
Showing papers by "Ninghui Li published in 2003"


Journal ArticleDOI
TL;DR: D1LP provides a concept of proof-of-compliance that is founded on well-understood principles of logic programming and knowledge representation, and provides a logical framework for studying delegation.
Abstract: We address the problem of authorization in large-scale, open, distributed systems. Authorization decisions are needed in electronic commerce, mobile-code execution, remote resource sharing, privacy protection, and many other applications. We adopt the trust-management approach, in which "authorization" is viewed as a "proof-of-compliance" problem: Does a set of credentials prove that a request complies with a policy? We develop a logic-based language, called Delegation Logic (DL), to represent policies, credentials, and requests in distributed authorization. In this paper, we describe D1LP, the monotonic version of DL. D1LP extends the logic-programming (LP) language Datalog with expressive delegation constructs that feature delegation depth and a wide variety of complex principals (including, but not limited to, k-out-of-n thresholds). Our approach to defining and implementing D1LP is based on tractably compiling D1LP programs into ordinary logic programs (OLPs). This compilation approach enables D1LP to be implemented modularly on top of existing technologies for OLP, for example, Prolog. As a trust-management language, D1LP provides a concept of proof-of-compliance that is founded on well-understood principles of logic programming and knowledge representation. D1LP also provides a logical framework for studying delegation.

462 citations


Journal ArticleDOI
TL;DR: In this article, a role-based trust management language RT0 is introduced and a set-theoretic semantics for it is defined, and credential graphs are used as a searchable representation of credentials.
Abstract: We introduce a simple Role-based Trust-management language RT0 and a set-theoretic semantics for it. We also introduce credential graphs as a searchable representation of credentials in RT0 and prove that reachability in credential graphs is sound and complete with respect to the semantics of RT0. Based on credential graphs, we give goal-directed algorithms to do credential chain discovery in RT0, both when credential storage is centralized and when credential storage is distributed. A goal-directed algorithm begins with an access-control query and searches for credentials relevant to the query, while avoiding considering the potentially very large number of credentials that are unrelated to the access-control decision at hand. This approach provides better expected-case performance than bottom-up algorithms. We show how our algorithms can be applied to SDSI 2.0 (the 'SDSI' part of SPKI/SDSI 2.0). Our goal-directed, distributed chain discovery algorithm finds and retrieves credentials as needed. We prove that the algorithm is correct by proving that the algorithm is sound and complete with respect to the credential graph composed of the credentials it retrieves, and that the algorithm retrieves all credentials that constitute a traversable chain. We further introduce a storage type system for RT0, which guarantees traversability of chains when credentials are well typed. This type system can also help improve search efficiency by guiding search in the right direction, making distributed chain discovery with a large number of credentials feasible.

329 citations


Proceedings ArticleDOI
22 Apr 2003
TL;DR: This paper provides a general overview of the RT Role-based Trust-management framework, combining some aspects described in previous publications with recent improvements and explanation of motivating applications.
Abstract: The RT Role-based Trust-management framework provides policy language, semantics, deduction engine, and pragmatic features such as application domain specification documents that help distributed users maintain consistent use of policy terms. This paper provides a general overview of the framework, combining some aspects described in previous publications with recent improvements and explanation of motivating applications.

295 citations


Book ChapterDOI
13 Jan 2003
TL;DR: The class of linearly decomposable unary constraint domains are defined, it is proved that DATALOG extended with constraints in any combination of such constraint domains is tractable, and it is shown that permissions associated with structured resources fall into this class.
Abstract: Trust management (TM) is a promising approach for authorization and access control in distributed systems, based on signed distributed policy statements expressed in a policy language. Although several TM languages are semantically equivalent to subsets of Datalog, Datalog is not sufficiently expressive for fine-grained control of structured resources. We define the class of linearly decomposable unary constraint domains, prove that DATALOG extended with constraints in any combination of such constraint domains is tractable, and show that permissions associated with structured resources fall into this class. We also present a concrete declarative TM language, RT1C, based on constraint DATALOG, and use constraint DATALOG to analyze another TM system, KeyNote, which turns out to be less expressive than RT1C in significant respects, yet less tractable in the worst case. Although constraint DATALOG has been studied in the context of constraint databases, TM applications involve different kinds of constraint domains and have different computational complexity requirements.

