Secure Collaboration in Mediator-Free Environments

Transcription

1 Secue Collaboation in Mediato-Fee Envionments Mohamed Shehab School of Electical and Compute Engineeing Pudue Univesity West Lafayette, IN, USA Elisa Betino Depatment of Compute Sciences and CERIAS Pudue Univesity West Lafayette, IN, USA Aif Ghafoo School of Electical and Compute Engineeing Pudue Univesity West Lafayette, IN, USA ABSTRACT The intenet and elated technologies have made multidomain collaboations a eality Collaboation enables domains to effectively shae esouces; howeve it intoduces seveal secuity and pivacy challenges Managing secuity in the absence of a cental mediato is even moe challenging In this pape, we popose a distibuted secue inteopeability famewok fo mediato-fee collaboation envionments We intoduce the idea of secue access paths which enables domains to make localized access contol decisions without having global view of the collaboation We also pesent a path authentication technique fo poving path authenticity Futhemoe, we pesent both a poactive and on-demand path discovey algoithms that enable domains to secuely discove paths in the collaboation envionment Categoies and Subject Desciptos D46 [Secuity and Potection]: Access contols; H27 [Database Administation]: Secuity, integity, and potection Geneal Tems Design, Secuity, Theoy Keywods Decentalized Secue Inteopeability, Collaboation, Access Path, Path Discovey, Role Based Access Contol 1 INTRODUCTION The phenomenal gowth of the Intenet has enabled a globalization that has emoved baies between makets, oganizations and societies The Intenet has become integated into pactices of individuals, business, and govenments In such a connected wold, thee ae immense possibilities of collaboation in distibuted envionments Fo example, inteopeability has enabled companies to outsouce thei opeations oveseas to educe poduction and Pemission to make digital o had copies of all o pat of this wok fo pesonal o classoom use is ganted without fee povided that copies ae not made o distibuted fo pofit o commecial advantage and that copies bea this notice and the full citation on the fist page To copy othewise, to epublish, to post on seves o to edistibute to lists, equies pio specific pemission and/o a fee CCS 05, Novembe 7 11, 2005, Alexandia, Viginia, USA Copyight 2005 ACM /05/0011 $500 employment costs Futhemoe, inteopeability adds to the efficiency of companies by leveaging the use of existing esouces othe than einventing the wheel Even moe inteestingly, by migating pocesses acoss oganizational boundaies companies ae able to combine thei effots and become vitual entepises [1, 17] Last but not least inteopeability is essential to suppot adaptation and evolution in complex entepises [8] Such entepises [21] ae oganized accoding to units with vaying degees of coupling and autonomous coodination linking these units As such an entepise evolves to meet new demands, new inteopeation links acoss units may need to be established and existing links emoved Though inteopeability has seveal advantages and is cucial in the context of new dynamic collaboative applications and adaptive entepises, it intoduces seveal secuity and pivacy concens These concens have to be addessed to make such inteopeability techniques a viable tool in multidomain contexts In paticula, a domain epesents a coe element in a collaboating envionment A domain is a sepaate, autonomous entity that manages a goup of esouces, and has its own administation and access contol policies Because vey often domains need to collaboate to shae esouces, a key step in setting up such a collaboation among domains is epesented by the inteopeation of access contol policies Domains typically achieve inteopeation among thei access contol policies by intoducing coss mappings between these policies An impotant equiement is that such inteopeation of policies be secue; Gong and Qian [12], among othes, have shown that if inteopeation between access contol policies is not caefully established, secuity beaches may aise Secue inteopeability in a multidomain envionment is a challenging task even in the pesence of a tusted mediato managing secuity of such collaboation [12, 4, 7] It is much hade to handle secuity in a fully distibuted and dynamic inteopeation envionment whee domains join and leave in an adhoc manne and in the absence of a tusted mediato Howeve, we believe that the development of fully decentalized solutions tailoed to dynamic envionments is cucial to meet the secuity equiements of next-geneation entepises In this pape we develop such a solution We popose a distibuted famewok addessing both the secuity and autonomy equiements of domains in a mediato-fee inteopeation envionment In ou famewok the use s access histoy migates with the use s access equests to enable domains to make localized access contol decisions without 58

