| Abstract: |
Information technology (IT) supports companies to streamline their business
processes. The main contributions of IT are the digitalization of data and
efficient communication networks, which allow companies to automatize their
business processes and thus increase their efficiency, i.e., their value
creation. This effort started with the optimization of internal business
processes within a company. Nowadays, it also includes external business
processes, in which multiple enterprises and even customers are involved.
However, using IT also causes undesirable side effects for companies. They are
exposed to a wide range of vulnerabilities and threats. Digitalizing data,
e.g., documents, spurs the access to that data and the exchange of it.
However, a disadvantageous result of digitalizing data is the increased risk
of unauthorized access to that data. Communication networks provide an
excellent foundation for collaboration between companies. At the same time,
the open and anonymous character of communication networks is a reason for
distrust towards business partners offering their goods and services over such
networks. As a result of these undesirable side effects, the outcome of a
certain business process supported by IT may be suboptimal or companies may
refrain from using IT. Against this background, this thesis focuses on
securing electronic business processes with regard to two aspects, i.e.,
building trust in open networks and controlling the usage of digital objects.
Trust is the prerequisite for all kinds of commercial transactions. Using
reputation information is one possible way to build up trust among business
partners. In this thesis, we propose two new reputation systems to establish
trust for ad-hoc processes in open markets. The first reputation system
facilitates trust building in the context of electronic negotiations which are
performed with the help of a centralized system. The reputation system enables
companies to find trustworthy business partners and provides decision support
during a negotiation. The second reputation system supports trust building in
decentralized Peer-to-Peer (P2P) networks. A main feature of this system is
its robustness against coalition attacks, which is proven with the help of a
simulation. Controlling the usage of digital objects demands two
functionalities. First, we need methods for defining usage rules. Second,
mechanisms for enforcing the defined usage rules are required. In this thesis,
we address both aspects of usage control. Digital documents play a central
role in business processes, since they are a means of integration and are
handled among business partners. Some documents are sensitive and thus have to
be protected from being accessed by unauthorized parties. For this purpose, we
propose a flexible and expressive access control model for electronic
documents. Our model captures the information about the operations performed
on documents. This history information can be used to define access control
rules. Customers are involved in the execution of special kinds of business
processes, such as selling and consuming digital goods. In these cases,
digital goods have to be protected from being used in an unauthorized way,
e.g., being shared in public networks. Thus, the trustworthiness of customers'
platforms has to be verified before transferring digital goods. For this, we
propose a robust integrity reporting protocol which is necessary when a remote
platform has to perform security relevant operations, e.g., to enforce a
security policy which controls the usage of digital content. This integrity
reporting protocol is a building block of a new Digital Rights Management
system which is also presented in this thesis. This system provides a high
protection level. At the same time, it allows users to transfer their
purchased content to other devices or users. |