Authorization
NaturaISciences
ArticleID:1007.1202(2007)01—0009—04
DOI10.1007/sl1859—006—0129—7
VOI.12No.12007009—012
AuthorizationManagement
口YANGQiuwei',
WUSunyong,HONGFan",
LIAOJunguo'
1.CollegeofComputerScienceandTechnology,Huazhong
UniversityofScienceandTechnology,Wuhan430074,Hubei,China; 2.DepartmentofComputationalScienceandMathematics,Guilin UniversityofElectronicTechnology,Guilin541004,Guangxi,China Abstract:Authorizationmanagementisimportantpreconditionand foundationforcoordinatingandresourcesharinginopennetworks.Re- cently,authorizationbasedontrustiswidelyusedwherebyaccessrightsto sharedresourcearegrantedonthebasisoftheirtrustrelationindistributed environment.Nevertheless,dynamicchangeofthestatusofcredentialand chainoftrustinducestouncertaintyoftrustrelation.Consideringuncer- taintyofauthorizationandanalyzingdeficiencyofauthorizationmodel onlybasedontrust,weproposesiointtrust—riskevaluationandbuildthe
modelbasedonfuzzysettheory,andmakeuseofthemembershipgradeof fuzzysettoexpressjointtrust—riskrelation.Finally,derivationprinciple
andconstraintprincipleofiointtrust.riskrelationshipsarepresented.The authorizationmanagementmodelisdefinedbasedoniointtrust—risk
evaluation.proofofcomplianceandseparationofdutyareanalyzed.TI1e proposedmodeldepictsnotonlytrustrelationshipbetweenprincipals,but
alsosecurityproblemofauthorization.
Keywords:trustmanagement;authorizationmanagement;riskevaluation;
proofofcompliance;fuzzyset
CLCnumber:TP309
Receiveddate:2o06—06一l8
Foundationitem:SupportedbytheNationalNaturalScienceFoundationofChina
(60403027)
Biography:YANGQiuwei(1980-),mate,Ph.D.cav.didate,researchdirection:trustmall-
agementandaccesscontrolmode1.E—mail:qwyang@smail.hustedu.cn tT0whomcorrespondenceshouldbeaddressed.E—mail:xxyul@public.wh_hb.cn 0Introduction
Trustmanagement【一】isanapproachto
managingauthorizationindistributedenviron—
ments.Blazeetalfirstlyproposedtheconcept oftrust,andtooktrustintoconsiderationinau—
thorizing.Probabilitycomputedviahistorical recordsisviewedasthegradeoftrust~钔.Trustis
classifiedintotwotypes:directtrustandrecom—
mendationtrust.Butmodelingthesubjectivetrust withthesimpleprobabilityandexpressingthe integrationofmultirecommendationtrustsby simplyaveragingcannotdepictthesun}ectivity anduncertaintyoftrustrelationtruly.
Themembershipgradeoffuzzysetisintro—
ducedtomodeltheillegibilityofsubjectivetrust, andtrustismeasuredbytrustvector[5】|Trustand
riskistakenintorole--basedaccesscontrolpol-- icy[6t7】.Butitsexpressivepowerisnotabundant enough.Furthermore,itisnotpracticabletoother mode1.
InthisPaper,wedefineauthorizationsecu—
rityrisk(ARS)firstly,andproposethejoint
trust—riskevaluationmodelbasesonfuzzyset
theoryanddefinederivationprinciplesandcon—
straintprinciples.Onthisbasis,wepresentthe authorizationmanagementframework.Finally, proofofcompliance【】andseparationofduty【】
inprocessofauthorizationarediscussed.
1JointTrust—RiskEvaluation
1.1BasicConcept
Inthepastresearch,definitionabouttrustweredef- erentoneanother.Infact,trustisanexpectationthata principlecontemplatewhatanotherwillact.Foreachof theclassesoftrusttherearetwotypesoftrust:obiective trustandsubjectivetrust.Objectivetrustexpressestrust relationcanbeaccuratelydefinedandverifiedwith mathematicmeans.Tl?strelationbasedsociologyand
psychologyiscalledsubjectivetrust,whichholdsex—
tremeuncertaintyandsubjectivity.