2 needing to have a global view of the collaboation envionment We define a set of basic and extended path linking ules that enable domains to make access contol decisions We also povide a path authentication technique that ensues the authenticity of the use s access path as it popagates between domains Ou famewok povides both eactive and on-demand path discovey algoithms that enable uses to discove available secue access paths in the inteopeation envionment 11 Contibutions and Pape Oganization The contibutions in this pape can be summaized as follows: We pesent a mediato-fee collaboation envionment and discuss the secuity challenges in such an envionment We define access paths and pesent access path secuity equiements in a secue collaboation We povide a famewok fo enabling secue collaboation in a mediato-fee envionment, in which access contol decisions ae dependent on the use s access histoy in the collaboation envionment We discuss seveal secuity attacks that can be pefomed in a mediato-fee envionment, and povide mitigation techniques to such attacks The est of the pape is oganized as follows In Section 2 we eview the equiements of secue inteopeability, the maximal secue inteopeability and the dawbacks of the maximal secue inteopeability solution poposed by Li and Qian [12] We intoduce the mediato-fee collaboation envionment in Section 3 In Section 4 we pesent ou famewok fo secue collaboation in a mediato-fee envionment and define the notion of secue access path The equest execution stategy and path authentication module ae discussed in Sections 5 and 6, espectively The poactive and on-demand path discovey algoithms ae pesented on Section 7 Possible secuity attacks and mitigation techniques ae discussed in Section 8 The elated wok is pesented in Section 9 Concluding emaks ae added in Section 10 2 PRELIMINARIES In ou famewok, we assume that all the domains adopt a ole-based access contol (RBAC) model [10, 9] to model thei access contol policies The analysis pefomed in this pape and the famewok we have developed can still be applied when othe access contol models ae adopted We have chosen RBAC because it is suitable fo specifying the secuity equiements fo a wide ange of commecial, medical, govenment applications [23, 3] and moeove it is being standadized A domain that does not use RBAC as its access contol model can easily geneate an expot RBAC policy to join the collaboation In RBAC, pemissions ae associated with oles, and uses ae ganted membeship in appopiate oles, theeby acquiing the oles pemissions The access contol policy PO i fo domain i is modeled as a diected gaph G i = V i, A i whee the vetex set V i epesents oles and the acs set A i epesents the dominance elationship between oles Fo example, if ole 1 dominates 2, ( 2 1), then ( 1, 2) A i Thus a use acquiing ole 1 can acquie pemissions assigned to ole 2 by using the RBAC pemission inheitance popeties [6] Fo x, y V i an access ( x, y) is legal if and only if ( x, y) G + i whee G + i is the tansitive closue of G i = V i, A i We denote a legal access by ( x, y) A i 21 Secue Inteopeability In a collaboation involving n domains, in which the access contol policy of each domain i is modeled as a diected gaph G i = V i, A i, i = 1,, n, inteopeability is achieved by intoducing coss domain paiwise mappings between the n domains These mappings elate oles in diffeent domains, and ae epesented by a set of coss domain acs efeed to as the set F Solutions developed fo schema matching in the aea of heteogeneous database systems and moe ecently appoaches based on ontologies [19, 18] can be used fo geneating such links The details of such appoaches ae outside of the scope of this pape In the pesent wok we assume that the coss domain mappings ae selected by the administatos of the domains accoding to the inteopeability equiements of each system Futhemoe, the system administatos agee on a set of esticted accesses which is simila to negative authoizations adopted in seveal access contol Ë models The n esticted access is a binay elation R on i=1 Vi such that (u, v) R, u V i, v V j, and i j, whee these edges in R ae pohibited to exist duing inteopeation Given n domains G i = V i, A i, i = 1,, n, set of coss links F and a esticted access elation R, an inteopeation Q = n i=1v i, A Q, whee A Q is the esulting ac set A Q { n i=1a i F }, is secue accoding to Li Gong et al [12] if it satisfies all the following conditions: 1 A Q R = 2 u, v V i, (u, v) is legal in A i if and only if (u, v) is legal in A Q The fist equiement ensues that esticted access elation is honoed The second equiement ensues the following two popeties hold: Autonomy: It equies that any access pemitted with in an individual domain must also be pemitted unde secue inteopeation Secuity: It equies that any access denied within an individual domain must also be denied unde secue inteopeation 22 The Maximum Secue Inteopeation (MSI) Definition 1 Maximum Secue Inteopeability (MSI) Given n domains G i = V i, A i, i = 1,, n, a set of coss links F and a esticted access elation R, fo any positive intege K F, detemine whethe a secue solution Q = n i=1v i, A Q exists such that A Q = { n i=1a i S} whee S F and S K Simply, the MSI solution finds a maximal subset of the coss links set F such that the secue inteopeability is ensued The MSI solution inheently satisfies the autonomy equiement as A Q = { n i=1a i S} Taking a close look at the MSI solution we conclude it has the following dawbacks: NP-Completeness: Li Gong et al [12] showed a polynomial eduction of the Feedback Ac Set poblem, which is a known NP-complete poblem, to the 59

