Enable delegation for RBAC with Secure Authorization Certificate

c om p u t e r s & s e c u r i t y 3 0 ( 2 0 1 1 ) 7 8 0e7 9 0

ava i lab le a t www.sc iencedi rec t .com

journa l homepage : www.e lsev ier . com/ loca te /cose

Enable delegation for RBAC with Secure AuthorizationCertificate

GuangXu Zhou a, Murat Demirer a,c, Coskun Bayrak a,*, Licheng Wang b

aUniversity of Arkansas at Little Rock, 2801 S. University Ave, Little Rock, AR 72204, USAbBeijing University of Posts and Telecommunications, 10 Xitucheng Rd Beijing, PR Chinac Istanbul Kultur University, Istanbul, Turkey

a r t i c l e i n f o

Article history:

Received 6 October 2010

Received in revised form

12 May 2011

Accepted 17 June 2011

Keywords:

Access Control

Computer Network Security

Random Number Generator

Secure Authorization

Secure Delegation

Quasirandom Structures

k-Uniform Hypergraph

* Corresponding author. Tel.: þ1 501 569 8131 The term fingerprint is used to refer to a

0167-4048/$ e see front matter ª 2011 Elsevdoi:10.1016/j.cose.2011.06.005

a b s t r a c t

Our motivation in this paper is to explore a Secure Delegation Scheme that could keep

access control information hidden through network transmission. This approach intro-

duces the quasirandom structure, 3-Uniform Hypergraph, as the representation structure

for authorization information. It generates a Secure Authorization Certificate (SAC) in place

of an Attribute Certificate (AC) to enable both Role-based Access Control (RBAC) and

a delegation process for hiding authorization information. We have two contributions in

this regard: (1) a value-based delegation scheme and (2) a pattern-based RBAC. A Secure

Delegation Scheme is based on the hashing values generated with the quasirandom

structure. With this scheme, the delegation process will greatly reduce the risk of sensitive

authorization information leakage for applications. In the case of pattern-based access, we

introduce a new hash function using quasirandom structure to make a fingerprint1 for

RBAC. The quasirandom structure derived from k-Uniform Hypergraph has measurable

uniformity, which is an advantage over traditional hash functions. Another advantage is

that it does not need to access the entire message context to generate the fingerprint which

is essential for traditional hash functions such as MD5, SHA-1, etc.

ª 2011 Elsevier Ltd. All rights reserved.

1. Introduction second, the approachusually combines the authentication and

Delegation service is a common requirement in Role-Based

Access Control (RBAC) (Ferraiolo et al., 2001) systems. With

the delegation process, there are no well-accepted models

addressed in the literature. The concept of delegation in access

control is not clearly defined and the basic principles for dele-

gation are not well-identified yet. The confinement problem,

for example, cannot be demonstrated as being resolved in

current delegation applications. Particularly for RBAC model,

delegation is demanding more while the Public Key Certificate

(PKC)-based delegation process has several defects: first, inor-

dinate use of the private key increases the risk of compromise;

7; fax: þ1 501 569 8144.unique pattern.ier Ltd. All rights reserve

authorization tightly, and the extensions embedded into the

certificate overloads the semantics of the authentication

certificate; third, the lifetime difference between the authen-

tication andauthorization attributesmay increase the cost and

complexity of managing the underlying Public Key Infrastruc-

ture (PKI) (Benantar, 2006); fourth, the cross-domain problems

with RBAC could not be easily resolved.

In this paper, we present a Secure Delegation Scheme that

could enhance the security of the transmission with Role-

based Access Control information through network. First,

with respect to the original work on quasirandomness with 3-

Uniform Hypergraphs appeared in (Gowers, 2006a), we

d.

http://www.sciencedirect.com

http://www.elsevier.com/locate/cose

http://dx.doi.org/10.1016/j.cose.2011.06.005



c om p u t e r s & s e c u r i t y 3 0 ( 2 0 1 1 ) 7 8 0e7 9 0 781

introduced the quasirandom structure, 3-Uniform Hyper-

graph, as the representation structure for RBAC information.

Based on this structure, we defined a hash function which

generates a quasirandom sequence as the fingerprint of RBAC

information. Each element of the quasirandom sequence is

called Secure Authorization Token (SAT). With a set of SATs,

a Secure Authorization Certificate can be compiled as the

authorization certificate in place of Attribute Certificate to

facilitate delegation process for RBAC with hiding authoriza-

tion information.

The rest of this paper is organized as follows: Section 2

discusses the related work; Section 3 reviews the authoriza-

tion scheme and presents the argument in Secure Authori-

zation Scheme; in Section 4 the definition of Secure Delegation

Scheme is introduced; Section 5 describes the system design

and architecture of the secure delegation prototype intro-

duced; Section 6 presents the use of quasirandom approach to

generate the fingerprint for RBAC; Section 7 contains an

intellectual discussion of the model; Section 8 provides

a conclusion of the study; and finally Section 9 presents the

relevant future work to be considered.

2. Related work

Most of the current authorization mechanisms do not hide

theaccess control information in transmission. For example, in

PMI (Iso, 2005) infrastructure, the Attribute Certificate (Farrell

and Housley, 2002) is transferred through the network,

including authorization information of users such as roles,

permissions, etc. With the revelation of such information, it is

possible for the adversary to recover the authorization map of

an organization, which is risky in many cases (i.e., in the mili-

tary field or in commercial competition). Recently, people have

been aware of this defect on information leakage (Holt et al.,

2003; Li and Tripunitara, 2006; Seitz et al., 2005). Li et al. devel-

oped a system that enables the hiding of policy information for

access control (Li and Li, 2005); Calvert et al. introducedamodel

to enforce information-hiding policies for network manage-

ment (Calvert andGriffioen, 2006); Frikken et al. presented how

to protect both sensitive credentials and sensitive policies by

the set of protocols they designed (Frikken et al., 2006).

