No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Access Control Challenges in Enterprise Ecosystems: Blockchain-Based Technologies as an Opportunity for Enhanced Access Control
Abstract
There is an increasing gap between the needs of modern, complex, and distributed environments in regards to control of access to data and the level to which classical access control solutions can fulfill those needs. The purpose of this chapter is to highlight the current state of art of existing research over access control in increasingly decentralized environments and to argue how the subject of access control is more relevant than ever before, with increasing research opportunities emerging. In this chapter, the authors analyze the current state of the art of access control mechanisms and systems over decentralized applications with a focus on enterprise ecosystems, analyze the current challenges and opportunities that the new technological landscape offers, specifically over the application of blockchain-based technologies in access control, and propose new research directions for the future.
... Blockchain is a suitable technology to support SSI, as it is decentralized and supports peer-to-peer interaction [143]. Furthermore, it can be used to obtain a reliable infrastructure for decentralized access control, mitigating some of its traditional problems, such as the lack of adaptability to dynamic environments [150]. Although the use of a replicated immutable appendable log could raise concerns regarding the GDPR, SSI allows technical privacy protection, achieving GDPR compliance [143]. ...
... This process allows the system to establish a history of access to resources. Moreover, centralized access control systems face several challenges and risks [150,157]: cumbersome policy management, lack of flexibility of setup and configuration, ineffective policy enforcement, risk of privacy leakage, and availability (single point of failure). These translate into issues of authentication, authorization, and accountability (AAA). ...
Blockchain is becoming ubiquitous in today's society. Just in the second quarter of 2021, centralized and decentralized exchanges moved a volume of over $600 billion in cryptocurrencies. Enterprises are adopting this technology, including cryptocurrencies, following the opportunity to expand to new businesses. However, they need to connect their existing systems to blockchains securely and reliably. Blockchain interoperability (BI) is emerging as one of the crucial features of blockchain technology, fueled by the need to eliminate data and value silos. Given this new domain's novelty and potential, we conduct a literature review on BI by collecting 404 documents. From those 404 documents, we systematically analyzed and discussed 102 documents, including peer-reviewed papers and grey literature. Our review identified four main open problems in the BI research area: 1) lack of systematic solution categorization, 2) lack of evaluation frameworks for BI, 3) gap between theory and practice, and 4) lack of supporting tools for BI. These problems make it challenging for academics and the industry to achieve interoperability among blockchains and centralized systems seamlessly. Based on the identified problems, the main goal of this thesis is to provide a detailed and extensive approach to blockchain interoperability theory, including classification of solutions, creation of conceptual models, and the design and implementation of blockchain interoperability solutions, supporting tools, and use cases. In this document, we present the work done so far to address this goal. We propose HERMES, a fault-tolerant middleware that connects blockchain networks and is based on the Open Digital Asset Protocol (ODAP). HERMES is crash fault-tolerant by allying a new protocol, ODAP-2PC, with a log storage API that can leverage blockchain to secure logs, providing transparency, auditability, availability, and non-repudiation. After that, we propose SSIBAC, self-sovereign identity access control, to address identity portability. Finally, we present the work plan for the rest of this doctoral thesis.
... These publications focus on communicating most of what we outline and describe in this thesis, from problem identification and motivation to artifact evaluation. The chapter described access control challenges in enterprise ecosystems and possible solutions through blockchain-based technologies [144], whose main content was derived from the extensive analysis of the state-of-art presented in this thesis (Chapter 2), description and motivation of the problem. Apart from this chapter, components of the research presented in this thesis have been submitted as conference research papers for (i) The 34th ACM/SIGAPP Symposium On Applied Computing (ACMSAC '19). ...
