=Paper=
{{Paper
|id=Vol-1584/paper14
|storemode=property
|title=The WebID Protocol Enhanced With Group Access, Biometrics, and Access Policies
|pdfUrl=https://ceur-ws.org/Vol-1584/paper14.pdf
|volume=Vol-1584
|authors=Cory Sabol,William Nick,Maya Earl,Joseph Shelton,Albert Esterline
|dblpUrl=https://dblp.org/rec/conf/maics/SabolNESE16
}}
==The WebID Protocol Enhanced With Group Access, Biometrics, and Access Policies==
https://ceur-ws.org/Vol-1584/paper14.pdf
Cory Sabol et al. MAICS 2016 pp. 89–95
The WebID Protocol Enhanced With Group Access,
Biometrics, and Access Policies
*
Cory Sabol, €William Nick, €Maya Earl, €Joseph Shelton, and €Albert Esterline
*
Dept. of Computer Science & €Dept. of Computer Science
*
University of North Carolina at Greensboro & €North Carolina A&T State University
Greensboro, North Carolina
cssabol@uncg.edu, {wmnick, mnearl, jashelt1}@aggies.ncat.edu, esterlin@ncat.edu
Abstract our solution. The next section discusses our use of access
The WebID protocol solves the challenge of remembering policies, reasoning about policies, and enforcing policies.
usernames and passwords. We enhance this protocol in Next, we present biometrics (the use of a person’s physio-
three ways. First, we give it the ability to manage groups of logical and behavioral characteristics for authentication)
agents and control their access to resources on the Web. and our biometric enhancement of the WeID protocol. The
Second, we add support for biometric access control to penultimate section briefly discusses implementation tech-
enhance security. Finally, we add support for OWL-based nologies, and the last section concludes with a summary of
policies that may be federated and result in flexible access this paper.
control.
Semantic Web Standards
Introduction
RDF/RDFS/OWL
The primary way of authenticating users on the Web is via
username and password. This is a rather secure and time- Our enhancements make heavy use of the Resource De-
tested method, but it is cumbersome and error prone. A scription Framework (RDF). RDF is a specification for
user may forget their username or password, requiring managing metadata of resources on the Web. In RDF, all
them to choose the ever so prevalent “forgot password” information is represented as triples of the form subject,
option. If the way a password reset is handled is insecure, predicate, object (Broekstra, Kampman & Harmelen,
then this opens up an entirely new attack surface for mali- 2002). The subject is the resource in question, and the
cious actors to gain information about a user. This is where predicate might describe a characteristic that the subject
alternatives such as OpenID (Wang Chen & Wang, 2012), has, in which case the object is the value of that character-
EMCSSL (Emercoin, 2015), and WebID (W3C, 2015) istic. Or the predicate describes a relationship between the
come into play. These systems are distributed platforms subject and the object, as in Tim knows Sarah, where Tim
that provide a user with, ideally, a simple way of asserting is the subject, knows is the predicate, and Sarah is the ob-
their identity on the Web. In this paper, we focus on the ject.
WebID protocol, identification for groups and some ways RDF lets us create a model of a resource and the rela-
in which the security of WebID can be improved for appli- tionships it has with other resources. RDF is also machine-
cations in which it is deemed necessary. readable so that we can build applications that leverage it
The remainder of this paper is organized as follows. The and the power of linked data (see below) to make the use
next section presents Semantic Web standards (such as and discovery of data much easier and consistent across
RDF and OWL), which are used for representation in our platforms. RDF is also expressible in various serializations,
protocols. Next is a section that introduces the WebID pro- such as RDF/XML, for better machine consumption. The
tocol and its use. Next, we introduce the problem of group Turtle serialization is a subset of the N3 serialization and is
access with WebIDs, and the following section presents meant for ease of human reading and writing. All RDF
examples throughout this document are written in N3 syn-
Copyright held by the author(s). tax for ease of reading.
