ERCIM News No.30 - July 1997

CWASAR - A European Infrastructure for Secure Electronic Commerce

by Winfried Kühnhauser

The goal of CWASAR (Cooperative Wide Area Service Architecture) is to design and implement a European-wide infrastructure for secure electronic commerce. The project was preceded by a professionally conducted market analysis in Germany, Spain and France of the basic user requirements for a system oriented towards cross-border use. From the results of this analysis, the main functional and architectural components of CWASAR were defined. The CWASAR approach is professionally applied within the eco infobase, the industrial offspring of the CWASAR infrastructure. This summary focuses on the security aspects designed to cater for the varying security requirements of end users and sketches the basic approach taken.

Communication technology today provides us with world-wide computer networks that link together a multitude of individual systems from industry, the public sector and academia, thus opening up many possibilities for efficient communication and cooperation.

The principal advantage of such networks is that world-wide information resources become very easily accessible. Ironically, this is also the network's biggest danger. Legal restrictions, ethical practices as well as commercial and private interests imply that much of the information on the network is sensitive in some way, and so access to this information must be controlled. This is particularly important for applications in fields such as law, medicine, and commerce. Protecting such systems against misuse is the domain of Information Security.

The social and commercial acceptance of such systems depends heavily on public confidence in their security. Encryption mechanisms that guard the integrity and authenticity of information while in transit are used today in some specialised applications, such as the electronic banking of Bank 24, a subsidiary company of Deutsche Bank.

However, the isolated use of security mechanisms in dedicated applications is far from sufficient for establishing a global trust in the security of a global communication infrastructure. To this end, concepts are needed which allow information security to be tailored to that which ordinary users, institutions or service providers individually require.

The CWASAR Approach

The approach to security in CWASAR centres around the notion of security policies: sets of rules that govern the use of sensitive information. Security policies in CWASAR are individual; each organisation, each application and each user may define its own policy. Security policies and application systems are distinct: a security policy is a separate, autonomous software unit that can be developed by applying proven methods and tools from software engineering, thus enhancing the efficiency and economy of the development process.

The Technology

Success in achieving a high level of security in a computer system depends on the degree of care put into designing and implementing its security policies. This covers the quality of the development process as well as the quality of the security architecture that integrates and enforces the policies. The approach in CWASAR is twofold: Firstly, methods and tools are developed to support the efficient and correct engineering of security policies. Secondly, mechanisms in security architectures are developed that support the integration and enforcement of such policies into a system platform.

Methods and Tools to support Policy Engineering

To meet the high quality requirements of security policies, their specification uses security models and formal specification techniques that provide the foundation for the analysis of security properties as well as for the verification of the generated code. This part is the domain of security engineering: the efficient development of policies such that the user may have trust in the conformity of requirements and implementation. This process is supported by tools for the exact identification of security requirements, for the exact definition of policy semantics, for the analysis of a specification, for the verification of policy implementations and for the certification of the results.

Efficiency of policy development is considered the key to a broad application of this technology. The approach is to minimise the development effort by providing software manufacturers with methods and tools for policy re-use. These include the composition of verified policy components and an algebra to define the semantics of policy combination.

The CWASAR Security Architecture

The implementation of security policies concerns both the paradigms for representing implemented security policies and the properties of the security architecture that allow the policies to be integrated and enforced.

The basis of our approach is the custodian concept. A custodian is a programmed module encapsulating the security policy of an application. Once programmed, a custodian is linked to an application; at run time it intercepts all communications between entities of the application and verifies whether each communication is legal with respect to the security policy.

The key point for the security architecture is the integration of the custodian model. To that end, the security architecture implements the traditional reference monitor principles (such as total mediation and policy tamperproofness) as well as custodian persistence and the binding of an application to its governing custodian.
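The following Python sketch is an added illustration of the custodian model and of policy composition as described above; it is not CWASAR code. The policy components (a need-to-know rule and a no-read-up rule), the entity names, the message fields and the conjunctive composition operator are all assumptions made for the example. The custodian is the only path by which messages reach a receiver, so every communication between application entities is mediated, and the enforced policy is assembled from separately specified components rather than written into the application.

```python
"""Illustrative custodian: a policy module bound to an application that
mediates every message between application entities.

Added example, not CWASAR code. The policy components, entity names and
the conjunctive composition operator are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Message:
    """A communication between two entities of the application."""
    sender: str
    receiver: str
    operation: str
    label: str  # sensitivity label of the data carried (assumed field)


# A policy component maps a message to a verdict: True = permitted.
Policy = Callable[[Message], bool]


def need_to_know(permitted: Dict[str, Set[str]]) -> Policy:
    """Component 1 (assumed): a receiver may only take part in operations
    it has been explicitly granted; unknown receivers get nothing."""
    return lambda m: m.operation in permitted.get(m.receiver, set())


def no_read_up(clearance: Dict[str, int], level: Dict[str, int]) -> Policy:
    """Component 2 (assumed): data may only flow to a receiver whose
    clearance dominates the data's sensitivity level. Unknown receivers
    or unknown labels are denied (fail closed)."""
    return lambda m: clearance.get(m.receiver, -1) >= level.get(m.label, 2**31)


def conjoin(*parts: Policy) -> Policy:
    """Composition operator (assumed semantics): the composed policy permits
    a message only if every component permits it."""
    return lambda m: all(part(m) for part in parts)


class Custodian:
    """Encapsulates the application's policy and keeps an audit trail of
    every decision. Tamperproofness and persistence of this state are the
    surrounding architecture's job; a plain Python object cannot enforce
    them on its own."""

    def __init__(self, policy: Policy) -> None:
        self._policy = policy
        self.audit: List[Tuple[Message, bool]] = []

    def mediate(self, m: Message) -> bool:
        verdict = self._policy(m)
        self.audit.append((m, verdict))
        return verdict


class Application:
    """An application bound to its governing custodian. send() is the only
    way a message reaches an inbox, so mediation is total."""

    def __init__(self, custodian: Custodian) -> None:
        self._custodian = custodian
        self.inbox: Dict[str, List[Message]] = defaultdict(list)

    def send(self, sender: str, receiver: str, operation: str, label: str) -> bool:
        m = Message(sender, receiver, operation, label)
        if not self._custodian.mediate(m):
            return False  # blocked: the message is never delivered
        self.inbox[receiver].append(m)
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: an order-processing application with two roles."""
    permitted = {"clerk": {"read_order"}, "manager": {"read_order", "approve_order"}}
    clearance = {"clerk": 1, "manager": 2}
    level = {"internal": 1, "confidential": 2}
    custodian = Custodian(conjoin(need_to_know(permitted), no_read_up(clearance, level)))
    app = Application(custodian)
    return {
        "clerk reads internal order": app.send("manager", "clerk", "read_order", "internal"),
        "clerk reads confidential order": app.send("manager", "clerk", "read_order", "confidential"),
        "clerk approves order": app.send("manager", "clerk", "approve_order", "internal"),
        "manager approves confidential order": app.send("clerk", "manager", "approve_order", "confidential"),
        "message to unknown entity": app.send("clerk", "auditor", "read_order", "internal"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {case}")
```

Two points of the design are worth noting. Because each rule is an independent function and the composition operator has a fixed, simple meaning (conjunction), a component that has been analysed on its own keeps its meaning when reused in a larger policy, which is what makes re-use of verified components possible. And because only the custodian is allowed to deliver, the application carries no policy logic itself; swapping the policy is a matter of binding a different custodian, not of changing application code.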

Conclusions and Perspective

The security technology presented in this summary has been validated within the GMD Institute for System Design Technology for several years now. A security architecture capable of integrating application-specific security policies was implemented for the OSF Distributed Computing Environment and was also designed for the CWASAR electronic commerce scenario. The concepts are now on the verge of being professionally applied within the eco infobase, the industrial counterpart of the CWASAR infrastructure.

Methods and tools for the efficient development of security policies are currently a major research topic of the information security group at GMD. A policy specification language exists that today works for a certain class of policies. Future work will focus on two goals: to further advance the efficiency of policy development by re-using existing and verified policy components, and to support the proof and certification of a policy's security properties.

The validation work has provided us with a small set of ready-to-use security policies that can be viewed as the foundation of our ultimate goal: a rich set of ready-to-use, off-the-shelf security policies that can be taken as they are or be composed into new policies that exactly match a user's needs. While we are currently exploiting our ideas within the CWASAR scenario, the approach taken, securing systems by integrating application-specific security policies, is sufficiently general to be applicable in many areas where security is a major concern. More info on the CWASAR project at: CWASAR.html

Please contact:
Winfried Kühnhauser - GMD
Tel: +49 2241 14 2480
