IJCNIS Vol. 6, No. 3, 8 Feb. 2014
Keywords: Access-control, Authentication, Authorization, RBES, Role, Privileges, Examination
Over the years, e-learning and e-examination have become standard in many institutions of higher learning. It has been observed that examination questions and results can be easily intercepted by invalid users, so the security of resources shared among valid users is not guaranteed. To address these access-control problems, a Role Based Examination System (RBES) was designed, developed and evaluated. RBES addresses the security issue by combining two authentication techniques: text-based authentication and graphical password authentication. The text-based authentication uses two text parameters, the username and the password. The graphical password authentication uses a finite set of controls (RBES chooses radio buttons) identified by numbers; these numbers constitute the password used for graphical authentication. To improve resource sharing among users of the examination system, RBES proposes role management (role creation, role update, role removal) and user management (user creation, user update and user removal). The system was developed with ASP.NET, C#, IIS server, WAMP server, MySQL and other tools. RBES was tested by some legitimate and illegitimate users and the performance of the system was found to be satisfactory, hence RBES is an efficient and reliable scheme that can be deployed in any examination or e-learning system. Finally, the potential threats to the system were modeled, and the use of weak passwords was found to be the most likely threat to which the system could be vulnerable.
Adebukola Onashoga, Adebayo Abayomi-Alli, Timileyin Ogunseye, "Enhanced Role Based Access Control Mechanism for Electronic Examination System", International Journal of Computer Network and Information Security(IJCNIS), vol.6, no.3, pp.1-9, 2014. DOI:10.5815/ijcnis.2014.03.01
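As an added illustration (not code from the paper or from the RBES implementation, which is ASP.NET/C#), the Python sketch below models the pieces the abstract names: role management, user management, a two-factor login that checks the text password and the numbered-control graphical password together, a privilege check derived from the user's roles, and a weak-password gate for the threat the authors rate most likely. The role and privilege names, the PBKDF2 hashing, the password policy and the small blocklist are assumptions made for this example, not details taken from the paper.

```python
import hashlib
import hmac
import secrets

# Constructed blocklist of common passwords (assumption, not from the paper).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin", "letmein"}


def is_weak_password(password: str) -> bool:
    """Policy assumed for this example: >= 8 chars, not common, >= 3 character classes."""
    if len(password) < 8 or password.lower() in COMMON_PASSWORDS:
        return True
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return classes < 3


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are not directly reusable if leaked.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _encode(graphical_sequence) -> str:
    # The graphical password is the ordered list of control numbers, e.g. [3, 1, 4, 2].
    return "-".join(str(int(n)) for n in graphical_sequence)


class RBES:
    """Roles map to privilege sets; users hold role names plus two credential hashes."""

    def __init__(self):
        self.roles = {}   # role name -> set of privileges
        self.users = {}   # username -> {"salt", "pw_hash", "gp_hash", "roles"}

    # --- role management: create / update / remove ---
    def create_role(self, role, privileges):
        if role in self.roles:
            raise ValueError(f"role already exists: {role}")
        self.roles[role] = set(privileges)

    def update_role(self, role, privileges):
        if role not in self.roles:
            raise KeyError(role)
        self.roles[role] = set(privileges)

    def remove_role(self, role):
        del self.roles[role]
        for user in self.users.values():      # no dangling role assignments
            user["roles"].discard(role)

    # --- user management: create / update / remove ---
    def create_user(self, username, password, graphical_sequence, roles=()):
        if username in self.users:
            raise ValueError(f"user already exists: {username}")
        if is_weak_password(password):
            raise ValueError("weak password rejected")
        unknown = set(roles) - self.roles.keys()
        if unknown:
            raise KeyError(f"unknown roles: {sorted(unknown)}")
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": _hash(password, salt),
            "gp_hash": _hash(_encode(graphical_sequence), salt),
            "roles": set(roles),
        }

    def update_user(self, username, roles):
        unknown = set(roles) - self.roles.keys()
        if unknown:
            raise KeyError(f"unknown roles: {sorted(unknown)}")
        self.users[username]["roles"] = set(roles)

    def remove_user(self, username):
        del self.users[username]

    # --- authentication: both factors must verify, single verdict returned ---
    def authenticate(self, username, password, graphical_sequence) -> bool:
        user = self.users.get(username)
        if user is None:
            _hash(password, b"\x00" * 16)   # same cost for unknown users
            return False
        ok_pw = hmac.compare_digest(_hash(password, user["salt"]), user["pw_hash"])
        ok_gp = hmac.compare_digest(_hash(_encode(graphical_sequence), user["salt"]),
                                    user["gp_hash"])
        return ok_pw and ok_gp   # does not reveal which factor failed

    # --- authorization: privilege is the union over the user's roles ---
    def privileges_of(self, username):
        user = self.users.get(username)
        if user is None:
            return set()
        return set().union(*(self.roles.get(r, set()) for r in user["roles"]))

    def authorize(self, username, privilege) -> bool:
        return privilege in self.privileges_of(username)


if __name__ == "__main__":
    rbes = RBES()
    rbes.create_role("examiner", {"create_question", "view_results"})
    rbes.create_user("alice", "Correct-Horse-42", [3, 1, 4, 2], roles=["examiner"])
    print(rbes.authenticate("alice", "Correct-Horse-42", [3, 1, 4, 2]))  # True
    print(rbes.authorize("alice", "view_results"))                       # True
```

Removing a role strips it from every user so a deleted role cannot keep granting access, and `authenticate` evaluates both factors before combining them so an attacker learns only pass/fail, not which factor was wrong.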