INSTITUTE FOR CYBER SECURITY 1 Enforcement Architecture and Implementation Model for Group-Centric Information Sharing © Ravi Sandhu Ram Krishnan (George.

Slides:



Advertisements
Similar presentations
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
Advertisements

INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
Peer-to-Peer Access Control Architecture Using Trusted Computing Technology Ravi Sandhu and Xinwen Zhang George Mason University SACMAT05, June 1--3, 2005,
1 PEI Models towards Scalable, Usable and High-assurance Information Sharing Ram Krishnan Laboratory for Information Security Technology George Mason University.
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
Stale-Safe Security Properties for Secure Information Sharing Ram Krishnan (GMU) Jianwei Niu (UT San Antonio) Ravi Sandhu (UT San Antonio) William Winsborough.
© 2006 Ravi Sandhu Secure Information Sharing Enabled by Trusted Computing and PEI * Models Ravi Sandhu (George Mason University and TriCipher)
© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.
Vpn-info.com.
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.
Ram Krishnan PhD Candidate Dissertation Directors: Dr. Ravi Sandhu and Dr. Daniel Menascé Group-Centric Secure Information Sharing Models Dissertation.
1 The Data and Application Security and Privacy (DASPY) Challenge Prof. Ravi Sandhu Executive Director and Endowed Chair 11/11/11
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 5 03/08/2010 Security and Privacy in Cloud Computing.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Trusted Computing Technology and Client-side Access Control Architecture Acknowledgement: Some slides and diagrams are adapted from TCG Architecture Overview,
1 Secure Information Sharing Manager (SIS-M) Thesis 2007 Stephen D. Wise
Dynasis Secure Group Information Sharing System ADVISOR: DR. AWAIS SHIBLI CO-ADVISOR: DR. ABDUL GHAFOOR GROUP MEMBERS: MANSOOR AHMED SAIF ULLAH YASIR.
Securing Information Transfer in Distributed Computing Environments AbdulRahman A. Namankani.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
1 The Challenge of Data and Application Security and Privacy (DASPY) Ravi Sandhu Executive Director and Endowed Professor March 23, 2011
11 World-Leading Research with Real-World Impact! A Group-Centric Model for Collaboration with Expedient Insiders in Multilevel Systems Khalid Zaman Bijon,
Fine-Grained Access Control (FGAC) in the Cloud Robert Barton.
Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois.
INSTITUTE FOR CYBER SECURITY 1 Cyber Security: Past, Present and Future Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security.
UTSA Amy(Yun) Zhang, Ram Krishnan, Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio San Antonio, TX Nov 03, 2014 Presented.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Extending user controlled security domain.
INSTITUTE FOR CYBER SECURITY © Ravi Sandhu11 Group-Centric Information Sharing Ravi Sandhu Executive Director and Endowed Professor Institute for Cyber.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Trusted Platform Modules for Encrypted File System Access Control Steven Houston & Thomas Kho CS 252 May 9, 2007 Steven Houston & Thomas Kho CS 252 May.
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
11 World-Leading Research with Real-World Impact! Group-Centric Secure Information Sharing: A Lattice Interpretation Institute for Cyber Security Ravi.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
出處 :2010 2nd International Conference on Signal Processing Systems (ICSPS) 作者 :Zhidong Shen 、 Qiang Tong 演講者 : 碩研資管一甲 吳俊逸.
An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK
INSTITUTE FOR CYBER SECURITY A Hybrid Enforcement Model for Group-Centric Secure Information Sharing (g-SIS) Co-authored with Ram Krishnan, PhD Candidate,
1 Group-Centric Models for Secure Information Sharing Prof. Ravi Sandhu Executive Director and Endowed Chair March 30, 2012
1 Group-Centric Models for Secure and Agile Information Sharing Ravi Sandhu Executive Director and Endowed Professor April 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security.
Application-Centric Security Models
Security fundamentals Topic 5 Using a Public Key Infrastructure.
A Conceptual Framework for Group-Centric Secure Information Sharing Ram Krishnan (George Mason University) Ravi Sandhu, Jianwei Niu, William Winsborough.
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
Authorization Policy Specification and Enforcement for Group-Centric Secure Information Sharing Ram Krishnan and Ravi Sandhu University of Texas at San.
1 Information Security – Theory vs. Reality , Winter Lecture 12: Trusted computing architecture (cont.), Eran Tromer Slides credit:
Doc.: IEEE /0098r0 Submission July 2010 Alex Reznik, et. al. (InterDigital)Slide Security Procedures Notice: This document has been.
Ram Krishnan (George Mason University) Ravi Sandhu, Jianwei Niu, William Winsborough (University of Texas at San Antonio) Foundations for Group-Centric.
INSTITUTE FOR CYBER SECURITY 1 Purpose-Centric Secure Information Sharing Ravi Sandhu Executive Director and Endowed Professor Institute for Cyber Security.
Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources.
Past, Present and Future
Hybrid Cloud Architecture for Software-as-a-Service Provider to Achieve Higher Privacy and Decrease Securiity Concerns about Cloud Computing P. Reinhold.
World-Leading Research with Real-World Impact!
CS691 M2009 Semester Project PHILIP HUYNH
Assignment #7 – Solutions
Assured Information Sharing
Presentation transcript:

