Web Services Security and E-Business
Latest Publications


Total documents: 20 (five years: 0)

H-index: 1 (five years: 0)

Published By IGI Global

9781599041681, 9781599041704

Author(s): Subhas C. Misra, Vinod Kumar, Uma Kumar

In this chapter, we provide a conceptual modeling approach for Web services security risk assessment that is based on the identification and analysis of stakeholder intentions. There are no similar approaches for modeling Web services security risk assessment in the existing literature. The approach is, thus, novel in this domain. The approach is helpful for performing means-end analysis, thereby uncovering the structural origin of security risks in WS, and how the root causes of such risks can be controlled from the early stages of the projects. The approach addresses “why” the process is the way it is by exploring the strategic dependencies between the actors of a security system, and analyzing the motivations, intents, and rationales behind the different entities and activities in constituting the system.


Author(s): Saravanan Muthaiyah

Access control methods have been improvised over time, but one area that remains quite grey is the concept of assessing risk levels before any type of access rights are granted. This is a relatively new paradigm in the research of semantic Web security, and new methodologies for this effort are being studied. In this chapter, we will see how qualitative risk assessment (Nissanke & Khayat, 2004) and quantitative risk assessment are carried out. The purpose is to have different methods of assessment for better grant of access control rights and permissions. New examples based on the model described (Nissanke & Khayat, 2004) are used to illustrate the concept. A new quantitative technique is also added to complement the qualitative techniques.


Author(s): Ezmir Mohd Razali, Ismail Ahmad, G. S. V. Radha Krishna Rao, Kenneth Foo Chuan Khit

A security framework for secure message delivery and off-line message viewing of electronic bills is presented. This framework is implementable toward smart applications such as electronic bill presentment and payment systems.


Author(s): R. Anitha, R. S. Sankarasubramanian

This chapter presents a new simple scheme for verifiable encryption of elliptic curve digital signature algorithm (ECDSA). The protocol we present is an adjudicated protocol, that is, the trusted third party (TTP) takes part in the protocol only when there is a dispute. This scheme can be used to build efficient fair exchanges and certified email protocols. In this paper we also present the implementation issues. We present a new algorithm for multiplying two 2n bits palindromic polynomials modulo x^p − 1 for prime p = 2n + 1 for the concept defined in Blake, Roth, and Seroussi (1998), and it is compared with the Sunar-Koc parallel multiplier given in Sunar and Koc (2001).


Author(s): Chan Gaik Yee, G. S. V. Radha Krishna Rao

Because business intelligence (BI) applications are growing in importance, and because attacks launched by hackers are growing and becoming more sophisticated, the concern of how to protect the knowledge capital or databases that come along with BI, in other words BI security, has arisen. In this chapter, the BI environment with its security features is explored, followed by a discussion on intrusion detection (ID) and intrusion prevention (IP) techniques. It is understood through a Web-service case study that it is feasible to have ID and IP as countermeasures to the security threats, thus further enhancing the security of the BI environment or architecture.


Author(s): Richard S. Norville, Kamesh Namuduri, Ravi Pendse

Zero-knowledge proof (ZKP) based authentication protocols provide a smart way to prove the identity of a node without giving away any information about the secret of that identity. There are many advantages as well as disadvantages to using this protocol over other authentication schemes, and challenges to overcome in order to make it practical for general use. This chapter examines the viability of ZKPs for use in authentication protocols in networks. It is concluded that nodes in a network can achieve a desired level of security by trading off key size, interactivity, and other parameters of the authentication protocol. This chapter also provides data analysis that can be useful in determining expected authentication times based on device capabilities. Pseudocode is provided for implementing a graph-based ZKP on small or limited processing devices.


Author(s): Dennis M.L. Wong, Raphael C.W. Phan

In this chapter, we discuss the business implications, as well as security and privacy issues, of the widespread deployment of radio frequency identification (RFID) systems. We first describe, in more detail, the components that make up an RFID system to facilitate better understanding of the implications of each, and then review the commercial applications of the RFID. We then discuss the security and privacy issues for RFID systems and what mechanisms have been proposed to safeguard these. The topics discussed in this chapter highlight the benefits of using RFIDs for user convenience in ubiquitous and pervasive commercial services and e-businesses, while maintaining the integrity of such systems against malicious attacks on the users’ security and privacy. This is vital for a business establishment to coexist with peers and remain competitively attractive to customers.


Author(s): Biju Issac, Lawan A. Mohammed

This chapter gives a practical overview of the brief implementation details of the IEEE 802.11 wireless LAN and the security vulnerabilities involved in such networks. Specifically, it discusses the implementation of EAP authentication using a RADIUS server with WEP encryption options. The chapter also touches on the ageing WEP and the cracking process, along with the current TKIP and CCMP mechanisms. War driving and other security attacks on wireless networks are also briefly covered. The chapter concludes with practical security recommendations that can keep intruders at bay. The authors hope that any reader would thus be well informed on the security vulnerabilities and the precautions that are associated with 802.11 wireless networks.


Author(s): Amitabh Saxena, Ben Soh

In this chapter, we discuss the concept of “trust transfer” using chain signatures. Informally, transferring trust involves creating a trust (or liability) relationship between two entities such that both parties are liable in the event of a dispute. If such a relationship involves more than two users, we say they are connected in a chained trust relationship. The members of a chained trust relationship are simultaneously bound to an agreement with the property that additional members can be added to the chain but once added, members cannot be removed thereafter. This allows members to be incrementally and noninteractively added to the chain. We coin the term “chained signatures” to denote signatures created in this incremental way. An important application of chained signatures is in e-commerce transactions involving many users. We present a practical construction of such a scheme that is secure under the Diffie-Hellman assumption in bilinear groups.


Author(s): M. Mujinga, Hippolyte Muyingi, Alfredo Terzoli, G. S. V. Radha Krishna Rao

Internet protocol version 6 (IPv6) is the next generation Internet protocol proposed by the Internet Engineering Task Force (IETF) to supplant the current Internet protocol version 4 (IPv4). Lack of security below the application layer in IPv4 is one of the reasons why there is a need for a new IP. IPv6 has built-in support for the Internet protocol security protocol (IPSec). This chapter reports work done to evaluate the implications of the compulsory use of IPSec on a dual-stack IPv4/IPv6 environment.

