Safelayer Secure Communications

Semantic Web Trust Portal: an intelligent security and trust platform

Semantic Web Trust Portal is the first installment of the Safelayer Sandbox initiative. It is a platform that brings together all Safelayer's R&D work. More than just a Web portal, it is a truly semantic infrastructure that groups several elements around security and trust: authentication solutions, applications, Web services, data repositories, semantic knowledge bases, etc., all of which is orchestrated by an integration bus that manages the message flow between the elements.

The semantic trust platform implemented by Semantic Web Trust Portal validates an infrastructure in which the components make use of traditional security and trust functions (authentication, signature, certificate validation) and combines them with new semantic and context functionalities to facilitate and improve how users perceive the trustworthiness of services, applications and other users.

At the core of Semantic Web Trust Portal is an enterprise service bus (ESB), a software component for integrating applications. By creating and managing different data flows, it facilitates the provision and consumption of services in a way that is transparent for application architects, designers and developers. The SOA philosophy and the use of Web services help to make incorporating new applications via the ESB straightforward and flexible.


Aside from the ESB, the infrastructure comprises the following actors and components:

Users

Traditionally, managing security and trust services was entirely the responsibility of network administrators and applications. As making security decisions can be complicated for everyday users, it is vital that the security and trust information incorporated into applications is user-friendly, so that it can be easily browsed and interpreted.

In Semantic Web Trust Portal, security and access control is managed centrally, and there is only one entry point for users.

Relying Party Applications

Semantic Web Trust Portal exposes a set of Web services to relying party applications. These services give access to the data in the semantic knowledge base, mainly the information held on certification authorities, and the ESB enforces access control on every call to them.

Communication with relying party applications is two-way, as the Semantic Web Trust Portal services in turn consume external services such as social networks and ontology repositories.

Context Sensors and Agents

One of the innovative characteristics of Semantic Web Trust Portal is the incorporation and processing of context information to improve the trust services. This requires sensors and agents that collect the necessary data, so that users, aided by the applications, can make context-based trust decisions. The platform also issues context stamps, the counterpart of time-stamps: where a time-stamp attests when an operation took place, a context stamp records the context in which it took place.

The context may include information on time, location, the characteristics and status of the device, or the user profile. The processing of this context information respects user privacy, and the appropriate privacy protection mechanisms can even be activated according to the context.
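The page does not publish how the portal scores context, so the following is an added example in Python, not Safelayer's code, of the kind of context-based trust decision described above. A user's usual authentication pattern is learnt from past successful logins (hour of day, country, device), a new attempt is scored against it, and the score decides whether a password suffices, a second factor is required, or the attempt is refused. The attribute weights, thresholds, hour window and the login history are all assumptions constructed for the example; only coarse location is kept, in the spirit of the privacy note above.

```python
"""Added example (not Safelayer's code): a context-based trust decision.
Weights, thresholds and the sample history are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    hour: int            # local hour of day, 0-23, from the device/sensor clock
    country: str         # coarse location only; no fine-grained coordinates are stored
    device_id: str       # stable identifier of the device the user logs in from
    device_rooted: bool  # device status as reported by the agent on the device


# Assumed weights: location is the strongest signal, then time of day and device.
WEIGHTS = {"hour": 0.3, "country": 0.4, "device": 0.3}
STEP_UP = 0.3     # at or above this score: require a second factor (e.g. an OTP)
DENY = 0.7        # at or above this score: refuse the attempt outright
HOUR_WINDOW = 2   # hours either side of a usual login hour that still count as usual


def build_profile(history: list[LoginContext]) -> dict:
    """The user's usual authentication pattern, derived from past successful logins."""
    return {
        "n": len(history),
        "hours": Counter(c.hour for c in history),
        "countries": Counter(c.country for c in history),
        "devices": Counter(c.device_id for c in history),
    }


def _hour_share(hours: Counter, hour: int, n: int) -> float:
    """Fraction of past logins within HOUR_WINDOW of this hour, wrapping at midnight."""
    def circular_distance(a: int, b: int) -> int:
        d = abs(a - b) % 24
        return min(d, 24 - d)
    return sum(cnt for h, cnt in hours.items() if circular_distance(h, hour) <= HOUR_WINDOW) / n


def anomaly_score(profile: dict, ctx: LoginContext) -> float:
    """0.0 means exactly the usual pattern; 1.0 means nothing about the attempt is familiar."""
    n = profile["n"]
    if n == 0:
        return STEP_UP  # no baseline yet: insist on a second factor, but do not lock out
    score = (
        WEIGHTS["hour"] * (1 - _hour_share(profile["hours"], ctx.hour, n))
        + WEIGHTS["country"] * (1 - profile["countries"][ctx.country] / n)
        + WEIGHTS["device"] * (1 - profile["devices"][ctx.device_id] / n)
    )
    if ctx.device_rooted:
        score = max(score, STEP_UP)  # a compromised-looking device never gets password-only
    return score


def decide(profile: dict, ctx: LoginContext) -> str:
    """Map the score to the action the portal would take for this attempt."""
    s = anomaly_score(profile, ctx)
    if s >= DENY:
        return "deny"
    if s >= STEP_UP:
        return "step_up"
    return "password"


# Constructed history: ten office-hours logins from Spain on two known devices.
SAMPLE_HISTORY = [
    LoginContext(h, "ES", d, False)
    for h, d in [(9, "phone-a"), (10, "phone-a"), (9, "phone-a"), (11, "laptop-b"),
                 (10, "phone-a"), (9, "laptop-b"), (10, "phone-a"), (9, "phone-a"),
                 (11, "laptop-b"), (10, "phone-a")]
]

if __name__ == "__main__":
    profile = build_profile(SAMPLE_HISTORY)
    for attempt in (LoginContext(10, "ES", "phone-a", False),   # usual pattern
                    LoginContext(10, "ES", "new-phone", False), # unknown device
                    LoginContext(3, "BR", "phone-a", False),    # odd hour, other country
                    LoginContext(10, "ES", "phone-a", True)):   # rooted device
        print(attempt, "->", decide(profile, attempt))
```

The decision is deliberately a function of the whole history rather than a single previous login, so one unusual but legitimate trip does not permanently shift the baseline; in a real deployment the profile would be updated only from logins that completed successfully, including any step-up factor.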

Single Registration Service

Users need to register via the single registration portal to use Semantic Web Trust Portal applications and services.

Besides sparing users a separate registration for each application, this centralizes the identity management processes from user registration through to deregistration.

During registration a public/private key pair is generated automatically for the user, which enables the PKI-related functionality of the applications, i.e., the digital signing and encrypting of documents.

The generated keys can also be used as an authentication mechanism in Semantic Web Trust Portal. To do this, users install the keys, which can also be downloaded as a file in PKCS#12 format, a format widely supported by operating systems and browsers. The file is protected by the password chosen on registration, so the private key is only as well protected as that password and the device it is imported into.
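As an added illustration of what the registration step produces, and not Safelayer's own code, the following Python example models the flow with the `cryptography` library: a demo CA (standing in for the portal's CA; its name and validity periods are assumptions) certifies a freshly generated user key pair, the key and certificate are packed into a PKCS#12 file encrypted under the registration password, and the file is then imported again the way a browser or operating system would, including the failure on a wrong password and a check that the certificate really chains to the CA.

```python
"""Added example (not Safelayer's code): registration key pair, demo-CA signing
and password-protected PKCS#12 export/import. Requires the `cryptography` package.
CA/user names and validity periods are assumptions."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity(days: int):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now, now + datetime.timedelta(days=days)


def make_demo_ca():
    """Self-signed CA, standing in for the portal's demo CA (assumed name)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    start, end = _validity(365)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(end)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def register_user(username: str, ca_key, ca_cert):
    """Registration: generate the user's key pair and have the CA certify it."""
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start, end = _validity(365)
    user_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, username)]))
        .issuer_name(ca_cert.subject)
        .public_key(user_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(end)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        # The certificate is meant for client (TLS) authentication to the portal.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return user_key, user_cert


def export_pkcs12(user_key, user_cert, ca_cert, password: bytes) -> bytes:
    """The downloadable file: private key, certificate and CA chain, encrypted under the password."""
    return pkcs12.serialize_key_and_certificates(
        name=b"swtp-user", key=user_key, cert=user_cert, cas=[ca_cert],
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def import_pkcs12(blob: bytes, password: bytes):
    """What a browser/OS does on import; a wrong password raises ValueError."""
    return pkcs12.load_key_and_certificates(blob, password)


def issued_by(user_cert, ca_cert) -> bool:
    """True only if the user certificate's signature verifies under the CA's public key."""
    try:
        ca_cert.public_key().verify(
            user_cert.signature, user_cert.tbs_certificate_bytes,
            padding.PKCS1v15(), user_cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_demo_ca()
    key, cert = register_user("alice", ca_key, ca_cert)
    blob = export_pkcs12(key, cert, ca_cert, b"password-chosen-at-registration")
    _, imported_cert, chain = import_pkcs12(blob, b"password-chosen-at-registration")
    print("PKCS#12 bytes:", len(blob), "| chains to CA:", issued_by(imported_cert, chain[0]))
```

Two things the example makes visible that the prose does not: the PKCS#12 container carries the CA certificate alongside the user's, so an importing client can build the chain without a separate download, and the only thing standing between an attacker who copies the file and the private key is the password-based encryption, which is why the registration password matters more here than for an ordinary login.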

Authentication Mechanisms

Semantic Web Trust Portal can be accessed using several authentication mechanisms:

  • Password. The password is a very popular authentication mechanism, but one that is highly vulnerable to dictionary and brute-force attacks and lends itself to simple phishing and social-engineering techniques. It is therefore not recommended for critical environments unless combined with another authentication mechanism.
  • Context-Based Password. Traditional password authentication is complemented with context analysis and the user's usual authentication pattern to improve robustness.
  • Graphical Password. A password made up of a sequence of icons chosen from a grid, replacing the traditional alphanumeric password. It is intended to be easier to remember; its resistance to guessing depends on the size of the icon set and the length of the sequence, just as an alphanumeric password's depends on its alphabet and length.
  • gOTP. An iPhone application, unlocked with a graphical password, that generates one-time passwords.
  • QR-Scan OTP. Authentication is triggered by photographing the QR code shown on screen with an Android application. If the device has a data connection, authentication completes immediately; if not, the application generates a one-time password that the user types into Semantic Web Trust Portal.
  • Digital certificate. A digital certificate is a very reliable authentication mechanism provided it is securely stored and the issuing certification authority followed the appropriate procedures. Semantic Web Trust Portal accepts the digital certificate issued during registration by Safelayer's demo CA.
  • Information card. Managed information cards invoke the identity provider during authentication to issue the information the service provider needs; the user's card selector mediates between the two providers.

Because they rely on a mobile device holding symmetric and PKI-based cryptographic keys in addition to what the user knows, gOTP and QR-Scan OTP provide multi-factor authentication.
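The page does not specify the protocol behind gOTP or QR-Scan OTP, so what follows is an added Python example, not Safelayer's code, of a minimal challenge-response one-time password of the kind the offline QR-Scan path needs: the server embeds a fresh challenge in the QR payload, the phone app answers with an HMAC over that challenge under a key shared at enrolment, truncated to six digits the way HOTP does, and the server checks the code against the pending challenge for that user. The key size, challenge format, time window and the use of HMAC-SHA256 are assumptions; both sides of the exchange are shown so that replay, expiry and wrong-key cases can be exercised.

```python
"""Added example (not Safelayer's code): challenge-response OTP for an offline
QR-code login. Key length, payload format, TTL and hash are assumptions."""
import hashlib
import hmac
import json
import secrets

DIGITS = 6
CHALLENGE_TTL = 90.0  # seconds a displayed QR code stays valid (assumed value)


def otp_for(key: bytes, challenge: str) -> str:
    """Computed identically on both sides: HMAC-SHA256 over the challenge, then the
    dynamic truncation of RFC 4226 section 5.3 to DIGITS decimal digits."""
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class PortalServer:
    """Portal side: holds enrolled keys and the challenge currently shown to each user."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}              # username -> shared key
        self.pending: dict[str, tuple[str, float]] = {}  # username -> (challenge, issued_at)

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[user] = key
        return key  # provisioned into the phone app out of band, at enrolment

    def issue_challenge(self, user: str, now: float) -> str:
        """Called when the login page renders; the return value is the QR payload."""
        challenge = secrets.token_hex(16)
        self.pending[user] = (challenge, now)
        return json.dumps({"user": user, "challenge": challenge})

    def verify(self, user: str, code: str, now: float) -> bool:
        entry = self.pending.pop(user, None)  # single use: a replayed code fails
        if entry is None:
            return False
        challenge, issued_at = entry
        if now - issued_at > CHALLENGE_TTL:
            return False
        key = self.keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(otp_for(key, challenge), code)


class PhoneApp:
    """Device side: the enrolled key never leaves the phone; only the short code does."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def scan(self, qr_payload: str) -> str:
        """Offline path: the code the user will type into the portal."""
        return otp_for(self.key, json.loads(qr_payload)["challenge"])


if __name__ == "__main__":
    server = PortalServer()
    phone = PhoneApp(server.enroll("alice"))
    qr = server.issue_challenge("alice", now=1000.0)
    code = phone.scan(qr)
    print("code:", code, "| accepted:", server.verify("alice", code, now=1030.0),
          "| replay accepted:", server.verify("alice", code, now=1031.0))
```

The possession factor comes from the key held only by the enrolled phone; what the user types is a short proof derived from it, not the key itself. The code is bound to one challenge, so it cannot be replayed, and the server stores nothing that would let an attacker who reads the pending table forge a response without the key. When the phone does have a data connection, the same response can be posted by the app directly instead of being typed, which is the immediate path the list above describes.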

Trust services

The TrustedX platform, in combination with the Spring framework, is used for identification and access control, so every Semantic Web Trust Portal transaction is authenticated and authorized by TrustedX.

As well as access control, TrustedX also provides other PKI trust-services for the rest of the Semantic Web Trust Portal components, such as signature generation and verification, certificate management and validation, document encryption and decryption, time-stamp issuing, and the management of the private and public keys used in these operations.

One of our research objectives is for the trust services of TrustedX to complement other components that serve as sources of reputation information. The user profile then becomes a dynamic list of attributes, so that authorization depends not only on the authentication mechanism and the user profile but also on context and reputation information drawn from different sources.

Certification Authority

The digital certificates and keys issued to users in the registration process are generated by Semantic Web Trust Portal's own Certification Authority.

The certificate of this Certification Authority is available for download. As with any root certificate you install, confirm its fingerprint through a channel other than the download itself before trusting it.

Semantic Knowledge Base

Most of the information generated by our Semantic Web Trust Portal demo applications is stored in the semantic knowledge base, which is based on W3C's semantic standards. Structuring the information with ontologies allows inference processes to be run over the identity, context and PKI-related entity information, for example to derive new facts that feed the trust decision processes (primarily authentication, authorization and access control).

Communication with this knowledge base goes through a purpose-built Web-service interface that lets the rest of the Semantic Web Trust Portal modules perform queries, updates, inference requests, etc.

Application Databases

The demo applications have their own databases for storing status information. These are accessed via the ESB.

Demo applications

The most visible part of Semantic Web Trust Portal is the demo applications and services. Each of them highlights one of Safelayer's research lines: trust services for cloud computing, rating certification authorities, managing personal profiles via the FOAF specification, or generating information cards. The most innovative and interesting aspect, however, is that these applications, different as they may appear, share user and context knowledge to maximize functionality and, above all, to give users greater trust.

For example, Interidy IdP can generate an information card from a FOAF profile published in FOAF Manager, and PKI Webtop, in both its Web and Android versions, only works with certificates issued by certification authorities cataloged in PKI Trust Center. Interidy IdP, PKI Webtop, Graphical Password Manager and Password in Context Manager are used to configure some of the portal's authentication mechanisms.

Thanks to this common infrastructure, the demo applications share elements such as the registration service, the authentication services, the security components and the knowledge bases, which increases efficiency and adds value.

The Spanish Ministry for Industry, Tourism and Trade (Ministerio de Industria, Turismo y Comercio) co-funded this work as part of the SAT2 project, ref. TSI-020100-2008-365 and TSI-020100-2009-374 of the AVANZA I+D sub-program.


Semantic Web Trust Portal is the entry point to Safelayer Sandbox Experiments, which show and validate new tendencies in identity and trust management, as well as new information management models.

If you are not registered yet, you can create an account for all the applications with a single and simple registration process.

If you are already registered, select one of the available authentication mechanisms to log in.

Available applications:

  • Interidy IdP
  • FOAF Manager
  • PKI Trust Center
  • PKI Webtop