Abstract
This paper deals with the maintenance of PKI certificates for Attribute Based Access Control (ABAC). We show, that the current standard has several problems in different revocation and delegation processes. This may lead to a security hole allowing usage of ABAC certificates, when it was revoked or transferred. As a solution we suggest architecture changes, that allow to perform revocation and transfer checks in such cases, based on extensions of the validation process of the ABAC certificates. We also discuss some privacy and performance challenges that are raised as a result of our proposal.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
McCollum, C.J., Messing, J.R., Notargiacomo, L.: Beyond the pale of MAC and DAC-defining new forms of access control. In: Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 190–200. IEEE (1990)
Adams, C., Zuccherato, R.: A general, flexible approach to certificate revocation. Entrust Technologies White Paper (1998)
Blaze, Matt, Feigenbaum, Joan, Keromytis, Angelos D.: KeyNote: trust management for public-key infrastructures. In: Christianson, Bruce, Crispo, Bruno, Harbison, William S., Roe, Michael (eds.) Security Protocols 1998. LNCS, vol. 1550, pp. 59–63. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49135-X_9
Rivest, R.L.: Can we eliminate certificate revocation lists? In: Hirchfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 178–183. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055482
Housley, R., Ford, W., Polk, W., Solo, D.: RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile (1999)
Boneh, D., Ding, X., Tsudik, G., Wong, C.M.: A method for fast revocation of public key certificates and security capabilities. In: USENIX Security Symposium, p. 22, August 2001
Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: a logicbased approach to distributed authorization. ACM Trans. Inf. Syst. Secur. (TISSEC) 6(1), 128–171 (2003)
Linn, J., Nystrom, M.: Attribute certification: an enabling technology for delegation and role-based controls in distributed environments. In: Proceedings of the Fourth ACM Workshop on Role-Based Access Control (1999)
Xiong, L., Liu, L.: PeerTrust: supporting reputation-based trust for peer-to-peer electronic communities. IEEE Trans. Knowl. Data Eng. 16(7), 843–857 (2004)
Ye, C., Wu, Z., Fu, Y.: An attribute-based delegation model and its extension. J. Res. Pract. Inf. Technol. 38(1), 3–18 (2006)
Naor, M., Nissim, K.: Certificate revocation and certificate update. IEEE J. Sel. Areas Commun. 18(4), 561–570 (2000)
Farrell, S., Housley, R., Turner, S.: RFC 5755: An Internet Attribute Certificate Profile for Authorization. IETF (2010)
Thompson, M.R., Essiari, A., Mudumbai, S.: Certificate-based authorization policy in a PKI environment. ACM Trans. Inf. Syst. Secur. (TISSEC) 6(4), 566–588 (2003)
Lou, W., Ren, K.: Security, privacy, and accountability in wireless access networks. IEEE Wirel. Commun. 16(4), 80–87 (2009)
Win, L.L., Thomas, T., Emmanuel, S.: Privacy enabled digital rights management without trusted third party assumption. IEEE Trans. Multimed. 14(3), 546–554 (2012)
Sufatrio, Yap, R.H.: Trusted principal-hosted certificate revocation. In: Wakeman, I., Gudes, E., Jensen, C.D., Crampton, J. (eds.) IFIPTM 2011. IFIPAICT, vol. 358, pp. 173–189. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22200-9_15
Hinarejos, M.F., Munoz, J.L., Forne, J., Esparza, O.: PREON: an efficient cascade revocation mechanism for delegation paths. Comput. Secur. 29(6), 697–711 (2010)
Crampton, J., Khambhammettu, H.: Delegation in role-based access control. Int. J. Inf. Secur. 7(2), 123–136 (2008)
Paquin, C., Zaverucha, G.: U-prove cryptographic specification v1. 1. Technical report, Microsoft Corporation (2011)
Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5
Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_27
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Rabin, A., Gudes, E. (2018). Secure Protocol of ABAC Certificates Revocation and Delegation. In: Imine, A., Fernandez, J., Marion, JY., Logrippo, L., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2017. Lecture Notes in Computer Science(), vol 10723. Springer, Cham. https://doi.org/10.1007/978-3-319-75650-9_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-75650-9_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75649-3
Online ISBN: 978-3-319-75650-9
eBook Packages: Computer ScienceComputer Science (R0)