
A Framework for Role-Based Access Control in Group Communica

Date: 2025-07-04   Source: unknown

In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines ro

A Framework for Role-Based Access Control in Group Communication Systems

Cristina Nita-Rotaru and Ninghui Li
Department of Computer Sciences
Purdue University
West Lafayette, IN 47907

Abstract

In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines role-based access control mechanisms with environment parameters (time, IP address, etc.) to provide support for a wide range of applications with very different requirements. While the access control policy is defined by the application, its efficient enforcement is provided by the group communication system.

1 Introduction

Many collaborative applications such as phone and video conferencing, white-boards, distance-learning applications, games, shared instrument control, as well as command-and-control systems, have in common the need for a communication infrastructure that provides efficient message dissemination to multiple parties (often organized in groups based on a common interest), efficient synchronization mechanisms that allow for coordination and last, but not least, security services. Group communication systems (GCS) provide such services. Examples of group communication systems include: ISIS [9], Horus [21], Transis [4], Totem [6], RMP [28], Rampart [20], SecureRing [13], Ensemble [24] and Spread [8, 3].

An important aspect for secure collaborative groups is defining and enforcing a security policy. A set of definitions and requirements of security policies in groups is presented in [12]. The minimal set of security services that should be provided by any secure GCS and should be specified in a group policy includes: client authentication, access control, group key management, data integrity and confidentiality.

While considerable research has been conducted to design scalable and fault-tolerant group key management protocols [29, 23, 5], and to provide data confidentiality and integrity [17, 2, 25, 7] for groups, less work focused on the access control services. When GCS are used as a common platform by several applications with different security requirements, there is an obvious need to control who can join a group, who can send/receive messages, etc. Major challenges when providing access control services to GCS are reconciling flexibility with scalability, and efficiently enforcing access control in the context of dynamic and distributed groups while supporting process failures and network partitions.

Most existing work in providing access control for groups employs traditional access control schemes such as Access Control Lists (ACL’s). Such schemes make authorization decisions based on the identity of the requester. However, in decentralized or multi-centric environments, the resource owner and the requester are often unknown to one another, making access control based on identity ineffective or very expensive to maintain.

We adopt an approach in which the operations a client is allowed to perform depend on the role the client is playing in the group, and authenticated attributes of the client are used to determine which roles the client can play in a group. We focus on a GCS using a client-server architecture where the distributed protocols are run between a set of servers providing services to numerous clients. More specifically, our contributions are:

• We investigate the requirements for access control mechanisms in GCS and show why identity-based schemes do not provide enough flexibility to support a large class of collaborative applications.

• We design a fine-grained access control framework for GCS, based on ideas in Role-Based Access Control [26, 10] and RT [15], a Role-Based Trust-Management language. Our framework allows an