3 MSI poblem, thus poving that MSI is an NP-complete poblem Thus it is not pactical to solve the MSI poblem fo a lage numbe of collaboating domains Moeove, any pactical solution to this poblem would be based on heuistics and in such cases the geneated solutions ae appoximate and ae not guaanteed to be optimal Centalized Algoithm: The MSI poblem assumes full knowledge all domains access contol policies G i = V i, A i, i = 1,, n, and the sets F and R To solve the MSI poblem a global view of the system is equied A tusted mediato having the global view computes the subset of F that satisfies the constaints of MSI The mediato epesents a bottleneck and theefoe such solution is not scalable in distibuted envionments with a lage numbe of inteacting paties Static Solution: The MSI solution computed with n collaboating domains is optimal and secue fo these n domains; if howeve a domain decides to leave o join the collaboation, the MSI solution has to be ecomputed to ensue both optimality and secuity Futhemoe, the MSI solution should be ecomputed if a domain edits o updates its secuity policy This is not pactical in dynamic envionments in which domains ae equied to join and leave the inteopeation envionment tanspaently without the need fo delays and evocations of cuent coalitions Fainess Issue: The MSI solution esolves violations by emoving coss links fom F Howeve, in a violation seveal domains ae involved and the emoval of coss links will affect a subset of these domains The following example elaboates on the fainess issue Conside Figue 1 whee domains A, B and C ae collaboating Each domain has an access contol hieachy epesented as a gaph The coss links ae epesented by the dotted lines A use in domain A acquiing ole A1 could access ole A3 by accessing oles { B3, B1, C2, C1, A3 } which is clealy a secuity violation as A1 A3 Futhemoe, using a simila agument a use at B1 and C1 could access oles B3 and C2 espectively The MSI solution would emove one o moe coss links to beak such cycle Assume that the MSI solution emoves edge ( C1, A3 ); this solution eliminates the secuity violation but uses in domain C ae unable to access oles in domain A This solution is not fai as it esticts access by uses of domain C, wheeas ights of uses in othe domains ae not affected Fom the above discussion we conclude that the MSI solution is NP-Complete, equies a tusted mediato, is static, and moeove it is not fai to all the paticipating domains In the next sections we popose a secue technique which epesents a computationally simple, distibuted, dynamic solution, and ensues fainess to the paticipating domains 3 MEDIATOR-FREE SECURE COLLABORATION In this section we pesent the key notion of ou famewok, that is, the notion of mediato-fee secue collaboation envionment, which does not equie a mediato having A3 A2 A1 Domain A (Home) C2 C1 Domain C B2 B3 B1 Domain B Figue 1: Example of a violation in a multidomain envionment with thee domains The solid lines show the intenal access links, while the dotted lines show the inteopeation coss links F a global view in ode to ensue secue inteopeability Figue 2 shows both types of collaboation envionments To design a mediato-fee envionment we need to analyze the functions pefomed by the mediato, which include: MSI computation: Fom the global view the mediato computes the MSI solution, which geneates the optimal set of collaboation coss links between the domains Role Queying and Routing: By using the global view of the collaboation envionment the mediato is able to answe queies of the fom is 2 eachable fom 1? whee 1 and 2 ae in diffeent domains Futhemoe, the mediato can easily detemine paths between eachable oles in diffeent domains G 2 G 1 G n Mediato G 3 G 4 (a) Mediated G n-1 G 2 G 1 G n G 3 G 4 (b) Mediato-Fee G n-1 Figue 2: Collaboation envionment with and without a mediato A mediato-fee collaboation is a completely distibuted fom of collaboation In this envionment the domains have to collaboate in making access contol decisions to avoid violations In a mediato-fee envionment none of the collaboating domains has the global view of all the access contol policies; instead the domains view the collaboation envionment only though thei established coss links Enfocing secue inteopeability in such an envionment is a challenging task as it equies domains to collaboate in both shaing of esouces and making access contol decisions In a mediato-fee secue collaboation the mediato functions should be executed acoss the collaboating domains accoding to a distibuted stategy 60

4 Request Pocessing Module Basic Path Linking Rules Extended Path Linking Rules Path Authentication Module Path Signatue Geneation Path Signatue Veification Path Discovey Module Poactive Path Discovey On-Demand Path Discovey Path Selection Figue 3: Modules of the mediato-fee secue inteopeability famewok The following assumptions apply to a mediato-fee envionment: 1 Each domain s fist pioity is to ensue that its secuity policy is not violated 2 Domains have limited infomation about the collaboation envionment Each domain is only equied to know its secuity policy, the coss links and esticted links in which it is involved 4 FRAMEWORK FOR SECURE MEDIATOR-FREE COLLABORATION In this section, we pesent ou famewok fo enabling secue collaboation in a mediato-fee envionment Ou famewok povides a secue inteopeability solution that pevents secuity violations as access equests ae being made Ou solution equies no complicated pepocessing, and allows the complete set of coss links to exist Futhemoe, it enables domains to make localized access contol decisions without the need fo the global view of the collaboation envionment These chaacteistics make ou solution vey suitable fo the enfocement of access contol in a mediatofee envionment Ou famewok utilizes the use s cuent access histoy duing the collaboation session to dynamically gant o deny futue access equests We efe to the use s access histoy as the use s access path, which is the sequence of oles acquied by the use duing the cuent session Ou poposed solution shaes the ideas of the Chinese Wall secuity policy [5], as the use s access histoy contols his futue accesses The basis of the Chinese Wall policy is that uses ae only allowed access to infomation which is do not conflict with any othe infomation that they have aleady accessed In this context, the use s access path epesents the use s session histoy and the use s view of the