An Attributes-Based Access Control Architecture within Large-Scale Device Collaboration Systems Using XACML
Containing multiple domains and a large number of heterogeneous distributed devices, large-scale device collaboration systems require a fine-grained, flexible and secure mechanism for device access control. This chapter presents and evaluates a distributed device access control architecture, Multiple Policies supported Attribute-Based Access Control (MPABAC), that supports device authentication and authorization among multiple domains. Based on the eXtensible Access Control Markup Language (XACML) standard and the Attribute-Based Access Control (ABAC) model, this architecture supports cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attribute-based privilege description. Experiments show that the performance of this implementation is acceptable within the production environment.
Keywords: Large-scale device collaboration system; Hierarchical policy decision point; Multiple policies attribute-based access control
This research work was supported by both the self-conducted exploratory research program “Green Lighting in Internet of Things” from the State Key Laboratory for Software Development Environment in China (No. SKLSDE-2010ZX-06) and the Special Program for Seism-Scientific Research in Public Interest “Research in Online Processing Technologies for Seismological Precursory Network Dynamic Monitoring and Products” (No. 201008002).
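As an added illustration (not code from the chapter or the MPABAC implementation), the following Python model shows the XACML-style hierarchical policy combination the abstract describes: a cross-domain root PolicySet combines a global policy with a per-domain policy under deny-overrides, and a deny-by-default enforcement point only opens a device on an explicit Permit. The attribute names, domains and rules are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Union

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:                      # leaf, like an XACML <Rule>
    effect: str
    target: Callable[[dict], bool]   # predicate over request attributes

@dataclass
class Policy:                    # XACML <Policy> or <PolicySet>, depending on children
    algorithm: str               # combining algorithm: deny-overrides | permit-overrides
    children: List[Union["Rule", "Policy"]]
    target: Callable[[dict], bool] = lambda req: True

def combine(algorithm: str, decisions: List[str]) -> str:
    # deny-overrides prefers Deny, permit-overrides prefers Permit; else NotApplicable
    order = {"deny-overrides": (DENY, PERMIT), "permit-overrides": (PERMIT, DENY)}[algorithm]
    for wanted in order:
        if wanted in decisions:
            return wanted
    return NA

def evaluate(node, req: dict) -> str:
    if not node.target(req):
        return NA
    if isinstance(node, Rule):
        return node.effect
    return combine(node.algorithm, [evaluate(c, req) for c in node.children])

# Constructed sample hierarchy (assumed attribute names): root PolicySet with
# deny-overrides wrapping a global policy and the policy of the "seismic" domain.
same_domain = lambda r: r["subject.domain"] == r["resource.domain"]
ROOT = Policy("deny-overrides", [
    # global policy: no device write from a foreign domain, whatever the local policy says
    Policy("deny-overrides", [
        Rule(DENY, lambda r: r["action"] == "write" and not same_domain(r)),
    ]),
    # domain policy: applies only to devices owned by the "seismic" domain
    Policy("permit-overrides", [
        Rule(PERMIT, lambda r: r["subject.role"] == "operator" and same_domain(r) and r["action"] == "read"),
        Rule(PERMIT, lambda r: r["subject.role"] == "admin" and same_domain(r)),
    ], target=lambda r: r["resource.domain"] == "seismic"),
])

def decide(req: dict) -> str:
    return evaluate(ROOT, req)

def pep_allows(req: dict) -> bool:
    # the enforcement point is deny-by-default: NotApplicable never opens a device
    return decide(req) == PERMIT
```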