feng liang,haoming guo,shengwei yi,xiaoqiang zhang,shilong ma

DOI: https://doi.org/10.1007/978-94-007-2169-2_124

2012-01-01

Abstract:Containing multiple domains and a large number of heterogeneous distributed devices, large-scale device collaboration systems require a fine-grained, flexible and secure mechanism for device access control. This chapter presents and evaluates a distributed device access control architecture Multiple Policies supported Attribute-Based Access Control (MPABAC) to support device authentication and authorization among multiple domains. Based on eXtensible Access Control Markup Language (XACML) standard and Attribute-Based Access Control (ABAC) model, this architecture supports cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attributes-based privilege description. Experiments show that the performance of this implementation is acceptable within the production environment.

CH Fang,W Peng,XZ Ye,SY Zhang

DOI: https://doi.org/10.1109/cscwd.2005.194248

2007-01-01

Journal of Software

Abstract:Access control is one of the key steps to ensuring the availability, confidentiality and integrity of system resources. While it has been fully applied in various network systems, it's still relatively new for collaborative CAD. This paper provides a new framework of multi-level access control for collaborative CAD based on hierarchical product modeling. A layered privilege model (LPM) has been developed to provide multi-granularity access permissions in the part level and feature level. An extended hierarchy role-based access control (EHRBAC) is implemented, integrated with LPM and common Hierarchy RBAC, to provide hierarchical access control of collaborative feature modeling in the component/part level and design feature level. Mesh simplification techniques are used to create variable level-of-detail for individual features.

Bo Yu,Lin Yang,Yongjun Wang,Bofeng Zhang,Linru Ma,Yuan Cao

DOI: https://doi.org/10.1007/978-94-007-5699-1_98

2012-01-01

Abstract:Service composition has become the main style of cross-domain business collaboration environments, and security issues prohibit the widespread use of composite services. Based on attribute, this paper presents a multiple policies collaborative access control model which combines the attribute policies of composite service, component services and user domain. This model can provide fine-grained access control for service composition and support collaborative authorization based on business attributes in business collaboration environments while keeping the standalone of component service access control. The analysis result shows that this model not only satisfies the access control requirements of business process in composite service, but also provides fine-grained access control for component services. © 2012 Springer Science+Business Media.

Chen-hua Ma,Guo-dong Lu,Jiong Qiu

DOI: https://doi.org/10.1631/jzus.c0910564

2010-01-01

Journal of Zhejiang University SCIENCE C

Abstract:Collaborative access control is receiving growing attention in both military and commercial areas due to an urgent need to protect confidential resources and sensitive tasks. Collaborative access control means that multiple subjects should participate to make access control decisions to prevent fraud or the abuse of rights. Existing approaches to access control cannot satisfy the requirements of collaborative access control. To address this concern, we propose an authorization model for collaborative access control. The central notions of the model are collaborative permission, collaboration constraint, and collaborative authorization policy, which make it possible to define the collaboration among multiple subjects involved in gaining a permission. The implementation architecture of the model is also provided. Furthermore, we present effective conflict detection and resolution methods for maintaining the consistency of collaborative authorization policies.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Li Duan,Yang Zhang,Shiping Chen,Shuai Zhao,Shiyao Wang,Dongxi Liu,Ren Ping Liu,Bo Cheng,Junliang Chen

DOI: https://doi.org/10.1109/access.2016.2585185

IF: 3.9

2016-01-01

IEEE Access

Abstract:During business collaborations, multiple participating organizations often need to share data for common interests. In such cases, it is necessary to combine local policies from different organizations into a global one in order to manage access to the shared data. However, local policies of organizations may be different or even conflicting, due to diverse rules and rule combining algorithms chosen. Few existing methods for policy combination are able to automatically combine multiple local policies into a global one. In this paper, we propose a bottom up approach to address the issues of multiple policy combinations. The key idea is to first classify the rules based on attribute constraints in each policy, and then reduce the rules of the corresponding classes to one with the same attribute constraints. The reduced rules are then combined into a new global policy by choosing the appropriate rule combining algorithm in XACML. The latter ensures compliance with each of the local policies at syntax and semantic levels. To validate our approach, we develop a proof-of-concept implementation of the automated policy combination. Experimental results demonstrate that our approach is highly scalable and supports a number of attribute constraints in each local policy.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101854

