ISBN (print): 9781479952557
In certain business sectors, adapting to modern, cost-reducing technologies and service models can still be a challenge. This especially applies to health-care-related SMEs, such as hospitals, where cost reduction runs counter to the need to be compliant with legal regulations and where access control has to struggle against a diverse landscape of health-care equipment accompanied by dynamic and complex role models. Outsourcing data storage and data processing does not seem to reduce this complexity; rather, it bears the risks of reduced data availability, loss or abuse of data, and can increase legal compliance risks and concerns. Since this applies to many SMEs, a common platform, such as an ecosystem, can help to lower the entrance barrier by providing helpful management functionalities and standardized basic services, and therefore push the adoption of modern, cost-reducing service consumption scenarios. In this paper a generic design pattern for realizing distributed authorization in an API ecosystem is presented. The pattern is applied within a research project which aims to develop an ecosystem for trading and consuming services within demanding business sectors and to reduce lock-in effects for both service providers and consumers. The concept of distributed authorization is applied in a new, complex multi-entity use case, where access policies for RESTful APIs can be designed flexibly, taking into consideration the requirements of service providers and consumers, and are enforced by a central trusted third-party provider.
The World Wide Web (W3) has the potential to link different kinds of documents into hypertext collections and to distribute such collections among many document servers. Distributed collections can bring forth new W3 applications in extranets and expand the concept of content reuse. However, they also bring new authorization problems, such as the need for coordinated user administration, user authentication, and revocation of rights. This paper proposes WDAI, a simple and general infrastructure for distributed authorization on the World Wide Web. Under WDAI, browsers and servers exchange authorization information using X.509v3-based authorization certificates. WDAI is designed to be open to a wide variety of security policies and, being compatible with existing W3 technology, can be implemented without modifying existing browsers. (C) 1999 Published by Elsevier Science B.V. All rights reserved.
Distributed authorization takes into account several elements, including certificates that may be provided by non-local actors. While most trust management systems treat all assertions as equally valid up to certificate authentication, realistic considerations may associate risk with some of these elements; for example, some actors may be less trusted than others. Furthermore, practical online authorization may require certain levels of risk to be tolerated. In this paper, we introduce a trust management logic based on the system RT that incorporates formal risk assessment. This formalization allows risk levels to be associated with authorization, and authorization risk thresholds to be precisely specified and enforced. We also develop an algorithm for automatic authorization in a distributed environment that is directed by risk considerations. A variety of practical applications are discussed.
Authorization is an open problem in Ambient Intelligence environments. The difficulty of implementing authorization policies lies in the open and dynamic nature of such environments. The information is distributed among various heterogeneous devices that collect, process, change, and share it. Previous work presented a fully distributed approach for reasoning with conflicts in ambient intelligence systems. This paper extends previous results to address authorization issues in distributed environments. First, the authors present the formal high-level authorization language DEAL to specify access control policies in open and dynamic distributed systems. DEAL has rich expressive power, supporting negative authorization, rule priorities, hierarchical category authorization, and nonmonotonic reasoning. The authors then define the language semantics through Defeasible Logic. Finally, they demonstrate the capabilities of DEAL in a use-case Ambient Intelligence scenario regarding a hospital facility.
ISBN (print): 9781595939364
Practical analysis tools for distributed authorization need to answer quickly and accurately the question: who can access this resource? DAP (Delegation with Acyclic Paths) is a distributed authorization framework (introduced in [17]) that tries to interoperate better with standard PKI mechanisms while retaining some of the benefits of newer trust management schemes. DAP has an acyclicity requirement which makes it more difficult to answer this question quickly. In this paper we use a technique borrowed from compiler optimization, dominator-tree problem decomposition, to overcome this limitation of DAP with a fast heuristic. We show through simulation the heuristic's performance in a realistic federated resource management scenario. We also show how this heuristic can be complemented by clone-analysis techniques that exploit similarities between principals to further improve performance. We are currently using the heuristic and clone analysis in practice in a design/analysis security tool.
