Publication


Featured research published by Dongwan Shin.


symposium on access control models and technologies | 2003

On modeling system-centric information for role engineering

Dongwan Shin; Gail Joon Ahn; Sangrae Cho; Seung-Hun Jin

In this paper we present an approach to modeling system-centric information in order to facilitate role engineering (RE). In particular, we first discuss the general characteristics of the information required in RE. Afterwards, we discuss two informational flow types among authorities involved in RE process, forward information flow (FIF) and backward information flow (BIF), together with the introduction of an information model which is greatly suitable for use in the backward information flow. System-centric information is incorporated in the information model and UML extension mechanisms are exploited for modeling the information. Not only can the information model provide those different authorities with a method for both analysis of resources and communication of knowledge in the RE process, but it can also help lay a foundation for successful implementations of RBAC.


Journal of Network and Computer Applications | 2011

A novel node level security policy framework for wireless sensor networks

William R. Claycomb; Dongwan Shin

Wireless sensor networks are commonly used for critical security tasks such as intrusion or tamper detection, and therefore must be protected. To date, security of these networks relies mostly on key establishment and routing protocols. We present an approach to protecting wireless sensor networks based on a security policy, enforced at the node level. This policy is based on a new approach to key establishment, which combines a group-based distribution model and identity-based cryptography. Using this solution enables nodes to authenticate each other, and provides them with a structure to build secure communications between one another, and between various groups. Using our key establishment protocol and security policy, we show how to reduce or prevent significant attacks on wireless sensor networks.


international performance, computing, and communications conference | 2004

Ensuring information assurance in federated identity management

Dongwan Shin; Gail Joon Ahn; Prasad Shenoy

Surveys and polling data confirm that the Internet is now a prime vehicle for business, community, and personal interactions. The notion of identity is the important component of this vehicle. When users interact with services on the Internet, they often tailor the services in some way for their personal use. For example, a user may establish an account with a username and password and/or set some preferences for what information the user wants displayed and how the user wants it displayed. The network identity of each user is the overall global set of these attributes constituting the various accounts. In this paper, we investigate two well-known federated identity management (FIM) solutions, Microsoft Passport and Liberty Alliance, attempting to identify information assurance (IA) requirements in FIM. In particular, we focus on principal IA requirements for Web services (WS) which play an integral role in enriching identity management through federation.


systems, man and cybernetics | 2003

Authorization management for role-based collaboration

Gail Joon Ahn; Longhua Zhang; Dongwan Shin; Bill Chu

Information sharing among collaborating organizations usually occurs in broad, highly dynamic network-based environments, and formally accessing the resources in a secure manner poses a difficult challenge. The mechanisms must be provided to protect the resources from adversaries. The proposed delegation framework addresses the issue of how to advocate selective information sharing among collaborating organizations. We introduce a systematic approach to manage delegated privileges with the specification of delegation and revocation policies using a set of rules. We demonstrate the feasibility of our approach by providing a proof-of-concept implementation. We also briefly discuss several issues from our experiment including future directions.


computer software and applications conference | 2010

Permission Management System: Permission as a Service in Cloud Computing

Victor Echeverria; Lorie M. Liebrock; Dongwan Shin

One of the challenging problems cloud computing is facing today is the security of data in the cloud. Since the physical location of user data in the cloud is unknown and the data are often distributed across multiple cloud services, a user controllable and privacy preserving access control mechanism is necessary for the success of cloud computing in general and for the protection of user data in specific. In this paper, we discuss a novel approach to controlling access to user data in the cloud; the concept is called Permission as a Service (PaaS). Specifically, PaaS separates access control from other services to provide a separate service in the cloud. This allows users to set permissions for all data in a single location. In PaaS, user data are encrypted to maintain confidentiality and permissions are managed via decryption keys. As a proof-of-concept, we discuss the design and implementation of our prototype leveraging attribute based encryption (ABE).


international conference on pervasive services | 2006

Using A Two Dimensional Colorized Barcode Solution for Authentication in Pervasive Computing

William R. Claycomb; Dongwan Shin

The task of establishing secure communication in a wireless pervasive computing environment faces several challenges. One of the most critical is determining the authenticity of the parties wishing to communicate. An existing method of enabling authenticated key agreement involves using a two-dimensional visual code system with digital camera enabled devices as a way of demonstratively identifying entities. This paper seeks to extend that solution by colorizing the code system, thereby extending the amount of data which can be carried by a visual tag, and thus reducing the necessary size of such tags. This creates images more easily recognized by the devices establishing secure communication in wireless pervasive computing environments. A detailed explanation of an implementation of this method is presented, along with performance evaluation and analysis.


