组合Web服务访问控制策略合成研究

针对Web服务多域环境下组合服务的访问控制策略合成问题,首先提出基于属性的Web服务访问控制策略描述框架,并结合原子属性值限制的属性描述方法,对服务访问控制策略进行了形式化表达。然后,通过分析服务组合描述文档中的控制结构,并研究访问控制策略合成算子和访问控制策略规则的合成运算,提出组合Web服务访问控制策略合成方法,实现了组合服务访问控制策略的合成。最后,结合实例给出组合Web服务的访问控制策略合成流程,验证了合成方法的实用性。     

Web服务访问控制策略研究

Web服务环境中,交互实体通常位于不同安全域,具有不可预见性。Web服务应该基于其他与领域无关的信息而非身份来实施访问控制,以实现对跨域未知用户的访问授权。为此,提出了适应于Web服务的基于上下文的访问控制策略模型。模型的核心思想是将各种与访问控制有关的信息统一抽象表示为一个上下文概念,以上下文为中心来制定和执行访问控制策略,上下文担当了类似基于角色的访问控制(RBAC)中角色的概念。基于描述逻辑语言(DL),定义了基于上下文的访问控制策略公理,建立了访问控制策略知识库,提出了访问控制策略的逻辑推理方法。最后基于Racer推理系统,通过实验验证了方法的可行性和有效性。     

Access control and trust in the use of widely distributed services

OASIS is a role‐based access control (RBAC) architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralized, roles are parametrized, roles are activated within sessions and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment. Services define roles and establish formally specified policy for role activation and service use (authorization); users must present the required credentials and satisfy specified constraints in order to activate a role or invoke a service. The membership rule of a role indicates which of the role activation conditions must remain true while the role is active. A role is deactivated immediately if any of the conditions of the membership rule associated with its activation become false. OASIS introduces the notion of appointment, whereby being active in certain roles carries the privilege of issuing appointment certificates to other users. Appointment certificates capture the notion of long‐lived credentials such as academic and professional qualification or membership of an organization. The role activation conditions of a service may include appointment certificates, prerequisite roles and environmental constraints. The role activation and authorization policies of services within an administrative domain need not embody role hierarchies nor enforce privilege delegation. But OASIS is sufficiently flexible to capture such notions, through prerequisite roles and appointments, if they are required within an application domain. We define the model and architecture and discuss engineering details, including security issues. We illustrate how an OASIS session can span multiple domains and we propose a minimal infrastructure to enable widely distributed, independently developed services to enter into agreements to respect each other's credentials. In a multi‐domain system access control policy may come from multiple sources and must be expressed, enforced and managed. In order to respond to changing relationships between organizations it should be easy to allow role holders in one domain to obtain privileges in another. Our approach to policy and meta‐policy management is described. We speculate on a further extension to mutually unknown, and therefore untrusted, parties. Each party will accumulate audit certificates which embody its interaction history and which may form the basis of a web of trust. Copyright © 2003 John Wiley & Sons, Ltd.     

Building access control policy model for privacy preserving and testing policy conflicting problems

This paper proposes a purpose-based access control model in distributed computing environment for privacy preserving policies and mechanisms, and describes algorithms for policy conflicting problems. The mechanism enforces access policy to data containing personally identifiable information. The key component is purpose involved access control models for expressing highly complex privacy-related policies with various features. A policy refers to an access right that a subject can have on an object, based on attribute predicates, obligation actions, and system conditions. Policy conflicting problems may arise when new access policies are generated that are possible to be conflicted to existing policies. As a result of the policy conflicts, private information cannot be well protected. The structure of purpose involved access control policy is studied, and efficient conflict-checking algorithms are developed and implemented. Finally a discussion of our work in comparison with other related work such as EPAL is presented.     

