The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.05 - Sept.-Oct. (2012 vol.9)
pp: 756-769
Hoon Wei Lim , Nanyang Technological University, Singapore
Florian Kerschbaum , SAP Research, Karlsruhe
Huaxiong Wang , Nanyang Technological University, Singapore
ABSTRACT
Interorganizational workflow systems play a fundamental role in business partnerships. We introduce and investigate the concept of workflow signatures. Not only can these signatures be used to ensure authenticity and protect integrity of workflow data, but also to prove the sequence and logical relationships, such as AND-join and AND-split, of a workflow. Hence, workflow signatures can be electronic evidence useful for auditing, that is proving compliance of business processes against some regulatory requirements. Furthermore, signing keys can be used to grant permissions to perform tasks. Since the signing keys are issued on-the-fly, authorization to execute a task within a workflow can be controlled and granted dynamically at runtime. In this paper, we propose a concrete workflow signature scheme, which is based on hierarchical identity-based cryptography, to meet security properties required by interorganizational workflows.
INDEX TERMS
Business, Engines, Public key, Digital signatures, Electronic mail, security compliance., Digital signatures, applied cryptography, business processes
CITATION
Hoon Wei Lim, Florian Kerschbaum, Huaxiong Wang, "Workflow Signatures for Business Process Compliance", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 5, pp. 756-769, Sept.-Oct. 2012, doi:10.1109/TDSC.2012.38
REFERENCES
[1] M. Huhns and M. Singh, "Service-Oriented Computing: Key Concepts and Principles," IEEE Internet Computing, vol. 9, no. 1, pp. 75-81, Jan./Feb. 2005.
[2] R. Buyya, C. Yeo, S. Venugopal, J. Broberg, and I. Brandic, "Cloud Computing and Emerging IT Platforms: Vision, Hype, and Reality for Delivering Computing as the Fifth Utility," Future Generation Computer Systems, vol. 25, no. 6, pp. 599-616, June 2009.
[3] M. Armbrust, A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "A View of Cloud Computing," Comm. ACM, vol. 53, no. 4, pp. 50-58, Apr. 2010.
[4] S. Eckartz, M. Daneva, R. Wieringa, and J.V. Hillegersberg, "Cross-Organizational ERP Management: How to Create a Successful Business Case?," Proc. ACM Symp. Applied Computing, S. Shin, and S. Ossowski, eds., pp. 1599-1604, Mar. 2009.
[5] J. Liu, S. Zhang, and J. Hu, "A Case Study of an Inter-Enterprise Workflow-Supported Supply Chain Management System," Information & Management, vol. 42, no. 3, pp. 441-454, Mar. 2005.
[6] P. Grefen, K. Aberer, H. Ludwig, and Y. Hoffner, "CrossFlow: Cross-Organizational Workflow Management for Service Outsourcing in Dynamic Virtual Enterprises," IEEE Data Eng. Bull., vol. 24, no. 1, pp. 52-57, Mar. 2001.
[7] G. Alonso, C. Mohan, R. Gunthor, D. Agrawal, A.E. Abbadi, and M. Kamath, "Exotica/FMQM: A Persistent Message-Based Architecture for Distributed Workflow Management," Proc. IFIP WG8.1 Working Conf. Information Systems for Decentralized Organizations, Aug. 1995.
[8] V. Atluri, S. Chun, and P. Mazzoleni, "Chinese Wall Security for Decentralized Workflow Management Systems," J. Computer Security, vol. 12, no. 6, pp. 799-840, Dec. 2004.
[9] P. Muth, D. Wodtke, J. Weissenfels, A. Dittrich, and G. Weikum, "From Centralized Workflow Specification to Distributed Workflow Execution," J. Intelligent Information Systems, vol. 10, no. 2, pp. 159-184, Mar. 1998.
[10] S. Paul, E. Park, and J. Chaar, "RainMan: A Workflow System for the Internet," Proc. USENIX Symp. Internet Technologies and Systems, p. 15, Dec. 1997.
[11] G. Ahn, R. Sandhu, M. Kang, and J. Park, "Injecting RBAC to Secure a Web-Based Workflow System," Proc. Fifth ACM Workshop Role-Based Access Control (RBAC '00), pp. 1-10, July 2000.
[12] W. Huang and V. Atluri, "SecureFlow: A Secure Web-Enabled Workflow Management System," Proc. Fifth ACM Workshop Role-Based Access Control (RBAC '99). pp. 83-94, Oct. 1999.
