Achieving secure and flexible M-services through tickets

Abstract

Web services via wireless technologies, mobile services (M-services), HTTP, and XML have become important for conducting business. W3C XML Protocol Working Group has been developing standard techniques such as Web Services Description Language (WSDL), simple object access protocol (SOAP), universal description discovery and integration (UDDI). However, at this stage, there is no standard technique for access control in M-services. This paper describes a secure and flexible access control scheme and protocol for M-services based on role based access control (RBAC). The access control architecture involves a Trusted Credential Center (TCC), a Trusted Authentication and Registration Center (TARC) and a secure ticket based mechanism for service access. Users and service providers register with the TARC and are authenticated. Based on this, tickets are issued by the TCC to users. Tickets carry authorization information needed for the requested services. In particular, we are able to specify access control polices based on roles. The protocols between the various entities in the model are protected using appropriate security mechanisms such as signatures which are used to verify correctness of the requested service, as well as to direct billing information to the appropriate user. Our architecture supports efficient authentication of users and service providers over different domains and provides a secure access model for services to users. Our model is also able to support anonymity of users. Only the TARC is able to identify misbehaving users. We believe that the proposed architecture forms a good basis for achieving a secure and flexible M-service system.