Global ETD Search

1	An Ontology-Based Approach to Attribute Management in ABAC Environment January 2014 (has links) abstract: Attribute Based Access Control (ABAC) mechanisms have been attracting a lot of interest from the research community in recent times. This is especially because of the flexibility and extensibility it provides by using attributes assigned to subjects as the basis for access control. ABAC enables an administrator of a server to enforce access policies on the data, services and other such resources fairly easily. It also accommodates new policies and changes to existing policies gracefully, thereby making it a potentially good mechanism for implementing access control in large systems, particularly in today's age of Cloud Computing. However management of the attributes in ABAC environment is an area that has been little touched upon. Having a mechanism to allow multiple ABAC based systems to share data and resources can go a long way in making ABAC scalable. At the same time each system should be able to specify their own attribute sets independently. In the research presented in this document a new mechanism is proposed that would enable users to share resources and data in a cloud environment using ABAC techniques in a distributed manner. The focus is mainly on decentralizing the access policy specifications for the shared data so that each data owner can specify the access policy independent of others. The concept of ontologies and semantic web is introduced in the ABAC paradigm that would help in giving a scalable structure to the attributes and also allow systems having different sets of attributes to communicate and share resources. / Dissertation/Thesis / M.S. Computer Science 2014 Computer science Attribute Based Access Control Attribute Based Encryption Cloud Computing Ontology Security
2	Ciphertext-Policy Attribute-Based Encryption with Dynamic Membership Ruan, He-Ming 20 August 2008 (has links) Abstract Attribute-Based Encryption (ABE) is a relatively new encryption technology which is similar to multi-receiver encryption but the privacy of ciphertext receivers is protected by a set of attributes such that no one, even the encryptor, knows the identities of the receivers. Although the identities of those receivers remain unknown, the encryptor can ensure that all of the receivers cannot decrypt the ciphertext except for those who match the restrictions on predefined attribute values associated with the ciphertext. However, maintaining the correctness of users¡¦ attributes will take huge cost because the interactions between all users and the key generation center (KGC) are required to renew all of their private keys whenever a user joins, leaves the group, or updates the value of any of his attributes. Since user joining, leaving, and attribute updating may occur frequently in real situations, membership management will become a quite important issue in an ABE system but no existing scheme can perfectly cope with this problem. In this manuscript, we will present an ABE scheme which aims at the issue on dynamic membership management. Our work keeps high flexibility of the constrains on attributes and makes it possible for the procedures of user joining, leaving, and attribute updating to be dynamic, that is, it is not necessary for those users who do not update their attribute statuses to renew their private keys when some user changes his status. Finally, we also formally prove the security of the proposed scheme. Dynamic Membership Bilinear pairing Identity-based cryptosystem Attribute-based cryptosystem
3	A Top-Down Policy Engineering Framework for Attribute-Based Access Control Narouei, Masoud 05 1900 (has links) The purpose of this study is to propose a top-down policy engineering framework for attribute-based access control (ABAC) that aims to automatically extract ACPs from requirement specifications documents, and then, using the extracted policies, build or update an ABAC model. We specify a procedure that consists of three main components: 1) ACP sentence identification, 2) policy element extraction, and 3) ABAC model creation and update. ACP sentence identification processes unrestricted natural language documents and identify the sentences that carry ACP content. We propose and compare three different methodologies from different disciplines, namely deep recurrent neural networks (RNN-based), biological immune system (BIS-based), and a combination of multiple natural language processing techniques (PMI-based) in order to identify the proper methodology for extracting ACP sentences from irrelevant text. Our evaluation results improve the state-of-the-art by a margin of 5% F1-Measure. To aid future research, we also introduce a new dataset that includes 5000 sentences from real-world policy documents. ABAC policy extraction extracts ACP elements such as subject, object, and action from the identified ACPs. We use semantic roles and correctly identify ACP elements with an average F1 score of 75%, which bests the previous work by 15%. Furthermore, as SRL tools are often trained on publicly available corpora such as Wall Street Journal, we investigate the idea of improving SRL performance using domain-related knowledge. We utilize domain adaptation and semi-supervised learning techniques and improve the SRL performance by 2% using only a small amount of access control data. The third component, ABAC model creation and update, builds a new ABAC model or updates an existing one using the extracted ACP elements. For this purpose, we present an efficient methodology based on a particle swarm optimization algorithm for solving ABAC policy mining with minimal perturbation. Experimental results demonstrate that the proposed methodology generates much less complex policies than previous works using the same realistic case studies. Furthermore, we perform experiments on how to find an ABAC state as similar as possible to both the existing state and the optimal state. Part of the data utilized in this study was collected from the University of North Texas Policy Office, as well as policy documents from the university of North Texas Health Science Center, for the school years 2015-2016 through 2016-2017. Attribute-based Access Control Policy Engineering Access Control Policy