Especially for the delegation process and regardless of the

delegation type (Role-based (Wang and Osborn, 2006; Zhang

et al., 2003, 2002; Joshi and Bertino, 2006; Na and Cheon,

2000) or Attribute-based delegation (Frikken et al., 2006;

Zhou and Meinel, 2004; Kakizaki and Tsuji, 2007; Xie et al.,

2004; Chadwick et al., 2003)), the problem of information

authorization may be revealed by the delegated certificates

when transferring through network. Therefore, all of these

delegation solutions should focus on the properties of

unforgability or undeniability issues.

Our work is related to trust negotiation with hidden

credentials and hidden policies as well as role-based delega-

tion. Most of the early research with trust negotiation focuses

on protecting resources and credentials (Winsborough et al.,

2000; Winsborough and Li, 2002, 2004; Winslett et al., 2002).

Later on, some research work considered policies as sensitive

information (Bonatti and Samarati, 2000; Yu et al., 2003; Yu

and Winslett, 2003). Li (Li and Li, 2005; Li et al., 2005), Frikken

(Frikken et al., 2006, 2004), and Brickell (Brickell and Li, 2007)

contributed accumulated work on the hidden credentials and

hidden policies to incorporate them into trust negotiation and

trust management systems.

Concerning the delegation process, MyProxy (Novotny

et al., 2001) is the most popular Credential Repository which

serves as user credential management and delegation proxy

server for grid environments. Other delegationmodels include

role-based delegation (Wang and Osborn, 2006; Zhang et al.,

2003, 2002; Joshi and Bertino, 2006; Na and Cheon, 2000) and

attribute-based, or X.509-based delegation (Zhou and Meinel,

2004; Kakizaki and Tsuji, 2007; Xie et al., 2004; Chadwick

et al., 2003). However, all of these delegation models do not

use hidden credentials or hidden policies because they accept

the assumption that authorization information or policies are

not sensitive. Later, in Li and Tripunitara (2006), the use of

security analysis techniques to maintain desirable security

properties while delegating administrative privileges was

introduced; and a precise definition of a family of security

analysis problems in RBAC (which is more general than safety

analysis that is studied in the literature) was given.

Our goal in this work is to present a theoretical framework

of a prototype implementation for encoding RBAC authoriza-

tion information into a X.509 certificate to facilitate secure

delegation process.

3. Secure Authorization Scheme

Before giving the definition of Secure Delegation Scheme, it is

necessary to clarify the definition of Secure Authorization

Scheme (SAS). Our perception of SAS is nothing more than

a authentication feature which performs the access control as

described in Example 1.

Example 1. Bob wants to operate on a PC in the lab. So, he

inquires the administrator to grant the permission for him.

The administrator distributes a token to Bob. With this token,

Bob can open the PC and operate on it. Neither Bob nor the PC

can understand what the token means. Here Bob’s concern is

that he can do what he wants to do on the PC. Similarly, the

PC’s concern is that Bob’s operation is granted by the

administrator. The administrator is responsible for the val-

idity of Bob’s operation and handles the process it works.

RBAC is the model to handle authorization for the User

through the permission with respect to Role. User, Role,

Object, and Permission are essential components for RBAC.

Here, Bob is the user, and PC is the Object.

AA (Authorization Authority) is the subsystem to grant,

revoke,modify, and retrieve authorization clearance. Here, the

administrator is theAuthorizationAuthority (AA). Basedon the

structure illustrated in Fig. 1, the following four cases should be

considered, in order to define a secure authorization model:

� Case 1: User, Object, and AA hold the authorization

information,

� Case 2: User and AA hold the authorization information,

� Case 3: Object and AA hold the authorization information,

� Case 4: Only AA holds the authorization information, where

Object is the resource that the User wants to access.



Fig. 1 e RBAC with Authorization Authority.


Here, the resource owner is a critical concept; therefore, it is

necessary to clarify it for the definition of security scheme.

Generally speaking, the resource owner is the operator of the

physical resource. For example, Bob logs into a PCwith his user

account and conducts somework. The resources owned by this

user account will be dominated by the on-going work. Most of

the current solutions for authorization are based on the

assumption that the user who physically owns the resource is

considered to be the resource owner (Inglesant et al., 2008;

Dumitrescu and Foster, 2004;Mazzoleni et al., 2005; Czajkowski

et al., 2005). But in the real world, that assumption is not really

true.Anemployeewho isassignedtoconduct somebusinesson

aPC isnotnecessarily the resourceowner.While theproperty is

owned by the company that has the privilege to make autho-

rization decisions at any time, the company is the ONLY

resource owner. Obviously, a vague or improper definition of

resource owner will lead to leaks of security.

Authorization is the mechanism to handle user’s permis-

sions of operations over resources. By the principal of least

privilege, no one is necessary to know the authorization

information except AA who takes the responsibility of

authorization distribution for the REAL resource owner. In

Cases 1, 2, and 3, the authorization information is revealed to

an end user or to the resources. This may cause security

leakage if the access control information is sensitive. But, it is

still secure for most scenarios in the real world because both

the user and the resources are trustable entities with this

specific session of access; therefore, the boundary of the

definition for secure authorization is whether the authoriza-

tion information can be revealed or not to the entities who are

untrustworthy/untrustable in the specific session of access.

Case 4 is the highest Secure Authorization Scheme out of all

cases above; it keeps theminimal information revelation level

in the process without the redundancy of authorization

information distribution.

Fig. 2 e Secure Authorization Architecture.

4. Secure Delegation Scheme

Realistically, in daily life we are to carry out several time-

sensitive tasks within the same time frame. Since it is

impossible for one person to do it all at the same time, it

becomes a necessity to look into a secure delegation scenario

in order to establish a secure delegation process. For instance,

let us consider the scenario given in Example 2.