89
� Cory Sabol et al. MAICS 2016 pp. 89–95
The Resource Description Framework Schema (RDFS) linked data. Table 1 depicts the various modes of access
provides a way to construct RDF vocabularies by allowing offered by ACL.
one to define RDF classes, properties, and relations tai-
lored to one’s needs. One such RDFS vocabulary used in Table 1 – ACL access modes
the research reported here is FOAF, which stands for Mode: Actions Allowed:
Friend Of A Friend. Another such vocabulary is ACL, or Read Read the contents (including querying, etc.)
the Access Control Language. Both vocabularies are dis-
Write Overwrite contents (including deleting or
cussed below.
overwriting parts of it)
Linked Data Append Add information to the end without overwrit-
Linked-data is a set of best practices regarding the publica- ing any part
tion and connection of structured data on the Web Control Set the access control rules for the resource
(Broekstra, Kampman & Harmelen, 2002). Linked-data
aims to provide a consistent and uniform way for agents on
the web to consume and publish data, machine and human This ACL-RDF vocabulary, which is defined with
alike. The key to this is that data is published in a con- RDFS, includes properties of authorization (W3C, 2015). It
sistent format and that all data links to other appropriate allows the administrator to specify access control modes,
data so that the discovery and consumption of further data which are essentially classes of operations. The
is easy and encouraged. The main format in which linked- WebAccessControl protocol states that the user authenti-
data is published in RDF. cates to the server through the implementation of
WebID+TLS.
FOAF However, ACL can in some cases be rather rigid, which
FOAF is a powerful RDF vocabulary that allows for the is why we introduced a policy ontology written in OWL
concise description of people and their social networks in a (web ontology language) that we developed. The main
semantic and machine-readable manner (OpenSSL, 2007), advantage of this ontology is that it can be used in tandem
It allows us to compute over the relationships and pro- with a reasoner service such as Apache Jena, which can
grammatically make conclusions about a person and those make inferences based on the rules derived from the ontol-
to which they are connected. The conventional namespace ogy.
prefix for FOAF is foaf:.
FOAF is, of course, applicable to more than just people OWL
and their social networks. It is applicable to any agent on OWL (Antoniou & van Harmelen, 2004) extends the
the web. An agent could be a person or it could be a soft- power of RDFS and is used to represent ontologies on the
ware agent that acts on the behalf of a person or organiza- Semantic Web. “Ontology” is a term that is borrowed from
tion. FOAF is also useful for representing the subtle status philosophy referring to a conceptualization of a domain,
of a group of agents. We leverage the semantics of the describing entities in the world and how they relate to each
foaf:Group class in order not only to allow a group to act other.
as a collection of agents but also for the group itself to be
treated as, as well as act as, an individual within an appli-
cation or service. This is the crux of allowing for authenti-
WebID and Its Use
cation of a group’s agents based on the group asserting its
identity as an individual. WebID
WebID is a W3C proposed protocol which provides a way
ACL for an agent to be identified using standard web technolo-
gies (W3C, 2015). At its most basic level, a WebID is
The Access Control Language (ACL) is a simple RDF vo-
simply a unique URI (uniform resource identifier) that rep-
cabulary that allows the specification of access control
resents some resource or agent on the web. When the URI
rules to be tied to resources on the web and presented in a
is dereferenced, an RDF or human readable format of the
machine-readable manner. It allows for a fairly flexible
document that describes the resource or agent in question
and broad range of rules to be specified regarding a re-
is returned. (Derefencing means to retrieve the resource to
source. It also allows for the rules to be specified and de-
which the URI points.) The version of the file that is re-
termined in a decentralized manner. A resource can have
turned is determined by content negotiation and CoolURIs
its access control rules easily derived from another re-
(Ayers & Völkel, 2008), along with fragment identifiers or
source’s ACL file on the web. The rules can even be main-
303 redirects, to determine and return the appropriate rep-
tained simply via a separate service, thanks to the power of
90
� Cory Sabol et al. MAICS 2016 pp. 89–95
resentation of the document representing the resource that ing a system that couples a user’s biometric data with their
the WebID represents. Typically, HTML is served to hu- WebID to create a two-step authentication process.
