Quantified trust levels for authentication

Abstract

Service-oriented Architectures (SOAs) enable applications to seamlessly integrate services from collaborating business partners regardless of organizational borders. In order to secure access to these services, mechanisms for authentication and authorisation must be deployed that control the access based on identity-related information. To enable a business partner's users to access the provided services, an identity federation is often established that enables the brokering of identity information across organisational borders. The establishment of such a federation requires complex agreements and contracts that define common policies, obligations and procedures. Generally, this includes obligations on the authentication process as well. However, in an SOA, requirements for authentication and authorisation should depend on the services themselves and might be subject to frequent changes. Moreover, different partners in the federation might have different regulations on the authentication process that even exceed the requirements of a service provider. Therefore, the authentication method should not be stipulated in advance. For flexible service access, different authentication methods should be allowed that comply with the service's requirements. However, more flexibility in the authentication step results in a complicated access control step. For this reason, approaches exist to subsume different properties of the authentication process into a level of trust and grant access to a resource if the requirements of the expected trust level are met. Typical approaches define levels of trust by grouping requirements into categories of similar impact, by considering the economic loss or by using a combination of impact and likelihood. Moreover, ideas exist to describe the strength of the authentication by a numerical value and to subsume them into a quantified trust level.
However, the question of the semantics of such a "strength" level and its calculation is still open. Therefore, in this paper we present a formal definition of a trust level to quantify the trust that is established by using a particular authentication method. As a mathematical foundation, classical probability theory is used to describe the strength of an authentication method. © 2009 Vieweg+Teubner | GWV Fachverlage GmbH, Wiesbaden.

Cite

Thomas, I., Menzel, M., & Meinel, C. (2009). Quantified trust levels for authentication. In ISSE 2008 - Securing Electronic Business Processes: Highlights of the Information Security Solutions Europe 2008 Conference (pp. 30–38). https://doi.org/10.1007/978-3-8348-9283-6_3