4	The Abacus: A New Approach to Authorization Siebach, Jacob Aaron Jess 09 August 2021 (has links) The purpose of this thesis is to investigate the implementation of digital authorization for computer systems, specifically how to implement an efficient and secure authorization engine that uses policies and attributes to calculate authorization. The architecture for the authorization engine is discussed, the efficiency of the engine is characterized by various tests, and the security model is reviewed against other presently existing models. The resulting efforts showed an increase in efficiency of almost two orders of magnitude, along with a reduction in the amount of processing power required to run the engine. The main focus of the work is how to provide precise, performant authorization using policies and attributes in a way that does not require the authorization engine to break domain boundaries by directly accessing data stores. Specifically, by pushing attributes from source domains into the authorization service, domains do not require the authorization service to have access to the data stores of the domain, nor is the authorization service required to have credentials to access data via APIs. This model also allows for a significant reduction in data motion as attributes need only be sent over the network once (when the attribute changes) as opposed to every time that the engine needs the attribute or every time that an attribute cache needs to be refreshed, resulting in a more secure way to store attributes for authorization purposes. authorization RBAC ABAC domain-driven design attribute-based authorization Engineering
5	Data Sharing on Untrusted Storage with Attribute-Based Encryption Yu, Shucheng 13 July 2010 (has links) "Storing data on untrusted storage makes secure data sharing a challenge issue. On one hand, data access policies should be enforced on these storage servers; on the other hand, confidentiality of sensitive data should be well protected against them. Cryptographic methods are usually applied to address this issue -- only encrypted data are stored on storage servers while retaining secret key(s) to the data owner herself; user access is granted by issuing the corresponding data decryption keys. The main challenges for cryptographic methods include simultaneously achieving system scalability and fine-grained data access control, efficient key/user management, user accountability and etc. To address these challenge issues, this dissertation studies and enhances a novel public-key cryptography -- attribute-based encryption (ABE), and applies it for fine-grained data access control on untrusted storage. The first part of this dissertation discusses the necessity of applying ABE to secure data sharing on untrusted storage and addresses several security issues for ABE. More specifically, we propose three enhancement schemes for ABE: In the first enhancement scheme, we focus on how to revoke users in ABE with the help of untrusted servers. In this work, we enable the data owner to delegate most computation-intensive tasks pertained to user revocation to untrusted servers without disclosing data content to them. In the second enhancement scheme, we address key abuse attacks in ABE, in which authorized but malicious users abuse their access privileges by sharing their decryption keys with unauthorized users. Our proposed scheme makes it possible for the data owner to efficiently disclose the original key owner's identity merely by checking the input and output of a suspicious user's decryption device. Our third enhancement schemes study the issue of privacy preservation in ABE. Specifically, our proposed schemes hide the data owner's access policy not only to the untrusted servers but also to all the users. The second part presents our ABE-based secure data sharing solutions for two specific applications -- Cloud Computing and Wireless Sensor Networks (WSNs). In Cloud Computing cloud servers are usually operated by third-party providers, which are almost certain to be outside the trust domain of cloud users. To secure data storage and sharing for cloud users, our proposed scheme lets the data owner (also a cloud user) generate her own ABE keys for data encryption and take the full control on key distribution/revocation. The main challenge in this work is to make the computation load affordable to the data owner and data consumers (both are cloud users). We address this challenge by uniquely combining various computation delegation techniques with ABE and allow both the data owner and data consumers to securely mitigate most computation-intensive tasks to cloud servers which are envisaged to have unlimited resources. In WSNs, wireless sensor nodes are often unattendedly deployed in the field and vulnerable to strong attacks such as memory breach. For securing storage and sharing of data on distributed storage sensor nodes while retaining data confidentiality, sensor nodes encrypt their collected data using ABE public keys and store encrypted data on storage nodes. Authorized users are given corresponding decryption keys to read data. The main challenge in this case is that sensor nodes are extremely resource-constrained and can just afford limited computation/communication load. Taking this into account we divide the lifetime of sensor nodes into phases and distribute the computation tasks into each phase. We also revised the original ABE scheme to make the overhead pertained to user revocation minimal for sensor nodes. Feasibility of the scheme is demonstrated by experiments on real sensor platforms. " Secure Data Sharing Access Control Untrusted Storage Cloud Computing Attribute-Based Encryption
