2016 Symposium Posters

Authentication of User’s Device and Browser for Data Access in Untrusted Cloud


Primary Investigator:
Bharat Bhargava

Project Members
Denis Ulybyshev, B. Bhargava, L. Li, J. Kobes, D. Steiner, H. Halpin, B. An, M. Villarreal, R. Ranchal
Abstract
Modern distributed systems (such as composite web services and cloud solutions) comprise a number of services that collaborate, interact and share data. These systems must provide privacy-preserving secure data dissemination and data leakage detection. A service must not be able to access data items for which it is not authorized. If an authorized service leaks data to an unauthorized party, the leak must be detected and reported to the data owner.

In our scenario, a data owner wants to share data with a set of services. Each service is only authorized to access a subset of the data. The problem in the composition of services is that opaque data sharing and undetected data leakages may occur. Our approach provides policy-based secure data dissemination and protects data throughout their lifecycle. Selective dissemination of data is based on the following:

1) Access control policies, so that each requesting service gets access only to the data it is authorized for
2) The cryptographic capabilities of the browser of the client issuing the data request
3) The client's authentication method: fingerprint authentication and USB-key authentication allow the client to access more data compared to password-based authentication
4) The type of the client's network: secure (e.g. corporate Intranet) vs. insecure
5) The type of the client's device requesting data (e.g. smartphone vs. desktop computer)

To ensure correct delivery of the appropriate data to each service, each service must share the entire data, even though services are only authorized for a certain subset of the data. A data leak by a service authorized for that data to an unauthorized service is detected by a notification script and watermarks embedded into the data. Our approach does not require data owner availability, is independent of trusted third parties, is able to operate in unknown environments and supports different authentication methods for the client.
The approach is illustrated on a healthcare scenario with composite web services.
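
The five selection criteria above can be combined into a single access decision. The following Python sketch is an added illustration, not the authors' implementation: the numeric trust levels, the weakest-link rule, the item names and the `Request` and `accessible_items` names are all assumptions made for the example.

```python
from dataclasses import dataclass

# Hypothetical trust levels per client attribute (higher = more trusted).
AUTH = {"password": 1, "usb_key": 2, "fingerprint": 2}
NETWORK = {"insecure": 1, "secure": 2}
DEVICE = {"smartphone": 1, "desktop": 2}
BROWSER_CRYPTO = {"none": 0, "partial": 1, "full": 2}

# Constructed healthcare policy: item -> (authorized services, minimum trust).
POLICY = {
    "contact_info": ({"doctor", "insurance", "pharmacy"}, 1),
    "prescriptions": ({"doctor", "pharmacy"}, 1),
    "billing": ({"insurance"}, 2),
    "medical_history": ({"doctor"}, 2),
}


@dataclass(frozen=True)
class Request:
    service: str
    auth: str
    network: str
    device: str
    browser_crypto: str

    def trust(self) -> int:
        # Weakest-link rule (assumption): the least trusted attribute caps
        # the request. Unknown values score 0, so the check fails closed.
        return min(
            AUTH.get(self.auth, 0),
            NETWORK.get(self.network, 0),
            DEVICE.get(self.device, 0),
            BROWSER_CRYPTO.get(self.browser_crypto, 0),
        )


def accessible_items(req: Request) -> list[str]:
    """Return the data items this request may read, sorted by name."""
    level = req.trust()
    return sorted(
        item
        for item, (services, min_trust) in POLICY.items()
        if req.service in services and level >= min_trust
    )


if __name__ == "__main__":
    strong = Request("doctor", "fingerprint", "secure", "desktop", "full")
    weak = Request("doctor", "password", "insecure", "smartphone", "partial")
    print(accessible_items(strong))
    print(accessible_items(weak))
```

The same service receives a smaller subset when it authenticates with a password from an insecure network, and nothing at all when any attribute is unrecognized.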