Role based access control in a telecommunications operations and maintenance network / Rollbaserad behörighetskontroll i ett drift- och underhållssystem för telekommunikation

Gunnarsson, Peter

January 2005

<p>Ericsson develops and builds mobile telecommunication networks. These networks consists of a large number of equipment. Each telecommunication company has a staff of administrators appointed to manage respective networks. </p><p>In this thesis, we investigate the requirements for an access control model to manage the large number of permissions and equipment in telecommunication networks. Moreover, we show that the existing models do not satisfy the identified requirements. Therefore, we propose a novel RBAC model which is adapted for these conditions. </p><p>We also investigate some of the most common used commercial tools for administrating RBAC, and evaluate their effectiveness in coping with our new proposed model. However, we find the existing tools limited, and thereby design and partly implement a RBAC managing system which is better suited to the requirements posed by our new model.</p>

Datalogi

Role Based Access Control

RBAC

security

authorization model

administration tools

Datalogi

Computer science

Datalogi

Powers of War: President Versus Congress

Santo, Jordan D.

01 January 2011

Before the United States Constitution was ratified there was much debate about what war powers the executive and legislative branches should hold. After much deliberation it was decided that the power to declare war would fall under the control of Congress. But as time passed, control over initiating military action began to shift from Congress to the President. This thesis examines the shift of power from the legislature to the President. The thesis explains the difference between a declaration of war, an authorization of force, as well as using the military as a police force. It examines the precedents set by Presidents Abraham Lincoln, Franklin Roosevelt, and Harry Truman, as well as the more recent methods used by Presidents Bill Clinton, George W. Bush, and Barack Obama. It also analyzes some of the major court cases that have dealt with the War Powers Clause and several War Powers Resolution. The information collected in this thesis comes from biographies, journal articles, and newspaper articles regarding the subject. This thesis shows that the executive has taken more power in initiating and continuing armed conflict and that the declaration of war, as defined in the Constitution, is obsolete.

War Powers

George W. Bush

Kosovo

Libya

Authorization of Force

Declaration of War

American Politics

Constitutional Law

A Statistically Rigorous Evaluation of the Cascade Bloom Filter for Distributed Access Enforcement in Role-Based Access Control (RBAC) Systems

Zitouni, Toufik

January 2010

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC’s increasing adoption, and the proliferation of data that needs to be protected. Our particular interest is in the evaluation of a new data structure that has recently been proposed for enforcement: the Cascade Bloom Filter. The Cascade Bloom Filter is an extension of the Bloom filter, and provides for time- and space-efficient encodings of sets. We compare the Cascade Bloom Filter to the Bloom Filter, and another approach called Authorization Recycling that has been proposed for distributed access enforcement in RBAC. One of the challenges we address is the lack of a benchmark: we propose and justify a benchmark for the assessment. Also, we adopt a statistically rigorous approach for empirical assessment from recent work. We present our results for time- and space-efficiency based on our benchmark. We demonstrate that, of the three data structures that we consider, the Cascade Bloom Filter scales the best with the number of RBAC sessions from the standpoints of time- and space-efficiency.

