Article

Efficient support for enterprise delegation policies

Author:

Victoria UngureanuAuthors Info & Claims

SAC '05: Proceedings of the 2005 ACM symposium on Applied computing

Pages 340 - 345

https://doi.org/10.1145/1066677.1066757

Published: 13 March 2005 Publication History

Abstract

Delegation, whereby an entity gives some of its rights to other entities, is considered the cornerstone of decentralized authorization, and many access control frameworks proposed recently make delegation its central tenet. In these frameworks, delegation is commonly viewed as a transfer between two autonomous agents---the grantor and the grantee. But the situation can be considerably more complex, and more challenging, in the case the grantor belongs to an organization. Generally, employees are not autonomous agents, but their actions are subject to the regulations of their enterprise. In particular, if an employee transfers his rights to another agent, this transfer is subject to the enterprise delegation policies.In delegation frameworks, authorizing a request requires finding a valid chain of credentials that delegates the authority from the source (the local policy of the entity that serves the request) to the requester. Unfortunately, chain discovery is a computationally expensive and time consuming task. It was shown that, in the general case, chain discovery is undecidable, and in more restrictive cases, it is polynomial in the number of credentials available to the server. Verifying compliance with the terms of a delegation policy adds a considerable overhead to request authorization.This paper presents a framework that considerably reduces the time required to authorize a request. In this framework, a delegation chain is condensed into a single credential, called chained delegation certificate (CDC). A CDC attests that the owner has a certain right, and serves as proof that every link in the chain complies with the policy governing delegation of the right in question. When CDCs are used for authorization, a server does not need to verify compliance with the delegation policy, nor does it need to perform the chain discovery step, and therefore requests are served considerably faster.

References

[1]

T. Aura. Distributed access rights management with delegations certificates. In Secure Internet Programming, pages 211--235, 1999.]]

Digital Library

[2]

J. Bacon, K. Moody, and W. Yao. A model of Oasis role-based access control and its support for active security. ACM Transactions on Information and System Security (TISSEC), 5(4):492--540, November 2002.]]

Digital Library

[3]

O. Bandmann, M. Dam, and B. Firozabadi. Constrained delegations. In Proceedings of the IEEE Symposium in Security and Privacy, pages 131--140, Oakland, California, 2002.]]

Digital Library

[4]

M. Blaze, J. Feigenbaum, J. loannidis, and A. Keromytis. The role of trust management in distributed systems security. Secure Internet Programming: Issues in Distributed and Mobile Object Systems, 1603, 1999.]]

Digital Library

[5]

M. Blaze, J. Feigenbaum, and A. D. Keromytis. Keynote: Trust management for public-key infrastructures (position paper). In Security Protocols Workshop, pages 59--63, 1998.]]

Digital Library

[6]

M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Proceedings of the IEEE Symposium on Security and Privacy, May 1996.]]

Digital Library

[7]

M. Blaze, J. Feigenbaum, and M. Strauss. Compliance checking in the policymaker trust management system. In Financial Cryptography, pages 254--274, 1998.]]

[8]

D. Clarke, J. Elien, C. Ellison, M. Fredette, A. Morcos, and R. Rivest. Certificate chain discovery in SPKI/SDSI. Journal of Computer Security, 9(4):285--322, 2001.]]

Digital Library

[9]

J. DeTreville. Binder, a logic-based security language. In Proceedings of the IEEE Symposium in Security and Privacy. IEEE Computer Society, 2002.]]

Digital Library

[10]

R. J. Hayton, J. M. Bacon, and K. Moody. Access control in an open distributed environment. In Proceedings of the IEEE Symposium on Security and Privacy, 1998.]]

[11]

S. loannidis, A. D. Keromytis, S. M. Bellovin, and J. M. Smith. Implementing a distributed firewall. In ACM Conference on Computer and Communications Security, pages 190--199, 2000.]]

Digital Library

[12]

Y. Kortesniemi. SPKI performance and certificate chain reduction. In GI Jahrestagung, pages 449--454, 2002.]]

Digital Library

[13]

N. Li, B. Grosof, and J. Feigenbaum. Delegation Logic: A logic-based approach to distributed authorization. ACM Transaction on Information and System Security (TISSEC), 6(1):128--171, February 2003.]]

Digital Library

[14]

N. Li, J. Mitchell, and W. Winsborough. Design of a role-based trust-management framework. In Proceedings of the IEEE Symposium in Security and Privacy, pages 114--130, 2002.]]

Digital Library

[15]

N. Li, W. Winsborough, and J. C. Mitchell. Distributed credential chain discovery in trust management. Journal of Computer Security, 11(1):35--86, February 2003.]]

[16]

V. Ungureanu. Using certified policies to regulate e-commerce transactions. ACM Transactions on Internet Technologies, 5(1), February 2005.]]

Digital Library

Cited By

Huraj LSiládi VSvitek MZelinka T(2009)Authorization through trust chains in ad hoc gridsProceedings of the 2009 Euro American Conference on Telematics and Information Systems: New Opportunities to increase Digital Citizenship10.1145/1551722.1551735(1-4)Online publication date: 3-Jun-2009
https://dl.acm.org/doi/10.1145/1551722.1551735

Recommendations

Using XML and XACML to Support Attribute Based Delegation
CIT '05: Proceedings of the The Fifth International Conference on Computer and Information Technology

This paper proposes an Attribute-Based- Delegation-Model (ABDM) with an extended delegation condition consisting of both delegation attribute expression (DAE) and prerequisite condition. In ABDM, a delegatee must satisfy delegation condition (especially ...
Composing Administrative Scope of Delegation Policies based on extended XACML
EDOC '06: Proceedings of the 10th IEEE International Enterprise Distributed Object Computing Conference

XACML as a language of access policy and access context request based on attributes is widely accepted. Current XACML specification's main shortcoming is not considering delegation. A TC in OASIS proposed a draft about administrative policy, which ...
DeFIRED: decentralized authorization with receiver-revocable and refutable delegations
EuroSec '22: Proceedings of the 15th European Workshop on Systems Security

A lot of research has been done over the last few years regarding decentralized authorization and access control, with existing approaches like the WAVE framework removing the need to rely on centralized parties for the management of access policies. ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SAC '05: Proceedings of the 2005 ACM symposium on Applied computing

March 2005

1814 pages

ISBN:1581139640

DOI:10.1145/1066677

Conference Chair:
Hisham M. Haddad
Kennesaw State University
,
Editor:
Lorie M. Liebrock
New Mexico Institute of Mining and Technology, Socorro, NM
,
Program Chairs:
Andrea Omicini
Alma Mater Studiorum, Universita di Bologna, Italy
,
Roger L. Wainwright
Univerity of Tulsa, OK

Copyright © 2005 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 March 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SAC05

Sponsor:

SIGAPP

SAC05: The 2005 ACM Symposium on Applied Computing

March 13 - 17, 2005

New Mexico, Santa Fe

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Upcoming Conference

SAC '25

Sponsor:
sigapp

The 40th ACM/SIGAPP Symposium on Applied Computing

March 31 - April 4, 2025

Catania , Italy

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
245
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Huraj LSiládi VSvitek MZelinka T(2009)Authorization through trust chains in ad hoc gridsProceedings of the 2009 Euro American Conference on Telematics and Information Systems: New Opportunities to increase Digital Citizenship10.1145/1551722.1551735(1-4)Online publication date: 3-Jun-2009
https://dl.acm.org/doi/10.1145/1551722.1551735

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten