Abstract
In this paper, we distinguish between authorization problems at management level and request level in open decentralized systems, using delegation for flexible and scalable authorization management. The delegation models in existing approaches are limited within one level or only provide basic delegation schemes, and have no effective control over the propagation scope of delegated privileges. We propose REAL, a Role-based Extensible Authorization Language framework for open decentralized systems. REAL covers delegation models at both two levels and provides more flexible and scalable authorization and delegation policies while capable of restricting the propagation scope of delegations. We formally define the semantics of credentials in REAL by presenting a translation algorithm from credentials to Datalog rules (with negation-as-failure). This translation also shows that the semantics can be computed in polynomial time.
This work is supported by the National Grand Fundamental Research 973 Program of China under Grant No.G1999032703; the National High Technology Development 863 Program of China under Grant No.2003AA115210; Foundation of Weapons Research in Advance under Grant No.51415030203KG01, “security technologies in multi-database systems”.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in distributed systems: Theory and practice. ACM Transactions on Computer Systems 10(4), 265–310 (1992)
Firozabadi, B.S., Sergot, M., Bandmann, O.: Using Authority Certificates to Create Management Structures. In: Proceeding of Security Protocols, 9th International Workshop, Cambridge, UK. Springer, Heidelberg (2001) (in press)
Ellison, C.M., Frantz, B., Lampson, B., Rivest, R., Thomas, B.M., Ylonen, T.: SPKI Certificate Theory. IETF RFC 2693 (1998)
Barka, E., Sandhu, R.: Framework for Role-Based Delegation Models. In: Proceedings of 16th Annual Computer Security Application Conference, New Orleans, LA, December 11-15, pp. 168–176 (2000)
Berman, F., Fox, G., Hey, T. (eds.): Grid Computing - Making the Global Infrastructure a Reality. John Wiley & Sons Ltd., Chichester (2003)
Intelligent Systems Laboratory, Swedish Institute of Computer Science, SICStus Prolog User’s Manual, Release 3.11.1 (February 2004)
Shapiro, J.S., Smith, J.M., Farber, D.J.: EROS: a fast capability system. In: 17th ACM Symposium on Operating Systems Principles (SOSP 1999) (1999)
Pearlman, L., Kesselman, C., Welch, V., Foster, I., Tuecke, S.: The Community Authorization Service: Status and Future. In: CHEP 2003, La Jolla, California, March 24-28 (2003)
Gasser, M., Mcdermott, E.: An architecture for practical delegation in a distributed system. In: Proceedings of the IEEE Symposium on Security and Privacy, May 1990, pp. 20–30 (1990)
Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The KeyNote trust-management system, version 2. IETF RFC 2704 (September 1999)
Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The role of trust management in distributed systems. In: Vitek, J. (ed.) Secure Internet Programming. LNCS, vol. 1603, pp. 185–210. Springer, Heidelberg (1999)
Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 114–130. IEEE Computer Society Press, Los Alamitos (2002)
Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: A logic-based approach to distributed authorization. ACM Transaction on Information and System Security (TISSEC) (February 2003)
Bandmann, O., Damy, M., Firozabadi, B.S.: Constrained Delegation. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P 2002) (2002)
Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security 2(1), 105–135 (1999)
Schwoon, S., Jha, S., Reps, T., Stubblebine, S.: On Generalized Authorization Problems. In: Proceedings of the 16th IEEE Computer Security Foundations Workshop (CSFW 2003) (2003)
The Common Object Request Broker: Architecture and Specification, Object Management Group, Version 3.0 (July 2002)
Varadharajan, V., Allen, P., Black, S.: An Analysis of the Proxy Problem in Distributed systems. In: IEEE Symposium on Research in Security and Privacy, Oakland, CA (1991)
Van Gelder, A., Ross, K.A., Schlipf, J.S.: The Well-Founded Semantics for General Logic Programs. JACM 38(3), 620–650
Wulf, W., Cohen, E., Corwin, W., Jones, A., Levin, R., Pierson, C., Pollack, F.: HYDRA: The kernel of a multiprocessor operating system. Communications of the ACM 17(6), 337–345 (1974)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yin, G., Teng, M., Wang, Hm., Jia, Y., Shi, Dx. (2004). An Authorization Framework Based on Constrained Delegation. In: Cao, J., Yang, L.T., Guo, M., Lau, F. (eds) Parallel and Distributed Processing and Applications. ISPA 2004. Lecture Notes in Computer Science, vol 3358. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30566-8_98
Download citation
DOI: https://doi.org/10.1007/978-3-540-30566-8_98
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24128-7
Online ISBN: 978-3-540-30566-8
eBook Packages: Computer ScienceComputer Science (R0)