A Content-based Authorization for Digital Library Storage Systems - PowerPoint PPT Presentation

1
A Content-based Authorization for Digital Library
Storage Systems
  • Nabil R. Adam
  • Rutgers University CIMIC
  • adam_at_adam.rutgers.edu
  • Joint work with V. Atluri and I. Adiwijaya
  • IEEE/ARL/NASA Workshop on Information Assurance
  • December 4, 2001

2
Characteristics of Digital Libraries
  • Information
  • Maintained on heterogeneous, autonomous,
    distributed systems
  • Owned by different entities
  • Available in a wide range of formats and media

3
Characteristics of Digital Libraries (Cont'd)
  • Users
  • Various capabilities
  • Physical
  • Technical
  • Linguistic
  • Domain expertise
  • Various Characteristics
  • Mobile
  • Different interests and preferences/profiles
  • Use different information appliances (HW/SW)
  • e.g., PC, Work station, PDA, TV, Cell phone,
    Pager, etc.
  • Credentials

4
Characteristics of Digital Libraries
  • Digital Library Objects
  • Multimedia, e.g., audio, video, images, text,
    electric, magnetic, thermal
  • Complex - multicomponents -- Constraints
    (specified by author of the object)
  • Synchronization -- Specify temporal relationships
    among the components that must be adhered to
  • Fidelity - Specify the capabilities of the users
    appliance necessary for playing the object with
    specified quality
  • Spatial - Specify position of each component
  • External Constraints such as (security) policy,
    QOS
  • Our focus is on Security

5
Sample of A DL Object
6
Universal Access
  • Need to facilitate access to desired data of
    multimedia, composite objects according to the
    various users
  • Capabilities and
  • Characteristics
  • UA Objective is
  • Make it available to anyone anywhere, at
    anytime. While at the same time satisfying the
    objects constraints, including security
    constraints

7
Challenge
  • How to make objects intelligent enough so that
    they automatically manifest themselves to cater
    to different users capabilities and
    characteristics and at the same time satisfy the
    various constraints

8
Security For Digital Libraries
  • Recall the conventional access control model:
    auth = <subject, object, privilege>
  • Examples
  • <John, Employee Table, Select>
  • <Mary, Department Table, Insert>
  • Is not suitable for DL because
  • Large number of objects
  • Typically multimedia
  • Stored in a variety of formats
  • Owned and maintained by different entities
  • Large and highly dynamic user population
  • Different access restrictions on different parts
    of the objects

9
Data Protection Policies in DL
  • Examples
  • A user can be given access to a document only if
    he/she is a subscriber of the magazine
  • A user can be given access to an R-rated video
    only if he/she is 18 years or older
  • Anyone can access the abstract of a paper, but
    the full-paper is available only upon payment
  • Only Rutgers students are allowed access to the
    objects maintained in Rutgers library

10
Security Requirements in DL (1)
  • Flexible user specification.
  • In current authorization models, authorization
    subjects are stated in terms of user id.
  • In some systems, roles and groups can also be
    used.
  • In DL environment, the user population is often
    dynamic.
  • Need to state access policies in a DL in terms of
    user characteristics, e.g.,
  • Age, "a video rated R can only be accessed by
    users who are 18 or older."
  • The organization the user belongs to
  • Whether the user (or his/her organization) has
    paid subscription
  • Access control should also be based on the
    context of the subject.
  • For example, the policy may specify that a
    person should not be allowed access to an object
    while at work (if accessing non-work-related
    info), or vice versa (access confidential info
    from work only).

11
Security Requirements in DL (2)
  • Content-based access control to multimedia and
    unstructured data
  • For example, in RDBS "a manager can only see the
    records of the employees working for him/her" --
    such access control policies are expressed in
    terms of views.
  • In DL, need to automatically determine if a
    certain object (doc, image, video) satisfies a
    certain condition on its content.
  • As an example, consider a policy stating that
    "all documents discussing how to operate guns
    must be available only to users who are 18 years
    or older" -- how to determine whether a certain
    document actually deals with such a topic even
    if it does not use the keyword "gun"?
  • Need for content understanding

12
Security Requirements in DL (3)
  • In DL, we need to apply different access
    restrictions to different portions of the object
    -- Varying granularity of authorization
  • An interesting approach to support selective
    document dissemination among the users of a DL is
    represented by the Cryptolope system by IBM.
  • This approach consists of encrypting different
    parts of the same document, that are subject to
    different access control policies, with different
    keys. All users receive the same physical
    document however, each user receives only the
    keys for accessing the parts of the documents
    he/she is authorized to.
  • A limitation of this approach is that it does not
    provide any tool to specify and enforce access
    control policies that take into account document
    content and user credentials.

13
Security Requirements in DL (4)
  • Access control based on the temporal attributes
    of the subjects and objects.
  • Be able to provide access
  • only during a certain predefined time interval,
    or
  • as long as a user holds a credential, or
  • based on the time at which the object was
    created.
  • E.g., if a user is a member of a digital library
    during a certain time interval, he should be
    allowed access to objects that were written
    during this time, but not before or after.
  • Be able to provide periodic authorizations.
  • E.g., a person is allowed access to certain
    documents every Wednesday, during his every
    computer class (held on Wednesdays), or during
    the office hours every day.
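The temporal conditions listed on this slide (a predefined interval, "as long as a user holds a credential", the object's creation time, and periodic windows such as Wednesday classes or daily office hours) can be checked in one place. The evaluator below is an added illustration, not the authors' code; the policy values (the autumn-term class, the 2001 membership period, the office-hours window) are constructed, and the function returns the first failing condition so an access log records why a request was refused.

```python
"""Evaluator for the temporal and periodic conditions listed on slide 13.
Added illustration with constructed policy values, not the authors' code."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class TemporalAuth:
    valid_from: date                     # predefined interval in which the auth holds
    valid_to: date
    weekdays: FrozenSet[int]             # periodic part: 0 = Monday ... 6 = Sunday
    start: time                          # daily window [start, end)
    end: time
    object_from: Optional[date] = None   # object must have been created inside
    object_to: Optional[date] = None     # [object_from, object_to], e.g. a membership period


def temporal_violation(auth: TemporalAuth, now: datetime,
                       credential_until: Optional[date], object_created: date) -> Optional[str]:
    """Return None if every temporal condition holds at `now`, else the first
    failing condition (useful for the access log)."""
    if not auth.valid_from <= now.date() <= auth.valid_to:
        return "outside authorization interval"
    if credential_until is not None and now.date() > credential_until:
        return "credential no longer held"
    if now.weekday() not in auth.weekdays:
        return "not an authorized weekday"
    if not auth.start <= now.time() < auth.end:
        return "outside daily hours"
    if auth.object_from is not None and object_created < auth.object_from:
        return "object created before membership period"
    if auth.object_to is not None and object_created > auth.object_to:
        return "object created after membership period"
    return None


# Constructed policies modelled on the slide's examples (not from the page).
COMPUTER_CLASS = TemporalAuth(date(2001, 9, 1), date(2001, 12, 31),      # autumn term
                              frozenset({2}), time(10, 0), time(12, 0),  # Wednesdays, 10-12
                              date(2001, 1, 1), date(2001, 12, 31))      # 2001 membership
OFFICE_HOURS = TemporalAuth(date(2001, 1, 1), date(2002, 12, 31),
                            frozenset(range(7)), time(9, 0), time(17, 0))


def allowed(auth: TemporalAuth, now: datetime,
            credential_until: Optional[date], object_created: date) -> bool:
    return temporal_violation(auth, now, credential_until, object_created) is None


if __name__ == "__main__":
    wed = datetime(2001, 12, 5, 10, 30)   # the Wednesday after the workshop date
    for now in (wed, wed.replace(day=6), wed.replace(hour=13)):
        print(now, temporal_violation(COMPUTER_CLASS, now, date(2002, 6, 30), date(2001, 6, 15)))
```

Because the membership period is a separate pair of dates from the authorization's own validity interval, the same structure expresses both "access only during the interval" and "access only to objects written while the user was a member".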

14
Security Requirements in DL (5)
  • Distributed and remote access aspects of DL: 2
    aspects
  • DL may be distributed and has several information
    providers
  • each is maintained by possibly different
    organizations.
  • different organizations may have different access
    control policies
  • should each organization retain its own autonomy
    wrt access control policies and how to resolve
    conflicts that may arise,
  • OR
  • should the various policies be integrated and
    global policies be devised.
  • where to maintain authorization information and
  • where to enforce access control.
  • Some of those questions have been addressed in
    the context of distributed DBS. However, these
    solutions are not adequate to the DL environment
    since one also needs to address the heterogeneity
    among subject credentials and concepts associated
    with objects.

15
Security Requirements in DL (6)
  • Users accessing a DL may be remote users who do
    not belong to the organization owning the DL.
  • Remote users may be required to provide info,
    e.g., age, for access control purposes.
  • Access control info that is recorded for users
    at their organization may differ from the info
    required by the access control system of the DL.
  • Another related question is the use of
    certification and other authentication mechanisms
    to ensure the authenticity of the info provided
    for access control purposes as well as access
    anonymity. There are many situations in which
    users accessing a DL may wish to keep their
    identity anonymous.

16
Desirable features of a DL authorization model
  • access control based on the content (rather than
    the object identifier)
  • flexible specification of authorization based on
    the user credentials (rather than user ids)
  • support for access control to multimedia objects
  • varying granularity of authorization ranging from
    sets of objects to specific portions of objects
  • access control based on the temporal attributes
    of both users and objects
  • support for suitable privilege modes (link, copy,
    print, distribute, overlay, zoom-in)
  • ability to interoperate with heterogeneous
    security policies
  • support for object integrity

17
DL Authorization Model
  • Our model is based on <credentials, concepts,
    privilege>
  • Credential is a set of user attributes that are
    needed for security purposes. Credentials with
    similar structures are grouped into
    credential-types
  • A Concept is a means for concisely describing the
    content of a dlo. We view DL objects as organized
    in a conceptual hierarchy
  • Our model supports browsing and authoring
    privileges with various subtypes within each
    privilege (these subsume read and write
    privileges)
  • Let us examine each component

18
Authorization Model - Subjects' Credentials (1)
  • A subject is associated with security credentials
  • Credentials with similar structures are grouped
    into credential-types
  • A credential type is a pair (ct_id,attr)
  • ct_id is a credential type identifier, e.g., a
    person (or legal research analyst)
  • attr is a set containing an item for each
    attribute of the credential type, an item is a
    triple (a_name,a_dom,a_type)
  • a_name is the attribute name, a_dom is the
    attribute domain, a_type is either optional or
    mandatory
  • Example
  • (employee, {(age, string, opt), (addr, string,
    mand), (salary, integer, opt), (nationality,
    string, mand), (national origin, string, mand)})

19
Credential Type Hierarchy
  • Credential types are organized into a credential
    type hierarchy. Multiple inheritance is not
    supported.
  • An example (tree figure): person, employee, NLM
    employee, LLoC employee, Legal Research
    Directorate employee, European Division
    employee, Eastern Division employee, Legal
    Research Analyst
20
Authorization Model - Subjects' Credentials (2)
  • A Credential is an instance of a credential type
  • A credential is a 4-tuple (c_id, user_id, state,
    ct_id)
  • e.g., (sc1, Bob, {age = null, address = New St,
    salary = 90,000, nationality = US, national
    origin = Korea}, person)
  • Authorization can be given
  • Explicitly to users by specifying their
    identifiers, or
  • Implicitly by imposing a set of conditions that
    credentials must satisfy: credential expressions

21
Credential Expressions
  • Legal research analyst(X)
  • Denotes users who have a credential type legal
    research analyst
  • (X.project ≠ p1)
  • Users who are not involved in project P1
  • (employee(X) ∧ X.age > 18)
  • Users who are older than 18 years
  • (Eastern Division employee(X) ∨ NLM employee(X))
  • Users with credential type Eastern Division
    employee or NLM employee

22
DL Authorization Model - Concept
  • A dlo is represented as a 4-tuple
    (i, slots, links, concepts), where
  • i = OID,
  • slots = a set of slot names identifying relevant
    portions within a dlo, e.g., abstract, authors,
    etc.
  • links = a set of link identifiers (a link
    connecting two dlos means the contents of the
    dlos are related)
  • concepts = a set of relevant concepts in the dlo;
    C(dlo) = the set of concepts characterizing a
    dlo
  • Object expressions: (concept-specification.
    slot-specification)

23
Conceptual Hierarchy (figure: GLIN Legal Document
index terms)
  • Index terms provide the framework
  • General Concepts: Country, LawReference,
    Provisions, Amends/Repeals
  • Taxation: Tax Type, Taxed Entity
  • Import-Export: Product, Business Entity, Action,
    Industry
  • Specific Concepts: Imports Tax, Export Controls,
    Tax Incentive, Tax Credit (figure labels:
    Control, ImportTax, Incentive, Credit)
24
Authorization Model - Privileges
  • Browse - view, link (see the existence of a
    link), view-all
  • Authoring - refer (to include a link in an
    object), append, update

25
Authorization Model - Authorizations
  • +/- authorizations - permission/denial
  • Authorizations apply to concepts, objects, slots
    within objects and links
  • An access request is represented as a pair
    (u, dlo)
  • Authorization, e.g.,
  • (person(X), World Law Bulletin.Blue page report,
    view-all, -) -- prevents all users with security
    type person from seeing the info in the blue page
    report of the World Law Bulletin
  • (NLM employee(X), Import Controls, link, -)
  • ((NLM employee(X) ∨ legal research analyst(X)),
    (Imports Tax ∨ Tax Incentive), view, +)

26
Conflict Resolution Policy
  • Conflicts occur due to
  • the presence of both negative and positive
    authorizations
  • propagation of authorizations along the
    credential and conceptual hierarchies
  • Explicit authorizations given to users have the
    highest priority
  • most specific auth wrt the credential type
    hierarchy prevails
  • most specific auth wrt the conceptual hierarchy
    prevails
  • when conflicts are not solved with the above,
    most specific privilege prevails
  • when conflicts are not solved with the above,
    negative authorizations take precedence
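To make the definitions on slides 18 to 26 concrete (credential types in a single-inheritance hierarchy, credentials with an attribute state, credential expressions with conditions and disjunctions, concepts in a conceptual hierarchy, signed authorizations, and the five-step conflict resolution order above), here is a small evaluator. It is an added illustration, not the authors' implementation: the hierarchies are constructed subsets of the slide 19 and slide 23 trees (the placement of the LLoC branch is an assumption), the privilege ordering "view-all above view" is an assumption, slots and links are omitted, and the users and policy are invented. The policy does include the slide 25 authorization (NLM employee(X) ∨ legal research analyst(X), Imports Tax ∨ Tax Incentive, view, +) and the X.age > 18 condition from slide 21.

```python
"""Toy evaluator for the slides' <credentials, concepts, privilege> model and
the slide 26 conflict-resolution order. Added illustration, not the authors'
code; the hierarchies, users and policy below are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Single-inheritance hierarchies, child -> parent (None = root). Constructed
# subsets of the slide 19 / slide 23 trees; the LLoC branch is an assumption.
CT_PARENT = {"person": None, "employee": "person", "NLM employee": "employee",
             "LLoC employee": "employee", "Legal Research Analyst": "LLoC employee"}
CONCEPT_PARENT = {"GLIN Legal Document": None, "Taxation": "GLIN Legal Document",
                  "Import-Export": "GLIN Legal Document", "Imports Tax": "Import-Export",
                  "Export Controls": "Import-Export", "Tax Incentive": "Taxation"}
# Assumed privilege ordering: view-all is the more general browse privilege.
PRIV_PARENT = {"view-all": None, "view": "view-all", "link": None}

def chain(node, parent):
    """[node, its parent, ...] up to the root."""
    out = []
    while node is not None:
        out.append(node)
        node = parent[node]
    return out

def depth(node, parent):
    return len(chain(node, parent)) - 1

@dataclass
class Credential:                 # (c_id, user_id, state, ct_id), slide 20
    c_id: str
    user_id: str
    state: dict
    ct_id: str

@dataclass
class Auth:                       # (subject, concepts, privilege, sign), slide 25
    user_id: Optional[str]        # explicit authorization when set, ...
    alternatives: List[Tuple[str, Callable]]  # ... else a disjunction of (ct_id, condition)
    concepts: Set[str]            # disjunction of concepts
    privilege: str
    sign: str                     # '+' permission, '-' denial

def subject_specificity(auth, cred):
    """-1 if the subject does not cover cred, else depth of the matching type."""
    if auth.user_id is not None:
        return depth(cred.ct_id, CT_PARENT) if cred.user_id == auth.user_id else -1
    matched = [depth(ct, CT_PARENT) for ct, cond in auth.alternatives
               if ct in chain(cred.ct_id, CT_PARENT) and cond(cred)]
    return max(matched, default=-1)

def concept_specificity(auth, dlo_concepts):
    """-1 if no authorized concept covers a concept of the dlo, else max depth."""
    covered = [depth(c, CONCEPT_PARENT) for c in auth.concepts
               if any(c in chain(d, CONCEPT_PARENT) for d in dlo_concepts)]
    return max(covered, default=-1)

def priv_specificity(auth, privilege):
    return depth(auth.privilege, PRIV_PARENT) if auth.privilege in chain(privilege, PRIV_PARENT) else -1

def decide(auths, cred, dlo_concepts, privilege):
    """Resolve a request (u, dlo) for `privilege`: True = grant, False = deny."""
    scored = [(a, s, c, p) for a in auths
              for s, c, p in [(subject_specificity(a, cred),
                               concept_specificity(a, dlo_concepts),
                               priv_specificity(a, privilege))]
              if min(s, c, p) >= 0]
    if not scored:
        return False                                    # closed policy by default
    explicit = [t for t in scored if t[0].user_id is not None]
    if explicit:                                        # 1. explicit user auths win
        scored = explicit
    for i in (1, 2, 3):        # 2./3./4. most specific credential type, concept, privilege
        best = max(t[i] for t in scored)
        scored = [t for t in scored if t[i] == best]
    return all(t[0].sign == "+" for t in scored)       # 5. a remaining denial wins

always = lambda c: True
adult = lambda c: c.state.get("age", 0) > 18            # the X.age > 18 condition of slide 21
POLICY = [
    Auth(None, [("person", always)], {"GLIN Legal Document"}, "view", "-"),
    # slide 25: (NLM employee(X) v legal research analyst(X), Imports Tax v Tax Incentive, view, +)
    Auth(None, [("NLM employee", always), ("Legal Research Analyst", always)],
         {"Imports Tax", "Tax Incentive"}, "view", "+"),
    Auth(None, [("employee", always)], {"Taxation"}, "view", "-"),
    Auth(None, [("employee", always)], {"Tax Incentive"}, "view", "+"),
    Auth(None, [("employee", adult)], {"Taxation"}, "view", "+"),       # ties with the denial above
    Auth(None, [("employee", adult)], {"Export Controls"}, "view", "+"),
    Auth("bob", [], {"Imports Tax"}, "view", "-"),                      # explicit denial for one user
]
USERS = {u: Credential(f"c{i}", u, {"age": age}, ct) for i, (u, age, ct) in enumerate([
    ("alice", 30, "Legal Research Analyst"), ("bob", 40, "NLM employee"),
    ("carol", 17, "person"), ("dave", 25, "employee"), ("eve", 17, "employee")])}

def check(user, concepts, privilege="view"):
    return decide(POLICY, USERS[user], set(concepts), privilege)

if __name__ == "__main__":
    for u, cs in [("alice", ["Imports Tax"]), ("bob", ["Imports Tax"]), ("carol", ["Imports Tax"]),
                  ("dave", ["Tax Incentive"]), ("dave", ["Taxation"]), ("eve", ["Export Controls"])]:
        print(f"{u:6} {cs[0]:15} -> {'grant' if check(u, cs) else 'deny'}")
```

Two behaviours are worth noticing when reviewing a policy written this way. The root-level denial for person(X) is overridden for alice and bob because their credential types are deeper in the hierarchy, while bob's explicit denial wins over the same positive authorization (step 1). And a condition such as X.age > 18 adds no specificity under the slide's rules: the adult-only grant on Taxation ties with the employee denial on Taxation at every step, so step 5 makes the denial prevail, whereas the grant on the more specific concept Tax Incentive succeeds at step 3.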

27
Architecture
28
Client and Server Interactions
  • Assume Rutgers DL is the Client, which decides to
    give access to its users to the SUNY Buffalo
    DL(server)
  • Who will maintain the credentials?
  • How will they be evaluated?
  • Will need mapping between Client side
    authorizations (CSA) and server side
    authorizations (SSA)
  • SSA maintains the information that needs to be
    provided by the CSA for each object (concept);
    the CSA has to supply that info.
  • This has two phases
  • Introduction phase in which the server
    establishes a trusted relationship with the
    client
  • Access control phase, in which a user's request
    for a DL object is processed
  • This communication uses public-key encryption

29
(No Transcript)
30
(No Transcript)
31
Extension of DLAM to Image DL
  • Our access control model, based on
    <credentials, concepts, privilege>, can still be
    used
  • simply build a conceptual hierarchy of the image
    database
  • May need to support additional privilege modes
  • However, geo-spatial image databases pose more
    challenging access control requirements
  • We are currently working on this extension

32
Conclusion and Future Work
  • Continue working on addressing some aspects of
    the general class of problem
  • How to make objects intelligent enough so that
    they automatically manifest themselves to cater
    to different users capabilities and
    characteristics and at the same time satisfy the
    various constraints including security.
  • References
  • N.R. Adam, V. Atluri, E. Bertino and E. Ferrari,
    "A Content-based Authorization Model for Digital
    Libraries," IEEE Transactions on Knowledge and
    Data Engineering, in press.
  • N. Adam, V. Atluri, I. Adiwijaya, Sujata
    Banerjee, "A Dynamic Manifestation Approach for
    Providing Universal Access to Digital Library
    Objects," IEEE Transactions on Knowledge and Data
    Engineering, June 2001.