
Automated multiparty authorization in open distributed systems

Posted on: 2010-07-12
Degree: Ph.D
Type: Thesis
University: University of Illinois at Urbana-Champaign
Candidate: Zhang, Chengqiang
Full Text: PDF
GTID: 2448390002981724
Subject: Computer Science
Abstract/Summary:
With the advent of the Internet, open distributed computing such as peer-to-peer file sharing and grid computing has become increasingly popular. As these systems exhibit an increasing level of online interactions and cooperations among individuals and organizations, there is also an increasing need for dynamic and secure sharing of resources across the boundaries of different administrative domains. Traditional identity-based access control often bases its authorization solely on the authentication of a user to a known identity, and becomes unsuitable for open systems, where the interacting parties could be total strangers to each other, yet still have the need for rapid and secure resource sharing. Another aspect of authorization in open distributed computing is that it often involves interactions among multiple parties. Such interactions can have dependencies among each other, and have to be interleaved in a certain order for the authorization to succeed. Many existing authorization approaches assume that authorizations are between two parties (either a client and a server, or two symmetric parties with no client-server relationship), and cannot be readily applied to the problem of solving authorization issues among multiple parties. Other approaches either make assumptions that cannot be generalized, or lack important features like providing the participating parties with autonomy and customization. The goal of the thesis is to provide new approaches to automatic, secure, and efficient trust establishment among multiple parties in an open distributed environment.

Automated trust negotiation (ATN) is a promising approach to establishing trust between two entities without any prior knowledge of each other. ATN uses gradual trust establishment by iterative credential exchanges, thus avoiding unsecured disclosure of sensitive information. Yet the fact that it applies to only two parties makes it inadequate to solve many real-world authorizations that involve online input from third parties. Inspired by ATN, we introduce multiparty trust negotiation (MTN) as a new approach to multiparty authorization. We propose a declarative language to specify MTN policies, a generic negotiation protocol to orchestrate MTN without a centralized moderator, and two negotiation strategies to drive MTN with different tradeoffs between privacy and negotiation speed. Both the negotiation strategies we propose guarantee that each participating party's authorization policies are satisfied, and that the negotiation succeeds as long as a possible authorization exists.

While MTN provides an effective solution to trust establishment among multiple parties in an interactive way, it does not support features like delegation and redissemination control. What is still missing is a general authorization framework that can be used to model and reason about the runtime behavior of a diverse set of peers in an open system, and provides a rich set of features to satisfy their assorted authorization requirements. Motivated by these needs, we introduce the PeerAccess authorization framework. PeerAccess provides a declarative language to describe a peer's access control policies, and supports delegation, disclosure control, and redissemination control. While it is easy to verify a proof of authorization encoded in PeerAccess, the multilateral and distributed nature of multiparty authorization makes it difficult to construct such proofs. To facilitate distributed proof construction, we propose query routing rules to allow each peer to customize its proof search behavior based on knowledge about where to get a certain credential. Configured with different query routing rules, PeerAccess is able to emulate the runtime behaviors of other trust management systems, which makes PeerAccess general enough to serve as a reasoning framework for authorization in heterogeneous distributed systems.

Finally we extend PeerAccess's release control constructs so that they can be used to reason about the dissemination control of aggregated information derived based on sources received from other parties, including both declassification and reclassification. This makes PeerAccess the first framework to provide systematic and flexible access control for aggregated resources. Such capability is essential to multiparty authorization in an open distributed environment, without which a peer will be uncomfortable authorizing any qualified external party to access its sensitive information for any practical use, thus effectively closing up the system.
Keywords/Search Tags:Open distributed, Authorization, Systems, Among multiple parties, MTN, Access