possible futue paths is dependent on his cuent access path 41 Famewok Oveview Ou famewok enables domains to make localized access contol decisions based on the use s access histoy in the collaboation envionment It is composed by the following majo modules (see Figue 3): M1 Request Pocessing Module: This module geneates and evaluates use access equests acoss domains M2 Path Authentication Module: Because the use path migates with the use equests, this module checks the authenticity of the eceived paths Also, this module geneates path signatues fo geneated equests M3 Path Discovey Module: This module enables uses esiding in a home domain to detemine which oles ae accessible in taget domains The above thee modules ae included in each domain The modules inteact with each othe to ensue the secuity of thei coesponding domains The detail of each module of ou famewok is discussed in detail in futhe sections As access paths constitute an impotant dimension in ou famewok, we define in what follows access paths and secue access path equiements 42 Access Paths in an Inteopeation Envionment In a use session we identify thee main types of domains, namely home, cuent and taget domains The home domain is the domain at which the use session stats The cuent domain is the domain fom which the use geneates access equests The taget domain is the domain to which the use is equesting access to When a use entes a domain the use is assigned an enty ole Similaly, when the use leaves a domain to access anothe domain the use is assigned an exit ole Note that the enty and exit oles may coincide Figue 4 shows the home, cuent and taget domains The enty and exit oles ae efeed to as E and X espectively, whee the use s access path in Figue 4 is P = { E H, X H,, E C } Definition 2 The use s access path is defined as the sequence of enty and exit oles acquied by a use duing a given session fom the home domain to the cuent domain E H X H Home Domain (H) E C X C Cuent Domain (C) E T Taget Domain (T) Figue 4: Types of domains, enty and exit oles The secue inteopeability equiements pesented by Li Gong et al [11] which wee mentioned in Section 21 ensue that all the possible paths in secue inteopeation do not 61

5 violate the access contol policy of each domain and that both the coss links set F and the esticted access set R ae honoed Hee we pesent the notion of secue access path Definition 3 Let P = { 1, 2,, n} be an access path, whee i < j implies that ole i was acquied befoe j Moeove, let Domain( i) denotes the domain of ole i P is secue if it satisfies the following conditions: C1 Fo all i < j and i, j P, if Domain( i) = Domain( j) then j i C2 Fo all i, i+1 P, if Domain( i) Domain( i+1) then ( i, i+1) F C3 Fo all i < j and i, j P, ( i, j) R Condition C1 ensues that oles acquied fom the same domain ae acquied accoding to the domain s ole hieachy This ensues that the access contol policies of the domains included in the path ae not violated Conditions C2 and C3 ensue that sets F and R ae honoed The use s access path is attached to use equests to enable domains to make localized access contol decisions This is analogous to souce outing techniques fo limited bandwidth wieless senso netwoks [14, 13] in which the oute fom souce to destination is attached to the packet to enable outing of the packet Thus, including path infomation is an acceptable assumption; in the following sections we pesent techniques to limit the size of the access path 5 REQUEST PROCESSING MODULE In a mediato-fee collaboation envionment each domain has a limited view of the collaboation envionment meaning that each domain has a complete knowledge of its own access contol policy, that is, the coss links and the esticted access links in which it is involved Let F T F and R T R be the coss links and esticted access links that the taget domain T is involved in An access equest fom anothe domain includes the equested ole, and the use s cuent access path Given this limited infomation the taget domain can decide whethe to eject o accept the access equest In such an envionment each domain is mainly concened with ensuing that its access contol policy is not violated By veifying the following basic path linking ules a taget domain is able to secuely gant o evoke a equest Definition 4 The basic path linking ules: Let P be a secue path, X C the exit ole in the cuent domain, E T the equested ole in the taget domain The taget domain must veify the following conditions in ode to gant access to the equested ole: L1 ( X C, E T ) F T L2 Fo all P, (, E T ) R T L3 Fo all P, if Domain() = T then E T The next theoem poves that the basic path linking ules assue the secuity of the computed path if all the conditions L1 3 ae veified befoe a link is added to the path Note that is the concatenation opeato Theoem 1 Let P i be a secue path, and P i+1 = P i E T be an updated path that satisfies the basic path linking ules Then P i+1 is also a secue path Poof, The initial path P i = ( 1, 2,, n) is secue, whee 1 = E H, 2 = X H and n = X C efe to Figue 4 We poceed using a poof by contadiction Assume to the contay that the new path P i+1 is not secue afte satisfying all the basic path linking ules If this is the case, then a violation exists in path P i+1 = P i E T This violation can be due to P i o ( X C, E T ) o ( k, E T ), whee k P i, 1 k n Since P i is the initial path and it is assumed to be secue then it cannot contain a violation Rule L1 checks that ( X C, E T ) F T and Rule L2 ensues that ( X C, E T ) R T thus this link cannot be the cause of the violation We ae now left with only links ( k, E T ); howeve ule L2 ensues that such links ae