6	Achieving secure and efficient access control of personal health records in a storage cloud Binbusayyis, Adel January 2017 (has links) A personal health record (PHR) contains health data about a patient, which is maintained by the patient. Patients may share their PHR data with a wide range of users such as healthcare providers and researchers through the use of a third party such as a cloud service provider. To protect the confidentiality of the data and to facilitate access by authorized users, patients use Attribute-Based Encryption (ABE) to encrypt the data before uploading it onto the cloud servers. With ABE, an access policy is defined based on users' attributes such as a doctor in a particular hospital, or a researcher in a particular university, and the encrypted data can only be decrypted if and only if a user's attributes comply with the access policy attached to a data object. Our critical analysis of the related work in the literature shows that existing ABE based access control frameworks used for sharing PHRs in a storage cloud can be enhanced in terms of scalability and security. With regard to scalability, most existing ABE based access control frameworks rely on the use of a single attribute authority to manage all users, making the attribute authority into a potential bottleneck regarding performance and security. With regard to security, the existing ABE based access control frameworks assume that all users have the same level of trust (i.e. they are equally trustworthy) and all PHR data files have the same sensitivity level, which means that the same protection level is provided. However, in our analysis of the problem context, we have observed that this assumption may not always be valid. Some data, such as patients' personal details and certain diseases, is more sensitive than other data, such as anonymised data. Access to more sensitive data should be governed by more stringent access control measures. This thesis presents our work in rectifying the two limitations highlighted above. In doing so, we have made two novel contributions. The first is the design and evaluation of a Hierarchical Attribute-Based Encryption (HABE) framework for sharing PHRs in a storage cloud. The HABE framework can spread the key management overheads imposed on a single attribute authority tasked with the management of all the users into multiple attribute authorities. This is achieved by (1) classifying users into different groups (called domains) such as healthcare, education, etc., (2) making use of multiple attribute authorities in each domain, (3) structuring the multiple attribute authorities in each domain in a hierarchical manner, and (4) allowing each attribute authority to be responsible for managing particular users in a specific domain, e.g. a hospital or a university. The HABE framework has been analyzed and evaluated in term of security and performance. The security analysis demonstrates that the HABE framework is resistant to a host of security attacks including user collusions. The performance has been analyzed in terms of computational and communication overheads and the results show that the HABE framework is more efficient and scalable than the most relevant comparable work. The second novel contribution is the design and evaluation of a Trust-Aware HABE (Trust+HABE) framework, which is an extension of the HABE framework. This framework is also intended for sharing PHRs in a storage cloud. The Trust+HABE framework is designed to enhance security in terms of protecting access to sensitive PHR data while keeping the overhead costs as low as possible. The idea used here is that we classify PHR data into different groups, each with a distinctive sensitivity level. A user requesting data from a particular group (with a given sensitivity level) must demonstrate that his/her trust level is not lower than the data sensitivity level (i.e. trust value vs data sensitivity verification). A user's trust level is derived based on a number of trust-affecting factors, such as his/her behaviour history and the authentication token type used to identify him/herself etc. For accessing data at the highest sensitivity level, users are required to get special permissions from the data owners (i.e. the patients who own the data), in addition to trust value vs data sensitivity verification. In this way, the framework not only adapts its protection level (in imposing access control) in response to the data sensitivity levels, but also provides patients with more fine-grained access control to their PHR data. The Trust+HABE framework is also analysed and evaluated in term of security and performance. The performance results from the Trust+HABE framework are compared against the HABE framework. The comparison shows that the additional computational, communication, and access delay costs introduced as the result of using the trust-aware approach to access control in this context are not significant compared with computational, communication, and access delay costs of the HABE framework. 004
7	IaaS-cloud security enhancement : an intelligent attribute-based access control model and implementation Al-Amri, Shadha M. S. January 2017 (has links) The cloud computing paradigm introduces an efficient utilisation of huge computing resources by multiple users with minimal expense and deployment effort compared to traditional computing facilities. Although cloud computing has incredible benefits, some governments and enterprises remain hesitant to transfer their computing technology to the cloud as a consequence of the associated security challenges. Security is, therefore, a significant factor in cloud computing adoption. Cloud services consist of three layers: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing services are accessed through network connections and utilised by multi-users who can share the resources through virtualisation technology. Accordingly, an efficient access control system is crucial to prevent unauthorised access. This thesis mainly investigates the IaaS security enhancement from an access control point of view.