international carnahan conference on security technology | 2009

Secure device pairing using audio

William R. Claycomb; Dongwan Shin

Secure device pairing between mobile devices is a challenging task. The lack of a trusted authority and low computational power make it difficult for mobile devices to establish secure communication channels in ubiquitous computing environments. Solutions have been proposed using location-limited channels to transmit secure pairing information that can be verified as originating from the intended device, enabling users to establish secure channels over insecure mediums. Of particular interest is using audio as a location-limited channel, due to the widespread deployment of audio capabilities on mobile devices. We describe a solution for secure device pairing using audio, called UbiSound, which only requires a single audio transmission to authenticate both devices. We describe our communication protocol, implementation details and results, and discuss how our solution is resistant to a number of attacks. Additionally, we emphasize how our solution is usable for visually impaired users.


web information systems engineering | 2004

Information assurance in federated identity management: Experimentations and issues

Gail Joon Ahn; Dongwan Shin; Seng Phil Hong

Identity management has been recently considered to be a viable solution for simplifying user management across enterprise applications. When users interact with services on the Internet, they often tailor the services in some way for their personal use through their personalized accounts and preferences. The network identity of each user is the global set of such attributes constituting the various accounts. In this paper, we investigate two well-known federated identity management (FIM) solutions, Microsoft Passport and Liberty Alliance, attempting to identify information assurance (IA) requirements in FIM. In particular, this paper focuses on principal IA requirements for Web Services that play an integral role in enriching identity federation and management. We also discuss our experimental analysis of those models.


acm symposium on applied computing | 2012

A policy-based decentralized authorization management framework for cloud computing

Dongwan Shin; Ying Wang; William R. Claycomb

In this paper we introduce a framework which facilitates policy-based decentralized authorization management in infrastructure as a service (IaaS). Specifically, our framework enables an IaaS service provider to delegate its administrative work to its business users. This allows each business user to build within the public cloud service provider a private cloud where the business user can manage its own users and resources allocated from the public cloud service provider. We discuss a security architecture based on our framework, along with a proof-of-concept implementation using an open source cloud software called Eucalyptus.


Journal of Internet Services and Applications | 2011

Toward role-based provisioning and access control for infrastructure as a service (IaaS)

Dongwan Shin; Hakan Akkan; William R. Claycomb; Kwanjoong Kim

Cloud computing has drawn much attention in recent years. One of its service models, called infrastructure as a service (IaaS), provides users with infrastructure services such as computation and data storage, heavily dependent upon virtualization techniques. Most of the current IaaS providers take the user-resource direct mapping approach for their business, where individual users are the only type of service consumer who can request and use virtualized resources as long as they pay for the usage. Therefore, in this approach, the users and virtual resources are centrally managed at the IaaS providers. However, this also results in the lack of support for scalable authorization management of users and resources, organization-level policy support, and flexible pricing for business users. Considering the increasing popularity and growing user base of cloud computing, there is a strong need for a more flexible IaaS model with a finer grained access control mechanism than the aforementioned all-or-nothing approach. In this paper we propose a domain-based, decentralized framework for provisioning and managing users and virtualized resources in IaaS. Specifically, an additional layer called domain is introduced to the user-resource direct mapping scheme, whereby de-centralization of user and resource management is facilitated. Our framework also allows the IaaS service provider to delegate its administrative routines to domains so that each domain is able to manage its users and virtualized resources allocated by the IaaS provider. Our domain-based approach offers benefits such as scalable user/resource management, domain-based security and governance policy support, and flexible pricing.

Collaboration

Top Co-Authors

William R. Claycomb, New Mexico Institute of Mining and Technology

Gail Joon Ahn, Arizona State University

Rodrigo Lopes, New Mexico Institute of Mining and Technology

Sangrae Cho, Electronics and Telecommunications Research Institute

Seung-Hun Jin, Electronics and Telecommunications Research Institute

Hakan Akkan, New Mexico Institute of Mining and Technology

Longhua Zhang, University of North Carolina at Charlotte

Manoj Cherukuri, New Mexico Institute of Mining and Technology

Srinivas Mukkamala, New Mexico Institute of Mining and Technology