Role Based Access Control

Cascade Bloom Filter

Authorization Recycling

Electrical and Computer Engineering

Secure Schemes for Semi-Trusted Environment

Tassanaviboon, Anuchart

January 2011

In recent years, two distributed system technologies have emerged: Peer-to-Peer (P2P) and cloud computing. For the former, the computers at the edge of networks share their resources, i.e., computing power, data, and network bandwidth, and obtain resources from other peers in the same community. Although this technology enables efficiency, scalability, and availability at low cost of ownership and maintenance, peers defined as ``like each other'' are not wholly controlled by one another or by the same authority. In addition, resources and functionality in P2P systems depend on peer contribution, i.e., storing, computing, routing, etc. These specific aspects raise security concerns and attacks that many researchers try to address. Most solutions proposed by researchers rely on public-key certificates from an external Certificate Authority (CA) or a centralized Public Key Infrastructure (PKI). However, both CA and PKI are contradictory to fully decentralized P2P systems that are self-organizing and infrastructureless. To avoid this contradiction, this thesis concerns the provisioning of public-key certificates in P2P communities, which is a crucial foundation for securing P2P functionalities and applications. We create a framework, named the Self-Organizing and Self-Healing CA group (SOHCG), that can provide certificates without a centralized Trusted Third Party (TTP). In our framework, a CA group is initialized in a Content Addressable Network (CAN) by trusted bootstrap nodes and then grows to a mature state by itself. Based on our group management policies and predefined parameters, the membership in a CA group is dynamic and has a uniform distribution over the P2P community; the size of a CA group is kept to a level that balances performance and acceptable security. The muticast group over an underlying CA group is constructed to reduce communication and computation overhead from collaboration among CA members. To maintain the quality of the CA group, the honest majority of members is maintained by a Byzantine agreement algorithm, and all shares are refreshed gradually and continuously. Our CA framework has been designed to meet all design goals, being self-organizing, self-healing, scalable, resilient, and efficient. A security analysis shows that the framework enables key registration and certificate issue with resistance to external attacks, i.e., node impersonation, man-in-the-middle (MITM), Sybil, and a specific form of DoS, as well as internal attacks, i.e., CA functionality interference and CA group subversion. Cloud computing is the most recent evolution of distributed systems that enable shared resources like P2P systems. Unlike P2P systems, cloud entities are asymmetric in roles like client-server models, i.e., end-users collaborate with Cloud Service Providers (CSPs) through Web interfaces or Web portals. Cloud computing is a combination of technologies, e.g., SOA services, virtualization, grid computing, clustering, P2P overlay networks, management automation, and the Internet, etc. With these technologies, cloud computing can deliver services with specific properties: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured services. However, theses core technologies have their own intrinsic vulnerabilities, so they induce specific attacks to cloud computing. Furthermore, since public clouds are a form of outsourcing, the security of users' resources must rely on CSPs' administration. This situation raises two crucial security concerns for users: locking data into a single CSP and losing control of resources. Providing inter-operations between Application Service Providers (ASPs) and untrusted cloud storage is a countermeasure that can protect users from lock-in with a vendor and losing control of their data. To meet the above challenge, this thesis proposed a new authorization scheme, named OAuth and ABE based authorization (AAuth), that is built on the OAuth standard and leverages Ciphertext-Policy Attribute Based Encryption (CP-ABE) and ElGamal-like masks to construct ABE-based tokens. The ABE-tokens can facilitate a user-centric approach, end-to-end encryption and end-to-end authorization in semi-trusted clouds. With these facilities, owners can take control of their data resting in semi-untrusted clouds and safely use services from unknown ASPs. To this end, our scheme divides the attribute universe into two disjointed sets: confined attributes defined by owners to limit the lifetime and scope of tokens and descriptive attributes defined by authority(s) to certify the characteristic of ASPs. Security analysis shows that AAuth maintains the same security level as the original CP-ABE scheme and protects users from exposing their credentials to ASP, as OAuth does. Moreover, AAuth can resist both external and internal attacks, including untrusted cloud storage. Since most cryptographic functions are delegated from owners to CSPs, AAuth gains computing power from clouds. In our extensive simulation, AAuth's greater overhead was balanced by greater security than OAuth's. Furthermore, our scheme works seamlessly with storage providers by retaining the providers' APIs in the usual way.

Security

Cloud Computing

Access Control

Authorization

OAuth

Attribute Based Encryption

Electrical and Computer Engineering

Multi-Agent Designated Proxy Re-Signature Scheme

Lin, I-Shu

28 August 2012

With the convenience and development of digital signature and network technologies, several companies are beginning to transmit documents and messages over networks.This is expected to reduce costs and improve the efficiency of the working process. Based on the typical digital signature technique over public key infrastructure, each company can apply for its own certificate from the certificate authority to enable people to verify whether a message is signed by the company through the public key within the certificate. Generally, a general manager is responsible for signing a message to be published. However, the general manager is not always available; hence, the proxy signature scheme can be an efficient solution to this problem. In the typical proxy signature scheme, the delegator will delegate a proxy agent with the power of signing. The proxy agent can sign and produce the signature of the company on behalf of the general manager. A malicious proxy agent involved in the signing process may cause substantial damage to the company because of misbehaviors, such as signature forgery. Therefore, we propose a provably secure multi-agent designated proxy re-signature scheme. In the proposed scheme, the general manager designates several agents as delegatees. Each delegatee signs the message and send her/his signature to the proxy. The proxy can re-sign the message to form the signature of the company only when the proxy has obtained signatures from all delegatees. In addition, security definitions and formal proofs are provided in our scheme.

