| Foundations of Security and Access Control in Computing | p. 1 |
| Introduction | p. 1 |
| Elements of Systems Security | p. 3 |
| Identity Establishment | p. 3 |
| Resource Access Control | p. 4 |
| Data and Message Security | p. 4 |
| Nonrepudiation | p. 5 |
| Availability | p. 5 |
| Cost of Security | p. 6 |
| System Integrity: A Prelude to Security | p. 6 |
| Trusted Computing Base | p. 7 |
| Users, Principals, Subjects, and Objects | p. 9 |
| Identification and Authentication | p. 10 |
| Authentication Factors: A Comparison | p. 11 |
| Multiple-Factor Authentication | p. 11 |
| Passwords: The Prevalent Authentication Method | p. 13 |
| Approaches to Reliable Password Management | p. 13 |
| Password Encoding | p. 13 |
| Adding Salt to Password Encoding | p. 14 |
| Password Syntax Rules | p. 14 |
| Password Aging | p. 15 |
| Auditing | p. 15 |
| The Security Context | p. 17 |
| Content of a Security Context | p. 18 |
| The Flow of a Security Context | p. 19 |
| Delegating Security Contexts | p. 19 |
| Access Control | p. 20 |
| Reference-Monitor Topology | p. 21 |
| About Access-Control Policies, Models and Mechanisms | p. 23 |
| Access Control Paradigms | p. 26 |
| Role-Based Access Control | p. 26 |
| Delegation and Masquerading | p. 27 |
| The Axiom of Attenuation of Privileges | p. 27 |
| Trust and Assurance | p. 27 |
| Realizing Assurance | p. 28 |
| The Common Criteria: A Background | p. 28 |
| Overview of Assurance in the Common Criteria | p. 29 |
| Configuration Management | p. 31 |
| Delivery and Operation | p. 31 |
| Development | p. 32 |
| Guidance Documents | p. 32 |
| Life-Cycle Support | p. 33 |
| Tests | p. 33 |
| Vulnerability Assessment | p. 33 |
| About the Confinement Problem | p. 35 |
| Covert Channels | p. 36 |
| Examples | p. 36 |
| Security-Design Principles | p. 37 |
| Economy of Mechanism | p. 37 |
| Complete Mediation | p. 37 |
| Open Design | p. 37 |
| Least-Common Mechanism | p. 38 |
| Fail-Safe Defaults | p. 38 |
| Separation of Privilege | p. 38 |
| Least Privileges | p. 39 |
| Privacy Considerations | p. 39 |
| Psychological Acceptability | p. 39 |
| Introduction to Identity-Management Models | p. 40 |
| Introduction | p. 40 |
| Local Identity | p. 41 |
| Advantages of the Local-Identity Model | p. 42 |
| Management Issues in the Local-Identity Model | p. 43 |
| Example: IBM Resource Access-Control Facility | p. 44 |
| Network Identity | p. 46 |
| Federated Identity | p. 46 |
| Foundations of Federated Identity | p. 46 |
| Federation Topologies | p. 49 |
| Global Web Identity | p. 51 |
| Identity Mapping and Synchronization | p. 51 |
| MetaDirectories | p. 51 |
| Affiliate Networks (Virtual Directories) | p. 52 |
| Dynamic Scoping of a Security Context | p. 54 |
| The XNS Approach to the Global Web Identity | p. 54 |
| Elements of DNS | p. 55 |
| Elements of XNS | p. 59 |
| XNS Identity Types | p. 61 |
| The XNS Identity Document | p. 61 |
| IDs and Names in XNS | p. 62 |
| XNS Resolvers | p. 63 |
| Cross-Referencing XNS Identities | p. 64 |
| Centralized Enterprise-Level Identity Management | p. 67 |
| Synchronizing Identity Attributes | p. 68 |
| Policy-Based Identity Provisioning | p. 69 |
| Unified Identity-Representation Scheme | p. 69 |
| Example: IBM Identity Manager | p. 71 |
| Elements of Trust Paradigms in Computing | p. 73 |
| Introduction | p. 73 |
| A Third-Party Approach to Identity Trust | p. 74 |
| Kerberos: The Implicit Third-Party Authentication Paradigm | p. 76 |
| A High-Level View of the Kerberos Protocol | p. 77 |
| Federated Kerberos | p. 79 |
| A Topology of Kerberos Federations | p. 80 |
| Ticket Forwarding | p. 80 |
| Entitlement Attributes in Kerberos | p. 81 |
| Explicit Third-Party Authentication Paradigm | p. 83 |
| The Public-Key Infrastructure Approach to Trust Establishment | p. 84 |
| Foundations of Public-Key Cryptography | p. 85 |
| Digital Signatures | p. 88 |
| Trusting a Public Key | p. 89 |
| Foundations of Trust in PKI | p. 90 |
| PKI Trust Topologies | p. 93 |