Example 2. Let’s consider the following scenario in which Bob

wants to operate on a PC in the lab and he inquires the admin-

istrator to grant the permission for him. The administrator

distributesBoba token;with this token,BobcanopenthePCand

operate on it. But, sometimes, Bob has to take a class where he

cannot go to the lab. He wants to grant his privilege to David to

workonhisbehalfonthePC.Bobasks theadministrator togrant

David a new token that can obtain the privileges to operate on

the PC.With this token, David canwork on behalf of Bob on the

PC. Neither Bob, nor David, nor the PC can understandwhat the

tokenmeans.What Bob’s andDavid’s concern is thatDavid can

work on the PC on behalf of Bob. What the PC’s concern is that

David’s operation is granted by the administrator. The admin-

istrator is responsible for the validity of David’s operations and

handles the privileges that David works on.

Hence, based on the Secure Authorization Scheme, the

Secure Delegation Scheme keeps the Secure Authorization

Scheme within the delegation chain. There is no leakage of

authorization information. As can be seen in the Example 2,

David does not obtain any redundancy of authorization

information when he delegates on Bob’s privilege.

4.1. Secure delegation process

Although the architecture of the delegation process is illus-

trated in Fig. 2, it is necessary to provide the underlining

definition to clarify the role each component plays in the

process.

SAT: A Secure Authorization Token is a random number

generated from the fingerprint of the 3-uniform edge defined

in Definition 6.3. Since the result of fingerprint is a complex

number, we simply concatenate the real part and the imagi-

nary part of the complex number to generate the SAT.

User Credential: A User Credential has two elements: PKC and

SAC. PKC is the public key certificate (such as X.509 certificate)

for user identity. SAC is the authorization promise granted to

the corresponding user. A SAC consists of a single entry or

multiple entries of SATs.

AA: Authorization Authority is the domination of the autho-

rization policies and decisions. It is the single entry point to

sensitive authorization information (i.e., RBAC database).

PDP: Policy Decision Point is the point to make authorization

decisions. In XACML (Xacml, 2005), there are two other func-

tional components: PIP (Policy Information Point) and PAP

(Policy Administration Point). Some of the functions for them

will be taken by AA.

CA: The certificate authority that does authentication for PKC.

DA: Delegation Agent is the component to administer the

delegation of credentials.




In summary, CA is responsible for authentication with

users. AA is responsible for authorization with authenticated

users. Both PDP and DA will access CA and AA for the dele-

gation purpose.

5. Design of Online Credential Repository forRole-based Delegation

The source of the motivation is to manage the security clear-

ances for the delegation model presented. Therefore, an appli-

cation called the Online Credential Repository for Role-based

Delegation has been developed. The application serves as the

core component of access control with the system and is also

integrated with the authentication component; hence, Role-

based Delegation can be processed by the underlying system.

The key services of the Online Credential Repository

include:

� Generation and management of authentication certificates;

� Generation and management of Secure Authorization

Tokens (SATs) and Secure Authorization Certificates (SACs);

� Encoding RBAC attributes into single certificate;

� Enabling delegation process with the implemented Secure

Delegation Scheme.

5.1. Architecture

The architecture of the Online Credential Repository is illus-

trated in Fig. 3. CR is the subsystem of Credential Repository

which is responsible for certificate issuing and management.

The functions of PDP are implemented by CR. TA is the

subsystem of Token Authority which is responsible for

authorization verification and generation of Secure Authori-

zation Token. The functions of AA are implemented by CR and

TA. DA is the subsystem of Delegation Agent which works as

certificate proxy server to cache and manage delegated

certificates. Client includes the end users who would be the

delegatee(s) or the delegator(s) in the system.

The system has an integrated line of authentication and

authorization, as well as delegation of Role-based Access

Control. The certificate keeps the format of X.509 as authen-

tication credential and makes an extension with the X.509

certificate to process authorization and delegation services.

5.2. Certificate

We use X.509 as the PKC, and SAC is compiled as an attribute

extension in it. Because SATsmay frequently be updated, SAC

is not directly encoded into the X.509 certificate. The link to an

identity of the SAC such as URI, Local File name is compiled so

that the content update for SAC does not influence the PKC.

5.3. Workflow

Credential Assignment: PKC is assigned by CA; it generates

a X.509 certificate as a user certificate to identify the user. SAC

is assigned by TA. The identity of SAC is encoded into PKC.

Caching and Delegation: To enable delegation, SAC should be

distributed to proxy servers, which are called DAs. A creden-

tial without delegation could connect to PDP to do the vali-

dation, while the credential with delegation could access the

DAs to do the validation. Communication channels between

different servers are assumed to be secure; and SACs

exchanges within these servers are considered to be trustable.

For the purpose of caching SACs, a table is created to store SAT

items. The item is defined as (UID, SAT, UpStreamDA), where

UID is the user identity; SAT is one of the entries of the SAC of

this user; UpStreamDA is the upstream server, the DA or the

PDP, for example. SATs could be cached in the resource owner,

in the DAs, or in the PDP.

Validation: The validation process is illustrated in Fig. 4. The

client who holds the User Credential sends out the request of

validation to DA (or if it is not a delegation credential, sends to

PDP directly). The DA first does the authentication using the

PKC with the CA; then forwards the SAT to its upstream DA or

PDP to do the validation of authorization. For the initial vali-

dation, the SATs will be forwarded to the TA at the end, and

the TA would access the RBAC database to verify the SATs.

Then, the SATs retrieved in the process can be cached in the

trustable DAs for future validation. In some cases, the SATs

can be cached in the resource owner or any other trustable

parties, and that will simplify the validation of authorization.

