Mariemma I. Yagüe

Applying the semantic Web layers to access control

The Semantic Web, also known as the Web of meaning, is considered the new generation of the Web. Its objective is to enable computers and people to work in cooperation. A requisite for this is encoding data in forms that make web contents (meaning, semantics) more understandable by algorithmic means. In this paper, we present the application of semantic Web concepts and technologies to the access control area. The Semantic Access Control Model (SAC) uses different layers of metadata to take advantage of the semantics of the different components relevant for the access decision. We have developed a practical application of this access control model based on a specific language, denominated Semantic Policy Language (SPL), for the description of access criteria. This work demonstrates how the semantic web concepts and its layers infrastructure may play an important role in many relevant fields, such as the case of access control and authorization fields.

Semantic access control model: a formal specification

The Semantic Access Control Model (SAC), built on the basis of separation of the authorization and access control management responsibilities, provides adequate solutions to the problems of access control in distributed and dynamic systems with heterogeneous security requirements. SAC is characterized by its flexibility for accommodating dissimilar security policies, but also by the ease of management and control over a large number of distributed elements and the support for interoperability of authorization mechanisms. In this paper, we present the semantic validation algorithms developed in SAC to detect semantically incomplete or incorrect access control policies. Additionally, the formal model of SAC along with some proofs of its soundness is introduced. This formalization is the basis for additional model checking of the semantic validation algorithms developed.

A metadata‐based access control model for web services

One of the most relevant advantages of Web Services (WS) is their simplicity of access on the Internet. However, this feature also makes them vulnerable to a series of security threats. Additionally, the application of WS to many interesting problems is currently hindered by the lack of mechanisms that provide, among others, adequate access control functionalities for this scenario. In fact, access control and authorization are critical because of the specific characteristics of WS. When considering the requirements of this scenario we must highlight not only flexibility of the access control system for dissimilar security policies, but also the control over a large number of elements and the distributed nature of these ones. Other important issues are dynamism of the WS environment, and interoperability of authorization mechanisms for the integration of multiple WS from various sources. The present work introduces an access control model for WS that addresses all previous issues. The model is built on the basis of separation of the authorization and access control management responsibilities. We introduce mechanisms for the semantic integration of an external Privilege Management Infrastructure (PMI) and present the Semantic Policy Language (SPL) for the description of access criteria based on attribute certificates.

Integrating PMI services in CORBA applications

Application-level access control is an important requirement in many distributed environments. For instance, in new scenarios such as e-commerce, access to resources by previously unknown users is an essential problem to be solved. The integration of Privilege Management Infrastructure (PMI) services in the access control system represents a scalable way to solve this problem. Within the CORBA standards, the Resource Access Decision (RAD) facility is a mechanism used by security-aware applications to obtain authorization decisions and to manage access decision policies. This paper presents PMIRAD, an approach to integrate the services of an external PMI into CORBA applications using the RAD facility. In particular, the integration of the external PMI in the access control system is based on the semantic description of the PMI services. Our RAD implementation requests and verifies attribute certificates from the PMI in a transparent way for CORBA objects.

A secure solution for commercial digital libraries

Distributed systems usually contain objects with heterogeneous security requirements that pose important challenges for the underlying security mechanisms and especially in access control systems. Access control in distributed systems often relies on centralised security administration. Existing solutions for distributed access control do not provide the flexibility and manageability required. This paper presents the XML‐based secure content distribution (XSCD) infrastructure, which is based on the production of protected software objects that convey contents (software or data) and can be distributed without further security measures because they embed the access control enforcement mechanism. It also provides means for integrating privilege management infrastructures (PMIs). Semantic information is used in the dynamic instantiation and semantic validation of policies. XSCD is scalable, facilitates the administration of the access control system, guarantees the secure distribution of the contents, enables semantic integration and interoperability of heterogeneous sources, provides persistent protection and allows actions (such as payment) to be bound to the access to objects.