| ¡¡ | Chinese Journal of Computers Full Text |
| Title | Rule Based Constrained Delegation Framework |
| Authors | YIN Gang WANG Huai-Min SHI Dian-Xi TENG Meng |
| Address | (School of Computer Science, National University of Defense Technology, Changsha 410073) |
| Year | 2007 |
| Issue | No.9(1511¡ª1519) |
| Abstract & Background | Abstract Delegation allows privilege propagation between principals, which is the core mechanism of trust management systems to enable multi-domain authorization. But unrestricted delegation may lead to privilege proliferation and breach the security of information systems. The delegation mechanisms in existing trust management systems are short of effective controllability on privilege propagation and their security need to be formally analyzed and proved. In this paper, a role-based constrained delegation model named RCDM (Role-based Constrained Delegation Model) is proposed, which supports flexible policies for delegation of authority and uses a scope constraint structure to control the depth scope and width scope of privilege propagation. A rule-based compliance checking algorithm named C3A is proposed for RCDM, the soundness and completeness of C3A with respect to RCDM are analyzed using the semantic theory of logic programs, which theoretically prove the security and availability of RCDM. keywords trust management; delegation; scope constraint; rule; proof of compliance background This work is supported by the National Basic Research Program(973 Program) of China under grant No.2005CB321804, National Natural Science Foundation of China under grant No.90412011, and the National High Technology Research and Development Program (863 Program) of China under grant Nos.2003AA115210, 2004AA112020. Most of the new ideas in this paper arise from the development of the security service in StarBus+, a middleware platform developed by the authors during last 10 years and configured as general distributed computing platform for many projects and software products in China. Besides providing secure communication and identity-based access control, the security service also aims to enable authorization across different security domains with different authorities. Delegation is one of the key mechanisms for decentralized authorization which is also hot spot in trust management(TM) systems. It is very important to control the privilege proliferation during delegation, which is still a difficult problem in existing TM systems. The authors are trying to propose more flexible and controllable delegation models to fulfill those special requirements, as shown in this paper. To integrate the delegation model into StarBus+security service, the authors designed a novel security architecture named middleware access control management, which will be reported in near future. |