Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, and International Conference on
Intelligent Agents, Web Technologies and Internet Commerce (CIMCA-IAWTIC05)
0-7695-2504-0/05 $20.00 2005 IEEE
in place Prospective Customer. He selects a product and places an order by transition Send Order. Customer waits for acknowledgement of product availability and credit check success by place Customer waiting for acknowledgement. Customer receives an acknowledgement by Receive Acknowledgement transition. Customer waits for the product by place Customer waiting for product. As Customer receives the product (Customer with the product), he signs the receipt and returns it to UPS by transition Sign Receipt. After receiving the product Customer waits for receipt with credit card charges (Customer waiting for receipt). After receiving the receipt (Receive Receipt) Customer's workflow ends in Customer's workflow ended.

Dell's workflow starts with a token in place Dell. After receiving the order (Receive Order) Dell becomes ready for checking the availability of product (Order waiting to be checked for availability) and credit check of the customer (Order waiting to be sent for credit verification). Dell checks the availability of product (Check Availability) and sends the credit details to Customer's Credit Bank (Send Card Details). Dell starts processing order (transition Start Processing) by having acknowledgement ready to be sent (Acknowledgement ready to be sent) and product ready to be built (Product ready to be built). Dell sends the acknowledgement to the customer (Send Acknowledgement) and builds the product (Build Product). As product is built, it is ready to be shipped (Product ready for shipping). Dell arranges shipping (Arrange Shipping) and paying the shipping fees to UPS. Dell then waits for the notification from the UPS (Dell waiting for notification), that the product is delivered to the customer. After receiving notification (Receive Notification), Dell charges the Customer (transition Charge Customer). As Dell receives the acknowledgement (Receive Acknowledgement) from UPS it sends the receipt with charges to the Customer (Send Receipt). Dell's workflow ends after sending the receipt to the Customer as shown by place Dell's workflow ended.

Customer's Credit Bank's workflow starts with a token in Customer's Credit Bank. It starts processing of Customer's Credit check request (Process Request) as soon as it gets Customer's information from Dell (Receive Customer's information). As it has the credit result ready (Credit result ready to be sent), UPS sends the credit result to Dell as shown by Send Details. Customer's Credit Bank then waits for transition request from Dell (Waiting for Transaction Request). Customer's Credit Bank then processes request (Process Request) and sends the acknowledgement to Dell (Send acknowledgement to Dell). Customer's Credit Bank's workflow ends with Customer's Credit Bank's Workflow ended.

UPS's workflow starts with token in place UPS. As soon as UPS receives the shipping order and payment from Dell (Receive Product and Payment), it becomes ready to deliver product to Customer (Product ready for delivery). UPS delivers product to the Customer (Deliver product) and waits for the signed receipt from the Customer (Waiting for Receipt). UPS sends successful delivery notification to Dell (Notify Dell) after receiving the signed receipt from Customer (Receive Receipt). UPS's workflow ends with UPS's Workflow Ended.

4. Specification of Security Features

Online Computer Shopping System consists of four workflows: Customer, Dell, Customer's Credit Bank and UPS. In order to determine soundness property of given workflow net, an extended net is used. The soundness [4] of this extended net is verified using Woflan tool. The IOWF is 1-consistent [3] with respect to the Message Sequence Chart as the message names used in Message Sequence Chart are the same as the names of communication links between the workflows and the order of execution of tasks in IOWF is the same as that in Message Sequence Chart.

4.1. Specifying Authentication

One of the key issues in e-business security is legitimate use. Legitimate use has two components: authentication and identification. Identification involves a process of a user positively identifying himself/herself to the host (server) that it wishes to conduct a transition with. The most common method for establishing identity is by means of username and password. The response to identification is authentication. Authentication is the process of verifying the identity of a user, process, or device, as a prerequisite to allowing access to resources in a system [1, 2]. The identity of a certain user or process is challenged by the system and proper steps must be taken to prove the claimed identity. Authentication needs to work both ways: for users to authenticate the server they are contacting, and for servers to identify their clients. Authentication requires the entity that presents its identity to confirm it either with something the client knows (e.g. password or PIN), something the client has (e.g. a Username). Authentication can be implemented in online shopping system by providing users of each workflow with username and passwords so that only authorized user(s) can access the workflow. It is assumed that each of the workflow in
IOWF has different users as a result each workflow has separate verification of username and password. Fig. 2 shows Petri net implementation to the IOWF. The soundness of this authorization is verified using Woflan [4]. In order to incorporate authorization, places Username & Password are added to the workflow of each participating organization. As the user of the workflow enters Username & Password, it is verified by checking the username and password in the database of each organization.

4.2. Specifying Non-Repudiation

Non-repudiation is a stronger variation of authentication that allows the sender's identity to be verified by a third party, and is used to prove that a message was not forged. This also means that the sender cannot deny he sent a particular message. Non-repudiation is the ability of an originator or recipient of a transaction to prove to a third party that their counterpart did in fact take the action. Thus the sender of a message should be able to prove to a third party that the intended recipient got the message and the recipient should be able to prove to a third party that the originator did actually send the message.

Non-repudiation can be implemented by enforcing each of the organization to send Receive acknowledgement. Digital signature can be used not only to ensure that a message or document has been electronically signed by the person but also, to ensure that a person cannot later deny that they furnished the signature. Incorporation of non repudiation in Online Shopping System is shown in Fig. 3. Soundness of the non-repudiation is verified using Woflan. As customer is ready to place an order, he attaches a digital signature with order as shown by transition Prepare Order with Digital Signature. As Dell receives order, it sends the acknowledgement to Customer (place Order Received Acknowledgement). Dell then adds digital signature to Customer's credit before sending it to Customer's Credit bank (transition Add Digital Signature). Customer's Credit Bank sends Receive Acknowledgement to Dell (place Customer Info. Received Ackno). It then adds digital signature to credit result after (transition Add Digital Signature). As Dell receives credit result it sends acknowledgement to Customer's Credit Bank (place Credit Result Received Ack). Dell then sends acknowledgement of product availability and credit check success with digital signature to Customer (transition Send Acknowledgement with digital sign). Customer sends Received Acknowledgement to Dell (place Receive Ack. from Customer). Dell adds digital signature before arranging the shipping (transition Add Digital Signature). UPS sends Receive Acknowledgement to Dell (place Product Received) and delivers product to Customer. Customer signs receipt and returns it back to UPS (transition Send Receipt). UPS then sends Delivery Notification to Dell with added digital signature (transition Notify Dell with Digital Signature). Dell sends notification Received Acknowledgement to UPS (place Notification Received Ack.) and charge details with digital signature to Customer's Credit Bank (transition Charge Customer & Add Signature). Customer's Credit Bank sends the acknowledgement to Dell (place Acknowledgement). Dell sends the received receipt to Customer's Credit Bank (place Ack.Received Receipt). At last customer sends Receive Acknowledgement to Dell (place Receipt Received Ack).

5. Conclusions

Inter-organizational workflows and selected features related to their security were studied. An incremental method of security features representation has been presented with Online Computer Shopping System. IOWF without security features has been specified using Petri-Nets. The security features are incrementally added. As a result we achieve new Petri net model that incorporates security features of interest such as: authentication, data integrity, and non-repudiation. This upgraded Petri net model can be subjected to incremental verification and validation techniques. Future work will aim at using colored Petri nets for representation of IOWFs. Moreover multilevel security can also be incorporated in IOWF.

6. References

[1] Atluri V., Security for Workflow Systems, Vol. 6, No. 2, 2001, Elsevier Science, pp. 59-68.

[2] B. Mikolajczak, S. Joshi. Modeling of Information Systems Security Features with Colored Petri nets. IEEE SMC 2004 Int. Conference, Oct. 2004, The Netherlands.

[3] van der Aalst W.M.P. Loosely Coupled Inter-organizational Workflows: Modeling and Analyzing Workflows Crossing Organizational Boundaries. Information and Management, 37(2):67-75, 2000.

[4] van der Aalst W.M.P., Verbeek H.M.W., Kumar A., XRL/Woflan: Verification of an XML/Petri-net based language for inter-organizational workflow, in: Proc. of the 6th Conference on Information Systems and Technology, CIST-2001, pp. 30-45.
Fig. 1 IOWF of the Online Computer Shopping System
Fig. 2 Online Computer Shopping System IOWF with Implemented Authorization
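The soundness property that Sections 4 and 4.1 verify with Woflan can be checked by exhaustive search on a small net. The following is an added example, not code from the paper: it models the Customer's workflow with an assumed login fragment around the Username & Password place and lists soundness violations. The names Verify OK, Verify Failed, Authenticated, Receive Product and Rejected are assumptions, and the brute-force reachability search stands in for Woflan's analysis rather than reproducing it.

```python
from collections import Counter

# transition -> (input places, output places). Place names follow the page;
# "Verify OK", "Verify Failed", "Authenticated", "Receive Product" and
# "Rejected" are assumed labels, not taken from the paper's figures.
CUSTOMER = {
    "Enter Username & Password": (["Prospective Customer"], ["Username & Password"]),
    "Verify OK": (["Username & Password"], ["Authenticated"]),
    "Verify Failed": (["Username & Password"], ["Prospective Customer"]),  # retry
    "Send Order": (["Authenticated"], ["Customer waiting for acknowledgement"]),
    "Receive Acknowledgement": (["Customer waiting for acknowledgement"],
                                ["Customer waiting for product"]),
    "Receive Product": (["Customer waiting for product"], ["Customer with the product"]),
    "Sign Receipt": (["Customer with the product"], ["Customer waiting for receipt"]),
    "Receive Receipt": (["Customer waiting for receipt"], ["Customer's workflow ended"]),
}
# Flawed variant: a failed login parks the token in a place with no way out.
BROKEN = {**CUSTOMER, "Verify Failed": (["Username & Password"], ["Rejected"])}

def fire(marking, pre, post):
    """Marking after firing a transition (arc weight 1), or None if not enabled."""
    m = Counter(dict(marking))
    if any(m[p] < 1 for p in pre):
        return None
    m.subtract(pre)
    m.update(post)
    return frozenset((p, n) for p, n in m.items() if n > 0)

def check_soundness(net, start, end):
    """Explore the reachability graph (bounded nets only); list soundness violations."""
    final, graph, todo = frozenset({(end, 1)}), {}, [frozenset({(start, 1)})]
    while todo:
        m = todo.pop()
        if m not in graph:
            graph[m] = [(t, n) for t, (pre, post) in net.items()
                        if (n := fire(m, pre, post)) is not None]
            todo.extend(n for _, n in graph[m])
    can_finish, grew = graph.keys() & {final}, True
    while grew:  # backward closure: markings from which the final marking is reachable
        new = {m for m, succ in graph.items() if any(n in can_finish for _, n in succ)}
        grew = not new <= can_finish
        can_finish |= new
    problems = [f"cannot complete from {sorted(dict(m))}" for m in graph if m not in can_finish]
    problems += [f"improper completion at {sorted(dict(m))}"
                 for m in graph if m != final and dict(m).get(end)]
    fired = {t for succ in graph.values() for t, _ in succ}
    problems += [f"dead transition {t}" for t in sorted(set(net) - fired)]
    return problems
```

Calling `check_soundness` on `CUSTOMER` with start place `Prospective Customer` and end place `Customer's workflow ended` returns an empty list; on `BROKEN` it reports the marking with a token stuck in `Rejected`.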
Fig. 3 Online Computer Shopping System IOWF with Implemented Non Repudiation