Abstract
The enforcement of access control policies using cryptography has received considerable attention in recent years and the security of such enforcement schemes is increasingly well understood. Recent work in the area has considered the efficient enforcement of temporal and geo-spatial access control policies, and asymptotic results for the time and space complexity of efficient enforcement schemes have been obtained. However, for practical purposes, it is useful to have explicit bounds for the complexity of enforcement schemes.
In this article we consider interval-based access control policies, of which temporal and geo-spatial access control policies are special cases. We define enforcement schemes for interval-based access control policies for which it is possible, in almost all cases, to obtain exact values for the schemes' complexity, thereby subsuming a substantial body of work in the literature. Moreover, our enforcement schemes are more practical than existing schemes, in the sense that they operate in the same way as standard cryptographic enforcement schemes, unlike other efficient schemes in the literature. The main difference between our approach and earlier work is that we develop techniques that are specific to the cryptographic enforcement of interval-based access control policies, rather than applying generic techniques that give rise to complex constructions and asymptotic bounds.