Abstract
SACL is an access control language based on the SPKI/SDSI PKI, with features such as group certificates, delegation, and threshold certificates. In this paper, we show how SACL can be effectively realized in a Security Automata framework. We establish the equivalence of the transformation with the SPKI/SDSI semantics as well as the set-theoretic semantics. The transformation gives an efficient way to enforce the policy being defined and allows inference of authorizations obtained from multiple certificates. Further, we describe algorithms for efficiently solving certificate-analysis problems, resource authentication problems, etc. The transformation allows us to capture, in an unambiguous way, the authorization of tags as they are delegated, and to define the set of tags permissible under threshold certification. The framework succinctly captures the expressive power of SACL and enables heterogeneous integration of SACL with state-based security mechanisms that are widely used for protection/security of classical OS, databases, etc. One of the distinct advantages of the framework is its amenability to finite-state model-checking algorithms for verifying access control. We show how very useful properties can be verified using our transformation.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Narendra Kumar, N.V., Shyamasundar, R.K. (2006). Specification and Realization of Access Control in SPKI/SDSI. In: Bagchi, A., Atluri, V. (eds) Information Systems Security. ICISS 2006. Lecture Notes in Computer Science, vol 4332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11961635_12
DOI: https://doi.org/10.1007/11961635_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-68962-1
Online ISBN: 978-3-540-68963-8
eBook Packages: Computer Science (R0)