SAC Renewal: SAT is issued by TA who manages the SATs’

lifetime. When a session of authorization has expired, the

random numbers R1, R2 and R3 of the sets ðUID;R1Þ, ðVG;R2Þ,and ðRID;R3Þ will be changed so that the SAT is invalid for

authorization the next time. Depending on the customer’s

policy, the downstream serverwill be notified by the upstream

server to update its cache for synchronization.

Credential Revocation: PKC will be expired by the end of its

lifetime. The SAC will be expired when all of its SATs are

invalid, and it will be removed from the User Credential.

5.4. Multi-Agent Delegation

To facilitate the delegation process through the Internet,

Multi-Agents could be deployed. The architecture is described

in Fig. 5.

Virtual Organizations (VOs) are domains that may hold

a set of resources, as well as a set of components for delega-

tion, such as the TA, the PDP, and the DAs, etc. Authentication

and authorization can be done independently within

a domain. Different VOs could share CAs or TAs when secure

channels can be created among these servers. A portal of

delegation is developed for each VO as the singleton entry of

the VO to accept the request of User Credential validation and

response to the client outside the VO.

The authorization and delegation assignments are enco-

ded as a token instead of a set of attributes. The simpler

semantic of the SAT over a set of attributes helps to decouple

the logic of authorization and delegation between different

domains. The PDP is easier to be relocated from different VOs

or redesigned by another VO. Furthermore, the transmission

of the token is light weighted and risk-free compared to the

transmission of the set of attributes, which might be a great

concern for some VOs in cooperation because their secrets

may be unintentionally revealed. All of the before-mentioned



Fig. 3 e Credential Repository Architecture.


properties could reduce the complexity and administrating

cost for providing cross-domain solutions.

6. Quasirandom approach

A new hash function needs to be defined in order to make

a unique pattern (the fingerprint) for RBAC. First, we give the

definition of quasirandomness for 3-Uniform Hypergraphs:

Definition 6.1. (Definition 2.4. in (Gowers, 2006b))

m ¼ ðu; g; rÞ;u˛U; g˛G; r˛R

Let H be a tripartite 3-Uniform Hypergraph with vertex sets

X, Y, and Z of size L,M, andN, respectively, and suppose thatH

has pLMN edges. Then H is a-quasirandom if it contains at

most ðp8 þ aÞL2M2N2 octahedra.

To map the RBAC information to 3-Uniform Hypergraph,

we define RBAC fingerprint as follows:

Definition 6.2. Let H be a tripartite 3-Uniform Hypergraph

with vertex sets U, G, and R of size L, M, and N, respectively,

and suppose that H has pLMN edges. The 3-uniform edge of H

is denoted as m. h is the fingerprint of m if h ¼ fðu; g; rÞ has the



Fig. 4 e Validation process.


production of unique value within all of the 3-uniform edges

of H, where m ¼ ðu; g; rÞ;u˛U; g˛G; r˛R.As Fig. 6 shows, U represents the User set that keeps the

identities of users who will be authorized. R represents the

Role set that keeps the identities of roles that can be granted to

users in U. G represents the Virtual Group, which is the

dynamic domain from which roles will be collected when the

sessions of authorization for the users in U are created. A

session of authorization for a user is created if the user is

qualified to work within the Virtual Group. The 3-uniform

edge of m represents an authorization statement by the qua-

sirandom structure H.

Fig. 5 e Multi-Age

Definition 6.3. The hash function to make a fingerprint for

RBAC is defined as f : Z3N/C by

fðx; y; zÞ ¼ uðx4y4zÞ2 ; u ¼ e2pi=N

where Z is the vertex set of the 3-UniformHypergraph;C is the

set of complex numbers; and N is an odd positive integer. The

nodes for the set of User, Virtual Group, and Role are defined

as ðUID;R1Þ, ðVG;R2Þ and ðRID;R3Þ respectively, where UID, VG

and RID are the identities of User item, Virtual Group item, and

Role item; Ri are random integer numbers.

x4y4z ¼ R1 � l1 þ R2 � l2 þ R3

nt Delegation.



Fig. 6 e 3-Uniform Hypergraph mapping for RBAC.


where li is the radix. To guarantee the value of f is unique to

different sessions of (User, Virtual Group, Role), two restric-

tions are put on the generation of Ri and N:

1. Ri is unique within each set User, Virtual Group, or Role,

respectively.

2. N > 2p� ðx4y4zÞ

6.1. Authentication and authorization: the differentphilosophy

The functions for authentication are to verify “who” the user

is, or the “identity” of the user. The function of authorization

is to identify “what” the user can do, or “Access Control”. Since

authorization needs to bridge Resources, Policies, Owners,

and Users/Roles to facilitate the Access Control, it has more

complex logic than authentication does. The PKI-based

authentication mechanism such as X.509 certificate, cannot

optimally meet the requirement of authorization, especially

for the delegation process.

6.2. PKI-based authorization: a curse?

There are several deficiencies of PKI-based authorization

(Benantar, 2006):

� Excessive use of the private key (especially for CA) to sign

the certificate, leads to more risk of compromise;

� Extensions embedded into the certificate overload the

semantics of the authentication certificate; hence this leads

to the leakage of authorization information which may be

sensitive in some scenarios;

� The difference in lifetime between the authentication and

authorization attributes; the authentication is relatively

stable because it is the identity of a user while the authori-

zation is variant. The granting or revoking of privileges is

changed frequently. It will lead to the frequent update of the

certificate for a user;

� Cross-domain problems with RBAC; in different organiza-

tions, the authorization specification may have a big

difference due to their different business logics. Even if the

certificate for authentication such as X.509 is a standard

specification for information exchange between different

systems, the gap between the authorization logicswill make

it difficult to communicate or to integrate with different

organizations.