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:Ciphertext-policy attribute-based encryption(CP-ABE) has been widely studied and used in access control schemes for secure data sharing. Since in most of the existing attribute-based encryption methods, all user attributes are managed by a single central authority, it is easy to cause a single point of failure. Therefore, several multi-authority CP-ABE schemes are proposed to manage user attributes by multiple authorities. However, these schemes still do not eliminate the single point of failure in essence or suffer from high computation and communication overhead on data users. In this paper, we propose a Blockchain-based Multi-authority Access Control scheme called BMAC for sharing data securely. Shamir secret sharing scheme and permissioned blockchain (Hyperledger Fabric) are introduced to implement that each attribute is jointly managed by multiple authorities to avoid single point of failure. In addition, we take advantage of blockchain technology to establish trust among multiple authorities and exploit smart contracts to compute tokens for attributes managed across multiple management domains, which reduces communication and computation overhead on the data user side. Moreover, blockchain helps to record the access control process in a secure and auditable way. Finally, we analyze the security of the proposed algorithm. Further analysis and comparison show the performance of the proposed method.

Yan Zhu,Ruyun Yu,Di Ma,William Cheng-Chung Chu

DOI: https://doi.org/10.1109/tr.2019.2948713

IF: 5.883

2019-01-01

IEEE Transactions on Reliability

Abstract:This article aims to establish a cryptographic solution to improve security and reliability of the National Institute of Standards and Technology's attribute-based access control (ABAC) model. By breaking down the existing structure of attribute-based encryption, we propose a new cryptographic ABAC (C-ABAC) framework with dynamic policy authorization and real-time attribute credentials. Moreover, a practical C-ABAC construction is proposed to support provable policy decision making and verifiable attribute Tokens among multiple distributed authorities. In this construction, we develop a concrete approach of generating a cryptographic policy from access control markup language. We also prove that attribute Token has existential unforgeability under chosen-attribute and chosen-nonce attacks, and the cryptographic policy is existentially unforgeable under chosen-object attack. In addition, our C-ABAC construction provides semantic security against chosen-plaintext attack with Token and policy queries under the extended general Diffie–Hellman exponent assumption. Finally, we evaluate the performance of the C-ABAC system according to complexity analysis and experimental results. The results show that the C-ABAC system is reliable and easy to implement.

Zou Junwei,Lan Jiewei,Wang Xiaoke,Luo Hong

DOI: https://doi.org/10.1049/cje.2018.08.004

IF: 1.019

2018-01-01

Chinese Journal of Electronics

Abstract:The Electronic product code (EPC) network is established and maintained in worldwide-scale based on the EPC standard framework to guarantee the real-time information recognition, and provide efficient management for supply chain. In EPC network, a series of data services can be provided due to the requirements of users. Aiming to guarantee the security of data services, we propose a dynamic access control model for data services based on multiple attributes. We extract specific attribute sets from user, and calculate security level of user using certainty and uncertainty theories based on the attribute sets. The data can be provided to users according to the security level of user and data. The security of data in the supply chain can be guaranteed, and data acquisition can be dynamic and fine-grained. We deploy the proposed model to real supply chain management system we built to verify effectiveness and feasibility of the solution.

Y Tang,Ss Zhang,L Li

DOI: https://doi.org/10.1007/3-540-27912-1_61

2005-01-01

Abstract:The characteristics of multiple security domains environment include multifactor, dynamic, heterogeneity, and openness, which make its resources at high security risks. Thus, it is very critical for mobile access to realize the efficient resources access control in multiple security domains environment. This paper aims at the problems of dynamic privilege assignment for mobile users in cross-domain access, proposes a mobile access control architecture for multiple security domains environment (MACAMSDE), and introduces flexible access control mechanisms. In addtion it discusses the enabling key technologies.

Mang Su,Fenghua Li,Guozhen Shi,Li Li

2012-01-01

International Journal of Security and Its Applications

Abstract:The new computing modes, such as mobile computing, distributed computing, cloud computing and ubiquitous computing, etc., have brought about diversification and open features to the expression, exchange and access of computer network information. The multilevel security management is widely used in operation systems and information management systems. Focus on the multi-level security problem in various network environments, this paper defines the security identity, environment and temporal state of object, based on the ABAC (Action Based Access Control), and shows the security level, access scope and the demand of environment and temporal state of accessing subject, then proposes a multi-level security access control mechanism. Finally, an application example is given.

