Files in this item



application/pdfCustomizing Dis ... roofs of Authorization.pdf (236kB)
(no description provided)PDF


Title:Customizing Distributed Proofs of Authorization
Author(s):Zhang, Charles C.; Winslett, Marianne
Subject(s):distributed systems
computer security
Abstract:When identity-based authorization becomes difficult due to the scalability requirements and highly dynamic nature of open distributed systems, digitally certifiable attributes can be an effective basis for specifying authorization policies. Before an authorization decision is made in such a system, a client needs to collect a set of credentials to prove that it satisfies the authorization policies. The process to construct such a proof is often interactive and multilateral, involving multiple parties iteratively requesting credentials from one another before presenting all their own relevant credentials; we call this a distributed proof of authorization (DPA). DPAs can be carried out in multiple ways. A resource provider can passively wait for its clients to gather all the credentials required for them to gain access; others can take a proactive approach by directly requesting all credentials from the appropriate issuers on behalf of their client. To move away from these two extremes, which raise issues of efficiency and completeness, we propose Query Routing Rules (QRR) to customize distributed credential collection within a P2P authorization framework called MultiTrust, which gives peers autonomy in deciding whether and how they respond to authorization requests. We provide a distributed proof construction algorithm that peers can use to reason about authorizations based on the access control policies and QRRs. This algorithm is configurable, sound, and complete with regard to the search space covered by QRRs. By configuring different QRRs, MultiTrust can not only use flexible strategies to improve the performance of DPA, but also emulate other distributed trust management frameworks such as QCM and RT0 and serve as a reasoning framework for authorization in heterogeneous distributed systems.
Issue Date:2007-08
Genre:Technical Report
Other Identifier(s):UIUCDCS-R-2007-2891
Rights Information:You are granted permission for the non-commercial reproduction, distribution, display, and performance of this technical report in any format, BUT this permission is only for a period of 45 (forty-five) days from the most recent time that you verified that this technical report is still available from the University of Illinois at Urbana-Champaign Computer Science Department under terms that include this permission. All other rights are reserved by the author(s).
Date Available in IDEALS:2009-04-22

This item appears in the following Collection(s)

Item Statistics