Digital Signature

Proxy Re-Signature

Multi-Agent

Authorization

Designated proxy re-signature

Determination of precipitated primary non-adherence after step therapy intervention in 4 classes of therapy

Sohl, David Jeremy

16 March 2015

In light of drastically escalating costs for today’s medications, pharmacy benefit managers are seeking a constant balance of effectiveness and cost control. Step Therapy helps to address these concerns with a try medication “A” before medication “B” logic. Like all medical interventions, the possibility of unintended consequences exists. The purpose of this study was to determine if non-adherence results from application of Step Therapy for selected medication classes (antihyperlipidemics (specifically the HMG Co-A reductase inhibitors), angiotensin receptor blockers, uro-selective alpha-blockers, and dipeptidyl peptidase-4 inhibitors) in the Department of Defense. Using a retrospective database analysis, this study examined the primary adherence rate of subjects after they have been denied coverage due to Step Therapy intervention. Additionally, this study examined the association of demographic and service-related factors with the likelihood that a patient will be non-adherent after encountering the intervention. Finally, the study measured the time to adherence after intervention for those who were persistent after a Step Therapy claim rejection. STATA version 10.0 was used to conduct logistic regression analyses to meet the study objectives. After examination of 279,508 claims for 27,202 subjects, the estimated primary non-adherence rate following the Step Therapy intervention for all medication classes combined was 15.1%. Additionally, there was inter-class variability in this rate ranging between 13.1% and 19.5%. A statistical and practical difference was also noted in non-adherence rates between subjects who received care at the retail point of service versus those who received care at the mail order point of service. Subjects who received care through retail were nearly twice as likely to be non-adherent as those who received care in the mail order segment. For those subjects who were persistent with therapy, the median time-to-fill was estimated at 7 days. The occurrence of non-adherence following a Step Therapy intervention was clearly demonstrated through this study. Although this study provides good framework for designing interventions after claim rejection, further research would help to determine the health impact of primary non-adherence as well as the economic consequences of the intervention. / text

Pharmacy

Prior authorization

Step therapy

Military

DoD

Insurance

Benefit management

PBM

Medicine

Drugs

Adherence

Compliance

Persistence

A Statistically Rigorous Evaluation of the Cascade Bloom Filter for Distributed Access Enforcement in Role-Based Access Control (RBAC) Systems

Zitouni, Toufik

January 2010

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC’s increasing adoption, and the proliferation of data that needs to be protected. Our particular interest is in the evaluation of a new data structure that has recently been proposed for enforcement: the Cascade Bloom Filter. The Cascade Bloom Filter is an extension of the Bloom filter, and provides for time- and space-efficient encodings of sets. We compare the Cascade Bloom Filter to the Bloom Filter, and another approach called Authorization Recycling that has been proposed for distributed access enforcement in RBAC. One of the challenges we address is the lack of a benchmark: we propose and justify a benchmark for the assessment. Also, we adopt a statistically rigorous approach for empirical assessment from recent work. We present our results for time- and space-efficiency based on our benchmark. We demonstrate that, of the three data structures that we consider, the Cascade Bloom Filter scales the best with the number of RBAC sessions from the standpoints of time- and space-efficiency.

