General Access Control Research Articles

A Framework for Expressing and Enforcing Purpose-Based Privacy Policies

Purpose is a key concept in privacy policies. Although some models have been proposed for enforcing purpose-based privacy policies , little has been done in defining formal semantics for purpose, and therefore an effective enforcement mechanism for such policies has remained a challenge. We have developed a framework for expressing and enforcing such policies by giving a formal definition of purpose and proposing a modal-logic language for formally expressing purpose constraints. The semantics of this language are defined over an abstract model of workflows . Based on this formal framework, we discuss some properties of purpose, show how common forms of purpose constraints can be formalized, how purpose-based constraints can be connected to more general access control policies, and how they can be enforced in a workflow-based information system by extending common access control technologies.

Revisits and Transformations Among Functional Encryption Systems

ABSTRACTFunctional encryption provides a general access control over the encrypted data, where only the receiver with attribute that satisfies control policy function of policy parameter (i.e. ) can decrypt its ciphertext. Special cases of functional encryption include (anonymous-) (hierarchical) identity-based encryption, fuzzy identity-based encryption, attribute-based encryption, public key encryption with keyword search, spatial encryption, inner-product encryption, hidden-vector encryption and predicate encryption. In general functional encryption systems, the control policy function can be set flexibly. The main gap among these functional encryption schemes lies in the policy functions that associates with the secret keys. In this work, we first investigate several functional encryption schemes, and then formalize and unify the functionality description of the control policies for these schemes. After giving a general definition and security model, we present the relationship and transformations among functional encryption schemes when the equivalence of these different policy functions is employed.

Decision Theory based Auto-delegation (DTA-d) scheme for Ubiquitous Computing

Access control is a fundamental and essential mechanism to maintain security in ubiquitous computing (UbiComp). Flexibility is an important property for general access control system, which can be achieved by access or authority delegation. Existing delegation mechanisms are subjectcentered, thus in order to make sure that the unavailability of some users does not prevent the system to be functional; autodelegation mechanisms are introduced, in particular for emergency-prone environments, such as healthcare, military systems auto-delegation mechanisms are required. Autodelegation mechanism combines the strengths of delegation systems and “break-the-glass” policies, by stating that the most qualified available user for a resource can access this resource. Further this work is extended by considering availability as a quantitative measure, such that each user is associated with a probability of availability. The main contribution of this paper is to present decision theory based auto-delegation scheme (DTA-d) for UbiComp. UbiComp poses new security challenges while the information can be accessed anywhere and anytime, hence the access control is required to maintain the security in UbiComp, but along with the strong access control, autodelegation is also necessary to provide flexibility. While performing the auto-delegation, numbers of alternatives are available, among these alternatives selecting one as best is the important issue and this is addressed in this paper. Decision theory is used to select the best alternative when numbers of alternatives are available and their consequences cannot be forecast with certainty. Using Bayesian decision theory and by applying bays rule access is granted or denied for particular subject to object.

A General Mandatory Access Control Framework in Distributed Environments

A General Mandatory Access Control Framework in Distributed Environments

An Effective Approach for Fine-Grained RBAC Model Based on AOP

we propose an effective approach for fine-grained RBAC model by using AOP. The proposed approach can effectively accomplish the general role-based access control functions among enterprise application systems. This approach focuses on the fine-grained access control and is implemented by using interceptor technique of Java Struts2. We also present the related architecture and applied system (Project Management Platform of DUT Infrastructure Construction) for a verification of this proposed approach.

Tunnel Access Control Integrated in the Traffic Management

Control and monitoring of the transportation network originates from different needs, where traditionally only the traffic flow has been targeted. This paper presents how SMARTFREIGHT has used new and emerging ICT to develop a holistic control and monitoring tool for managing traffic, and individual vehicles in particular. The generic access control developed, defines how areas and sections can be controlled and monitored by comparing associated access requirements with the vehicles’ properties. The paper shows further how the same tool can be used to increase safety and emergency preparedness in tunnels, where also the current tunnel situation is considered before giving individual vehicles accesses. This solution was successfully demonstrated by using IPv6 and CALM technology in Trondheim, and is described within this paper.

MODEL CHECKING FOR VERIFICATION OF MANDATORY ACCESS CONTROL MODELS AND PROPERTIES

Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the policies is a very challenging problem. To formally and precisely capture the security properties that MAC should adhere to, MAC models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a general approach for property verification for MAC models. The approach defines a standardized structure for MAC models, providing for both property verification and automated generation of test cases. The approach expresses MAC models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify the integrity, coverage, and confinement of these properties for the MAC models and finally generates test cases via combinatorial covering array for the system implementations of the models.

