Compliance Checking for Usage-Constrained Credentials in Trust Negotiation Systems

We propose an approach to placing usage constraints on RT credentials: issuers specify constraints by designing non-deterministic finite automata. We show by example that this approach can express constraints of practical interest. We present a compliance checker that operates in the presence of usage constraints and is aimed especially at trust negotiation systems. Given an RT policy, the checker finds all minimal satisfying sets, each of which uses credentials in a way consistent with the given constraints. The checker leverages answer set programming, a declarative logic programming paradigm, to model and solve the problem. We also show preliminary experimental results: supporting usage constraints on credentials incurs affordable overhead, and the checker responds efficiently.
