Jason Crampton (2007) Role Signatures for Access Control in Grid Computing.
Full text access: Open
Implementing access control efficiently and effectively in an open and distributed grid environment is a challenging problem. One reason for this is that users requesting access to remote resources may be unknown to the authorization service that controls access to the requested resources. Hence, it seems inevitable that pre-defined mappings of principals in one domain to those in the domain containing the resources are needed. A second problem in such environments is that verifying the authenticity of user credentials or attributes can be difficult. In this paper, we propose the concept of role signatures to solve these problems by exploiting the hierarchical structure of a virtual organization within a grid environment. Our approach makes use of a hierarchical identity-based signature scheme in which verification keys are derived from generic role identifiers drawn from a hierarchical namespace. We show that individual member organizations of a virtual organization are not required to agree on principal mappings beforehand in order to enforce access control to resources. Moreover, user authentication and credential verification are unified in our approach and can be achieved through a single role signature.
Published version, dated 10/05/2007. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/bdc4d96d-2f08-d8b1-8d0d-d582246ad7fb/1/
Deposited in Royal Holloway Research Online on 28-Jun-2010; last modified on 14-Dec-2010.