We envisage a fine-grained access control solution that allows a user's access privilege to be linked to the confidence level (hereafter referred to as the assurance level) in identifying the user. Such a solution would be particularly attractive to a large-scale distributed resource sharing environment, where resources are likely to be more diversified and may have varying levels of sensitivity and resource providers may wish to adjust security protection levels to adapt to resource sensitivity levels or risk levels in the underlying environment. However, existing electronic authentication systems largely identify users through the verification of their electronic identity (ID) credentials. They take into account neither assurance levels of the credentials, nor any other factors that may affect the assurance level of an authentication process, and this binary approach to access control may not provide cost-effective protection to resources with varying sensitivity levels. To realise the vision of assurance level linked access control, there is a need for an authentication framework that is able to capture the confidence level in identifying a user, expressed as an authentication Level of Assurance (LoA), and link this LoA value to authorisation decision-making. This research investigates the feasibility of estimating a user's LoA at run-time by designing, prototyping and evaluating an authentication model that derives an LoA value based upon not only users' ID credentials, but also other factors such as access location, system environment and authentication protocol used. To this aim, the thesis has identified and analysed authentication attributes, processes and procedures that may influence the assurance level of an authentication environment. It has examined various use-case scenarios of authentication in Grid environments (a well-known distributed system) and investigated the relationships among the attributes in these scenarios. It has then proposed an authentication model, namely a generic e-authentication LoA derivation model (GEA-LoADM). The GEA-LoADM takes into account multiple authentication attributes along with their relationships, abstracts the composite effect by the multiple attributes into a generic value called the authentication LoA, and provides algorithms for the run-time derivation of LoA values. The algorithms are tailored to reflect the relationships among the attributes involved in an authentication instance. The model has a number of valuable properties, including flexibility and extensibility; it can be applied to different application contexts and supports easy addition of new attributes and removal of obsolete ones. The prototypes of the algorithms and the model have been developed. The performance and security properties of the LoA derivation algorithms and the model are analysed here and evaluated based on the prototypes. The performance costs of the GEA-LoADM are also investigated and compared against conventional authentication mechanisms, and the security of the model is tested against various attack scenarios. A case study has also been conducted using a live system, the Multi-Agency Information Sharing (MAIS) system.
Identifer | oai:union.ndltd.org:bl.uk/oai:ethos.bl.uk:525986 |
Date | January 2010 |
Creators | Yao, Li |
Contributors | Zhang, Ning |
Publisher | University of Manchester |
Source Sets | Ethos UK |
Detected Language | English |
Type | Electronic Thesis or Dissertation |
Source | https://www.research.manchester.ac.uk/portal/en/theses/a-structured-approach-to-electronic-authentication-assurance-level-derivation(c6a98938-f3e1-4727-9eac-c2cb0480a3df).html |
Page generated in 0.0018 seconds