Access Control Matrix


Arash Shaghaghi - One of the best experts on this subject based on the ideXlab platform.

  • Function-Based Access Control (FBAC): From Access Control Matrix to Access Control Tensor
    Computer and Communications Security, 2016
    Co-Authors: Yvo Desmedt, Arash Shaghaghi
    Abstract:

    The misuse of legitimate access to data is a serious information security concern for both organizations and individuals. From a security engineering viewpoint, this might be due to the failure of Access Control. Inspired by Functional Encryption, we introduce Function-Based Access Control (FBAC). From an abstract viewpoint, we suggest storing access authorizations as a three-dimensional tensor, or an Access Control Tensor (ACT), rather than the two-dimensional Access Control Matrix (ACM). In FBAC, applications do not give blindfolded execution right and can only invoke commands that have been authorized for function-defined data segments. So, one might be authorized to use a certain command on one object, while being forbidden to use the same command on another object. Such behavior cannot be efficiently modeled using the classical Access Control Matrix or achieved efficiently using cryptographic mechanisms. Here, we lay the theoretical foundations of FBAC and summarize our extended work on implementation and deployment recommendations.

  • Function-Based Access Control (FBAC): From Access Control Matrix to Access Control Tensor
    arXiv: Cryptography and Security, 2016
    Co-Authors: Yvo Desmedt, Arash Shaghaghi
    Abstract:

    Security researchers have stated that the core concept behind current implementations of Access Control predates the Internet. These assertions are made to pinpoint that there is a foundational gap in this field, and one should consider revisiting the concepts from the ground up. Moreover, insider threats, which are an increasing threat vector against organizations, are also associated with the failure of Access Control. Access Control models derived from the Access Control Matrix encompass three sets of entities: Subjects, Objects and Operations. Typically, objects are considered to be files and operations are regarded as Read, Write, and Execute. This implies an 'open sesame' approach when granting access to data, i.e. once access is granted, there is no restriction on command executions. Inspired by Functional Encryption, we propose applying access authorizations at a much finer granularity, but instead of an ad-hoc or computationally hard cryptographic approach, we postulate a foundational transformation to Access Control. From an abstract viewpoint, we suggest storing access authorizations as a three-dimensional tensor, which we call Access Control Tensor (ACT). In Function-Based Access Control (FBAC), applications do not give blindfolded execution right and can only invoke commands that have been authorized for data segments. In other words, one might be authorized to use a certain command on one object, while being forbidden to use exactly the same command on another object. The theoretical foundations of FBAC are presented along with its Policy, Enforcement and Implementation (PEI) requirements. A critical analysis of the advantages of deploying FBAC, how it will result in developing a new generation of applications, and compatibility with existing models and systems is also included. Finally, a proof-of-concept implementation of FBAC is presented.

Yvo Desmedt - One of the best experts on this subject based on the ideXlab platform.

  • Function-Based Access Control (FBAC): From Access Control Matrix to Access Control Tensor
    Computer and Communications Security, 2016
    Co-Authors: Yvo Desmedt, Arash Shaghaghi
    Abstract: identical to the entry of the same title listed under Arash Shaghaghi above.

  • Function-Based Access Control (FBAC): From Access Control Matrix to Access Control Tensor
    arXiv: Cryptography and Security, 2016
    Co-Authors: Yvo Desmedt, Arash Shaghaghi
    Abstract: identical to the entry of the same title listed under Arash Shaghaghi above.

K Knorr - One of the best experts on this subject based on the ideXlab platform.

  • Dynamic Access Control through Petri Net Workflows
    Annual Computer Security Applications Conference, 2000
    Co-Authors: K Knorr
    Abstract:

    Access Control is an important protection mechanism for information systems. An Access Control Matrix grants subjects privileges to objects. Today, Access Control matrices are static; they rarely change over time. This paper shows how to make Access Control matrices dynamic by means of workflows. Access rights are granted according to the state of the workflow. By this practice the risk of data misuse is decreased, which is proven through an equation given in the paper. The concept of workflow is defined by Petri nets, which offer a solid mathematical foundation and are well suited to represent discrete models such as workflows.

Weipang Yang - One of the best experts on this subject based on the ideXlab platform.

  • Refereed paper: An Access Control Scheme Based on Chinese Remainder Theorem and Time Stamp Concept
    Computers & Security, 1996
    Co-Authors: Minshiang Hwang, Wenguey Tzeng, Weipang Yang
    Abstract:

    In this paper we propose a new dynamic Access Control method for the computer system with frequently inserted, deleted and updated users/files. Our method, based on the concepts of the Access Control Matrix, key-lock-pair, time stamp and Chinese remainder theorem, associates each user with a user key and a user lock and each file with a file key and a file lock. Our method can achieve the following four goals.
    (1) By a simple modulo operation on the keys and locks of the user and the file, we can reveal the access right of a user to a file.
    (2) When a user/file is added to the computer system, we only assign a key and a lock to the user/file without affecting the keys and locks of the other users/files in the system.
    (3) When a user/file is deleted from the computer system, we simply erase the entry of the user/file in the computer system.
    (4) When the access right of a user to a file is updated, we merely modify the key and lock of the user or the file without affecting the keys and locks of the other users/files in the system.
    The main contribution of our method is that the action of inserting or deleting a user/file, or updating the access right of a user to a file, can be done by modifying only one key and one lock, which could not be achieved simultaneously before.

Minshiang Hwang - One of the best experts on this subject based on the ideXlab platform.

  • Refereed paper: An Access Control Scheme Based on Chinese Remainder Theorem and Time Stamp Concept
    Computers & Security, 1996
    Co-Authors: Minshiang Hwang, Wenguey Tzeng, Weipang Yang
    Abstract: identical to the entry of the same title listed under Weipang Yang above.