Dynamicchangingofthestatusofobjectivetrust inducestotheuncertainty.Otherwise,subiectivetrust quaknowledgeacquisitionphenomenongoeswithseri—
oussubjectivityanduncertainty.Uncertaintyofobjective trustandsubjectivetrustleadstotheextremeuncertainty ofauthorization,whichwillaffectsystemsecurity.In otherwords,atspecificcircumstancethereexistdistance betweenexpectedtargetandpracticalresult,whichhap—
penstohavethesameviewtorisk.
Definition1Negativeauthorizationsecurityrisk
(NASR)istheuncertaintythatwillaffectthesystemse—
curitynegatively.
Trustevaluationandriskevaluationconstitutethe securityevaluationofauthorization.Onlyanalyzingone ofthemcannotassurethesystemsecurity:
Trustisrelevanttospecificoperation.e.g.a principalistrustedtoengageontechnicaltasknotbutto dealwithorganizationmanagement.
Hightrustdoesnotmeanlowrisk.e.g.inhier—
archicalcorporationstructuresuperiormanagerismore trustedthan.juniortechnician,buttheriskthatsuperior managercompletestechnicaltaskishigherthanthat juniortechniciandoes.
Lowtrustdoesnotmeanhighrisk.e.g.thetrust amongthestrangersatnewacquaintancemaybelow, butalsotheriskofauthorizationmaybelow.
Lowriskmeanshightrusty.e.g.1owerNASRis. higherthereliabilityis.
?Authorizationsecuritybuildsontrustaccepting andriskacceptingcriteria(introducedinlatersection). Authorizationsecurityisguaranteedifandonlyiftrust andrisksatisfypreconcertedacceptingcriteria. 1.2JointTrust-RiskEvaluationBasedonFuzzySet Inthepastresearch,authorizationbasedonlyon analyzingoneoftrustandrisk,andanalyzedresultdis—
tributedonacontinuousextendand"belong''or"non—
belong"tothesetofcontinuousrealnumberisthesim—
pierelation.Whereas,whenprinciplecannotobtainthe fu11informationoftrust—riskevaluation.thereexistsdis—
tancebetweenactualvalueandpracticalresult.110im—
provetheveracityandconsistencyofevaluation,wepro—
posetrustfuzzysetandriskfuzzysetbasedonfuzzyset theory"….andthendefinetheJointTmst—RiskFuzzy
Relation,andmakeuseofthemembershipgradetoex—
pressjointtrust—riskrelation.Inthefollowingdefinitions, thespaceoftrustobjectsandthespaceofriskobjects denotethespaceofentities.
Definition2LetU=fuldenoteaspaceoftrust objects.ThenatrustfuzzysetTFinUisdenotedasthe membershipfunctionthatmapsUtotheinterval[0,11, ~/TF:_?[0,11,whereforalluEU,所F(")=ldenotes
thatubelongstoTFtotally.)=0denotesthatu doesnotbelongtoTF.0<,~/TF)<ldenotesthatube—
longstoTFpartially.ForagivenuEU,rF(")denotes themembershipgradeoftheelementuinTF.Thefuzzy setTFcanbeexpressedasasetoforderedpairs TF={(",/lrF("))l"?Ul
Definition3RiskFuzzySet.LetU={uldenotea spaceofriskobjects.ThenariskfuzzysetRFinUis denotedasthemembershipfunctionthatmapsUtothe interval[0,11,fRF:_?【0,l】,whereforalluEU,(u)
=
ldenotesthat"belongstoRFtotally.朋RF)=0de—
notesthatUdoesnotbelongtoRF.0)<ldenotes thatUbelongstoRFpartially.ForagivenuEF(U) denotesthemembershipgradeoftheelementuinRF. ThefuzzysetRFcanbeexpressedasfollow
RF={(",/IRF("))l"?Ul
Definition4LetU×U={(",u)}denoteaspace
ofobjectsofjointtrust—riskrelationR.Thenjoint
