The present invention relates to verifying and enabling access to a service provided by a service computer.
More and more services within networks request certain access rights in order to grant access. Access rights to resources are often described as a logical expression over users' attributes, also referred to as an access rule. An example of such a “rule” is: “the user must either be over eighteen or must have consent from her parents”. If the attributes need not be certified, they can be provided directly by the user; otherwise they need to be provided by third parties (e.g., Microsoft's Passport) or by using attribute certificates.
Today's access decision engines determine whether or not a user is granted access to some resource by first collecting all attributes appearing in the access rule and then by evaluating the rule. This approach has the drawback that the access decision or granting engine gets to know all data about the user. Users are concerned about their privacy and about the information released to access decision engines, which lack strong privacy mechanisms.
From the above it follows that there is a need in the art to minimize the information that can be gathered by access decision engines or computers within a network. In fact, the user should be able to decide which attributes or information an access granting party should get to know, and hence to minimize the information conveyed.
Therefore, the present invention provides efficient schemes that allow a user to decide which attributes or information an access granting party, hereafter also referred to as access decision engine, gets to know. Therewith it is in the hands of the user to minimize the information conveyed.
In accordance with a first aspect of the present invention, there is given a method for verifying and enabling access to a service S provided by a service computer. The method comprises the steps of: receiving a request from a remote computer requesting access to the service that is desired by a user; sending to the remote computer a response comprising an access policy AP for accessing the service, the access policy AP describing at least one possibility to obtain access to the service; receiving from the remote computer a reply comprising a description of evidence information DEI to be gathered to fulfill the access policy AP; receiving evidence information EI specified by the description DEI; and, in the event that the received evidence information EI is sufficient to fulfill the access policy AP, enabling the access, otherwise denying the access.
Embodiments of the invention are described in detail below, by way of example only, with reference to the following schematic drawings.
The present invention provides efficient schemes that allow a user to decide which attributes or information an access granting party, hereafter also referred to as access decision engine, gets to know. Therewith it is in the hands of the user to minimize the information conveyed. The following describes from the user's view how access to a service can be obtained and granted in a way that gives the user the choice of which evidence becomes known to an access decision engine. At first, the user asks or requests to access a service. Then, the access decision engine checks whether the user has already provided evidence that he or she is allowed to access the service. If yes, access is granted. Otherwise, the process continues with the next steps.
The access decision engine informs the user in a reply what evidence, e.g., credentials, statements by third parties, or the like, needs to be provided to get access, and possibly what evidence the user has already provided, i.e., the user is sent an access condition or access policy. The user reviews what evidence is required and decides which evidence he or she wants to provide, for example, which credentials he or she wants to show, or which parties or servers the access decision engine should ask for evidence. This has the advantage that the user can decide which evidence he or she wants to provide to the access decision engine in order to get access. It is advantageous if the access condition or policy is displayed to the user. In a further example, the user can gather related evidence from third parties. This can involve getting credentials/certificates that the user would forward to the access decision engine, or inquiring with third parties that would possibly later be queried for evidence by the access decision engine. Moreover, the user can collect further evidence, e.g., credentials. Then, the user lets the access decision engine know which evidence he or she wants to be gathered by the decision engine. This might include the user sending authorization tokens to the access decision engine so as to enable the latter to request evidence from third parties.
Accordingly, the access decision engine gathers the evidence, either from the user directly or from third parties. This can include the user providing the evidence, for example, by proving possession of credentials, without the access decision engine getting to know which particular evidence grants the user the access. For instance, the user proves that he or she is either 18 or has consent from her parents, as opposed to just sending a certificate that states that he or she is over 18. Finally, if all evidence can be retrieved, the access decision engine grants the access.
In accordance with a first example embodiment of the present invention, there is given a method for verifying and enabling access to a service S provided by a service computer. The method comprises the steps of: a) receiving a request from a remote computer requesting access to the service that is desired by a user; b) sending to the remote computer a response comprising an access policy AP for accessing the service, the access policy AP describing at least one possibility to obtain access to the service; c) receiving from the remote computer a reply comprising a description of evidence information DEI to be gathered to fulfill the access policy AP; d) receiving evidence information EI specified by the description DEI; and e) in the event that the received evidence information EI is sufficient to fulfill the access policy AP, enabling the access, otherwise denying the access.
An advantage of this method is that the user has full control over the information he or she is willing to reveal. The user can define what information about him/her is available to and can be collected by an access control system. This leads to more privacy with access control systems, because the information gathered by the access decision engine is minimized. The remote computer can send the evidence information EI, or part of it, directly to the access granting engine. By doing so, the access process is simplified because the access granting engine does not need to request the evidence information from, e.g., the remote computer or any other information server.
It appears to be advantageous when the access granting engine and the service computer form a unit, because then the communication can be reduced between the access granting engine and the service computer, leading to a faster access. This also avoids communication over the network.
Step d), receiving evidence information EI, can further comprise receiving identifying information II from the user that allows further evidence information FEI about the user to be obtained from an information service computer. This allows the access granting engine to obtain the evidence information EI, or part thereof, from third parties or other data sources. Step e), enabling the access, can further comprise issuing an access granting token AGT for use with a further service computer. This allows the user to control who is allowed to request identifying information II from further service computers. Step c), receiving from the remote computer a reply, can be omitted, and step d), receiving evidence information EI, can either include the description of the evidence information DEI, or the description DEI is implicit in the sent/received evidence information EI. That is, in the latter case the sent evidence information EI implicitly states the user's consent to what is to be gathered to fulfill the access policy AP. Since the user does not need to send explicitly what he or she is willing to reveal, the process becomes more efficient.
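The exchange of steps a) to e), including the third-party variant of step d) in which the engine fetches further evidence FEI via identifying information II, as an added Python simulation that is not part of the patent's text. The policy AP (over 18 OR parental consent), the token name "tok-alice" and the information-service table are constructed for the example; the point it shows is that the engine only ever retains attributes the user named in DEI, even when the third party would release more.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access policy AP: a list of alternatives, each a set of attributes that
# together fulfil the rule ("over 18" OR "has parental consent").
AP = [{"age_over_18"}, {"parental_consent"}]

# Constructed third-party information service: identifying information II
# (an authorization token) maps to everything that service would release.
INFO_SERVICE = {"tok-alice": {"parental_consent": True, "age_over_18": True}}

@dataclass
class Session:
    policy: list                              # AP as sent in step b)
    dei: set = field(default_factory=set)     # attributes the user consented to (step c)
    ei: dict = field(default_factory=dict)    # evidence the engine actually learned

class AccessDecisionEngine:
    def __init__(self, policy):
        self.policy = policy
    def request(self) -> Session:             # steps a) and b): answer the request with AP
        return Session(policy=[set(alt) for alt in self.policy])
    def reply(self, s: Session, dei: set) -> None:   # step c): user names evidence to gather
        s.dei = set(dei)
    def receive(self, s: Session, ei: Optional[dict] = None, ii: Optional[str] = None) -> None:
        """Step d): take evidence EI from the user and/or fetch FEI via token II."""
        gathered = dict(ei or {})
        if ii is not None:
            gathered.update(INFO_SERVICE.get(ii, {}))
        # Minimisation: keep only attributes named in DEI; the rest is discarded unread.
        s.ei.update({a: v for a, v in gathered.items() if a in s.dei})
    def decide(self, s: Session) -> bool:     # step e): is any alternative fully proven?
        return any(all(s.ei.get(a) is True for a in alt) for alt in s.policy)

def choose_minimal_dei(policy, holdings) -> set:
    """User side: pick the smallest alternative of AP the user can actually fulfil."""
    feasible = [alt for alt in policy if all(holdings.get(a) is True for a in alt)]
    return min(feasible, key=len) if feasible else set()

def run(holdings: dict, token: Optional[str] = None):
    """Full exchange; returns (access granted?, what the engine learned)."""
    engine = AccessDecisionEngine(AP)
    s = engine.request()
    dei = choose_minimal_dei(s.policy, holdings)
    engine.reply(s, dei)
    if token:                                  # variant of step d): engine fetches FEI itself
        engine.receive(s, ii=token)
    else:
        engine.receive(s, ei={a: holdings[a] for a in dei})
    return engine.decide(s), dict(s.ei)
```

With the token variant the service would hand over both attributes, but the engine keeps only the one the user consented to and still grants access.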
Desired privacy criteria are much better fulfilled when the access policy AP is displayed to the user who then can actively select the information to be revealed. Thereby, the user is well informed and can interactively choose the information he or she is willing to disclose.
When steps a) and b) are omitted and in step c) the access policy AP and/or the description of evidence information DEI is received, then the present invention can be implemented into current systems in a much simpler manner, e.g., with browser-based access.
In the following various embodiments are described. The same reference signs or numbers are used to denote the same parts or the like.
Variations described for the present invention can be realized in any combination desirable for each particular application. Thus particular limitations, and/or embodiment enhancements described herein, which may have particular advantages to a particular application need not be used for all applications. Also, not all limitations need be implemented in methods, systems and/or apparatus including one or more concepts of the present invention.
The present invention can be realized in hardware, software, or a combination of hardware and software. A visualization tool according to the present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods and/or functions described herein—is suitable. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods.
Computer program means or computer program in the present context include any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after conversion to another language, code or notation, and/or reproduction in a different material form.
Thus the invention includes an article of manufacture which comprises a computer usable medium having computer readable program code means embodied therein for causing a function described above. The computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to effect the steps of a method of this invention. Similarly, the present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a function described above. The computer readable program code means in the computer program product comprises computer readable program code means for causing a computer to effect one or more functions of this invention. Furthermore, the present invention may be implemented as a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for causing one or more functions of this invention.
It is noted that the foregoing has outlined some of the more pertinent objects and embodiments of the present invention. This invention may be used for many applications. Any disclosed embodiment may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments. Thus, although the description is made for particular arrangements and methods, the intent and concept of the invention is suitable and applicable to other arrangements and applications. It will be clear to those skilled in the art that modifications to the disclosed embodiments can be effected without departing from the spirit and scope of the invention. The described embodiments ought to be construed to be merely illustrative of some of the more prominent features and applications of the invention. Other beneficial results can be realized by applying the disclosed invention in a different manner or modifying the invention in ways known to those familiar with the art.
Number | Date | Country | Kind |
---|---|---|---|
03405469.2 | Jun 2003 | EP | regional |