Abstract
This paper proposes a knowledge-based approach to Internet authorizations using Public-Key Infrastructure (PKI) based digital certificates and Role-Based Access Control (RBAC). First, we introduce several existing access control models. Second, a logic-based policy specification language is given. Third, a policy-driven RBAC is presented. Fourth, a method of automatically assigning roles to users using digital certificates is discussed. Then, the architecture for Internet authorizations is described. Finally, a solution to remote policy enforcement is proposed. We also give the syntax of a role definition language and illustrate it in appendices A and B, respectively.
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
Cite this paper
Lin, A. (2001). A Knowledge-Based Approach to Internet Authorizations. In: Varadharajan, V., Mu, Y. (eds) Information Security and Privacy. ACISP 2001. Lecture Notes in Computer Science, vol 2119. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-47719-5_24
DOI: https://doi.org/10.1007/3-540-47719-5_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42300-3
Online ISBN: 978-3-540-47719-8