
Introduction to Access Control and Trust Management

Daniel Trivellato

04/09/2009, Minor project course

Outline

- Introduction to Access Control
- Discretionary and Mandatory Access Control
- Role-Based Access Control
- Distributed Trust Management
  - Reputation-based TM
  - Rule-based TM


Authentication vs. Access Control

- Authentication: establishing who you are (or whether you possess a certain pseudonym)
- Access Control: establishing whether you have the right to perform a certain action
- Authentication is often necessary for access control



Basics: Subject, Object, Action

- Subjects: Alice, Bob, Alice’s program
- Objects: a file, the printer
- Actions: read, write, execute, modify, send


Discretionary Access Control

- Goal: prevent illegitimate access to resources
- Access is granted to users, or user groups
- Ownership: users have all the rights over the objects they create
- Delegation: users can grant the rights they have to others
- Users that have control can remove rights


DAC Models

- Take-grant model
- Lampson (1974)
- Graham-Denning (1972)
- Harrison-Ruzzo-Ullman (1976)
- Griffiths-Wade (1976)
- Originator control (1989)


Lampson’s Access Matrix

- Set of objects O
- Set of users U
- Access Matrix A (UxU and UxO)
  - Entries are sets of allowed actions (read, write, call, …)
  - Plus "owns" for administration of rights
  - "*" flag for delegation right


Access Matrix - Example

Objects (columns): File 1, File 2, File 3, Program 1

Entries per subject (rows), in the order they appear:

- Alice: owns, read, write; read, write
- Bob: read*; read, write; execute
- Charlie: read; execute; read


Mandatory Access Control

- Goal: prevent illegitimate flow (leakage) of information
- Attach security labels to subjects and objects
  - Users, processes are given a clearance
  - Objects, resources are given a label
- Information cannot flow to lower or incomparable security classes


MAC – Example

[Figure: subjects and objects at the levels TS, S, C, U, with "read" and "write" arrows between them and an arrow labelled "Information flow"]

Bell-LaPadula: no read up, no write down
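The two Bell-LaPadula rules above as a label check, written as an added example that is not part of the slides. The category sets are an assumption, introduced only to produce the "incomparable" classes the previous slide mentions; the figure shows the four levels alone, and the sample subjects and objects are constructed.

```python
from dataclasses import dataclass

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # the four levels in the figure


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # assumption: compartments, not on the slide


def dominates(a, b):
    """True if a is at least as high as b: higher-or-equal level and a superset of categories."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def can_read(subject, obj):
    # No read up: the subject's clearance must dominate the object's label.
    return dominates(subject, obj)


def can_write(subject, obj):
    # No write down: the object's label must dominate the subject's clearance,
    # so information only ever moves to an equal or higher class.
    return dominates(obj, subject)


# Constructed sample labels.
ALICE = Label("S", frozenset({"crypto"}))
REPORT = Label("C")                            # lower class
PLAN = Label("TS", frozenset({"crypto"}))      # higher class
NUCLEAR = Label("S", frozenset({"nuclear"}))   # same level, incomparable class


def decisions(subject, objects):
    """Return {object name: (read allowed, write allowed)} for one subject."""
    return {name: (can_read(subject, o), can_write(subject, o))
            for name, o in objects.items()}


if __name__ == "__main__":
    table = decisions(ALICE, {"report": REPORT, "plan": PLAN, "nuclear": NUCLEAR})
    for name, (r, w) in table.items():
        print(f"{name:8} read={r} write={w}")
```

The incomparable object is the case a plain level comparison misses: neither label dominates the other, so both read and write are refused.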


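Role-Based Access Control

- Users are assigned to roles
- Roles are assigned rights

Role rights (objects: File 1, File 2, File 3, Program 1), entries in the order they appear:

- Tester: write; read, write
- Programmer: read, write
- Group member: read; execute

Role assignment (roles: Tester, Programmer, Group member):

- Alice: x x
- Bob: x x

Resulting user rights (objects: File 1, File 2, File 3, Program 1), entries in the order they appear:

- Alice: read, write; read, write; execute
- Bob: read; read, write; execute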


RBAC

- Roles can be hierarchical
- Rights are inherited

[Figure: role hierarchy over the roles Project leader, Project member, Tester, Programmer]


Trust Management

[Figure: two diagrams.
Typical access control mechanism: subject, ID, authorization, with arrows labelled "shows" and "lookup".
TM alternative: subject, attributes, authorization, with arrows labelled "has" and "infers".]


Distributed Trust Management

- Deals with authorizations in a distributed system (e.g., the Internet)
  - need to interact with people you don’t know
- 2 types of DTM
  - Reputation-based TM
  - Rule-based TM


Reputation-based TM (concrete)

- community of cooks (200 people)
- to establish trust:
  - you ask your friends and friends of friends
    - ... some recommendations are better than others
  - you check the record (if any)
- after success trust increases


Reputation-based TM (virtual)

eBay (hundreds of millions of users)


Buyers and sellers rate each other after a transaction:

- Positive (r(i,j) = 1)
- Neutral (r(i,j) = 0)
- Negative (r(i,j) = -1)


Key features

- open system (different security domains)
- trust is a measure & changes in time
- essential risk component
- recommendation based (NOT identity-based)
- peers are not continuously available

Algorithms (e.g., EigenTrust)


Rule-based TM (concrete)

Bart is entitled to a discount

If he is a student of the local university


Rule-based TM (virtual)

When is Bart now entitled to a discount?


Bart is entitled to a discount…

- If he is a student of any accredited University.
- But perhaps also…
  - If he is an employee of any governmental organization
  - If he is a member of the library club
  - If he is a veteran
  - ….
- Too many to mention
- Which problems does this raise?
  - Scalability
  - Knowing where and what to search


Reputation vs. Rules

Reputation:

- open system (different security domains)
- trust is a measure & changes in time
- risk-based
- no delegation
- recommendation based (NOT identity-based)
- peers are not continuously available
- scalability

Rules:

- open system (different security domains)
- trust is boolean & less time-dependent
- no risk
- delegation
- rule (credential) based (NOT identity-based)
- peers are not continuously available
- scalability


Credentials

- A credential is a statement
  - Signed by the issuer about a subject
  - Containing info about the subject
- Requirements
  - Unforgeable (!)
  - Verifiable (that it belongs to the subject asking for the service)
  - Signed (e.g. X.509)


Credential Chains

[Figure: chain of credentials linking Bart, TU/e, Accreditation Bureau and Shop, with links labelled "Is student of", "Is accredited by" and "Is accepted by"]

- We have a chain of credentials
- The subject of one is the issuer of the other one


Languages for TM

A good language for TM must be able to express:

- Decentralized attributes
- Delegation of attribute authority
- Inference of attributes
- Attribute fields (e.g., age)
- Attribute-based delegation of authority


Decentralized Attributes

- An entity asserts that another entity has a certain attribute
  e.g., student(TU/e,Alice)
- The TU/e asserts that Alice is a student
  - Issuer: TU/e
  - Subject: Alice
  - Where is it stored?


Delegation of Attribute Authority

- An entity delegates (i.e. trusts) the authority over an attribute to another entity
  e.g., student(DSA,X) student(TU/e,X)
- The “Dutch Students Association” considers as students all the students of the TU/e
  - Operationally: anyone showing a TU/e student credential can get a student credential from the DSA
  - Issuers: DSA, TU/e
  - Subject: X


Inference of Attributes

- An entity uses one attribute to make inferences about another attribute
  e.g., employee(TU/e,X) professor(TU/e,X)
- The TU/e asserts that every TU/e professor is also a TU/e employee


Attribute Fields

- Credentials may carry field values
  e.g. student(DSA,Alice,university=TU/e)
- Field values can be used to infer additional attributes and for conditional delegation
  e.g. ccard(VISA,X) client(ABN,X,credit=Y) AND Y > 2000
- VISA releases credit cards only to ABN clients with more than 2000€ in their account


Attribute-based Delegation of Authority

- An entity may delegate the authority to another entity depending on its attributes
  e.g. ccard(VISA,X) client(Y,X) AND certified(EB,Y)
- VISA releases a credit card only to clients of banks which are certified by the “European Bank”
- By doing so, VISA does not need to explicitly mention all the banks which are trusted
- VISA trusts EB’s opinion about banks


Credential Storage

- Every credential can be stored by its issuer, its subject, or a third party
- When we try to build a credential chain, we must be able to retrieve the appropriate credentials
- Credential chain discovery algorithms suggest storage schemas according to which credentials are retrieved
  - RT: backward and forward search algorithm
  - TuLiP
  - POLIPO


In the next lecture…

The POLIPO framework:

- a rule-based TM language
- a reputation system
- an algorithm for credential chain discovery