Role Based Access Control

Cascade Bloom Filter

Authorization Recycling

Electrical and Computer Engineering

Secure Schemes for Semi-Trusted Environment

Tassanaviboon, Anuchart

January 2011

In recent years, two distributed system technologies have emerged: Peer-to-Peer (P2P) and cloud computing. For the former, the computers at the edge of networks share their resources, i.e., computing power, data, and network bandwidth, and obtain resources from other peers in the same community. Although this technology enables efficiency, scalability, and availability at low cost of ownership and maintenance, peers defined as ``like each other'' are not wholly controlled by one another or by the same authority. In addition, resources and functionality in P2P systems depend on peer contribution, i.e., storing, computing, routing, etc. These specific aspects raise security concerns and attacks that many researchers try to address. Most solutions proposed by researchers rely on public-key certificates from an external Certificate Authority (CA) or a centralized Public Key Infrastructure (PKI). However, both CA and PKI are contradictory to fully decentralized P2P systems that are self-organizing and infrastructureless. To avoid this contradiction, this thesis concerns the provisioning of public-key certificates in P2P communities, which is a crucial foundation for securing P2P functionalities and applications. We create a framework, named the Self-Organizing and Self-Healing CA group (SOHCG), that can provide certificates without a centralized Trusted Third Party (TTP). In our framework, a CA group is initialized in a Content Addressable Network (CAN) by trusted bootstrap nodes and then grows to a mature state by itself. Based on our group management policies and predefined parameters, the membership in a CA group is dynamic and has a uniform distribution over the P2P community; the size of a CA group is kept to a level that balances performance and acceptable security. The muticast group over an underlying CA group is constructed to reduce communication and computation overhead from collaboration among CA members. To maintain the quality of the CA group, the honest majority of members is maintained by a Byzantine agreement algorithm, and all shares are refreshed gradually and continuously. Our CA framework has been designed to meet all design goals, being self-organizing, self-healing, scalable, resilient, and efficient. A security analysis shows that the framework enables key registration and certificate issue with resistance to external attacks, i.e., node impersonation, man-in-the-middle (MITM), Sybil, and a specific form of DoS, as well as internal attacks, i.e., CA functionality interference and CA group subversion. Cloud computing is the most recent evolution of distributed systems that enable shared resources like P2P systems. Unlike P2P systems, cloud entities are asymmetric in roles like client-server models, i.e., end-users collaborate with Cloud Service Providers (CSPs) through Web interfaces or Web portals. Cloud computing is a combination of technologies, e.g., SOA services, virtualization, grid computing, clustering, P2P overlay networks, management automation, and the Internet, etc. With these technologies, cloud computing can deliver services with specific properties: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured services. However, theses core technologies have their own intrinsic vulnerabilities, so they induce specific attacks to cloud computing. Furthermore, since public clouds are a form of outsourcing, the security of users' resources must rely on CSPs' administration. This situation raises two crucial security concerns for users: locking data into a single CSP and losing control of resources. Providing inter-operations between Application Service Providers (ASPs) and untrusted cloud storage is a countermeasure that can protect users from lock-in with a vendor and losing control of their data. To meet the above challenge, this thesis proposed a new authorization scheme, named OAuth and ABE based authorization (AAuth), that is built on the OAuth standard and leverages Ciphertext-Policy Attribute Based Encryption (CP-ABE) and ElGamal-like masks to construct ABE-based tokens. The ABE-tokens can facilitate a user-centric approach, end-to-end encryption and end-to-end authorization in semi-trusted clouds. With these facilities, owners can take control of their data resting in semi-untrusted clouds and safely use services from unknown ASPs. To this end, our scheme divides the attribute universe into two disjointed sets: confined attributes defined by owners to limit the lifetime and scope of tokens and descriptive attributes defined by authority(s) to certify the characteristic of ASPs. Security analysis shows that AAuth maintains the same security level as the original CP-ABE scheme and protects users from exposing their credentials to ASP, as OAuth does. Moreover, AAuth can resist both external and internal attacks, including untrusted cloud storage. Since most cryptographic functions are delegated from owners to CSPs, AAuth gains computing power from clouds. In our extensive simulation, AAuth's greater overhead was balanced by greater security than OAuth's. Furthermore, our scheme works seamlessly with storage providers by retaining the providers' APIs in the usual way.