面向WS-BPEL的访问控制策略合成研究

在Web服务组合中,外部子服务通常会定义访问控制策略以保护资源被安全的使用,同时组合脚本中也存在着复杂的逻辑控制结构,这两点因素使安全管理员在描述组合服务的访问控制策略变得非常复杂。提出一种基于条件的访问控制策略模型以及基于该模型的策略合成代数,将WS-BPEL语言中常见控制结构映射成策略合成表达式,通过合成外部子服务的访问控制策略,生成组合服务的访问控制策略。最后,设计了原型系统描述策略合成的流程。     

基于属性分组的访问控制策略检索方法

细粒度授权需要设置大量访问控制策略,由此带来了检索效率方面的问题。针对现有检索方法应用于大规模访问控制策略时检索效率低下的问题,提出了一种基于属性分组的访问控制策略检索方法,通过对策略集进行基于属性的分组而缩减策略检索的范围,从而减少不必要的计算以及比较过程,由此实现对访问控制策略的高效率检索。实验结果表明,相对于现有方法,基于属性分组的访问控制策略检索方法具有更高的检索效率。     

基于XACML的访问控制策略

如何解决对Web服务的访问控制已成为当前Web服务应用研究中的一个重要课题。首先介绍了XACML标准的产生动机,然后结合Xpath来说明如何定义标准的访问控制策略。应用XACML策略来定义通用的访问控制需求,并且提出了一种机制来发现和解决策略间的冲突,达到对Web服务进行细粒度的访问控制。最后以一个应用实例来具体描述怎样创建一个XACML访问控制策略以及如何对实体的访问进行控制。     

基于属性的跨域访问控制模型设计

本文针对基于Web服务跨域访问控制问题,首先对该问题进行了系统的分析,进而采用SAML身份认证机制和XACML访问控制策略结合ABAC的方法,提出了基于属性的跨域访问控制模型,从而实现了分布式平台的单点登录、多点认证和跨域访问。     

Model-driven trust negotiation for Web services

Trust negotiation is an approach to access control whereby access is granted based on trust established in a negotiation between the service requester and the service provider. Trust negotiation systems avoid several problems facing traditional access control models such as DAC (discretionary access control) and MAC (mandatory access control). Another problem is that Web service providers often do not know requesters identities in advance because of the ubiquitousness of services. We describe Trust-Serv, a trust negotiation framework for Web services, which features a policy language based on state machines. It is supported by lifecycle management and automated runtime enforcement tools. Credential retrieval and validation in Trust-Serv rely on predefined Web services that provide interactions with attribute assertion authorities and public key infrastructure.     

Access control aware data retrieval for secret sharing based database outsourcing

Enforcing dynamic and confidential access control policies is a challenging issue of data outsourcing to external servers due to the lack of trust towards the servers. In this paper, we propose a scalable yet flexible access control enforcement mechanism when the underlying relational data, on which access policies are defined, has been shared through a secret sharing scheme. For sharing values of an attribute in a relation, the attribute is assigned a secret distribution key and its values are split and distributed among data servers according to a Shamir based secret sharing scheme. Given access control policies over attributes of the relation schema, access to distribution keys, used further for reconstructing original values, is managed using the Chinese remainder theorem. Our solution, in addition to preserving the confidentiality of access control policies, is flexible to efficiently adopt grant and revoke of authorizations. Moreover, it prevents the possibility of information leakage caused by query processing through an access control aware retrieval of data shares. That is, our solution not only enforces access control policies for reconstructing shares and obtaining original values, but also for retrieving shares in query processing scenario. We implemented our mechanism and performed extensive experiments, whose results confirm its efficiency and considerable scalability in practice.     

云环境下SNS隐私保护方案

社交网络存储的数据实际都是外包给并不完全可信的云服务商。针对社交网络隐私安全和属性更新问题,提出一种云环境中具有策略隐藏和属性撤销的属性基加密方案。通过分解密钥产生方式降低用户端的计算量,引入合数阶的双线性群实现访问策略隐藏,并利用令牌树和陷门机制灵活且高效地完成属性撤销。而且,该方案在标准假设下可被证明是安全的。因此,将该方案运用于社交网络,将数据加密存储于云服务端是安全可行的。与其他方案相比,该方案既保护了访问策略的隐私,又具有多样的访问控制功能,在计算和存储等方面更有优势。     

A Trust-Based Context-Aware Access Control Model for Web-Services

A key challenge in Web services security is the design of effective access control schemes that can adequately meet the unique security challenges posed by the Web services paradigm. Despite the recent advances in Web based access control approaches applicable to Web services, there remain issues that impede the development of effective access control models for Web services environment. Amongst them are the lack of context-aware models for access control, and reliance on identity or capability-based access control schemes. Additionally, the unique service access control features required in Web services technology are not captured in existing schemes. In this paper, we motivate the design of an access control scheme that addresses these issues, and propose an extended, trust-enhanced version of our XML-based Role Based Access Control (X-RBAC) framework that incorporates trust and context into access control. We outline the configuration mechanism needed to apply our model to the Web services environment, and provide a service access control specification. The paper presents an example service access policy composed using our framework, and also describes the implementation architecture for the system.This is an extended version of the paper that has been presented at the 3rd International Conference on Web Services (ICWS), San Diego, 6–9 July 2004.Recommended by: Athman Bouguettaya and Boualem Benatallah     