not in the R T and ule L3 checks the integity of adding such links and insues that the odeing among the oles in the domain s intenal oles hieachy is not violated; thus these links cannot esult in secuity violations In this case as all the possible links that could lead to a violation have been poven to be secue afte veifying the basic path linking ules which contadicts ou assumption and thus path P i+1 can only be a secue path Note that the basic linking ules applied by the taget domain ae based on the taget domain access policy, the educed coss link and esticted sets F T and R T, and the use s access path Thus, the taget domain is able to make secue access contol decisions without a global view of the collaboation envionment All the computations pefomed to execute ules L1-3 ae computationally simple opeations and can be computed in polynomial time Futhemoe, the basic linking ules do not emove any coss links and thus the solution is fai to all the domains in the collaboation envionment 51 Extended Path Linking Rules In addition to the basic path linking ules, the extended ules povide moe constaints on the use s access path Such constaints ae useful fo secuing many applications with special path equiements The esticted access elation R is only capable of epesenting simple binay mutual exclusion constaints of the fom ( 1, 2) stating that oles 1 and 2 must not be accessed by the same use in the same session Othe path estictions ae desiable fo cetain applications Cadinality and SoD constaints ae cucial fo secuing many applications in a commecial envionment Many eseaches have highlighted the impotance and use of cadinality and SoD constaints in RBAC models [10, 9, 16] Howeve, no one has addessed the these constaints in the context of a multidomain collaboative envionment A moe geneal type of such constaints equies that no use be a membe of t o moe oles in a set of m oles { 1, 2, m} in a given session [16] Assuming the use s access path is P, then this type of constaint can easily be checked by veifying that P { 1, 2,, m} t, whee x denotes the cadinality of the set x Cadinality constaints ae constaints on the size of the access path A cadinality constaint of the fom P Pmax bounds the numbe of oles acquied in a session to a numbe Pmax of oles Odeing constaints enfoce conditions on the ode accoding to which the oles have to be acquied Such con- 62

6 staints ae elevant in the context of wokflow systems [3], in which cetain oles should be acquied befoe othes oles can be activated 6 PATH AUTHENTICATION The access path is attached to the use s equests as it migates acoss domains A technique is equied to ensue that this path is authentic and has not been tampeed with The authentication scheme poposed is based on a signatue that is geneated by all the domains included in the access path The authentication scheme should peseve both the path contents and the odeing Each domain i has a pivate key e i and a public key d i The path signatue is computed as the use equest is sent fom the cuent domain to the taget domain Fo a use cuently in domain i and equesting access to a taget domain i + 1 the cuent path is P i = { E 1, X 1,, E i, X i }, whee E k and X k, k = 1,, i, ae the enty and exit oles in domain k espectively The signatue SP i of path P i is computed as follows: SP i = SIGNei (SP i 1 h( E i X i i + 1)) if i 1 seed if i = 0 whee is the concatenation opeato, Ä is the XOR opeato, seed is a andom numbe geneated by the home domain which is included in the path infomation, h() is a secue one-way hash function, and SIGN K(M) is a signatue function that uses key K to sign message M The signatue is geneated using modula exponentiation simila to techniques used in RSA signatues [22] Domain i aleady has the signatue SP i 1 of path P i 1, thus domain i can easily compute SP i as E i, X i, i + 1 and e i ae known by domain i The path signatue SP i is signed using the pivate key e i thus this signatue cannot be foged The signatue function has the following popety: SIGN di (SIGN ei (M)) = M Pesented with P i, SP i and the seed the taget domain i + 1 can easily veify the path signatue by pefoming the following opeation: SIGN di (SP i) h( E i X i i + 1) = SP i 1, fo i 1 The taget domain can easily check the authenticity of a path P i by ecusively computing the above equation and compaing SP 0 with the seed Note that the signatue veification is pefomed using the public key infomation of the involved domains; thus the veification does not equie contacting the involved domains 7 PATH DISCOVERY Coss links ae the main enables of collaboation Domains ae able to collaboate with neighboing domains though the established collaboation coss links Neighboing domains ae single hop collaboations as they only involve two domains Single hop collaboations ae easy to achieve and initiate as domains aleady have full knowledge of thei established coss links One the othe hand, in ode to collaboate though multi-hop collaboations domains need to build one o moe candidate access paths to taget domains To enable domains to discove available multi-hop collaboations a distibuted path discovey algoithm is equied The discovey algoithm enables domains in an inteopeation envionment to discove paths to oles in othe domains, whethe eachable though one o moe intemediate domains Futhemoe, the discoveed paths should follow the path linking ules to ensue the discoveed path(s) secuity In this section, we pesent two path discovey algoithms, poactive and on-demand path discovey algoithms 71 Poactive Path Discovey The poactive path discovey algoithm computes the paths fom the oles in cuent domain to oles in