introduction to access control and trust management daniel trivellato
TRANSCRIPT
Introduction to Access Control and
Trust Management
Daniel Trivellato
04/09/2009 Minor project course 2
Outline
Introduction to Access Control
Discretionary and Mandatory Access Control
Role-Based Access Control
Distributed Trust Management
  Reputation-based TM
  Rule-based TM
Authentication vs. Access Control
Authentication: establishing who you are (or whether you possess a certain pseudonym)
Access Control: establishing whether you have the right to perform a certain action
Authentication is often necessary for access control
Basics: Subject, Object, Action
Subjects: Alice, Bob, Alice’s program
Objects: a file, the printer
Actions: read, write, execute, modify, send
Discretionary Access Control
Goal: prevent illegitimate access to resources
Access is granted to users, or user groups
Ownership: users have all the rights about the objects they create
Delegation: users can grant the rights they have to others
Users that have control can remove rights
DAC Models
Take-grant model
Lampson (1974)
Graham-Denning (1972)
Harrison-Ruzzo-Ullman (1976)
Griffiths-Wade (1976)
Originator control (1989)
Lampson’s Access Matrix
Set of objects O
Set of users U
Access Matrix A (U x U and U x O)
Entries are sets of allowed actions (read, write, call, …)
Plus "owns" for administration of rights
* flag for delegation right
Access Matrix - Example
Objects (columns): File 1, File 2, File 3, Program 1
Subjects (rows): Alice, Bob, Charlie
Entries in slide order (column positions lost in extraction):
Alice: owns, read, write; read, write
Bob: read*; read; write; execute
Charlie: read; execute; read
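The matrix model with ownership, the * delegation flag and revocation by the controlling subject, as an added example that is not part of the lecture; the subjects, objects and grants in the scenario are constructed for illustration.

```python
"""Lampson-style access matrix: ownership, the * delegation flag, revocation.
Added example, not from the lecture; the subjects, objects and grants below
are constructed for illustration."""
from collections import defaultdict

class AccessMatrix:
    def __init__(self):
        # matrix[subject][object] -> set of rights. "read*" is read with the
        # delegation flag; "owns" marks who administers rights on the object.
        self.matrix = defaultdict(lambda: defaultdict(set))

    def create(self, subject, obj):
        # Ownership: the creator gets every right, all delegable.
        self.matrix[subject][obj] |= {"owns", "read*", "write*", "execute*"}

    def has(self, subject, obj, right):
        rights = self.matrix[subject][obj]
        return right in rights or right + "*" in rights

    def can_delegate(self, granter, obj, right):
        # Delegation needs the * flag on that right (owners have it on all).
        rights = self.matrix[granter][obj]
        return "owns" in rights or right + "*" in rights

    def grant(self, granter, grantee, obj, right, delegable=False):
        if not self.can_delegate(granter, obj, right):
            raise PermissionError(f"{granter} may not grant {right} on {obj}")
        self.matrix[grantee][obj].add(right + ("*" if delegable else ""))

    def revoke(self, revoker, subject, obj, right):
        # Only a subject with control (here: the owner) may remove rights.
        # Rights the subject already passed on are not revoked transitively.
        if "owns" not in self.matrix[revoker][obj]:
            raise PermissionError(f"{revoker} does not control {obj}")
        self.matrix[subject][obj] -= {right, right + "*"}

def scenario():
    """Alice creates File 1, delegates read* to Bob, Bob passes read to Charlie."""
    m = AccessMatrix()
    m.create("Alice", "File 1")
    m.grant("Alice", "Bob", "File 1", "read", delegable=True)   # Bob: read*
    m.grant("Bob", "Charlie", "File 1", "read")                 # Charlie: read
    try:                                      # Charlie has no * flag: refused
        m.grant("Charlie", "Dave", "File 1", "read")
        charlie_delegated = True
    except PermissionError:
        charlie_delegated = False
    m.revoke("Alice", "Bob", "File 1", "read")
    return charlie_delegated, m.has("Bob", "File 1", "read"), m.has("Charlie", "File 1", "read")
```

After Alice revokes Bob's read, Charlie keeps the copy Bob gave him, which is exactly the revocation problem that the later DAC models on the slide address.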
Mandatory Access Control
Goal: prevent illegitimate flow (leakage) of information
Attach security labels to subjects and objects
  Users, processes are given a clearance
  Objects, resources are given a label
Information can not flow to lower or incomparable security classes
MAC – Example
Figure: subjects (clearances) and objects (labels) at four levels, TS, S, C, U; information flows upward; read and write arrows at each level.
Bell-La Padula: NO READ UP, NO WRITE DOWN
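The two Bell-La Padula properties as decision functions, as an added example that is not part of the lecture. It goes slightly beyond the slide's linear TS > S > C > U ladder by giving each label a set of compartments, so that "incomparable" classes (same level, disjoint compartments) can be exercised; the subjects, objects and compartment names are constructed here.

```python
"""Bell-La Padula decisions over labels (level, compartments), where levels are
the slide's U < C < S < TS. Added example, not from the lecture; the subjects,
objects and the compartment names are constructed for illustration."""
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # unclassified .. top secret

def dominates(a, b):
    """a dominates b: a's level is at least b's and a holds all of b's
    compartments. Labels with disjoint compartments are incomparable."""
    (level_a, comps_a), (level_b, comps_b) = a, b
    return LEVELS[level_a] >= LEVELS[level_b] and comps_a >= comps_b

def may_read(clearance, label):
    # Simple security property: no read up.
    return dominates(clearance, label)

def may_write(clearance, label):
    # *-property: no write down; the target must dominate the writer, so
    # information only moves to equal or higher classes, never to an
    # incomparable one.
    return dominates(label, clearance)

def allowed(subjects, objects, subject, action, obj):
    clearance, label = subjects[subject], objects[obj]
    if action == "read":
        return may_read(clearance, label)
    if action == "write":
        return may_write(clearance, label)
    raise ValueError(f"unknown action {action!r}")

def label(level, *compartments):
    return (level, frozenset(compartments))

# Constructed scenario: a Secret analyst cleared for "crypto" and an intern.
SUBJECTS = {"analyst": label("S", "crypto"), "intern": label("U")}
OBJECTS = {"budget": label("C"), "ops_plan": label("TS", "crypto"),
           "memo": label("S", "crypto"), "reactor": label("S", "nuclear")}

def decisions(subject):
    """Every (action, object) decision for one subject."""
    return {(a, o): allowed(SUBJECTS, OBJECTS, subject, a, o)
            for a in ("read", "write") for o in OBJECTS}
```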
Role-Based Access Control
Users are assigned to roles; roles are assigned rights

Role         | File 1 | File 2      | File 3 | Program 1
Tester       | write  | read, write |        |
Programmer   |        | read, write |        |
Group member | read   |             |        | execute

User  | Tester | Programmer | Group member
Alice | x      |            | x
Bob   |        | x          | x

Resulting rights:
User  | File 1      | File 2      | File 3 | Program 1
Alice | read, write | read, write |        | execute
Bob   | read        | read, write |        | execute
RBAC
Roles can be hierarchical; rights are inherited
Figure: role hierarchy with Project leader, Project member, Tester and Programmer
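The user-role and role-right tables from the previous slide, evaluated by code that also closes a user's roles under a hierarchy so that senior roles inherit their juniors' rights; this is an added example, not part of the lecture. The role and user tables reproduce the slide, while the hierarchy (Project leader above Tester and Programmer, which sit above Project member and Group member) and the user Carol are assumptions made here.

```python
"""RBAC: user -> roles -> rights, with a role hierarchy whose senior roles
inherit their juniors' rights. Added example, not from the lecture: the role
and user tables reproduce the slide; the hierarchy below is an assumption
made here for illustration, the slide only names the roles."""
from collections import defaultdict

# Permission assignment, role -> {object: actions}   (from the slide)
ROLE_RIGHTS = {
    "Tester":       {"File 1": {"write"}, "File 2": {"read", "write"}},
    "Programmer":   {"File 2": {"read", "write"}},
    "Group member": {"File 1": {"read"}, "Program 1": {"execute"}},
}
# User assignment (Alice and Bob from the slide, Carol constructed)
USER_ROLES = {"Alice": {"Tester", "Group member"},
              "Bob": {"Programmer", "Group member"},
              "Carol": {"Project leader"}}
# Role hierarchy, senior role -> its direct junior roles (assumed)
JUNIORS = {"Project leader": {"Tester", "Programmer"},
           "Tester": {"Project member"}, "Programmer": {"Project member"},
           "Project member": {"Group member"}}

def all_roles(roles, hierarchy=None):
    """Close a role set downwards: a senior role also acts as its juniors."""
    hierarchy, closed, todo = hierarchy or {}, set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in closed:
            closed.add(role)
            todo.extend(hierarchy.get(role, ()))
    return closed

def effective_rights(user, hierarchy=None):
    """Union of the rights of every role the user holds, inherited or not."""
    rights = defaultdict(set)
    for role in all_roles(USER_ROLES[user], hierarchy):
        for obj, actions in ROLE_RIGHTS.get(role, {}).items():
            rights[obj] |= actions
    return dict(rights)

def check(user, action, obj, hierarchy=None):
    return action in effective_rights(user, hierarchy).get(obj, set())
```

Without the hierarchy Carol's Project leader role carries no rights at all; with it she inherits everything Tester, Programmer and Group member can do.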
Trust Management
Typical access control mechanism: the subject shows an ID, the system looks up the authorization
TM alternative: the subject has attributes, the system infers the authorization
Distributed Trust Management
Deals with authorizations in a distributed system (e.g., the Internet)
Need to interact with people you don’t know
2 types of DTM:
  Reputation-based TM
  Rule-based TM
Reputation-based TM (concrete)
Community of cooks (200 people); to establish trust:
  you ask your friends and friends of friends
  ... some recommendations are better than others
  you check the record (if any)
  after success trust increases
Reputation-based TM (virtual)
eBay (hundreds of millions of users)
Buyers and sellers rate each other after a transaction:
  Positive (r(i,j) = 1)
  Neutral (r(i,j) = 0)
  Negative (r(i,j) = -1)
Key features
Open system (different security domains)
Trust is a measure & changes in time
Essential risk component
Recommendation based (NOT identity-based)
Peers are not continuously available
Algorithms (e.g., EigenTrust)
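How the pairwise ratings r(i,j) from the eBay slide can be turned into one trust value per peer that changes as new ratings arrive, as an added example that is not part of the lecture. It follows the EigenTrust idea (normalise each peer's positive experience, then iterate so that a peer's reputation is weighted by the reputation of those who rated it), but the ratings are constructed and the 0.15 weight given to uniform pre-trust is an assumption made here, not a value from the lecture or the EigenTrust paper.

```python
"""Reputation from pairwise ratings r(i,j) in {-1, 0, 1}, aggregated with a
damped EigenTrust-style iteration. Added example, not from the lecture or
the EigenTrust paper; the ratings are constructed and the 0.15 weight given
to uniform pre-trust is an assumption made here."""

# Constructed ratings (rater, ratee, r(i,j)), one per completed transaction.
RATINGS = [("A", "B", 1), ("A", "C", 1), ("B", "A", 1),
           ("B", "C", -1), ("C", "A", 1), ("C", "B", 0)]
PEERS = ("A", "B", "C")

def local_trust(ratings, peers):
    """c[i][j]: i's normalised positive experience with j. Negative sums are
    floored at 0 so that bad history never turns into trust; a rater with no
    positive experience falls back to trusting everyone uniformly."""
    s = {i: {j: 0 for j in peers} for i in peers}
    for i, j, r in ratings:
        s[i][j] += r
    c = {}
    for i in peers:
        pos = {j: max(s[i][j], 0) for j in peers if j != i}
        total = sum(pos.values())
        c[i] = ({j: v / total for j, v in pos.items()} if total
                else {j: 1 / len(peers) for j in peers})
    return c

def global_trust(ratings, peers, a=0.15, tol=1e-12):
    """Iterate t <- (1-a) * C^T t + a * p with uniform pre-trust p until the
    vector stops changing; t[j] is j's global reputation (sums to 1)."""
    c = local_trust(ratings, peers)
    p = {j: 1 / len(peers) for j in peers}
    t = dict(p)
    while True:
        new = {j: (1 - a) * sum(c[i].get(j, 0) * t[i] for i in peers) + a * p[j]
               for j in peers}
        if max(abs(new[j] - t[j]) for j in peers) < tol:
            return new
        t = new
```

Without the damping term the plain iteration on these ratings flips between two vectors forever, which is why a pre-trust weight is part of the method.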
Rule-based TM (concrete)
Bart is entitled to a discount
If he is a student of the local university
Rule-based TM (virtual)
When is Bart now entitled to a discount?
Bart is entitled to a discount…
If he is a student of any accredited university. But perhaps also…
  If he is an employee of any governmental organization
  If he is a member of the library club
  If he is a veteran
  ….
Too many to mention. Which problems does this raise?
  Scalability
  Knowing where and what to search
Reputation vs. Rules
Reputation-based TM                        | Rule-based TM
open system (different security domains)   | open system (different security domains)
trust is a measure & changes in time       | trust is boolean & less time-dependent
risk-based                                 | no risk
no delegation                              | delegation
recommendation based (NOT identity-based)  | rule (credential) based (NOT identity-based)
peers are not continuously available       | peers are not continuously available
scalability                                | scalability
Credentials
A credential is a statement
  Signed by the issuer
  About a subject
  Containing info about the subject
Requirements:
  Unforgeable (!)
  Verifiable (that it belongs to the subject asking for the service)
  Signed (e.g. X.509)
Credential Chains
Figure: Bart --is student of--> TU/e --is accredited by--> Accreditation Bureau --is accepted by--> Shop
We have a chain of credentials: the subject of one is the issuer of the other one
Languages for TM
A good language for TM must be able to express:
  Decentralized attributes
  Delegation of attribute authority
  Inference of attributes
  Attribute fields (e.g., age)
  Attribute-based delegation of authority
Decentralized Attributes
An entity asserts that another entity has a certain attribute, e.g., student(TU/e,Alice)
The TU/e asserts that Alice is a student
  Issuer: TU/e
  Subject: Alice
Where is it stored?
Delegation of Attribute Authority
An entity delegates (i.e. trusts) the authority over an attribute to another entity, e.g., student(DSA,X) ← student(TU/e,X)
The “Dutch Students Association” considers as students all the students of the TU/e
Operationally: anyone showing a TU/e student credential can get a student credential from the DSA
  Issuers: DSA, TU/e
  Subject: X
Inference of Attributes
An entity uses one attribute to make inferences about another attribute, e.g., employee(TU/e,X) ← professor(TU/e,X)
The TU/e asserts that every TU/e professor is also a TU/e employee
Attribute Fields
Credentials may carry field values, e.g. student(DSA,Alice,university=TU/e)
Field values can be used to infer additional attributes and for conditional delegation, e.g. ccard(VISA,X) ← client(ABN,X,credit=Y) AND Y > 2000
VISA releases credit cards only to ABN clients with more than 2000€ in their account
Attribute-based Delegation of Authority
An entity may delegate the authority to another entity depending on its attributes, e.g. ccard(VISA,X) ← client(Y,X) AND certified(EB,Y)
VISA releases a credit card only to clients of banks which are certified by the “European Bank”
By doing so, VISA does not need to explicitly mention all the banks which are trusted
VISA trusts EB’s opinion about banks
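A tiny forward-chaining engine that runs the four rule shapes from these slides (delegation of authority, inference of attributes, a field condition, and attribute-based delegation) over a set of credentials, as an added example that is not part of the lecture. The credentials, the "?X" variable notation and the positional encoding of the credit field are assumptions made here, not the syntax of any real TM language; the chain Carol -> ING -> EB -> VISA that it derives plays the same role as the Bart -> TU/e -> Accreditation Bureau -> Shop chain shown earlier.

```python
"""Tiny Datalog-style engine for the slides' rule-based TM examples.
Added example, not from the lecture; credentials and '?X' syntax are constructed."""

def unify(pattern, fact, env):
    """Extend env so pattern matches fact (variables start with '?'), or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if (env.setdefault(p, f) if str(p).startswith("?") else p) != f:
            return None
    return env

def matches(body, facts, env=None):
    """Yield every binding under which all body atoms are known credentials."""
    if not body:
        yield env or {}
        return
    for fact in facts:
        e = unify(body[0], fact, env or {})
        if e is not None:
            yield from matches(body[1:], facts, e)

def infer(facts, rules):
    """Forward chaining: apply the rules until no new credential appears."""
    facts = set(facts)
    while True:
        new = set()
        for head, body, cond in rules:
            for env in matches(body, facts):
                if cond(env):
                    new.add(tuple(env.get(t, t) for t in head))
        if new <= facts:
            return facts
        facts |= new

# Credentials as (attribute, issuer, subject[, field]); all constructed.
FACTS = {("student", "TU/e", "Alice"), ("professor", "TU/e", "Dan"),
         ("client", "ABN", "Bob", 2500), ("client", "ABN", "Eve", 500),
         ("client", "ING", "Carol", 900), ("certified", "EB", "ING")}
RULES = [  # (head, body, side condition on the bindings)
    # student(DSA,X) <- student(TU/e,X)               delegation of authority
    (("student", "DSA", "?X"), [("student", "TU/e", "?X")], lambda e: True),
    # employee(TU/e,X) <- professor(TU/e,X)           inference of attributes
    (("employee", "TU/e", "?X"), [("professor", "TU/e", "?X")], lambda e: True),
    # ccard(VISA,X) <- client(ABN,X,credit=Y) AND Y > 2000    attribute field
    (("ccard", "VISA", "?X"), [("client", "ABN", "?X", "?Y")], lambda e: e["?Y"] > 2000),
    # ccard(VISA,X) <- client(Y,X) AND certified(EB,Y)  attribute-based delegation
    (("ccard", "VISA", "?X"), [("client", "?Y", "?X", "?C"), ("certified", "EB", "?Y")],
     lambda e: True),
]

def holds(attr, issuer, subject):
    return (attr, issuer, subject) in infer(FACTS, RULES)
```

Eve gets no card from either rule: her credit is below the field threshold and her bank has no EB certification, so no chain reaches VISA.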
Credential Storage
Every credential can be stored by its issuer, its subject, or a third party
When we try to build a credential chain, we must be able to retrieve the appropriate credentials
Credential chain discovery algorithms suggest storage schemas according to which credentials are retrieved:
  RT: backward and forward search algorithm
  TuLiP
  POLIPO
In the next lecture…
The POLIPO framework:
  a rule-based TM language
  a reputation system
  an algorithm for credential chain discovery