PRIVACY-PRESERVING ATTRIBUTE-BASED ACCESS CONTROL IN A GRID

| | |
|---|---|
| Main Author: | Park, Sang Mork |
| Language: | English |
| Published: | Wright State University / OhioLINK, 2010 |
| Subjects: | Computer Science; Grid Security; Attribute-Based Access Control; Privacy; DNF conversion; CNF conversion; Globus; Shibboleth |
| Online Access: | http://rave.ohiolink.edu/etdc/view?acc_num=wright1283121251 |
Record ID: ndltd-OhioLink-oai-etd.ohiolink.edu-wright1283121251

Abstract

A Grid community is composed of diverse stakeholders, such as data resource providers, computing resource providers, service providers, and the users of the resources and services. In traditional security systems for Grids, most authentication and authorization mechanisms are based on the user's identity or the user's classification information. If the authorization mechanism is based on the user's identity, fine-grained access control policies can be implemented, but the scalability of the security system is limited. If the authorization mechanism is based on the user's classification, scalability can be improved, but fine-grained access control policies may not be supported. We developed an enhanced version of the Community Authorization Service (CAS) which supports centralized, fine-grained access control by managing the memberships, service types, resource objects and security policies of a Virtual Organization (VO). The current CAS provides fundamental solutions regarding user privacy, authentication and authorization, but its centralized management of a VO's security policies limits it in terms of scalability, flexibility and interoperability. We enhanced the CAS to support diverse security requirements within a dynamic Grid environment by enabling the CAS server to issue a proxy certificate embedding additional attributes of users. This allows service providers to offer customized services by analyzing the users' attributes and the security policies.

Previous research on privacy preservation in a Grid has focused on protecting the data stored in a data server and on securing the communication channel to protect exchanged data. Preserving the privacy of the users themselves has not been a major issue in the security domain. However, as on-line transactions prevail and diverse user attributes are required for authorization decisions, privacy preservation becomes an important issue. Attribute-Based Access Control (ABAC) employs multiple attributes for authorization decisions, which enables the security system to be flexible, interoperable, and multifunctional. However, ABAC has disadvantages with regard to privacy preservation because it requires the circulation of user attributes, which increases the risk of privacy violations. To enhance the privacy-preserving capability of ABAC in a Grid, we developed an attribute release control mechanism that publishes an optimal set of attributes: those essential to access a desired resource (or service), while exposing the least amount of sensitive user information. To facilitate the selection of this optimal set, we also developed the Security Policy Publication Service (SPPS), which retrieves the access conditions from access control policies written in the eXtensible Access Control Markup Language (XACML) and converts them into a Disjunctive Normal Form (DNF) over attributes. We modified the Shibboleth Identity Provider and GridShib to implement our privacy-preserving ABAC, and the performance analysis shows that the overhead of the proposed system is very small.

Date: 2010-10-27
Type: text
Access: unrestricted
Rights: This thesis or dissertation is protected by copyright: all rights reserved. It may not be copied or redistributed beyond the terms of applicable copyright laws.
Collection: NDLTD