othe domains a pioi Each domain geneates and maintains a ole outing table, which is a patial map of the collaboation envionment epesenting the view with espect to the cuent domain Neighboing domains exchange peiodic discovey updates via coss links indicating eachable domains though these links Note that coss link elated to domain i can be divided into outgoing and incoming coss links, efeed to by F O i and F I i espectively, whee F O i F I i = F i The peiodic messages ae sent by domains on thei incoming coss links Figue 5(a) shows the diection of the peiodic discovey updates in an example collaboation envionment The content of the peiodic message is chosen by the advetising domain to indicate paths to oles accessible though the coss link ove which the message is sent To avoid loops, paths that include the domain to which the update message is to be sent ae dopped o tuncated Fo example in Figue 5(a) the update message sent fom domain B to domain A acoss ( A3, B1 ) will epot the oles eachable via B1 in all domains othe than domain A, this clealy avoids loops To avoid infinitely gowing paths, a cadinality constaint should be set on the path length; the path length could be limited to double the numbe of estimated collaboating domains The poactive path discovey algoithm is simila to link state outing; howeve, thee ae seveal diffeences Fo example, in a collaboation envionment coss links ae not necessaily bidiectional and outing metics ae not necessaily based on distance instead on highe level logic dictated by the coss links and the domain hieachies To ensue the authenticity of the epoted paths, a path signatue is computed based on technique simila to the path authentication scheme discussed in Section 6 Howeve, the path signatue is computed in the evese diection, fom the taget domain to the home domain, as the path is discoveed fom taget to home The advantage of a poactive path discovey is that when a domain needs to collaboate with a taget domain, the path is aleady available and thus thee is no latency Futhemoe, this technique is eactive to collaboation envionment changes such as changes in the coss links, domain policies, and the enty o exit of collaboating domains The disadvantage is that some paths may neve be used duing the collaboation peiod Anothe poblem is that the dissemination of path infomation will peiodically consume netwok bandwidth 72 On-Demand Path Discovey The on-demand path discovey algoithm computes paths fom the oles in the cuent domain to oles in a taget domain only when such path is needed Neighboing domains do not exchange peiodic path message updates; instead simple Hello messages ae sent between domains that shae coss links to announce that the link is still alive When a home domain needs to establish a path to a cetain ole in a 63

7 A 1 B 1 Coss Links Path Discovey Messages A 2 A 3 D 2 D 1 D 3 B 2 C 1 C 2 C 3 (a) Poactive Path Discovey A 1 B 1 Coss Links Path Discovey Requests A 2 A 3 D 2 D 1 D 3 B 2 C 1 C 2 C 3 (b) On-demand Path Discovey Figue 5: Examples of poactive and on-demand path discovey taget domain, a path equest message is geneated by the home domain and is sent on its outgoing coss links Upon eceiving the path equest message, the eceiving domain pefoms a path evaluation based on the basic path linking ules If the path is accepted, the domain updates the path and esends the equest though its coss link excluding the coss links that involve domains aleady included in the path This ensues that the path is loop fee and educes the numbe of esent equests Figue 5(b) shows an example of a on-demand path discovey initiated by domain A to detemine oles eachable at domain D fom ole A3 The solid aows show the path discovey messages; note that domains B does not fowad the equest on the coss link ( B2, A1 ) as domain A is in the computed path Also, note that domain D does not fowad the equest on the coss link ( D3, B2 ) as domain B is in the computed path Figue 6 shows the algoithm executed when a domain j eceives a path equest fom a neighboing domain Afte sending the path equest the home domain waits fo a timeout peiod of T max If no eply aives fom the taget domain then this means thee ae no secue paths fom home domain to the taget domain The value of T max is assigned based on the numbe of collaboating domains The path authenticity is ensued by using the path signatue scheme discussed in Section 6 as the path equest message takes the path taken by the actual access equest The majo advantage of on-demand path discovey is that it saves netwok bandwidth because it limits the amount of bandwidth consumed in the exchange of path discovey infomation by maintaining paths to only those taget domains to which the domains need to collaboate with The home domain could include constaints on the equested path, to futhe educe the path discovey taffic Fo example, the equest could include a list of domains that should o should not be included in the path discovey On-demand path discovey also obviates the need fo disseminating path discovey infomation peiodically, o flooding such infomation wheneve a coss link changes o when a domain leaves o joins the collaboation envionment The pimay poblem with on-demand path discovey is the lage latency at the beginning of the collaboation caused by popagation of the path equest message 73 Path Selection Both path discovey algoithms could etun multiple secue paths between the home and taget domains The home domain, selects one path accoding to a selection citeia The selection citeia is based on the path popeties which include: Path length: The path having the shotest length in tems of the numbe of visited domains is selected Visited domains: Select the path that contains a cetain set of domains o visits domains accoding to a cetain sequence Composite domain eputation: Domains could be given eputation metics and the path eputation is computed using the domains included in the path, and the path having the highest eputation be selected 8 SECURITY ANALYSIS In this section we discuss some secuity attacks that could be pefomed in a mediato-fee collaboation envionment Moeove, we show that ou secue famewok is esilient to these attacks Path Couption The access path is one of the main elements equied when making access contol decisions A malicious domain may attempt to alte the access path by emoving o adding enties to the 64

