Security Management, Integrity, and Internal Control in Information Systems / IFIP Advances in Information and Communication Technology Bd.193 (PDF)
International Federation for Information Processing
...
48 DeutschlandCard Punkte sammeln
- Lastschrift, Kreditkarte, Paypal, Rechnung
- Kostenloser tolino webreader
International Federation for Information Processing
The IFIP series publishes state-of-the-art results in the sciences and technologies of information and communication. The scope of the series includes: foundations of computer science; software theory and practice; education; computer applications in technology; communication systems; systems modeling and optimization; information systems; computers and society; computer systems technology; security and protection in information processing systems; artificial intelligence; and human-computer interaction. Proceedings and post-proceedings of referred international conferences in computer science and interdisciplinary fields are featured. These results often precede journal publication and represent the most current research. The principal aim of the IFIP series is to encourage education and the dissemination and exchange of information about all aspects of computing.
For more information about the 300 other books in the IFIP series, please visit www.springeronline.com.
For more information about IFIP, please visit www.ifip.org.
This section describes the key features of X-GTRBAC (XML-based Generalized Temporal Role Based Access Control), our XML-based policy specification framework. Our specification language is an extension of the RBAC model suitable for addressing the access management challenges in federated systems discussed in this paper.
3.1 Language Specification
X-GTRBAC language specification is captured through a contextfree grammar called X-Grammar, which follows the same notion of terminals and non-terminals as in BNF, but supports the tagging notation of XML which also allows expressing attributes within element tags. The use of attributes helps maintain compatibility with XML schema syntax, which serves as the type definition model for our language. Since it follows BNF convention, X-Grammar can be accepted by a well-defined automaton to allow automatic translation into XML schema documents.
This allows automatic creation of strongly typed policy Schemas based on the supplied grammar specification. We choose to use X-Grammar syntax instead of directly working with XML Schemas for ease of analysis (since existing compiler tools for BNF grammars can be applied) and better readability and presentation. Examples of X-Grammar policies are given in following sections. The complete syntax of X-GTRBAC language specification appears in Appendix A.
3.2 Policy Components
We now describe the main components of our policy language. While doing so, we motivate our design decision by evaluating existing approaches against our stated requirements, and pointing out the merits of our design with respect to our objectives.
3.2.1 Credentials
Credentials are a key component of an access control language. A credential encodes the authentication and authorization information for the users. We have earlier motivated that a heterogeneous and unfamiliar user and
[12, 13] are well-known examples of distributed schemes that have used identity-based X.509 certificates for user authentication. The authentication information (i.e. public keys) is then used to construct an authorization credential that comprises of a set of resource-specific rules. The credentials are bound to user identities and therefore this approach to credential specification is not scalable. Even when knowledge of identities is available, the requirement of fine-grained access control would lead to rule-explosion in the access control policy given the size of federated population in open systems. Additionally, this approach tightly couples authentication with authorization, and is therefore inflexible, and violates one of our design principles.
Our policy framework addresses this problem through the use of attributebased (as opposed to identity-based) credential specification. We adopt a modular approach and allow independent specification of credentials used in authentication and authorization. The authenticating credential comprises of authentication information expressed in terms of user attributes which are used by the access control processor for role assignment. This idea is similar to the one used in [14]. However, unlike in [14], we do not require reliance on X.509 identity-based certificates to encode user authentication information. Instead, the user attributes may be supplied in any mutually agreed format, such as an Attribute Statement in the emerging identity federation standard SAML [7]. This supports the requirement for credential federation (See Section 3.3.3).
- Autoren: Paul Dowland , Bhavani Thuraisingham , Steve Furnell
- 2006, 2006, 370 Seiten, Englisch
- Herausgegeben: Steve Furnell, Bhavani Thuraisingham, X. Sean Wang
- Verlag: Springer-Verlag GmbH
- ISBN-10: 038731167X
- ISBN-13: 9780387311678
- Erscheinungsdatum: 03.06.2006
Abhängig von Bildschirmgröße und eingestellter Schriftgröße kann die Seitenzahl auf Ihrem Lesegerät variieren.
- Dateiformat: PDF
- Größe: 19 MB
- Ohne Kopierschutz
- Vorlesefunktion
Zustand | Preis | Porto | Zahlung | Verkäufer | Rating |
---|
Schreiben Sie einen Kommentar zu "Security Management, Integrity, and Internal Control in Information Systems / IFIP Advances in Information and Communication Technology Bd.193".
Kommentar verfassen