Handling distributed authorization with delegation through answer set programming

  • Regular Contribution
  • International Journal of Information Security

Abstract

Distributed authorization is an essential issue in computer security. Recent research shows that trust management is a promising approach to authorization in distributed environments. There are two key issues for a trust management system: how to design an expressive high-level policy language and how to solve the compliance-checking problem (Blaze et al. in Proceedings of the Symposium on Security and Privacy, pp. 164–173, 1996; Proceedings of 2nd International Conference on Financial Cryptography (FC’98). LNCS, vol. 1465, pp. 254–274, 1998), where ordinary logic programming has been used to formalize various distributed authorization policies (Li et al. in Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 114–130, 2002; ACM Trans. Inf. Syst. Secur. (TISSEC) 6(1):128–171, 2003). In this paper, we employ Answer Set Programming to deal with many complex issues associated with distributed authorization along the trust management approach. In particular, we propose a formal authorization language \(\mathcal {AL}\) and give its semantics through Answer Set Programming. Using language \(\mathcal {AL}\), we can not only express nonmonotonic delegation policies, which have not been considered in previous approaches, but also represent delegation with depth, separation of duty, and positive and negative authorizations. We also investigate basic computational properties related to our approach. Through two case studies, we further illustrate the application of our approach in distributed environments.
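As an added illustration, not the paper's own \(\mathcal {AL}\) encoding, the following clingo-style ASP program shows the three features the abstract lists: delegation with a depth bound, a negative authorization that overrides positive ones via default negation (the nonmonotonic part), and separation of duty as an integrity constraint. Every predicate name, the constant `maxdepth`, and all facts are assumptions constructed for this example.

```clingo
% Constructed sample data (not from the paper): one owner, one resource,
% a delegation chain, one owner-issued denial, and two role assignments.
#const maxdepth = 3.

owner(alice, file1).
% delegate(Grantor, Grantee, Resource, Depth): Grantee may re-delegate
% at most Depth further hops.
delegate(alice, bob,   file1, 2).
delegate(bob,   carol, file1, 1).
delegate(carol, dave,  file1, 0).
delegate(dave,  frank, file1, 0).   % dave has no depth left: ignored
delegate(alice, eve,   file1, 0).

% Owner-issued negative authorization.
deny(alice, carol, file1).

% Role assignments and a conflicting pair for separation of duty.
holds(bob, approver).
holds(carol, payer).
conflict(approver, payer).

% auth(P, R, D): P is positively authorized for R with remaining depth D.
auth(O, R, maxdepth) :- owner(O, R).

% A delegation is effective only if the grantor holds the right with depth
% left, passes on strictly less depth, and is not itself denied (policy
% choice: a denial also cuts every chain running through the denied party).
auth(G, R, D) :- delegate(F, G, R, D), auth(F, R, DF), DF > 0, D < DF,
                 not denied(F, R).

% Only the owner's denials count.
denied(P, R) :- deny(O, P, R), owner(O, R).

% Final decision: negative authorization takes precedence. The "not denied"
% literal makes the policy nonmonotonic: adding a deny fact retracts a
% previously derived can/2 conclusion instead of adding to it.
can(P, R) :- auth(P, R, _), not denied(P, R).

% Separation of duty as an integrity constraint: an assignment giving one
% principal both conflicting roles leaves the program with no answer set.
:- holds(P, R1), holds(P, R2), conflict(R1, R2).

#show can/2.
```

Run with `clingo policy.lp`; the single answer set contains can(alice,file1), can(bob,file1) and can(eve,file1), while carol is denied and dave and frank receive nothing because the chain through carol is cut. Adding `holds(bob, payer).` makes the program unsatisfiable, which is how the constraint rejects a separation-of-duty violation.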


References

  1. Agudo, I., Lopez, J., Montenegro, J.A.: A representation model of trust relationships with delegation extensions. In: Proceedings of the 3rd International Conference on Trust Management, pp. 116–130 (2005)

  2. Anger, C., Konczak, K., Linke, T., Schaub, T.: A glimpse of answer set programming. Künstliche Intelligenz 19(1), 12–17 (2005)

  3. Baral, C.: Knowledge Representation, Reasoning and Declarative Problem Solving. Cambridge University Press, Cambridge (2003)

  4. Bertino, E., Buccafurri, F., Ferrari, E., Rullo, P.: A logical framework for reasoning on data access control policies. In: Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW-12), pp. 175–189. IEEE Computer Society Press, Los Alamitos (1999)

  5. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the Symposium on Security and Privacy, pp. 164–173. IEEE Computer Society Press, Los Alamitos (1996)

  6. Blaze, M., Feigenbaum, J., Strauss, M.: Compliance-checking in the PolicyMaker trust management system. In: Proceedings of 2nd International Conference on Financial Cryptography (FC’98). LNCS, vol. 1465, pp. 254–274. Springer, Berlin Heidelberg New York (1998)

  7. Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The role of trust management in distributed systems. In: Secure Internet Programming. LNCS, vol. 1603, pp. 185–210. Springer, Berlin Heidelberg New York (1999)

  8. Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The KeyNote trust-management system, Version 2. Internet Engineering Task Force RFC 2704. http://www.ietf.org/rfc/rfc2704.txt (1999)

  9. Clarke, D., Elien, J., Ellison, C., Fredette, M., Morcos, A., Rivest, R.L.: Certificate chain discovery in SPKI/SDSI, manuscript (1999)

  10. Elien, J.: Certificate discovery using SPKI/SDSI 2.0 certificates. Master's thesis, MIT LCS. http://theory.lcs.mit.edu/cis/theses/elien-masters.ps (1998)

  11. Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI certificate theory. Internet Engineering Task Force RFC 2693. http://www.ietf.org/rfc/rfc2693.txt (1999)

  12. Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: Simple public key certificate. Internet Draft

  13. Gelfond, M., Lifschitz, V.: The stable model semantics for logic programming. In: Kowalski, R., Bowen, K. (eds.) Proceedings of the 5th International Conference and Symposium on Logic Programming, pp. 1070–1080. MIT Press, Cambridge (1988)

  14. ITU-T Rec. X.509 (revised): The directory – authentication framework. International Telecommunication Union

  15. Jajodia, S., Samarati, P., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Trans. Database Syst. 26(2), 214–260 (2001)

  16. Kent, S.T.: Internet privacy enhanced mail. Commun. ACM 36(8), 48–60 (1993)

  17. Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management. J. Comput. Secur. 11(1), 35–86 (2003)

  18. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 114–130. IEEE Computer Society Press, Los Alamitos (2002)

  19. Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: a logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur. (TISSEC) 6(1), 128–171 (2003)

  20. Niemelä, I., Simons, P., Syrjänen, T.: Smodels: a system for answer set programming. In: Proceedings of the 8th International Workshop on Non-monotonic Reasoning (2000)

  21. Rivest, R.L., Lampson, B.: SDSI – a simple distributed security infrastructure. http://theory.lcs.mit.edu/rivest/sdsi11.html (1996)

  22. Ruan, C., Varadharajan, V.: Resolving conflicts in authorization delegations. In: Proceedings of the 7th Australian Conference on Information Security and Privacy. LNCS, vol. 2384, pp. 271–285 (2002)

  23. Ruan, C., Varadharajan, V.: A weighted graph approach to authorization delegation and conflict resolution. In: Proceedings of the 9th Australian Conference on Information Security and Privacy, pp. 402–413 (2004)

  24. Ruan, C., Varadharajan, V., Zhang, Y.: Logic-based reasoning on delegatable authorizations. In: Proceedings of the 13th International Symposium on Foundations of Intelligent Systems, pp. 185–193 (2002)

  25. Syrjänen, T.: Lparse 1.0 User’s manual. http://www.tcs.hut.fi/Software/smodels

  26. Wang, S., Zhang, Y.: A formalization of distributed authorization with delegation. In: Proceedings of the 10th Australian Conference on Information Security and Privacy. LNCS, vol. 3574, pp. 303–315 (2005)

  27. Woo, T.Y.C., Lam, S.S.: Authorization in distributed systems: a new approach. J. Comput. Secur. 2(2/3), 107–136 (1993)

  28. Zhang, Y.: Two results for prioritized logic programming. Theory Practice Logic Program. 3(2), 223–242 (2003)


Correspondence to Shujing Wang.

Cite this article

Wang, S., Zhang, Y. Handling distributed authorization with delegation through answer set programming. Int. J. Inf. Secur. 6, 27–46 (2007). https://doi.org/10.1007/s10207-006-0008-4
