IllinoisSecurity Lab

Using Attribute-Based Access Control to Enable

Attribute-Based Messaging

Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter and Himanshu Khurana

University of Illinois at Urbana-Champaign

IllinoisSecurity Lab

ACSAC 2006

Introduction to ABM

Attribute-Based Messaging (ABM): Targeting messages based on attributes.

To: faculty going on sabbatical

IllinoisSecurity Lab

ACSAC 2006

Introduction to ABM

Examples• Address all faculty going on sabbatical

next term• Notify all female CS graduate students

who passed qualifying exams of a scholarship opportunity

Attribute-Based Messaging (ABM): Targeting messages based on attributes.

IllinoisSecurity Lab

ACSAC 2006

Why ABM?

• Attribute-based systems have desirable properties– flexibility, privacy and intuitiveness

• Attribute-Based Messaging (ABM) brings these advantages to e-mail messaging– enhances confidentiality by supporting

targeted messaging• via dynamic and transient groups

– enhances relevance of messages• by reducing unwanted messages

IllinoisSecurity Lab

ACSAC 2006

Challenges

• Access Control – access to such a system should be carefully

controlled• potential for spam • privacy of attributes

• Deployability– system should be compatible with existing

infrastructure• Efficiency

– system should have comparable performance to regular e-mail

IllinoisSecurity Lab

ACSAC 2006

Enterprise Architecture

Ensuing Issues •ABM Address Format, Client I/F•Access Control - policy specification and enforcement•Attribute Database creation and maintenance

To: Managers

Attr.DB

Policy

Decision

E-mailMTA

ABMServer

IllinoisSecurity Lab

ACSAC 2006

Enterprise Architecture cont.

• Attribute database– all enterprises have attribute data about

their users– data spread over multiple, possibly

disparate databases– assume that this attribute data is

available to ABM system• “information fabric” , “data services layer”

• ABM address format −logical expressions of attribute value pairs−disjunctive normal form

IllinoisSecurity Lab

ACSAC 2006

Access Control

• Access Control Lists (ACLs)– difficult to manage

IllinoisSecurity Lab

ACSAC 2006

Access Control

×Access Control Lists (ACLs)× difficult to manage

• Role-Based Access Control (RBAC)– simplified management if roles already exist

IllinoisSecurity Lab

ACSAC 2006

Access Control

×Access Control Lists (ACLs)× difficult to manage

× Role-Based Access Control (RBAC)× simplified management if roles already exist

• Attribute-Based Access Control (ABAC)−uses same attributes used to target messages−more flexible policies than with RBAC

• Access policy −XACML is used to specify access policies−Sun’s XACML engine is used for policy decision

IllinoisSecurity Lab

ACSAC 2006

Access Control cont.

• Problem– need policy per logical expression– policy explosion

• Solution?– one policy per <attribute,value>

IllinoisSecurity Lab

ACSAC 2006

Deployability• Use existing e-mail infrastructure (SMTP)

– address ABM messages to the ABM server (MUA) and add ABM address as a MIME attachment

• No modification to client– use a web server to aid the sender in

composing the ABM address via a thin client (web browser)

• E-mail like semantics– policy specialization

IllinoisSecurity Lab

ACSAC 2006

PDPSun’s XACML

Engine

Sender

AttributeDB

MS SQL ServerPolicyxml

ABM ServerWeb ServerWindows IIS

MTA

PS

1

PS

8

PS2

AR2AR1

AR

3

PS7

AR

4

MS1M

S2

Putting It All Together

LegendPS: Policy

SpecializationMS: MessagingAR: Address

Resolution

IllinoisSecurity Lab

ACSAC 2006

Security Analysis

• Problem– open to replay attacks

• Solution– MTA configured with SMTP

authentication• with additional message specific checks

IllinoisSecurity Lab

ACSAC 2006

Experimental Setup

• Measured– latency over regular e-mail

• with and without access control– latency of Policy Specialization

• Setup– up to 60K users – 100 attributes in the system

• 20% of attributes common to most users• 80% of attributes sparsely distributed

IllinoisSecurity Lab

ACSAC 2006

Results

IllinoisSecurity Lab

ACSAC 2006

Results Continued…

0

2

4

6

8

10

12

14

143 282 398 568 674

Number of Policies (Number of policies ~= 5 * Number of attributes)

Tim

e (s

ec)

Policy Specialization Latency

IllinoisSecurity Lab

ACSAC 2006

Other Considerations

• Policy Administration– one policy per <attribute ,value> not per

address– further be reduced to one policy per

attribute• Privacy

– of sender and receivers– of ABM address

• Usability– user interfaces

IllinoisSecurity Lab

ACSAC 2006

Related Work

• Technologies– List Servers– Customer Relationship Management

(CRM)• Secure role-based messaging• WSEmail

IllinoisSecurity Lab

ACSAC 2006

Future Work

• Inter-domain ABM– e.g., address doctors in the tri-state area who

have expertise in a specific kind of surgical procedure

– challenge – “attribute mapping”– application in ‘emergency communications’

• Encrypted ABM

IllinoisSecurity Lab

ACSAC 2006