Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fine Granularity Policy Based Device Access Security Claes Nilsson - Sony Ericsson 2009-12-18.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Fine Granularity Policy Based Device Access Security Claes Nilsson - Sony Ericsson 2009-12-18."— Presentation transcript:

1 Fine Granularity Policy Based Device Access Security Claes Nilsson - Sony Ericsson 2009-12-18

2 Content of presentation A proposal for “Fine Granularity Policy Based Device Access Security”. This is response to ACTION-38: “Should issue recommendation on the granularity of the security system”

3 Use cases In a file API access to certain data is restricted to certain applications In a file or contacts API differentiation based on application identity between "read-only" and “read and write” access A "Secure credential manager“ for retrieving API-keys used for application log in to social networking web services

4 Proposal for “Fine Granularity Policy Based Device Access Security” Based on “Policy Based Device Access Security” (Steve Lewontin/Nokia http://lists.w3.org/Archives/Public/public-device- apis/2009Nov/att-0012/SecurityPolicy_09.pdf)http://lists.w3.org/Archives/Public/public-device- apis/2009Nov/att-0012/SecurityPolicy_09.pdf Added finer granularity to restrict access to APIs based on application identity Assumptions: – The origin and integrity of the web application can be securely verified. Examples: Signed web widget Web application accessed through SSL/TLS – The identity of the web application can be securely verified. Examples: The application identity is included in a widget's (signed) configuration file (assumes some kind of centralized widget signing) The application identity is included in a widget's certificate (makes distributed signing possible)

5 Web Execution Environment Web Application, e.g. Widget package html CSS JS Dig Signature cert Conf doc Content Engine 2. GetTrustAttributes Returns OriginURl, Certificate, Digital Signature, Conf Doc,etc 6. Result = AccessDeviceFunc (AppId, Params….) Assumptions: The origin and integrity of the web application can be securely verified. The identity of the web application can be securely verified. Trust Manager 3. GetTrustDomain(TrustAttributes, TrustPolicy) Trust Policy “Device API” 4. CallAPI (Params…, TrustDomain, AppId) Access Manager 5. Access allowed? (TrustDomain, Access Policy) Returns TrustDomain + AppId 1. navigator.device.API.method(Params…) Returns Allowed/ NotAllowed Returns “Result “, which will be a callback to navigator.device.API.method( “Device functionality to be accessed with the granularity of AppId” Access Policy

6 Logical flow for “Fine Granularity Policy Based Device Access Security” 1.The web application, e.g. a signed web widget, accesses device functionality that is restricted to this specific application. 2.The content engine loads the content and gets any needed content trust attributes, e.g. the origin URL, the digital signature, the certificate, the configuration document etc. 3.The content engine queries the trust manager to get the trust domain of the content and the application identity, passing the relevant trust attributes, and the path to the appropriate trust policy to the trust manager. The actual name/id of the application could for example be included in a widget's (signed) configuration document (assumes some kind of centralized widget signing) or it could be included in the certificate (makes distributed signing possible). The application’s name/id must be relative to the origin of the application, typically the PKI-identity, e.g. the Certificate Authority (CA) of a signed widgets certificate. This means that the CA must coordinate the application names/ids. So, an application identity (AppId) consists of two parts: - Origin of the application, typically the PKI-identity - Actual name/id of application 4.The content engine makes an API request, passing relevant parameters and the trust domain and application id to the device API implementation. 5.The device API implementation creates a security session with the access manager, passing the path to the appropriate access policy and the content trust domain. The device API implementation asks the security manager for an access decision (via the security session) passing the required capabilities. 6.Based on the result of the access control decision, the service invokes the requested operation, passing the application id, or throws a security exception. The “Device Functionality” will only open up the part that is available for this application according to the application id.

Download ppt "Fine Granularity Policy Based Device Access Security Claes Nilsson - Sony Ericsson 2009-12-18."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
魂▪創▪通魂▪創▪通 2013. 7. 19. WebCert - SOP Sangrae Cho Authentication Research Team.

魂▪創▪通魂▪創▪通 WebCert - SOP Sangrae Cho Authentication Research Team.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Data Security in Local Networks using Distributed Firewalls

Data Security in Local Networks using Distributed Firewalls
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Security Management.

Security Management.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Visual Signature Profile OASIS - DSS-X. Agenda General Requirements – Digital Signature operation Visual Signature content Verification Operation.

Visual Signature Profile OASIS - DSS-X. Agenda General Requirements – Digital Signature operation Visual Signature content Verification Operation.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.

Similar presentations

Ads by Google