ISBN (print): 9781595932266
This paper introduces the PeerAccess framework for reasoning about authorization in open distributed systems, and shows how a parameterization of the framework can be used to reason about access to computational resources in a grid environment. The PeerAccess framework supports a declarative description of the behavior of peers that selectively push and/or pull information from certain other peers. PeerAccess local knowledge bases encode the basic knowledge of each peer (e.g., Alice's group memberships), its policies governing the release of each possible piece of information to other peers, and information that guides and limits its search process when trying to obtain particular pieces of information from other peers. PeerAccess proofs of authorization are verifiable and nonrepudiable, and their construction relies only on the local information possessed by peers and their parameterized behavior with respect to query answering, information push/pull, and information release policies (i.e., no omniscient viewpoint is required). We present the PeerAccess language and peer knowledge base structure, the associated formal semantics and proof theory, and examples of the use of PeerAccess in constructing proofs of authorization to access computational resources.
In the present-day context, data owners store and share sensitive records on cloud servers and must ensure the confidentiality and integrity of their data. There are challenges related to storing data on cloud servers, including ensuring data security, privacy, compliance, and data sovereignty. Another problem is data request frequency, which increases the server's computational overhead. An Attribute-Based Access Control Scheme (ABCS) was implemented, allowing authorized users secure access to data from the cloud server. The proposed work is divided into two objectives. The first objective is enhancing data security through an XOR and Functional-Based Stream Cipher (FBSC) for secure storage and sharing. The second objective entails leveraging data owner attributes to create a polynomial for distributing the symmetric secret key. The symmetric secret key is segmented into 'n' shares using Shamir's Secret Sharing Scheme to provide the multiparty Secret Key Points, which are then shared among the authorized users via asymmetric encryption. The attribute-based hierarchical tree structure scheme (AB-HTS-S) stores the Secret Key Points. Lagrange interpolation is used to reconstruct the symmetric secret key and provide access to privileged users. The AB-HTS-S scheme defines an authorized-user threshold (T >= 3) for reconstructing the symmetric secret key for decryption. Data encryption is evaluated using statistical methods such as the NIST Statistical Test Suite, correlation coefficient, and histogram analysis. Performance analysis, a key aspect of our research, demonstrates that our proposed scheme offers significant computational efficiency, ensuring rapid encryption/decryption and high throughput. The experimental results show that our scheme requires minimal storage and communication overhead. Security analysis proves that our scheme resists collusion and chosen-plaintext attacks. Therefore, the proposed schemes can offer secure and efficient mechanisms for cloud storage, instill
Through web service technology, distributed applications can be built in an open and flexible manner, bringing tremendous power to applications on the web. However, this flexibility poses significant challenges to security. Traditional access control for distributed systems is not flexible and efficient enough in such an environment; in particular, fully secure online authorization decisions may be too inefficient in practice, requiring simplifications which may have only an informal and unverifiable relation to fully secure authorization decisions. This paper introduces a trust-but-verify framework for web services authorization. In this framework, each web service maintains the usual access control policies, as well as a trust transformation policy that formally specifies how to simplify full authorization into a more efficient form for online checking. This formalization allows certainty that offline checking verifies the trust relation between full security and online checking.
ISBN (print): 9781605585376
A number of research systems have demonstrated the benefits of accompanying each request with a machine-checkable proof that the request complies with access-control policy, a technique called proof-carrying authorization. Numerous authorization logics have been proposed as vehicles by which these proofs can be expressed and checked. A challenge in building such systems is how to allow delegation between institutions that use different authorization logics. Instead of trying to develop the authorization logic that all institutions should use, we propose a framework for interfacing different, mutually incompatible authorization logics. Our framework provides a very small set of primitives that defines an interface for communication between different logics without imposing any fundamental constraints on their design or nature. We illustrate by example that a variety of different logics can communicate over this interface, and show formally that supporting the interface does not impinge on the integrity of each individual logic. We also describe an architecture for constructing authorization proofs that contain components from different logics and report on the performance of a prototype proof checker.
ISBN (print): 9781450356664
Permissions are highly sensitive in Internet-of-Things (IoT) applications, as IoT devices collect our personal data and control the safety of our environment. Rather than simply granting permissions, further constraints shall be imposed on permission usage so as to realize the Principle of Least Privilege. Since IoT devices are physically embedded, they are often accessed in a particular sequence based on their relative physical positions. Monitoring whether such sequencing constraints are honoured when IoT devices are accessed provides a means to fence off malicious accesses. This paper proposes a history-based capability system, HCAP, for enforcing permission sequencing constraints in a distributed authorization environment. We formally establish the security guarantees of HCAP and empirically evaluate its performance.