8	Applying Attribute-Based Encryption in Two-Way Radio Talk Groups: A Feasibility Study Gough, Michael Andreas 01 May 2018 (has links) In two-way radio systems, talk groups are used to organize communication. Some situations may call for creating a temporary talk group, but there are no straightforward ways to do this. Making a new talk group requires programming radios off-line. Temporary groups can be created, but this requires inputting radio IDs which is tedious on a radio's limited controls. By describing group members using attributes, ciphertext-policy attribute-based encryption (CP-ABE) can be used to quickly create sub-groups of a talk group. This scheme requires fewer button presses and messages sent in the new talk group are kept secret. CP-ABE can be used on deployed hardware, but performance varies with the type of embedded processor and the number of attributes used. Because radio communication is time-critical, care must be taken not to introduce too much audio delay. By using benchmark programs on a variety of single-board computers, we explore the limits of using CP-ABE on a two-way radio. encryption two-way radio communication attribute-based encryption embedded hardware talk groups Electrical and Computer Engineering
9	Interaction Testing, Fault Location, and Anonymous Attribute-Based Authorization January 2019 (has links) abstract: This dissertation studies three classes of combinatorial arrays with practical applications in testing, measurement, and security. Covering arrays are widely studied in software and hardware testing to indicate the presence of faulty interactions. Locating arrays extend covering arrays to achieve identification of the interactions causing a fault by requiring additional conditions on how interactions are covered in rows. This dissertation introduces a new class, the anonymizing arrays, to guarantee a degree of anonymity by bounding the probability a particular row is identified by the interaction presented. Similarities among these arrays lead to common algorithmic techniques for their construction which this dissertation explores. Differences arising from their application domains lead to the unique features of each class, requiring tailoring the techniques to the specifics of each problem. One contribution of this work is a conditional expectation algorithm to build covering arrays via an intermediate combinatorial object. Conditional expectation efficiently finds intermediate-sized arrays that are particularly useful as ingredients for additional recursive algorithms. A cut-and-paste method creates large arrays from small ingredients. Performing transformations on the copies makes further improvements by reducing redundancy in the composed arrays and leads to fewer rows. This work contains the first algorithm for constructing locating arrays for general values of $d$ and $t$. A randomized computational search algorithmic framework verifies if a candidate array is $(\bar{d},t)$-locating by partitioning the search space and performs random resampling if a candidate fails. Algorithmic parameters determine which columns to resample and when to add additional rows to the candidate array. Additionally, analysis is conducted on the performance of the algorithmic parameters to provide guidance on how to tune parameters to prioritize speed, accuracy, or a combination of both. This work proposes anonymizing arrays as a class related to covering arrays with a higher coverage requirement and constraints. The algorithms for covering and locating arrays are tailored to anonymizing array construction. An additional property, homogeneity, is introduced to meet the needs of attribute-based authorization. Two metrics, local and global homogeneity, are designed to compare anonymizing arrays with the same parameters. Finally, a post-optimization approach reduces the homogeneity of an anonymizing array. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2019 Computer science attribute-based access control combinatorial testing covering array locating array randomized algorithm
