Publication


Featured research published by Chun Ruan.


Lecture Notes in Computer Science | 2004

Identity-Based authenticated broadcast encryption and distributed authenticated encryption

Yi Mu; Willy Susilo; Yan-Xia Lin; Chun Ruan

Since its introduction, broadcast encryption has attracted many useful applications. In this paper, we propose two identity-based schemes for authenticated broadcasting and distributed message authentication. The first scheme supports multiple broadcasters and allows each broadcaster to dynamically broadcast messages into an arbitrary group of receivers determined by the broadcaster. The receivers can obtain the broadcasted message using the identity of the broadcaster and his own secret decryption key; hence it ensures both confidentiality and authenticity of the message. The second scheme allows users (receivers) to send messages back to the broadcaster where the authentication of messages is done with the identity of the user. We also provide security proofs for our schemes under the random oracle model.


Australasian Conference on Information Security and Privacy | 2002

Resolving Conflicts in Authorization Delegations

Chun Ruan; Vijay Varadharajan

In this paper, we first discuss some drawbacks of the existing conflict authorization resolution methods when access rights are delegated, and then propose a flexible authorization model to deal with the conflict resolution problem with delegation. In our model, conflicts are classified into comparable and incomparable ones. With comparable conflicts, the conflicts come from the grantors that have grant connectivity relationship with each other, and the predecessors' authorizations will always take precedence over the successors'. In this way, the access rights can be delegated but the delegation can still be controlled. With incomparable conflicts, the conflicts come from the grantors that do not have grant connectivity relationship with each other. Multiple resolution policies are provided so that users can select the specific one that best suits their requirements. In addition, the overridden authorizations are still preserved in the system and they can be reactivated when other related authorizations are revoked or the policy for resolving conflicts is changed. We give a formal description of our model and describe in detail the algorithms to implement the model. Our model is represented using labelled digraphs, which provides a formal basis for proving the semantic correctness of our model.


International Symposium on Methodologies for Intelligent Systems | 2002

Logic-Based Reasoning on Delegatable Authorizations

Chun Ruan; Vijay Varadharajan; Yan Zhang

In this paper, we propose a logic program based formulation that supports delegatable authorizations, where negation as failure, classical negation and rules inheritance are allowable. A conflict resolution policy has been developed in our approach that can be used to support the controlled delegation and exception. In our framework, authorization rules are specified in a Delegatable Authorization Program (DAP) which is an extended logic program associated with different types of partial orderings on the domain, and these orderings specify various inheritance relationships among subjects, objects and access rights in the domain. The semantics of a DAP is defined based on the well-known stable model and the conflict resolution is achieved in the process of model generation for the underlying DAP. Our framework provides users a feasible way to express complex security policies.


Australasian Conference on Information Security and Privacy | 2004

A Weighted Graph Approach to Authorization Delegation and Conflict Resolution

Chun Ruan; Vijay Varadharajan

Solving conflicts in authorization delegation has not been considerably explored by researchers. In [5] we proposed a graph based framework supporting authorization delegation and conflict resolution. We proposed a predecessor-take-precedence based conflict resolution method, which gives higher priorities to the predecessors along the delegation paths to achieve the well-controlled delegations. In this paper, we further extend the model to allow grantors to express degrees of certainties about their delegations and grants of authorizations. This expression of certainty gives subjects more flexibility on the control of their delegations of access rights. A new conflict resolution policy based on weighted lengths of authorization paths is proposed. This policy deals with the conflicts in a more flexible way in that not only the relationship of predecessor-successor but also the weights of authorizations are taken into consideration. Cyclic authorizations are allowed to further enhance the expressive flexibility, and the undesired situations caused by them can be avoided through the proposed conflict resolution method. The intuitive graph interpretation provides a formal basis for the underlying semantics of our model.


International Conference on Information Security | 2003

A Logic Model for Temporal Authorization Delegation with Negation

Chun Ruan; Vijay Varadharajan; Yan Zhang

In this paper, we present a logic based approach to temporal decentralized authorization administration that supports time constrained authorization delegations, both positive and negative authorizations, and implicit authorizations. A set of domain-independent rules are given to capture the features of temporal delegation correctness, temporal conflict resolution and temporal authorization propagation along the hierarchies of subjects, objects and access rights. The basic idea is to combine these general rules with a set of domain-specific rules defined by users to derive the authorizations holding at any time in the system. In addition, some important semantic properties including the unique answer set property are further investigated.


Distributed and Parallel Databases | 2014

Dynamic delegation framework for role based access control in distributed data management systems

Chun Ruan; Vijay Varadharajan

This paper proposes a logic based framework that extends role based access control systems with dynamic delegation in a decentralised environment. It allows delegation of administrative privileges for both roles and access rights between roles. We have introduced the notion of trust in delegation and have shown how extended logic programs can be used to express and reason about roles and their delegations with trust degrees, roles’ privileges and their propagations, delegation depth as well as conflict resolution. Furthermore, our framework is able to enforce various role constraints such as separation of duties, role composition and cardinality constraints. The implementation of the framework is also discussed. The proposed framework is flexible and provides a sound basis for specifying and evaluating sophisticated role based access control policies in decentralised environments.


