Abstract
Enterprise Rights Management (ERM) systems aim to protect disseminated data even after it has been sent to remote locations. Existing systems are based on common components, have similar functionalities and often have two shortcomings: a centralised architecture and a lack of concern for the trust and privacy of data recipients. To access the data, recipients must present their credentials to a policy evaluation authority, which they cannot choose and may not trust. Furthermore, recipients may be unable to access the data if their connection is intermittent or if they are off-line. To address these limitations, we propose PAES: a Policy-based Authority Evaluation Scheme, which combines data protection with a distributed policy evaluation protocol. The result allows us to implement the sticky policies paradigm in combination with trust management techniques. This permits distributing policy evaluation over a flexible set of authorities, simultaneously increasing the resilience of policy enforcement.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
eXtensible Access Control markup language (xacml) (version 2.0, 2005), http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
Liquid machines and microsoft windows rights management services (rms): End-to-end rights management for the enterprise (2006), http://www.cmdsolutions.com/pdfs/LiquidMachines%20Windows%20RMS%20Business%20White%20Paper%20FINAL%20060213.pdf
Ashley, P., Hada, G., Karjoth, S., Powers, C., Schunter, M.: The enterprise privacy authorization language (epal 1.1) - reader’s guide to the documentation -. Technical Report 93951, IBM (2003)
Authentica. Enterprise rights management for document protection, White Paper (2005)
Becker, M., Fournet, C., Gordon, A.: Secpal: Design and semantics of a decentralized authorization language. Technical Report MSR-TR-2006-120, Microsoft (2006)
Becker, M., Fournet, C., Gordon, A.: Design and semantics of a decentralized authorization language. In: CSF 2007: Proc. 20th IEEE Computer Security Foundations Symposium, Washington, DC, USA, pp. 3–15 (2007)
Boneh, D., Franklin, M.: Identity based encryption from the weil pairing. In: Proc. 21st Annual Int. Cryptology Conference, Santa Barbara, USA, pp. 213–229 (2001)
Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007)
Clarke, D., Elien, J.-e., Ellison, C., Fredette, M., Morcos, A., Rivest, R.L.: Certificate chain discovery in spki/sdsi. J. of Computer Security 9 (2001)
Felten, E.W.: Understanding trusted computing: Will its benefits outweigh its drawbacks? IEEE Security and Privacy 1(3), 60–62 (2003)
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proc. 13th ACM Conf. on Computer and Communications Security, pp. 89–98. ACM, New York (2006)
Content Guard. extensible rights markup language (xrml) 2.0 (2001), http://www.xrml.org/
Housley, R., Ford, W., Polk, W., Solo, D.: Internet x.509 public key infrastructure certificate and crl profile. Request for Comments: 2459 (1999), www.ietf.org/rfc/rfc2459.txt
Iannella, R.: Open digital rights language (odrl), version 1.1. W3c note, World Wide Web Consortium (2002), http://www.w3.org/TR/odrl
Li, N., Mitchell, J.-C., Winsborough, W.H.: Design of a role-based trust management framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 114–130. IEEE Computer Society Press, Los Alamitos (2002)
Microsoft. Technical overview of windows rights management services for windows server 2003. White Paper (2005), download.microsoft.com/download/8/d/9/8d9dbf4a-3b0d-4ea1-905b-92c57086910b/RMSTechOverview.doc
Mont, M.-C., Pearson, S., Bramhall, P.: Towards accountable management of identity and privacy: Sticky policies and enforceable tracing services. In: DEXA Workshops, pp. 377–382 (2003)
Park, J., Sandhu, R.S., Schifalacqua, J.: Security architectures for controlled digital information dissemination. In: 16th An. Computer Security Applications Conf. (ACSAC), New Orleans, USA, p. 224. IEEE Computer Society, Los Alamitos (2000)
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
Sandhu, R.S., Ranganathan, K., Zhang, X.: Secure information sharing enabled by trusted computing and pei models. In: ASIACCS, pp. 2–12 (2006)
Sandhu, R.S., Zhang, X., Ranganathan, K., Covington, M.: Client-side access control enforcement using trusted computing and pei models. J. High Speed Networks 15(3), 229–245 (2006)
Schoen, S.: Trusted computing: Promise and risk (2003), http://www.eff.inorg/files/20031001_tc.pdf
Avoco Secure. Choosing an enterprise rights management system: Architectural approach (2007), www.windowsecurity.com/uplarticle/Authentication_and_Access_Control/ERM-architectural-approaches.pdf
Yu, Y., Chiueh, T.-c.: Enterprise digital rights management: Solutions against information theft by insiders. Research Proficiency Examination (RPE) report TR-169, Department of Computer Science, Stony Brook University (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Scalavino, E., Gowadia, V., Lupu, E.C. (2009). PAES: Policy-Based Authority Evaluation Scheme. In: Gudes, E., Vaidya, J. (eds) Data and Applications Security XXIII. DBSec 2009. Lecture Notes in Computer Science, vol 5645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03007-9_18
Download citation
DOI: https://doi.org/10.1007/978-3-642-03007-9_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03006-2
Online ISBN: 978-3-642-03007-9
eBook Packages: Computer ScienceComputer Science (R0)