Protecting sensitive or private information is of the utmost importance. Information breaches, and sharing of sensitive information can have serious legal, reputation and financial impacts for individuals and organizations. At the same time, our technological landscape is getting more and more complex and distributed, being increasingly hard to protect information. A particular demonstration of this situation can be found in institutions providing certificates of accomplishment, such as Universities, who have been increasing efforts to shut down fake certificate generators online, while working in an environment where validation of credentials is essential, yet, done sporadically and requiring interactions between several parties. This situation exposes a gap between the needs of modern, complex distributed environments, in regards to control of access to information, and the level to which classic access control solutions can fulfill those needs. This thesis explores permissioned blockchains as technological vehicles for decentralizing access control, applied to this specific use case. This thesis proposes Blocked, a system that allows decentralized access control, through a permissioned blockchain, for issuing, sharing and managing educational certificates. An evaluation of this system demonstrates that it can be considered a suitable access control system, with improvements over the existing decentralized solutions for the same problem.
Access Control systems are used in computer security to regulate the access to critical or valuable resources. The rights of subjects to access such resources are typically expressed through access control policies, which are evaluated at access request time against the current access context. This paper proposes a new approach based on blockchain technology to publish the policies expressing the right to access a resource and to allow the distributed transfer of such right among users. In our proposed protocol the policies and the rights exchanges are publicly visible on the blockchain, consequently any user can know at any time the policy paired with a resource and the subjects who currently have the rights to access the resource. This solution allows distributed auditability, preventing a party from fraudulently denying the rights granted by an enforceable policy. We also show a possible working implementation based on XACML policies, deployed on the Bitcoin blockchain.
Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove two of its fundamental properties which we call common prefix and chain quality in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the “hashing power” of the adversary relative to network synchronicity; we show our results to be tight under high synchronization.
Next, we propose and analyze applications that can be built “on top” of the backbone protocol, specifically focusing on Byzantine agreement (BA) and on the notion of a public transaction ledger. Regarding BA, we observe that Nakamoto’s suggestion falls short of solving it, and present a simple alternative which works assuming that the adversary’s hashing power is bounded by \(1/3\). The public transaction ledger captures the essence of Bitcoin’s operation as a cryptocurrency, in the sense that it guarantees the liveness and persistence of committed transactions. Based on this notion we describe and analyze the Bitcoin system as well as a more elaborate BA protocol, proving them secure assuming high network synchronicity and that the adversary’s hashing power is strictly less than \(1/2\), while the adversarial bound needed for security decreases as the network desynchronizes.
In this paper, an extensive state of the art review of different access control solutions in IoT within the Objectives, Models, Architecture and Mechanisms (OM-AM) way is provided. An analysis of the security and privacy requirements for the most dominant IoT application domains, including Personal and home, Government and utilities, and Enterprise and industry, is conducted. The pros and cons of traditional, as well as recent access control models and protocols from an IoT perspective are highlighted. Furthermore, a qualitative and a quantitative evaluation of the most relevant IoT related-projects that represent the majority of research and commercial solutions proposed in the field of access control conducted over the recent years (2011- 2016) is achieved. Finally, potential challenges and future research directions are defined.
Cryptocurrencies, based on and led by Bitcoin, have shown promise as infrastructure for pseudonymous online payments, cheap remittance, trustless digital asset exchange, and smart contracts. However, Bitcoin-derived blockchain protocols have inherent scalability limits that trade-off between throughput and latency and withhold the realization of this potential.
This paper presents Bitcoin-NG, a new blockchain protocol designed to scale. Based on Bitcoin's blockchain protocol, Bitcoin-NG is Byzantine fault tolerant, is robust to extreme churn, and shares the same trust model obviating qualitative changes to the ecosystem.
In addition to Bitcoin-NG, we introduce several novel metrics of interest in quantifying the security and efficiency of Bitcoin-like blockchain protocols. We implement Bitcoin-NG and perform large-scale experiments at 15% the size of the operational Bitcoin system, using unchanged clients of both protocols. These experiments demonstrate that Bitcoin-NG scales optimally, with bandwidth
limited only by the capacity of the individual nodes and latency limited only by the propagation time of the network.