trust-riskrelationRinUxUisdenotedasthemem- bershipfunctionthatmapsUxUtotheinterval[0,1】,
rF×RF:UxU—?[0,11,whereforall(ul,U2)EUxU,
rF×RF(uI,U2)=ldenotesthat(ul,u2)belongstoTF×RF
totally.,]-/TFxRF(U1,u2)=0denotesthat(ul,u2)doesnot belongtoTF~RF.0<,/-/TF×RF(U1,U2)<ldenotesthat(Ul,U2) belongstoTF~RFpartially.Foragiven(ul,"2)?UxU,
rF×RF(ul,u2)denotesthemembershipgradeoftheele—
mentUlinTFandthemembershipgradeoftheelement u2inRF.ThefuzzysetTFxRFcanbeexpressedasaset oforderedpairs
TFxRF={((uI,u2),~/TFxRF(U1,"2))lUl?u2EUl
IfUlequalstou2,,/-/TFxRF(U1,U0denotesthemem—
bershipgradeoftheelementulinTFandRF.Ifu1does notequaltou2,舳RFl,"1)denotesthemembership
gradeoftheelementUlinTFandthemembershipgrade
oftheelementu2inRF,whichisnotpracticallymeaning. 1.3DerivationofJointTrust.RiskRelation
Similartotrustrelation,authorizationsecurityrisk canalsobeclassifiedtotwotypes:directauthorization riskandrecommendationauthorizationrisk.Theformer donatestheuncertaintyofinfluencingthesystemsecu—
ritynegativelywhenauthorizing.Recommendationpath maynotexistbetweenthetwoprinciples.Thelater representsthataprincipaltruststheabilityofanother principaltorecommendothers.Twotypesderivation needtobetreated:concatenationofsinglerelationchain
andintegrationofmultirelationchains. Definition5Suppose1anddenotesthemem—
bershipgradeoftwoprincipalsseparatelyinasamejoint trust—riskfuzzysetaboutP,wellthenthetwotypesderi—
vationoffl,andasfollow:
1)Concatenationofsinglerelationchain:Given A,CeU,pePifABdenotesthemembershipgrade OfaboutPinA'sview,andif--)cdenotesthemem—
bershipgradeofCaboutPinB'sview.Therefore,the membershipgradeofCaboutPinA'sviewcanbecon—
catenatedasfollows.
AC:ABBC
Concatenationofsinglerelationchaindefinesthe principlesthatjointtrust—riskrelationbuildsonmulti subsections.Principalscancontacteachothervianot onlydirectjointrelationbutalsorecommendationrela—
tion.Thenewjointtrust-riskrelationisformedbycon—
catenationoperation.
2)Integrationofmultirelationchains:Given A,BepeP,if1,,…,denotesnumbermofthe
membershipgradeofBaboutPinA'sview.Therefore, thenumbermofthemembershipgradeofBaboutPin A'sviewcanbeintegratedasfollows.
_?1@…@/4.
Whenthereexistmanypathsbetweenprincipals, integrationofmultirelationchainscanbeusedtoelevate theiointrelationsyntheticallyandunitthoserelations. Letand/2虾separatelydenotethetrust.share andrisk—share,derivationofjointtrust-riskrelationsatis—
tiesfollowingconstraints:
?Boundedness.?Weakbounde(h1ess:0?(RF?1,
whichrestrictsthatalltheiointtrust.riskevaluationmust distributeintheinterval【0,1】.?Strongboundedness:
givenA,BepeP,ifl,2,…,denotesnumberm
ofthemembershipgradeofBaboutPinA'sview, followingconstrainmustalsobesatisfiedtoT _?
F
B
andB:
(T_?F?min(/~ff,2TF,…,))A(R_?F
?max(/~ff,,…,))
?Monotony~GivenA,B,CepeP,ifde—
notesthemembershipgradeofBaboutPinA'sview, andifBCdenotesthemembershipgradeofCaboutP inB'sview.Trustdropsandriskincreasesasfollow alongwithoftherelationchain:
(T_?Fc?T_?FB0BT_?Fc)A(R_?Fc?/.~RF+B?BR_?Fc)
?Unitariness.Supposethesetofthestatistical weights{el,,…,晶},wellthen?0,I2:1.
