Using Attribute-Based Access Control to Enable Attribute-Based Messaging


Post on 31-Dec-2015


Illinois Security Lab

Using Attribute-Based Access Control to Enable Attribute-Based Messaging

Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter and Himanshu Khurana

University of Illinois at Urbana-Champaign


ACSAC 2006

Introduction to ABM

Attribute-Based Messaging (ABM): Targeting messages based on attributes.

To: faculty going on sabbatical


Examples
• Address all faculty going on sabbatical next term
• Notify all female CS graduate students who passed qualifying exams of a scholarship opportunity


Why ABM?

• Attribute-based systems have desirable properties
  – flexibility, privacy and intuitiveness
• Attribute-Based Messaging (ABM) brings these advantages to e-mail messaging
  – enhances confidentiality by supporting targeted messaging
    • via dynamic and transient groups
  – enhances relevance of messages
    • by reducing unwanted messages


Challenges

• Access Control
  – access to such a system should be carefully controlled
    • potential for spam
    • privacy of attributes
• Deployability
  – system should be compatible with existing infrastructure
• Efficiency
  – system should have comparable performance to regular e-mail


Enterprise Architecture

Ensuing Issues
• ABM Address Format, Client I/F
• Access Control - policy specification and enforcement
• Attribute Database creation and maintenance

[Figure: architecture diagram with a message addressed “To: Managers” and components Attr. DB, Policy Decision, E-mail MTA, ABM Server]


Enterprise Architecture cont.

• Attribute database
  – all enterprises have attribute data about their users
  – data spread over multiple, possibly disparate databases
  – assume that this attribute data is available to ABM system
    • “information fabric”, “data services layer”
• ABM address format
  – logical expressions of attribute value pairs
  – disjunctive normal form


Access Control

× Access Control Lists (ACLs)
  × difficult to manage
× Role-Based Access Control (RBAC)
  × simplified management if roles already exist
• Attribute-Based Access Control (ABAC)
  – uses same attributes used to target messages
  – more flexible policies than with RBAC
• Access policy
  – XACML is used to specify access policies
  – Sun’s XACML engine is used for policy decision


Access Control cont.

• Problem
  – need policy per logical expression
  – policy explosion
• Solution?
  – one policy per <attribute,value>
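An added example, not from the slides or the authors' implementation: a small Python model of an ABM address in disjunctive normal form over attribute-value pairs, authorized with one policy per <attribute,value> instead of one per logical expression. The textual address syntax, the dictionary policy format, the sample users, and the rule that a sender must be authorized for every pair in the address are assumptions; the system on the slides expresses its policies in XACML.

```python
# Added illustration; the address syntax and policy format are assumptions,
# not the XACML policies or MIME encoding used by the system on the slides.

# Constructed attribute database: user -> {attribute: value}
ATTR_DB = {
    "alice": {"position": "faculty", "sabbatical": "next-term", "dept": "cs"},
    "bob":   {"position": "faculty", "dept": "cs"},
    "carol": {"position": "student", "dept": "cs", "quals": "passed"},
    "dave":  {"position": "staff", "dept": "hr"},
}

# One policy per <attribute, value>: the sender attributes required to
# target that pair. Pairs with no policy are denied by default.
POLICIES = {
    ("position", "faculty"): {"position": "staff"},
    ("sabbatical", "next-term"): {"dept": "hr"},
    ("position", "student"): {"position": "faculty"},
    ("quals", "passed"): {"position": "faculty", "dept": "cs"},
}

def parse_address(text):
    """Parse 'a=v AND b=w OR c=x' into DNF: a list of conjunctions of pairs."""
    dnf = []
    for clause in text.split(" OR "):
        pairs = []
        for literal in clause.split(" AND "):
            attr, sep, value = literal.strip().partition("=")
            if not sep or not attr or not value:
                raise ValueError(f"malformed literal: {literal!r}")
            pairs.append((attr.strip(), value.strip()))
        dnf.append(pairs)
    return dnf

def denied_pairs(sender, dnf):
    """Return the <attribute, value> pairs the sender may not target."""
    sender_attrs = ATTR_DB.get(sender, {})
    denied = []
    for pair in {p for clause in dnf for p in clause}:
        required = POLICIES.get(pair)
        if required is None or any(sender_attrs.get(k) != v for k, v in required.items()):
            denied.append(pair)
    return sorted(denied)

def resolve(sender, address):
    """Authorize every pair in the address, then resolve it to recipients."""
    dnf = parse_address(address)
    denied = denied_pairs(sender, dnf)
    if denied:
        raise PermissionError(f"{sender} may not target {denied}")
    return sorted(u for u, attrs in ATTR_DB.items()
                  if any(all(attrs.get(a) == v for a, v in clause) for clause in dnf))
```

The number of policies grows with the number of distinct pairs, not with the number of addresses senders can compose from them.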


Deployability

• Use existing e-mail infrastructure (SMTP)
  – address ABM messages to the ABM server (MUA) and add ABM address as a MIME attachment
• No modification to client
  – use a web server to aid the sender in composing the ABM address via a thin client (web browser)
• E-mail like semantics
  – policy specialization


Putting It All Together

[Figure: system diagram. Component labels: Sender; Web Server; Windows IIS; ABM Server; MTA; PDP (Sun’s XACML Engine); Attribute DB; MS SQL Server; Policy xml. Step labels: PS1, PS2, PS7, PS8, AR1, AR2, AR3, AR4, MS1, MS2.]

Legend
PS: Policy Specialization
MS: Messaging
AR: Address Resolution


Security Analysis

• Problem
  – open to replay attacks
• Solution
  – MTA configured with SMTP authentication
    • with additional message specific checks


Experimental Setup

• Measured
  – latency over regular e-mail
    • with and without access control
  – latency of Policy Specialization
• Setup
  – up to 60K users
  – 100 attributes in the system
    • 20% of attributes common to most users
    • 80% of attributes sparsely distributed


Results


Results Continued…

[Figure: Policy Specialization Latency. Y-axis: Time (sec), scale 0 to 14. X-axis: Number of Policies (Number of policies ~= 5 * Number of attributes), at 143, 282, 398, 568, 674.]


Other Considerations

• Policy Administration
  – one policy per <attribute,value>, not per address
  – can be further reduced to one policy per attribute
• Privacy
  – of sender and receivers
  – of ABM address
• Usability
  – user interfaces


Related Work

• Technologies
  – List Servers
  – Customer Relationship Management (CRM)
• Secure role-based messaging
• WSEmail


Future Work

• Inter-domain ABM
  – e.g., address doctors in the tri-state area who have expertise in a specific kind of surgical procedure
  – challenge – “attribute mapping”
  – application in ‘emergency communications’
• Encrypted ABM
