Secure Information Sharing Using Attribute Certificates and Role Based Access Control
Ganesh Godavari, C. Edward Chow, University of Colorado at Colorado Springs; International Conference of Security and Management 2005 (06/22/2005)
Slide transcript


Secure Information Sharing Using Attribute Certificates and Role Based Access Control

Ganesh Godavari, C. Edward Chow

06/22/2005

University of Colorado at Colorado Springs

International Conference of Security and Management 2005

Introduction to Information Sharing

Information Sharing relates to the sharing of information between two or more entities.

Synchronous information sharing: real-time collaboration in the "same time, different place" setting. Tools: instant messaging, video conferencing, ...

Asynchronous information sharing: collaboration in the "different time, different place" setting. Tools: discussion boards, e-mail, ...

Introduction to Information Sharing

Steps for secure information sharing:

Authentication: username/password, PIN, X.509 certificates, ...

Authorization: group-based authorization, role-based authorization, etc.

Access: secure storage of the authorization policy is critical. Attribute Certificates (ACs) are the vehicle used for this here.

Secure Information Sharing

Motivation: a paradigm shift from "need to know" to "need to share".

Incidents such as 9/11 and natural-disaster relief: organizations are more intertwined now than ever.

Rapid deployment of a secure information sharing system for a multi-agency task force has become a critical issue for homeland security and defense.

In this setting, information sharing means the sharing of information between multiple agencies or organizations.

Role Based Access Control

The core RBAC model (figure, rendered as text):

USERS -- User Assignment (UA), many-to-many --> ROLES -- Permission Assignment (PA), many-to-many --> PRMS (permissions: operations on objects)
USERS -- user_session, one-to-many --> SESSIONS -- session_roles --> ROLES

A user is associated with a session; session_roles gives the roles activated by the session.

A NIST study shows that a user's role is unlikely to change often, and roles are tightly related to access rights to information.

File system operations: read, write and execute.

DBMS operations: insert, delete, append and update.
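The core RBAC model just described, as an added example written for this page (it is not code from the paper): users are assigned roles (UA), roles are assigned permissions (PA), and a session activates a subset of the user's roles, so the permissions in force are the union over the activated roles. The users, roles and objects are constructed for the example; the revocation step at the end shows why live sessions must be updated when a UA entry is removed.

```python
# Added example (not the paper's code): the core RBAC model from the slide in
# plain Python. Users, roles and objects below are constructed for the example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    operation: str  # read / write / execute, insert / delete / append / update
    obj: str        # the object: a file path, a table name, ...


@dataclass
class Session:
    user: str
    active_roles: set = field(default_factory=set)  # session_roles


class RBAC:
    def __init__(self):
        self.user_roles = {}  # UA: user -> roles (many-to-many)
        self.role_perms = {}  # PA: role -> permissions (many-to-many)
        self.sessions = {}    # user_session: user -> sessions (one-to-many)

    def assign_user(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
        self.role_perms.setdefault(role, set())

    def grant_permission(self, role, operation, obj):
        self.role_perms.setdefault(role, set()).add(Permission(operation, obj))

    def create_session(self, user, roles):
        # A session may activate only roles the user holds through UA.
        roles = set(roles)
        unassigned = roles - self.user_roles.get(user, set())
        if unassigned:
            raise PermissionError(f"{user} is not assigned {sorted(unassigned)}")
        session = Session(user, roles)
        self.sessions.setdefault(user, []).append(session)
        return session

    def session_permissions(self, session):
        # Available permissions are the union of PA over the activated roles.
        perms = set()
        for role in session.active_roles:
            perms |= self.role_perms.get(role, set())
        return perms

    def check_access(self, session, operation, obj):
        return Permission(operation, obj) in self.session_permissions(session)

    def revoke_role(self, user, role):
        # Removing a UA entry must also drop the role from every live session,
        # otherwise the revocation only takes effect after the user logs out.
        self.user_roles.get(user, set()).discard(role)
        for session in self.sessions.get(user, []):
            session.active_roles.discard(role)


def demo():
    rbac = RBAC()
    rbac.grant_permission("analyst", "read", "/share/reports/")
    rbac.grant_permission("dba", "insert", "incidents")
    rbac.grant_permission("dba", "delete", "incidents")
    rbac.assign_user("alice", "analyst")
    rbac.assign_user("alice", "dba")
    rbac.assign_user("bob", "analyst")

    results = {}
    # Alice activates only "analyst" for this session (least privilege).
    s1 = rbac.create_session("alice", {"analyst"})
    results["alice_read_reports"] = rbac.check_access(s1, "read", "/share/reports/")
    results["alice_delete_incidents"] = rbac.check_access(s1, "delete", "incidents")
    # Bob cannot activate a role he was never assigned.
    try:
        rbac.create_session("bob", {"dba"})
        results["bob_dba_session"] = True
    except PermissionError:
        results["bob_dba_session"] = False
    # Revoking a role takes effect on sessions that already activated it.
    s2 = rbac.create_session("alice", {"dba"})
    results["alice_delete_before_revoke"] = rbac.check_access(s2, "delete", "incidents")
    rbac.revoke_role("alice", "dba")
    results["alice_delete_after_revoke"] = rbac.check_access(s2, "delete", "incidents")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The session is what makes this more than a lookup table: a user holding several roles can activate only the ones a task needs, and the enforcement point checks the session, not the user, so revocation has to reach the session too.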

Attribute Certificates (ACs)

Standardized in RFC 3281, "An Internet Attribute Certificate Profile for Authorization" (since obsoleted by RFC 5755, which keeps the same AC structure).

An AC carries no public key, unlike a Public Key Certificate (PKC); it is used for storing short-duration attributes such as a role, a resource allocation or a security clearance.

ACs in security:
A strong identity of the holder is not required.
Access control specification.
Non-repudiation of the attributes by the issuer.
Privilege delegation, role allocation, ...

Privilege Management Infrastructure (PMI)

A Privilege Management Infrastructure is similar to a Public Key Infrastructure; its function is to specify the policy for attribute certificate issuance and management.

Comparison of PKIs and PMIs [chad2-02]:

Concept                 PKI entity                               PMI entity
Certificate             Public Key Certificate (PKC)             Attribute Certificate (AC)
Certificate issuer      Certification Authority (CA)             Attribute Authority (AA)
Certificate user        Subject                                  Holder
Certificate binding     Subject's name to public key             Holder's name to privilege attribute(s)
Revocation              Certificate Revocation List (CRL)        Attribute Certificate Revocation List (ACRL)
Root of trust           Root CA or Trust Anchor                  Source of Authority (SOA)
Subordinate authority   Subordinate Certification Authority      Attribute Authority (AA)

Issues with a large multi-agency information system

Issues:
How can we authenticate users belonging to multiple organizations?
How can an authorization policy be specified that encompasses multiple organizations?

Solutions:
X.509 certificates for identification of users.
Authorization based on the RBAC model.

Security administration can still be a management nightmare.

Context Free Grammar of Authorization Policy Specification

sisprivilegeset <role name> <privilegeset name> {
    <privilege> := if ( <expression> ) do <action>
    <expression> := <term> | <term> && <expression> | ( <expression> ) | ! ( <expression> )
    <term> := <factor> | <factor> || <term> | ( <term> )
    <factor> := <variable> <operator> <value>
    <operator> := > | >= | < | <= | == | != | #
    <action> := grantAccess | rejectAccess | acquirePrivileges <privilegeset name> | contact <authorization server>
}

#: regular expression string matching operator

RBAC specification format

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!--===== SIS request example =====-->
<sis>
  <Role>administrator</Role>
  <Group>Info Share</Group>
  <OU>UCCS</OU>
</sis>

Example: file access specification

Privilege specification for the administrator role (file access control specification):

sisprivilegeset administrator filematch {
    if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
    # user accounts protection from get and post requests by administrator
    if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
    if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
}

#: matching operator (A # B is true if A contains B; the pattern may use * as a wildcard, as in the rules above)
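A parser and evaluator for this privilege-set grammar, as an added example (not the authors' code), run over the administrator filematch set above plus one constructed numeric rule (clearance >= 2) that exercises the comparison operators. It follows the grammar as written (so || binds tighter than &&) and assumes, because the slides do not say: the # operator matches when the pattern occurs anywhere in the value and * matches any run of characters; rules are tried top to bottom and the first match decides; a request that matches no rule, or that lacks an attribute a rule tests, gets rejectAccess (fail closed). The slide's "#" comment line is left out of the embedded policy text because # is also the match operator.

```python
# Added example, not the authors' code; assumptions are listed in the lead-in.
import re

TOKEN_RE = re.compile(r'''(?P<ws>\s+) | (?P<str>"[^"]*"|“[^”]*”)
    | (?P<op>&&|\|\||>=|<=|==|!=|[<>\#!(){}]) | (?P<num>-?\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_.-]*) | (?P<bad>.)''', re.VERBOSE)
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
       "<=": lambda a, b: a <= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def tokenize(text):
    toks = [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(text) if m.lastgroup != "ws"]
    if any(k == "bad" for k, _ in toks):
        raise SyntaxError("unexpected character in policy text")
    return [(k, v[1:-1] if k == "str" else v) for k, v in toks]  # strip string quotes

class Parser:
    def __init__(self, tokens):
        self.toks = list(tokens) + [(None, None)]  # sentinel marks end of input

    def take(self, kind=None, val=None):
        k, v = self.toks[0]
        if (kind and k != kind) or (val is not None and v != val):
            raise SyntaxError(f"expected {kind} {val!r}, got {k} {v!r}")
        return self.toks.pop(0)[1]

    def privilegeset(self):  # sisprivilegeset <role name> <privilegeset name> { <privilege>* }
        self.take("ident", "sisprivilegeset")
        role, name, rules = self.take("ident"), self.take("ident"), []
        self.take("op", "{")
        while self.toks[0] != ("op", "}"):  # <privilege> := if ( <expression> ) do <action>
            self.take("ident", "if"); self.take("op", "(")
            expr = self.expression()
            self.take("op", ")"); self.take("ident", "do")
            action = self.take("ident")
            if action not in ("grantAccess", "rejectAccess", "acquirePrivileges", "contact"):
                raise SyntaxError(f"unknown action {action}")
            arg = self.take("ident") if action in ("acquirePrivileges", "contact") else None
            rules.append((expr, action, arg))
        self.take("op", "}")
        return {"role": role, "name": name, "rules": rules}

    def expression(self):  # <term> (&& <expression>)?  with <term> := <factor> (|| <term>)?
        return self.chain("&&", "and", lambda: self.chain("||", "or", self.unary))

    def chain(self, sym, tag, sub):  # right-recursive binary chain, exactly as the grammar is written
        left = sub()
        if self.toks[0] == ("op", sym):
            self.take(); return (tag, left, self.chain(sym, tag, sub))
        return left

    def unary(self):  # ! ( <expression> ) | ( <expression> ) | <variable> <operator> <value>
        if self.toks[0] == ("op", "!"):
            self.take(); return ("not", self.unary())
        if self.toks[0] == ("op", "("):
            self.take(); inner = self.expression(); self.take("op", ")")
            return inner
        var, op, (kind, value) = self.take("ident"), self.take("op"), self.toks[0]
        if (op not in OPS and op != "#") or kind not in ("str", "num", "ident"):
            raise SyntaxError(f"bad factor {var} {op} {value!r}")
        return ("cmp", var, op, self.take())

def evaluate(node, request):
    if node[0] == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    if node[0] == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if node[0] == "not":
        return not evaluate(node[1], request)
    _, var, op, value = node
    if var not in request:
        return False  # an attribute the request lacks never satisfies a rule
    if op == "#":  # pattern occurs anywhere in the value; '*' matches any characters
        return re.search(".*".join(map(re.escape, value.split("*"))), str(request[var])) is not None
    try:
        return OPS[op](float(request[var]), float(value))
    except ValueError:
        return OPS[op](str(request[var]), str(value))

def decide(policy, request):  # first matching rule decides; no match is rejectAccess
    for expr, action, arg in policy["rules"]:
        if evaluate(expr, request):
            return action, arg
    return "rejectAccess", None

ADMIN_POLICY = """sisprivilegeset administrator filematch {
    if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
    if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
    if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
    if ( ( url # "/share/" ) && ( clearance >= 2 ) ) do grantAccess
}"""

def demo():
    policy = Parser(tokenize(ADMIN_POLICY)).privilegeset()
    requests = {  # constructed requests
        "passwd_get": {"url": "/etc/passwd", "requestAction": "get"},
        "private_post": {"url": "/home/~bob/private/notes", "requestAction": "post"},
        "share_cleared": {"url": "/share/plan.doc", "requestAction": "get", "clearance": 3},
        "share_uncleared": {"url": "/share/plan.doc", "requestAction": "get", "clearance": 1},
    }
    return {name: decide(policy, req)[0] for name, req in requests.items()}
```

Rule order matters with first-match semantics: a grant placed above a reject for an overlapping pattern silently wins, which is why the reject rules for the private directories should be reviewed against every grant that could match the same URL.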

SIS system overview (figure; its components are listed here)

Administration Tool: creates, changes and revokes Attribute Certificates and maintains the RBAC policy file on the server.
User: authenticates with a PKC; the user's role specification is carried in an AC.
Access Control Decision and Enforcement Engine (ACDE): authorizes each request against the RBAC policy and the user's AC.
Protected services: Mail server, Database, Instant Messaging server, Web server.

Access Control and Decision Enforcement (flowchart, rendered as steps)

1. The request from the web browser arrives at the Apache SIS module.
2. Is it an SSL request? No: Forbidden.
3. Get the Common Name (CN) and Organization (O) from the client certificate.
4. Query the LDAP server: get the user's Attribute Certificate(s).
5. Validate the Attribute Certificate(s). Invalid: Forbidden.
6. Does the holder have the privileges for this request? No: Forbidden. Yes: serve the request.
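The decision flow above, as an added example (not the authors' Apache module). The LDAP directory, the ACRL, the trusted Attribute Authority, the role-to-privilege table and the client certificates are in-memory stand-ins constructed for the example. validate_ac checks what the flowchart's "validate" step has to establish (the AC's holder is bound to the CN and O taken from the client certificate, the issuer is trusted, the validity window covers now, the serial is not on the ACRL) and assumes the AC's signature has already been verified by the caller.

```python
# Added example (not the authors' Apache module): the ACDE decision flow from
# the slide, with a constructed in-memory LDAP stand-in, ACRL and client
# certificates; the AC signature is assumed to be verified before validate_ac.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AttributeCertificate:
    serial: int
    holder: tuple        # (CN, O): the identity the AC is bound to
    issuer: str          # Attribute Authority that signed it
    not_before: datetime
    not_after: datetime
    attributes: dict     # e.g. {"role": "administrator"}


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


TRUSTED_AA = {"rootCA-MA"}   # task-force Source of Authority (constructed)
ACRL = {17}                  # revoked AC serial numbers (constructed)
ROLE_PRIVILEGES = {          # stand-in for the RBAC policy file (constructed)
    "administrator": {("get", "/share/"), ("post", "/share/")},
    "analyst": {("get", "/share/")},
}
# Constructed LDAP directory: (CN, O) -> attribute certificates stored for that user.
DIRECTORY = {
    ("alice", "sis-nissc"): [AttributeCertificate(1, ("alice", "sis-nissc"), "rootCA-MA",
        utc(2005, 1, 1), utc(2005, 12, 31), {"role": "administrator"})],
    ("bob", "sis-connecticut"): [AttributeCertificate(17, ("bob", "sis-connecticut"), "rootCA-MA",
        utc(2005, 1, 1), utc(2005, 12, 31), {"role": "administrator"})],   # revoked
    ("carol", "sis-newjersey"): [AttributeCertificate(5, ("carol", "sis-newjersey"), "rootCA-MA",
        utc(2004, 1, 1), utc(2004, 12, 31), {"role": "analyst"})],         # expired
    ("dave", "sis-canada"): [AttributeCertificate(9, ("dave", "sis-canada"), "rogue-AA",
        utc(2005, 1, 1), utc(2005, 12, 31), {"role": "administrator"})],   # untrusted issuer
    ("erin", "sis-canada"): [AttributeCertificate(11, ("erin", "sis-canada"), "rootCA-MA",
        utc(2005, 1, 1), utc(2005, 12, 31), {"role": "analyst"})],
    ("frank", "sis-nissc"): [AttributeCertificate(1, ("alice", "sis-nissc"), "rootCA-MA",
        utc(2005, 1, 1), utc(2005, 12, 31), {"role": "administrator"})],   # copied AC, wrong holder
}


def client_identity(request):
    """Steps 1-3: the request must arrive over SSL with a client certificate;
    take CN and O from it. Anything else is Forbidden."""
    if not request.get("ssl") or not request.get("client_cert"):
        return None
    return (request["client_cert"]["CN"], request["client_cert"]["O"])


def validate_ac(ac, identity, now):
    """Step 5: holder binding, trusted issuer, validity window, revocation.
    Signature verification over the AC is assumed done by the caller."""
    return (ac.holder == identity and ac.issuer in TRUSTED_AA
            and ac.not_before <= now <= ac.not_after and ac.serial not in ACRL)


def has_privilege(acs, action, url):
    """Step 6: does a role carried by any valid AC allow (action, url prefix)?"""
    return any(action == a and url.startswith(prefix)
               for ac in acs
               for a, prefix in ROLE_PRIVILEGES.get(ac.attributes.get("role"), ()))


def acde(request, now):
    """Returns ('serve', None) or ('forbidden', reason)."""
    identity = client_identity(request)
    if identity is None:
        return ("forbidden", "ssl-client-certificate-required")
    # Step 4 (LDAP lookup) and step 5 (validation) together.
    acs = [ac for ac in DIRECTORY.get(identity, []) if validate_ac(ac, identity, now)]
    if not acs:
        return ("forbidden", "no-valid-attribute-certificate")
    if not has_privilege(acs, request["action"], request["url"]):
        return ("forbidden", "no-privilege")
    return ("serve", None)


def demo():
    now = utc(2005, 6, 22)  # the presentation date, used as "now" (constructed)

    def req(cn, o, action, url="/share/plan.doc", ssl=True):
        return {"ssl": ssl, "client_cert": {"CN": cn, "O": o}, "action": action, "url": url}

    cases = {
        "plain_http": req("alice", "sis-nissc", "get", ssl=False),
        "alice_post": req("alice", "sis-nissc", "post"),
        "bob_revoked": req("bob", "sis-connecticut", "get"),
        "carol_expired": req("carol", "sis-newjersey", "get"),
        "dave_untrusted_issuer": req("dave", "sis-canada", "get"),
        "erin_get": req("erin", "sis-canada", "get"),
        "erin_post": req("erin", "sis-canada", "post"),
        "frank_copied_ac": req("frank", "sis-nissc", "get"),
    }
    return {name: acde(r, now) for name, r in cases.items()}
```

The frank case is the one to note: an AC copied into another user's LDAP entry is rejected because the holder field is compared against the identity proven by the client certificate, not against the directory entry it was fetched from. Validation fails closed on every check, so a missing ACRL or an unparseable validity period should be treated as "invalid", never as "not revoked".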

Setup CA

The coordinator of the task force from multiple agencies sets up rootCA-MA (root CA for Multiple Agencies). Each agency requests a CA certificate signed by rootCA-MA, so that it can act as a subordinate CA, and then issues a new PKC to each user in its organization involved in the task force. At each server that provides the secure information sharing service for this task force, the rootCA-MA certificate is added to the CA bundle (the file containing the list of valid CAs). Each client/user installs their certificate in the local browser or applications.

Choices for storing ACs

A user's AC can be stored:
(a) in a central repository of the task force, with each agency's local administrator having control only over the ACs of the users belonging to that agency; or
(b) locally at each agency, where the AC defines the user's role within that agency.

In either case a user's privileges are the result of the association of the user with a particular agency, so when a user's privileges are revoked, all the agencies must be notified to prevent unauthorized access.

The trust relationship between organizations determines where the ACs are stored.

Setup PMI

Our approach: store all of a user's privileges in the organization the user originally belongs to, and check the user's privileges on every attempt to access the resources.

The coordinator of the task force signs the ACs of the members. Agency members' ACs are distributed and installed on the LDAP server of their agency. Web servers and shared applications query the PMI for authorization and access control.

Implementation

Apache (v1.3.31) + mod_ssl (v2.8.18-1.3.31) + OpenSSL (v0.9.7d); we modified mod_auth_ldap to perform AC-based ACDE.
OpenLDAP (v2.0.27-8); the Attribute Certificate's attribute definitions were added to inetorgperson.schema.
OpenSSL libraries were used for generating X.509 certificates; we created an AC generation utility using OpenSSL.
For AC validation we use Markus Lorch's code. We created a PKC generation utility based on Expect.

(Apache 1.3, its mod_ssl, OpenSSL 0.9.7 and OpenLDAP 2.0 are all long past end-of-life; the design carries over to current releases, the versions do not.)

SIS Test-bed (figure; its components are listed here)

Web servers: alpha-sis-nissc (holding the PKC whose subject is shown below) and alpha-sis-connecticut.
LDAP servers: sis-nissc, sis-connecticut, sis-newjersey, sis-canada.
All hosts are connected over the Internet.

Subject of the web server's certificate:
subject "/C=US/…./O=dc=sis-nissc,dc=edu/OU=ou=Research,OU=coordinateExercise/CN=alpha-sis-nissc/[email protected]

Performance: access time from a client at sis-canada

Server            LDAP access time (ms)   AC retrieval/validation (ms)
sis-nissc         54.62                   96.88
sis-connecticut   51.84                   93.77
sis-newjersey     51.19                   93.31

All machines: Pentium III, 500 MHz; 256 MB RAM; Red Hat Linux, kernel 2.4.20-6.

Conclusions

1. Developed efficient procedures and tools to set up a Public Key Infrastructure for authentication and a Privilege Management Infrastructure for authorization.
2. Created a multi-agency SIS test bed based on LDAP and web servers.
3. OpenLDAP servers were enhanced to accept attribute certificates.
4. The LDAP module of the Apache web server was extended to achieve secure web access.

PKC vs. AC

A PKC binds a subject (DN) to a public key; an AC binds permissions (attributes) to an entity, the holder.

Public Key Certificate (PKC) fields: Version, Serial Number, Signature ID (signature algorithm identifier), Subject, Issuer, Validity Period, Subject Public Key Info, Extensions, Signature

Attribute Certificate (AC) fields: Version, Serial Number, Signature ID (signature algorithm identifier), Holder, Issuer, Validity Period, Attributes, Extensions, Signature