8 Input: Request = (Taget Domain T, Path P, Path Signatue SP) aiving to domain j fom domain i via coss link ( X i, E j ) Algoithm: 1 Check Path signatue SP, if invalid dop equest, End 2 Check the Path linking ules on P and link ( X i, E j ), if insecue path then dop equest, End 3 If P > Pmax then dop equest, End 4 If domain j is equal to the taget domain T (a) Update path P new = P E j (b) Geneate path signatue SP new = SIGN ej (SP h( E j )) (c) Send Path Request Reply =(P new, SP new) to Home domain in P 5 Fo all coss links L = ( X j, E k ) F O j and ( E j, X j ) A j and domain k DP, (a) Update path P new = P E j X j (b) Geneate path signatue SP new (c) Send Request = (Taget Domain T, P new, SP new) to domain k 6 End Figue 6: Algoithm executed by domain j upon eceiving a path equest cuent access path The path couption could be divided into two types of attacks, namely path insetion and deletion The path insetion attack is pefomed by an attacke in an attempt to inset a domain in the path Given P i = {1 E, 1 X,, i E, i X }, the attacke attempts to change it by inseting oles y E, y X in the path sting, P i = { 1 E, 1 X,, k E, k X, y E, y X, k+1, E k+1, X, i E, i X } Figue 7(b) shows such an attack The attacke is unable to geneate the signatue of the new path SP i as this equies the geneation of new signatues SP j, k j i and this equies the knowledge of the secet keys e j, fo k j i This shows that this path cannot be authenticated by the attacke The path deletion attack is pefomed by an attacke in an attempt to delete a domain in the path Given P i = {1 E, 1 X,, i E, i X } the attacke attempts to change it by deleting oles E k, X k in the path sting, P i = { E 1, X 1,, E k 1, X k 1, E k+1, X k+1,, E i, X i } Figue 7(c) shows such an attack The attacke is unable to geneate the signatue of the new path SPi as this equies the geneation of new signatues SPj, j {k 1, k + 1,, i}, which equies the knowledge of the coesponding secet keys This shows that this path cannot be authenticated by the attacke Note that othe types of attacks such as path eodeing ae not possible because the attacke cannot pove the authenticity of such path Anothe type of attack in which domains in the collaboation collude to foge an access path, in this case two o moe domains agee to povide coss links which did not exist Howeve, if these coss links only involve the colluding domains then this cannot be an attack because both domains ageed to povide such coss link If the coss links involve domains othe than the colluding domains, then this is easily detected fom the path signatue and when the path linking ules ae executed (a) Oiginal Path P y 4 (b) Path Insetion Attack (c) Path Deletion Attack Figue 7: Types of path couption attacks Path Replay Attacks An attacke could captue a equest submitted duing a valid session and ty to eplay such a equest This attack is not possible as fo each session a new seed is used to authenticate the path and thus the captued equest will have an old seed Denial of Sevice An attacke would equest a ole via a path that contains a loop P = { 1, 2,, n, 1, 2, } and epeat such equests infinitely to incease the path size infinitely Such an attack can be easily dealt with by intoducing a bound on the pemissible path size, which is basically the path cadinality constaint mentioned in Section 51, and the pemissible path size can be set to double the numbe of domains pesent in the collaboation Violations of the Resticted Relation R In this attack a malicious domain involved in a esticted ac- 65

9 cess elation does not hono such elations In such a case this domain gives access to a use that violates the esticted access elation R This attack is easily detected by the neighboing domain, as such ole access will be ecoded in the use s access path Futhemoe, violating the esticted access elation will only diectly affect the secuity of the malicious domain Thus domains that do not abide by the path linking ules cause secuity violations to thei own secuity policies 9 RELATED WORK The poblem of secue inteopeation in a multi-domain envionment has been addessed in [11, 4] In paticula, Li Gong et al [11] chaacteized the popeties that must be satisfied to compose a global secue policy They poposed the maximal secue inteopeability poblem and detemined its complexity to be NP-Complete In all such appoaches a tusted thid paty that has a global view of the collaboation envionment is equied to pefom the secue policy composition and integation Dawson et al [7] pesented a mediato based appoach to povide secue inteopeability fo heteogeneous databases This appoach assumes a mandatoy access contol policy, such as the Bell LaPadula [2] policy, which is not flexible and not applicable in many commecial applications Futhemoe, all access equests go though the cental mediato which has a global view of the collaboation envionment This appoach is thus not appopiate fo a