Many emerging applications (e.g., teleconference, real-time information services, pay per view, distributed interactive simulation, and collaborative work) are based upon a group communications model, i.e., they require packet delivery from one or more authorized senders to a very large number of authorized receivers. As a result, securing group communications (i.e., providing confidentiality, integrity, and authenticity of messages delivered between group members) will become a critical networking issue. In this paper, we present a novel solution to the scalability problem of group/multicast key management. We formalize the notion of a secure group as a triple (U; K;R) where U denotes a set of users, K a set of keys held by the users, and R a user-key relation. We then introduce key graphs to specify secure groups. For a special class of key graphs, we present three strategies for securely distributing rekey messages after a join/leave, and specify protocols for joining and leaving a...

We address the problem of authorization in large-scale, open...

We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The Generic Authorization and Access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero Resource Manager and Globus Security Infrastructure. 1 Introduction The conventional concept of an Access Control List (ACL) is the architectural foundation of many authorization mechanisms. A typical ACL is associated with an object to be protected and enumerates the list of authorized users and their rights to access the object. Access rights are selected f...

A security policy is a means by which participant session requirements are specified. However, existing frameworks provide limited facilities for the automated reconciliation of participant policies. This paper considers the limits and methods of reconciliation in a general-purpose policy model. We identify an algorithm for efficient two-policy reconciliation, and show that, in the worst-case, reconciliation of three or more policies is intractable. Further, we suggest efficient heuristics for the detection and resolution of intractable reconciliation. Based upon the policy model, we describe the design and implementation of the Ismene policy language. The expressiveness of Ismene, and indirectly of our model, is demonstrated through the representation and exposition of policies supported by existing policy languages. We conclude with brief notes on the integration and enforcement of Ismene policy within the Antigone communication system.

Multicast and anycast have received considerable attention due to their ability to support networked services. There are distinct and significant security vulnerabilities in both the multicast and anycast model including denial of service, theft of service, eavesdropping, and masquerading. The multicast problem requires a secure IGMP. The anycast problem requires secure anycast server advertisements. We generalize these two problems into a problem of group access control and propose Gothic, a complete architecture for providing group access control. Gothic centers around a novel authorization architecture. This is complemented by a proposal for a group policy management system that allows the group owner to be authenticated before being allowed to specify the group access rights. This system can be applied to other works that involve group policy. We show how Gothic operates in a number of environments including application-layer multicast, source-specific multicast, application-layer anycast and global IP-anycast. We evaluate the security and scalability of the architecture and show that it improves scalability over previous solutions while maintaining or increasing the level of security. We also propose methods of integrating Gothic with the group key management system and content distribution tree. We propose and evaluate a group access control aware group key management technique that leverages the existence of a group access control system to substantially reduce overhead.

As computing technology becomes more pervasive and mobile services are deployed, applications will need flexible access control mechanisms. Unlike traditional approaches for access control, access decisions for these applications will depend on the combination of the required credentials of users and the context and state of the system. In this paper, we extend the role-based access control model to provide dynamic context-aware access control for pervasive applications. The operation of the presented model is illustrated.

Business Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes. The major difference is that business process describe complex services that cross organizational boundaries and are provided by entities that sees each other as just partners and nothing else. This calls for a number of differences with traditional aspects of access control architectures such as • credential vs classical user-based access control, • interactive and partner-based vs one-server-gathers-all requests of credentials from clients, • controlled disclosure of information vs all-or-nothing access control decisions, • abducing missing credentials for fulfilling requests vs deducing entailment of valid requests from credentials in formal models, • “source-code ” authorization processes vs data describing policies for communicating policies or for orchestrating the work of authorization servers. Looking at the access control field we find good approximation of most components but not their synthesis into one access control architecture for business processes for web services, which is the contribution of this paper. ∗ This work is partially funded by the IST programme of

We present an infrastructure for flexible and secure access to a group of distributed services in a nomadic computing environment, wherein users access local services from their mobile, wirelessly connected devices. We describe a secure `hand-off' protocol, which allows a user to register with a single service that `hands off' authorization to access a subset of the services. Our protocol helps maintain the user's privacy. It allows the services (which may be implemented on simple appliances) and the user's mobile device to have modest resources: services do nothavetobeonlinetoanypartyexcepttheuser's device and the storage and communication requirements are minimal. In addition to the hand-off protocol, the paper presents a model for authorization hand-off and describes related research and technologies. 1

End-users are often perceived as the weakest link in information security. Because of this perception, a growing body of research and commercial activity is focused on automated approaches to security. With these approaches, security decisions are removed from the hands of the users, and are placed instead in systems themselves, or in remote services or organizations that establish policies that are automatically enforced. We contend that although security automation is potentially beneficial in theory, in practice it is not a panacea for end-user information security. A number of technical and social factors mitigate against the acceptance and efficacy of automated end-user security solutions in many cases. In this paper, we present a discussion of the inherent limitations of automating security for end-users. We then discuss a set of design guidelines for choosing whether to automate end-user security systems. We conclude with a set of research directions focused on increasing the acceptance and efficacy of security solutions for end-users.

Group communication is increasingly used as a low cost building block for the development of highly available and survivable services in dynamic environments. However, contemporary frameworks often provide limited facilities for the definition and enforcement of precise security policies. This paper presents the Antigone 2.0 framework that allows the flexible specification and enforcement of group security policies. Enforcement is achieved through the policy directed composition and configuration of sets of basic security services implementing the group. We summarize the design of the Antigone 2.0 architecture, its use, and the Application Programming Interface (API). The use of the API is illustrated through two applications built on Antigone; a reliable multicast system and host level multicast security service. We conclude with a description of current status and plans for future work. 1