Security

Cloud Computing

Access Control

Authorization

OAuth

Attribute Based Encryption

Electrical and Computer Engineering

Engineering Trusted Location Services and Context-aware Augmentations for Network Authorization Models

Wullems, Christian John

January 2005

Context-aware computing has been a rapidly growing research area, however its uses have been predominantly targeted at pervasive applications for smart spaces such as smart homes and workplaces. This research has investigated the use of location and other context data in access control policy, with the purpose of augmenting existing IP and application-layer security to provide fine-grained access control and effective enforcement of security policy. The use of location and other context data for security purposes requires that the technologies and methods used for acquiring the context data are trusted. This thesis begins with the description of a framework for the analysis of location systems for use in security services and critical infrastructure. This analysis classifies cooperative locations systems by their modes of operation and the common primitives they are composed of. Common location systems are analyzed for inherent security flaws and limitations based on the vulnerability assessment of location system primitives and the taxonomy of known attacks. An efficient scheme for supporting trusted differential GPS corrections is proposed, such that DGPS vulnerabilities that have been identified are mitigated. The proposal augments the existing broadcast messaging protocol with a number of new messages facilitating origin authentication and integrity of broadcast corrections for marine vessels. A proposal for a trusted location system based on GSM is presented, in which a model for tamper resistant location determination using GSM signaling is designed. A protocol for association of a user to a cell phone is proposed and demonstrated in a framework for both Web and Wireless Application Protocol (WAP) applications. After introducing the security issues of existing location systems and a trusted location system proposal, the focus of the thesis changes to the use of location data in authorization and access control processes. This is considered at both the IP-layer and the application-layer. For IP-layer security, a proposal for location proximity-based network packet filtering in IEEE 802.11 Wireless LANs is presented. This proposal details an architecture that extends the Linux netfilter system to support proximity-based packet filtering, using methods of transparent location determination through the application of a pathloss model to raw signal measurements. Our investigation of application-layer security resulted in the establishment of a set of requirements for the use of contextual information in application level authorization. Existing network authentication protocols and access control mechanisms are analyzed for their ability to fulfill these requirements and their suitability in facilitating context-aware authorization. The result is the design and development of a new context-aware authorization architecture, using the proposed modifications to Role-based Access Control (RBAC). One of the distinguishing characteristics of the proposed architecture is its ability to handle authorization with context-transparency, and provide support for real-time granting and revocation of permissions. During the investigation of the context-aware authorization architecture, other security contexts in addition to host location were found to be useful in application level authorization. These included network topology between the host and application server, the security of the host and the host execution environment. Details of the prototype implementation, performance results, and context acquisition services are presented.

Pervasive

ubiquitous

authorization

access control

location

trusted location

context

context-aware

network security

Theory and Ideology of Debates on Dismissal in Spain / Teoría e Ideología de los Debates sobre el Despido en España

Valdés Dal-Ré, Fernando

10 April 2018

This article analyzes the three major debates that have steadily been following the numerous regulatory changes, as regards dismissal, preceded the recent reform of 2012. They are: the regulation of the principle of causality and contradiction of dismissal which involves the allocation of unfair dismissal statute efficiency, reducing the cost of dismissal as a measure to combat chronic high rate of temporary employment in the Spanish industrial relations system and, finally, the argument of maintaining historical administrative authorization for lay offs of collective character. An examination of these discussions, we try to review schematically the most controversial aspects of that reform, paying particular attention to the matters of regulation and choice of the legislature by the most extreme solutions for dismissal. / El presente trabajo analiza los tres grandes debates que de manera constante han venido acompañando a los numerosos cambios normativos que, en materia de despido, han precedido a la última reforma de 2012. Son ellos: la regulación del principio de causalidad del despido y la contradicción que comporta la atribución de eficacia extintiva a los despidos injustificados, la reducción del coste de despido como medida para combatir la crónica alta tasa de temporalidad en el sistema español de relaciones laborales y, en fin, la discusión del mantenimiento de la histórica autorización administrativa para los despidos de carácter colectivo. A partir del examen de estos debates, se intenta pasar revista de manera esquemática a los aspectos más controvertidos de la mencionada reforma, prestando una especial atención a las materias objeto de regulación y a la opción del legislador por las soluciones más extremas en materia de despido.

Cause Of Dismissal

Temporary Rate

Administrative Authorization

Causa Del Despido

Tasa De Temporalidad

Autorización Administrativa