Secure Information Sharing Using Role-based Delegation *

Gail-Joon Ahn and Badrinath Mohan
University of North Carolina at Charlotte
Charlotte, NC, U.S.A.
{gahn,bmohan}@uncc.edu

Abstract

As computing becomes more pervasive, information sharing occurs in broad, highly dynamic network-based environments. Such pervasive computing environments pose a difficult challenge in formally accessing the resources. Digital information is generally sensitive and confidential: organizations must protect it and allow only authorized personnel to access and manipulate it. As organizations implement information strategies that call for sharing access to resources in the networked environment, mechanisms must be provided to protect the resources from adversaries. In this paper we seek to address the issue of how to advocate selective information sharing while minimizing the risks of unauthorized access. We integrate a role-based delegation framework to propose a system architecture. We also demonstrate the feasibility of our framework through a proof-of-concept implementation.

Keywords: Information Sharing, Role-based, Delegation

1. Introduction

Several organizations have transitioned from their old and disparate business models based on ink and paper to new, consolidated ones based on digital information on the Internet. The Internet is uniquely and strategically positioned to address the needs of a growing segment of the population in a very cost-effective way. It provides tremendous connectivity and immense information sharing capability, which organizations can use for their competitive advantage.
However, balancing the competing goals of collaboration and security is difficult because interaction in collaborative systems is targeted towards making people, information, and resources available to all who need them, whereas information security seeks to ensure the integrity of these elements while providing them only to those with proper authorization.

* This work was supported, in part, by funds provided by National Science Foundation (NSF-IIS-0242393) and Department of Energy Early Career Principal Investigator Award (DE-FG02-03ER25565).

Furthermore, as computing becomes more pervasive, information sharing occurs in broad, highly dynamic network-based environments. Such pervasive computing environments pose a difficult challenge in formally accessing the resources. Digital information is generally sensitive and confidential: organizations must protect it and allow only authorized personnel to access and manipulate it. As organizations implement information strategies that call for sharing access to resources in the networked environment, mechanisms must be provided to protect the resources from adversaries.

We seek to address the issue of how to advocate selective information sharing in pervasive computing environments while minimizing the risks of unauthorized access. We integrate a role-based delegation framework [12] to propose a system architecture. We also demonstrate the feasibility of our framework through a proof-of-concept implementation.

The rest of this paper is organized as follows. In Section 2 we discuss role-based delegation, including details of the system architecture. Section 3 overviews other research and related technologies. Section 4 describes implementation details. Section 5 concludes this paper.

2. Role-based Delegation

Ahn et al. [2] recently identified the following issues in collaborative environments. First, selective information sharing is necessary.
We are dealing with friends, not enemies, and should provide relevant information expeditiously. Second, the information may be shared across organizational boundaries. Because sharing a resource across organizational boundaries often means authorizing a server to give access to a third party, it implies enabling resource servers to reason about previously unknown third parties. This requirement contrasts with many conventional systems, wherein a server need only reason about the set of users known inside a given organization. Third, it is impossible to fully predict what data should be shared, when, and with whom. And another thing is that a mechanism must

Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04) 0-7695-2108-8/04 $20.00 © 2004 IEEE