290 citations


Proceedings ArticleDOI
13 Jul 2003
TL;DR: It is shown that the ATN problem can be modelled as a 2-party secure function evaluation (SFE) problem, and a scheme called oblivious signature-based envelope (OSBE) for efficiently solving the SFE problem is proposed.
Abstract: Exchange of digitally signed certificates is often used to establish mutual trust between strangers that wish to share resources or to conduct business transactions. Automated Trust Negotiation (ATN) is an approach to regulate the flow of sensitive information during such an exchange. Previous work on ATN is based on access control techniques, and cannot handle cyclic policy interdependency satisfactorily. We show that the problem can be modelled as a 2-party secure function evaluation (SFE) problem, and propose a scheme called oblivious signature-based envelope (OSBE) for efficiently solving the SFE problem. We develop a provably secure and efficient OSBE protocol for certificates signed using RSA signatures. We also build provably secure and efficient one-round OSBE for Rabin and BLS signatures from recent constructions for identity-based encryption. We also discuss other applications of OSBE.

91 citations


Proceedings ArticleDOI
11 May 2003
TL;DR: It is found that in contrast to the classical HRU undecidability of safety properties, the primary security properties of the trust management languages studied are decidable in polynomial time.
Abstract: Trust management is a form of distributed access control using distributed policy statements. Since one party may delegate partial control to another party, it is natural to ask what permissions may be granted as the result of policy changes by other parties. We study security properties such as safety and availability for a family of trust management languages, devising algorithms for deciding the possible consequences of certain changes in policy. While trust management is more powerful in certain ways than mechanisms in the access matrix model, and the security properties considered are more than simple safety, we find that in contrast to the classical HRU undecidability of safety properties, our primary security properties are decidable. In particular, most properties we studied are decidable in polynomial time. Containment, the most complicated security property we studied, is decidable in polynomial time for the simplest TM language in the family. The problem becomes co-NP-hard when intersection or linked roles are added to the language.

90 citations


Proceedings ArticleDOI
15 Jul 2003
TL;DR: In this article, a first-order logic (FOL) semantics for SPKI/SDSI is proposed, which is equivalent to string rewriting semantics used by SDSI designers, for all queries associated with the rewriting semantics.
Abstract: SPKI/SDSI is a language for expressing distributed access control policy, derived from SPKI and SDSI. We provide a first-order logic (FOL) semantics for SDSI, and show that it has several advantages over previous semantics. For example, the FOL semantics is easily extended to additional policy concepts and gives meaning to a larger class of access control and other policy analysis queries. We prove that the FOL semantics is equivalent to the string rewriting semantics used by SDSI designers, for all queries associated with the rewriting semantics. We also provide a FOL semantics for SPKI/SDSI. This reveals some problems. For example, the standard proof procedure in RFC 2693 is semantically incomplete. In addition, as noted before by other authors, authorization tags in SPKI/SDSI are algorithmically problematic, making a complete proof procedure unlikely. We compare SPKI/SDSI with RT1C, which is a language in the RT role-based trust-management framework that can be viewed as an extension of SDSI. The constraint feature of RT1C, based on constraint datalog, provides an alternative mechanism that is expressively similar to SPKI/SDSI tags, semantically natural, and algorithmically tractable.

65 citations


Journal ArticleDOI
Ninghui Li
TL;DR: In this paper, China's agricultural policy simulation model (CAPSiM) is used to comprehensively and simultaneously account for the major driving forces and policies determining China's domestic food demand and supply, and the influence of the linkages of China's economy with the rest of the world is examined by linking Global Trade Analysis Project and CAPSiM in two scenarios.
Abstract: This article aims to gain a better understanding of the capacity of China to feed its growing population given its limited natural resources, and the impact of China's growing economy on the rest of the world and vice versa. In order to reflect China's real food economy and reasonable assumptions, China's Agricultural Policy Simulation Model (CAPSiM) is used, which can comprehensively and simultaneously account for the major driving forces and policies determining China's domestic food demand and supply. The influence of the linkages of China's economy with the rest of the world is examined by linking the Global Trade Analysis Project (GTAP) and CAPSiM in two scenarios. This article points out that China's food economy is stable and healthy, and a stable and healthy Chinese food economy benefits not only China, but also the whole world.

4 citations