Title: A Content-based Authorization for Digital Library Storage Systems
1. A Content-based Authorization for Digital Library Storage Systems
- Nabil R. Adam
- Rutgers University CIMIC
- adam_at_adam.rutgers.edu
- Joint work with V. Atluri and I. Adiwijaya
- IEEE/ARL/NASA Workshop on Information Assurance
- December 4, 2001
2. Characteristics of Digital Libraries
- Information
  - maintained on heterogeneous, autonomous, distributed systems
  - owned by different entities
  - available in a wide range of formats and media
3. Characteristics of Digital Libraries (cont'd)
- Users
  - Various capabilities
    - physical
    - technical
    - linguistic
    - domain expertise
  - Various characteristics
    - mobile
    - different interests and preferences/profiles
    - use different information appliances (HW/SW), e.g., PC, workstation, PDA, TV, cell phone, pager, etc.
    - credentials
4. Characteristics of Digital Libraries
- Digital Library Objects
  - Multimedia, e.g., audio, video, images, text, electric, magnetic, thermal
  - Complex: multi-component
  - Constraints (specified by the author of the object)
    - Synchronization: specify the temporal relationships among the components that must be adhered to
    - Fidelity: specify the capabilities of the user's appliance necessary for playing the object with the specified quality
    - Spatial: specify the position of each component
  - External constraints such as (security) policy, QoS
- Our focus is on security
5. Sample of a DL Object
6. Universal Access
- Need to facilitate access to the desired data of multimedia, composite objects according to the various users'
  - capabilities and
  - characteristics
- The UA objective is to make the object available to anyone, anywhere, at any time, while at the same time satisfying the object's constraints, including security constraints
7. Challenge
- How to make objects intelligent enough so that they automatically manifest themselves to cater to different users' capabilities and characteristics, and at the same time satisfy the various constraints
8. Security for Digital Libraries
- Recall the conventional access control model: auth = <subject, object, privilege>
  - Examples
    - <John, Employee Table, Select>
    - <Mary, Department Table, Insert>
- It is not suitable for a DL because of
  - the large number of objects
  - typically multimedia
  - stored in a variety of formats
  - owned and maintained by different entities
  - a large and highly dynamic user population
  - different access restrictions on different parts of the objects
9. Data Protection Policies in DL
- Examples
  - A user can be given access to a document only if he/she is a subscriber of the magazine
  - A user can be given access to an R-rated video only if he/she is 18 years or older
  - Anyone can access the abstract of a paper, but the full paper is available only upon payment
  - Only Rutgers students are allowed access to the objects maintained in the Rutgers library
10. Security Requirements in DL (1)
- Flexible user specification
  - In current authorization models, authorization subjects are stated in terms of user ids; in some systems, roles and groups can also be used.
  - In a DL environment, the user population is often dynamic.
  - Need to state access policies in a DL in terms of user characteristics, e.g.,
    - age: "a video rated R can only be accessed by users who are 18 or older"
    - the organization the user belongs to
    - whether the user (or his/her organization) has a paid subscription
  - Access control should also be based on the context of the subject. For example, the policy may specify that a person should not be allowed access to an object while at work (if accessing non-work-related information), or vice versa (confidential information may be accessed from work only).
11. Security Requirements in DL (2)
- Content-based access control to multimedia and unstructured data
  - For example, in a relational DBMS, "a manager can only see the records of the employees working for him/her"; such access control policies are expressed in terms of views.
  - In a DL, we need to automatically determine whether a certain object (document, image, video) satisfies a certain condition on its content.
  - As an example, consider a policy stating that "all documents discussing how to operate guns must be available only to users who are 18 years or older". How do we determine whether a certain document actually deals with such a topic even if it does not use the keyword "gun"?
  - Need for content understanding
12. Security Requirements in DL (3)
- In a DL, we need to apply different access restrictions to different portions of the object: varying granularity of authorization
  - An interesting approach to support selective document dissemination among the users of a DL is represented by the Cryptolope system by IBM.
  - This approach consists of encrypting different parts of the same document, which are subject to different access control policies, with different keys. All users receive the same physical document; however, each user receives only the keys for the parts of the document he/she is authorized to access.
  - A limitation of this approach is that it does not provide any tool to specify and enforce access control policies that take into account document content and user credentials.
13. Security Requirements in DL (4)
- Access control based on the temporal attributes of the subjects and objects
  - Be able to provide access
    - only during a certain predefined time interval, or
    - as long as a user holds a credential, or
    - based on the time at which the object was created.
    - E.g., if a user is a member of a digital library during a certain time interval, he should be allowed access to objects that were written during this time, but not before or after.
  - Be able to provide periodic authorizations
    - E.g., a person is allowed access to certain documents every Wednesday, during his computer class (held on Wednesdays), or during the office hours every day.
14. Security Requirements in DL (5)
- Distributed and remote access aspects of a DL: two aspects
  - A DL may be distributed and have several information providers, each maintained by a possibly different organization.
    - Different organizations may have different access control policies.
    - Should each organization retain its own autonomy with respect to access control policies (and how should the conflicts that may arise be resolved), OR should the various policies be integrated and global policies be devised?
  - Where to maintain authorization information, and where to enforce access control.
- Some of these questions have been addressed in the context of distributed DBS. However, those solutions are not adequate for the DL environment, since one also needs to address the heterogeneity among subject credentials and the concepts associated with objects.
15. Security Requirements in DL (6)
- Users accessing a DL may be remote users who do not belong to the organization owning the DL.
  - Remote users may be required to provide information, e.g., age, for access control purposes.
  - The access control information recorded for users at their own organization may differ from the information required by the access control system of the DL.
- Another related question is the use of certification and other authentication mechanisms to ensure the authenticity of the information provided for access control purposes, as well as access anonymity: there are many situations in which users accessing a DL may wish to keep their identity anonymous.
16. Desirable features of a DL authorization model
- access control based on the content (rather than the object identifier)
- flexible specification of authorizations based on user credentials (rather than user ids)
- support for access control to multimedia objects
- varying granularity of authorization, ranging from sets of objects to specific portions of objects
- access control based on the temporal attributes of both users and objects
- support for suitable privilege modes (link, copy, print, distribute, overlay, zoom-in)
- ability to interoperate with heterogeneous security policies
- support for object integrity
17. DL Authorization Model
- Our model is based on <credentials, concepts, privilege>
- A credential is a set of user attributes that are needed for security purposes. Credentials with similar structures are grouped into credential types.
- A concept is a means for concisely describing the content of a DL object (dlo). We view DL objects as organized in a conceptual hierarchy.
- Our model supports browsing and authoring privileges, with various subtypes within each privilege (these subsume read and write privileges).
- Let us examine each component.
18. Authorization Model: Subject Credentials (1)
- A subject is associated with security credentials
- Credentials with similar structures are grouped into credential types
- A credential type is a pair (ct_id, attr)
  - ct_id is a credential type identifier, e.g., person (or legal research analyst)
  - attr is a set containing an item for each attribute of the credential type; an item is a triple (a_name, a_dom, a_type)
    - a_name is the attribute name, a_dom is the attribute domain, a_type is either optional or mandatory
- Example
  - (employee, {(age, string, opt), (addr, string, mand), (salary, integer, opt), (nationality, string, mand), (national origin, string, mand)})
19. Credential types are organized into a Credential Type Hierarchy; multiple inheritance is not supported
- An example (hierarchy figure; its nodes, listed from the root down, are):
  person
  employee
  NLM employee
  LLoC employee
  Legal Research Directorate employee
  European Division employee
  Eastern Division employee
  Legal Research Analyst
20. Authorization Model: Subject Credentials (2)
- A credential is an instance of a credential type
- A credential is a 4-tuple (c_id, user_id, state, ct_id)
  - e.g., (sc1, Bob, {age = null, address = New St, salary = 90,000, nationality = US, national origin = Korea}, person)
- Authorization can be given
  - explicitly to users by specifying their identifiers, or
  - implicitly by imposing a set of conditions that credentials must satisfy: credential expressions
21. Credential Expressions
- Legal research analyst(X)
  - denotes users who have credential type legal research analyst
- (X.project ≠ p1)
  - users who are not involved in project P1
- (employee(X) ∧ X.age > 18)
  - users who are older than 18
- (Eastern Division employee(X) ∨ NLM employee(X))
  - users with credential type Eastern Division employee or NLM employee
22. DL Authorization Model: Concept
- A dlo is represented as a 4-tuple (i, slots, links, concepts), where
  - i = OID
  - slots = a set of slot names identifying relevant portions within a dlo, e.g., abstract, authors, etc.
  - links = a set of link identifiers (a link connecting two dlos means that the contents of the dlos are related)
  - concepts = a set of relevant concepts in the dlo; C(dlo) = the set of concepts characterizing a dlo
- Object expressions: (concept specification . slot specification)
23. Conceptual Hierarchy
- (Figure: conceptual hierarchy for GLIN legal documents, rooted at "GLIN Legal Document". General concepts, with index terms providing the framework: Country, LawReference, Provisions, Amends/Repeals. Sub-hierarchies Taxation and Import-Export, with index terms Product, Business Entity, Action, Industry, Tax Type, Taxed Entity and concepts Imports Tax, Export Controls, Tax Incentive, Tax Credit. Specific concepts: Control, ImportTax, Incentive, Credit.)
24. Authorization Model: Privileges
- Browse: view, link (see the existence of a link), view-all
- Authoring: refer (to include a link in an object), append, update
25. Authorization Model: Authorizations
- +/- authorizations: permission/denial
- Authorizations apply to concepts, objects, slots within objects, and links
- An access request is represented as a pair (u, dlo)
- Authorizations, e.g.,
  - (person(X), World Law Bulletin.Blue page report, view-all, -): prevents all users with credential type person from seeing the information in the blue page report of the World Law Bulletin
  - (NLM employee(X), Import Controls, link, -)
  - ((NLM employee(X) ∨ legal research analyst(X)), (Imports Tax ∨ Tax Incentive), view, +)
26. Conflict Resolution Policy
- Conflicts occur due to
  - the presence of both negative and positive authorizations
  - propagation of authorizations along the credential and conceptual hierarchies
- Explicit authorizations given to users have the highest priority
- The most specific authorization with respect to the credential type hierarchy prevails
- The most specific authorization with respect to the conceptual hierarchy prevails
- When conflicts are not resolved by the above, the most specific privilege prevails
- When conflicts are not resolved by the above, negative authorizations take precedence
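The following is an added worked example, written for this page and not the authors' implementation, that puts slides 18 through 26 together: credentials typed against the slide 19 hierarchy, credential expressions (a credential type plus an optional condition on X, as on slide 21), +/- authorizations over concepts, propagation down both the credential type and conceptual hierarchies, and the slide 26 conflict resolution order. The policy, the users, the hierarchy edges marked ASSUMED (the slides list the nodes but not the edges), the closed-policy default when nothing applies, and the treatment of privileges as flat (the slides do not define an ordering among view, link and view-all, so step 4 never narrows anything here) are all assumptions of this example.

```python
"""Evaluator for the <credential expression, concept, privilege, +/-> model of
slides 17-26. Added example; not the authors' code. Edges marked ASSUMED are
not drawn on the slides."""
from dataclasses import dataclass
from typing import Callable, Optional

# Credential type hierarchy, child -> parent (single inheritance, slide 19).
CT_PARENT = {
    "employee": "person",
    "NLM employee": "employee",
    "LLoC employee": "employee",
    "Legal Research Directorate employee": "LLoC employee",
    "European Division employee": "Legal Research Directorate employee",
    "Eastern Division employee": "Legal Research Directorate employee",
    "Legal Research Analyst": "LLoC employee",           # ASSUMED placement
}
# Conceptual hierarchy, child -> parent (subset of slide 23; edges ASSUMED).
CONCEPT_PARENT = {
    "Taxation": "GLIN Legal Document",
    "Import-Export": "GLIN Legal Document",
    "Imports Tax": "Taxation",
    "Tax Incentive": "Taxation",
    "Export Controls": "Import-Export",
}

def lineage(node: str, parent: dict) -> list:   # node, then ancestors to the root
    chain = [node]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain

def depth(node: str, parent: dict) -> int:
    return len(lineage(node, parent)) - 1

@dataclass
class Credential:             # the (c_id, user_id, state, ct_id) tuple of slide 20
    c_id: str
    user_id: str
    state: dict
    ct_id: str

@dataclass
class Auth:
    subject: str              # credential type ct(X), or a user id when explicit
    concept: str
    privilege: str
    sign: str                 # "+" permission, "-" denial
    cond: Optional[Callable[[Credential], bool]] = None   # extra condition on X
    explicit: bool = False

def matches(auth: Auth, cred: Credential, concepts: set, privilege: str) -> bool:
    # Authorizations propagate down both hierarchies: a type covers its subtypes,
    # a concept covers its sub-concepts. Privileges are matched exactly.
    if auth.explicit:
        if auth.subject != cred.user_id:
            return False
    elif auth.subject not in lineage(cred.ct_id, CT_PARENT):
        return False
    if auth.cond is not None and not auth.cond(cred):
        return False
    if auth.privilege != privilege:
        return False
    return any(auth.concept in lineage(c, CONCEPT_PARENT) for c in concepts)

def decide(policy: list, cred: Credential, concepts: set, privilege: str) -> bool:
    # Slide 26 conflict resolution; nothing applicable -> deny (ASSUMED closed policy).
    cands = [a for a in policy if matches(a, cred, concepts, privilege)]
    if not cands:
        return False
    if any(a.explicit for a in cands):                    # 1. explicit user auths
        cands = [a for a in cands if a.explicit]
    def narrow(key):                                      # keep only the most specific
        best = max(key(a) for a in cands)
        return [a for a in cands if key(a) == best]
    cands = narrow(lambda a: -1 if a.explicit else depth(a.subject, CT_PARENT))  # 2.
    cands = narrow(lambda a: depth(a.concept, CONCEPT_PARENT))                   # 3.
    # 4. most specific privilege: privileges are flat here, so nothing to narrow
    return all(a.sign == "+" for a in cands)              # 5. any remaining denial wins

POLICY = [   # constructed policy over the slides' vocabulary
    Auth("person", "Taxation", "view", "-"),
    Auth("LLoC employee", "Taxation", "view", "+"),
    Auth("LLoC employee", "Imports Tax", "view", "-"),
    Auth("bob", "Imports Tax", "view", "+", explicit=True),
    Auth("employee", "Export Controls", "view", "+", cond=lambda x: x.state["age"] >= 18),
    Auth("NLM employee", "Export Controls", "link", "-"),
    Auth("NLM employee", "Export Controls", "link", "+", cond=lambda x: x.state["age"] >= 18),
]
ALICE = Credential("sc1", "alice", {"age": 34}, "Eastern Division employee")   # constructed
BOB   = Credential("sc2", "bob",   {"age": 41}, "Eastern Division employee")
CAROL = Credential("sc3", "carol", {"age": 29}, "NLM employee")
DAVE  = Credential("sc4", "dave",  {"age": 17}, "NLM employee")

def demo() -> dict:
    return {
        "alice views Tax Incentive":   decide(POLICY, ALICE, {"Tax Incentive"}, "view"),    # True: LLoC(+) beats person(-)
        "alice views Imports Tax":     decide(POLICY, ALICE, {"Imports Tax"}, "view"),      # False: deeper concept is (-)
        "bob views Imports Tax":       decide(POLICY, BOB, {"Imports Tax"}, "view"),        # True: explicit user auth
        "carol views Imports Tax":     decide(POLICY, CAROL, {"Imports Tax"}, "view"),      # False: only person(-) applies
        "carol views Export Controls": decide(POLICY, CAROL, {"Export Controls"}, "view"),  # True: age condition holds
        "dave views Export Controls":  decide(POLICY, DAVE, {"Export Controls"}, "view"),   # False: nothing applies
        "carol links Export Controls": decide(POLICY, CAROL, {"Export Controls"}, "link"),  # False: tie, denial wins
    }

if __name__ == "__main__":
    print(demo())
```

The last request shows the tie-break that makes the ordering on slide 26 matter: both link authorizations for NLM employees sit at the same depth in both hierarchies and name the same privilege, so neither specificity rule separates them and the negative one wins. Slot-level authorizations (slide 22) and temporal conditions (slide 13) would enter the same way as `cond`, as extra predicates over the request rather than new resolution rules.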
27. Architecture
28. Client and Server Interactions
- Assume the Rutgers DL is the client, which decides to give its users access to the SUNY Buffalo DL (server)
  - Who will maintain the credentials?
  - How will they be evaluated?
  - We will need a mapping between client-side authorizations (CSA) and server-side authorizations (SSA)
  - The SSA maintains the information that needs to be provided by the CSA for each object (concept); the CSA has to supply that information.
- This has two phases
  - Introduction phase, in which the server establishes a trusted relationship with the client
  - Access control phase, in which a user's request for a DL object is processed
- This communication uses public-key encryption
31. Extension of DLAM to Image DL
- Our access control model based on <credentials, concepts, privilege> can still be used
  - simply build a conceptual hierarchy of the image database
  - may need to support additional privilege modes
- However, geo-spatial image databases pose more challenging access control requirements
- We are currently working on this extension
32. Conclusion and Future Work
- Continue working on addressing some aspects of the general class of problem: how to make objects intelligent enough so that they automatically manifest themselves to cater to different users' capabilities and characteristics, and at the same time satisfy the various constraints, including security.
- References
  - N.R. Adam, V. Atluri, E. Bertino and E. Ferrari, "A Content-based Authorization Model for Digital Libraries," IEEE Transactions on Knowledge and Data Engineering, in press.
  - N. Adam, V. Atluri, I. Adiwijaya and S. Banerjee, "A Dynamic Manifestation Approach for Providing Universal Access to Digital Library Objects," IEEE Transactions on Knowledge and Data Engineering, June 2001.