PAMINA: A Certificate Based Privilege Management System
نویسندگان
چکیده
In this paper we present PAMINA (Privilege Administration and Management INfrAstructure), a privilege management system using authorization certificates. Our system supports distributed environments where autonomous authorities can manage and delegate privileges in accordance with their own policies. We introduce Improved Certification Verification Trees (I-CVTs) that guarantee very efficient and trustworthy certificate management. I-CVTs can provide undeniable proofs for the non-existence of a given certificate in contrast to CVTs as proposed in [1]. As a result, each authority can store its own I-CVT in a central, non-trusted, and replicable database. This database provides authenticated verifiers with basically only those certificates that are required to determine whether a user should be granted access to a resource or not. Since the system implements the pull model, clients need not to be involved in the access control decision process. PAMINA handles delegation trees instead of simple delegation chains because authorities can delegate privileges in one certificate that were assigned to them by several certificates. In the prototype that we describe here, PAMINA manages certificates based on X.509.
منابع مشابه
sichere und effiziente Zugriffskontrolle mit PAMINA
Der Beitrag stellt PAMINA (Privilege Administration and Management INfrAstructure) vor, ein System für die zertifikatsbasierte Autorisierung und Zugriffskontrolle. PAMINA verwaltet die Zertifikate mit Improved Certification Verification Trees (I-CVT). I-CVTs beruhen auf den in [GGM00] vorgeschlagenen CVTs, sie bieten aber bessere Performanz und die Möglichkeit, Verifizierern die Vollständigkeit...
متن کاملRole-Based Privilege Management Using Attribute Certificates and Delegation
The Internet provides tremendous connectivity and immense information sharing capability which the organizations can use for their competitive advantage. However, we still observe security challenges in Internet-based applications that demand a unified mechanism for both managing the authentication of users across enterprises and implementing business rules for determining user access to enterp...
متن کاملSecure Information Sharing Using Attribute Certificates and Role Based Access Control
In this paper, we explore the issues involved with the design and rapid deployment of large scale secure information sharing (SIS) systems for coordination involved with multiple agencies. Procedures and tools were developed for setting up quickly the public key infrastructure (PKI) and privilege management infrastructure (PMI) for the multi-agency SIS systems. A multi-agency SIS testbed based ...
متن کاملA Privilege Management Scheme for Mobile Agent Systems
In this paper, we describe a general method for controlling the behavior of mobile agent-system entities through the allocation of privileges. Privileges refer to policy rules that govern the access and use of computational resources and services. The scheme is based on the capability of most mobile agent systems to extend the platform processing environment and the use of two forms of privileg...
متن کاملScalability Issues in PMI Delegation
The Canadian Department of National Defence (DND) is shifting its methods for the delegation and exercise of authority from paper-based to electronic-based means. DND has deployed a commercial PKI but there is no general technical solution presently employed by DND for access control or electronic authorization of workflow in distributed processing environments. The aim of this research is to s...
متن کامل