Ciphertext-policy attribute-based encryption supporting access policy update and its extension with preserved attributes

Attribute-based encryption (ABE) allows one-to-many encryption with static access control. In many occasions, the access control policy must be updated, but the original encryptor might be unavailable to re-encrypt the message, which makes it impractical. Unfortunately, to date the work in ABE does not consider this issue yet, and hence this hinders the adoption of ABE in practice. In this work, we consider how to update access policies in ciphertext-policy attribute-based encryption (CP-ABE) systems efficiently without encrypting each ciphertext with new access policies. We introduce a new notion of CP-ABE supporting access policy update that captures the functionalities of attribute addition and revocation to access policies. We formalize the security requirements for this notion and subsequently construct two provably secure CP-ABE schemes supporting AND-gate access policy with constant-size ciphertext for user decryption. The security of our schemes are proved under the augmented multi-sequences of exponents decisional Diffie–Hellman assumption. We also present a different construction in which certain attributes in an access policy can be preserved by the original encryptor, while other attributes can be revoked efficiently so that the ability of attribute revocation can be appropriately restrained.     

工作流系统上下文相关访问控制模型

访问控制是提高工作流系统安全性的重要机制。基于角色的访问控制（RBAC）被绝大多数工作流系统所采用,已成为工作流领域研究的热点。但是,现有的基于角色的访问控制模型没有考虑工作流上下文对任务执行授权安全的影响,容易造成权限冗余,也不支持职责分离策略。该文提出一种工作流上下文相关访问控制模型WfCAC,首先,定义该模型的构成要素和体系结构,然后讨论工作流职责分离和访问控制机制,并对模型性质进行分析。WfCAC模型支持用户组及其层次结构,支持最小权限授权策略和职责分离策略,实现了工作流上下文相关访问控制。     

一种面向操作系统应用类的安全策略

从保密性和完整性的角度分析了用户普遍使用的,建立在自主访问控制机制上的,应用在高安全等级操作系统上运行所面临的安全问题,提出了一种面向应用类的安全策略。面向应用类的安全策略将用户使用的应用抽象为应用类,定义了主体的运行状态——用户域和应用域以及客体的类别——用户数据和应用类数据,定义了用户数据访问控制规则,应用类数据访问控制规则以及主体安全状态的迁移规则,防止了用户数据的非授权泄露和应用类数据的非受权修改,为用户建立了一种高安全的应用环境。     

Extending TINA with Secure On-Line Accounting Services

Concepts and principles of TINA (Telecommunications Information Networking Architecture) are introduced with the objective of correcting problems of the current centralized service control and service data model in an IN (Intelligent Network). It is becoming increasingly clear that the future sophisticated telecommunication services, e.g., multimedia, and multi-party conferencing, breaking away from the traditional telephony call model will need the solutions for rapid and efficient introduction, deployment, operations, and management.In this paper, we discuss accounting features and requirements, as well as security services in the TINA management context. We will introduce and present an implementation of a model for a security management, based on secure objects, cryptography and certificate distribution. In order to provide secure services, secure objects that have security functionality, such as authentication and access control, have been defined. Secure objects in our model are CORBA objects. The security domain is also called SBS (Security Base Server), provides security services and has an SMIB (Security Management Information Base) that contains security policies, cryptographic algorithms, and other relevant information. A prototype has been implemented and some experimental results are presented.     

A privacy preserving authorisation system for the cloud

In this paper we describe a policy based authorisation infrastructure that a cloud provider can run as an infrastructure service for its users. It will protect the privacy of users? data by allowing the users to set their own privacy policies, and then enforcing them so that no unauthorised access is allowed to their data. The infrastructure ensures that the users? privacy policies are stuck to their data, so that access will always be controlled by the policies even if the data is transferred between cloud providers or services. This infrastructure also ensures the enforcement of privacy policies which may be written in different policy languages by multiple authorities such as: legal, data subject, data issuer and data controller. A conflict resolution strategy is presented which resolves conflicts among the decisions returned by the different policy decision points (PDPs). The performance figures are presented which show that the system performs well and that each additional PDP only imposes a small overhead.