This document presents the current PRIME architecture including infrastructural aspects for privacy-enhancing identity management. The architecture describes how parties should interact so that users can keep control over their data. We describe the mechanisms that are required for privacy protection and present the architectural building blocks that realize these mechanisms. Rules govern the operation of an implementation of the software systems defined by the architecture. An implementation of the architecture allows a user to manage her personal data, to keep control over her data in interactions in electronic media, and to minimize the disclosure of personal data in interactions, and gives her assurance of properties of other parties she interacts with. A service provider's implementation interacts with users and protects the user data once released. A basic design principle for the architecture is to minimize trust assumptions.
Devices supporting nomadic applications are assumed to be able to take advantage of the capabilities of surrounding devices. This paper discusses the access control requirements of such ad-hoc federations of communicating devices, some of which may be administered by a different authority, and illustrates how such scenarios would be handled in Web Services Security and in the framework proposed in the WiTness project. Finally, the adaptation of the WiTness flexible attribute certificate infrastructure as tokens for the Web Services Security specifications suite is discussed as an option to support scenarios where a full-time attachment to a global network is impossible. Key words: Web Services, attribute certificates and PKI, access control, mobile applications
In this paper we analyze secure access control and rights management concerns in a typical public sector Workflow Management System which orchestrates the control flow of an inter-European judicial process. We have classified a set of topics that, in our opinion, have not been adequately addressed so far into three different categories: i) deriving consistent access control policies for workflow tasks, ii) the temporal (short-term) provisioning of access rights with certificates, and iii) enforcing access control on workflow tasks, with a focus on inter-organizational workflows. We will analyze these different concerns in this paper, and propose specific solutions where appropriate. We have validated our work in a case study, closely related to the scenarios developed within the eJustice project, concerning an inter-organizational workflow regarding the issuing of rogatory letters and arrest warrants for the improvement of inter-European investigations and prosecutions.
In this paper we analyze secure access control and rights management concerns in a typical public sector Workflow Management System which orchestrates the control flow of an inter-European judicial process. We have classified a set of topics that, in our opinion, have not been adequately addressed so far into three different categories: i) deriving consistent access control policies for workflow tasks, ii) the temporal (short-term) provisioning of access rights with certificates, and iii) enforcing access control on workflow tasks, with a focus on inter-organizational workflows. We will analyze these different concerns in this paper, and propose specific solutions where appropriate. We have validated our work in a case study, closely related to the scenarios developed within the eJustice project, concerning an inter-organizational workflow regarding the issuing of rogatory letters and arrest warrants for the improvement of inter-European investigations and prosecutions.
Devices supporting nomadic applications are assumed to be able to take advantage of the capabilities of surrounding devices. This paper discusses the access control requirements of such ad-hoc federations of communicating devices, some of which may be administered by a different authority, and illustrates how such scenarios would be handled in Web Services Security and in the framework proposed in the WiTness project. Finally, the adaptation of the WiTness flexible attribute certificate infrastructure as tokens for the Web Services Security specifications suite is discussed as an option to support scenarios where a full-time attachment to a global network is impossible.
A policy-based encryption scheme allows a message to be encrypted according to a credential-based policy formalized as a monotone Boolean expression written in standard normal form. Encryption is such that only the users having access to a qualified set of credentials for the policy are able to decrypt the message. In this paper, we first revisit the formal definition of policy-based encryption and describe a policy-based encryption scheme from bilinear pairings. Our scheme improves the one proposed in [W. Bagga and R. Molva.
Proceedings of the 2006 ACM Symposium on Information, computer and communications security - ASIACCS '06, 2006
The concept of policy-based cryptography is a promising paradigm for trust establishment and authorization in large-scale open environments like the Internet and Mobile Networks. It aims at providing a framework for performing cryptographic operations with respect to policies formalized as monotone Boolean expressions written in standard normal forms. A policy involves conjunctions and disjunctions of conditions where each condition is
Proof-Carrying Proxy Certificates. Walid Bagga, Stefano Crosta, and Refik Molva ... This is achieved by providing a valid proxy certificate and proving the possession of the private R. De Prisco and M. Yung (Eds.): SCN 2006, LNCS 4116, pp. 321-335, 2006. ...
Electronic Notes in Theoretical Computer Science, 2007
A policy-based encryption scheme allows a message to be encrypted according to a credential-based policy formalized as a monotone Boolean expression written in standard normal form. Encryption is such that only the users having access to a qualified set of credentials for the policy are able to decrypt the message. In this paper, we first revisit the formal definition of policy-based encryption and describe a policy-based encryption scheme from bilinear pairings. Our scheme improves the one proposed in [W. Bagga and R. Molva. Policy- ...
Devices supporting nomadic applications are assumed to be able to take advantage of the capabilities of surrounding devices. This paper discusses the access control requirements of such ad-hoc federations of communicating devices, some of which may be administered by a different authority, and illustrates how such scenarios would be handled in Web Services Security and in the framework proposed in the WiTness project. Finally, the adaptation of the WiTness flexible attribute certificate infrastructure as tokens for the Web Services Security specifications suite is discussed as an option to support scenarios where a full-time attachment to a global network is impossible.
Papers by Stefano Crosta