1 / 20

Managing key hierarchies for access control enforcement: Heuristic approaches

Managing key hierarchies for access control enforcement: Heuristic approaches. Author: Carlo Blundo, Stelvio Cimato, Sabrina De Capitani di Vimercati, Alfredo De Santis, Sara Foresti, Stefano Paraboschi, Pierangela Samarati

brooke-fowler
Download Presentation

Managing key hierarchies for access control enforcement: Heuristic approaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Managing key hierarchies for access control enforcement: Heuristic approaches Author:Carlo Blundo, Stelvio Cimato, Sabrina De Capitani di Vimercati, Alfredo De Santis, Sara Foresti, Stefano Paraboschi, Pierangela Samarati Source: Computers & Security, vol.29, 2010, pp. 533-547 Presenter: Tsuei-Hung Sun Date: 2010/7/6

  2. Outline • Introduction • Motivation • Scheme • Advantage vs. weakness • Conclusion

  3. Introduction • Data outsourcing promises higher availability and more effective disaster protection than in-house operations. • It need to protect the privacy of the data from the so called honest-but-curious servers.

  4. Introduction • Prim's algorithm Image source: Prim's algorithm, 清華大學資訊工程所 劉炯朗 教授http://nthucad.cs.nthu.edu.tw/~yyliu/personal/nou/04ds/prim.html

  5. Motivation • Existing approaches do not address the problem of supporting different access authorizations for different users. • Enforcing the authorization policy by heuristic and minimizing the number of keys to be maintained by the system and distributed to users.

  6. Scheme • Basic concept Fig. Access matrix Fig. User tree acl(r):access control list of r, users that can access r. Ex. acl(r2) = {A, C} cap(u):capability list of u, resources that u can access. Ex. cap(C) = {r2 , r4 , r6} v.acl: set of users represented by vertex v. v.key: key associated with v.

  7. Scheme • Integer Linear Programming (ILP) minimum user tree Fig. ILP minimum weight user tree Fig. General minimum weight user tree

  8. Scheme • ILP minimum user tree problem is formulated as follows

  9. Scheme • Three families of heuristics • sibling-based (S) • leaf-based (L) • mixed (M) • Three preference criteria • rnd: at random. • max: |vi.acl| + |vj.acl| is maximum, ties are broken randomly. • min: |vi.acl| + |vj.acl| is minimum, ties are broken randomly.

  10. Sibling-based heuristic

  11. Sibling-based heuristic

  12. Leaves-based heuristic

  13. Leaves-based heuristic

  14. Mixed heuristics

  15. Experimental result • Compare three heuristics with Damiani’s approach. Fig. sibling-based heuristic with different preference criteria.

  16. Experimental result • Compare three heuristics adopting the min preference criterion with Damiani’s approach. Fig. Percentage of times each heuristic returns a solution at distance d from the lowest weight solution computed.

  17. Advantage vs. weakness • Advantage • Three families of heuristics preference better than Damiani’s heuristics. • Integer linear programming formulation of the minimization problem. • Weakness • Execution time of the mixed heuristic is higher than the time requested by the other heuristics. • High variability of the time necessary to solve the ILP problem.

  18. Conclusion • Protect the resource confidentiality from both unauthorized users and ‘‘honest-but-curious’’ servers. • Most of the existing efforts focus on the techniques for the evaluation of queries on encrypted outsourced data. • Integrating access control and encryption and by exploiting key derivation methods as a way for minimizing the number of keys distributed to users.

  19. References • Prim's algorithm http://en.wikipedia.org/wiki/Prim%27s_algorithm (2010/7/7) • 普林演算法(Prim's algorithm) http://nthucad.cs.nthu.edu.tw/~yyliu/personal/nou/04ds/prim.html (2010/7/8) • Graph (mathematics) http://en.wikipedia.org/wiki/Undirected_graph (2010/7/7) • Minimum spanning tree http://en.wikipedia.org/wiki/Minimum_spanning_tree (2010/7/7) • Regular graph http://en.wikipedia.org/wiki/Regular_graph (2010/7/8) • Graph factorization http://en.wikipedia.org/wiki/Graph_factorization (2010/7/8) • Directed acyclic graph http://en.wikipedia.org/wiki/Directed_acyclic_graph (2010/7/8) • Linear programming http://en.wikipedia.org/wiki/Linear_programming (2010/7/9)

  20. Thank you

More Related