Context-aware access control systems should reactively adapt access control decisions to dynamic environmental conditions. In this paper we present ERBAC - an event-driven extension of the TRBAC model that allows the specification and enforcement of general reactive policies - and its implementation. While almost all the individual features of ERBAC occur separately in some previous model, the detailed design of the policy language, its implementation in XACML, and its testing contribute to the development of expressive, event-driven policy frameworks by demonstrating that this rich model can be satisfactorily implemented, and that its expressivity and performance are compatible with a variety of realistic application scenarios. In particular, a number of examples illustrate ERBAC's expressive power, and its ability of handling exceptional situations in a flexible way, while keeping policies compact and manageable. The prototype extends XACML's language and the implementation of the PDP to support the new model. Systematic scalability experiments show that the computational cost of policy rule evaluation in ERBAC is compatible with real-world applications.
We propose a new decentralized access control scheme for secure data storage in clouds that supports anonymous authentication. In the proposed scheme, the cloud verifies the authenticity of the series without knowing the user's identity before storing data. Our scheme also has the added feature of access control in which only valid users are able to decrypt the stored information. The scheme prevents replay attacks and supports creation, modification, and reading data stored in the cloud. We also address user revocation. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. The communication, computation, and storage overheads are comparable to centralized approaches.
An integrity policy defines formal access constraints which, if effectively enforced, protect data from improper modification. The author identifies the integrity problems posed by a secure military computer utility. Integrity policies addressing these problems are developed and their effectiveness evaluated. A prototype secure computer utility, Multics, is then used as a testbed for the application of the developed access controls.
Andrew is a distributed computing environment that is a synthesis of the personal computing and timesharing paradigms. When mature, it is expected to encompass over 5,000 workstations spanning the Carnegie Mellon University campus. This paper examines the security issues that arise in such an environment and describes the mechanisms that have been developed to address them. These mechanisms include the logical and physical separation of servers and clients, support for secure communication at the remote procedure call level, a distributed authentication service, a file-protection scheme that combines access lists with UNIX mode bits, and the use of encryption as a basic building block. The paper also discusses the assumptions underlying security in Andrew and analyzes the vulnerability of the system. Usage experience reveals that resource control, particularly of workstation CPU cycles, is more important than originally anticipated and that the mechanisms available to address this issue are rudimentary.
The Internet enables global sharing of data across organizational boundaries. Traditional access control mechanisms are intended for one or a small number of machines under common administrative control, and rely on maintaining a centralized database of user identities. They fail to scale to a large user base distributed across multiple organizations. This survey provides a taxonomy of decentralized access control mechanisms intended for large scale, in both administrative domains and users. We identify essential properties of such access control mechanisms. We analyze popular networked file systems in the context of our taxonomy.
A model of protection mechanisms in computing systems is presented and its appropriateness is argued. The “safety” problem for protection systems under this model is to determine in a given situation whether a subject can acquire a particular right to an object. In restricted cases, it can be shown that this problem is decidable, i.e. there is an algorithm to determine whether a system in a particular configuration is safe. In general, and under surprisingly weak assumptions, it cannot be decided if a situation is safe. Various implications of this fact are discussed.
In this work we ask the question: what are the challenges of managing a physical or file system access-control pol- icy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identi- fied three sets of real-world requirements that are either ig- nored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don't always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.
We investigate a security framework for collaborative appli- cations that relies on the role-based access control (RBAC) model. In our framework, roles are pre-defined and organized in a hierarchy (par- tial order). However, we assume that users are not previously identified, therefore the actions that they can perform are dynamically determined based on their own attribute values and on the attribute values associ- ated with the resources. Those values can vary over time (e.g., the user's location or whether the resource is open for visiting) thus enabling or disabling a user's ability to perform an action on a particular resource. In our framework, constraint values form partial orders and determine the association of actions with the resources and of users with roles. We have implemented our framework by exploring the capabilities of se- mantic web technologies, and in particular of OWL 1.1, to model both our framework and the domain of interest and to perform several types of reasoning. In addition, we have implemented a user interface whose purpose is twofold: (1) to offer a visual explanation of the underlying reasoning by displaying roles and their associations with users (e.g., as the user's locations vary); and (2) to enable monitoring of users that are involved in a collaborative application. Our interface uses the Google Maps API and is particularly suited to collaborative applications where the users' geospatial locations are of interest.