| Proxy Certificates: Delegated Impersonation in PKI | p. 102 |
| Attribute Certificates: Entitlement Management in PKI | p. 106 |
| Elements of Attribute Certificates | p. 106 |
| Generalized Web-of-Trust Model | p. 109 |
| Examples of Trust-Exchange Mechanisms Over the Web | p. 111 |
| Web-Services Security | p. 112 |
| SAML Approach: Unifying Trust and Identity Constructs | p. 116 |
| Web Cookies | p. 123 |
| Mandatory-Access-Control Model | p. 129 |
| Introduction | p. 129 |
| Mandatory-Access-Control Theory | p. 129 |
| Partial Orders | p. 129 |
| Lattices | p. 130 |
| Lattice-Based Access-Control Models | p. 131 |
| The Lattice Structure of the Information Flow Model | p. 132 |
| Implications of the Lattice-Based Flow Model on Access Control | p. 135 |
| Examples of Lattice-Based Information-Flow Models | p. 135 |
| The Bell-LaPadula Flow Model | p. 137 |
| The Biba Model | p. 138 |
| Comparing Information Flow in BLP and Biba Models | p. 139 |
| Implementation Considerations for the BLP and the Biba Models | p. 141 |
| Combining the BLP and the Biba Models | p. 141 |
| On the Mandatory-Access-Control Paradigm | p. 144 |
| The Chinese-Wall Policy | p. 144 |
| Simple Security | p. 146 |
| *-property | p. 146 |
| Discretionary-Access Control and the Access-Matrix Model | p. 147 |
| Introduction | p. 147 |
| Defining the Access-Matrix Model | p. 147 |
| Implementation Considerations for the Access Matrix | p. 148 |
| Resource View of the Access Matrix: Access-Control Lists | p. 149 |
| Subject View of the Access Matrix: Capabilities | p. 149 |
| Definitions from the HRU Access-Matrix Model | p. 150 |
| State Transitions in the HRU Access-Matrix Model | p. 151 |
| The Safety Problem of the Access-Matrix Model | p. 153 |
| On the Safety of the Mono-Operational Protection System | p. 158 |
| The General Safety Problem of the Access-Matrix Model | p. 159 |
| The Turing Machine | p. 160 |
| Sketch of Proof for the Undecidability of the General Safety Problem | p. 163 |
| The Take-Grant Protection Model | p. 168 |
| Introduction | p. 168 |
| Definition of the Take-Grant Model | p. 168 |
| Example: A Take-Grant Model | p. 172 |
| Safety in the Take-Grant Model | p. 173 |
| Determinism of Sharing in the Take-Grant Model | p. 175 |
| The Schematic-Protection Model | p. 180 |
| Introduction | p. 180 |
| Overview of the Schematic-Protection Model (SPM) | p. 180 |
| SPM Rules and Operations | p. 182 |
| The Copy Operation | p. 182 |
| The Demand Operation | p. 184 |
| The Create Operation | p. 185 |
| Attenuating Create-Rule of SPM | p. 187 |
| Application of SPM | p. 187 |
| Sharing Across Resource Owners | p. 187 |
| The Basic Take-Grant Model | p. 188 |
| Role-Based Access Control | p. 190 |
| Introduction | p. 190 |
| Basic RBAC | p. 192 |
| User, Role, and Permission Associations | p. 193 |
| RBAC Relationship Reviews | p. 194 |
| Hierarchical RBAC | p. 195 |
| General-Role Hierarchies | p. 196 |
| Limited-Role Hierarchies | p. 198 |
| Role Reviews in Hierarchical RBAC | p. 200 |
| Modeling Hierarchical RBAC Using Role Graphs | p. 200 |
| RBAC: A Comparative Discussion | p. 208 |
| Mapping of a Mandatory Policy to RBAC | p. 209 |
| RBAC Correspondence to a Mandatory Policy | p. 213 |
| Mapping Discretionary-Access Control to RBAC | p. 217 |
| RBAC Flow Analysis | p. 224 |
| The Osborn Flow-Analysis Algorithm | p. 224 |
| Separation of Duty in RBAC | p. 227 |
| Elements of Role Conflicts in RBAC | p. 229 |
| Static Separation of Duty | p. 231 |
| Dynamic Separation of Duty | p. 233 |
| Role Cardinality Constraints | p. 240 |
| RBAC Consistency Properties | p. 241 |
| The Privileges Perspective of Separation of Duties | p. 243 |
| Functional Specification for RBAC | p. 246 |
| Core RBAC Functions | p. 246 |
| Hierarchical RBAC Functions | p. 248 |
| Functional Specification for Static Separation-of-Duty Relations | p. 249 |
| Functional Specification for Dynamic Separation-of-Duty Relations | p. 250 |
| References | p. 252 |
| Index | p. 258 |
| Table of Contents provided by Ingram. All Rights Reserved. |