Download DefenceSlides - Google Project Hosting

Design and implementation of a distributed role concept for access control in Traceability Networks
Student: Weixun Li
Tutor: Dipl.-Medien-Inf. Eberhard Grummt
Responsible Professor: Prof. Dr. rer. nat. habil. Dr. h. c. Alexander Schill
May 27, 2008, Dresden
Overview
1. Motivation and Introduction
2. Requirement Analysis
3. Concepts
4. Implementation
5. Conclusion and Future Work
6. Reference
slide #2
Motivation & Introduction
slide #3
The Routing Process
Figure. Theseos infrastructure[1]
slide #4
Requirement Analysis
slide #5
Security issues
Security issues in Traceability Networks:
• Protection of companies’ IP and physical addresses.
• Strict and precise controls on the sharing of companies’ item information, e.g., who can get what kind of information from whom.
• Mutual authentication [2]
slide #6
Extended Role-based Access control
Extended Role-based Access control (ERBAC)
• An extension of RBAC that addresses the requirements of distributed environments.
• Extends role definitions and role constraints for role-based access control in a traceability network.
• A concept that integrates many up-to-date technologies: RBAC, EPCIS, JAXRPC, Web Service, etc.
slide #7
A Use Case
Figure. An example use case of ERBAC
slide #8
Concepts
slide #9
Role types
Roles of the ERBAC system for the traceability network are classified into two types:

General Roles:
• General Roles are defined by Supply Chain (SC) participants’ properties, in the view of the whole SC.
• E.g., Manufacturer, Distributor, Wholesaler, Retailer.

Perspective Roles:
• Perspective Roles are defined by directly connected partners, in the view of the mutual relationship.
• E.g., Directly Connected Wholesaler, Competitive Wholesaler, Directly Connected Laptop Wholesaler, Directly Connected CPU Wholesaler.
slide #10
Role Hierarchy
Figure. Role Hierarchy in EPCIS servers. Nodes: Company; Manufacturer; Distributor; Wholesaler; Retailer; Directly Connected Wholesaler; Directly Connected Laptop Wholesaler; Directly Connected CPU Wholesaler; Competitive Wholesaler; Competitive Laptop Wholesaler; Competitive CPU Wholesaler.
slide #14
Role Constraints
In traditional RBAC for a single company:
• Roles are usually defined by the administrator or the company’s committee.
• The administrator extends, deletes, grants and revokes roles without considering other systems.
In a traceability network:
• Most of the time, role administration cannot be done by one company’s decision alone. (Voting mechanisms)
• A single company can play various roles at the same time.
slide #15
Role Constraints cont.
Figure. A sample Supply Chain
slide #16
Role Constraints cont.
Mutually exclusive relationship:
In traditional RBAC, two roles being mutually exclusive means that they cannot be assigned to the same user.
In a traceability network, mutually exclusive roles are associated with Object Class(es). That means one company cannot be assigned two roles with the same EPC Object Class(es). In other words, two roles are mutually exclusive when they are associated with the same EPC Object Class(es).
slide #17
Role Constraints cont.
Figure. Role Constraint
slide #18
Role administration

Motivation:
• To manage roles efficiently.
• To provide features for role administration in a distributed environment.

Features:
• Grant Role Service.
• Revoke Role Service.
• Add Role Service.
• Delete Role Service.
slide #19
Grant Role
Figure. Role Grant
slide #20
Grant Role (Cont.)
sd roleGrant
Participants: applicant: Company; server: RSS; partner1, partner2, ..., partnerN: Company
grantRole()
verifyApplicant() -> verified
alt [verified==false]: fail
[else]:
  lookForPartners()
  vote() -> voteResult (once per partner)
  SimpleMajorityVoting()
  alt [MajorityVoted==false]: fail
  [else]: grantResult
Figure. Grant Role
slide #21
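The Grant Role sequence above (verify the applicant, poll the partners, simple majority vote), combined with the EPC Object Class mutual-exclusion rule from the Role Constraints slide, as an added Python example that is not code from the thesis. The class and function names, the strict-majority threshold, checking the constraint at grant time, keying grants by (lid, EPC class) after the roleGrant schema columns, and the sample EPC class label are all assumptions.

```python
# Added illustration of the Grant Role flow; all names are hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Vote = Callable[[int, str, str], bool]  # (applicant lid, role, EPC class) -> approve?

@dataclass
class RoleServer:
    """Toy stand-in for the RSS: verifies, polls partners, records grants."""
    registered: Set[int]                      # lids the server can authenticate
    partners: Dict[int, List[Vote]]           # lid -> vote callbacks of its partners
    grants: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (lid, EPC class) -> role

    def verify_applicant(self, lid: int) -> bool:
        return lid in self.registered

    def violates_mutual_exclusion(self, lid: int, epc_class: str) -> bool:
        # One company may not hold two roles for the same EPC Object Class.
        return (lid, epc_class) in self.grants

    def grant_role(self, lid: int, role: str, epc_class: str) -> str:
        if not self.verify_applicant(lid):
            return "fail: applicant not verified"
        if self.violates_mutual_exclusion(lid, epc_class):
            return "fail: mutually exclusive role already held"
        voters = self.partners.get(lid, [])
        yes = sum(1 for vote in voters if vote(lid, role, epc_class))
        # Assumed rule: strict majority of all polled partners; ties and
        # an empty partner list fail closed.
        if not voters or 2 * yes <= len(voters):
            return f"fail: {yes}/{len(voters)} votes"
        self.grants[(lid, epc_class)] = role
        return f"granted: {yes}/{len(voters)} votes"

def demo() -> List[str]:
    approve = lambda lid, role, epc: True
    reject = lambda lid, role, epc: False
    rss = RoleServer(registered={1, 2},
                     partners={1: [approve, approve, reject], 2: [approve, reject]})
    cpu = "constructed.epc.class.cpu"  # constructed sample EPC class label
    return [
        rss.grant_role(9, "Wholesaler", cpu),                     # unknown applicant
        rss.grant_role(1, "Directly Connected Wholesaler", cpu),  # 2 of 3 approve
        rss.grant_role(1, "Competitive Wholesaler", cpu),         # same company and class
        rss.grant_role(2, "Directly Connected Wholesaler", cpu),  # 1 of 2: tie fails
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Failing closed on ties and on an empty partner list keeps a company with no reachable partners from obtaining a role by default.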
Implementation
slide #22
Programming Environment:
• JAXRPC
• DERBY 10.3.2.1
• J2EE 1.4 SDK
• Sun Java Application Server 8.2
slide #23
Figure. Simulated Network
slide #24
Figure. Work flow of Role Grant
slide #25
Voting Algorithm
First hierarchy:
• Company 10000
• M. 11000 (Target Role)
• D.C.M. 11100 (TopTech)
• C.M. 11200
• D. 12000
• D.C.D. 12100
• W. 13000
• R. 14000
Legend: M. = Manufacturer; D. = Distributor; W. = Wholesaler; R. = Retailer; D.C.M. = Directly Connected Manufacturer; C.M. = Competitive Manufacturer; 10000 = integer number indicating the role’s position.

Second hierarchy:
• Company 10000
• M. 11000 (Target Role)
• D. 12000
• C.D. 12200 (TopTech)
• W. 13000
• R. 14000
Legend: M. = Manufacturer; D. = Distributor; W. = Wholesaler; R. = Retailer; D.C.D. = Directly Connected Distributor; C.D. = Competitive Distributor; 10000 = integer number indicating the role’s position in the role hierarchy.

Figure. Role hierarchies of Market Huge and Market Much.
slide #26
Figure. Work flow of Role Grant
slide #27
Conclusion and Future Work
slide #28
Conclusion and Future Work
Conclusion:
• We proposed an ERBAC concept that enables role-based access control in a distributed environment.
• We gave role definitions and constraints for access control in a traceability network.
• We implemented role administration features based on innovative voting mechanisms.
Future Work:
• Privilege assignment for item composition and decomposition
• Improve the dependence of the system in the distributed environment
slide #29
Reference
[1] Steve Beier, Tyrone Grandison, Karin Kailing, and Ralf Rantzau. Discovery Service – Enabling RFID Traceability in EPCglobal Networks. Proc. of the 13th International Conference on Management of Data (COMAD) 2006, Delhi, India, December 2006. URL http://www.almaden.ibm.com/cs/projects/iis/rfid/.
[2] J2EE Tutorial, p. 1179
slide #30
Thank you! & Questions?
slide #31
Database Schemas
company
• lid INTEGER (PK)
• comName VARCHAR(50)
• address VARCHAR(100)

roleGrant
• lid INTEGER (PK)
• EPCClass VARCHAR(18) (PK)
• roleName VARCHAR(80)
• expireDate DATETIME

itemTrack
• EPC CHAR(27) (PK)
• lid_from INTEGER (PK)
• lid_to INTEGER
• ts DATETIME

roleDictionary
• roleName VARCHAR(80) (PK)
• ts DATETIME

Figure. Data Schemas in RSS
slide #32
Database Schemas
DCPartner
• lid INTEGER (PK)
• comName VARCHAR(50)
• address VARCHAR(100)

sentTo
• EPC CHAR(27) (PK)
• lid INTEGER
• ts DATETIME

receivedFrom
• EPC CHAR(27) (PK)
• lid INTEGER
• ts DATETIME

roleGrant
• lid INTEGER (PK)
• EPCClass CHAR(18) (PK)
• roleName VARCHAR(80)
• expireDate DATETIME

roleHierarchy
• roleName VARCHAR(80) (PK)
• position INTEGER

Figure. Data Schemas in EPCIS Server
slide #33
Activity Diagram for Role Assignment
Figure. Activity Diagram for Role Assignment. Nodes: Initial point; Process Authentication Request; decision "success?" (yes/no); Verify Partners' Addresses; decision "verified?" (yes/no); Wait for all partners' votings; decision "all voting?" (yes/no); return null; return Role Certificate.
slide #34
A Use Case
Figure. An example use case of ERBAC
slide #35
Figure. Role Hierarchy of CompanyD. Nodes: Company; Manufacturer; Distributor; Wholesaler; Retailer; Competitive Wholesaler (CompanyC); Directly Connected Retailer (CompanyE).
slide #36
Figure. Role Hierarchy of CompanyC. Nodes: Company; Manufacturer; Distributor; Wholesaler; Retailer; Competitive Wholesaler (CompanyD); Directly Connected Distributor (CompanyB).
slide #37
Introduction of Traceability Network
Figure. An example of Traceability Network[1]
slide #38
Revoke Role
sd roleRevoke
Participants: manufacturer: Company; server: RSS
revokeRole()
verifyCertificate() -> verified
alt [verified==false]: certificateVerifyFailed
[else]:
  verifyRoleStatus() -> verified
  alt [verified==false]: roleStatusVerifailed
  [else]: processRoleRevoke() -> succeed
return
Figure. Revoke Role
slide #39
Add Role
sd roleAdd
Participants: applicant: Company; server: RSS; participant, participant2, ..., participantN: Company
addRole()
verifyApplicant() -> verified
alt [verified==false]: authenticationFailed
[else]:
  verifyRole'sExistence() -> exist
  alt [exist==true]: roleExist
  [else]:
    addRole() -> confirm (once per participant)
    addRole()
    addSucceed
Figure. Add Role
slide #40
Delete Role
sd roleDelete
Participants: applicant: Company; server: RSS; roleOwner1, ..., roleOwnerN: Company; participant1, ..., participantN: Company
deleteRole()
verifyCertificate()&verifyRole'sExistence()
lookForAllRoleOwners() -> result
alt [result==null]:
  deleteRole()
  deleteSucceed
[else]:
  VoteForDeleteRole() -> result (once per role owner)
  alt [allAgreed==false]: reject
  [else]:
    lookForAllParticipants()
    deleteRole() -> confirm (once per participant)
    deleteRole()
    deleteSucceed
Figure. Delete Role
slide #41
Motivation
Figure. An RFID tag
• An RFID tag is a tag that carries information about an item. It can be attached to an item and read at certain points.
• The information read from an RFID tag can easily be transferred into a data record by EPCIS.
• The use of RFID tags enables many innovative implementations, e.g. anti-counterfeiting and item callback.
slide #42