A computing environment may contain a variety of entities and resources. Entities may include users, operating systems, applications, processes, threads, objects, etc. Resources may include information, files, network connections, properties and methods of objects, etc. Generally, when one entity (“client”) wants to access a resource owned or administered by another entity (“server”), the client issues an access request to the server. The server may use a program that manages the resource (“resource manager”) to decide whether to grant the access request. The decision process is usually called an access control process. The resource manager may make the decision by consulting pre-configured access policies for the resource (“use policy”). The resource manager, the resource, and the associated use policy may be considered as parts of the server. The resource manager and the associated use policy constitute an access control system.
Traditional access control systems tend to be static and closed with regard to which entity can access a resource. In such access control systems, a client typically is an authenticated entity that is locally known to the server, and information needed to make a decision is usually available locally on the server. As a result, the server needs to administer the entire complexity of access control locally and cannot delegate some of the administration work to other entities.
The development of distributed and dynamic computing environments, such as the Internet, has made static and closed access control systems inadequate. For example, an entity that is not locally known to a server may request to access a resource on the server. The entity may provide information for the resource manager to use during its decision process. The information provided by an entity can be a reply to a proposition from the server, which the server requires the entity to prove before it grants the requested access. Such a reply is also called a proof. The entity may supply credential statements along with the access request. The credential statements provide information to identify who the entity is. The credential statements may include more than authentication information used to help determine who the entity is. The credential statements may also include additional policy statements. Because the authenticity and integrity of policy statements can be secured with current cryptographic technologies, an owner of a resource may remotely author policy statements and provide the policy statements to a client. The client can then present the policy statements to the resource manager of the resource. The resource manager may then check the veracity of the policy statements and consult with the owner of the resource. The resource manager may eventually provide access in a manner consistent with the resource owner's intent as expressed in the policy statements.
The ability to configure policy remotely through cryptographically protected statements provides many opportunities for an access control system to depart from the traditional closed and static model. For example, a client may bring a statement authored by an entity that certifies the client to be a member of a pre-determined group. The client may also bring a statement authored by the resource owner, saying that members of the group, according to the entity, may access the resource. Together, these statements imply that the client should be able to access the resource. In such an example, the resource manager may have no prior knowledge of the entity that certifies the client to be a member of the authenticated group. The resource manager also may not know a priori that the resource owner has delegated the certifying ability to the entity only for the purpose of this specific access control decision.
Certain approaches, such as ISO Rights Expression Language (XrML 2.x) and Delegation Logic, represent statements in a logical form so that the access control decision can be computed symbolically from the statements themselves. More specifically, these approaches have their basis in predicate calculus, and their process for computing whether access should be granted according to the owner's intent is equivalent to finding a proof. The proof-based approach has several advantages. The most important advantage is that it provides a mathematically verifiable reason why access ought to be granted. Another advantage is that there is no need to translate the meaning of the expression to some other form to uncover the owner's intent; reasoning can be done at the expression level itself.
To enable diverse delegation scenarios, a resource manager needs to process the statements provided by clients and decide whether or not to grant the requested access. To allow for multiple statements to imply access in a scalable and manageable fashion, a resource manager needs to reason with the underlying meaning and intent inherent in the statements supplied by a client. Such a reasoning process may be called “computing the proof” or “theorem proving.”
However, the process of theorem proving can become cumbersome. Declarative authorization systems are closely aligned with declarative programming languages, such as Prolog. Theorem proving is computationally as powerful as the imperative semantics of more common programming systems like C++, C#, or Java. As such, theorem proving can be used to encode arbitrary computation problems, i.e. arbitrary computer programs, and the same theoretical limitations therefore apply to how fast proofs can be computed. For example, for full predicate calculus, in the worst case, no existing algorithm can be guaranteed to terminate when computing proofs, just as there exist questions that no C++ or C# program can answer. As a result, a decision on access control may never be reached for this class of problems. This open-endedness may expose a resource manager to attack by an adversary. For example, a client can build bogus assertions that heavily tax a resource manager's computation of proofs, including assertions that lead it to construct proofs of unbounded size. The bogus assertions may also induce a resource manager to spend an unbounded amount of time and/or space in order to conclude that no proof exists. When a resource manager enters endless computation, it has to deny service to other entities. Such situations are called denial of service attacks, which can interrupt network routing services and render networks inoperable.
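The following is an added example, not code from the original text or from XrML or Delegation Logic. It models the two-statement delegation scenario described earlier (a certifier says a client is a group member; the owner says members of that group, according to the certifier, may access the resource) as Horn-clause statements and decides access by backward chaining, and it illustrates the risk just described by giving the prover a fixed step budget so that a bogus self-referential statement exhausts the budget instead of running forever. All names (owner, certifier, alice, bob, the group "staff", the resource "report") and the statement format are constructed for illustration; the statements are assumed to be already authenticated.

```python
from itertools import count

def is_var(t):  # variables are capitalised strings, e.g. "X"
    return isinstance(t, str) and t[:1].isupper()
def unify(a, b, s):
    # Unify two atoms (tuples) under substitution s; return extended copy or None.
    if len(a) != len(b):
        return None
    s = dict(s)
    for x, y in zip(a, b):
        while is_var(x) and x in s: x = s[x]
        while is_var(y) and y in s: y = s[y]
        if x == y: continue
        if is_var(x): s[x] = y
        elif is_var(y): s[y] = x
        else: return None
    return s
def rename(atom, n):  # fresh variable names for each use of a statement
    return tuple(f"{t}#{n}" if is_var(t) else t for t in atom)
class BudgetExceeded(Exception): pass
def prove(stmts, goals, s, steps, budget):
    # Each statement is (issuer, head, body); each goal is (speaker, atom) meaning
    # "speaker must be shown to say atom". Yields substitutions that close all goals.
    if not goals:
        yield s; return
    (speaker, atom), rest = goals[0], goals[1:]
    for issuer, head, body in stmts:
        if issuer != speaker: continue
        n = next(steps)
        if n > budget:  # the bound that keeps a hostile proof search finite
            raise BudgetExceeded(n)
        s2 = unify(rename(head, n), atom, s)
        if s2 is not None:
            yield from prove(stmts, [(sp, rename(a, n)) for sp, a in body] + rest, s2, steps, budget)

def decide(stmts, speaker, atom, budget=200):
    # True: proof found. False: search exhausted, no proof. None: budget exceeded.
    try:
        return any(True for _ in prove(stmts, [(speaker, atom)], {}, count(1), budget))
    except BudgetExceeded:
        return None

# Constructed statements: certifier vouches for alice; owner delegates to certifier.
STATEMENTS = [
    ("certifier", ("member", "alice", "staff"), []),
    ("owner", ("access", "X", "report"), [("certifier", ("member", "X", "staff"))]),
]
# Constructed bogus self-referential statement: a naive prover recurses on it forever.
LOOPING = STATEMENTS + [("certifier", ("member", "Y", "staff"),
                        [("certifier", ("member", "Y", "staff"))])]
```

With the budget in place, `decide` answers True for alice, False for bob against the honest statements, and None (refuse, rather than hang) for bob once the looping statement is present.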
Therefore, there exists a need to relieve a resource manager of the onerous computation of proofs so as to avoid the negative consequences, such as denial of service attacks, brought about by endless computing.