dynamic distibuted envionment Othe appoaches elated to centalized database collaboation have been poposed in [20, 15, 24, 25] Also these appoaches have limited applicability because assume a centalized global view of the systems to be inteopeated 10 CONCLUSIONS In this pape, we have pesented a mediato-fee collaboation envionment in which domains collaboate in making localized access contol decisions We pesented a famewok to enable collaboation in such an envionment whee domains collaboate secuely without needing a tusted mediato and without needing a global view of the collaboation envionment In ou famewok the use s access path is used to povide domains with enough infomation to make secue access contol decisions using both basic and extended path linking ules We also povided a path authentication scheme that ensues that the path is not tampeed with as it popagates between domains Futhemoe, we have povided poactive and on-demand path discovey algoithms that enable domains to discove available multi-hop collaboations We also analyzed seveal secuity attacks that could be pefomed and showed how ou famewok can easily handle such attacks 11 ACKNOWLEDGMENTS The eseach of Mohamed Shehab and Aif Ghafoo has been suppoted by the sponsos of the Cente fo Education and Reseach in Infomation Assuance and Secuity (CERIAS) at Pudue Univesity, and the National Science Foundation unde NSF Gant IIS The eseach by Elisa Betino was suppoted in pat by the NSF unde the Poject The Design and Use of Digital Identities, by an IBM Fellowship, and by the sponsos of CERIAS at Pudue Univesity 12 REFERENCES [1] H Afsamanesh, C Gaita, and L Hetzbege Vitual Entepises and Fedeated Infomation Shaing In DEXA 98: Poceedings of the 9th Intenational Confeence Database and Expet Systems Applications, pages , Aug 1998 [2] D Bell and L LaPadula Secue Compute Systems: Mathematical Foundations Technical Repot MTR-2547, 1, Mach 1973 [3] E Betino, E Feai, and V Atlui The Specification and Enfocement of Authoization Constaints in Wokflow Management Systems ACM Tansactions on Infomation and Systems Secuity, 2(1):65 104, Feb 1999 [4] P Bonatti, M Sapino, and V Subahmanian Meging Heteogenous Secuity Odeings Jounal of Compute Secuity, 5(1):3 29, 1997 [5] D Bewe and M Nash The Chinese Wall Secuity Policy In Poceedings of IEEE Symposium on Secuity and Pivacy, pages , 1989 [6] J Campton On Pemissions, Inheitance and Role Hieachies In CCS 03: Poceedings of the 10th ACM confeence on Compute and communications secuity, pages ACM Pess, Oct 2003 [7] S Dawson, S Qian, and P Samaati Poviding Secuity and Inteopeation of Heteogeneous Systems Distibuted Paallel Databases, 8(1): , 2000 [8] A Desai and N Awad Special Issue on Adaptive Complex Entepises Communications of ACM, 48(5), May 2005 [9] D Feaiolo, D Kuhn, and R Chandamouli Role-Based Access Contol Atech House, Ap 2003 [10] D Feaiolo, R Sandhu, S Gavila, D Kuhn, and R Chandamouli Poposed NIST Standad fo Role-Based Access Contol ACM Tansactions on Infomation and Systems Secuity, 4(3): , Aug 2001 [11] L Gong and X Qian The Complexity and Composability of Secue Inteopeation In Poceedings of IEEE Symposium on Secuity and Pivacy, pages IEEE Compute Society, 1994 [12] L Gong and X Qian Computational Issues in Secue Inteopeation IEEE Tansaction on Softwae and Engineeing, 22(1), Jan 1996 [13] Y Hu, A Peig, and D Johnson Aiadne: A Secue On-demand Routing Potocol fo Adhoc Netwoks In MobiCom 02: Poceedings of the 8th annual intenational confeence on Mobile computing and netwoking, pages ACM Pess, Sept 2002 [14] D Johnson, D Maltz, and J Boch DSR: The Dynamic Souce Routing Potocol fo Multihop Wieless Adhoc Netwoks Ad hoc netwoking, pages , 2001 [15] D Jonsche and K Dittich An Appoach fo Building Secue Database Fedeations In VLDB 94: Poceedings of the 20th Intenational Confeence on Vey Lage Data Bases, pages 24 35, Santiago de Chile, Chile, Sept 1994 Mogan Kaufmann 66

10 [16] N Li, Z Bizi, and M Tipunitaa On Mutually Exclusive Roles and Sepaation of Duty In CCS 04: Poceedings of ACM Confeence on Compute and Communications Secuity, Oct 2004 [17] H Ludwig, C Bussle, M Shan, and P Gefen Coss-Oganisational Wokflow Management and Co-odination In WACC 99: Poceedings of the Wokshop on Coss-Oganisational Wokflow Management and Co-odination, Feb 1999 [18] J Madhavan, P Benstein, A Doan, and A Halevy Copus-Based Schema Matching In ICDE 05: Poceedings of the Twenty Fist Intenational Confeence on Data Engineeing, Apil 2005 [19] J Madhavan and A Halevy Composing Mappings Among Data Souces In VLDB 2003 : Poceedings of the Twenty Ninth Intenational Confeence on Vey Lage Databases, 2003 [20] M Mogensten, T Lunt, B Thuaisingham, and D Spoone Secuity Issues in Fedeated Database Systems: Panel Contibutions In Results of the IFIP WG 113 Wokshop on Database Secuity V, pages Noth-Holland, 1992 [21] R Ramnath and D Landsbegen IT-Enabled Sense-and-Respond Stategies in Complex Public Oganizations Communications of ACM, 48(5):58 64, May 2005 [22] R Rivest, A Shami, and L Adleman A Method fo Obtaining Digital Signatues and Public-Key Cyptosystems Communications of the ACM, 21(2): , Feb 1978 [23] R Sandhu, E Coyne, H Feinstein, and C Youman Role-Based Access Contol Models IEEE Compute, 29(2):38 47, Feb 1996 [24] S Vimecati and P Samaati Authoization Specification and Enfocement in Fedeated Database Systems Jounal of Compute Secuity, 5(2): , 1997 [25] G Wiedehold, M Bilello, and C Donahue Web Implementation of a Secuity Mediato fo Medical Databases In Poceedings of the IFIP TC11 WG113 Eleventh Intenational Confeence on Database Secuty XI, pages 60 72, London, UK, UK, 1998 Chapman & Hall, Ltd 67