Design and Optimization of Medium Access Control Protocol of IEEE 802.3 Transmitter with VHDL

ABSTRACT The purpose of this paper is to design and develop a MAC Transmitter on Field Programmable Gate Arrays (FPGA) that converts 32 bit data in to 4 bit DATA for transmitter. In this paper we design the Ethernet (802.3) connection oriented LAN Medium Access Control Transmitter (MAC). It starts by describing the behavior of MAC circuit using VHISC Hardware Description Language (VHDL). A synthesized VHDL model of the chip is developed and implemented on target technology. This paper will concentrate on the testability features that increase product reliability. It focuses on the design of a MAC Transmitter chip with embedded Built-In-Self- Test (BIST) architecture using FPGA technology. General Terms Medium Access Control, VHISC Hardware Description Language Keywords- Local Area Network (LAN), Medium Access Control(MAC), Linear feed Back Register, Logical Link Control(LLC), VHISC Hardware Description Language (VHDL). STRT1. INTRODUCTION The Media Access Control (MAC) data communication protocol sub-layer, also known as the Medium Access Control, is a part of the data link layer specified in the seven-layer of OSI model (layer 2). It provides addressing and channel access control mechanisms that make it possible for several terminals or network nodes to communicate within a multipoint network, typically with a local area network (LAN) or metropolitan area network (MAN). A MAC protocol is not required in full-duplex point-to-point communication. In single channel point-to-point communications full-duplex can be emulated. This emulation can be considered a MAC layer. The MAC sub-layer acts as an interface between the Logical Link Control RWsub layer and the network's physical layer. The MAC layer provides an addressing mechanism called physical address or MAC address. This is a unique serial number assigned to each network adapter, making it possible to deliver data packets to a destination within a sub network, i.e. a physical network without routers, for example an Ethernet network. FPGA area and speed optimization to implement computer network protocol is subject of research mainly due to its importance to network performance. The objective of resource utilization of field programming gate array(FPGA) is to allocate contending to embed maximum intricate functions. This approach makes design cost effective and maximizing IEEE 802.3 MAC performance. Binary exponential back off algorithm. Very high speed integrated circuit hardware description language (VHSIC-HDL) VHDL coding to implemented synchronous counter and FSM coding style influence performance of MAC transmitter[1][3].However effective VHDL coding style optimizes FPGA resource allocation for area and speed performance of IEEE 802.3 MAC transmitter can be optimized using linear feedback shift register, one hot finite machine (FSM) state encoding style.

Exclusion-intersection encryption

We propose a new variant of identity-based encryption named as exclusion-intersection encryption: Intersection decryption keys (e.g., A ? B ? C) generated by a key generation centre can only be used to decrypt the ciphertext which is of all the specified groups| interests, its holders are excluded from decrypting when the documents are not targeted to all these groups (e.g., the key of A ? B ? C cannot decrypt the ciphertext targeted only to C). While recent advances in cryptographic techniques can support a more general access control policy, the private key size is often not a constant. We also present an online/offline variant.

Lightweight Encryption of Hierarchical Access Control Mechanism Key Using Tribes of Farey Fractions and its Analysis

In this paper we propose a mechanism to develop a lightweight encryption technique. We encrypt hierarchical single key-lock access control mechanism key by encoding key (key number). Key number is derived using Chinese reminder theorem and tribes of Gaussian or rational Farey fractions are used to encode the key number. The advantages of the proposed mechanism are i) no decoding overhead as access rights are derived without decoding the encoded the key number, ii) no need to derive the key number for already existing files. Hence this method secures access control system by encoding the key number and acts as a thin layer of security; however the performance of retrieval system remains unchanged. General Terms Access control mechanism, Cryptography, Network Security.

GTHBAC: A Generalized Temporal History Based Access Control Model

Time plays a crucial role in access control for new computing environments, which is not supported in traditional access control models. In this paper, we propose a Generalized Temporal History Based Access Control (GTHBAC) model, aimed at integrating history-based constraints along with a generic access control model. GTHBAC enhances the specification of user-defined authorization rules by constraining time interval and temporal expression over users' history of accesses. Due to different application needs, GTHBAC uses two different time schemes, i.e., real time and logical time, in its authorization rules. A formal semantics for temporal authorizations is provided, and conflicting situations are also investigated and resolved in the model. To represent the applicability of the proposed model, an architecture for an access control system based on the model is proposed, and a case of employing the model in specifying and enforcing access control policies in a banking system is studied. The operators of GTHBAC are also compared with Linear Time Temporal Logic (LTL) operators to show the expressive power of the model.

A Meta-model of Access Control in a Fibred Security Language

The issue of representing access control requirements continues to demand significant attention. The focus of researchers has traditionally been on developing particular access control models and policy specification languages for particular applications. However, this approach has resulted in an unnecessary surfeit of models and languages. In contrast, we describe a general access control model and a logic-based specification language from which both existing and novel access control models may be derived as particular cases and from which several approaches can be developed for domain-specific applications. We will argue that our general framework has a number of specific attractions and an implication of our work is to encourage a methodological shift from a study of the particulars of access control to its generalities.