Conventional access control models like role based access control are suitable for regulating access to resources by known users. However, these models have often found to be inadequate for open and decentralized multi-centric sys- tems where the user population is dynamic and the identity of all users are not known in advance. For such systems, cre- dential based access control has been proposed. Credential based systems achieve access control by implementing a bi- nary notion of trust. If a user is trusted by virtue of success- ful evaluation of its credentials it is allowed access, otherwise not. However, such credential based models have also been found to be lacking because of certain inherent drawbacks with the notion of credentials. In this work, we propose a trust based access control model called TrustBAC. It ex- tends the conventional role based access control model with the notion of trust levels. Users are assigned to trust levels instead of roles based on a number of factors like user creden- tials, user behavior history, user recommendation etc. Trust levels are assigned to roles which are assigned to permissions as in role based access control. The TrustBAC model thus incorporates the advantages of both the role based access control model and credential based access control models.
The modern enterprise spans several functional units or administrative domains with diverse authorization requirements. Access control policies in an enterprise environment typically express these requirements as authorization constraints. While desirable for access control, constraints can lead to conflicts in the overall policy in a multidomain environment. The administration problem for enterprise-wide access control, therefore, not only includes authorization management for users and resources within a single domain but also conflict resolution among heterogeneous access control policies of multiple domains to allow secure interoperation within the enterprise. This work presents design and implementation of X-GTRBAC Admin, an administration model that aims at enabling administration of role-based access control (RBAC) policies in the presence of constraints with support for conflict resolution in a multidomain environment. A key feature of the model is that it allows decentralization of policy administration tasks through the abstraction of administrative domains, which not only simplifies authorization management, but is also fundamental to the concept of decentralized conflict resolution presented. The paper also illustrates the applicability of the outlined administrative concepts in a realistic enterprise environment using an implementation prototype that facilitates policy administration in large enterprises.
In Peer-to-Peer (P2P) computing environments, each participant (peer) acts as both client and content provider. This satisfies the requirement that resources should be increasingly made available by being published to other users from a user's machine. Compared with services performed by the client-server model, P2P-based services have several advantages. However, wide-scale application of P2P computing is constrained by limitations associated with the especially sophisticated control mechanisms needed between peers. To overcome these limitations, we introduce a controlled P2P computing architecture by extending the concept of Web services to the peer-to-peer level through a generic middleware. Specifically, in this paper we tailor our approach to support RBAC. Although our approach supports both brokered and purist P2P models, all of the policy decisions can be made on the peer side, because policy information is transferred from the policy servers to the corresponding peers through metadata that peers can understand. Each peer makes the access control decision based on the enterprise, the community, and the peer policies without asking other components. This approach supports RBAC services for collaborative enterprise in P2P computing environments, not only within one community but also within inter-communities. Furthermore, it also supports peers' autonomous decisions without causing policy conflicts. The broad dissemination of our approach would enable P2P technology to be applicable to more reliable and efficient services, providing controlled communications between peers.
With the growing use of wireless networks and mobile devices, we are moving towards an era where location information will be necessary for access control. The use of location information can be used for enhancing the security of an application, and it can also be exploited to launch attacks. For critical appli- cations, a formal model for location-based access control is needed that increases the security of the application and ensures that the location information cannot be exploited to cause harm. In this paper, we show how the Role-Based Access Control (RBAC) model can be extended to incorporate the notion of location. We show how the different components in the RBAC model are related with location and how this location information can be used to determine whether a subject has access to a given object. This model is suitable for applications consisting of static and dynamic objects, where location of the subject and object must be considered before granting access.
New cryptographic protocols which take full advantage of the unique properties of public key cryptosystems are now evolving. Several protocols for public key distribution and for dig~tal signatures are briefly compared with each other and with the conventional alternative. 1.
