The problem of establishing trust lies in the lack of authentication and authorisation infrastructures that support a high level of assurance, privacy, and cross-domain and jurisdictional collaborations.
Mature technologies exist for single enterprises to cover the complete suite of authentication, authorisation and access control. However, they cannot be straightforwardly applied to distributed systems for cross-organisational and jurisdictional collaborations. Moreover, it is difficult to integrate privacy-preserving authentication technologies into the systems of different entities within these distributed systems.
Notably our project is a synergy of deployment and development activities aiming at designing and deploying a large-scale distributed eAuthentication and eAuthorisation architecture, with emphasis on demonstrating the feasibility of our approach by deploying and testing two real-world pilots. With this we aim at bridging the gap between research and market adoption of project outcomes and technologies.
To address the technical problems described above and the requirements posed by the use cases, we build a joint eAuthentication and eAuthorisation infrastructure by incorporating a privacy-preserving cloud-based authentication service and techniques for unifying the attributes and authorisation policies of different security domains. Moreover, we develop and integrate technologies for assurance of claims, trust indicators, cryptographic policy enforcement and mechanisms to perform operations under encryption.
The figure above captures the structure of our approach to achieving our objectives and creating the proposed joint eAuthentication and eAuthorisation infrastructure. We start with the analysis of the identified use cases for cross-organisational collaborations that deal with sensitive data and critical infrastructures. From these use cases we derive the key requirements for our eAuthentication and eAuthorisation framework and a reference architecture. These activities will be carried out in WP1. Next, to design a collaborative system with distributed resources, we take the XACML authorisation framework as a starting point and extend it with mechanisms for policy and attribute mapping between different security domains, as well as with the policy translation needed to support distributed collaborative environments. The tasks related to the eAuthorisation framework will be carried out in WP3. This extended eAuthorisation framework will then be combined with the eAuthentication framework, where the required claims extracted from the policies are authenticated. To support user privacy, we bring in the ABC4Trust and Trust in Digital Life (TDL) eAuthentication frameworks and deploy digital user consent and Identity Mixer technologies to realise it. The eAuthentication platform will be implemented in WP2. Moreover, we extend this joint eAuthentication and eAuthorisation framework with novel advanced solutions for cryptographic policy enforcement, trust indicators, assurance of claims and mechanisms for processing data in encrypted form, to address the specific reliability, confidentiality and privacy requirements of distributed collaborations. This work will be done in WP4. The resulting infrastructure will be deployed in two pilots, one on bio-security incident management in Australia and another on collaborative services for eHealth and AAL in Europe, as part of WP5.
Using these pilots, we evaluate the security, usability, scalability and flexibility of our eAuthentication and eAuthorisation framework for distributed collaborations. The validation work will be carried out in WP6. These two pilots also allow us to analyse and unify the framework for joint Australian and European collaborations taking into account legal, procedural and business differences.