Flexible secure inter-domain interoperability through attribute conversion

The access control policy of an application that is composed of interoperating components/services is defined in terms of the access control policies enforced by the respective services. These individual access control policies are heterogeneous in the sense that the services may be independently developed and managed, and it is not practical to assume that all policies are defined with respect to some uniform domain vocabulary of policy attributes. A framework is described that provides a domain mapping for heterogeneous policies. A fuzzy-based conversion mechanism determines the degree to which an access control attribute of one (service) policy may safely interoperate with an access control attribute of another (service) policy. The approach is scalable in the sense that it is not necessary to specify every pairwise policy interoperation relationship a priori; rather, policy relationships are specified where obvious interpretations exist, while other relationships are inferred using the fuzzy mechanism.