Current PKI-based technologies (i.e., XACML or most of

Attribute Certificate) extend the X.509 specification with

authorization information; however, all of them suffer from

the above deficiencies. To overcome all of these deficiencies,

we defined a new delegation architecture and a quasirandom

hash function to replace the PKI. The interpreted advantages

of quasirandom hash function over PKI are introduced in

Section 6.3, and the advantages of the presented delegation

model are discussed in Section 7.

6.3. Where to hash?

Since current PKI-based approaches are not suitable for secure

authorization processing, we have to figure out a better solu-

tion. The key points are where to hash the business logics and

where to interpret them. With quasirandom approach, the

hash is done in the Token Authority (TA), and the business

logics are hidden from transmissions. Only one step is

necessary for hash or verification of the authorization signa-

ture. The path is:

Token Authority4Client

With PKI-based approach, the hash is done in the certificate,

and the business logics are exposed from transmissions.




There are two steps to hash or verify the authorization

signature. The path is:

Attribute Authority4CA4Client

Another difference is that the quasirandom approach does

not need to access a private key to hash. Moreover, for inter-

organizational access, with quasirandom approach, the

interpretation of the authorization logics neither takes place

in the client side (which retrieves the information from

certificate) nor in the Attribute Authority (like PKI-based

approach which suffers from compatibility of different

authorization between different organizations). The solution

for the quasirandom approach is to build Authorization

Agents to cache the Tokens of authorization to facilitate the

integration between different organizations and keep the

authorization information unrevealed to other organizations.

Therefore, the hash with the quasirandom approach could

providemore secure andmore flexible authorization encoding

than the hash with the PKI-based approach does.

6.4. From authorization to delegation: what needs to bedone?

For a delegation process derived from authorization systems,

the following properties should be considered,

� Unforgeable

� Undeniable

� Resource owner/originator

� DAC/MAC/ORCON/RBAC

� Least privileges

� Least information leakage

In the current delegation models, which are mostly based

on the Attribute Certificate, the properties of being unforge-

able and undeniable are well implemented. The rest of the

properties are not well identified or well implemented.

For the delegation process, we think the users only care

about “WHAT” they can do, but not “WHY” they can do it.

Therefore, the extensive amount of redundant authorization

information involved in the certificate is the reason that leads

to complexity and leakage of information during the delega-

tion process. With the property of Resource owner/originator,

there is not a delegation model to identify these two entities.

This will lead to an ambiguous authorization assignment as

well as an information leakage.

We have defined the resource owner which is a critical

concept in defining the implemented Secure Delegation

Scheme (Section 3, Example 1). The originator, to some extent,

is the synonym for resource owner. But for the delegation

process, the originator could be a different subject other than

the resource owner in current delegation models. The origi-

nator who invokes a delegation chain might be a different

subject that has been authorized by the resource owner in

a different way, for example, by a traditional non-electronic

approach. Our understanding is that the originator is even-

tually the resource owner, but we do not treat them as

different subjects in the implemented scheme. Because only

the owner of the resource has the rights to grant any

permissions/roles to other users, any originator other than the

owner itself can only obtain the delegated rights to control the

resource or grant permissions/roles to others unless the

ownership of the property is switched to him/her.

For DAC/MAC/ORCON/RBAC, the current delegationmodels

simply inherit the properties of these and do not put more

specific properties for delegation. For example, most of the

current role-based delegation approaches implement a DAC

model which is unable to adequately address the business

logics and, hence, leads tomuch overhead. The confusionmay

originate fromthe resourceoperatorsoroperatingsystemsover

the resource or the authorized owners of the resource through

the delegation chain. To distinguish the different imple-

mentation for DAC/MAC/ORCON/RBAC delegation, these

concepts must be clarified. Resource operators or operating

systems, as we define them (we call them operators for

simplicity), are the subjects who physically own the resource

and conductworkon it. The authorizedowners are the subjects

who were directly or indirectly granted permissions/roles by

the resource owner/originator and are able to transfer those

permissions/roles through the delegation chain. In Section 4,

Example 2, Bob and David are operators; the operating systems

on the PC is also the operator; the administrator is an autho-

rized owner; Bob is another authorized owner; the company

whoowns thepropertiesof the lab is theactual resourceowner/

originator which is the unique and final authority. This struc-

ture is an exact mapping for real world authorization and

delegation model, but the current delegation models compli-

cates the resource owner/originator with operators or autho-

rized owners which generates more confusion.

The access policies are eventually issued by the resource

owner/originator, but they can also be implemented down-

stream over the delegation chains. The difference of

enforcement places for access policies will form the different

schemes DAC/MAC/ORCON. For example, in the presented

delegation scheme, if the PDP is implemented by the operator,

a DACmodel will be formed; if the PDP is unique and attached

to AA, an ORCON model could be formed; or if the PDP is

controlled by the administrators in VOs separately, a MAC

model could be formed (Note: RBAC has been implemented by

default for any of the above cases in the model introduced.).

Also, the principles of least privilege and least information

leakage are not well implemented in current delegation

models, especially in role-based delegation.

7. Discussion

7.1. Pros and cons

The advantages over the traditional delegation models are

summarized as follows:

1. Transmission of none-sensitive information through

network.

2. Managing the credentials of users with least privilege. Only

the necessary privileges are granted to the SAC with cor-

responding SATs.

3. Meeting the scenario of frequent authorization variationwith

minimal change.Anychangewithaccess control information




will cause the update of the SAT for the corresponding

session; while with our approach, the minimal change is

sufficient both for the client side and the server side.

4. Administering large number of users’ credentials with

multiple Delegation Agents and caching. It will enhance the

performance of processing with delegation.

5. With Multi-Agent Delegation architecture, the cross-

domain delegation could be more easily issued and veri-

fied (see Sections 5.4 and 6.3).

6. Less overhead with credential design.

The following two issues are known to be the disadvan-

tages when compared to the other delegation models:

1. More restrictions are put on the client, and the distribution

of policy is less flexible than some other models.