man users and RDF to machines. The service that is im- We start by describing the problem surrounding group
plementing WebID can of course decide how this is to be access control on the web. As it stands, delegating access
handled; it could be that a human agent has reason to view to agents on the web is a process that relies heavily on stat-
the RDF representation of a resource and a machine needs ic access control lists and security logic that is heavily in-
to consume the HTML representation. tegrated into the application logic of the service. Further-
more, we have a natural notion of trust in a group’s head
WebID + TLS member, often allowing them to assert their identity and
WebID + TLS is the protocol that describes the implemen- subsequently allowing for the knowledge to validate the
tation of WebID. It has the following general steps (W3C, identity of the group’s other members. Capturing this in a
2015): computational environment is a challenge, but we have
x Initially, the client must establish a TLS connection, several solutions. We implemented a system that can allow
which the server authenticates itself, using the for group owners to authenticate themselves as well as
standard TLS protocol. establish the trust needed to more easily authenticate the
group's members. This is primarily accomplished by mak-
x Next, the client on a specific resource can perform an ing use of the FOAF term foaf:Group and the subtlety
HTTP GET, PUT, POST, or DELETE action. that allows a foaf:Group also to be an individual agent.
x At this stage, the guard, or server agent, can grant or Also, one can specify a class associated with a group so
deny access according to the access control rules. that elements of that class are automatically of that group
and vice versa.
x Now, if the resource requires authentication for access, We now address decentralizing web access control fur-
the client’s identity is linked to a private key and ther than was done in our initial implementation. Develop-
public key pair. This pair should be embedded in the ing secure code is often difficult, especially when the secu-
client’s certificate to be verified. The client has the rity logic of the application is tightly knit into the imple-
option to automate which certificate to send from its mentation. In our access to resources based on semantic
browser when the TLS agent makes a certificate rule lists, decoupling some of the security functionality
x The TLS agent matches the certificate’s public key from the main application logic allows for the application
with the public key in the user’s profile document on logic to be developed and maintained much more easily.
the server. We remove the rigidity of our original solution to authenti-
cating groups and expand it into a more generalized and
x The Verification Agent, defined in (W3C, 2015), extensible system with the use of OWL and a Jena reason-
verifies that the WebID in the WebID certificate ing service that can also easily apply to individual agents.
knows the given public key. The OWL policy ontology that has been developed in our
x The Verification Agent extracts the public key and the lab is also more robust and flexible than ACL as a means
URIs from the Subject Alternative Name property of expressing access control rules.
field in the certificate.
x With the WebID collected, the guard can check if one Our Solution to the Group Problem
of the URIs is authorized by the access control rules.
To solve the problems of group access control, we began
If access is granted, then the guard can pass on the
experimenting with the notion of authenticating a group of
request to the protected resource.
agents by dereferencing the WebIDs of the group's mem-
bers, which are presented in the group's profile document.
The Group Problem In order for this to work, however, we must make certain
that a group is explicitly defined to avoid ambiguities in
There are several problems that this work addresses, in- discerning whether or not the agent that is asserting its
cluding group access control using WebID as well as identity is indeed a group. This is where we make use of
strengthening access control on the web by coupling the the foaf:Group term. Figure 1 is a simple example of a
policy ontology we have developed with a Jena-based foaf:Group defined in RDF using N3 syntax. The profile
reasoner to help decentralize the security logic of determin- explicitly asserts that the agent is a foaf:Group. The pro-
ing access to resources on the web. We also present a solu- file document also contains the agent's public key, as all
tion to one of the main security flaws of WebID by creat- WebID profiles must. And it contains a list of the WebIDs
belonging to its member agents. This is critical to the veri-
91
� Cory Sabol et al. MAICS 2016 pp. 89–95
fication process, which allows the group to assert its identi- 1: define function grantAccess(AgentURI, ResourceURI):
ty and authenticate the group members too. 2: if (Agent's WebID not valid) then
3: Deny access to ResourceURI, prompt resource owner that
AgentURI
1: @prefix foaf: . 4: has requested access to the resource.
2: @prefix cert: . 5: return access denied
3: 6: end
4: _:webidcommunitygroup a foaf:Group; 7:
5: foaf:name “webidcommunitygroup”; 8: Define AProile := dereference(AgentURI)
6: foaf:member[/*group member WebID's here*/]; 9: Define ResACL := dereference(ResourceURI)
7: cert:PublicKey “MIICQ...EstKg==” . 10: Define AGraph := toGraph(AProfile)
Figure 1 – Simple Group Profile Document 11: Define ResACLGraph := toGraph(ResACL)
12:
13: if (AgentURI is in ResACLGraph OR
We can allow a WebID that represents a group to serve 14: Agraph.class is in ResACLGraph) then
as an entry point to the authentication process. We do this 15: return access type specified in ResACL
by first dereferencing the WebID to get the profile docu- 16: end
17: else
ment. With this we determine whether or not the agent is a 18: Deny access to ResourceURI, prompt resource owner
group by checking if the profile contains the foaf:Group 19: that AgentURI has requested access to the resource.
