Trust Building and Usage Control for Electronic Business Processes

Information technology (IT) supports companies to streamline their business processes. The main contributions of IT are the digitalization of data and efficient communication networks, which allow companies to automatize their business processes and thus increase their efficiency, i.e., their value creation. This effort started with the optimization of internal business processes within a company. Nowadays, it also includes external business processes, in which multiple enterprises and even customers are involved. However, using IT also causes undesirable side effects for companies. They are exposed to a wide range of vulnerabilities and threats. Digitalizing data, e.g., documents, spurs the access to that data and the exchange of it. However, a disadvantageous result of digitalizing data is the increased risk of unauthorized access to that data. Communication networks provide an excellent foundation for collaboration between companies. At the same time, the open and anonymous character of communication networks is a reason for distrust towards business partners offering their goods and services over such networks. As a result of these undesirable side effects, the outcome of a certain business process supported by IT may be suboptimal or companies may refrain from using IT. Against this background, this thesis focuses on securing electronic business processes with regard to two aspects, i.e., building trust in open networks and controlling the usage of digital objects. Trust is the prerequisite for all kinds of commercial transactions. Using reputation information is one possible way to build up trust among business partners. In this thesis, we propose two new reputation systems to establish trust for ad-hoc processes in open markets. The first reputation system facilitates trust building in the context of electronic negotiations which are performed with the help of a centralized system. The reputation system enables companies to find trustworthy business partners and provides decision support during a negotiation. The second reputation system supports trust building in decentralized Peer-to-Peer (P2P) networks. A main feature of this system is its robustness against coalition attacks, which is proven with the help of a simulation. Controlling the usage of digital objects demands two functionalities. First, we need methods for defining usage rules. Second, mechanisms for enforcing the defined usage rules are required. In this thesis, we address both aspects of usage control. Digital documents play a central role in business processes, since they are a means of integration and are handled among business partners. Some documents are sensitive and thus have to be protected from being accessed by unauthorized parties. For this purpose, we propose a flexible and expressive access control model for electronic documents. Our model captures the information about the operations performed on documents. This history information can be used to define access control rules. Customers are involved in the execution of special kinds of business processes, such as selling and consuming digital goods. In these cases, digital goods have to be protected from being used in an unauthorized way, e.g., being shared in public networks. Thus, the trustworthiness of customers' platforms has to be verified before transferring digital goods. For this, we propose a robust integrity reporting protocol which is necessary when a remote platform has to perform security relevant operations, e.g., to enforce a security policy which controls the usage of digital content. This integrity reporting protocol is a building block of a new Digital Rights Management system which is also presented in this thesis. This system provides a high protection level. At the same time, it allows users to transfer their purchased content to other devices or users.