2. No implementation for role hierarchy.

7.2. Quasirandom approach: what is the difference?

Compared to traditional hash functions or other general hash

functions, there are several features demonstrating the

differences and justifying why the quasirandom approach is

a proper way to do the hashing for the presented scheme:

� Input: it does not need PKI to have the message digest be

signed. Because the input message is a specific tuple of

access control information, it is different with the entire

message that hashed, signed, and published for trans-

mission by the PKI-based approaches.

� Output: the random number generated by the quasirandom

function which is a theoretical perfect hash. We will inter-

pret it in 7.3.

� Measurable Uniformity: the uniformity of the random

number is measurable, which is different with the non-

measurable hash functions.

From the differences listed above, it is obvious that tradi-

tional hash functions cannot meet our requirement of RBAC

encoding with Secure Authorization Certificate, while the

quasirandom hash function easily generates the token we

need for the scheme presented.

7.3. Uniqueness of the string

With the “Roots of Unity” properties, the uniqueness of SAT

can be guaranteed. From the Definition 6.3, as long as the

random numbers are unique within each set (User, Virtual

Group, Role) and the two restrictions are satisfied, both the

real part and imaginary part of the hashing result are irra-

tional numbers. The concatenation of the two parts as a string

is considered as unique. For example, get a length of 512 digits

for the numbers, and use them as string to generate a string

with 1024 digits. This string can be considered a fingerprint.

7.4. Avalanche effect

The avalanche effect is evident in our hashing approach

because it is not based on the mixing operation with the

original information as done in traditional hash technologies.

A minor change with the source data will cause great differ-

ence with the output. This property can be tested by using the

roots formula introduced in Definition 6.3.

7.5. Quasi-random level

a-quasirandom (Gowers, 2006b) is the metrics of uniformity.

With the formula ðp8 þ aÞL2M2N2, we know that for a given

graph, the density and size of the sets are fixed; only the value

of a can be customized. Therefore, the security level is

controlled by the variant of a, which can be pre-defined or

dynamically adjusted by the runtime application.

7.6. Computational complexity

The hashing algorithm is not based on trapdoor function. The

infeasibility of the fingerprint depends on the infeasibility of

equation solving with “Roots of Unity” involved. A hacker,

whowants to crack the fingerprint or to forge it, needs to solve

the following equation.

aiþ b ¼ uðx4y4zÞ2 ;u ¼ e2pi=N

where a, b, and N are given. But a and b are trimmed with

a specific length. Hence, the result will be an approximate

value, which will lead to difficulty working out the random

numbers R1, R2, and R3 with their exact values. Even if the

random numbers are cracked, the hacker needs to get the

mapping table for ðUID;R1Þ, ðVG;R2Þ, and ðRID;R3Þ, which are

stored in the RBAC database or cached in the secure servers

working along the delegation chain. The cost to compute the

fingerprint is not more expensive than traditional hash func-

tions such as MD5, SHA-x, et al. The computational cost

depends on the following calculation,

fðx; y; zÞ ¼ uðx4y4zÞ2 ;u ¼ e2pi=N

7.7. Implementation considerations

The prototype Online Credential Repository for Role-based

Delegation has been developed to demonstrate our proposed

delegationmodel. For the real world applications, therewill be

more concerns.

� Integration with existing systems such as authentication

systems and the organization’s policy enforcement. In our

implemented prototype, the SAT is simply embedded into

X.509 certificate to take place of attributes. But the loosely

coupled authorization and authentication pieces could be

distributed separately, because the SAT does not carry

explicit authorization information.

� Communications between different organizations. In the

Multi-Agent Delegation architecture, the interpretation of

the SAT could be different by different organizations. The

implementation will depend on exchanging of policies or

not between the involved organizations. If not, the policy

enforcement could be implemented the same way as the

Single-Agent Delegation model; or if the organizations need

to share policies, there will need a way to generate shared

points for policies access, which has no difference with




solutions by other models how to share policies between

different organizations.

� Performance at large scaled system. Especially the imple-

mentation of delegation agents for caching and updating

will impact the performance significantly. The frequency of

caching and updating depends on the volatility of the role

map updating, the caching could be updated very frequently

in a large scaled system with role granting/revoking

changed frequently. There are no heavy calculations for

updating except the RBAC server, the performance mostly

depends on the SATs transmission over network. Therefore,

there is no evident performance bottleneck in our proposed

architecture because the SAT is a pretty small piece of text,

the transmission of the SATs over network will be faster

than transmission of a set of attributes.

Overall, the introduced SAT reduced the complexity of the

implementation than the systems employing attribute certif-

icates, except it loses embedded authorization information

which could enforce the access control and enable delegations

discretionarily.

8. Conclusions

In this paper, we redefined the Secure Authorization Scheme

as well as the Secure Delegation Scheme with all of the listed

properties (see Section 6.4) for the concept of delegation,

allowing less leakage with authorization information to

unauthorized users. Based on our definition of Secure Dele-

gation Scheme, we provided a secure delegation model that

encodes RBAC information to a single certificate as a reference

implementation for open environment applications.

For this secure delegation architecture, we argued the

deficiencies current PKI-based approaches suffer from in

Section 6.2. Then, we introduced the Secure Authorization

Certificate in place of the Attribute Certificate. A new

hashing approach that employs the quasirandom structure

is introduced to generate the Secure Authorization Tokens

for Secure Authorization Certificate. This is a novel solution

that solves the problems for PKI-based delegation

mechanism.

9. Future work

Introducing quasirandomness into the security area is

preliminary; more research to compare it to MD5, SHA-x, or

other Message Digest approaches by more metrics may give

more hints about the new hashing approach. Moreover, there

will be more revenues if the k-UniformHypergraphs (Gowers,

2006a; Nagle et al., 2006) are explored in order to generate

more complex logic for security. For the random generation

function, if an invertible function can be designed, there will

be more possibilities to do encryption or compression with

quasirandom structures. For the current application, we plan

to refine the mappings from RBAC to the quasirandom

structure in order to include more features such as role

hierarchy.

