
The GENI Book, pp. 203–234

Authorization and Access Control: ABAC

  • Ted Faber
  • Stephen Schwab
  • John Wroclawski
Chapter

Abstract

GENI’s goal of wide-scale collaboration on infrastructure owned by independent and diverse stakeholders stresses current access control systems to the breaking point. Challenges not well addressed by current systems include, at minimum, support for distributed identity and policy management, correctness and auditability, and approachability. The Attribute Based Access Control (ABAC) system [1, 2] is an attribute-based authorization system that combines attributes using a simple reasoning system to provide authorization that (1) expresses delegation and other authorization models efficiently and scalably; (2) provides auditing information that includes both the decision and reasoning; and (3) supports multiple authentication frameworks as entry points into the attribute space. The GENI project has taken this powerful theoretical system and matured it into a form ready for practical use.
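The abstract's points (1) and (2), delegation expressed as attribute rules and a decision returned together with its reasoning, can be seen in a small model of a credential-chain reasoner. The code below is an added illustration written for this page; it is not libabac or any GENI code, and the principals (GPO, UnivA, UnivB, Alice, Bob, Carol) and credentials are constructed. It models only direct membership and single-level attribute delegation, and it ignores signatures and credential validation, which a real system must check before reasoning over a credential.

```python
"""Toy attribute-based authorization reasoner (illustrative, not libabac).

A credential is the statement "issuer.attr <- subject".  When subject is a
principal, that principal holds the attribute directly.  When subject is
another attribute ("UnivA.student"), the credential is a delegation: anyone
who can be shown to hold UnivA.student also holds issuer.attr.  A request is
granted only if a chain of such credentials links the requester to the goal
attribute, and the chain itself is returned as the audit record.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    issuer: str
    attr: str
    subject: str  # a principal ("Alice") or an attribute ("UnivA.student")

    def __str__(self) -> str:
        return f"{self.issuer}.{self.attr} <- {self.subject}"


def prove(creds: List[Credential], issuer: str, attr: str, principal: str,
          _visited: Optional[set] = None) -> Optional[List[Credential]]:
    """Depth-first search for a credential chain showing `principal` holds
    issuer.attr.  Returns the chain (goal first) or None.  The visited set
    makes mutual delegations (A.x <- B.y, B.y <- A.x) terminate."""
    visited = _visited if _visited is not None else set()
    goal = (issuer, attr)
    if goal in visited:
        return None
    visited.add(goal)
    for c in creds:
        if (c.issuer, c.attr) != goal:
            continue
        if c.subject == principal:          # direct membership closes the chain
            return [c]
        if "." in c.subject:                # delegation: recurse on the delegated attribute
            d_issuer, d_attr = c.subject.split(".", 1)
            sub = prove(creds, d_issuer, d_attr, principal, visited)
            if sub is not None:
                return [c] + sub
    return None


def authorize(creds: List[Credential], issuer: str, attr: str,
              principal: str) -> Tuple[bool, List[str]]:
    """Decision plus reasoning: (granted, list of credentials used)."""
    chain = prove(creds, issuer, attr, principal)
    if chain is None:
        return False, []
    return True, [str(c) for c in chain]


# Constructed sample credentials (hypothetical principals and attributes).
CREDENTIALS = [
    Credential("GPO", "experimenter", "Bob"),            # direct grant
    Credential("GPO", "experimenter", "UnivA.student"),  # GPO delegates to UnivA's students
    Credential("UnivA", "student", "UnivB.exchange"),    # UnivA accepts UnivB exchange students
    Credential("UnivB", "exchange", "UnivA.student"),    # and vice versa: a delegation cycle
    Credential("UnivA", "student", "Alice"),
]

if __name__ == "__main__":
    for who in ("Alice", "Bob", "Carol"):
        granted, proof = authorize(CREDENTIALS, "GPO", "experimenter", who)
        print(who, "granted" if granted else "denied", proof)
```

Alice is granted through the two-credential delegation chain, Bob through a direct grant, and Carol is denied with an empty proof; the cycle between UnivA.student and UnivB.exchange is cut by the visited set rather than looping. Logging the returned chain alongside the decision is what gives an auditor the reasoning, not just the yes/no.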

Keywords

Access Control; Partial Proof; Reasoning Engine; Authorization Policy; GENI Authorization

References

  1. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management system. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 2002)
  2. Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management (extended abstract). In: Proceedings of the Eighth ACM Conference on Computer and Communications Security (CCS-8), pp. 156–165 (November 2001)
  3. Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP Message Format. RFC 4880 (November 2007)
  4. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
  5. Huang, S.S., Green, T.J., Loo, B.T.: Datalog and emerging applications: an interactive tutorial. In: Proceedings of the 2011 ACM SIGMOD International Conference on Management of Data (SIGMOD '11), pp. 1213–1216. New York, NY, USA (June 2011)
  6. Internet2, InCommon: InCommon Basics and Participating in InCommon. http://www.incommon.org/docs/guides/InCommon_Resources.pdf. Retrieved Aug 2014
  7. TIED Team: GENI-Compatible ABAC Credentials. http://groups.geni.net/geni/wiki/TIEDCredentials. Retrieved Aug 2014
  8. ProtoGENI Team: Privileges in the Reference Implementation. http://www.protogeni.net/ProtoGeni/wiki/ReferenceImplementationPrivileges. Retrieved Aug 2014
  9. Benzel, T.: The science of cyber-security experimentation: the DETER project. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC) '11, Orlando, FL (December 2011)
  10. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (May 2008)
  11. Yee, P.: Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 6818 (January 2013)
  12. Shibboleth Consortium: Shibboleth 3 — A New Identity Platform. https://shibboleth.net/consortium/documents.html. Retrieved Aug 2014
  13. Kohl, J., Neuman, C.: The Kerberos Network Authentication Service (V5). RFC 1510 (September 1993)
  14. TIED Team: Libabac Software Distribution. http://abac.deterlab.net. Retrieved Aug 2014
  15. The DETER Team: The DETER Federation Architecture. http://fedd.deterlab.net/wiki/FeddAbout. Retrieved Aug 2014
  16. TIED Team: GENI ABAC Credentials. http://groups.geni.net/geni/wiki/TIEDABACCredential. Retrieved Aug 2014
  17. GENI Program Office: Clearinghouse. http://groups.geni.net/geni/wiki/GeniClearinghouse. Retrieved Aug 2014
  18. GENI Program Office: GENI Credentials. http://groups.geni.net/geni/wiki/GeniApiCredentials. Retrieved Aug 2014
  19. Bartel, M., Boyer, J., Fox, B., LaMacchia, B., Simon, E.: XML Signature Syntax and Processing, 2nd edn. W3C Recommendation. http://www.w3.org/TR/xmldsig-core/ (June 2008)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. USC Information Sciences Institute, Los Angeles, USA
  2. USC Information Sciences Institute, Arlington, USA
