Customizing Distributed Proofs of Authorization

Zhang, Charles C.; Winslett, Marianne

Permalink

https://hdl.handle.net/2142/11380 Copy

Description

Title

Customizing Distributed Proofs of Authorization

Author(s)

• Zhang, Charles C.
• Winslett, Marianne

Issue Date

2007-08

Keyword(s)

• distributed systems
• computer security

Abstract

When identity-based authorization becomes difficult due to the scalability requirements and highly dynamic nature of open distributed systems, digitally certifiable attributes can be an effective basis for specifying authorization policies. Before an authorization decision is made in such a system, a client needs to collect a set of credentials to prove that it satisfies the authorization policies. The process to construct such a proof is often interactive and multilateral, involving multiple parties iteratively requesting credentials from one another before presenting all their own relevant credentials; we call this a distributed proof of authorization (DPA). DPAs can be carried out in multiple ways. A resource provider can passively wait for its clients to gather all the credentials required for them to gain access; others can take a proactive approach by directly requesting all credentials from the appropriate issuers on behalf of their client. To move away from these two extremes, which raise issues of efficiency and completeness, we propose Query Routing Rules (QRR) to customize distributed credential collection within a P2P authorization framework called MultiTrust, which gives peers autonomy in deciding whether and how they respond to authorization requests. We provide a distributed proof construction algorithm that peers can use to reason about authorizations based on the access control policies and QRRs. This algorithm is configurable, sound, and complete with regard to the search space covered by QRRs. By configuring different QRRs, MultiTrust can not only use flexible strategies to improve the performance of DPA, but also emulate other distributed trust management frameworks such as QCM and RT0 and serve as a reasoning framework for authorization in heterogeneous distributed systems.

Type of Resource

text

Permalink

http://hdl.handle.net/2142/11380

Copyright and License Information

You are granted permission for the non-commercial reproduction, distribution, display, and performance of this technical report in any format, BUT this permission is only for a period of 45 (forty-five) days from the most recent time that you verified that this technical report is still available from the University of Illinois at Urbana-Champaign Computer Science Department under terms that include this permission. All other rights are reserved by the author(s).

Owning Collections