Carlos E. Rubio-Medrano,Ziming Zhao,Adam Doupé,Gail-Joon Ahn

DOI: https://doi.org/10.1145/2752952.2752977

2015-01-01

Abstract:With the advent of various collaborative sharing mechanisms such as Grids, P2P and Clouds, organizations including private and public sectors have recognized the benefits of being involved in inter-organizational, multi-disciplinary, and collaborative projects that may require diverse resources to be shared among participants. In particular, an environment that often makes use of a group of high-performance network facilities would involve large-scale collaborative projects and tremendously seek a robust and flexible access control for allowing collaborators to leverage and consume resources, e.g., computing power and bandwidth. In this paper, we propose a federated access management scheme that leverages the notion of attributes. Our approach allows resource-sharing organizations to provide distributed provisioning (publication, location, communication, and evaluation) of both attributes and policies for federated access management purposes. Also, we provide a proof-of-concept implementation that leverages distributed hash tables (DHT) to traverse chains of attributes and effectively handle the federated access management requirements devised for inter-organizational resource sharing and collaborations.

Xuejiao Liu,Yingjie Xia,Shasha Jiang,Fubiao Xia,Yanbo Wang

DOI: https://doi.org/10.1109/TrustCom.2013.60

2013-01-01

Abstract:Access control is one of the most important security mechanisms in cloud computing. Attributed based encryption provides an approach that allows data owners to integrate data access policies within the encrypted data. However, little work has been done to explore flexible authorization in specifying the data user's privileges and enforcing the data owner's policy in cloud based environments. In this paper, we propose a hierarchical attribute based access control scheme by extending ciphertext-policy attribute-based encryption (CP-ABE) with a hierarchical structure of multiauthorities and exploiting attribute-based signature (ABS). The proposed scheme not only achieves scalability due to its hierarchical structure, but also inherits fine-grained access control with authentication in supporting write privilege on outsourced data in cloud computing. In addition, we decouple the task of policy management from security enforcement by using the extensible access control markup language (XACML) framework. Extensive analysis shows that our scheme is both efficient and scalable in dealing with access control for outsourced data in cloud computing.

Haoxiang Huang,Jianbiao Zhang,Jun Hu,Yingfang Fu,Chenggang Qin

DOI: https://doi.org/10.1109/TIFS.2022.3206423

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The flow of data across nodes has become the dominant feature of data sharing in distributed environments with increasingly blurred boundaries, where it is crucial to maintain data access dynamic, trusted, and efficient. However, traditional centralized access control models are not only difficult to apply in distributed environments but also ignore trusted verification of authorized entities. What's worse, existing access control models rarely consider themselves security, lack independence, at a high risk of being bypassed or tampered with. Thus, we propose in this paper a distributed, dynamic, and trusted access control model, DDTAC-BSS, where the standard Attribute-Based Access Control (ABAC) architecture is modified and extended. To reduce the attack surface, we separate policy enforcement point (PEP) from other core components, they are located in the node system and access control system, respectively. Then, the access control entry point (ACEP) is added as the only interface for the node system to interact with the access control system. Subsequently, the model introduces the entity trusted assessment mechanism to improve the trustworthiness of access control services. Driven by the dynamic attributes, our model can achieve dynamic trusted authorization and fine-grained access control. Moreover, we implement a lightweight, independent, and distributed security subsystem to achieve unified management of policies and decision-making autonomy by message-driven. By considering the independence of the security subsystem, a trusted operating environment is built based on Trusted Execution Environment (TEE) to ensure the security of the access control mechanism itself. The security of our model is proved rigorously based on the non-interference theory. Comprehensive experiments and comparisons have demonstrated the superior functionality, comparable performance, and strong security of our model.

Mengting Li,Xinyi Huang,Joseph K. Liu,Li Xu,Wei Wu

DOI: https://doi.org/10.1504/ijes.2015.072364

2015-01-01

International Journal of Embedded Systems

Abstract:In this paper we introduce a cooperative attribute-based access control mechanism, which is specifically designed for enterprise computing systems. In our system, users are divided into different groups and they are affiliated with different attributes. Only members from the same group can combine their signing keys to form the signing key of a larger union set of attributes, but users from different groups cannot make it. With the union of the attributes, users can generate a signature which can be used to grant access right to the enterprise cloud system. The applications range from private cloud of a small and medium enterprise (SME) to a large public cloud of electronic healthcare system. We give an efficient design of this mechanism, formally prove its security and implement the prototype of our scheme.

