Research on a Trustworthiness-Based RBAC Model and Its Application
Abstract
With the rapid development of network technology, information security is receiving increasing attention. Authentication and access control, two important mechanisms in the field of information security, play a vital role in networked information systems. In traditional security schemes, however, the two mechanisms lack the necessary linkage, so authentication and authorization are disconnected from each other, which introduces security risks.
To address this problem, this thesis proposes a trustworthiness-based RBAC model. The model combines trustworthiness techniques with access control and measures the result of authentication as a trustworthiness value, thereby strengthening the link between authentication and access control. The thesis studies the model that introduces trustworthiness into RBAC and the issues in implementing it. The main work covers: (1) the RBAC model with trustworthiness and its features; (2) trustworthiness and its calculation; (3) the trustworthiness-based object access condition; (4) the application of the trustworthiness-based RBAC model in a teaching administration system.
The thesis focuses on the trustworthiness-based object access condition. A user obtains a different trustworthiness value depending on the authentication mechanism passed, and the system uses this value as the basis of its access decision, granting the user different access rights. When this object access condition is applied to the RBAC access control model, a user must satisfy the trusted-activation constraints on both roles and permissions to obtain the corresponding permissions; otherwise the user's permissions are reduced or restricted. Because the authentication result is taken into account during authorization, the model ties authentication to access control.
Against the background of developing our university's teaching administration system, the thesis proposes the overall structure of the system's security subsystem, applies the trustworthiness-based RBAC model to it, lays out the flow by which the system authenticates users and controls access, and analyzes in detail the functions of the security components and the database design.
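
A minimal sketch of the access decision the abstract describes, added here as an illustration and not taken from the thesis: the per-mechanism trust values, the rule for combining mechanisms, the role and permission names and every threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed trust values per authentication mechanism (assumption).
AUTH_TRUST = {"password": 0.4, "otp": 0.7, "certificate": 0.9}

@dataclass(frozen=True)
class Permission:
    name: str
    min_trust: float          # permission-level activation threshold

@dataclass(frozen=True)
class Role:
    name: str
    min_trust: float          # role-level activation threshold
    permissions: tuple

def session_trust(mechanisms):
    """Trust of a session from the mechanisms the user passed.

    Assumed combination rule: 1 - prod(1 - t_i). Unknown mechanisms
    contribute no trust (fail closed); repeats add nothing.
    """
    distrust = 1.0
    for m in set(mechanisms):
        distrust *= 1.0 - AUTH_TRUST.get(m, 0.0)
    return 1.0 - distrust

def activated_permissions(assigned_roles, mechanisms):
    """Two-level check: the role must activate, then each permission."""
    trust = session_trust(mechanisms)
    granted = set()
    for role in assigned_roles:
        if trust < role.min_trust:
            continue          # role stays inactive for this session
        for perm in role.permissions:
            if trust >= perm.min_trust:
                granted.add(perm.name)
    return granted

# Constructed roles for a teaching administration system (assumption).
TEACHER = Role("teacher", 0.3, (Permission("view_grades", 0.3),
                                Permission("submit_grades", 0.6)))
REGISTRAR = Role("registrar", 0.8, (Permission("view_transcript", 0.8),
                                    Permission("modify_transcript", 0.85)))

if __name__ == "__main__":
    for mechs in (["password"], ["password", "otp"], ["certificate"]):
        print(mechs, sorted(activated_permissions([TEACHER, REGISTRAR], mechs)))
```

The same user with the same role assignments ends up with a smaller permission set after a weaker login, which is the coupling of authentication and authorization that the model aims for.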