Secure Role Based Messaging

This paper describes a secure role based messaging system design based on the use of X.509 Attribute Certificates for holding user roles. Access to the messages is authorised by the PERMIS Privilege Management Infrastructure, a policy driven role based access control (RBAC) infrastructure, which allows the assignment of roles to be distributed between trusted issuing authorities, and allows a change of access control policy at runtime. Messages can be sent by roles and users, and can be sent to roles and users. Messages are secure in their exchange between senders and recipients. Details of the security and messaging design are presented.

[1]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[2]  San C. Vo A Survey of Elliptic Curve Cryptosystems, Part I: Introductory , 2003 .

[3]  Alfred Menezes,et al.  The Elliptic Curve Digital Signature Algorithm (ECDSA) , 2001, International Journal of Information Security.

[4]  Achim D. Brucker,et al.  The CVS-Server Case Study: A Formalized Security Architecture , 2002 .

[5]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[6]  P. Hoffman Enhanced Security Services for S/MIME , 1999, RFC.

[7]  David W. Chadwick,et al.  Evolving messaging systems for secure role based messaging , 2005, 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'05).

[8]  Michael J. Wiener,et al.  Cryptanalysis of Short RSA Secret Exponents (Abstract) , 1990, EUROCRYPT.

[9]  Pawel Gburzynski,et al.  Fighting the spam wars: A remailer approach with restrictive aliasing , 2004, TOIT.

[10]  Nathaniel S. Borenstein,et al.  Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies , 1996, RFC.

[11]  Ákos Frohner,et al.  VOMS, an Authorization System for Virtual Organizations , 2003, European Across Grids Conference.

[12]  André Zúquete,et al.  Enforcing Obligation with Security Monitors , 2001, ICICS.

[13]  Stephanie Forrest,et al.  Email networks and the spread of computer viruses. , 2002, Physical review. E, Statistical, nonlinear, and soft matter physics.

[14]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[15]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[16]  Jeremy L. Jacob,et al.  The role-based access control system of a European bank: a case study and discussion , 2001, SACMAT '01.

[17]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[18]  Rolf Oppliger,et al.  Using Attribute Certificates to Implement Role-based Authorization and Access Controls , 2000 .

[19]  David W. Chadwick,et al.  RBAC Policies in XML for X.509 Based Privilege Management , 2002, SEC.

[20]  John G. Myers Simple Authentication and Security Layer (SASL) , 1997, RFC.

[21]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 2000, IEEE Trans. Inf. Theory.

[22]  David W. Chadwick,et al.  Policy based electronic transmission of prescriptions , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[23]  Marco Casassa Mont,et al.  A flexible role-based secure messaging service: exploiting IBE technology for privacy in health care , 2003, 14th International Workshop on Database and Expert Systems Applications, 2003. Proceedings..

[24]  Mark R. Crispin Internet Message Access Protocol - Version 4rev1 , 1996, RFC.

[25]  Blake Ramsdell,et al.  S/MIME Version 3 Message Specification , 1999, RFC.

[26]  David W. Chadwick,et al.  Distributed key management for secure role based messaging , 2006, 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06).

[27]  Carlisle M. Adams,et al.  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[28]  Alexey Melnikov,et al.  Simple Authentication and Security Layer (SASL) , 2006, RFC.

[29]  Sylvia L. Osborn Mandatory access control and role-based access control revisited , 1997, RBAC '97.

[30]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[31]  Sylvia L. Osborn,et al.  Modeling Mandatory Access Control in Role-Based Security Systems , 1995, DBSec.

[32]  Sushil Jajodia,et al.  Obligation monitoring in policy management , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[33]  Alfred Menezes,et al.  Guide to Elliptic Curve Cryptography , 2004, Springer Professional Computing.

[34]  David W. Chadwick An X.509 Role Based Privilege Management Infrastructure , 2001 .

[35]  Matthew K. Franklin,et al.  Self-healing key distribution with revocation , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[36]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[37]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[38]  Clifford C. Cocks An Identity Based Encryption Scheme Based on Quadratic Residues , 2001, IMACC.

[39]  S. D. Wolthusen A distributed multipurpose mail guard , 2003, IEEE Systems, Man and Cybernetics SocietyInformation Assurance Workshop, 2003..

[40]  Timothy W. Finin,et al.  A policy language for a pervasive computing environment , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[41]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[42]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[43]  Sylvia L. Osborn,et al.  Access Rights Administration in Role-Based Security Systems , 1994, DBSec.

[44]  Gene Tsudik,et al.  On simple and secure key distribution , 1993, CCS '93.

[45]  Duminda Wijesekera,et al.  A policy driven approach to email services , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[46]  William Stallings,et al.  Cryptography and Network Security: Principles and Practice , 1998 .

[47]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[48]  Ravi S. Sandhu Role Hierarchies and Constraints for Lattice-Based Access Controls , 1996, ESORICS.

[49]  Zygmunt J. Haas,et al.  Securing ad hoc networks , 1999, IEEE Netw..

[50]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[51]  David W. Chadwick,et al.  The PERMIS X.509 role based privilege management infrastructure , 2002, SACMAT '02.

[52]  David W. Chadwick The X.509 Privilege Management Infrastructure , 2003 .

[53]  David W. Chadwick,et al.  Role-Based Access Control With X.509 Attribute Certificates , 2003, IEEE Internet Comput..

[54]  David W. Chadwick,et al.  Trust infrastructure for policy based messaging in open environments , 2005, 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05).

[55]  Ian T. Foster,et al.  The Community Authorization Service: Status and Future , 2003, ArXiv.

[56]  Serban I. Gavrila,et al.  Formal specification for role based access control user/role and role/role relationship management , 1998, RBAC '98.

[57]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[58]  Dan Boneh,et al.  Experimenting with Shared Generation of RSA Keys , 1999, NDSS.

[59]  Ken Moody,et al.  Meta-policies for distributed role-based access control systems , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[60]  Jonathan B. Postel Rfc821: simple mail transfer protocol , 1982 .

[61]  Dan Boneh,et al.  A Method for Fast Revocation of Public Key Certificates and Security Capabilities , 2001, USENIX Security Symposium.