Jinhua Ma,Shengmin Xu,Jianting Ning,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tsc.2023.3324736

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Bilateral access control model, emerging as a novel paradigm in access control, has garnered extensive deployment within the domain of fog computing. This model offers on-demand data services, enabling the efficient identification of sensitive data without resorting to resource-intensive decryption procedures. Nonetheless, prevailing solutions exhibit impracticalities. Specifically, they fall short in supporting adaptive security, while presuming unwavering trustworthiness of the central authority. In this paper, we introduce a pioneering fine-grained and adaptively secure bilateral access control system through enhancements to the matchmaking attribute-based encryption (MABE) framework. We give a formalized definition of MABE, incorporating desirable security features such as blindness and unlinkability, aimed at capturing potential misconduct by the central authority. We propose a generic construction of MABE, drawing upon attribute-based encryption (ABE) and anonymous credential schemes (ACS), with provable security via formal security reduction in the adaptive model. We present an efficient instantiation of the MABE framework by introducing a practical ACS solution, wherein a cryptographic accumulator is employed to enhance performance. Experimental simulations substantiate that our solution not only has superior functionalities but also demonstrates performance on par with state-of-the-art solutions.

Xueqin Chen,Huizhong Wu,Yaoqin Zhu

DOI: https://doi.org/10.1109/ICSICT.2008.4734715

2008-01-01

Abstract:Recently, distributed computing technologies have developed rapidly, such as web services and other XML-based technologies. Information systems enter into a wide-area distributed computing environment. For web services based information systems, the separation between functions and resources enables reusability. However, it is difficult for traditional Access control models to deal with. The security of system encounters with challenges. This paper proposes a double access control model based on attributes to achieve the access control of system functions and resources. The access control decision of functions depends on subject attributes. The decision of resources relies on three attributes': subject attributes, resources attributes and environments attributes. Consistency of access controls between functions and resources is solved by subject's attributes certificate and shared policy. Certificate proxy is utilized to achieve single sign-on, authenticate and authority in wide-area environment. Furthermore, we depict the process flow of the access control in detail. The proposed model is implemented on XACML.NET package and applied in a web services based information system in NET Environment. At last, the performance of resource access control is analyzed and tested by VSTE-ST 2005. The results of practical application and experiment prove the feasibility and usability of the model.

Changsha Ma,Chang Wen Chen

DOI: https://doi.org/10.48550/arXiv.1511.03351

2015-11-11

Abstract:Media sharing is an extremely popular paradigm of social interaction in online social networks (OSNs) nowadays. The scalable media access control is essential to perform information sharing among users with various access privileges. In this paper, we present a multi-dimensional scalable media access control (MD-SMAC) system based on the proposed scalable ciphertext policy attribute-based encryption (SCP-ABE) algorithm. In the proposed MD-SMAC system, fine-grained access control can be performed on the media contents encoded in a multi-dimensional scalable manner based on data consumers' diverse attributes. Through security analysis, we show that the proposed MC-SMAC system is able to resist collusion attacks. Additionally, we conduct experiments to evaluate the efficiency performance of the proposed system, especially on mobile devices.

Multimedia,Cryptography and Security

Willy Susilo,Peng Jiang,Fuchun Guo,Guomin Yang,Yong Yu,Yi Mu

DOI: https://doi.org/10.1109/tifs.2017.2737960

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:It is widely acknowledged that the collaborations with more users increase productivity. Secure cloud storage is a promising tool to enhance such a collaboration. Access control system can be enabled with attribute-based encryption. In this system, a user encrypts and uploads his/her data to the cloud with an access policy, such that only people who satisfy that access policy can decrypt the data. When a recipient would like to enable another person who is originally unauthorized by the original access policy, this recipient will need to extend the access policy by adding a new policy that includes the new person hence, the notion of extendable access control system. Admitting new users to access the uploaded data is an important requirement in enhancing collaborations. The main issue is with regards to the integrity protection during the process of extending the access policy. When a new access policy is added, the cloud has to be sure that the extended access policy remains guarding the same encrypted data as the original access policy, even though the cloud cannot decrypt this ciphertext, which is a challenging problem to solve. In this paper, we answer the above problem affirmatively by introducing an extendable access control system with Integrity Protection (EACSIP), which is suitable to enhance collaboration in the cloud. The construction of EACSIP is built on top of a novel cryptographic primitive, namely functional key encapsulation with equality testing. The security proof and the performance evaluation of EACSIP are provided in this paper.