Attribute based access control (ABAC) grants accesses to services based on the attributes possessed by the requester. Thus, ABAC differs from the traditional discretionary access control model by replacing the subject by a set of attributes and the object by a set of services in the access control matrix. The former is appropriate in an identity-less system like the Internet where subjects are identified by their characteristics, such as those substantiated by certificates. These can be modeled as attribute sets. The latter is appropriate because most Internet users are not privy to method names residing on remote servers. These can be modeled as sets of service options. We present a framework that models this aspect of access control using logic programming with set constraints of a computable set theory [DPPR00]. Our framework specifies policies as stratified constraint flounder-free logic programs that admit primitive recursion. The design of the policy specification framework ensures that they are consistent and complete. Our ABAC policies can be transformed to ensure faster runtimes.
Role-based access control (RBAC) models are receiving increasing attention as a generalized approach to access control. Roles can be active at certain time periods and non active at others; moreover, there can be activation dependencies among roles. To tackle such dynamic aspects, we introduce Temporal-RBAC (TRBAC), an extensions of the RBAC model. TRBAC supports both periodic activations and deactivations of roles, and temporal dependencies among such actions, expressed by means of role triggers, whose actions may be either executed immediately, or be deferred by an explicity specified amount of time. Both triggers and periodic activations/deactivations may have a priority associated with them, in order to resolve conflicting actions. A formal semantics for the specification language is provided, and a polynomial safeness check is introduced to reject ambiguous or inconsistent specifications. Finally, an implementation architecture is outlined.
The article is devoted to the research of current trends and priorities for the blockchain technology use in order to ensure the economic security of large corporate entities. Large corporate entities operating in terms of digital economy were selected as the object of the research. The subject of the research is a set of economic and organizational and financial relations ensuring the financial controlling effectiveness in large corporate entities, implemented with the blockchain technology application. The work highlights the advantages and risks of the blockchain technology use at different levels of the economic system on the basis of the study of accumulated experience, reveals institutional gaps and organizational dysfunctions appearing in the course of modelling the blockchain technology application experience to solve definite economic problems, defines the need of institutional, legal, information and technology preparation of economic agents to the blockchain technology implication. Forcing the practice of the blockchain technologies use in corporate entities can provide a minimum level of the corporate sector infrastructural readiness to risk management in the economic system integration into digital economy. At the same time the use of the system and functional approach has allowed coming to a conclusion that the blockchain technology spread in the international and domestic contracting between the corporate sector subjects is creating new threats to economic security, which requires the inclusion of possible risks decomposition in the systems of corporate audit and controlling as a part of the proactive approach.
Blockchains represent a novel application of cryptography and information technology to age-old problems of financial record-keeping, and they may lead to farreaching changes in corporate governance. Many major players in the financial industry have began to invest in this new technology, and stock exchanges have proposed using blockchains as a new method for trading corporate equities and tracking their ownership. This essay evaluates the potential implications of these changes for managers, institutional investors, small shareholders, auditors, and other parties involved in corporate governance. The lower cost, greater liquidity, more accurate record-keeping, and transparency of ownership offered by blockchains may significantly upend the balance of power among these cohorts. © The Authors 2017. Published by Oxford University Press on behalf of the European Finance Association. All rights reserved.
Blockchain technology has the potential to revolutionize applications and redefine the digital economy.
Handbook of Research on Digital Transformations edited by F. Xavier Olleros, and Majlinda ZheguA paraitre
This chapter investigates how an electronic patient record (EPR) document can be managed by a number of active XML (AXML) peers representing hospitals, MDs, insurance companies, and Department of Health. These peers are living on remote servers, laptops, and mobile devices. Each of them provides integrated information/filtering services, or a combination of these, such as a hospital provides information about visits, while an insurance company gives reimbursement reports, and access control on both of them is enforced by both the regulations of the Department of Health, and their own respective privacy policies. The chapter also illustrates how the distributed data can be queried by different users, and how the specified access control rules are enforced along the way. It also investigates how the queries are executed efficiently—only the relevant/permissible parts of the AXML document are exchanged among peers, an AXML peer can fully or partially evaluate a query by delegating some of the computation to filtering peers or information sources.
Access control in enterprises is a key research area in the realm of Computer Security because of the unique needs of the target enterprise. As the enterprise typically has large user and resource pools, administering the access control based on any framework could in itself be a daunting task. This work presents X-GTRBAC Admin, an administration model that aims at enabling policy administration within a large enterprise. In particular, it simplifies the process of user-to-role and permission-to-role assignments, and thus allows decentralization of the policy administration tasks. Secondly, it also allows for specifying the domain of authority of the system administrators, and hence provides mechanism to distribute the administrative authority over multiple domains within the enterprise. The paper also illustrates the applicability of the administrative concepts presented in our framework for enterprise-wide access control.
Recently, there has been considerable interest in attribute based access control (ABAC) to overcome the limitations of the dominant access control models (i.e, discretionary-DAC, mandatory-MAC and role based-RBAC) while unifying their advantages. Although some proposals for ABAC have been published, and even implemented and standardized, there is no consensus on precisely what is meant by ABAC or the required features of ABAC. There is no widely accepted ABAC model as there are for DAC, MAC and RBAC. This paper takes a step towards this end by constructing an ABAC model that has "just sufficient" features to be "easily and naturally" configured to do DAC, MAC and RBAC. For this purpose we understand DAC to mean owner-controlled access control lists, MAC to mean lattice-based access control with tranquility and RBAC to mean flat and hierarchical RBAC. Our central contribution is to take a first cut at establishing formal connections between the three successful classical models and desired ABAC models.
We propose a new model for data storage and access in clouds. Our scheme avoids storing multiple encrypted copies of same data. In our framework for secure data storage, cloud stores encrypted data (without being able to decrypt them). The main novelty of our model is addition of key distribution centers (KDCs). We propose DACC (Distributed Access Control in Clouds) algorithm, where one or more KDCs distribute keys to data owners and users. KDC may provide access to particular fields in all records. Thus, a single key replaces separate keys from owners. Owners and users are assigned certain set of attributes. Owner encrypts the data with the attributes it has and stores them in the cloud. The users with matching set of attributes can retrieve the data from the cloud. We apply attribute-based encryption based on bilinear pairings on elliptic curves. The scheme is collusion secure; two users cannot together decode any data that none of them has individual right to access. DACC also supports revocation of users, without redistributing keys to all the users of cloud services. We show that our approach results in lower communication, computation and storage overheads, compared to existing models and schemes.
In this paper, we propose a new privacy preserving authenticated access control scheme for securing data in clouds. In the proposed scheme, the cloud verifies the authenticity of the user without knowing the user's identity before storing information. Our scheme also has the added feature of access control in which only valid users are able to decrypt the stored information. The scheme prevents replay attacks and supports creation, modification, and reading data stored in the cloud. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. The communication, computation, and storage overheads are comparable to centralized approaches.
At present, the system described in this paper has not been approved by the Department of Defense for processing classified information. This paper does not represent DOD policy regarding industrial application of time- or resource-sharing of EDP equipment.
This volume provides an overview of the Multics system developed at M.I.T.--a time-shared, general purpose utility like system with third-generation software. The advantage that this new system has over its predecessors lies in its expanded capacity to manipulate and file information on several levels and to police and control access to data in its various files. On the invitation of M.I.T.'s Project MAC, Elliott Organick developed over a period of years an explanation of the workings, concepts, and mechanisms of the Multics system. This book is a result of that effort, and is approved by the Computer Systems Research Group of Project MAC. In keeping with his reputation as a writer able to explain technical ideas in the computer field clearly and precisely, the author develops an exceptionally lucid description of the Multics system, particularly in the area of "how it works." His stated purpose is to serve the expected needs of designers, and to help them "to gain confidence that they are really able to exploit the system fully, as they design increasingly larger programs and subsystems." The chapter sequence was planned to build an understanding of increasingly larger entities. From segments and the addressing of segments, the discussion extends to ways in which procedure segments may link dynamically to one another and to data segments. Subsequent chapters are devoted to how Multics provides for the solution of problems, the file system organization and services, and the segment management functions of the Multics file system and how the user may employ these facilities to advantage. Ultimately, the author builds a picture of the life of a process in coexistence with other processes, and suggests ways to model or construct subsystems that are far more complex than could be implemented using predecessor computer facilities. This volume is intended for the moderately well informed computer user accustomed to predecessor systems and familiar with some of the Multics overview literature. While not intended as a definitive work on this living, ever-changing system, the book nevertheless reflects Multics as it has been first implemented, and should reveal its flavor, structure and power for some time to come.
Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architec-tures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches .
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
Cloud computing presents new security challenges to control access to information in cloud services. This article describes an authorization model suitable for cloud computing that supports hierarchical role-based access control, path-based object hierarchies, and federation. The authors also present an authorization system architecture for implementing the model. In particular, they provide some technical implementation details, together with performance results from the prototype. They also describe security, privacy, and trust management aspects for the authorization system.
Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.
In the schematic protection model subjects are classified into protection types. Creation is authorized by a can-create binary relation on types. It is shown that with arbitrary cycles in can-create safety is undecidable. Whereas it has been previously shown safety is decidable for acyclic can-create. It is also shown that safety remains undedicable even if all creates are attenuating in that tickets (capabilities) given to a subject on its creation are attenuated copies of tickets available to its parent. This contrasts with decidable safety for attenuating cycles of length one. It appears safety is decidable for the practically useful cases while undecidability results from undue laxity in authorizing creation.
Cloud computing, as an emerging computing paradigm, enables users to remotely store their data into a cloud so as to enjoy scalable services on-demand. Especially for small and medium-sized enterprises with limited budgets, they can achieve cost savings and productivity enhancements by using cloud-based services to manage projects, to make collaborations, and the like. However, allowing cloud service providers (CSPs), which are not in the same trusted domains as enterprise users, to take care of confidential data, may raise potential security and privacy issues. To keep the sensitive user data confidential against untrusted CSPs, a natural way is to apply cryptographic approaches, by disclosing decryption keys only to authorized users. However, when enterprise users outsource confidential data for sharing on cloud servers, the adopted encryption system should not only support fine-grained access control, but also provide high performance, full delegation, and scalability, so as to best serve the needs of accessing data anytime and anywhere, delegating within enterprises, and achieving a dynamic set of users. In this paper, we propose a scheme to help enterprises to efficiently share confidential data on cloud servers. We achieve this goal by first combining the hierarchical identity-based encryption (HIBE) system and the ciphertext-policy attribute-based encryption (CP-ABE) system, and then making a performance-expressivity tradeoff, finally applying proxy re-encryption and lazy re-encryption to our scheme.
It has been recognized for some time that software alone does not provide an adequate foundation for building a high-assurance trusted platform. The emergence of industry-standard trusted computing technologies promises a revolution in this respect by providing roots of trust upon which secure applications can be developed. These technologies offer a particularly attractive platform for security in peer-to-peer environments. In this paper we propose a trusted computing architecture to enforce access control policies in such applications. Our architecture is based on an abstract layer of trusted hardware which can be constructed with emerging trusted computing technologies. A trusted reference monitor (TRM) is introduced beyond the trusted hardware. By monitoring and verifying the integrity and properties of running applications in a platform using the functions of trusted computing, the TRM can enforce various policies on behalf of object owners. We further extend this platform-based architecture to support user-based control policies, cooperating with existing services for user identity and attributes. This architecture and its refinements can be extended in future work to support general access control models such as lattice-based access control, role-based access control, and usage control.
