Decentralized Policy Information Points for Multi-Domain Environments

TL;DR

This paper introduces a decentralized Policy Information Point (PIP) model for Attribute-Based Access Control (ABAC) in multi-domain environments, enhancing privacy and collaboration over open networks.

Contribution

It proposes a novel decentralized PIP architecture using Attribute-Based Signatures to improve privacy and support multi-domain resource sharing in ABAC systems.

Findings

Decentralized PIP enhances privacy in ABAC systems.

The model supports cross-domain resource sharing.

Evaluation shows feasibility and security benefits.

Abstract

Access control models have been developed to control authorized access to sensitive resources. This control of access is important as there is now a need for collaborative resource sharing between multiple organizations over open environments like the internet. Although there are multiple access control models that are being widely used, these models are providing access control within a closed environment i.e. within the organization using it. These models have restricted capabilities in providing access control in open environments. Attribute-Based Access Control (ABAC) has emerged as a powerful access control model to bring fine-grained authorization to organizations that possess sensitive data and resources and want to collaborate over open environments. In an ABAC system, access to resources that an organization possess can be controlled by applying policies on attributes of the users. These policies are conditions that need to be satisfied by the requester in order to gain access to the resource. In this paper, we provide an introduction to ABAC and by carrying forward the architecture of ABAC, we propose a Decentralized Policy Information Point (PIP) model. Our model proposes the decentralization of PIP, which is an entity of the ABAC model that allows the storage and query of user attributes and enforces fine-grained access control for controlling the access of sensitive resources over multiple domains. Our model makes use of the concept of a cryptographic primitive called Attribute-Based Signature (ABS) to keep the identities of the users involved, private. Our model can be used for collaborative resource sharing over the internet. The evaluation of our model is also discussed to reflect the application of the proposed decentralized PIP model.