INSTITUTE FOR CYBER SECURITY 1 Enforcement Architecture and Implementation Model for Group-Centric Information Sharing © Ravi Sandhu Ram Krishnan (George Mason University) Ravi Sandhu (Univ. of Texas at San Antonio)

INSTITUTE FOR CYBER SECURITY PEI Models: 3 Layers/5 Layers © Ravi Sandhu2

INSTITUTE FOR CYBER SECURITY A fundamental problem in cyber security  Share but protect Current approaches not satisfactory  Traditional models (MAC/DAC/RBAC) do not work  Recent approaches Proprietary systems for Enterprise Rights Management  Many solutions: IBM, CA, Oracle, Sun, Authentica, etc.  Interoperability is a major issue Many languages have been standardized  XrML, ODRL, XACML, etc. Primarily, dissemination or object centric © Ravi Sandhu3 Secure Information Sharing (SIS)

INSTITUTE FOR CYBER SECURITY Attach attributes and policies to objects  Objects are associated with sticky policies  Policy language standards such as XrML and ODRL provide sticky policies © Ravi Sandhu4 Dissemination Centric Sharing AliceBobCharlieJakeJohn Attribute + Policy Cloud Object Attribute + Policy Cloud Object Attribute + Policy Cloud Object Attribute + Policy Cloud Object Dissemination Chain with Sticky Policies on Objects Attribute Cloud

INSTITUTE FOR CYBER SECURITY Advocates bringing users & objects together in a group  In practice, co-exists with dissemination centric sharing © Ravi Sandhu5 Group-Centric Sharing (g-SIS) Never Group User Leave Current Group User Past Group User Join Never Group Object Remove Current Group Object Past Group Object Add Two useful metaphors  Secure Meeting/Document Room Users’ access may depend on their participation period E.g. Program committee meeting, Collaborative Product Development, Merger and Acquisition, etc.  Subscription Model Access to content may depend on when the subscription began E.g. Magazine Subscription, Secure Multicast, etc.

INSTITUTE FOR CYBER SECURITY © Ravi Sandhu6 g-SIS Policy Model GROUP Authz (S,O,R)? Join Leave AddRemove Users Objects

INSTITUTE FOR CYBER SECURITY Enforcement Model Objectives Allow offline access Assumes a Trusted Reference Monitor (TRM)  Resides on group user’s access machine  Enforces group policy  Synchronizes attributes periodically with server Objects available via Super-Distribution  Encrypt objects using group key and distribute  Other users with access to group key may access © Ravi Sandhu7