this document, also in a distributed way, and (iii) process queries while enforcing the access control, in a distributed, privacy conscious manner. In Fig. 1, an EPR at a physician's peer has some part on a monitoring device, and some part at the hospital and (recursively) at the insurance company. Access control on this distributed data is partly determined by the patient 's preferences (through her SmartCard), partly by the general regulations of the Department of Health, and partly locally at each participating peer
In traditional access control models like mandatory access control (MAC), discretionary access con- trol (DAC), and role-based access control (RBAC), authorization decisions are determined according to the identities of subjects and objects, which are authenticated by a system completely. Recent access con- trol practices, such as digital rights management (DRM), trust management, and usage control, require flexible authorization policies. In such systems, a subject may be only partially authenticated according to one or more attributes. Authorization policies are specified with subject and object attribute values. In this paper we propose an attribute-based access matrix model, named ABAM, which extends the original access matrix model. We show that ABAM enhances the expressive power of the access matrix model by supporting attribute-based authorizations and dynamic permission propagations. Specifically, ABAM is comprehensive enough to encompass traditional access control models as well as some usage control features. As expressive power and safety are two fundamental but conflictive objectives of an access con- trol model, we study the safety property of ABAM and conclude that the safety problem is decidable for a restricted case where attribute relationship graph allows no cycles containing creating-attribute tuples. The restricted case is shown to sustain good expressive power to model practical systems.
In this paper, we introduce the notion of TeaM-based Access Control (TMAC) as an approach to applying rolebased access control in collaborative environments. Our focus is on collaborative activity that is best accomplished through organized teams. Thus, central to the TMAC approach is the notion of a “team” as an abstraction that encapsulates a collection of users in specific roles with the objective of accomplishing a specific task or goal. We were led to the idea of TMAC when our investigations revealed two interesting requirements for certain collaborative environments. The first was the need for a hybrid access control model that incorporated the advantages of broad, role-based permissions across object types, yet required fine-grained, identity-based control on individual users in certain roles and to individual object instances. The second was a need to distinguish the passive concept of permission assignment from the active concept of context-based permission activation. It remains to be seen whether these requirements should lead to yet another variation of one or more models of RBAC, or whether such requirements and
The Internet enables global sharing of data across organizational boundaries. Distributed file systems facilitate data sharing in the form of remote file access. However, traditional access control mechanisms used in distributed file systems are intended for machines under common administrative control, and rely on maintaining a centralized database of user identities. They fail to scale to a large user base distributed across multiple organizations. We provide a survey of decentralized access control mechanisms in distributed file systems intended for large scale, in both administrative domains and users. We identify essential properties of such access control mechanisms. We analyze both popular production and experimental distributed file systems in the context of our survey.
Keeping confidential who sends which messages, in a world where any physical transmission can be traced to its origin, seems impossible. The solution presented here is unconditionally or cryptographically secure, depending on whether it is based on one-time-use keys or on public keys, respectively. It can be adapted to address efficiently a wide variety of practical considerations.
The protection state of a system is defined by the privileges possessed by subjects at a given moment. Operations that change this state are themselves authorized by the current state. This poses a design problem in constructing the initial state so that all derivable states conform to a particular policy. It also raises an analysis problem of characterizing the protection states derivable from a given initial state. A protection model provides a framework for both design and analysis. Design generality and tractable analysis are inherently conflicting goals. Analysis is particularly difficult if creation of subjects is permitted. The schematic protection model resolves this conflict by classifying subjects and objects into protection types. The privileges possessed by a subject consist of a type-determined part specified by a static protection scheme and a dynamic part consisting of tickets (capabilities). It is shown that analysis is tractable for this model provided certain restrictions are imposed on subject creation. A scheme authorizes creation of subjects via a binary relation on subject types. Our principal constraint is that this relation be acyclic, excepting loops that authorize a subject to create subjects of its own type. Our assumptions admit a variety of useful systems.
It is shown that the large-scale automated transaction systems of the near future can be designed to protect the privacy and maintain the security of both individuals and organizations. A new approach is described in which: (1) an individual uses a different account number or 'digital pseudonym' with each organization; (2) individuals conduct transactions using personal card computers that might take a form similar to a credit-card-sized calculator, and include a character display, keyboard, and a limited distance communication capability; (3) individuals keep secret keys from organizations and organizations devise other secret keys that are kept from individuals.