term. From there, we parse the WebIDs contained in the 20: return access denied
21: end
foaf:member list and individually verify the WebID of 22:end
each member and determine the access to the resource in 23:
question based on the access rules tied to the resource. We 24:forEach (Member m in Group g) do
25: accessCache.add(m, grantAccess(m, Resource.URI))
then use server-side caching techniques to cache this ac- 26:end
cess information for a limited time to the service so that,
Figure 2 – Group Access Delegation Algorithm
when an agent that is a member of a previously authenti-
cated group requests access to the resource, the service
Using ontologies to describe policies enables the system
may simply validate their WebID and then perform a sim-
to use concepts that describe the entities and environments
ple lookup against the cached access data to determine
that are being controlled. This simplifies their descriptions
what type of access should be allowed.
and improves the system’s analyzability. The result is that
We expanded our initial algorithm to include use of the
policy frameworks can take advantage of powerful features
policy ontology and a reasoner, which was implemented
such as policy conflict detection and harmonization. As
using Apache Jena. This got rid of the rigidity of the algo-
with databases, there is the possibility of accessing the
rithm and its close ties to the limited ACL vocabulary in
information provided by querying the ontology based on
favor of the flexibility that our OWL-based policy ontolo-
the ontology schema.
gy offers. Figure 2 shows the updated version of the high-
The KAoS policy service framework (Uszok, Bradshaw
level group access algorithm, which makes use of a re-
& Jeffers, 2004) is a mature general-purpose policy man-
sponse returned from the reasoner.
agement system developed by the Florida Institute for Hu-
man and Machine Cognition (IHMC). It makes use of
Defining and Enforcing Policies OWL and OWL-based tools for specification, analysis and
enforcement of policies that are constrained across a varie-
OWL-based Policy Ontology ty of distributed computing platforms. KAoS has support
for obligations and authorization policies as well as mech-
The major advantage of using XML to represent policies is
anisms for other kinds of policies. This enables analysis,
that it is straightforwardly extensible (Bradshaw, Uszok
management, specification, and enforcement of policies.
and Montanari, 2014), but the problem with XML, as with
Use of OWL-based policies allows term and policy federa-
many other representations, is that its semantics is mostly
tion. We are importing the KAoS policies and extending it
implicit. One problem with implicit semantics is that the
in order to create our own policies.
conventions on which it is based are potentially ambigu-
ous. For that reason, semantic technologies are being used.
Jena/Reasoning
There are many advantages to using OWL to represent
policies. Ontologies allow for policies to be easily extend- Jena is a Java-based Semantic Web framework (McBride,
ed by simply adding new concepts. 2002). It can read all RDF serializations and add data to
RDF graphs, and it can write RDF graphs to all common
serializations. A number of inference engines and
reasoners can be used in Jena. With these engines, addi-
tional RDF assertions can be derived from an original RDF
92
� Cory Sabol et al. MAICS 2016 pp. 89–95
document. Languages such as RDFS and, for possibly so- might be used is where a person tries to login to a social
phisticated ontologies, OWL are supported; additional network service. For example, William is a user of Jo-
facts can be inferred from instance data using these lan- seph’s social networking site. Figure 3 shows the sequence
guages. SWRL rules (Horrocks et al., 2004) are supported diagram for the WebID+Biometrics protocol for this sce-
if one installs the Pellet reasoner (Parsia, 2004). Pellet is an nario. The scenario assumes authentication for a RESTful
open-source Java-based OWL 2 reasoner. One of the main web service. A RESTful web service communicates using
points of this framework is that it is intentionally general the HTTP protocol in a way similar to (but more involved
so as to be applicable for virtually any problem. than) the way a web browser gets a web page from a serv-
er.