INSTITUTE FOR CYBER SECURITY g-SIS Architecture © Ravi Sandhu8 CC 5.2 Set Leave-TS (u) = Current Time 6.2 Update: a. Remove_TS (o) = Current Time b. ORL = ORL U {id, Add_TS (o), Remove_TS (o)} GA Group Users TRM … 3. Read Objects Non-Group User TRM 1.1 Request Join {AUTH = FALSE} 1.2 Authz Join {AUTH = TRUE} 1.4 Provision Credentials {id, Join_TS, Leave_TS, ORL, gKey, N} 1.3 User Join {AUTH=TRUE}, Integrity Evidence Object Cloud 2.1 Add Object o 2.2 Distribute o 4.1 Request Refresh 4.2 Update Attributes 5.1 Remove User (id) 6.1 Remove Object (o) Obtain Object o User Attributes: {id, Join-TS, Leave-TS, ORL, gKey} Object Attributes: {id, Add-TS} ORL: Object Revocation List gKey: Group Key Authz (s,o,r) -> Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & o NotIn ORL

INSTITUTE FOR CYBER SECURITY Super Vs Micro-distribution in g-SIS Super-Distribution (SD)  Single key for all group users  Encrypt once, access where authorized  Total offline access except periodic refresh times Micro-Distribution (MD)  CC shares a key with each user in the group  Initial access requires CC participation CC custom encrypts using key shared with user  Subsequent accesses can be offline as allowed by TRM © Ravi Sandhu9 UserObject Cloud CCAuthor Add (C) Set Add_TS for o Distribute (C) Read o and Store C Locally Get (o) Provide (C) Super-Distribution in g-SISMicro-Distribution in g-SIS C = Enc (o, K) UserCCAuthor Encrypt o with key k1 shared with CC (C = Enc(o,k1))) Add (C) Dec (c, k1), Set Add_TS for o and Store Locally Encrypt o with key k2 shared with User (C’ = Enc (o, k2)) Get (o) Provide (C’) Store C’ Locally Dec (C’, k2)

INSTITUTE FOR CYBER SECURITY Super Vs Micro-Distribution (contd) © Ravi Sandhu10

INSTITUTE FOR CYBER SECURITY Protocols © Ravi Sandhu11

INSTITUTE FOR CYBER SECURITY Background (Trusted Computing) Trusted Computing  An industry standard/alliance Proposed by Trusted Computing Group  Basic premise Software alone cannot provide an adequate foundation for trust  TCG proposes root of trust at the hardware level using a Trusted Platform Module or TPM © Ravi Sandhu12

INSTITUTE FOR CYBER SECURITY Background (TPM) Trusted storage for keys  Encrypt user keys with a chain of keys  Storage Root key (SRK) is stored in TPM & never exposed Trusted Capabilities  Operations exposed by the TPM  Guaranteed to be trust-worthy Platform Configuration Registers (PCR)  Hardware registers used to store integrity of software (e.g. boot-chain) © Ravi Sandhu13

INSTITUTE FOR CYBER SECURITY Background (TPM Capabilities) Seal  Data/Key coupled with a PCR value encrypted with SRK Unseal  Data/Key will be decrypted by the TPM only if current PCR value matches that of PCR value in sealed blob CertifyKey  Create a key pair  Private key is sealed to a PCR value  Public key signed by TPM only if Private part is non- migratable  Private part available in the future only if future PCR value matches the PCR value at seal time  Third parties can encrypt data with public key Data can be decrypted only under known PCR state Data cab be decrypted only using the same TPM that created the key (non-migratable) © Ravi Sandhu14

INSTITUTE FOR CYBER SECURITY Join (Authorization) © Ravi Sandhu15

INSTITUTE FOR CYBER SECURITY Join (Provisioning) © Ravi Sandhu16

INSTITUTE FOR CYBER SECURITY Object Add © Ravi Sandhu17

INSTITUTE FOR CYBER SECURITY Object Read © Ravi Sandhu18

INSTITUTE FOR CYBER SECURITY Attribute Refresh © Ravi Sandhu19

INSTITUTE FOR CYBER SECURITY Leave and Remove © Ravi Sandhu20 User Leave Object Remove

INSTITUTE FOR CYBER SECURITY Conclusion Group-Centric Vs Dissemination-Centric Sharing Super Vs Micro-Distribution approach in g-SIS g-SIS Architecture supports both SD and MD Offline access realizable due to Trusted Computing Future Work  Investigate Implementation Model  Read-Write Access  Multiple Groups © Ravi Sandhu21