[13] J. Miller, M. Fan, S. Wu, I. Arpinar, A. Sheth, and K. Kochut, "Security for the METEOR Workflow Management System," Technical Report UGA-CS-LSDIS-TR-99-010, Univ. of Georgia, June 1999.
[14] F. Montagut and R. Molva, "Traceability and Integrity of Execution in Distributed Workflow Management Systems," Proc. 12th European Symp. Research in Computer Security (ESORICS '07), J. Biskup and J. Lopez, eds., pp. 251-266, 2007.
[15] "Workflow Management Coalition, Workflow Security Considerations," White Paper WFMC-TC-1019, The Workflow Management Coalition Specification, Feb. 1998.
[16] D. Boneh, X. Boyen, and E. Goh, "Hierarchical Identity Based Encryption with Constant Size Ciphertext," EUROCRYPT: Proc. Advances in Cryptology, R. Cramer, ed., pp. 440-456, May 2005.
[17] C. Gentry and A. Silverberg, "Hierarchical ID-Based Cryptography," ASIACRYPT: Proc. Advances in Cryptology, Y. Zheng, ed., pp. 548-566, Dec. 2002.
[18] H.W. Lim and K. Paterson, "Multi-Key Hierarchical Identity-Based Signatures," Proc. 11th IMA Int'l Conf. Cryptography and Coding (IMA '07), S. Galbraith, ed., pp. 384-402, Dec. 2007.
[19] R. Thomas and R. Sandhu, "Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Authorization Management," Proc. 11th IFIP Int'l Conf. Database Security, pp. 166-181, Aug. 1997.
[20] M. Weske, Business Process Management: Concepts, Languages, Architectures. Springer-Verlag, 2007.
[21] V. Atluri, "Security for Workflow Systems," Information Security technical report, vol. 6, no. 2, pp. 59-68, 2001.
[22] A. Shamir, "Identity-Based Cryptosystems and Signature Schemes," CRYPTO: Proc. Advances in Cryptology, G. Blakley and D. Chaum, eds., pp. 47-53, Aug. 1985.
[23] D. Boneh and M. Franklin, "Identity-Based Encryption from the Weil Pairing," CRYPTO: Proc. Advances in Cryptology, J. Kilian, ed., pp. 213-229, Aug. 2001.
[24] J.C. Cha and J.H. Cheon, "An Identity-Based Signature from Gap Diffie-Hellman Groups," Proc. Sixth Int'l Workshop Theory and Practice in Public Key Cryptography (PKC '03), Y.G. Desmedt, ed., pp. 18-30, Aug. 2001.
[25] F. Hess, "Efficient Identity Based Signature Schemes Based on Pairings," Proc. Ninth Int'l Workshop Selected Areas in Cryptography (SAC '02), K. Nyberg and H. Heys, eds., pp. 310-324, Aug. 2003.
[26] S. Goldwasser, S. Micali, and R. Rivest, "A Digital Signature Scheme Secure against Adaptive Chosen-Message Attacks," SIAM J. Computing, vol. 17, no. 2, pp. 281-308, Apr. 1988.
[27] G. Neven, "Efficient Sequential Aggregate Signed Data," EUROCRYPT: Proc. Advances in Cryptology, N. Smart, ed., pp. 52-69, Apr. 2008.
[28] S. Galbraith, K. Paterson, and N. Smart, "Pairings for Cryptographers," Discrete Applied Math., vol. 156, no. 16, pp. 3113-3121, Sept. 2008.
[29] MIRACL, Shamus Software Ltd., http:/www.shamus.ie/, 2012.
[30] The Pairing-Based Cryptography (PBC) Library, Stanford Univ., http://crypto.stanford.edupbc/, 2012.
[31] S. Galbraith, "Supersingular Curves in Cryptography," ASIACRYPT: Proc. Advances in Cryptology, C. Boyd, ed., pp. 495-513, Dec. 2001.
[32] X. Boyen and B. Waters, "Compact Group Signatures Without Random Oracles," EUROCRYPT: Proc. Advances in Cryptology, S. Vaudenay, ed., pp. 427-444, May 2006.
[33] V. Miller, "The Weil Pairing, and Its Efficient Calculation," J. Cryptology, vol. 17, no. 4, pp. 235-261, Sept. 2004.
