Attribute based infrastructures for authentication and authorisation

In Germany in 2006 alone customers spend over $ 23.9 billion online. E-commerce is going to grow as are threats and dangers for users and providers. What is needed is a security infrastructure in combination with an information infrastructure satisfying both the requirements of customers as well as of Service Providers. This work proposes an attribute-based Authentication and Authorisation Infrastructure (AAI) for b2c e-commerce which aims at mediating between the respective demands and securing electronic transactions. Private users request ease of use through a central account management and Single Sign-On as well as privacy and trust in the infrastructure. Service Providers demand security through a dynamic, fine-grained access control mechanisms and outsourcing capabilities. By using attribute-based Access Control and open communication standards a mediating infrastructure is built forming an intermediary. The architecture comprises the distributed entities of Identity Providers, Service Providers in a federation, and a central Policy Decision Point. Their involvement and tasks are defined by guaranteeing security without restricting usability and pseudonymity. This book will, firstly, analyse the involved parties and possible scenarios in b2c e-commerce and their motivations for a security infrastructure. Secondly, security fundamentals in the areas of authentication, authorisation, access control, attribute management, and privacy enhancing technologies will be presented. A thorough review of existing AAIs will be conducted showing where these state-of-the-art solutions have their shortcomings. An attribute-based AAI will be presented suggesting a reference protocol and a reference architecture, an allocation strategy, a Security Pattern System, and prototypical implementations. An evaluation scheme is used to assess the AAI. This work presents a new approach to the field of AAIs: an attribute-based infrastructure tailored to the needs of both customers and vendors, securing e-commerce, and making the process more convenient and trusted.