Fundamental aspects of access control for geospatial data

In recent years, geographical information systems have been employed in a wide variety of application domains, and as a result many research efforts are being devoted to those upcoming problems. Geospatial data security, especially access control, has attracted increased research interests within the academic community. The tendency towards sharing and interoperability of geospatial data and applications makes it common to acquire and integrate geospatial data from multiple organisations to accomplish a complex task. Meanwhile, many organisations have the requirement for securing access to possessed sensitive or proprietary geospatial data. In this heterogeneous and distributed environment, consistent access control functionality is crucial to promote controlled accessibility. As an extension of general access control mechanisms in the IT domain, the mechanism for geospatial data access control has its own requirements and characteristics of granularity and geospatial logic. In this paper, we address several fundamental aspects concerning the design and implementation of an access control system for geospatial data, including the classification, requirements, authorisation models, storage structures and management approaches for authorisation rules, matching and decision-making algorithms between authorisation rules and access requests, and its policy enforcement mechanisms. This paper also presents a system framework for realising access control functionality for geospatial data, and explain access control procedures in detail.

Research on the grey relational evaluation method of core competencies of virtual enterprise members

PurposeThe purpose of this paper is to create a model of role‐based access control (RBAC) for virtual enterprise (VE).Design/methodology/approachAn access control model for security and management of VE is presented by integrating generic structure of VE and applying the principles of RBAC. In addition, the application of the model to a supply chain oriented VE illustrates that a general access control scheme can ensure the running of VE.FindingsA theory base of access control for the realization of the VE is found.Originality/valueThe paper provides a very useful new model of access control for VE. This paper is aimed at researchers and engineers.

Modeling of RBAC‐based access control of virtual enterprise

PurposeThe purpose of this paper is to create a model of role‐based access control (RBAC) based access control for virtual enterprise (VE).Design/methodology/approachAn access control model for security and management of VE is presented by integrating generic structure of VE and applying the principles of RBAC. In addition, the application of the model to a supply chain‐oriented VE illustrates that a general access control scheme can ensure the running of VE.FindingsA theory base of access control for the realization of the VE is found.Originality/valueThe paper presents a very useful new model of access control for VE. This paper is aimed at researchers and engineers.

Model for access control system based on RBAC and GFAC

On study of Role-Based Access Control(RBAC)model and Generalized Framework for Access Control(GFAC),the generalized model for access control based on RBAC and GFAC was presented.The characteristics of this model and the control policy were described,in which the group permission,constraint elements and special permission were introduced.Combining techniques of layered authorization,minimizing privileges and role inherited authorization,the RBAC was optimized by enforcing access control on the request.It can figure out the complex access control in the system,and decrease the complexity of the authorization and management of users.The system is configurable and can be maintained easily.Finally,the case of a generalized access control system was given.

General attribute based RBAC model for web services

Growing numbers of users and many access policies that involve many different resource attributes in service-oriented environments cause various problems in protecting resource. This paper analyzes the relationships of resource attributes to user attributes based on access policies for Web services, and proposes a general attribute based role-based access control(GARBAC) model. The model introduces the notions of single attribute expression, composite attribute expression, and composition permission, defines a set of elements and relations among its elements and makes a set of rules, assigns roles to user by inputing user’s attributes values. The model is a general access control model, can support more granularity resource information and rich access control policies, also can be used to wider application for services. The paper also describes how to use the GARBAC model in Web services environments.

Dynamic security context management in Grid-based applications

This paper summarises ongoing research and recent results on the development of flexible access control infrastructure for complex resource provisioning in Grid-based collaborative applications and on-demand network services provisioning. The paper analyses the general access control model for Grid-based applications and discusses what mechanisms can be used for expressing and handling dynamic domain or process/workflow-related security context. Suggestions are given on what specific functionality should be added to the Grid-oriented authorization frameworks to handle such dynamic security context. As an example, the paper explains how such functionality can be achieved in the GAAA Authorization framework (GAAA-AuthZ) and GAAA toolkit. Additionally, the paper describes AuthZ ticket format for extended AuthZ session management. The paper is based on experiences gained from major Grid-based and Grid-oriented projects such as EGEE, Phosphorus, NextGRID, and GigaPort Research on Network.

Context-aware usage-based grid authorization framework

Due to inherent heterogeneity, multi-domain characteristic and highly dynamic nature, authorization is a critical concern in grid computing. This paper proposes a general authorization and access control architecture, grid usage control (GUCON), for grid computing. It's based on the next generation access control mechanism usage control (UCON) model. The GUCON Framework dynamic grants and adapts permission to the subject based on a set of contextual information collected from the system environments; while retaining the authorization by evaluating access requests based on subject attributes, object attributes and requests. In general, GUCON model provides very flexible approaches to adapt the dynamically security request. GUCON model is being implemented in our experiment prototype.

Integrated access control and intrusion detection for web servers

Current intrusion detection systems work in isolation from access control for the application the systems aim to protect. The lack of coordination and interoperation between these components prevents detecting and responding to ongoing attacks in real-time before they cause damage. To address this, we apply dynamic authorization techniques to support fine-grained access control and application level intrusion detection and response capabilities. This paper describes our experience with integration of the Generic Authorization and Access Control API (GAA-API) to provide dynamic intrusion detection and response for the Apache Web server. The GAA-API is a generic interface which may be used to enable such dynamic authorization and intrusion response capabilities for many applications.