2AuthorizationManagement
2.1AuthorizationRules
Definition6Anauthorization1smodeledasa 3-tuple,(PrincipalA,PrincipalB,P),denotesthatprincipal AauthorizesthepermissionptoprincipalB. Afterauthorizationdecisiontakestrustandriskinto consideration,howdoestrustandriskinfluencetheau. thorizationdecision?Acceptingcriteriaontrustandrisk ispresentedfirstly.e.g.ifandonlyifthemembership gradeofBaboutPinA'sviewequaltopreconcerted
valuere,principalAauthorizesthepermissionPto principalB.Thismaybeexpressedas
A,BeAcanassignp,/-/TF×RF(B,)?rep.
Definition7Anauthorizationbasedonioint trust—riskevaluationismodeledasa6-tuple,(PrincipalA, PrincipalB,P,/-/TF×RF(B,),Evironment,Constraints), denoteswhen/-/TF×RF(B,B)satisfytheacceptingcriteria andrelativeconstraintsaresatisfiedunderspecificenvi. ronment,principalAauthorizesthepermissionPtoprin—
cipalB.Thismaybeexpressedas
,
B?U,AcanassignP,environmentandcon—
straintsaresatisfied.
/-/TF×RF(B,B)satisfiestheacceptingcriteria. Environmentisthecertainenvironmentalvariables, suchastimevariable.Constraintsdenotesomerestricts, suchasSeparationofDutyOtherwise.anauthoriza. tionmayberelatetomuchtrust—riskacceptingcriteria,
e.g.muchmembershipgradesofB/-/TF×R~(B2)needto
check,multiauthorization6-tuplecanexpressthecom—
plexacceptingcriteria.
Definition8Suppose/-/TF×RF(B,)denotesnumber
mofthemembershipgradeofBaboutPinA'sview,an authorizationcanbecreatedasfollows:
Grantrules.SupposeprincipalBrequesttoau. 11
thorizepermissionPfromA,ifbothenvironmentvari- ablesandrelativeconstraintsaresatisfied,and/-/TF×RF
(,B)satisfytheacceptingcriteria,principalAauthorizes
thepermissionptoprincipalB.
?Revokerules.SupposeprincipalAcanrevoke thepermissionP.Distheconstraintsofdelegationdepth anddisthecurrentdelegationdepth.Ifrelativecon—
straintsorenvironmentvariablesarenotsatisfiedor /-/TF×RF,B)doesnotsatisfytheacceptingcriteria,ord doesnotsatisfytheconstraintsofdelegationdepthD, principalArevokethepermissionPfromprincipalB. Thismaybeexpressedas
,B?U,AcanrevokeP,((EnvironmentorConstraints arenotsatisfied)U(?D)U(FRF,B)satisfiesthe
acceptingcriteria))~pwillberevokedfromB. ?Delegationrules.SupposeprincipalAisnotthe ownerofthepermissionPbutcandelegatethePtooth—
ers.PrincipalBrequesttoauthorizepermissionpfromA, ifbothenvironmentvariablesandrelativeconstraintsare satisfied,anddsatisfiestheconstraintsofdelegation depthD,and/-/TF×RF(B,B)satisfytheacceptingcriteria, principalAauthorizesthepermissionPtoprincipalB. Thismaybeexpressedas
,
B?U,AcandelegateP,
EnvironmentandConstraintsaresatisfied,?D,
/-/TF×RF(B,B)satisfiestheacceptingcriteria==>p. 2.2ProofofComplianceandSeparationofDuty Authorizationruledepictstheproblemasfollow: Whetherthesetofparametersproverequest,_cometo compliancewithlocalauthorizationprinciples?Thesetof authorizationprinciplesconstitutetheauthorizationpolicy. Anyprincipalmustholdtheownauthorizationpolicy,