Authorization Information


The Experts below are selected from a list of 18318 Experts worldwide ranked by ideXlab platform

Carsten Bormann - One of the best experts on this subject based on the ideXlab platform.

  • Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)
    2019
    Co-Authors: Stefanie Gerdes, Ludwig Seitz, Olaf Bergmann, Göran Selander, Carsten Bormann
    Abstract:

    This specification defines a profile of the ACE framework that allows constrained servers to delegate client authentication and authorization. The protocol relies on DTLS for communication security between entities in a constrained network using either raw public keys or pre-shared keys. A resource-constrained server can use this protocol to delegate management of authorization information to a trusted host with less severe limitations regarding processing power and memory.

  • c3dc: Constrained Client Cross-Domain Capable Authorization Profile for Authentication and Authorization for Constrained Environments (ACE)
    2018
    Co-Authors: Stefanie Gerdes, Olaf Bergmann, Carsten Bormann
    Abstract:

    Resource-constrained nodes come in various sizes and shapes and often have constraints on code size, state memory, processing capabilities, user interface, power and communication bandwidth (RFC 7228). This document specifies a profile that describes how two autonomous resource-constrained devices, a client and a server, obtain the required keying material and authorization information to securely communicate with each other. Each of the devices is coupled with a less-constrained device, the authorization manager, that helps with difficult authentication and authorization tasks. The constrained devices do not need to register with authorization managers from other security domains. The profile specifically targets constrained clients and servers. It is designed to consider the security objectives of the owners on the server and the client side.

Qin Liu - One of the best experts on this subject based on the ideXlab platform.

  • Dynamic Multi-Client Searchable Symmetric Encryption with Support for Boolean Queries
    Information Sciences, 2020
    Co-Authors: Qin Liu, Shaobo Zhang
    Abstract:

    With the rapid growth of cloud computing, an increasing amount of data is being outsourced to cloud servers; in the meantime, how to search data securely and efficiently has become an unprecedented concern. Searchable symmetric encryption (SSE), which enables keyword-based searches over encrypted data, provides an efficient way to address this problem. However, the majority of existing SSE schemes focus on single-keyword searches in the single-client setting, which limits their wide application in cloud computing. In this paper, we propose a Dynamic Multi-client SSE (DMSSE) scheme with support for boolean queries, by incorporating a client's authorization information into search tokens and indexes. Our scheme allows a data owner to authorize multiple clients to perform boolean queries over an encrypted database, and limits a client's search ability to legitimate keywords. Compared with existing MSSE schemes, our DMSSE scheme has the following merits: 1) Non-interactivity. After the grant of search permission, the clients can perform queries on their own without the help of the data owner. 2) Dynamic. The data owner can efficiently update a client's search permission without affecting other clients. Experimental evaluations conducted on a real data set demonstrate that our DMSSE scheme is practical for use in a large-scale encrypted database.

Stefanie Gerdes - One of the best experts on this subject based on the ideXlab platform.

  • Co-author of the two ACE profile documents (the DTLS profile, 2019, and the c3dc profile, 2018) listed above under Carsten Bormann.

Soon M Chung - One of the best experts on this subject based on the ideXlab platform.

  • Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)
    2007
    Co-Authors: Soon M Chung, Anil L Pereira
    Abstract:

    Grid has emerged recently as an integration infrastructure for the sharing and coordinated use of diverse resources in dynamic, distributed virtual organizations (VOs). A Data Grid is an architecture for the access, exchange, and sharing of data in the Grid environment. In this dissertation, role-based access control (RBAC) systems for heterogeneous data resources in Data Grid systems are proposed. The Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) is a widely used framework for the integration of heterogeneous data resources in Grid systems. However, in the OGSA-DAI system, access control causes substantial administration overhead for resource providers in VOs because each of them has to manage the authorization information for individual Grid users. Its identity-based access control mechanisms are severely inefficient and too complicated to manage because the direct mapping between users and privileges is transitory. To solve this problem, (1) the Community Authorization Service (CAS), provided by the Globus Toolkit, and (2) Shibboleth, an attribute authorization service, are used to support RBAC in the OGSA-DAI system. The Globus Toolkit is widely used software for building Grid systems. Access control policies need to be specified and managed across multiple VOs. For this purpose, the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML) is used; and for distributed administration of those policies, the Object, Metadata and Artifacts Registry (OMAR) is used. OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories. The RBAC systems allow quick and easy deployments, privacy protection, and the centralized and distributed management of privileges. They support scalable, interoperable and fine-grained access control services; dynamic delegation of rights; and user-role assignments. They also reduce the administration overheads for resource providers because they need to maintain only the mapping information from VO roles to local database roles. Resource providers maintain the ultimate authority over their resources. Moreover, unnecessary mapping and connections can be avoided by denying invalid requests at the VO level. Performance analysis shows that our RBAC systems add only a small overhead to the existing security infrastructure of OGSA-DAI.

  • Role-Based Access Control for Grid Database Services Using the Community Authorization Service
    IEEE Transactions on Dependable and Secure Computing, 2006
    Co-Authors: Anil L Pereira, Vineela Muppavarapu, Soon M Chung
    Abstract:

    In this paper, we propose a role-based access control (RBAC) method for grid database services in the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI). OGSA-DAI is an efficient grid-enabled middleware implementation of interfaces and services to access and control data sources and sinks. However, in OGSA-DAI, access control causes substantial administration overhead for resource providers in virtual organizations (VOs) because each of them has to manage a role-map file containing authorization information for individual grid users. To solve this problem, we used the Community Authorization Service (CAS) provided by the Globus Toolkit to support RBAC within the OGSA-DAI framework. The CAS grants membership on VO roles to users. The resource providers then need to maintain only the mapping information from VO roles to local database roles in the role-map files, so that the number of entries in the role-map file is reduced dramatically. Furthermore, the resource providers control the granting of access privileges to the local roles. Thus, our access control method provides increased manageability for a large number of users and reduces day-to-day administration tasks of the resource providers, while they maintain the ultimate authority over their resources. Performance analysis shows that our method adds very little overhead to the existing security infrastructure of OGSA-DAI.

Liu Ouyang - One of the best experts on this subject based on the ideXlab platform.

  • Vanguard: A Cache-Level Sensitive File Integrity Monitoring System in a Virtual Machine Environment
    IEEE Access, 2018
    Co-Authors: Bin Shi, Lei Cui, Liu Ouyang
    Abstract:

    Sensitive files in computer systems, such as executable programs, configuration, and authorization information, are of great importance in their own right, in terms of both confidentiality and functionality. To protect sensitive files, an effective approach known as file integrity monitoring has been proposed to detect aggressive behaviors by verifying all the actions on these sensitive files. However, due to the semantic gap problem, current file integrity monitoring tools are incapable of monitoring files in memory, so an illegal modification of a file may bypass detection by deliberately hiding itself inside the cache without actually being committed to disk. In this paper, we propose a runtime sensitive file integrity monitoring system named Vanguard to satisfy the requirement of cache-level file protection. It can monitor both I/O operations and cache operations, thereby deterring illegal file accesses. To achieve cache-level monitoring, we explore techniques to detect when sensitive files are loaded into and swapped out of the operating system page cache. Vanguard is isolated from the monitored system, so it is hard to subvert. We implement Vanguard on the QEMU/KVM platform, and both Linux and Windows guest operating systems are supported. We conduct several experiments, and the experimental results show the effectiveness of Vanguard and imply that our method incurs acceptable overhead.