10	Secure Schemes for Semi-Trusted Environment Tassanaviboon, Anuchart January 2011 (has links) In recent years, two distributed system technologies have emerged: Peer-to-Peer (P2P) and cloud computing. For the former, the computers at the edge of networks share their resources, i.e., computing power, data, and network bandwidth, and obtain resources from other peers in the same community. Although this technology enables efficiency, scalability, and availability at low cost of ownership and maintenance, peers defined as ``like each other'' are not wholly controlled by one another or by the same authority. In addition, resources and functionality in P2P systems depend on peer contribution, i.e., storing, computing, routing, etc. These specific aspects raise security concerns and attacks that many researchers try to address. Most solutions proposed by researchers rely on public-key certificates from an external Certificate Authority (CA) or a centralized Public Key Infrastructure (PKI). However, both CA and PKI are contradictory to fully decentralized P2P systems that are self-organizing and infrastructureless. To avoid this contradiction, this thesis concerns the provisioning of public-key certificates in P2P communities, which is a crucial foundation for securing P2P functionalities and applications. We create a framework, named the Self-Organizing and Self-Healing CA group (SOHCG), that can provide certificates without a centralized Trusted Third Party (TTP). In our framework, a CA group is initialized in a Content Addressable Network (CAN) by trusted bootstrap nodes and then grows to a mature state by itself. Based on our group management policies and predefined parameters, the membership in a CA group is dynamic and has a uniform distribution over the P2P community; the size of a CA group is kept to a level that balances performance and acceptable security. The muticast group over an underlying CA group is constructed to reduce communication and computation overhead from collaboration among CA members. To maintain the quality of the CA group, the honest majority of members is maintained by a Byzantine agreement algorithm, and all shares are refreshed gradually and continuously. Our CA framework has been designed to meet all design goals, being self-organizing, self-healing, scalable, resilient, and efficient. A security analysis shows that the framework enables key registration and certificate issue with resistance to external attacks, i.e., node impersonation, man-in-the-middle (MITM), Sybil, and a specific form of DoS, as well as internal attacks, i.e., CA functionality interference and CA group subversion. Cloud computing is the most recent evolution of distributed systems that enable shared resources like P2P systems. Unlike P2P systems, cloud entities are asymmetric in roles like client-server models, i.e., end-users collaborate with Cloud Service Providers (CSPs) through Web interfaces or Web portals. Cloud computing is a combination of technologies, e.g., SOA services, virtualization, grid computing, clustering, P2P overlay networks, management automation, and the Internet, etc. With these technologies, cloud computing can deliver services with specific properties: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured services. However, theses core technologies have their own intrinsic vulnerabilities, so they induce specific attacks to cloud computing. Furthermore, since public clouds are a form of outsourcing, the security of users' resources must rely on CSPs' administration. This situation raises two crucial security concerns for users: locking data into a single CSP and losing control of resources. Providing inter-operations between Application Service Providers (ASPs) and untrusted cloud storage is a countermeasure that can protect users from lock-in with a vendor and losing control of their data. To meet the above challenge, this thesis proposed a new authorization scheme, named OAuth and ABE based authorization (AAuth), that is built on the OAuth standard and leverages Ciphertext-Policy Attribute Based Encryption (CP-ABE) and ElGamal-like masks to construct ABE-based tokens. The ABE-tokens can facilitate a user-centric approach, end-to-end encryption and end-to-end authorization in semi-trusted clouds. With these facilities, owners can take control of their data resting in semi-untrusted clouds and safely use services from unknown ASPs. To this end, our scheme divides the attribute universe into two disjointed sets: confined attributes defined by owners to limit the lifetime and scope of tokens and descriptive attributes defined by authority(s) to certify the characteristic of ASPs. Security analysis shows that AAuth maintains the same security level as the original CP-ABE scheme and protects users from exposing their credentials to ASP, as OAuth does. Moreover, AAuth can resist both external and internal attacks, including untrusted cloud storage. Since most cryptographic functions are delegated from owners to CSPs, AAuth gains computing power from clouds. In our extensive simulation, AAuth's greater overhead was balanced by greater security than OAuth's. Furthermore, our scheme works seamlessly with storage providers by retaining the providers' APIs in the usual way. Security Cloud Computing Access Control Authorization OAuth Attribute Based Encryption Electrical and Computer Engineering

Search results