Академический Документы
Профессиональный Документы
Культура Документы
Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)
0-7695-2141-X/04 $ 20.00 © 2004 IEEE
Strength of Enforcement
Content type and value Weak Medium Strong
Sensitive and proprietary Password-protected documents Software-based client Hardware based trusted
controls for documents viewers, displays and
inputs
Revenue driven IEEE, ACM digital libraries DRM-enabled media Dongle-based copy
protected by server access controls players such as for digital protection, hardware
music and eBooks based trusted viewers,
displays and inputs
Sensitive and revenue Analyst and business reports Software-based client Hardware based trusted
protected by server access controls controls for documents viewers, displays and
inputs
1
We use DRM in the sense usually found in the trade press to mean the
mechanisms that control entertainment content, and view it as a subset
and enabling technology for the broader problem of DCON.
Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)
0-7695-2141-X/04 $ 20.00 © 2004 IEEE
Functionality Strength of enforcement
Simple Complex Weak/Medium Strong
Legally Reliance on legal Strong system-
enforceable enforcement; enforceable rights,
versus system Limited system revocable rights.
enforced rights. enforced controls.
Dissemination Limited to one-step Flexible, multi-step, and Mostly legal System enforceable
chains and disseminations. multi-point. enforcement; controls.
flexibility.
Object types Simple, read-only Support for complex, Reliance on legally System supported
supported. and single-version multi-version objects. enforceable rights. and enforceable
objects. Support for object rights and
sensitivity/confidentiality. sanitization on
multiple versions.
Persistence and Immutable, Not viral and modifiable Reliance on legally System enforceable.
modifiability of persistent and viral by recipient. enforceable rights.
rights and on all disseminated
licenses. copies.
Online versus No offline access Allows offline access to Few unprotected No unprotected
offline access and no client-side client-side copies. copies are copies are tolerated.
and persistent copies. tolerated.
client-side
copies
Usage controls Control of basic Flexible, rule-based usage Some usage abuse No potential for
dissemination. controls on instances. allowed. usage abuse.
Preservation of Recipient has legal System-enabled Attribution can Attribution is
attribution. obligation to give preservation and trace- only be legally system enforced.
attribution to back of the attribution enforced.
disseminator. chain back to original
disseminator.
Revocation Simple explicit Complex policy-based No timeliness Guaranteed to take
revocations. revocation. guarantees. immediate effect.
Support for Not supported. Supported. Reliance on legally System enforceable
derived and enforceable rights. rights for derived
value-added and valued-added
objects. objects.
Integrity Out of band or non- Cryptographic schemes Off-line validation. High-assurance
protection for crypto based for integrity validation. cryptographic
disseminated validation. validation.
objects.
Audit Audit support for Additional support for the Offline audit Real-time audit
basic dissemination audit of instance usage. analysis. analysis and alerts.
operations.
Payment Simple payment Multiple pricing models Tolerance of some No revenue loss;
schemes (if any). and payment schemes revenue loss. Objective is to
including resale. maximize revenue.
Figure 2. Characterizing the technical dimensions of DCON by functionality and strength of enforcement
Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)
0-7695-2141-X/04 $ 20.00 © 2004 IEEE
Persistence and modifiability of rights. Rights may one application area to another. Nevertheless, an
have to persist along the dissemination chain, as in some elaboration and understanding of these individual
models of open software licensing, or they could be dimensions and associated dependencies is important to
modified by the recipient. having a unified approach to DCON.
