Article

Risk assessment in distributed authorization

Authors:

Christian Skalka,

X. Sean WangAuthors Info & Claims

FMSE '05: Proceedings of the 2005 ACM workshop on Formal methods in security engineering

Pages 33 - 42

https://doi.org/10.1145/1103576.1103581

Published: 11 November 2005 Publication History

Abstract

Distributed authorization takes into account several elements, including certificates that may be provided by non-local actors. While most trust management systems treat all assertions as equally valid up to certificate authentication, realistic considerations may associate risk with some of these elements; some actors may be less trusted than others, some elements may be more computationally expensive to obtain, and so forth. Furthermore, practical online authorization may require certain levels of risk to be tolerated. In this paper, we introduce a trust management logic that incorporates formal risk assessment. This formalization allows risk levels to be associated with authorization elements, and promotes development of a distributed authorization algorithm allowing tolerable levels of risk to be precisely specified and rigorously enforced.

References

[1]

M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 15(4):706--734, 1993.

Digital Library

[2]

Scot Anderson. Constraint datalog in trust management. Master's thesis, University of Nebraska, 2003.

[3]

Andrew W. Appel and Edward W. Felten. Proof-carrying authentication. In G. Tsudik, editor, Proceedings of the 6th Conference on Computer and Communications Security, Singapore, November 1999. ACM Press.

Digital Library

[4]

Lujo Bauer. Access Control for the Web via Proof-carrying Authorization. PhD thesis, Princeton University, 2003.

Digital Library

[5]

Matt Blaze, Joan Feigenbaum, John Ioannidis, and Angelos D. Keromytis. RFC-2704: The KeyNote Trust-Management System Version 2. IETF, September 1999.

Digital Library

[6]

Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. Technical Report 96-17, DIMACS, June 28 1996.

Digital Library

[7]

M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Transactions on Computer Systems, 8(1):18--36, 1990.

Digital Library

[8]

D. Denning. A lattice model of secure information flow. In Communications of the ACM, pages 236--243. ACM, May 1976.

Digital Library

[9]

C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen. SPKI certificate theory. RFC 2693, Sept. 1999.

Digital Library

[10]

Tyrone Grandison and Morris Sloman. A survey of trust in internet applications. IEEE Communications Surveys & Tutorials, 4th Quarter, 2000.

Digital Library

[11]

Audun Josang. An algebra for assessing trust in certification chains. In J. Kochmar, editor, Proceedings of the Network and Distributed Systems Security Symposium (NDSS'99). The Internet Society, 1999.

[12]

Ninghui Li and John C. Mitchell. Datalog with constraints: A foundation for trust management languages. In Proceedings of the Fifth International Symposium on Practical Aspects of Declarative Languages, January 2003.

Digital Library

[13]

Ninghui Li and John C. Mitchell. Rt: A role-based trust-management framework. In Proceedings of the Third DARPA Information Survivability Conference and Exposition, pages 201--212. IEEE Computer Society Press, April 2003.

[14]

Ninghui Li, John C. Mitchell, and William H. Winsborough. Design of a role-based trust-management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 114--130. IEEE Computer Society Press, May 2002.

Digital Library

[15]

Ninghui Li, William H. Winsborough, and John C. Mitchell. Distributed chain discovery in trust management. Journal of Computer Security, 11(1):35--86, February 2003.

Digital Library

[16]

R. Rivest and B. Lampson. SDSI - a simple distributed security infrastructure, 1996. http://theory.lcs.mit.edu/rivest/sdsi11.html.

[17]

Christian Skalka and X. Sean Wang. Trust but verify: Authorization for web services. In ACM Workshop on Secure Web Services, October 2004.

Digital Library

Cited By

Gautham HP D(2021)A Systematic Approach for a Secure Authentication SystemInternational Journal of Soft Computing and Engineering10.35940/ijsce.F3508.071062110:6(7-11)Online publication date: 30-Jul-2021
https://doi.org/10.35940/ijsce.F3508.0710621
Rubio-Medrano CZhao ZAhn GBertino ESandhu RKrishnan R(2018) RiskPol Proceedings of the Third ACM Workshop on Attribute-Based Access Control10.1145/3180457.3180462(54-60)Online publication date: 14-Mar-2018
https://dl.acm.org/doi/10.1145/3180457.3180462
Dorri Nogoorani SJalili R(2016)TIRIACFuture Generation Computer Systems10.1016/j.future.2015.03.00355:C(238-254)Online publication date: 1-Feb-2016
https://dl.acm.org/doi/10.1016/j.future.2015.03.003
Show More Cited By