Acknowledgment

This study was conducted as an extension to the project

funded by DOD under the grant number H98230-07-C-0403.

r e f e r e n c e s

Benantar M. Access control systems: security, identitymanagement and trust models. New York, NY, USA: Springer;2006. 102e109.

Bonatti P, Samarati P. Regulating service access and informationrelease on the web. In: CCS ’00: Proceedings of the 7th ACMconference on Computer and communications security, ACM,New York, NY, USA, 2000, pp. 134e143. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/352600.352620.

Brickell E, Li J. Enhanced privacy id: a direct anonymousattestation scheme with enhanced revocation capabilities. In:WPES ’07: Proceedings of the 2007 ACM workshop on Privacyin electronic society, ACM, New York, NY, USA, 2007, pp.21e30. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1314333.1314337.

Calvert KL, Griffioen J. On information hiding and networkmanagement. In: INM ’06: Proceedings of the 2006 SIGCOMMworkshop on Internet network management, ACM, New York,NY, USA, 2006, pp. 35e40. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1162638.1162644.

Chadwick D, Otenko A, Ball E. Role-based access control with x.509 attribute certificates. Internet Comput IEEE 2003;7(2):62e9.doi:10.1109/MIC.2003.1189190.

Czajkowski K, Foster I, Kesselman C. Agreement-based resourcemanagement, Proceedings of the IEEE 93(3) (2005) 631e643.doi:10.1109/JPROC.2004.842773.

Dumitrescu C, Foster I. Usage policy-based cpu sharing in virtualorganizations. In: GRID ’04: Proceedings of the 5th IEEE/ACMInternational Workshop on Grid Computing, IEEE ComputerSociety, Washington, DC, USA, 2004, pp. 53e60. doi:http://dx.doi.org/10.1109/GRID.2004.62.

Farrell S, Housley R. An Internet attribute certificate profile orauthorization. RFC 2002;3281.

Ferraiolo DF, Sandhu R, Gavrila S, Kuhn DR, Chandramouli R.Proposed NIST standard for role-based access control. ACMTrans Inf Syst Secur 2001;4(3):224e74. doi:http://0-doi.acm.org.iiiserver.ualr.edu:80/10.1145/501978.501980.

Frikken K, Atallah M, Li J. Hidden access control policies withhidden credentials. In: WPES ’04: Proceedings of the 2004 ACMworkshop on Privacy in the electronic society, ACM, NewYork, NY, USA, 2004, pp. 27e27. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1029179.1029186.

Frikken K, Atallah M, Li J. Attribute-based access control withhidden policies and hidden credentials. Comput IEEE Trans2006;55(10):1259e70. doi:10.1109/TC.2006.158.

Gowers WT. Hypergraph regularity and the multidimensionalszemeredi theorem. Ann Math 2006a;166(3):897e946.

Gowers WT. Quasirandomness, counting and regularity for 3-uniform hypergraphs. Comb Probab Comput 2006b;15(1e2):143e84. doi:http://dx.doi.org/10.1017/S0963548305007236.

Holt JE, Bradshaw RW, Seamons KE, Orman H. Hiddencredentials. In: WPES ’03: proceedings of the 2003 ACMworkshop on privacy in the electronic society, ACM, NewYork, NY, USA, 2003, pp. 1e8. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1005140.1005142.

Inglesant P, Sasse MA, Chadwick D, Shi LL. Expressions ofexpertness: the virtuous circle of natural language for accesscontrol policy specification. In: SOUPS ’08: Proceedings of the4th symposium on Usable privacy and security, ACM, New

http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/352600.352620






http://dx.doi.org/10.1109/GRID.2004.62


http://0-doi.acm.org.iiiserver.ualr.edu:80/10.1145/501978.501980

http://0-doi.acm.org.iiiserver.ualr.edu:80/10.1145/501978.501980



http://dx.doi.org/10.1017/S0963548305007236






York, NY, USA, 2008, pp. 77e88. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1408664.1408675.

Iso 9594-8/itu-t rec. x.509 (2005) the directory: public-key andattribute certificate frameworks; 2005.

Joshi JBD, Bertino E. Fine-grained role-based delegation inpresence of the hybrid role hierarchy. In: SACMAT ’06:Proceedings of the eleventh ACM symposium on Accesscontrol models and technologies, ACM, New York, NY, USA,2006, pp. 81e90. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1133058.1133071.

Kakizaki Y, Tsuji H. A new method for reducing therevocation delay in the attribute authentication,Availability, Reliability and Security, 2007. ARES 2007. TheSecond International Conference on (2007) 1175e1182 doi:10.1109/ARES.2007.10.

Li J, Li N. Policy-hiding access control in open environment. In:PODC ’05: Proceedings of the twenty-fourth annual ACMsymposium on Principles of distributed computing, ACM, NewYork, NY, USA, 2005, pp. 29e38. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1073814.1073819.

Li N, Tripunitara MV. Security analysis in role-based accesscontrol. ACM Trans Inf Syst Secur 2006;9(4):391e420. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1187441.1187442.

Li J, Li N, Winsborough WH. Automated trust negotiation usingcryptographic credentials. In: CCS ’05: Proceedings of the12th ACM conference on Computer and communicationssecurity, ACM, New York, NY, USA, 2005, pp. 46e57. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1102120.1102129.

Mazzoleni P, Crispo B, Sivasubramanian S, Bertino E. Efficientintegration of fine-grained access control in large-scale gridservices, Services Computing, 2005 IEEE InternationalConference on 1 (2005) 77e84 vol. 1. doi:10.1109/SCC.2005.49.

