Towards Role Based Trust Management without Distributed Searching of Credentials

  • Gang Yin
  • Huaimin Wang
  • Jianquan Ouyang
  • Ning Zhou
  • Dianxi Shi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5308)


Trust management systems enable decentralized authorization by searching distributed credentials from network. We argue that such distributed searching processes may encounter many technical or non-technical problems, and can be avoided by storing delegation credentials redundantly with acceptable costs. We propose a scoped-role based trust management system ScoRT, using a novel credential affiliation model to compute the credentials necessary for role membership decisions, which can be used to guide the storage, retrieval and revocation of credentials. The algorithm for distributed credential storage and retrieval is designed based on the model and its sound and complete properties are formally analyzed with respect to ScoRT semantics. Complexity analysis and estimation show that, by redundantly storing acceptable amount of delegation credentials, ScoRT enables more practical and automatic authorization without searching credentials from remote entities, and thus helps to overcome the deficiencies of existing approaches.


Trust Management Trust Management System Affiliation Graph Intersection Edge Credential Chain 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aura, T.: Fast access control decisions from delegation certificate databases. In: Boyd, C., Dawson, E. (eds.) ACISP 1998. LNCS, vol. 1438, pp. 284–295. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  2. 2.
    Becker, M.Y., Sewell, P.: Cassandra: Flexible Trust Management, Applied to Electronic Health Records. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop (2004)Google Scholar
  3. 3.
    Becker, M.Y.: A formal security policy for an NHS electronic health record service. UCAM-CL-TR 628, University of Cambridge, Computer Laboratory, p. 81 (March 2005)Google Scholar
  4. 4.
    Becker, M.Y., Fournet, C., Gordon, A.D.: Design and Semantics of a Decentralized Authorization Language. In: 20th IEEE Computer Security Foundations Symposium, pp. 3–15 (2007)Google Scholar
  5. 5.
    Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 164–173. IEEE Computer Society Press, Los Alamitos (1996)CrossRefGoogle Scholar
  6. 6.
    Blaze, M., Feigenbaum, J., Strauss, M.: Compliance-checking in the PolicyMaker trust management system. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 254–274. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  7. 7.
    Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The KeyNote trust-management system, version 2. IETF RFC 2704 (September 1999) Google Scholar
  8. 8.
    Clarke, D., Elien, J.E., Ellison, C., Fredette, M., Morcos, A., Rivest, R.L.: Certificate chain discovery in SPKI/SDSI. Journal of Computer Security 9(4), 285–322 (2001)CrossRefGoogle Scholar
  9. 9.
    Elley, Y., Anderson, A., Hanna, S., Mullan, S., Perlman, R., Proctor, S.: Building certification paths: Forward vs. reverse. In: Proceedings of the 2001 Network and Distributed System Security Symposium (NDSS 2001), pp. 153–160. Internet Society (February 2001)Google Scholar
  10. 10.
    Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI certificate theory. IETF RFC 2693 (September 1999)Google Scholar
  11. 11.
    Farrell, S., Housley, R.: An Internet Attribute Certificate Profile for Authorization, RFC3281 (April 2002)Google Scholar
  12. 12.
    Gunter, C., Jim, T.: Policy-directed certificate retrieval. Software: Practice & Experience 30(15), 1609–1640 (2000)zbMATHGoogle Scholar
  13. 13.
    Hasu, T., Kortesniemi, Y.: Implementing an SPKI Certificate Repository within the DNS. In: International Workshop on Public-Key Cryptography, PKC (2000)Google Scholar
  14. 14.
    Jim, T.: SD3: A trust management system with certified evaluation. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 106–115. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  15. 15.
    Li, N.: Delegation Logic: A Logic-based Approach to Distributed Authorization. PhD thesis, New York University, New York (2000)Google Scholar
  16. 16.
    Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management (extended abstract). In: Proceedings of the Eighth ACM Conference on Computer and Communications Security (CCS-8), pp. 156–165. ACM Press, New York (2001)Google Scholar
  17. 17.
    Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 114–130. IEEE Computer Society Press, Los Alamitos (2002)Google Scholar
  18. 18.
    Mao, Z., Li, N., Winsborough, W.H.: Distributed Credential Chain Discovery in Trust Management with Parameterized Roles and Constraints. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 159–173. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Nilsson, U., Małuszyński, J.: Logic, Programming and Prolog, 2nd edn. John Wiley & Sons Ltd., Chichester (1995)zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Gang Yin
    • 1
  • Huaimin Wang
    • 1
  • Jianquan Ouyang
    • 2
  • Ning Zhou
    • 3
  • Dianxi Shi
    • 1
  1. 1.School of ComputerNational University of Defense TechnologyChangshaChina
  2. 2.College of Information EngineeringXiangtan UniversityXiangtanChina
  3. 3.Institute of Electronic System Engineering of ChinaBeijingChina

Personalised recommendations