managing key hierarchies for access control enforcement: heuristic approaches
DESCRIPTION
Managing key hierarchies for access control enforcement: Heuristic approaches. Author: Carlo Blundo, Stelvio Cimato, Sabrina De Capitani di Vimercati, Alfredo De Santis, Sara Foresti, Stefano Paraboschi, Pierangela Samarati - PowerPoint PPT PresentationTRANSCRIPT
Managing key hierarchies for access control enforcement: Heuristic approaches
Author: Carlo Blundo, Stelvio Cimato, Sabrina De Capitani di Vimercati, Alfredo De Santis, Sara Foresti, Stefano Paraboschi, Pierangela Samarati
Source: Computers & Security, vol.29, 2010, pp. 533-547
Presenter: Tsuei-Hung Sun
Date: 2010/7/6
2
Outline
ه Introduction ه Motivation ه Schemeه Advantage vs. weakness ه Conclusion
3
Introduction
ه Data outsourcing promises higher availability and more effective disaster protection than in-house operations.
ه It need to protect the privacy of the data from the so called honest-but-curious servers.
4
Introduction
ه Prim's algorithm
Image source: Prim's algorithm, 清華大學資訊工程所 劉炯朗 教授 http://nthucad.cs.nthu.edu.tw/~yyliu/personal/nou/04ds/prim.html
5
Motivation
ه Existing approaches do not address the problem of supporting different access authorizations for different users.
ه Enforcing the authorization policy by heuristic and minimizing the number of keys to be maintained by the system and distributed to users.
6
Scheme
ه Basic concept
Fig. Access matrixFig. User tree
acl(r): access control list of r, users that can access r. Ex. acl(r2) = {A, C}cap(u): capability list of u, resources that u can access. Ex. cap(C) = {r2 , r4 , r6}v.acl: set of users represented by vertex v.v.key: key associated with v.
7
Scheme
ه Integer Linear Programming (ILP) minimum user tree
Fig. General minimum weight user tree Fig. ILP minimum weight user tree
8
Scheme
ه ILP minimum user tree problem is formulated as follows
9
Scheme
ه Three families of heuristicsه sibling-based (S)ه leaf-based (L) ه mixed (M)
ه Three preference criteriaه rnd: at random.ه max: |vi.acl| + |vj.acl| is maximum, ties are broken rando
mly.ه min: |vi.acl| + |vj.acl| is minimum, ties are broken rando
mly.
10
Sibling-based heuristic
11
Sibling-based heuristic
12
Leaves-based heuristic
13
Leaves-based heuristic
14
Mixed heuristics
15
Experimental result
ه Compare three heuristics with Damiani’s approach.
Fig. sibling-based heuristic with different preference criteria.
16
Experimental result
ه Compare three heuristics adopting the min preference criterion with Damiani’s approach.
Fig. Percentage of times each heuristic returns a solution at distance d from the lowest weight solution computed.
17
Advantage vs. weakness
ه Advantageه Three families of heuristics preference better than Dami
ani’s heuristics.ه Integer linear programming formulation of the minimiz
ation problem.
ه Weaknessه Execution time of the mixed heuristic is higher than the
time requested by the other heuristics.ه High variability of the time necessary to solve the ILP
problem.
18
Conclusion
ه Protect the resource confidentiality from both unauthorized users and ‘‘honest-but-curious’’ servers.
ه Most of the existing efforts focus on the techniques for the evaluation of queries on encrypted outsourced data.
ه Integrating access control and encryption and by exploiting key derivation methods as a way for minimizing the number of keys distributed to users.
19
Referencesه Prim's algorithm http://en.wikipedia.org/wiki/Prim%27s_algorithm (2010/7/7)ه 普林演算法 (Prim's algorithm) http://nthucad.cs.nthu.edu.tw/~yyliu/personal/
nou/04ds/prim.html (2010/7/8)ه Graph (mathematics) http://en.wikipedia.org/wiki/Undirected_graph (2010/7/
7)ه Minimum spanning tree http://en.wikipedia.org/wiki/Minimum_spanning_tree
(2010/7/7)ه Regular graph http://en.wikipedia.org/wiki/Regular_graph (2010/7/8)ه Graph factorization http://en.wikipedia.org/wiki/Graph_factorization (2010/7/
8)ه Directed acyclic graph http://en.wikipedia.org/wiki/Directed_acyclic_graph
(2010/7/8)ه Linear programming http://en.wikipedia.org/wiki/Linear_programming (2010/
7/9)
Thank you