Implement role based access control with attribute certificates

Nowadays more and more activities are performed over the Internet. But as more people are involved in the transaction circle, security and authorization control become one of the biggest concerns. Hence, we are motivated by the need to manage and to enforce a strong authorization mechanism in a large-scale web environment. Role based access control (RBAC) provides some flexibility to security management. Public key infrastructure (PKI) can provide strong authentication. Privilege management infrastructure (PMI), as a new technology, can provide strong authorization. In order to satisfy the mentioned security requirements, we have established a role based access control infrastructure and developed a prototype that uses X.509 public key certificates (PKCs) and attribute certificates (ACs). Access control is performed by access control policies that are written in XML. Policies and roles are stored in ACs. PKCs and ACs are all stored in LDAP servers. A new solution for policy management is described. The main components of the prototype are an administration tool and an access control engine. The access control engine provides a service that mediates the data between the users and the resources, and is also responsible for authentication and authorization. The administration tool can create key pairs, PKCs and ACs, manage users' information, and so on.
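The decision the access control engine has to make, as an added example that is not the paper's prototype code: roles arrive in an attribute certificate bound to the authenticated user's PKC subject, the policy is an XML document mapping roles to permissions, and the engine refuses before consulting the policy if the AC is not for this holder, not from a trusted attribute authority, or outside its validity window. The XML schema, the `AttributeCertificate` record, the issuer DN and all sample data are constructed assumptions; AC signature verification is assumed to have happened when the AC was fetched from LDAP and is not shown.

```python
"""Toy access control engine modelled on the abstract's design: roles arrive in
attribute certificates (ACs), the access control policy is XML, and the engine
mediates every request. Added example, not the paper's prototype; the policy
schema, the AC record layout and all sample data below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# Constructed XML policy (schema assumed): roles own permissions and may inherit.
POLICY_XML = """
<policy>
  <role name="clerk">
    <permission resource="orders" action="read"/>
  </role>
  <role name="manager" inherits="clerk">
    <permission resource="orders" action="approve"/>
    <permission resource="reports" action="read"/>
  </role>
</policy>
"""

# Constructed trust anchor: only ACs from this attribute authority are honoured.
TRUSTED_AC_ISSUERS = {"CN=Attribute Authority,O=Example"}


@dataclass
class AttributeCertificate:
    """Minimal stand-in for the fields of an X.509 AC the engine needs.
    Signature verification is assumed to have happened when the AC was
    fetched from LDAP; it is out of scope for this example."""
    holder: str          # subject DN of the user's PKC
    issuer: str          # DN of the attribute authority
    roles: list          # role names carried in the AC
    not_before: str      # ISO 8601 validity bounds
    not_after: str


# Constructed sample ACs: a valid one and an expired one for the same holder.
SAMPLE_AC = AttributeCertificate(
    holder="CN=alice,O=Example", issuer="CN=Attribute Authority,O=Example",
    roles=["manager"], not_before="2023-01-01T00:00:00", not_after="2025-01-01T00:00:00")
EXPIRED_AC = AttributeCertificate(
    holder="CN=alice,O=Example", issuer="CN=Attribute Authority,O=Example",
    roles=["manager"], not_before="2020-01-01T00:00:00", not_after="2021-01-01T00:00:00")
NOW = "2024-01-01T00:00:00"   # constructed "current time" for the demo


def load_policy(xml_text):
    """Parse the policy into {role: {"perms": {(resource, action)}, "inherits": parent}}."""
    policy = {}
    for role in ET.fromstring(xml_text).findall("role"):
        perms = {(p.get("resource"), p.get("action")) for p in role.findall("permission")}
        policy[role.get("name")] = {"perms": perms, "inherits": role.get("inherits")}
    return policy


def effective_permissions(policy, role):
    """Permissions of a role plus everything it inherits (cycle-safe)."""
    perms, seen = set(), set()
    while role and role not in seen:
        seen.add(role)
        entry = policy.get(role)
        if entry is None:
            break                      # unknown role grants nothing
        perms |= entry["perms"]
        role = entry["inherits"]
    return perms


def ac_is_acceptable(ac, subject, now):
    """Checks the engine must make before believing the roles in an AC: it was
    issued to the authenticated subject, by a trusted authority, and is valid now."""
    t = datetime.fromisoformat(now)
    return (ac.holder == subject
            and ac.issuer in TRUSTED_AC_ISSUERS
            and datetime.fromisoformat(ac.not_before) <= t <= datetime.fromisoformat(ac.not_after))


def authorize(policy, ac, subject, resource, action, now=NOW):
    """Mediation decision: reject on any AC problem, otherwise consult the policy."""
    if not ac_is_acceptable(ac, subject, now):
        return False
    return any((resource, action) in effective_permissions(policy, r) for r in ac.roles)


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    for resource, action in [("orders", "read"), ("orders", "approve"), ("reports", "write")]:
        print(resource, action, authorize(policy, SAMPLE_AC, "CN=alice,O=Example", resource, action))
```

The order of checks matters: holder binding, issuer trust and validity are evaluated before any role is looked up, so a valid AC presented by a different authenticated user, or one from an unknown attribute authority, never reaches the policy. Role inheritance is resolved at decision time from the XML rather than being expanded into the AC, which keeps the AC small and lets the policy change without reissuing certificates.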
