A Prolog Program for Matching Attribute-Based Credentials to Access Control Policies

In an attribute-based credential system, users employ credentials issued by credentials issuers to compute presentation tokens that prove to service providers that the user's credentials fulfill the access control policies to access services. The number of user credentials and the number of ways a policy can be satisfied can be large. Therefore, a user has to choose which subset of her credentials she wishes to employ to compute a presentation token. This choice has both efficiency and privacy implications. We present a Prolog program that lists all the credentials subsets that can be used to fulfill a given policy. In our program, credentials are represented by facts and policies by rules. By querying a rule, the Prolog engine lists all the combinations of facts that satisfy the rule. Therefore, we remark the simplicity of our approach, which simply requires representing credentials and policies in Prolog and avoids the need of implementing credential-policy matching or exhaustive search algorithms. Furthermore, our program is also useful on the verifier side. By using facts to represent the credential information disclosed by a user's presentation tokens, when the user wishes to access a new service, the service provider can verify whether the credential information already disclosed fulfills the policy for that service. Our Prolog program implements a variety of features of an attribute-based credential system: pseudonyms, key binding, different restrictions for attribute values, issuer-driven and verifier-driven revocation, and inspection. Our program can easily be extended to implement more features.

By: Jan Camenisch, Sebastian Mödersheim, Gregory Neven, Franz-Stefan Preiss, and Alfredo Rial

Published in: RZ3890 in 2015


Questions about this service can be mailed to reports@us.ibm.com .