A key challenge in Web services security is the design of effective access control schemes that can adequately meet the unique security challenges posed by the Web services paradigm. Despite the recent advances in Web based access control approaches applicable to Web services, there remain issues that impede the development of effective access control models for Web services environment. Amongst them are the lack of context-aware models for access control, and reliance on identity or capability-based access control schemes. In this paper, we motivate the design of an access control scheme that addresses these issues, and propose an extended, trust-enhanced version of our XML-based Role Based Access Control (X-RBAC) framework that incorporates context-based access control. We outline the configuration mechanism needed to apply our model to the Web services environment, and also describe the implementation architecture for the system.

SUPERCEDED BY CERIAS TR 2005-26

We propose Oblivious Attribute Certificates (OACerts), an attribute certificate scheme in which a certificate holder can select which attributes to use and how to use them.  In particular, a user can use attribute values stored in an OACert obliviously, \ie, the user obtains a service if and only if the attribute values satisfy the policy of the service provider, yet the service provider learns nothing about these attribute values.

To build OACerts, we propose a new cryptographic primitive called Oblivious Commitment Based Envelope (OCBE).  In an OCBE scheme, Bob has an attribute value committed to Alice and Alice runs a protocol with Bob to send an envelope (encrypted message) to Bob such that: (1) Bob can open the envelope if and only if his committed attribute value satisfies a predicate chosen by Alice. (2) Alice learns nothing about Bob’s attribute value. We develop provably secure and efficient OCBE protocols for the Pedersen commitment scheme and predicates such as $=,\ge,\le,>,<,\ne$ as well as logical combinations of them.

Comparing the expressive power of access control models is recognized as a fundamental problem in computer security.  Such comparisons are generally based on simulations between different access control schemes.  However, the definitions for simulations that are used in the literature make it impossible to put results and claims about the expressive power of access control models into a single context.  Furthermore, some definitions for simulations used in the literature such as those used for comparing RBAC (Role-Based Access Control)  with other models, are too weak to distinguish access control models from one another in a meaningful way.

We propose a theory for comparing the expressive power of access control models. We perceive access control systems as state-transition systems and require simulations to preserve security properties.  We discuss the rationale behind such a theory,  apply the theory to reexamine some existing work on the expressive power of access control models in the literature and present three results. We show that: (1) RBAC with a particular administrative model from the literature (ARBAC97) is limited in its expressive power; (2) ATAM (Augmented Typed Access Matrix) is more expressive than TAM (Typed Access Matrix), thereby solving an open problem posed in the literature;  and (3) a trust-management language is at least as expressive as RBAC with a particular administrative model (the URA97 component of ARBAC97).

While Open Source software is routinely described as “more secure” than commercial off the shelf software, all available evidence suggests that there is little difference in the level of trust that should be accorded either type of system. The paper also relies on an analysis using risk perception theory to explain why Open Source is widely believed to be “more secure” than other types of software.

BGP is essential to the operation of the Internet, but is vulnerable to both accidental failures and malicious attacks. We propose a new protocol that works in concert with BGP, which Autonomous Systems will use to help detect and mitigate accidentally or maliciously introduced faulty routing information. The protocol differs from previous efforts at securing BGP in that it is receiver-driven, meaning that there is a mechanism for recipients of BGP UPDATE messages to corroborate the information ...

We describe a system that we have designed and implemented for publishing content on the web. Our publishing scheme has the property that it is very difficult for any adversary to censor or modify the content. In addition, the identity of the publisher is protected once the content is posted. Our system differs from others in that we provide tools for updating or deleting the published content, and users can browse the content in the normal point and click manner using a standard web browser and a client-side proxy that we provide. All of our code is freely available.

This paper deals with the problem of secure cooperative updates for XML documents in distributed systems. In particular, we introduce the basic notions underlying a flow language by using which a user can specify the flow that a given XML document has to follow within a group of cooperative subjects. A key feature of the flow language is to be based on the notion of subject credentials. In addition, we describe a policy language to specify special-purpose authorizations allowing selected subjects to modify or extend a given document flow. Finally, we briefly describe the protocols for verifying that the path followed by a document in a collaborative group agrees with the specified flow and to verify that modifications on a given flow are in accordance with the specified authorizations.

In this paper, we investigate a method by which smart cards can be used to enhance the security of session key distribution in the third-party setting of Needham & Schroeder. We extend the security model of Bellare & Rogaway to take into account both the strengths and weaknesses of smart card technology, we propose a session key distribution protocol, and we prove that it is secure assuming pseudo-random functions exist.