A Novel Role/Object-Based Access Control for Digital ... - CiteSeerX

Internet Security: A Novel Role/Object-Based Access Control for Digital Libraries

Su-Shing Chen, Chee-Yoong Choo, Randy Y. Chow
Department of CISE, University of Florida, Gainesville, FL 32611-6120

November 20, 2003

Abstract

Internet-based, real-world applications require appropriate security mechanisms, because potentially millions of users and their agents (or subjects) will access billions of objects of information content in complex workflow processes (e.g., commerce, learning, and healthcare). Security is one of the strategic technologies that will increase the value and utility of the Internet and Internet-based applications. Traditional security issues deal with the authentication and authorization of users in network domains. Today there are numerous novel security issues concerning users, information content, and application systems in information domains. Among them, we will consider a novel role/object-based access control mechanism for both subjects and objects in workflow processes of information domains. In particular, we will present our implementation of this mechanism for digital libraries.

Keywords: Internet-based application, digital library, security, access control.
Tech Area: Internet security.
Contact: Su-Shing Chen, PO Box 116120, Dept of CISE, University of Florida, Gainesville, FL 32611-6120; tel: 352-392-2760; fax: 352-392-1220; email: [email protected].

1. Introduction

Internet-based, real-world applications require appropriate security mechanisms, because millions of users (or subjects) will access millions, or even billions, of objects of information content in complex workflow processes (e.g., commerce, learning, and healthcare). Security is one of the strategic technologies that will increase the value and utility of the Internet and Internet-based applications. Traditional security issues deal with the authentication and authorization of users in network domains [1, 3, 4, 5, 6, 7, 13, 15, 16].
They address system-level security policy modeling and enforcement, for example, whether an authenticated user is permitted to access an object based on its execution domain and membership in some user groups. Today there are many unique application-specific security policies that exhibit dependency on user interaction and information content. Many new access requirements are spatially and temporally related. For example, an authenticated user must have accessed a certain object before it is allowed to access some other related objects that are currently being used by another subject. The system presented in this paper utilizes three major concepts, role-based access control (RBAC), an object model, and a Boolean Expression Access Control (BEAC) mechanism, to address these issues in the context of workflow control of a community-based digital library information system. We use the term community-based to characterize a structure of the application user community, as opposed to a general digital library where all users are loosely considered in one category. In such a community of users, additional access constraints imposed on the structure are often needed. Given an application domain, the use of roles as subjects can better capture the organizational structure of the intended community of users. Moreover, the object model allows personalization of object servers according to user applications. Finally, the BEAC mechanism provides flexibility in regulating accesses to objects by roles.

Although Internet technologies and global networking infrastructures have made information sharing much easier and less expensive, the availability of such information systems comes at the expense of higher risks. Information is not preserved in the long term: websites tend to disappear frequently and digital media become obsolete quickly. Privacy of information can be abused. Even worse, the integrity of the systems could be compromised.

Although access control is often described as rules regulating how subjects are allowed to access objects, it can be viewed as information flow control, since every access results in a flow of information between entities (either or both subject and object). Within the information flow of an application domain, there are exceptions to the normal information flow. For example, sensitive information content can be allowed to flow from A to B and from B to C, but not permitted to go from A to C directly. This kind of security control is also addressed in our system using the BEAC mechanism.
Examples of secure information sharing are numerous: (1) e-healthcare: doctors, nurses, and patients having different access control mechanisms to patient records; (2) e-learning: teachers, parents, and students to student files and learning objects; (3) e-business: businesses and customers to electronic payments and business contracts; (4) e-government: officials and travelers to smart cards and security areas for airport transportation. Obviously, some users (or subjects) should have a higher access control privilege under certain conditions than others. Thus security policy specification and enforcement must be dynamic and application dependent.

Aside from the benefits naturally derived from the integration of role and object models as described in the previous paragraphs, there is performance to be gained in the system. Role-based access control [2, 26, 27] leads to efficient grouping of subjects, and object-based access control leads to effective categorizing of objects [14, 19, 20, 24]. The contributions of the paper and the implemented system are two-fold. It shows a synergetic integration of role and object models in the context of an important domain-specific application, a community-based digital library system. Furthermore, it exposes the need for a more comprehensive access control model, and demonstrates that BEAC can be realistically and effectively implemented in a combined role and object system.

Recently the W3C Consortium has started several security initiatives on the Web: Web Archive Files, XML Key Management, XML Digital Signatures, XML Encryption, and P3P (Platform for Privacy Preferences) activities (w3c.org). It will be of importance to develop our research on application-specific security mechanisms of access, authentication, authorization, and privacy on top of the W3C standards activities. The research ideas presented in this paper have been implemented in an NSDL (National Science, Technology, Engineering, and Mathematics Education Digital Library, http://www.nsdl.org/) project, called LOVE (Learning Object Virtual Exchange), at the University of Florida, Gainesville [8, 12]. These learning objects support various XML key, signature, and encryption mechanisms, and the novel integrated role/object-based access control mechanism.

2. The LOVE Environment

The NSDL test bed that we have created is a generic collection of web services with an emphasis on K-99 (K-12, college, lifelong) learning and teaching. The LOVE (Learning Object Virtual Exchange) server is a web-based database management system that indexes and stores learning objects for teachers, parents, and students. This community-based digital library allows collaboration among users of many levels for sharing knowledge, working on projects, and preparing tests and exams. It differs from other publish-subscribe digital libraries in that it focuses on supporting the interaction of a hierarchically structured user group through sharing of inter-related information objects, as well as a general library service. Furthermore, it is intended to incorporate information preservation and privacy into the design of the overall system. The goal is to provide a richer and more robust environment for information sharing and collaborative work. In the current system we have developed user services, such as user profiling, a notification system, and customized delivery of learning objects based on the user's level of learning in LOVE.
Under this collaborative environment, we can develop preservation of information on the Internet, privacy of user and content information, and security mechanisms for access, authentication, and authorization to information content, resulting in a total and integrative middleware architecture for secure access and robust preservation for Internet-based digital library applications. A general framework is discussed in the next section; however, only the novel role/object-based access control result is presented in this paper. Other results will be presented elsewhere. The LOVE interface is shown in Figure 1.

Figure 1. The LOVE Environment (screenshot of the LOVE interface)

3. Integrative Security Services Middleware Architecture

This section describes the general framework of our middleware architecture. First, we have designed and developed a security service middleware that addresses several issues about security and privacy for Internet-based applications. The design focuses on dealing with the complexity in information content of objects, community of users, and their interactions, which are state dependent with multiple levels of exceptions. Traditional access, authentication, and authorization mechanisms on the Internet must be supplemented by rules that regulate access control policies of subjects on objects. We have developed a role-based access control mechanism for users (e.g., students, teachers, and parents) based on their roles and different content materials. It addresses the fundamental problem of “what kinds of content materials can be accessed by what kinds of users, and more importantly, under what kind of circumstances?” We have also tested a privacy mechanism for respecting personal user profiles and collection content in the NSDL environment. Thus, this project integrates all the security mechanisms into a service middleware. We have made the middleware component-based and transparent in the framework of the W3 Consortium.

Secondly, Internet-based applications create a significant amount of information that is not necessarily preserved. For example, many web sites come and go, and we have to find strategies to preserve them. Since the security of Internet-based applications includes the integrity of information content of objects in the role-based access control mechanisms, we have researched digital preservation issues for collection providers: authenticity and preservation of objects. We have to assure that content materials are authentic and preserved in the long term, leaving the intellectual property rights issues for others to investigate. Thus we have developed a record management service for Internet collections.

The overall middleware architecture is briefly described with some details in subsequent sections. For security mechanisms, we have developed a user profiling database management system, an RBAC system, and an XML ESKM (Encryption, Signature and Key Management) system. These are closely related to each other. The user profiling database management system already exists in our notification system of LOVE. The RBAC system describes role assignments of users in the user profiling database. The XML ESKM system relates to the privacy of information content of the NSDL and web services (i.e., all XML multimedia documents) and to the user profiling database system (i.e., user signatures and keys). The preservation operations will be related to the information content and its metadata, packaged into WAF (Web Archive Files) formats, and the authentication of XML multimedia documents by signature and encryption. In this sense, security mechanisms and preservation operations are further related to each other, at ESKM for instance. The authenticity of all XML multimedia documents is managed by an RMS (Record Management System); however, authenticity signatures are also handled by the ESKM system. The following diagram describes the essential components of the proposed middleware architecture:

Figure 2. Integrative Security Services Middleware Architecture (diagram; labels: User Security Mechanisms; RBAC; User Profiles & Roles; Search (Query, Full-text); Preservation; RMS; DL & Web Services; XML Metadata; ESKM; XML; Graphics; Image; Video; Text; Learning Objects)

The RBAC implementation includes a user profiles & roles database (e.g., user/role relationship, role hierarchy, constraints, and role/operation relationship) and an administrative server (user/role relationship, administration, RBAC and web API library, RBAC session management). The XML ESKM server manages the security of objects (i.e., XML multimedia documents), but interacts with the RBAC servers. The encryption, signature, and key management tasks depend on user roles. In this sense, we have extended RBAC further to include object encryption, signature, and key management tasks. The XML ESKM server is also a part of the preservation and privacy operations. The following describes the RBAC implementation of our system.

Figure 3. XML ESKM System (diagram; labels: Users; Administrative Server; User Profiles & Roles; DL & Web Services; XML Encryption, Signature, and Key Management Server)

Privacy of user profiles and content information is addressed by the XML ESKM server. Encryption will make the whole or a part of user profiles and content information private. Such a model is useful for designing the necessary privacy levels for other domains (e.g., e-healthcare) as well. There are several candidate systems for the ESKM server, such as the NIST (National Institute of Standards and Technology) Digital Signature Standard (http://csrc.nist.gov/fips/fips1861.pdf). We will also use the MIT XML Security Library (Aleksey Sanin) for developing our XML ESKM server [28]. That library was created with the goal of supporting the major XML security standards for encryption and signature. There are still many research questions about XML encryption, signature, and key management. Along with our NSDL test bed, we hope that we may research and test these interesting questions. What are the unique networking characteristics of these questions? How will these questions impact the Internet infrastructure and protocols? From a concrete case study, NSDL, we will gain insights into some extremely complex research questions. It is all too risky to commercialize XML encryption, signature and key management without a transparent test bed, like this NSDL project.

4. The RBAC Access Control Model

Traditionally, security mechanisms include authentication, authorization and auditing of users into network domains. Authentication (and mutual authentication) is a well-established research area. The entities to be authenticated are typically the identities of subjects. We have included roles to represent a subject. For example, teachers, parents, and students are roles. In this system, roles are authenticated in addition to the identity of the subject. The use of roles for authentication of subjects matches the organizational structure more naturally with the information system, and thus can lead to a more manageable implementation of the security model. Although a role is equivalent to a group with similar privileges in a conventional system, roles carry semantic meaning that can be used to facilitate efficient and proper assignment of privileges to subjects and consistent conflict resolution when a subject carries multiple and possibly overlapping roles. In general, the number of roles required and to be managed in a system will be significantly smaller than the number of unstructured groups.

Authorization of information accesses in traditional information systems is typically a static check of what subject (including its group memberships) has the privilege of accessing what objects. The access policies that we consider in this paper are more dynamic, with additional conditions imposed on the access rules.
For example, a student can access certain information only after the teacher has examined the learning objects, and only for a limited period of time (or the enrolled semester). In a sense the access control policy becomes state-dependent. The role-based concept is useful in modeling these types of complex protection policies. Objects to be accessed carry attribute information (both stateful and stateless), and roles are associated with attributes. The association of roles to a subject can change with respect to each particular instance. Furthermore, roles can be hierarchical to represent the organizational structure. For example, it might be more desirable that the role of a school counselor be considered as a subset of the role of a teacher.

An access control model regulates the access of any active entity (subject) to any passive entity (object) securely on the Internet. All system entities are given some security attributes, and a set of access control rules determines how a subject can access an object based on their security attributes. Usually access control models are divided into mandatory and discretionary access control models. Both are formulated to allow or deny particular access modes by subjects to objects. Whereas mandatory models govern reading and writing of information contained in an object by a subject, discretionary models typically allow a richer set of access modes for an object, depending upon the type of the object. The two models differ mainly in how access authorizations can be modified. In a mandatory model, authorization modifications can only be made by system security administrators through changing the security attributes of subjects and/or objects, while a discretionary model gives a subject some degree of freedom to pass the whole or part of its access privileges for an object to another subject.

In real world applications, we have found needs for new models, since both mandatory and discretionary models are not sufficient. For example, there are different exceptions (e.g., transitivity, aggregation, and separation) to the multilevel information flow, which violate the basic lattice properties of the mandatory access control model. The RBAC model has been recently promoted at NIST by Barkley et al. [2]. The model has been subsequently extended to include states [21, 31] to remedy the inadequacies of the mandatory and discretionary access control mechanisms. It is a promising method for controlling what information users can make use of, which programs they can run, and which modifications they can make. However, it has some limitations (e.g., overlapping of roles), so we have to develop another, object-based access control mechanism to complement it (see the section on BEAC (Boolean Expression Access Control)). The combination of the two mechanisms is called the role/object-based access control mechanism in this paper.

It is obvious that access control is state dependent on subjects and objects. For example, a decision on a subject accessing an object may depend on previous accesses of some objects by the same subject, or on other subjects accessing the same object. A simple organizational hierarchy is depicted in the following diagram to represent the roles in a school system. Specifically, the teacher and student classes take on state parameters, such as semester and course. The association between individual subjects of the teacher class and the object DTD that expresses the object-based access rules is also indicated in the diagram:

Figure 4. RBAC Role Hierarchy and XML DTD Relationship (diagram; labels: User; Teacher Class; Counselor; Parent; Student; Teacher; School Principal; XML DTD; kth; 1st; 12th; RBAC Role Hierarchy)

With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on certain assigned roles (such as teachers, parents, and students). The process of defining roles depends on how an organization operates, and requires very careful study. Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the assigned role. For example, within a school system the role of teacher can include operations to administer tests, assign homework, and give grades; the role of counselor is limited to advising students and having information on students only; and the role of parent can have information on his/her child only. The use of roles to control access will be effective for developing and enforcing school-specific security policies, and for streamlining the security management process. From the school and organization perspective, it is a realistic framework for implementation.

In the RBAC mechanism, users are granted membership into roles based on their responsibilities in the organization. The operations that a user is permitted to perform are based on the user's role. User membership in roles can be revoked easily and new memberships established as job assignments dictate. Role assignments can be established when new operations are defined, and old operations can be deleted as organizational functions change and evolve. This simplifies the administration and management of responsibilities; roles can be updated in the role file without updating the responsibilities for every user on an individual basis. When a user is assigned to a role, the user can be given no more responsibilities than are necessary to perform the job. The concept of “least responsibility” requires identifying the user's job functions, determining the minimum set of responsibilities required to perform that function, and restricting the user to a domain with those responsibilities and nothing more. In less precisely controlled systems, this is often difficult or costly to achieve. Someone assigned to a job category may be allowed more responsibilities than needed because it is difficult to tailor access based on various attributes or constraints.

Role hierarchies can be established to provide for the natural structure of a school or organization. A role hierarchy defines roles that have unique attributes and that may contain other roles; that is, one role may implicitly include the operations that are associated with another role. Role hierarchies are a natural way of organizing roles to reflect responsibility: RBAC roles can have overlapping responsibilities, i.e., users belonging to different roles may need to perform common operations. Some general operations may be performed by all employees.
In this situation, it would be inefficient and administratively cumbersome to specify these general operations repeatedly for each role that gets created. The role in which the user is gaining membership is not mutually exclusive with another role for which the user already possesses membership. These operations and roles can be subject to organizational policies or constraints. When operations overlap, hierarchies of roles can be established. Instead of instituting costly auditing to monitor access, organizations can put constraints on access through RBAC. This inheritance will be implemented by an object-oriented role database (e.g., the user profiles & roles database).

5. RBAC in LOVE

The RBAC model has been applied to the general workflow processes, including the search and retrieval process of digital libraries. The LOVE access (search and retrieval) process supports both full-text search and queries to a backend relational database with (metadata) attributes of digital objects (e.g., learning objects) stored in some file system. In addition, LOVE supports the OAI (Open Archives Initiative) search and retrieval of other interoperable digital libraries. OAI is a harvesting protocol for metadata sets from information resources and web services which have been exposed for harvesting. We have extended LOVE to this harvesting protocol so that users may search and retrieve harvested metadata and their objects from other information resources and web services. This makes LOVE a much richer digital library. For secure access control, we have imposed the RBAC mechanism on this test bed. For instance, teachers will be able to harvest and/or to access OAI harvested metadata and objects, but parents and students will not. Only after teachers have organized harvested results into curriculum objects will parents and students have access to them. Furthermore, certain harvesting between two school districts, or between a digital library and a publisher (or author), may be encrypted and signed for intellectual property rights. Thus the harvesting protocol might become a new secure process of information exchange or publication in the future. For illustration, we describe an example of OAI search results in the LOVE server as follows:

Figure 5. Access Control of Search and Retrieval in LOVE (screenshot of OAI search results in the LOVE server)

Some Examples of LOVE/RBAC

1. Different navigational links on the left of the screen provide different access functions depending on the user role.

When the user is logged in with the STUDENT role: access link to student pages.

When the user is logged in with the AUTHOR role: access link to author pages.

When the user is logged in with the ADMINISTRATOR role: access links to administrator pages and the pages of the other roles.

2. Different provisions for users to view, download, comment on, or review learning objects depending on the user role. The examples below show the different links for different roles when accessing the learning object information page.

When the user role is TEACHER: the teacher role is able to write comments and download/view the learning object.

When the user role is STUDENT: the student cannot add comments or download the learning object.

When the user role is REVIEWER: the reviewer role is able to write comments as well as provide reviews and download/view the learning object, if the reviewer is assigned to review this learning object by the Administrator.

3. A simplified view of the database schema of the user profile database implementing RBAC in LOVE. The first table describes the hierarchy of roles and what they inherit and are prohibited from. For example, the administrator supervises all other roles, authors cannot see reviewers’ comments, and teachers can access students’ and reviewers’ files, but not those of the administrator and authors. The second table includes user entries and profiles:

Roles Table

Index  name           inherits     never
1      administrator  2, 3, 4, 5
2      author                      5
3      teacher        4, 5         1, 2
4      student                     1, 2, 3, 5
5      reviewer       2

Users Table

user_id  lname      fname     user_name  roles
30       Dvorak     Michael   mike       4
31       Belmont    Simon     simon      5
9        Blanchard  Jeremiah  jjb        1
27       Jackson    Robert    rob        4
26       Freud      Sigmund   freud      2, 3, 5
25       Jones      Indiana   indiana    3
23       Smith      John      john       4
24       Brown      James     james      2

Table 1. User profile database and RBAC role hierarchy

Access control in the LOVE environment is concerned with controlling the activity of legitimate users on the different DL entities (e.g., learning objects, user profiles). Access control plays a crucial role in the LOVE security model, as it is the last security checkpoint enforcing the security policy. Authentication is a separate process and has the responsibility to correctly identify users via usernames, passwords, and other biometrics. The effectiveness of access control rests upon the proper user identification by the authentication service. In this paper, we focus on access control and assume that correct authentication of the user has been established.

Access control in the LOVE environment is established through the concept of roles in RBAC and the use of Boolean expressions of categories in BEAC. Roles are assigned to all LOVE users as subjects. The access control to objects by roles is implemented through the use of Boolean expressions. In the LOVE environment, there are 5 roles: ADMINISTRATOR, TEACHER, REVIEWER, AUTHOR, and STUDENT. There is an additional role denoted as OTHERS for visitors to LOVE that do not have a user account (i.e., role). Below, we briefly discuss the responsibilities of the different roles. The ADMINISTRATOR role oversees all the appropriate activities in the LOVE environment (acts as the security administrator) and administers and assigns users to roles. The TEACHER role searches and combines appropriate objects to create a course. The REVIEWER role reviews learning objects assigned to them. The AUTHOR role produces learning objects and uploads them to LOVE. The STUDENT role enrolls in a course, purchases and works on assigned learning objects. The ADMINISTRATOR role inherits all other roles and therefore has access to operations permitted to all other roles.

6. Object-Based Access Control: BEAC

From a general viewpoint of access control, all users, their agents, and system entities in a network environment are classified either as active subjects or passive objects. An access control model specifies how security attributes can be assigned to the interacting subjects and objects, and how these attributes are used in evaluating access permission in accordance with some prescribed rules and policies. Security rules and policies are complex in an information domain, due to the greater diversity of users, their agents, and information content objects. In a networked computing environment, the most visible examples are the different exceptions to multilevel information flow, such as transitivity, aggregation, and separation (of duty) exceptions, which are all difficult to enforce using a mandatory multilevel security model, because their enforcement must violate the basic properties of the mathematical structure that the model is based on. Nor can these policies be modeled by a discretionary security model, since the accessing characteristics of these applications still demand some degree of mandatory control. Furthermore, different types of complex security requirements may exist in an organization at the same time. To incorporate these security requirements, security administrators are often forced to resort to less graceful and complicated methods to satisfy each requirement individually. Thus, the difficulty of maintaining a secure computing environment satisfying all specific security requirements is considerable. Therefore, there is a need for a uniform and simple security model for enforcing security policies where both mandatory multilevel security and discretionary security models are inadequate. In [19, 20], Kao and Chow have proposed a powerful access control model based on Boolean expressions of categories for this purpose.
In this model, each subject is associated with a category set and each object is associated with a Boolean expression of categories. Whether the access of a subject to an object is allowed or not is determined by the evaluation of the object’s Boolean expression using the subject’s category set as its input. Although its access rules look simple and straightforward, the model achieves a very rich set of regulated access patterns from subjects to objects by composing different types of Boolean expressions. Furthermore, it has been shown that this model has greater modeling power than conventional multilevel security models with levels and categories. They have also systematically categorized the multilevel information flow exceptions in terms of access control. The model is then extended to incorporate the concept of states, which must be supported in order to enforce these exceptions.

In this Boolean Expression based Access Control (BEAC) model, all the entities in a computing system are divided into subjects and objects, each of which has its own security attribute. The security attribute of a subject S is a category set, CAT(S) = {c1, c2, …}. The security attribute of an object O is an Access Control Expression, ACE(O), which is a Boolean expression composed of categories assembled by any operators allowed in Boolean algebra (“∗” means AND, “+” means OR, and a bar over a category, e.g., c̄, means negation). When S tries to access O, the access is granted if ACE(O) evaluates to TRUE with CAT(S). The evaluation process of ACE(O) is described as follows: any category in ACE(O) has a default value of FALSE initially. If a category c in ACE(O) also appears in CAT(S), c has a value of TRUE. ACE(O) is then evaluated and the result can only be either TRUE or FALSE. One ACE can be independently defined for each access mode of an object, but only a single CAT is associated with each subject.

The wildcard character, represented by the symbol “$”, is adopted by BEAC to represent any possible category except those already appearing in an ACE. Utilizing the wildcard character prudently is very effective in achieving some desired access patterns precisely. For instance, an object whose ACE = < a ∗ b ∗ $ > can be accessed only by a subject whose CAT contains only a and b and nothing else. Note that the value of the wildcard character is always determined after the value-substitutions of all other categories in an ACE.

Subject   Category Set
S1        {a}
S2        {b}
S3        {a, b}

[Table 2 body: the eight ACEs of O against S1, S2 and S3, with an "X" marking each granted access. Only the column headings < a ∗ b > and < a + b > survive extraction; the remaining ACEs, and the negation bars in them, were lost.]
Table 2. Eight access patterns of three subjects to one object O. An "X" in an entry means that subject Si can access O under the corresponding ACE.

A rich set of access controls from subjects to an object can be provided by Boolean expressions, as Table 2 shows. Suppose a system has three subjects S1, S2 and S3 with category sets {a}, {b} and {a, b} respectively (e.g., S1 and S2 are two employees and S3 is their manager), and one object O (e.g., a document). Because each subject is either allowed or denied access to O, there are eight possible access patterns of these three subjects to O, and by choosing the ACE of O appropriately every one of them can be enforced exactly by the BEAC model. The modeling power of BEAC is surprisingly great because both complex authorizations and prohibitions can be expressed elegantly as Boolean expressions [19, 20]. Boolean expressions are believed to model many commercial security requirements more closely than multilevel security with levels and categories; in fact, it has been shown that the set of security policies enforceable by multilevel security models is only a subset of those enforceable by BEAC [19, 20].

Because enforcing some complex security policies requires the access privileges of subjects to objects to be restricted or expanded, the security attribute of a subject or an object must be changeable dynamically, yet in a controllable way. To this end, the categories in a subject's CAT are divided into two types: a reusable category, which represents a reusable key and belongs permanently to a subject S once assigned to S, and a one-time category, which, as its name implies, a subject can use only once. A one-time category is usually assigned to a subject dynamically when the subject needs it, and whether or not it makes the ACE TRUE, it is deleted from the subject's CAT after its first use. To distinguish the two types, a one-time category in a CAT is written with a hat, e.g., ĉ.

The other way BEAC changes a subject's privilege on an object is to classify the categories composing the object's ACE into two types. A persistent category is one whose value remains TRUE once it has been converted to TRUE. A non-persistent category (a lock), by contrast, must be value-substituted (opened) each time the ACE is evaluated. Analogously, a hat on a category in an ACE, e.g., ĉ, indicates that c is persistent. Note that changing an object's security attribute has a wider effect than changing a subject's, because the access privileges of every related subject may be expanded or restricted; it must therefore be used very carefully so that exactly the intended access control results. To safeguard this, we assume that whenever a new access control requirement is placed on an object, a new Boolean expression is generated just for that requirement and ANDed with the original ACE.
To enforce a state-dependent, complex security policy, both mechanisms are often required together.

The objects accessed by the different roles in LOVE fall into two forms: 1) DL entities (e.g., learning objects, metadata, user profiles) and 2) procedures that encapsulate the DL entities (e.g., web pages, JSPs, Servlets). When the latter are used as the objects accessed by roles, an access control policy applies to a whole set of objects. In the LOVE and DL environments, however, an access control policy per individual object is more advantageous. For example, a particular learning object in LOVE may require additional work by its author before it can be searched and used by other users; that learning object needs its own access control policy, different from that of the other learning objects. We therefore use all DL entities in LOVE as the objects accessed by roles. Currently there are five kinds of DL entities in LOVE: learning object, metadata, user profile, learning object comment, and learning object review. Each DL entity has its own access control policy governed by the BEAC model. A DL entity has several access modes (e.g., read, write) and is modeled with a Category Set (CATS) for the roles and an Access Control Expression (ACE) for the DL entity. Examples of access modes for learning objects in LOVE are READ, WRITE and REVIEW_PURCHASE; the REVIEW_PURCHASE mode controls a REVIEWER providing a review of a learning object and a STUDENT purchasing it.

BEAC (Boolean Expression Access Control) is an object-based access control mechanism. The Category Set (CATS) of a LOVE user is determined by the user's role and other relevant account information. For a user assigned the role REVIEWER, the categories in the user's CATS are created from the role (role=REVIEWER) and the reference numbers of the learning objects (e.g., LO_ID=396) the reviewer has been assigned to review. Similarly, for the STUDENT role the CATS is created from the role (role=STUDENT) and the reference numbers of the learning objects the student has purchased. Other categories can be created according to the access control policy of a role for a DL entity. Below is an example CATS for a user with LOVE user reference number 53 who is assigned the role STUDENT and has purchased three learning objects:

user_ID=53, role=STUDENT, LO_ID=8, LO_ID=12, LO_ID=92

The Access Control Expression (ACE) for an object's access mode is constructed from the access control policy and the categories. The example below shows the READ-mode ACE of the learning object with reference number 8:

(role=REVIEWER * LO_ID=8) + (role=STUDENT * LO_ID=8) + role=TEACHER

To have READ access to this learning object, a user must either hold the TEACHER role, or hold the REVIEWER role and be assigned to this learning object (categories role=REVIEWER and LO_ID=8 in the CATS), or hold the STUDENT role and have purchased it (categories role=STUDENT and LO_ID=8 in the CATS). A screen shot of a learning object's ACEs in LOVE is shown in Figure 3.


Figure 6. An example of learning object ACEs in LOVE

An important point about using object reference numbers as categories, as in the examples above, is that it simplifies the ACE. We could just as easily have used the subjects' reference numbers in the Boolean expression and achieved the same result. In general, however, the number of objects a subject may access is limited by other factors; in LOVE, for example, the number of learning objects a student may purchase is limited by credit hours, so the number of categories in a student's CATS has a fixed maximum. The converse cannot be said of the number of categories in the ACE of an object's access mode, which would grow with the number of subjects. Using object reference numbers as categories therefore keeps the Boolean expression of an access mode short, which makes it easier for the security administrator to maintain, edit and understand and, from a technical point of view, faster to evaluate.

Examples of Using BEAC Extension Model

The state concept of the BEAC model allows us to enforce transitivity, aggregation and separation exceptions, and also to order the accesses of subjects to objects. In the LOVE environment, every learning object must be reviewed by a REVIEWER before it can be purchased by a STUDENT. This ordering is accomplished simply by adding an extra category (I) to the REVIEWER's CATS and an extra category (J) to the STUDENT's CATS. Below is an example of the REVIEWER and STUDENT CATS after the additional categories are added:

REVIEWER: role=REVIEWER, LO_ID=7, LO_ID=10, I

STUDENT: role=STUDENT, J


The ACE of the REVIEW_PURCHASE access mode of a learning object that provides this ordering is shown below; the last factor, (I + Î * J), is the newly added expression:

[(role=REVIEWER * LO_ID=7) + role=STUDENT] * (I + Î * J)

Î is a persistent category, whose value remains TRUE once it has been converted to TRUE.
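The BEAC evaluation rule, the wildcard, the eight patterns of Table 2, the LOVE READ-mode ACE and the REVIEW_PURCHASE ordering above, replayed by a small evaluator. This is an added example, not code from the paper or from LOVE; the tuple encoding of ACEs, the users 54 and 55, and the exact moment at which a persistent category latches and a one-time category is spent are assumptions, stated in the comments.

```python
# Added example, not code from the paper or from LOVE: a small BEAC evaluator with
# negation, the wildcard "$", one-time categories (c-hat in a CAT) and persistent
# categories (c-hat in an ACE). ACEs are nested tuples: ("cat", c) | ("not", e) |
# ("and", e, ...) | ("or", e, ...) | ("lock", c) for a persistent category. Assumed:
# a persistent category latches TRUE whenever a subject holding it has the ACE
# evaluated; a one-time category is spent by the first evaluation that names it.

class Subject:
    def __init__(self, cats, one_time=()):
        self.cats = set(cats)          # reusable categories: kept permanently
        self.one_time = set(one_time)  # one-time categories: removed after first use

    def cat(self):
        return self.cats | self.one_time

class ACE:
    def __init__(self, expr):
        self.expr = expr
        self.latched = set()  # persistent categories already converted to TRUE

def _names(expr):  # every category named in an ACE; the wildcard is defined against it
    if expr[0] in ("cat", "lock"):
        return {expr[1]}
    return set().union(*(_names(e) for e in expr[1:]))

def _eval(expr, cat, named, latched):
    kind = expr[0]
    if kind == "cat":
        if expr[1] == "$":  # wildcard: TRUE iff the subject holds a category the ACE never names
            return bool(cat - named)
        return expr[1] in cat
    if kind == "lock":  # persistent: once a holder of the category is seen, it stays TRUE
        if expr[1] in cat:
            latched.add(expr[1])
        return expr[1] in latched
    if kind == "not":
        return not _eval(expr[1], cat, named, latched)
    # No short-circuit: every category in the ACE gets value-substituted, as the rule says.
    values = [_eval(e, cat, named, latched) for e in expr[1:]]
    return all(values) if kind == "and" else any(values)

def access(subject, ace):
    """One access attempt: evaluate ACE(O) under CAT(S), then spend one-time categories."""
    named = _names(ace.expr)
    granted = _eval(ace.expr, subject.cat(), named, ace.latched)
    subject.one_time -= named  # spent whether the ACE came out TRUE or FALSE
    return granted

def c(name):
    return ("cat", name)

def table2():
    """The eight access patterns of S1={a}, S2={b}, S3={a,b} to one object O."""
    a, b = c("a"), c("b")
    not_a, not_b = ("not", a), ("not", b)
    subjects = {"S1": {"a"}, "S2": {"b"}, "S3": {"a", "b"}}
    aces = {                                                        # ACE of O -> who gets in
        "a * ~a": ("and", a, not_a),                                # nobody
        "a * ~b": ("and", a, not_b),                                # S1
        "~a * b": ("and", not_a, b),                                # S2
        "a * b": ("and", a, b),                                     # S3
        "a": a,                                                     # S1, S3
        "b": b,                                                     # S2, S3
        "a*~b + ~a*b": ("or", ("and", a, not_b), ("and", not_a, b)),  # S1, S2
        "a + b": ("or", a, b),                                      # everyone
    }
    return {label: frozenset(s for s, cats in subjects.items() if access(Subject(cats), ACE(expr)))
            for label, expr in aces.items()}

def wildcard():
    """< a * b * ~$ >: exactly the categories a and b, nothing else."""
    ace = ACE(("and", c("a"), c("b"), ("not", c("$"))))
    return {name: access(Subject(cats), ace) for name, cats in
            {"exactly_ab": {"a", "b"}, "ab_plus_c": {"a", "b", "c"}, "only_a": {"a"}}.items()}

def love_read():
    """READ-mode ACE of learning object 8 against three constructed LOVE users."""
    ace = ACE(("or", ("and", c("role=REVIEWER"), c("LO_ID=8")),
                     ("and", c("role=STUDENT"), c("LO_ID=8")), c("role=TEACHER")))
    users = [Subject({"user_ID=53", "role=STUDENT", "LO_ID=8", "LO_ID=12", "LO_ID=92"}),
             Subject({"user_ID=54", "role=STUDENT", "LO_ID=12"}),  # constructed: never bought LO 8
             Subject({"user_ID=55", "role=TEACHER"})]              # constructed teacher
    return [access(u, ace) for u in users]

def ordering():
    """REVIEW_PURCHASE ACE: a STUDENT may buy LO 7 only after a REVIEWER has reviewed it."""
    ace = ACE(("and", ("or", ("and", c("role=REVIEWER"), c("LO_ID=7")), c("role=STUDENT")),
                      ("or", c("I"), ("and", ("lock", "I"), c("J")))))
    reviewer = Subject({"role=REVIEWER", "LO_ID=7", "LO_ID=10", "I"})
    student = Subject({"role=STUDENT", "J"})
    before = access(student, ace)   # FALSE: I-hat has not been converted to TRUE yet
    review = access(reviewer, ace)  # TRUE, and latches I-hat for this ACE
    after = access(student, ace)    # TRUE
    return before, review, after

def one_time():
    """A one-time category lets a subject through once and then leaves its CAT."""
    s = Subject({"a"}, one_time={"c"})
    ace = ACE(("and", c("a"), c("c")))
    return access(s, ace), access(s, ace), sorted(s.cat())
```

Two design points worth noticing. The operands of an AND or OR are all evaluated rather than short-circuited: with short-circuiting, the REVIEWER's access would satisfy the OR through I alone and Î would never be converted to TRUE, so the STUDENT would stay locked out. And the persistent state lives in the ACE object, i.e., with the object O rather than with any subject, which is exactly why a change to an object's security attribute affects every related subject, as noted above.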

From the REVIEWER and STUDENT CATS and the learning object's ACE we can see that initially a user with role STUDENT cannot purchase the learning object, because the Boolean expression evaluates to FALSE. The only way a STUDENT can purchase it is for a REVIEWER to access the learning object first (i.e., to provide a review for it). After the REVIEWER has accessed the learning object, the value of Î remains TRUE and the STUDENT is allowed to purchase it.

Conclusion

We have introduced an integrated role/object-based access control mechanism for digital libraries that fully exploits the role hierarchy of a digital library community and the information content of the collection at the document level. We have also implemented a concrete digital library test bed, LOVE, for testing RBAC, BEAC and the integrated role/object-based mechanism. The test bed has given us good validation and verification mechanisms for addressing Internet security.

Acknowledgement

We acknowledge Jeremiah Blanchard's effort in collaborating with us while doing research for his university scholar program. This research is partially supported by the NSF NSDL Program.

References

1. M. Abadi and R. Needham, Prudent engineering practice for cryptographic protocols, DEC SRC Research Report 125, 1994.
2. J. Barkley, T. Cincotta, S. Gavrila, RBAC/Web Release 1.1, May 1998, http://hissa.ncsl.nist.gov/rbac/.
3. D. Bell and L. LaPadula, Secure computer system: Unified exposition and Multics interpretation, Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, MA, 1975.
4. S. M. Bellovin and M. Merritt, Limitations of the Kerberos authentication system, Proc. Winter 1991 USENIX Conference, Dallas, TX, 1991.
5. D. Brewer and M. Nash, The Chinese wall security policy, Proc. IEEE Symposium on Security and Privacy, Oakland, CA, May 1989, pp. 206-214.
6. L. S. Chalmers, An analysis of the differences between the computer security practices in the military and private sectors, Proc. IEEE Symposium on Security and Privacy, Oakland, CA, April 1986, pp. 71-74.
7. D. Chaum, Achieving electronic privacy, Scientific American, Aug. 1992, pp. 96-101; http://www.digicash.com/publish/sciam.html.
8. S. Chen and C. Choo, A DL server with OAI capabilities: LOVE, ACM/IEEE Joint Conference on Digital Libraries, Portland, OR, July 2002.
9. S. Chen, Knowledge dissemination = digital libraries + collaboration technology, Building and Sharing of Very Large Scale Knowledge Bases, IOS Press, 1995, pp. 297-301.
10. S. Chen, Digital Libraries: The Life Cycle of Information, BE Publisher, 1998, http://www.amazon.com/.
11. S. Chen, The paradox of digital preservation, Computer, March 2001, pp. 2-6.
12. S. Chen, O. Rodriguez, C. Choo, Y. Shang, and H. Shi, Personalizing digital libraries for learners, 12th International Conference DEXA 2001, Munich, Germany, Sept. 2001, pp. 112-121.
13. D. D. Clark and D. R. Wilson, A comparison of commercial and military computer security policies, Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1987.
14. C. S. Cummings, H. Shi, Y. Shang, and S. Chen, A flexible authentication and authorization scheme for a learner information management web services, First International Conference on Web Services, June 23-26, 2003, Las Vegas, NV.
15. D. E. Denning, A lattice model of secure information flow, Comm. ACM, 19, May 1976, pp. 236-243.
16. W. Diffie et al., Authentication and authenticated key exchanges, Designs, Codes and Cryptography, Vol. 2, 1992, pp. 107-125.
17. Dublin Core Metadata Initiative, http://purl.org/dc/.
18. J. Futrelle, S. Chen, and K. Chang, NBDL: National Biological Digital Library, ACM/IEEE Joint Conference on Digital Libraries, Roanoke, VA, June 2001.
19. I. L. Kao and R. Chow, An extended capability architecture for enhancing dynamic access control policies, Proc. Computer Security Applications Conference, pp. 148-157, December 1996.
20. I. L. Kao and R. Chow, Enforcement of complex security policies, Proc. 18th National Information Systems Security Conference, pp. 1-10, October 1995.
21. M. J. Moyer and M. Ahamad, Generalized role-based access control, Proc. 21st Int. Conference on Distributed Computing Systems, pp. 391-398, 2001.
22. NSF NSDL Program, http://www.nsf.gov/cgi-bin/getpub?nsf0155.
23. NSF NSDL Community, http://comm.nsdlib.org/.
24. V. Parmar, H. Shi, and S. Chen, XML access control for semantically related XML documents, Proc. 36th Hawaii International Conference on System Sciences (HICSS-36), Big Island, HI, January 2003.
25. O. Rodriguez, S. Chen, H. Shi, and Y. Shang, Open learning objects: The case for inner metadata, International WWW Conference, May 2002, Hawaii.
26. R. Sandhu, D. Ferraiolo, and R. Kuhn, The NIST model for role-based access control: Towards a unified standard, Proc. Fifth ACM Workshop on RBAC, July 2000, pp. 47-63.
27. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, Role-based access control models, IEEE Computer, 29 (2), 1996, pp. 38-47.
28. A. Sanin, The XML Security Library, http://www.aleksey.com/xmlsec/.
29. Y. Shang, H. Shi, and S. Chen, Agent technology in computer science and engineering curriculum, Fifth Annual Conference on Innovation and Technology in Computer Science Education, Helsinki, Finland, July 11-13, 2000, pp. 120-123.
30. H. Shi, Y. Shang, and S. Chen, A multi-agent system for computer science education, Fifth Annual Conference on Innovation and Technology in Computer Science Education, Helsinki, Finland, July 11-13, 2000, pp. 1-4.
31. B. Steimuller and J. Safarik, Extending role-based access control model with states, Proc. International Conference on Trends in Communications (EUROCON 2001), 2001, pp. 398-399.
32. W3 Consortium, http://www.w3.org/.
