DOI: 10.1145/1052220.1052238
Article

A user-centric anonymous authorisation framework in e-commerce environment

Published: 25 March 2004

Abstract

A novel user-centric authorisation framework suitable for e-commerce in an open environment is proposed. The credential-based approach allows a user to gain access rights anonymously from various service providers who may not have pre-existing relationships. Trust establishment is achieved by making use of referrals from external third parties in the form of Anonymous Attribute Certificates. The concepts of One-task Authorisation Key and Binding Signature are proposed to facilitate pseudonymity in authorisation service. These mechanisms enhance user privacy and tackle the problem of scalability in identity-based access control systems.



Published In
ICEC '04: Proceedings of the 6th international conference on Electronic commerce
March 2004
684 pages
ISBN:1581139306
DOI:10.1145/1052220

Sponsors

  • ICEC: International Center for Electronic Commerce

Publisher

Association for Computing Machinery

New York, NY, United States


Acceptance Rates

Overall Acceptance Rate 150 of 244 submissions, 61%

Cited By

  • (2011) Decentralized generation of multiple, uncorrelatable pseudonyms without trusted third parties. Proceedings of the 8th international conference on Trust, privacy and security in digital business, pp. 113-124. DOI: 10.5555/2035420.2035434. Online publication date: 29 Aug 2011.
  • (2011) Anonymous reputation based reservations in e-commerce (amnesic). Proceedings of the 13th International Conference on Electronic Commerce, pp. 1-10. DOI: 10.1145/2378104.2378121. Online publication date: 3 Aug 2011.
  • (2011) Design of secure and trustworthy mobile agent-based e-marketplace system. Information Management & Computer Security 19(5), pp. 333-352. DOI: 10.1108/09685221111188610. Online publication date: 22 Nov 2011.
  • (2006) A method for access authorisation through delegation networks. Proceedings of the 2006 Australasian workshops on Grid computing and e-research, Volume 54, pp. 165-174. DOI: 10.5555/1151828.1151848. Online publication date: 1 Jan 2006.
  • (2005) A Secure Anonymous Authorisation Architecture for E-Commerce. Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE'05), pp. 106-111. DOI: 10.1109/EEE.2005.16. Online publication date: 29 Mar 2005.