Apache Thrift William’s client sends a TLS request to Joseph’s social
Thrift is an interface definition language and binary com- networking service. Then Joseph’s social networking ser-
munication protocol that is used to define and create ser- vice requests a certificate from William’s client. William’s
vices for numerous languages. It is used as a remote proce- client sends a certificate to Joseph’s social networking ser-
dure call (RPC) framework and was developed at Face- vice and dereferences William’s profile from William’s
book for “scalable cross-language services development” server from the URI that was provided in William’s certifi-
(Apache, 2007). It is incorporated into our code through cate. Joseph’s social networking service then queries the
the use of RDF and triples. The RDF file information goes RDF that is William’s profile and checks whether or not
to the server, which infers triples and then returns more the modulus and exponent from the profile on William’s
triples. Whatever access the person has will be inferred by server match the modulus and exponent from William’s
the reasoner. The Thrift service uses Pellet for reasoning certificate. If they match, then Joseph’s service will send
about our policies. the RDF for the particular feature extractor that has been
generated at random. William’s client will ask William to
submit, for example, a picture from which it will extract
Extension Using Biometrics the feature vector and serialize it to an RDF serialization.
That RDF will be sent to Joseph’s service, which will
Biometrics dereference a document on William’s server that contains
William’s biometric information. Joseph’s service will
Biometrics is the study of identifying an individual based
then verify that William’s biometrics matches the enrolled
off of their physical characteristics (Jain and Ross 2008). It
feature vectors. Finally, if the biometrics submitted to Jo-
is useful in many authentication systems due to its inherent
seph’s social networking service matches the biometrics
advantages over other types of authentication. Unlike a
from the RDF document on William’s server, then Jo-
knowledge-based system (Zhang and Li 2011) that uses a
seph’s service will notify William’s client that he may ac-
password or some other key phrase to grant access, a bio-
cess it.
metric system uses an individual’s biometric, such as their
face, iris or fingerprint. These biometrics cannot be as easi-
ly misplaced or stolen as a password can. A token-based
systems (Hao & Yu, 2010) use some physical token such
as a key or smart card to grant access. However, tokens can
also be misplaced or stolen.
A biometric system is composed of some sensor, such as
a camera or scanner, a module that extracts features from
what was taken from the sensor, a module that stores the
extracted features in a database, and a module to compare
extracted features to enrolled features (Jain and Ross
2008).
WebID + Biometric protocol
This section describes the WebID+Biometrics protocol,
which is built off the WebID protocol but uses the disposa-
ble feature extractors created by the GEFE technique de-
veloped by Shelton et al. (2012) for biometric verification.
WebID+Biometrics also uses OWL-based policies, as de- Figure 3- The sequence diagram for the WebID+Biometrics Pro-
scribed above. One possible scenario where this protocol tocol
93
� Cory Sabol et al. MAICS 2016 pp. 89–95
body having access to a device in which an agent’s WebID
Unlike the WebID protocol, we use policies, which are certificate is installed. We also add support for OWL-based
expressed in OWL. This allows us to infer roles and to policies that may be federated and result in flexible access
infer how access is delegated. To illustrate this, consider control. What is reported here leads to future work aimed
another example, where a user, Renee, is trying to access a at the notion of a network of trust.
resource controlled by William. Renee is part of the same
organization as William, and William has also delegated
access to a resource to Renee. Renee’s client requests to
References
login and access a resource controlled by William. The Antoniou, G., & van Harmelen, F. (2004). Web ontology lan-
service requests Renee’s certificate and gets the RDF pro- guage: Owl. In Handbook on ontologies (pp. 67-92). Springer
file document from Renee’s server from the URI in the Berlin Heidelberg.
certificate. The service checks whether the modulus and Apache Software Foundation. Apache Thrift.
exponent in the certificate match the modulus and expo- 2007.http://thrift.apache.org/.
nent in the profile document. The Service requests Renee’s Ayers, D. and Völkel, M. 2008. Cool URIs for the Semantic Web.
client to submit her biometric credentials using a particular Cool URIs for the Semantic Web.
disposable FE. If the biometrics for Renee matches the
biometrics on Renee’s server, then the server will pass http://www.w3.org/TR/cooluris/.