Na S, Cheon S. Role delegation in role-based access control. In:RBAC ’00: Proceedings of the fifth ACM workshop on Role-based access control, ACM, New York, NY, USA, 2000, pp.39e44. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/344287.344300.

Nagle B, Rodl V, Schacht M. The counting lemma for regular k-uniform hypergraphs. Random Struct Algorithms 2006;28(2):113e79. doi:http://dx.doi.org/10.1002/rsa.v28:2.

Novotny J, Tuecke S, Welch V. An online credential repository forthe grid: Myproxy, High Performance Distributed Computing,2001. Proceedings. 10th IEEE International Symposium on(2001) 104e111 doi:10.1109/HPDC.2001.945181.

Seitz L, Rissanen E, Sandholm T, Firozabadi B, Mulmo O. Policyadministration control and delegation using xacml anddelegent, Grid Computing, 2005. The 6th IEEE/ACMInternational Workshop on (2005) 6 pp.e doi:10.1109/GRID.2005.1542723.

Wang H, Osborn SL. Delegation in the role graph model. In:SACMAT ’06: Proceedings of the eleventh ACM symposium onaccess control models and technologies, ACM, New York, NY,USA, 2006, pp. 91e100. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/1133058.1133072.

Winsborough W, Li N. Towards practical automated trustnegotiation, Policies for Distributed Systems and Networks,2002. Proceedings. Third International Workshop on (2002)92e103 doi:10.1109/POLICY.2002.1011297.

Winsborough W, Li N. Safety in automated trust negotiation,Security and Privacy, 2004. In: Proceedings. 2004 IEEESymposium on (2004) 147e160.

Winsborough W, Seamons K, Jones V. Automated trustnegotiation, DARPA Information Survivability Conference andExposition, 2000. DISCEX ’00. Proceedings 1 (2000) 88e102 vol.1. doi:10.1109/DISCEX.2000.824965.

Winslett M, Yu T, Seamons K, Hess A, Jacobson J, Jarvis R, et al.Negotiating trust in the web. Internet Comput IEEE 2002;6(6):30e7. doi:10.1109/MIC.2002.1067734.

Extensible access control markup language (xacml) (Feb 2005).Xie D, Wang Y, Chen H. A new role-based access control model

using attribute certificate, Intelligent Control and Automation,2004. WCICA 2004. Fifth World Congress on 5 (2004) 4335e4338vol. 5.

Yu T, Winslett M. A unified scheme for resource protection inautomated trust negotiation, Security and Privacy, 2003.Proceedings. 2003 Symposium on (2003) 110e122.

Yu T, Winslett M, Seamons KE. Supporting structured credentialsand sensitive policies through interoperable strategies forautomated trust negotiation. ACM Trans Inf Syst Secur 2003;6(1):1e42. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/605434.605435.

Zhang L, Ahn G-J, Chu B-T. A role-based delegation framework forhealthcare information systems. In: SACMAT ’02: Proceedingsof the seventh ACM symposium on Access control models andtechnologies, ACM, New York, NY, USA, 2002, pp. 125e134.doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/507711.507731.

Zhang L, Ahn G-J, Chu B-T. A rule-based framework for role-baseddelegation and revocation. ACM Trans Inf Syst Secur 2003;6(3):404e41. doi:http://0-doi.acm.org.iii-server.ualr.edu:80/10.1145/937527.937530.

Zhou W, Meinel C. Implement role based access control withattribute certificates, Advanced Communication Technology,2004. The 6th International Conference on 1 (2004) 536e540.doi:10.1109/ICACT.2004.1292928.

Mr. Guangxu Zhou currently serves as a software engineer inNational Center for Toxicological Research. His research interestsfocus on software engineering and networking, including Object-Oriented Design, testing automation and tools, network protocols,algorithms, and network security. He received a Master of Soft-ware Engineering degree from Tsinghua University, Beijing,China, in 2005 and an M.S. degree from the University of Arkansasat Little Rock in 2009.

Dr. R. Murat Demirer received the B.S. degree in Electrical Engi-neering from Kocaeli DMMA and the M.S. degree in ElectricalEngineering from Istanbul Technical University, in 1980 and 1982,respectively and the Ph.D. degree in biomedical engineering fromBogazici University, Istanbul, Turkey in 2000. He is currently anassistant professor in the department of Mathematics andComputer Science, Faculty of Science and Letters, Istanbul KulturUniversity, Istanbul Turkey. His current research interests includebrainecomputer interface, neurodynamics and cryptography.

Dr. Coskun Bayrak is a professor in the department of ComputerScience at the University of Arkansas at Little Rock. His primaryresearch is in the intersection of software engineering, datamining, and Biomedical Engineering. However, he also hasinterest in modeling and simulation and cellular automata. He isa member of IEEE and ACM. Dr. Bayrak holds a B.S. from SlipperyRock University, and an M.S. from Texas Tech University, andPh.D. from Southern Methodist University in Computer Science.

Dr. Licheng Wang received a B.S. degree in Computer Sciencefrom Northwest Normal University, China, in 1995 and an M.S.degree in mathematics from Nanjing University, China, in 2001,and a Ph.D. degree in Computer Science from Shanghai Jiao TongUniversity, China, Beijing University of Posts and Telecommuni-cations. His current research interests include cryptography,information security and trust computation, etc.





http://dx.doi.org/10.1109/ARES.2007.10

http://dx.doi.org/10.1109/ARES.2007.10







http://dx.doi.org/10.1109/SCC.2005.49



http://dx.doi.org/10.1002/rsa.v28:2

http://dx.doi.org/10.1109/HPDC.2001.945181





http://dx.doi.org/10.1109/POLICY.2002.1011297

http://dx.doi.org/10.1109/DISCEX.2000.824965







http://dx.doi.org/10.1109/ICACT.2004.1292928



Enable delegation for RBAC with Secure Authorization Certificate

Documents