Online versus offline access and persistent client-side The work presented here is an initial step towards the
copies. In certain applications, digital objects may be formulation of a family of DCON models. The richness of
disseminated but clients may not be allowed to make the DCON space and associated policies leads us to
client-side copies. For example, in satellite-based radio believe that this effort will inevitably be more
services, music is streamed and never stored. In many complicated than past efforts at building families of
intelligence community systems, users are allowed to models in areas such as role-based, discretionary and
download and view documents but not allowed to save or lattice-based access controls.
print. The DCON problem is inherently more complex Acknowledgement
when client-side copies can be retained. This work was supported by the Advanced Research and
Usage controls. In the simplest case, usage controls Development Activity (ARDA).
prevent redissemination but do not limit the legitimate
recipients in frequency or duration of usage. More
complex usage controls can enforce such limits on a per
5. References
[1] Abrams, Marshall, et al., “Generalized Framework for
instance and per recipient basis. Access Control: Towards Prototyping the ORGCON Policy.”
Preservation of attribution. In the simplest case, Proceedings of the 14th National Computer Security
preservation of attribution (including copyright notices) Conference, 1991, pages 257-266.
during redissemination can only be done through [2] David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D.
procedural and legal controls. More complex Richard Kuhn and Ramaswamy Chandramouli. “Proposed
functionality would involve system-enabled preservation NIST Standard for Role-Based Access Control.” ACM
and trace-back of the attribution chain back to the original Transactions on Information and System Security, Volume 4,
disseminator. This is an important requirement in Number 3, August 2001, pages 224-274.
[3] Graubart, Richard., “On the Need for a Third Form of
application domains such as that for the intelligence
Access Control.” Proceedings of the 12th National Computing
community. Security Conference, 1989 pages. 296-303.
Revocation. The ability to revoke rights on previously [4] MIT Technology Review Editors. “Ten Emerging
disseminated objects is an important one, but this is often Technologies that will Change the World.” MIT Technology
difficult to enforce on client-side copies. The simplest Review, Jan/Feb 2001.
case would be explicit revocations by the disseminator, [5] McCollum, C.J., Messing, J.R. and Notargiacomo, L.
but more complex rule-based schemes based on “Beyond the pale of MAC and DAC-defining new forms of
monitoring ongoing conditions are possible. access control.” Proceedings of IEEE Symposium on Security
Support for derived and value-added objects. Objects and Privacy, May 1990, pages 190-200.
[6] Jaehong Park, Ravi Sandhu and James Schifalacqua,
may be derived from or bundled with disseminated
“Security Architectures for Controlled Digital Information
objects. The simple cases of DCON would not support Dissemination.” Proc. 16th Annual Computer Security
this functionality. Applications Conference, New Orleans, Louisiana, December
Other dimensions of DCON include integrity 11-15, 2000, pages 224-233.
protection, audit and payment and these can be supported [7] Jaehong Park and Ravi Sandhu, “Originator Control in
to varying degrees as indicated in the table. It is Usage Control.” Proc. 3rd IEEE International Workshop on
interesting to note that most revenue-driven services such Policies for Distributed Systems and Networks, Monterey,
as retailing of digital music support only a single pricing California, June 5-7, 2002, pages 60-66.
model. Also, the current pricing and DCON models for [8] Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles
Youman, “Role-Based Access Control Models.” IEEE
digital music don’t support the resale of music.
Computer, Volume 29, Number 2, February 1996, pages 38-47.
[9] Ravi Sandhu and Jaehong Park, “Usage Control: A Vision
4. Summary and conclusions for Next Generation Access Control.” Proc. Mathematical
Methods, Models and Architectures for Computer Networks
We have briefly presented a high level decomposition Security, Saint Petersburg, Russia, September 21-23, 2003,
of the DCON space and presented some detailed technical Lecture Notes in Computer Science.
dimensions that exhibit the diversity of requirements that [10] The Next-Generation Secure Computing Base: An
Overviewhttp://www.microsoft.com/resources/ngscb/ngscb_ove
need to be considered in the design of DCON models and
rview.mspx
schemes. The relevance, priority and level of [11] The Trusted Computing Group TPM Specification,
sophistication of these dimensions vary considerably from https://www.trustedcomputinggroup.org/home
Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)
0-7695-2141-X/04 $ 20.00 © 2004 IEEE