Constraint Expressions and Workflow Satisfiability
A workflow specification defines a set of steps and the order in which those
steps must be executed. Security requirements and business rules may impose
constraints on which users are permitted to perform those steps. A workflow
specification is said to be satisfiable if there exists an assignment of
authorized users to workflow steps that satisfies all the constraints. An
algorithm for determining whether such an assignment exists is important, both
as a static analysis tool for workflow specifications, and for the construction
of run-time reference monitors for workflow management systems. We develop new
methods for determining workflow satisfiability based on the concept of
constraint expressions, which were introduced recently by Khan and Fong. These
methods are surprisingly versatile, enabling us to develop algorithms for, and
determine the complexity of, a number of different problems related to workflow
satisfiability.
Comment: arXiv admin note: text overlap with arXiv:1205.0852; to appear in
Proceedings of SACMAT 201
Lazy updates in key assignment schemes for hierarchical access control
Hierarchical access control policies are used to restrict access to
objects by users based on their respective security labels. There are
many key assignment schemes in the literature for implementing
such policies using cryptographic mechanisms. Updating keys in such
schemes has always been problematic, not least because many objects
may be encrypted with the same key. We propose a number of techniques
by which this process can be improved, making use of the idea of
lazy key updates, which have been studied in the context of
cryptographic file systems. We demonstrate in passing that schemes
for lazy key updates can be regarded as simple instances of key
assignment schemes. Finally, we illustrate the utility of our
techniques by applying them to hierarchical file systems and to
temporal access control policies.
Role Signatures for Access Control in Grid Computing
Implementing access control efficiently and effectively in an open and distributed grid environment is a challenging problem. One reason for this is that users requesting access to remote resources may be unknown to the authorization service that controls access to the requested resources. Hence, it seems inevitable that pre-defined mappings of principals in one domain to those in the domain containing the resources are needed. A second problem in such environments is that verifying the authenticity of user credentials or attributes can be difficult. In this paper, we propose the concept of role signatures to solve these problems by exploiting the hierarchical structure of a virtual organization within a grid environment. Our approach makes use of a hierarchical identity-based signature scheme whereby verification keys are defined by generic role identifiers defined within a hierarchical namespace. We show that individual member organizations of a virtual organization are not required to agree on principal mappings beforehand to enforce access control to resources. Moreover, user authentication and credential verification are unified in our approach and can be achieved through a single role signature.
On the satisfiability of constraints in workflow systems
Separation of duty and binding of duty in workflow systems is an
important area of current research in computer security. We
introduce a formal model for constrained workflow systems that
incorporate constraints for implementing such policies. We define an
entailment constraint, which is defined on a pair of tasks in a
workflow, and show that such constraints can be used to model many
familiar authorization policies. We show that a set of entailment
constraints can be manipulated algebraically in order to compute all
possible dependencies between tasks in the workflow. The resulting
set of constraints forms the basis for an analysis of the
satisfiability of a workflow. We briefly consider how this analysis
can be used to implement a reference monitor for workflow systems.