Index Terms

Risk assessment in distributed authorization
1. Security and privacy
  1. Network security

Recommendations

Risk management for distributed authorization

Distributed authorization takes into account several elements, including certificates that may be provided by non-local actors. While most trust management systems treat all assertions as equally valid up to certificate authentication, realistic ...
Specifying distributed trust management in LolliMon
PLAS '06: Proceedings of the 2006 workshop on Programming languages and analysis for security

We propose the monadic linear logic programming language LolliMon as a new foundation for the specification of distributed trust management systems, particularly the RT framework. LolliMon possesses features that make it well-suited to this application, ...
Risk profiles and distributed risk assessment

Risk assessment is concerned with discovering threat paths between potential attackers and critical assets, and is generally carried out during a system's design and then at fixed intervals during its operational life. However, the currency of such ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

FMSE '05: Proceedings of the 2005 ACM workshop on Formal methods in security engineering

November 2005

90 pages

ISBN:1595932313

DOI:10.1145/1103576

General Chair:
Vijay Atluri
Rutgers University
,
Program Chairs:
Pierangela Samarati
Universita' degli Studi di Milano, Italy
,
Ralf Küsters
University of Kiel, Germany
,
John Mitchell
Stanford University

Copyright © 2005 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 November 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS05

Sponsor:

CCS05: 12th ACM Conference on Computer and Communications Security 2005

November 11, 2005

VA, Fairfax, USA

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
501
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)0

Reflects downloads up to 02 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Gautham HP D(2021)A Systematic Approach for a Secure Authentication SystemInternational Journal of Soft Computing and Engineering10.35940/ijsce.F3508.071062110:6(7-11)Online publication date: 30-Jul-2021
https://doi.org/10.35940/ijsce.F3508.0710621
Rubio-Medrano CZhao ZAhn GBertino ESandhu RKrishnan R(2018) RiskPol Proceedings of the Third ACM Workshop on Attribute-Based Access Control10.1145/3180457.3180462(54-60)Online publication date: 14-Mar-2018
https://dl.acm.org/doi/10.1145/3180457.3180462
Dorri Nogoorani SJalili R(2016)TIRIACFuture Generation Computer Systems10.1016/j.future.2015.03.00355:C(238-254)Online publication date: 1-Feb-2016
https://dl.acm.org/doi/10.1016/j.future.2015.03.003
Cristani MKarafili EVigano L(2013)A complete tableau procedure for risk analysis2013 International Conference on Risks and Security of Internet and Systems (CRiSIS)10.1109/CRiSIS.2013.6766351(1-8)Online publication date: Oct-2013
https://doi.org/10.1109/CRiSIS.2013.6766351
Cristani MKarafili EViganò L(2013)Tableau systems for reasoning about riskJournal of Ambient Intelligence and Humanized Computing10.1007/s12652-013-0186-75:2(215-247)Online publication date: 26-Jul-2013
https://doi.org/10.1007/s12652-013-0186-7
Cristani MKarafili EViganò L(2012)Towards a Logical Framework for Reasoning about RiskMultidisciplinary Research and Practice for Information Systems10.1007/978-3-642-32498-7_46(609-623)Online publication date: 2012
https://doi.org/10.1007/978-3-642-32498-7_46
Hu JLi RLu ZLu JMa X(2011)RARFuture Generation Computer Systems10.1016/j.future.2010.09.00827:5(574-586)Online publication date: 1-May-2011
https://dl.acm.org/doi/10.1016/j.future.2010.09.008
Wang LSinghal AJajodia S(2007)Measuring the overall security of network configurations using attack graphsProceedings of the 21st annual IFIP WG 11.3 working conference on Data and applications security10.5555/1770560.1770573(98-112)Online publication date: 8-Jul-2007
https://dl.acm.org/doi/10.5555/1770560.1770573
Skalka CWang XChapin P(2007)Risk management for distributed authorizationJournal of Computer Security10.5555/1370674.137067615:4(447-489)Online publication date: 1-Dec-2007
https://dl.acm.org/doi/10.5555/1370674.1370676
Wang LSinghal AJajodia SKarjoth GStølen K(2007)Toward measuring network security using attack graphsProceedings of the 2007 ACM workshop on Quality of protection10.1145/1314257.1314273(49-54)Online publication date: 29-Oct-2007
https://dl.acm.org/doi/10.1145/1314257.1314273
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents