Access control systems: security, identity management and trust models
Main author: | Benantar, Messaoud |
---|---|
Format: | Book |
Language: | English |
Published: | New York, NY: Springer, 2006 |
Subjects: | Computer networks / Security measures; Zugriffskontrolle; Rechnernetz; Computersicherheit |
Online access: | Table of contents |
Description: | XXI, 261 p., illustrations |
ISBN: | 0387004459 9780387004457 0387277161 9780387277165 |
Internal format
MARC
LEADER | 00000nam a2200000zc 4500 | ||
---|---|---|---|
001 | BV021490330 | ||
003 | DE-604 | ||
005 | 20080724 | ||
007 | t | ||
008 | 060227s2006 d||| |||| 00||| eng d | ||
010 | |a 2005049984 | ||
020 | |a 0387004459 |c alk. paper |9 0-387-00445-9 | ||
020 | |a 9780387004457 |9 978-0-387-00445-7 | ||
020 | |a 0387277161 |9 0-387-27716-1 | ||
020 | |a 9780387277165 |9 978-0-387-27716-5 | ||
035 | |a (OCoLC)60767092 | ||
035 | |a (DE-599)BVBBV021490330 | ||
040 | |a DE-604 |b ger |e aacr | ||
041 | 0 | |a eng | |
049 | |a DE-703 |a DE-573 |a DE-29T |a DE-355 |a DE-860 |a DE-861 |a DE-Aug4 | ||
050 | 0 | |a TK5105.59 | |
082 | 0 | |a 005.8 |2 22 | |
084 | |a ST 200 |0 (DE-625)143611: |2 rvk | ||
084 | |a ST 277 |0 (DE-625)143643: |2 rvk | ||
100 | 1 | |a Benantar, Messaoud |e Verfasser |4 aut | |
245 | 1 | 0 | |a Access control systems |b security, identity management and trust models |c by Messaoud Benantar |
264 | 1 | |a New York, NY |b Springer |c 2006 | |
300 | |a XXI, 261 S. |b graph. Darst. | ||
336 | |b txt |2 rdacontent | ||
337 | |b n |2 rdamedia | ||
338 | |b nc |2 rdacarrier | ||
650 | 4 | |a Réseaux d'ordinateurs - Sécurité - Mesures | |
650 | 4 | |a Computer networks |x Security measures | |
650 | 0 | 7 | |a Zugriffskontrolle |0 (DE-588)4293034-0 |2 gnd |9 rswk-swf |
650 | 0 | 7 | |a Rechnernetz |0 (DE-588)4070085-9 |2 gnd |9 rswk-swf |
650 | 0 | 7 | |a Computersicherheit |0 (DE-588)4274324-2 |2 gnd |9 rswk-swf |
689 | 0 | 0 | |a Rechnernetz |0 (DE-588)4070085-9 |D s |
689 | 0 | 1 | |a Computersicherheit |0 (DE-588)4274324-2 |D s |
689 | 0 | |5 DE-604 | |
689 | 1 | 0 | |a Zugriffskontrolle |0 (DE-588)4293034-0 |D s |
689 | 1 | |5 DE-604 | |
856 | 4 | 2 | |m Digitalisierung UB Regensburg |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014707172&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Inhaltsverzeichnis |
999 | |a oai:aleph.bib-bvb.de:BVB01-014707172 |
Record in the search index
_version_ | 1804135216699146240 |
---|---|
adam_text | Contents
CHAPTER 1 FOUNDATIONS OF SECURITY AND ACCESS CONTROL IN COMPUTING
INTRODUCTION
ELEMENTS OF SYSTEMS SECURITY
Identity Establishment
Resource Access Control
Data and Message Security
Nonrepudiation
Availability
COST OF SECURITY
SYSTEM INTEGRITY: A PRELUDE TO SECURITY
TRUSTED COMPUTING BASE
USERS, PRINCIPALS, SUBJECTS, AND OBJECTS
IDENTIFICATION AND AUTHENTICATION
Authentication Factors: A Comparison
Multiple-Factor Authentication
Passwords: The Prevalent Authentication Method
APPROACHES TO RELIABLE PASSWORD MANAGEMENT
Password Encoding
Adding Salt To Password Encoding
Password Syntax Rules
Password Aging
AUDITING
THE SECURITY CONTEXT
Content of a Security Context
The Flow of a Security Context
Delegating Security Contexts
ACCESS CONTROL
Reference-Monitor Topology
ABOUT ACCESS-CONTROL POLICIES, MODELS AND MECHANISMS
ACCESS CONTROL PARADIGMS
ROLE-BASED ACCESS CONTROL
DELEGATION AND MASQUERADING
THE AXIOM OF ATTENUATION OF PRIVILEGES
TRUST AND ASSURANCE
Realizing Assurance
The Common Criteria: A Background
Overview of Assurance in the Common Criteria
Configuration Management
Delivery and Operation
Development
Guidance Documents
Life-Cycle Support
Tests
Vulnerability Assessment
ABOUT THE CONFINEMENT PROBLEM
Covert Channels
Examples
SECURITY-DESIGN PRINCIPLES
Economy of Mechanism
Complete Mediation
Open Design
Least-Common Mechanism
Fail-Safe Defaults
Separation of Privilege
Least Privileges
Privacy Considerations
Psychological Acceptability
CHAPTER 2 INTRODUCTION TO IDENTITY-MANAGEMENT MODELS
INTRODUCTION
LOCAL IDENTITY
Advantages of the Local-Identity Model
Simplicity
Scalability
Flat Name Space
Management Issues in the Local-Identity Model
Password and Attribute Synchronization
Single Sign-On
Identity Provisioning
Example: IBM Resource Access-Control Facility
NETWORK IDENTITY
FEDERATED IDENTITY
Foundations of Federated Identity
Federation Topologies
Local Profiling
Distributed Profiling
Profiling by a Third Party
GLOBAL WEB IDENTITY
Identity Mapping and Synchronization
MetaDirectories
Affiliate Networks (Virtual Directories)
Dynamic Scoping of a Security Context
THE XNS APPROACH TO THE GLOBAL WEB IDENTITY
Elements of DNS
Elements of XNS
XNS Identity Types
The XNS Identity Document
IDs and Names in XNS
XNS Resolvers
Cross-Referencing XNS Identities
Forming Trust Relationships in XNS
XNS Services
CENTRALIZED ENTERPRISE-LEVEL IDENTITY MANAGEMENT
Synchronizing Identity Attributes
Policy-Based Identity Provisioning
Unified Identity-Representation Scheme
Dynamic Definition of Identity Attributes
Decoupled Identity-Representation Scheme
Example: IBM Identity Manager
CHAPTER 3 ELEMENTS OF TRUST PARADIGMS IN COMPUTING
INTRODUCTION
A THIRD-PARTY APPROACH TO IDENTITY TRUST
KERBEROS: THE IMPLICIT THIRD-PARTY AUTHENTICATION PARADIGM
A High-Level View of the Kerberos Protocol
Federated Kerberos
A Topology of Kerberos Federations
Ticket Forwarding
Entitlement Attributes in Kerberos
EXPLICIT THIRD-PARTY AUTHENTICATION PARADIGM
THE PUBLIC-KEY INFRASTRUCTURE APPROACH TO TRUST ESTABLISHMENT
Foundations of Public-Key Cryptography
The Problem of Factoring Large Numbers
Computing Discrete Logarithms in a Large Finite Field
Elliptic Curves over Finite Fields
Digital Signatures
RSA Signature
Trusting a Public Key
Foundations of Trust in PKI
Identification Links Between a Certificate and a CRL
Protecting the CA Signing Key
PKI Trust Topologies
Hierarchical Trust
Cross-Certification
Cross-Certification Grid
Hub-Based Cross-Certification
Hybrid Model
Web-of-Trust Model
Proxy Certificates: Delegated Impersonation in PKI
The Proxy-Certificate Approach
Elements of the X.509 Proxy Certificate
Computing Trust in Proxy Certificates
ATTRIBUTE CERTIFICATES: ENTITLEMENT MANAGEMENT IN PKI
Elements of Attribute Certificates
Binding Information
Attribute Information
A Note About AC Attributes
Extensions
GENERALIZED WEB-OF-TRUST MODEL
EXAMPLES OF TRUST-EXCHANGE MECHANISMS OVER THE WEB
Web-Services Security
Identity and Trust Tokens
Simple User Name Token
Binary Tokens
Referencing Security Tokens
SAML Approach: Unifying Trust and Identity Constructs
SAML Constructs
Assertion
Conditions
Advice
Signature
Statement
Subject Statement
Authentication Statement
Authorization Decision Statement
Attribute Statement
Trust Elements of SAML
Digital Signatures
User Confirmation
Authority Binding Information
Authorization Evidence
Other Trust Elements of SAML
A Note on Federated Trust in SAML
Web Cookies
Structure of Cookies
Server Role
Client Role
Example: Cookies Exchanged Between a Client and a Web Server
Issues with Use of Cookies
Secure Cookies
Use of a Public Key on the Client Side
Use of a Public Key on the Server Side
Use of a Shared Secret Key
CHAPTER 4 MANDATORY-ACCESS-CONTROL MODEL
INTRODUCTION
MANDATORY-ACCESS-CONTROL THEORY
Partial Orders
Example: Partial Orders
Lattices
Example: Lattices
Lattice-Based Access-Control Models
The Lattice Structure of the Information Flow Model
Implications of the Lattice-Based Flow Model on Access Control
Examples of Lattice-Based Information-Flow Models
The Bell-LaPadula Flow Model
The Biba Model
COMPARING INFORMATION FLOW IN BLP AND BIBA MODELS
IMPLEMENTATION CONSIDERATIONS FOR THE BLP AND THE BIBA MODELS
COMBINING THE BLP AND THE BIBA MODELS
ON THE MANDATORY-ACCESS-CONTROL PARADIGM
THE CHINESE-WALL POLICY
Simple security
*-property
CHAPTER 5 DISCRETIONARY-ACCESS CONTROL AND THE ACCESS-MATRIX MODEL
INTRODUCTION
DEFINING THE ACCESS-MATRIX MODEL
IMPLEMENTATION CONSIDERATIONS FOR THE ACCESS MATRIX
Resource View of the Access Matrix: Access-Control Lists
Subject View of the Access Matrix: Capabilities
DEFINITIONS FROM THE HRU ACCESS-MATRIX MODEL
State Transitions in the HRU Access-Matrix Model
Example: create, confer and remove commands
Example: command effects
THE SAFETY PROBLEM OF THE ACCESS-MATRIX MODEL
On the Safety of the Mono-Operational Protection System
THE GENERAL SAFETY PROBLEM OF THE ACCESS-MATRIX MODEL
The Turing Machine
Example: Actions of a Turing Machine
Sketch of Proof for the Undecidability of the General Safety Problem
Mapping an Arbitrary Turing Machine onto the Protection System
Mapping the Actions of the Turing Machine onto Protection Commands
Moving to the Left
Moving to the Right
Maintaining the Same Position
Conclusion
CHAPTER 6 THE TAKE-GRANT PROTECTION MODEL
INTRODUCTION
DEFINITION OF THE TAKE-GRANT MODEL
Example: A Take-Grant Model
SAFETY IN THE TAKE-GRANT MODEL
Determinism of Sharing in the Take-Grant Model
Case 6.1a
Case 6.1b
Case 6.1c
Case 6.1d
CHAPTER 7 THE SCHEMATIC-PROTECTION MODEL
INTRODUCTION
OVERVIEW OF THE SCHEMATIC-PROTECTION MODEL (SPM)
SPM RULES AND OPERATIONS
The Copy Operation
Examples
The Demand Operation
The Create Operation
Authorization
Create Rules
ATTENUATING CREATE-RULE OF SPM
APPLICATION OF SPM
Sharing Across Resource Owners
The Basic Take-Grant Model
CHAPTER 8 ROLE-BASED ACCESS CONTROL
INTRODUCTION
BASIC RBAC
User, Role, and Permission Associations
RBAC Relationship Reviews
HIERARCHICAL RBAC
General-Role Hierarchies
Limited-Role Hierarchies
Role Reviews in Hierarchical RBAC
Modeling Hierarchical RBAC Using Role Graphs
Effective and Direct Privileges
Role-Graph Modeling of Generalized Role Inheritance
Role-Graph Operations
Role Addition
Role Deletion
Role-Privilege Update
Optimizing Role Graphs
RBAC: A COMPARATIVE DISCUSSION
Mapping of a Mandatory Policy to RBAC
OSM Mapping of a Confidentiality-Mandatory Policy
Theorem 8.1
OSM Mapping of an Integrity-Mandatory Policy
Theorem 8.2
RBAC Correspondence to a Mandatory Policy
The OSM Constraints for Mapping RBAC to a Mandatory Policy
Definition 8.1
Definition 8.2
Theorem 8.3
Mapping Discretionary-Access Control to RBAC
The Elements of the OSM DAC to RBAC Mapping
Simulating Strict DAC
Simulating Liberal DAC
Simulating DAC with Changes to Ownership
Simulating Grant-Dependent Revoke
A Note About the OSM DAC to RBAC Mapping
RBAC FLOW ANALYSIS
The Osborn Flow-Analysis Algorithm
Example 1: Flow Analysis of a Simple LBAC Scheme
Example 2: Reduction of a Role Hierarchy Governing Read and Write Access
SEPARATION OF DUTY IN RBAC
Elements of Role Conflicts in RBAC
Conflicting Permissions
Conflicting Users
Conflicting Tasks
Safety Condition from the Perspective of Conflicting Tasks
Static Separation of Duty
The Effect of Role Hierarchy
Dynamic Separation of Duty
Simple Dynamic Separation of Duty
Object-Based Separation of Duty
Operational Separation of Duty
History-Based Separation of Duty
Example: Dynamic Separation of Duty in a Workflow Activity
Role Cardinality Constraints
RBAC CONSISTENCY PROPERTIES
Property 8.1
Property 8.2
Property 8.3
Property 8.4
Property 8.5
Property 8.6
Property 8.7
Property 8.8
Property 8.9
Property 8.10
Property 8.11
Property 8.12
Property 8.13
THE PRIVILEGES PERSPECTIVE OF SEPARATION OF DUTIES
FUNCTIONAL SPECIFICATION FOR RBAC
Core RBAC Functions
Administrative Functions
Supporting System Functions
Review Functions
Hierarchical RBAC Functions
Administrative Functions
Supporting System Functions
Review Functions
Functional Specification for Static Separation-of-Duty Relations
Administrative Functions
Supporting System Functions
Review Functions
Functional Specification for Dynamic Separation-of-Duty Relations
Administrative Functions
Supporting System Functions
Review Functions
References
Index
|
any_adam_object | 1 |
any_adam_object_boolean | 1 |
author | Benantar, Messaoud |
author_facet | Benantar, Messaoud |
author_role | aut |
author_sort | Benantar, Messaoud |
author_variant | m b mb |
building | Verbundindex |
bvnumber | BV021490330 |
callnumber-first | T - Technology |
callnumber-label | TK5105 |
callnumber-raw | TK5105.59 |
callnumber-search | TK5105.59 |
callnumber-sort | TK 45105.59 |
callnumber-subject | TK - Electrical and Nuclear Engineering |
classification_rvk | ST 200 ST 277 |
ctrlnum | (OCoLC)60767092 (DE-599)BVBBV021490330 |
dewey-full | 005.8 |
dewey-hundreds | 000 - Computer science, information, general works |
dewey-ones | 005 - Computer programming, programs, data, security |
dewey-raw | 005.8 |
dewey-search | 005.8 |
dewey-sort | 15.8 |
dewey-tens | 000 - Computer science, information, general works |
discipline | Informatik |
discipline_str_mv | Informatik |
format | Book |
id | DE-604.BV021490330 |