Renee’s policy document to a reasoning service. The rea- Bizer, C., Heath, T., and Berners-Lee, T. 2009. Linked Data—The
soning service will reason about the document based on a Story So Far. International Journal on Semantic Web and Infor-
policy ontology. The result will determine whether Renee mation Systems. pp. 1–22.
will gain access to the system. Bradshaw, J.M., A. Uszok, and R. Montanari. 2014. Policy-Based
Like the WebID protocol, our protocol allows for pro- Governance of Complex Distributed Systems: What Past Trends
files to be decentralized. Unlike the WebID protocol, how- Can Teach Us about Future Requirements. Adaptive, Dynamic,
ever, our protocol is able to handle biometric verification. and Resilient Systems, CRC Press.
This allows users to bring their own biometrics. Unlike the Broekstra, J., Kampman, A. and Harmelen, F. V. 2002. Sesame:
WebID protocol, our protocol reasons about permissions A Generic Architecture for Storing and Querying RDF and RDF
using policy documents expressed in OWL. Schema. Proceedings of the First International Semantic Web
Conference on the Semantic Web. Springer-Verlag, London, UK,
UK, 54-68.
Implementation
Emercoin. 2015. EMCSSL. Decentralized identity management,
Node.js was used to build a client application from which passwordless logins, and client SSL certificates using Emercoin
agents may try to authenticate for access to resources that NVS. Emercoin International Development Group.
have access rules expressed using the OWL based policy
Hao, Z., & Yu, N. 2010. A Security Enhanced Remote Password
ontology. The client also acts as the WebID authentication
Authentication Scheme Using Smart Card. 2010 Second Interna-
service. We paired the Node.js client with an Apache Jena
tional Symposium on Data, Privacy, and E-Commerce, 56-60.
based reasoner service, which accepts the access rules and
makes inferences based on them, returning the type of ac- Horrocks, I., Patel-Schneider, P.F., Boley, H., Tabet, S., Grosof,
cess to a resource that is to be granted to the client. The B., Dean. M. 2004. SWRL: A Semantic Web Rule Language
reasoner used is Pellet, and Apache Thrift provides REST- Combining OWL and RuleML, W3C Member Submission, W3C.
ful access to it. http://www.w3.org/Submission/2004/SUBM-SWRL-20040521/.
Jain, A. K., Ross, A. 2008. Introduction to Biometrics. Handbook
of Biometrics. Springer. pp. 1–22.
Conclusion
McBride, B. 2002. Jena: A Semantic Web Toolkit. IEEE Internet
We addressed the way group access control and group Computing 6(6): 55-59 (2002)
based authentication might be handled on the web and cre- OpenSSL Software Foundation. OpenSSL Project. The OpenSSL
ated a high-level algorithm for authenticating a group and Project Homepage, 2007.
its members and caching the access decisions to the server
< https://www.openssl.org/>
for a limited time. This allows for a more natural notion of
a group to exist and interact with web services, just as in Parsia, B., Sirin, E. 2004. Pellet: an OWL DL reasoned. Proc.
real life a group owner’s identity is validated and then trust DL-2004, 2004.
is established and propagated to the group’s members. We Shelton, J., Bryant, K., Abrams, S., Small, L., Adams, J., Leflore,
also improved the security of the WebID protocol by cou- D., & Dozier, G. 2012. Genetic & Evolutionary Biometric Securi-
pling it with biometrics. This mitigates the threat of some-
94
� Cory Sabol et al. MAICS 2016 pp. 89–95
ty: Disposable Feature Extractors for Mitigating Biometric Re- Wang, R,. Chen, S., Wang, X. 2012. Signing me onto your ac-
play Attacks. Procedia Computer Science, 8, 351-360. counts through Facebook and Google: A traffic-guided security
Uszok, A., Bradshaw, J. M., & Jeffers, R. 2004. KAoS: A policy study of commercially deployed single-sign-on web services.
and domain services framework for grid computing and semantic IEEE Symposium on Security and Privacy.
web services. Trust management: Second international confer- Zhang, H., & Li, M. 2011. Security vulnerabilities of an remote
ence, iTrust 2004, Oxford, UK, March 29–April 1, 2004. Pro- password authentication scheme with smart card. 2011 Interna-
ceedings. Vol. 2995 of Lecture Notes in Computer Science., (pp. tional Conference on Consumer Electronics, Communications
16–26). Springer-Verlag, Berlin, Heidelberg and Networks (CECNet), 698-701.
W3C. ed. 2015. WebID-TLS. Authentification over TLS.
95