Communications of the IBIMA | 2013

Quality of service concerns in wireless and cellular networks

Farnaz Farid; Seyed A Shahrestani; Chun Ruan

The increasing popularity of wireless and cellular networks multimedia traffic among the consumers has raised new demands for investigation of their underlying Quality of Service (QoS) and Quality of Experience (QoE) requirements. In this work, we carry out an application-based analysis of such requirements. Using this approach, we can properly take into account the heterogeneous nature of the underlying networks and the diversity of their traffic. There are several other reasons that justify the use of this approach. For instance, different QoS expectations and user Quality of Experience (QoE) in developed and developing countries can be mentioned. Many parts of the developing world are highly dependent on wireless and cellular technologies, while the provision of socioeconomic services in industrialized countries is generally based on conventional broadband and advanced cellular systems. Clearly, the variations of the underlying networking technologies perturb the QoS and QoE. So, we also examine the relationship between network QoS and QoE to propose a conceptual mapping between them. To achieve these aims, we first evaluate QoS requirements for network-based applications over different access technologies. To reach tangible outcomes, we then focus on UMTS based 3G cellular networks and WiMAX, and analyze several network-based applications with different path loss models, varying number of active users, and diverse types of traffic. The results exhibit that variant technologies, network congestions, user perceptions, and radio channel conditions affect QoS and QoE parameters to a certain extent.


International Journal of Information Security | 2003

A formal graph based framework for supporting authorization delegations and conflict resolutions

Chun Ruan; Vijay Varadharajan

Authorization delegations and negations are two important features of a flexible access control model. When a system allows both authorization delegation and negation, conflict problems can become crucial since multiple administrators greatly increase the chance of conflicts. However, the problem of handling conflicts in authorization delegations has not been explored by researchers. The existing conflict resolution methods seem limited for certain applications and cyclic authorizations can even lead to undesirable situations. This paper presents an authorization framework that can support authorization delegation for both positive and negative authorizations. A conflict resolution method based on the underlying grant-connectivity relation is proposed, which gives higher priorities to the predecessors to achieve controlled delegation. For conflicts where grantors are not grant-connected, our model supports multiple resolution policies so that users can select the specific one that best suits their requirements. In addition, cyclic authorizations are avoided and cascade overriding is supported when an administrative privilege is overridden. We give a formal description of our model and describe in detail the algorithms to implement the model. Our model is represented using labeled digraphs that provide a formal basis for proving the semantic correctness of our model.


Database and Expert Systems Applications | 2006

Implementing authorization delegations using graph

Chun Ruan; Vijay Varadharajan

Graph-based approaches to access control models have been studied by researchers due to their visualization, flexible representation and precise semantics. In this paper, we present a detailed graph-based algorithm to evaluate authorization delegations and resolve conflicts based on the shorter weighted path-take-precedence method. The approach makes it possible for administrators to control their granting of authorizations in a very flexible way. The correctness proof and time complexity of the algorithm are provided. We then consider how the authorization state can be changed, since in a dynamic environment an authorization state is not static. The detailed algorithm of state transformation and its correctness proof are also given.


Local Computer Networks | 2013

QoS analysis and evaluations: Improving cellular-based distance education

Farnaz Farid; Seyed A Shahrestani; Chun Ruan

Mobile broadband technologies are now an important part of the communication infrastructure even for most of the developing world. These technologies can potentially play an important role in improving the socioeconomic status of rural areas. However, adaptation of these technologies for provision of relevant multimedia services faces major challenges. Perhaps Quality of Service (QoS) issues still top the list of such challenges. In this work we study how to evaluate the QoS of cellular-based systems focusing on an application perspective. We quantify the QoS levels for different traffic models using application and network related parameters to identify the most suitable configuration for running multimedia-based services. More specifically, our analysis is based on considering a unified measure combining key QoS metrics such as packet loss and delay. For evaluation purposes, we also investigate the QoS issues of deploying a distance education platform running over UMTS cellular systems. The QoS issues related to the deployment of multimedia services in cellular technologies are then considered and analyzed in detail through simulation studies. The results show that by inclusion of the communication technology and application related parameters along with the number of users in QoS evaluations, better performing network configurations can be readily selected. This is achieved through our proposed application-based QoS evaluation scheme that is based on combining various related measures. The proposed scheme is shown to be particularly beneficial for evaluating and improving QoS for multimedia-based heterogeneous networks.

Collaboration

Top Co-Authors

Farnaz Farid, University of Western Sydney

Bing Du, University of Sydney

Yan Zhang, University of Western Sydney

Ewa Huebner, University of Western Sydney

Yi Mu, Information Technology University

Derek Bem, University of Western Sydney