BIB-VERSION:: CS-TR-v2.0
ID:: ncstrl.dartmouthcs//TR2004-529
ENTRY:: December 21, 2004
ORGANIZATION:: Dartmouth College, Computer Science
TITLE:: Secure Context-sensitive Authorization
TYPE:: Technical Report (paper)
REVISION:: 1
AUTHOR:: Minami, Kazuhiro
AUTHOR:: Kotz, David
DATE:: December 2004	
RETRIEVAL:: For a paper copy, email <reports@cs.dartmouth.edu>
RETRIEVAL:: For a paper copy, write to
       Technical Report Librarian
       Department of Computer Science
       Dartmouth College
       6211 Sudikoff Laboratory
       Hanover, NH 03755-3510
       USA
RETRIEVAL:: PDF at http://www.cs.dartmouth.edu/reports/TR2004-529.pdf
ABSTRACT:: 
There is a recent trend toward rule-based authorization systems to achieve
flexible security policies. Also, new sensing technologies in pervasive
computing make it possible to define context-sensitive rules, such as ``allow
database access only to staff who are currently located in the main office.''
However, these rules, or the facts that are needed to verify authority, often
involve sensitive context information.  This paper presents a secure
context-sensitive authorization system that protects confidential information in
facts or rules.  Furthermore, our system allows multiple hosts in a distributed
environment to perform the evaluation of an authorization query in a
collaborative way;  we do not need a universally trusted central host that
maintains all the context information.  The core of our approach is to decompose
a proof for making an authorization decision into a set of sub-proofs produced
on multiple different hosts, while preserving the integrity and confidentiality
policies of the mutually untrusted principals operating these hosts. We prove
the correctness of our algorithm.
END:: ncstrl.dartmouthcs//TR2004-529