Access control in heterogeneous, decentralized, distributed systems.

Presentation transcript:

Access control in heterogeneous, decentralized, distributed systems. Trust Management. By Scot Anderson. Give yourself a brief introduction before leaving this slide. My name is Scot Anderson and… Mention: Master's thesis in the area of policy languages; Ph.D. student, my area is in constraint databases; current job: system administrator for the division of business and computer science at Union College; ex-teacher from Texas.

Introduction: What is Trust Management (TM); History of Trust Management; Requirements; Public Key Cryptography; Policy Discovery; Policy Languages; Research vs Commercial Trust Management Systems. Quickly go through these.

What is Trust Management (TM): Definition: Trust Management is an approach to access control in a decentralized, distributed environment with access control decisions based on policy statements made by multiple principals. Decentralized means different locations. Distributed means across different organizations. Access control is both authentication and authorization to perform some process (it may actually be access to a resource, but may also include permission to perform an action). Policy statements are statements of authorization in some specific policy language. We’ll talk more about the importance of this specific topic in a little bit. Principals are entities: e.g. human, corporate, computer systems or even processes on systems. HISTORY OF TM.

History of Trust Management: It is nice to have an example to go along with a definition, so let's take a look at …

Areas of Active Research: There are three areas of active research that coincide with the three bases for TM: chain discovery / policy discovery; the semantic analysis of policy languages; the complexity of the algorithms. The three areas of active research coincide with the three items that we listed as the basis of security in TM. Most of the research in chain discovery centers around tractability and reducing the search space. We note the search space in TM is your partners on the Internet, and the search time is going to be dominated by network traffic in most cases. The major issues have to do with the expressiveness of the policy specification language. Tractability relates directly to scalability, and this relates to both semantics and chain discovery.

ATM Example of Trust Management: Every bank controls and services its own ATMs. Banks enter into a coalition with other banks through Cirrus, INTERLINK, Pulse… In this way a bank can authorize an ATM card holder to withdraw cash even though the card holder does not have an account. ATMs have policies about what a user can do. These policies are stated in a policy language. AFTER: Let’s consider a specific policy that we may wish to have a trust management system enforce.

Trust Management Policies Example: Suppose that a company has a couple of accountants responsible for making electronic funds transfers. The accountants routinely make transfers to other companies for tens of thousands of dollars. However, we wish to enforce the following policies.
Accountant | Company | Amount | Transactions/Day
“Alice” | “Any” | Amt <= $100,000 | <= 5
“Bob” | “Suzuki” | Amt <= $10,000 | <= 2
“Alice” & “Bob” | | 100k < Amt <= 500k |
We may also want to limit the number of transactions in one day to no more than $300,000 without both accountants digitally signing the transactions. These are examples of policies limiting the company's trust in its employees, but they also protect the company from mistakes. ALL THIS LEADS US TO THE REQUIREMENTS DEFINED FOR TRUST MANAGEMENT.
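The policy table above written as an executable, default-deny check; this is an added example, not part of the original slides. The Rule layout and the authorize function are hypothetical, the blank Company and Transactions/Day cells of the joint row are treated as unconstrained (an assumption), and the $300,000 daily limit from the notes is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    signers: frozenset        # principals that must ALL have signed the transfer
    company: Optional[str]    # required payee; None means "Any"
    above: int                # amount must be strictly greater than this
    up_to: int                # amount must be less than or equal to this
    per_day: Optional[int]    # daily transaction cap; None means no cap stated

# Rows of the slide's table. Row 3 leaves Company and Transactions/Day
# blank on the slide; treating them as unconstrained is an assumption.
RULES = (
    Rule(frozenset({"Alice"}), None, 0, 100_000, 5),
    Rule(frozenset({"Bob"}), "Suzuki", 0, 10_000, 2),
    Rule(frozenset({"Alice", "Bob"}), None, 100_000, 500_000, None),
)

def authorize(signers, company, amount, used_today):
    """Return the index of the rule that grants the transfer, or None.

    signers:    set of principals whose signatures were already verified
    used_today: dict rule index -> transfers granted today (updated on grant)
    """
    for i, rule in enumerate(RULES):
        if not rule.signers <= set(signers):
            continue                      # a required signature is missing
        if rule.company is not None and rule.company != company:
            continue                      # payee not covered by this rule
        if not (rule.above < amount <= rule.up_to):
            continue                      # amount outside the rule's band
        if rule.per_day is not None and used_today.get(i, 0) >= rule.per_day:
            continue                      # daily quota for this rule exhausted
        used_today[i] = used_today.get(i, 0) + 1
        return i
    return None                           # default deny: no rule matched

def demo():
    """Run constructed sample requests against one day's counters."""
    used = {}
    return [
        authorize({"Alice"}, "Acme", 50_000, used),           # Alice's rule
        authorize({"Bob"}, "Acme", 5_000, used),              # wrong payee
        authorize({"Bob"}, "Suzuki", 5_000, used),            # Bob's rule
        authorize({"Bob"}, "Suzuki", 5_000, used),            # Bob's rule again
        authorize({"Bob"}, "Suzuki", 5_000, used),            # quota of 2 used up
        authorize({"Alice"}, "Acme", 200_000, used),          # needs both signers
        authorize({"Alice", "Bob"}, "Acme", 200_000, used),   # joint rule
        authorize({"Alice", "Bob"}, "Acme", 600_000, used),   # above every band
    ]
```

Rules are tried in table order, so a transfer signed by both accountants that already fits Alice's own row is charged to her daily quota rather than to the joint row.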

Requirements: (1) Local control of resources. (2) Grant full or partial access & authorization. (3) Delegate authority to grant access & authorization. (4) Operate regardless of the domains in use. (5) Enter into multiple coalitions. (6) Delegate the right to delegate authorizations. An organization should have localized control of its resources. This entails granting access and authority to entities known to the organization, e.g., owners, employees, service personnel and contractors. An organization should be able to grant either full or partial access and delegate authority to other members of a coalition to which it belongs. Let me be clear: an organization does NOT grant authorizations to entities residing in the coalition. Think back to the ATM example. Union Bank does not keep track of whether Wells Fargo depositors are authorized to withdraw money from ATMs. They trust someone else to keep track of that information. An organization should be able to have delegation of either full or partial access and authority to the resources belonging to other members of a coalition to which it belongs. The Trust Management system should be able to operate regardless of the security domains in place among members of a coalition, such as hierarchical or group-based domains. Domains also pertain to the way security is administrated at any location. For example, whether a user is provided with a smart card or must use a password system, the Trust Management system should be able to operate as a back-end system to the applications or systems needing to verify authorization. An organization should be able to enter into multiple coalitions independent of each other but as interlaced as desired. An organization should be able to delegate not only the authorization but also the right to delegate authorization. We call this nested trust delegation. THESE REQUIREMENTS (4 AND 6 ESPECIALLY) ARE OPEN ENDED IN A WAY THAT CAN CAUSE EXPRESSIVENESS PROBLEMS FOR THE CURRENT TL LANGUAGES.

The Basis of Security in TM: Three areas form the basis for Trust Management: Public-Key Cryptography and Certificates; Policy Discovery; Policy Specification Language. Let's take a look at each one of these.

Public-Key Cryptography: Discuss how public keys can be used for both secrecy and authentication.

Certificates: X.509 v3 (digsigtrust). Fields: Version; Serial Number; Algorithm ID; Issuer; Validity (Not Before, Not After); Subject; Subject Public Key Info (Public Key Algorithm, Subject Public Key); Issuer Unique Identifier (Optional); Subject Unique Identifier (Optional); Extensions (Optional); Certificate Signature Algorithm; Certificate Signature. Certificates are based on Public Key / Private Key infrastructure. I am not going to talk about the details of PKI. Talk about the role of each element of a certificate. Traditionally certificates are used for authentication. As we shall see in TM, authorizations are added to a certificate. This allows authorization to be distributed. Take a look at a real certificate (I switch to looking at a Verisign certificate).

Additional Information for TM: In order to use certificates for policy statements, we can include policies on the certificates prior to the certificate signature. Policies may be encrypted or in plain text. The certificate is included with a request. If the certificate authorizes the request and the TM system can authenticate the requestor, the request is granted.

Authorization Process Trust Management System ETMP(EAU(Request,Authorization|Rejection) ETMU(Request) Alice is using an application that needs access to a resource controlled by the trust management system. The application uses the credentials Alice provided (i.e. possibly through a smart card), makes a connection to the TM system and sends the request and a random piece of data called a nonce. The system uses Alice’s public key to encrypt the nonce, with symmetric key, and sends it back to the application. Using the smart card (or other means available to the application), WHAT ISN'T CLEAR FROM THIS PICTURE IS HOW THE TM SYSTEM AUTHORIZES THE REQUEST! This requires the system to discover through some means if the certificate directly or indirectly authorizes Alice’s request.

The Basis of Security in TM: Three areas form the basis for Trust Management: Certificates (PKI); Policy Discovery; Policy Specification. Let's take a look at each one of these.

Policy Discovery: Policy discovery is not trivial because authorization is included on the certificate. The key issue is who do I trust. So, given a certificate and a request, does this certificate authorize the request and is it issued by someone I trust. Most of the research in chain discovery centers around tractability and reducing the search space. We note the search space in TM is your partners on the Internet, and the search time is going to be dominated by network traffic in most cases.

Policy Discovery via Chains: Consider a fourth level delegation. PA → PB → PC → E. This is a delegation chain to some entity E. If E makes a request to PA, how can PA authorize E without knowing the chain of authorization PA → PB → PC? This process is called chain discovery and is largely solved using graph theory. SPEAK: This has largely been solved, but is very important. If algorithms to discover the chain in every domain are not fast, then the system cannot scale. If we were to allow every conceivable method of discovery we may run into a discovery model that requires an NP-Complete/Hard algorithm. This of course would be fatal to scalability. This is a fundamental problem in CS and we do not allow domains (and in fact we don’t need domains) that cause NP-Complete problems.
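Chain discovery as a breadth-first search over delegation credentials; this is an added example, not part of the original slides. The Credential layout, the may_delegate flag (modelling the "right to delegate" requirement), the rights names and the principal Mallory are assumptions, and each credential's signature is assumed to have been verified before the search.

```python
from collections import deque, namedtuple

# issuer grants `rights` to subject; may_delegate says whether the subject
# may pass those rights on (hypothetical layout, not a real certificate format)
Credential = namedtuple("Credential", "issuer subject rights may_delegate")

def discover_chain(credentials, owner, requester, right):
    """Return the delegation chain [owner, ..., requester] for `right`, or None.

    Every hop must carry the requested right, and every hop except the last
    must also carry the right to delegate. The `seen` set bounds the search
    even when credentials form a cycle, so the cost is linear in the number
    of credentials.
    """
    if owner == requester:
        return [owner]
    by_issuer = {}
    for cred in credentials:
        by_issuer.setdefault(cred.issuer, []).append(cred)
    queue = deque([[owner]])
    seen = {owner}
    while queue:
        path = queue.popleft()
        for cred in by_issuer.get(path[-1], []):
            if right not in cred.rights:
                continue                  # partial grant does not cover the right
            if cred.subject == requester:
                return path + [requester]
            if cred.may_delegate and cred.subject not in seen:
                seen.add(cred.subject)
                queue.append(path + [cred.subject])
    return None                           # no chain found: deny

# Constructed sample credentials for the chain PA -> PB -> PC -> E.
CREDS = [
    Credential("PA", "PB", frozenset({"withdraw", "balance"}), True),
    Credential("PB", "PC", frozenset({"withdraw"}), True),
    Credential("PC", "PB", frozenset({"withdraw"}), True),    # cycle back to PB
    Credential("PC", "E", frozenset({"withdraw"}), False),    # E may not delegate
    Credential("E", "Mallory", frozenset({"withdraw"}), False),
]

if __name__ == "__main__":
    print(discover_chain(CREDS, "PA", "E", "withdraw"))
    print(discover_chain(CREDS, "PA", "Mallory", "withdraw"))
```

E's credential to Mallory is never followed because PC did not give E the right to delegate, and the "balance" right stops at PB because PB never passed it on.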

The Basis of Security in TM: Three areas form the basis for Trust Management: Certificates (PKI); Policy Discovery; Policy Specification. Let's take a look at each one of these.

Policy Specification: The groundbreaking work of certificates for authentication in a hierarchical environment, such as SSL certificates used to secure web pages, has been extended to include policies for authorization. Authorizations on the certificates are specified in a policy language that is often based on logic (e.g. First Order Predicate Logic). Explain why a language must be closed. Again state that the language must have semantics that can be derived quickly.

Policy Languages: The policy languages must be closed. The consequences of a closed language: expression is limited; every expression can be proven true or false. Approximation techniques exist in logics that lend themselves to expanding the expressive capabilities of policy languages. First describe what it means to be closed.

Research vs. Commercial Systems: Research in Trust Management spans a time period from 1996, when PolicyMaker was introduced, to the present time. Research has made most if not all of the theoretical breakthroughs necessary to make TM a viable commercial technology. Commercial systems approximate the capabilities of research systems. LAST POINT: research systems are NOT viable for commercial use, but they set the stage for commercial products.

Commercial Systems: IBM provides Federated Identity Management System: http://www-306.ibm.com/software/tivoli/products/federated-identity-mgr/. Microsoft has an Identity and Access Management Series that talks about their systems: http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx. RSA Security has a suite of applications to provide TM including ClearTrust and Federated Identity Manager: http://www.rsasecurity.com/node.asp?id=1155. You will notice that these systems concentrate on IDENTITY. But buried underneath this familiar concept, so near and dear to the hearts of system administrators, is the possibility of distributed access control. MIIS = Microsoft Identity and Integration Server.

Conclusions: Trust Management is a system that provides access control in a decentralized distributed environment. Research on TM provides a sound theoretical basis. Commercial Systems are now providing most if not all of the components of Trust Management.


Questions