[34] H.W. Lim, "On the Application of Identity-Based Cryptography in Grid Security," PhD thesis, Univ. of London, 2006.
[35] R. Granger and N. Smart, On Computing Products of Pairings, Cryptology ePrint Archive, Report 2006/172, available at http://eprint.iacr.org/2006172, May 2006.
[36] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," The Internet Eng. Task Force (IETF), vol. RFC 3280, Apr. 2002.
[37] J. Biskup, B. Carminati, E. Ferrari, F. Müller, and S. Wortmann, "Towards Secure Execution Orders for Composite Web Services," Proc. IEEE Int'l Conf. Web Serices (ICWS '07), pp. 489-496, July 2007.
[38] C. Rudolph, N. Kuntze, and Z. Velikova, "Secure Web Service Workflow Execution," Electronic Notes in Theoretical Computer Science, vol. 236, pp. 33-46, Apr. 2009.
[39] Z. Velikova, J. Schütte, and N. Kuntze, "Towards Security in Decentralized Workflows," Proc. Int'l Conf. Ultra Modern Telecomm. & Workshops (ICUMT '09), pp. 1-6, Oct. 2009.
[40] F. Kerschbaum and P. Robinson, "Security Architecture for Virtual Organizations of Business Web Services" J. Systems Architecture, vol. 55, no. 4, pp. 224-232, Apr. 2009.
[41] D. Jordan and J. Evdemon, "Web Services Business Process Execution Language Version 2.0" OASIS Standard, http://docs.oasis-open.org/wsbpel/2.0/OS wsbpel-v2.0-OS.html, Apr. 2007.
[42] A. Liu, S. Müller, and K. Xu, "A Static Compliance-Checking Framework for Business Process Models," IBM Systems J., vol. 46, no. 2, pp. 335-361, Nov. 2007.
[43] S. Sadiq, G. Governatori, and K. Namiri, "Modeling Control Objectives for Business Process Compliance," Proc. Fifth Int'l Conf. Business Process Management (BPM '07), G. Alonso, P. Dadam, and M. Rosemann, eds., pp. 149-164, Sept. 2007.
[44] Pub. L. No. 107-204, 116 Stat. 745, enacted 2002-07-30, The Sarbanes-Oxley Act of 2002.
[45] Basel II Accord, Basel Committee on Banking Supervision (BCBS), http:/www.bis.org/, Apr. 2008.
[46] The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework, http:/www.coso.org/, 2012.
[47] The Control Objectives for Information and related Technology (CobiT), http:/www.isaca.org/, 2012.
[48] ISO 17799, the Code of Practice for Information Security Management, http:/iso-17799.safemode.org/, 2012.
[49] V. Atluri and W. Huang, "An Authorization Model for Workflows," Proc. Fourth European Symp. Research in Computer Security (ESORICS '96), E. Bertino, H. Kurth, G. Martella, and E. Montolivo, eds., pp. 44-64, 1996.
[50] E. Bertino, E. Ferrari, and V. Atluri, "The Specification and Enforcement of Authorization Constraints in Workflow Management Systems," ACM Trans. Computer Systems, vol. 2, no. 1, pp. 65-104, Feb. 1999.
[51] M. Kang, J. Park, and J. Froscher, "Access Control Mechanisms for Inter-Organizational Workflow," Proc. Sixth ACM Symp. Access Control Models and Technologies (SACMAT '01), pp. 66-74, May 2001.
[52] P. Syverson, D. Goldschlag, and M. Reed, "Anonymous Connections and Onion Routing," Proc. IEEE Symp. Security and Privacy, pp. 44-54, May 1997.
[53] D. Chaum and E.V. Heyst, "Group Signatures," EUROCRYPT '91: Proc. Advances in Cryptology, D. Davies, ed., pp. 257-265, 1991.
[54] W. Bagga and R. Molva, "Policy-Based Cryptography and Applications," Proc. Ninth Int'l Conf. Financial Cryptography and Data Security (FC '05), A. Patrick and M. Yung, eds., pp. 72-87, Feb. 2005.
[55] Y. Wu, "Efficient Authentication of Electronic Document Workflow," Proc. First SKLOIS Conf. Information Security and Cryptology (CISC '05), D. Feng, D. Lin, and M. Yung, eds., pp. 101-112, Dec. 2005.
[56] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps," EUROCRYPT: Proc. Advances in Cryptology, E. Biham, ed., pp. 416-432, May 2003.
37 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool