specify which data to share and whom to share with. The fine-grained control of data access is guaranteed; ii a decentralized authorization that relies on trust propagation protocol to provide robust and resilient access control enforcement; and iii a hybrid trust management mechanism that addresses access control information depository on a cloud server. It enforces user-defined access control not only in a distributed environment but also in a privacy-preserving manner so as to minimize the disclosure of privileges and of access policies. Copyright © 2013 John Wiley & Sons, Ltd.

Wei Jie,Junaid Arshad,Pascal Ekin

DOI: https://doi.org/10.1007/s11227-009-0267-8

2009-01-01

Abstract:Authentication and authorization for Grids is a challenging security issue. In this paper, key issues for the establishment of Grid authentication and authorization infrastructures are discussed, and an overview of major Grid authentication and authorization technologies is presented. Related to this, recent developments in Grid authentication and authorization infrastructures suggest adoption of the Shibboleth technology which offers advantages in terms of usability, confidentiality, scalability and manageability. When combined with advanced authorization technologies, Shibboleth-based authentication and authorization infrastructures provide role-based, fine-grained authorization. We share our experience in constructing a Shibboleth-based authentication and authorization infrastructure and believe that such infrastructure provides a promising solution for the security of many application domains.

Yongkai Cai,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.187

2008-01-01

Abstract:A federated security scheme based on WS-Security standard for cross-domain Grid is proposed. It integrates the WS-Security standard and the Grid security mechanism. A trust model is established based on WS-Trust specification. A communication is established based on WS-SecureConversation specification. The architecture is implemented in a SAML-based federated authentication and authorization cross-domain Grid. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.

Chen Lyu,Shi-Feng Sun,Yuanyuan Zhang,Amit Pande,Haining Lu,Dawu Gu

DOI: https://doi.org/10.1016/j.jnca.2016.08.006

IF: 7.574

2016-01-01

Journal of Network and Computer Applications

Abstract:Social applications are becoming one of the most popular applications for users to share data and communicate online. These applications deal with a lot of personal data, e.g., users’ locations, interests and documents stored on the remote cloud storage servers. Therefore, we need to pay a deeper attention to data confidentiality and privacy. To address the problem of data confidentiality, existing solutions usually count the security requirement of data owner for data sharing in social applications. However, on the side of the data consumer or member, we want to securely and efficiently get our own interested data. Both the data owner and the member are two roles of users in data sharing applications, and there are little existing research efforts to investigate the implementation of achieving both of their requirements at the same time. In this paper, we propose DASS, a privacy-preserving DAta Sharing Scheme to comprehensively satisfy users’ security requirements for social applications. Our solution consists of a fine-grained access control scheme, a dynamic social attribute management model, and a multi-user searchable encryption scheme. We have described our scheme and provided performance evaluation. Validations are done to demonstrate that our scheme is secure, fine-grained and efficient.

Yi Zhao,Xia Wang,Wolfgang A. Halang

DOI: https://doi.org/10.4018/978-1-60566-650-1.ch025

2009-01-01

Abstract:With the increasing interest in Semantic Web-based applications, researchers have started to build tools enabling organisations to share information. An important aspect in maintaining the Semantic Web is, however, to preserve security during semantic interoperation of different entities. Security and privacy are indispensable to the success of Semantic Web services. Hence, this chapter aims to investigate the currently used security methods in semantic interoperation, including the security methods employing Semantic Web representation languages such as XML, RDF and ontologies, and their application methods in semantic interoperation such as secure access control and secure knowledge management. How to manage privacy, trust and reputation at the same time during semantic interoperation will also be discussed in this chapter. Finally, some directions for our further research will be presented.

邓绪水,宋庭新,黄必清

DOI: https://doi.org/10.3969/j.issn.1003-4684.2010.02.008

2010-01-01

Abstract:Single sign-on(SSO) is an important part of Enterprise Application Integration(EAI).By analyzing the project needs,a new SSO model based on certificate encryption and Agent Login is proposed.This model not only perfectly matches the original operational system,but also enables a flexible and safety SSO access control.The application of this model to the Enterprise Information Portal is introduced in detail,and some corresponding analyses on technical security are put forward.The current system will be on the Public Services Platform for Population and Reproductive Health at present.