illustrated | Illustrated |
index_date | 2024-07-02T14:12:29Z |
indexdate | 2024-07-09T20:36:59Z |
institution | BVB |
isbn | 0387004459 9780387004457 0387277161 9780387277165 |
language | English |
lccn | 2005049984 |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-014707172 |
oclc_num | 60767092 |
open_access_boolean | |
owner | DE-703 DE-573 DE-29T DE-355 DE-BY-UBR DE-860 DE-861 DE-Aug4 |
owner_facet | DE-703 DE-573 DE-29T DE-355 DE-BY-UBR DE-860 DE-861 DE-Aug4 |
physical | XXI, 261 S. graph. Darst. |
publishDate | 2006 |
publishDateSearch | 2006 |
publishDateSort | 2006 |
publisher | Springer |
record_format | marc |
spelling | Benantar, Messaoud Verfasser aut Access control systems security, identity management and trust models by Messaoud Benantar New York, NY Springer 2006 XXI, 261 S. graph. Darst. txt rdacontent n rdamedia nc rdacarrier Réseaux d'ordinateurs - Sécurité - Mesures Computer networks Security measures Zugriffskontrolle (DE-588)4293034-0 gnd rswk-swf Rechnernetz (DE-588)4070085-9 gnd rswk-swf Computersicherheit (DE-588)4274324-2 gnd rswk-swf Rechnernetz (DE-588)4070085-9 s Computersicherheit (DE-588)4274324-2 s DE-604 Zugriffskontrolle (DE-588)4293034-0 s Digitalisierung UB Regensburg application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014707172&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis |
spellingShingle | Benantar, Messaoud Access control systems security, identity management and trust models Réseaux d'ordinateurs - Sécurité - Mesures Computer networks Security measures Zugriffskontrolle (DE-588)4293034-0 gnd Rechnernetz (DE-588)4070085-9 gnd Computersicherheit (DE-588)4274324-2 gnd |
subject_GND | (DE-588)4293034-0 (DE-588)4070085-9 (DE-588)4274324-2 |
title | Access control systems security, identity management and trust models |
title_auth | Access control systems security, identity management and trust models |
title_exact_search | Access control systems security, identity management and trust models |
title_exact_search_txtP | Access control systems security, identity management and trust models |
title_full | Access control systems security, identity management and trust models by Messaoud Benantar |
title_fullStr | Access control systems security, identity management and trust models by Messaoud Benantar |
title_full_unstemmed | Access control systems security, identity management and trust models by Messaoud Benantar |
title_short | Access control systems |
title_sort | access control systems security identity management and trust models |
title_sub | security, identity management and trust models |
topic | Réseaux d'ordinateurs - Sécurité - Mesures Computer networks Security measures Zugriffskontrolle (DE-588)4293034-0 gnd Rechnernetz (DE-588)4070085-9 gnd Computersicherheit (DE-588)4274324-2 gnd |
topic_facet | Réseaux d'ordinateurs - Sécurité - Mesures Computer networks Security measures Zugriffskontrolle Rechnernetz Computersicherheit |
url | http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014707172&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
work_keys_str_mv | AT benantarmessaoud accesscontrolsystemssecurityidentitymanagementandtrustmodels |