
Limiting the Disclosure of Access Control Policies During Automated Trust Negotiation
Kent Seamons, Brigham Young University, seamons@cs.byu.edu
Marianne Winslett and Ting Yu, University of Illinois at Urbana-Champaign, {winseltt,tingyu}@cs.uiuc.edu
Network and Distributed System Security Symposium, February 8-9, 2001, San Diego

Trust Establishment between Strangers
- When a client and server begin an interaction, the client is unknown to the server: the client is not a member of the server's security domain.
- The client's identity is irrelevant to the security decision; the decision is based on properties of the client other than identity.
- Examples: citizenship, clearance, job classification, group memberships, the client's role within his home organization, etc.

Trust Establishment Requirements
- Automated
- Limited human intervention
- Easy to use
- Scalable administration
- Ubiquitous
- Network service
- Application independence
- Preserve local autonomy
- Decentralized management

Digital Credentials
- A credential contains attributes (name/value pairs) of the credential owner, asserted by the issuer.
- Credentials are cryptographically signed, and thus verifiable and unforgeable.
- Digital credentials are the on-line analogues of the paper credentials that people carry in their wallets.

Access Control Policies
Policies specify the combination of credentials that must be submitted in order to obtain authorized access to secure services. Examples:
  StudentID(X) where X.university = "BYU"
  InternetSocietyMember(X)

Sensitive Credentials
- Credentials can contain sensitive information.
- Safeguard credential disclosure using the same access control mechanisms used to safeguard protected resources.
- Credential disclosure is governed by an access control policy that specifies the credentials that must be received from another party prior to disclosing the credential to that party.
Examples (the credential on the left is disclosed only after the credential on the right has been received):
  IBMEmployee ← TRUSTe
  Visa ← AuthorizedVisa

Trust Negotiation
The iterative exchange of digital credentials between two negotiation partners in order to establish trust.
Assumptions:
- Confidential communication between negotiation participants
- Credential ownership is verified
An alternative: a trusted third party. The two parties disclose their credentials and policies to the trusted third party and rely on it to determine whether or not they should trust one another.

Trust Negotiation Strategy
An algorithm used to find a successful trust negotiation. The strategy determines which credentials to disclose and when to disclose them.

Desirable Properties of Trust Negotiation Strategies
- Efficient: the communication and computation costs are not prohibitive.
- Complete: a negotiation succeeds whenever possible.
- Terminates: the negotiation terminates efficiently whenever a successful negotiation is not possible.

Trust Negotiation Example
[Diagram: client credential disclosure policies and server credential disclosure policies over the credentials Service, Employee, TRUSTe, Visa, AuthorizedVisa, StudentID and BBB, with the message sequence of the negotiation. The exchange shown: the client discloses StudentID; the server discloses TRUSTe, BBB and AuthorizedVisa; the client discloses Employee and Visa; the server then grants access to Service.]

Policy Disclosure
How does a negotiation participant know which credentials to disclose to a stranger in order to gain access to a protected resource?
Access control policies can be disclosed during trust negotiation to inform a negotiation counterpart of the credentials they can disclose to advance the negotiation.
Alternative approaches to policy disclosure:
- Disclose entire policies
- Disclose policy extracts, or hints
Access control policies can contain sensitive information.

Trust Negotiation without Support for Sensitive Policies
[Diagram: message sequence between client and server]
1) Service request (client to server)
2) Policy (server to client)
3) Service request, credentials (client to server)
4) Service (server to client)

Trust Negotiation with Support for Sensitive Policies
[Diagram: message sequence between client and server]
1) Service request (client to server)
2) Policy (server to client)
3) Service request, credentials (client to server)
4) Policy (server to client)
5) Service request, credentials (client to server)
6) Service (server to client)

Sensitive Access Control Policies
- Support for sensitive access control policies allows a negotiation participant to gradually establish trust in a negotiation partner prior to disclosing a sensitive resource (policy, credential, or service).
- The negotiation partner may find it unacceptable not to obtain access after satisfying the policy that appeared to govern access to a secure resource.
- Introduce an indicator that access to a resource is governed by additional policy not yet disclosed during the negotiation.

Access Control Policy Graph
- Finite, directed, acyclic graph
- Single sink node R represents the protected resource R
- All nodes except R represent policies
- Single source node S contains a policy that can be freely disclosed
- Access to R is granted when an authorized path to R exists: credentials have been received that satisfy all policies along a directed path from S to R.
[Diagram: a policy graph with source S, policy nodes P1, P2, P3 and sink R]

Access Control Policy Graph
- A policy node is unlocked if there exists an authorized path to the policy node; an unlocked policy node can be disclosed.
- An unlocked policy node that has a locked child node is known as an innermost unlocked policy.
[Diagram: the same policy graph, S, P1, P2, P3, R, with unlocked and locked nodes marked]

Policy Graphs
Since a policy graph may contain a node with outdegree > 1, the policy details of different trusted groups can be kept private from each other.
[Diagram: example policy graphs whose nodes include Employee(X), Company_name(X)=Sun, Company_name(X)=IBM, Title(X)=VP, TopSecret, PrivacyGuarantee and NRA, each graph ending at a protected resource R]

Policy Graph Languages
- The semantics of the language(s) used to represent policies must be defined over paths through policy graphs, rather than only over isolated policies.
- Negation must be treated carefully in policy languages.
- The language must be monotonic.

Safe Disclosures
- A trust negotiation strategy must ensure that all disclosures are safe.
- It is always safe to disclose the source node of a policy graph.
- A non-source node N can be disclosed if and only if there is a directed path from S to one of N's parents in that graph such that the other negotiation participant satisfies every policy along the path.
- A trust negotiation strategy is safe if all possible negotiations conducted by two parties using that strategy are safe.

Negotiation Strategies for Sensitive Policies
- Relevant Credentials Set strategy
- All Relevant Policies strategy

Relevant Credentials Set Strategy
- The negotiation participants do not exchange the full policies with each other.
- The parties send messages of the form (Credentials, CredentialRequest):
  Credentials: the set of unlocked credentials
  CredentialRequest: the set of syntactically relevant credentials
- Worst case communication cost: 2C+2 messages, where C is the minimum credential count of the negotiating participants. Credential count = number of credentials owned + number of credentials appearing in the policies.

Trust Negotiation Example 1 (,{R}) 2 (,{C4}) Client Credential Disclosure Policies 3 (,{S2}) Server Credential Disclosure Policies 4 C1 S2 S3 C2 S1 S3 ({S2},) C4 5 ({C4},) 6 (,{C1,C2,C3}) C3 C1  C2 S1 C3 S2 S3 C4 C3 S3 C4 S2 7 (,{S3}) 8 ({S3},) R 9 ({C1 ,C3},{S1}) Relevant credentials set strategy

Relevant Credentials Set Strategy
- Advantage: avoids direct disclosure of access control policies during trust negotiation.
- Disadvantage: discloses more credentials than strictly necessary.

All Relevant Policies Strategy
- The negotiation participants take turns exchanging policies and credentials with each other through messages of the form ({}, Policies) or (Credentials, {}).
- Each participant must always disclose all innermost unlocked policies as they become available.
- Negotiation terminates when there are two empty disclosure messages in a row.
- Worst case communication cost: 2C+P+2 messages, where C is the total number of combined credentials and P is the total number of combined policies.

Trust Negotiation Example (all relevant policies strategy)
[Diagram: the same client and server credential disclosure policies; a disclosed policy is written (resource, credentials required). Messages, client and server alternating:]
1 client: Request(R)
2 server: {(R, C4)}
3 client: {(C4, S2)}
4 server: {S2}
5 client: {C4}
6 server: {(R, C3), (R, C1 ∧ C2)}
7 client: {(C1, S3), (C2, S3), (C3, S3)}
8 server: {S3}
9 client: {(C2, S1)}
10 server: {(S1, C3)}
11 client: {C3}

All Relevant Policies Strategy
- Freely discloses all relevant access control policies that the other negotiating party has earned access to during trust negotiation.
- Fewer credential disclosures are possible compared to the relevant credentials set strategy.
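The policy-graph definitions (unlocked nodes, innermost unlocked policies, the safe-disclosure rule) and the All Relevant Policies strategy above, worked through in code. This is an added illustration, not the slides' or TrustBuilder's code. It assumes: a policy is a set of alternative credential sets (an alternative is satisfied once all of its credentials have been received); policy nodes get constructed names such as R.p0; the resource R and credentials C1..C4 and S1..S3 are arranged after the slides' example (R needs C4, then C3 or C1 and C2; C2 is protected by S3 and then S1); within a turn a party sends new innermost unlocked policies before any credential; and a credential is sent only when it completes an alternative the counterpart has disclosed, or is the requested resource itself. That relevance rule is my reading of "fewer credential disclosures", not a rule stated on the slides.

```python
# Policy graphs and the All Relevant Policies strategy (added example, not the slides' code).
from dataclasses import dataclass, field


def satisfied(policy, received):
    # policy = set of alternatives; one alternative (a set of credential names) must be received
    return any(alt <= received for alt in policy)


@dataclass
class PolicyGraph:
    """Finite DAG: free source node, policy nodes, protected resource as the single sink."""
    resource: str
    source: str
    policies: dict  # policy node -> frozenset of alternatives (node names are constructed)
    children: dict  # node -> list of child nodes; edges point toward the resource

    def unlocked(self, received):
        """Nodes reached by an authorized path: the source, then the children of each
        unlocked node whose policy is satisfied. The resource is unlocked iff access is granted."""
        done, todo = {self.source}, [self.source]
        while todo:
            node = todo.pop()
            if node == self.resource or not satisfied(self.policies[node], received):
                continue  # this policy still blocks its children
            for child in self.children.get(node, ()):
                if child not in done:
                    done.add(child)
                    todo.append(child)
        return done

    def safe_to_disclose(self, node, received):
        # Slides' rule: every policy on some path from S to a parent of `node` is satisfied.
        return node in self.unlocked(received)

    def innermost_unlocked(self, received):
        # Unlocked policy nodes with a locked child: what the strategy must disclose next.
        un = self.unlocked(received)
        return {n for n in un if n != self.resource
                and any(c not in un for c in self.children.get(n, ()))}


def chain(resource, *steps):
    """source -> p0 -> ... -> resource, one policy node per step; a step [[]] is free."""
    names = [f"{resource}.p{i}" for i in range(len(steps))]
    policies = {n: frozenset(frozenset(a) for a in alts) for n, alts in zip(names, steps)}
    children = {n: [nxt] for n, nxt in zip(names, names[1:] + [resource])}
    return PolicyGraph(resource, names[0], policies, children)


@dataclass
class Party:
    name: str
    graphs: dict                                # resource -> PolicyGraph protecting it
    requests: set = field(default_factory=set)  # resources the counterpart asked for
    received_creds: set = field(default_factory=set)
    received_policies: set = field(default_factory=set)
    sent_creds: set = field(default_factory=set)
    sent_policies: set = field(default_factory=set)

    def turn(self):
        """One message: ({}, policies) if a new innermost unlocked policy exists, else
        (credentials, {}). Only requested resources and resources named in a received
        policy are considered (assumed reading of the strategy)."""
        wanted = self.requests | {c for _, alt in self.received_policies
                                  for c in alt if c in self.graphs}
        policies = {(r, alt) for r in wanted
                    for node in self.graphs[r].innermost_unlocked(self.received_creds)
                    for alt in self.graphs[r].policies[node]} - self.sent_policies
        if policies:
            self.sent_policies |= policies
            return set(), policies
        ready = {r for r in wanted
                 if r in self.graphs[r].unlocked(self.received_creds)} - self.sent_creds
        # Grant a requested resource once unlocked; otherwise send only credentials that
        # complete an alternative the counterpart asked for (assumed relevance rule, so a
        # credential that cannot help yet, like C1 in the example, stays private).
        creds = ready & self.requests or {
            c for c in ready if any(c in alt and alt <= ready | self.sent_creds
                                    for _, alt in self.received_policies)}
        self.sent_creds |= creds
        return creds, set()


def negotiate(requester, responder, resource, max_messages=20):
    """Alternate turns until the requester holds `resource`, or two empty messages in a row."""
    responder.requests.add(resource)
    log = [(requester.name, "request", resource)]
    sender, receiver, empties = responder, requester, 0
    while empties < 2 and len(log) < max_messages:
        creds, pols = sender.turn()
        receiver.received_creds |= creds
        receiver.received_policies |= pols
        log.append((sender.name, creds, pols))
        empties = 0 if creds or pols else empties + 1
        if resource in requester.received_creds:
            return True, log
        sender, receiver = receiver, sender
    return False, log


def example_parties():
    """Graphs constructed after the slides' example: R needs C4, then C3 or (C1 and C2)."""
    r_graph = PolicyGraph("R", "R.p0",
                          {"R.p0": frozenset({frozenset({"C4"})}), "R.p1": frozenset({frozenset({"C3"})}),
                           "R.p2": frozenset({frozenset({"C1", "C2"})})},
                          {"R.p0": ["R.p1", "R.p2"], "R.p1": ["R"], "R.p2": ["R"]})
    server = Party("server", {"R": r_graph, "S1": chain("S1", [["C3"]]),
                              "S2": chain("S2", [[]]), "S3": chain("S3", [["C4"]])})
    client = Party("client", {"C1": chain("C1", [["S3"]]), "C3": chain("C3", [["S3"]]),
                              "C2": chain("C2", [["S3"]], [["S1"]]), "C4": chain("C4", [["S2"]])})
    return client, server
```

Running `negotiate(*example_parties(), "R")` reproduces the eleven messages of the slides' all-relevant-policies example, followed by a twelfth message in which the server discloses R. Note that the server never receives C1: once C3 is unlocked it alone satisfies the policy (R, C3), so the client keeps C1 private, which is the "fewer credential disclosures" point of this strategy. Every disclosure in the log passes `safe_to_disclose`, because policies are only ever drawn from `innermost_unlocked`, which is computed over authorized paths.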

Conclusion
- The relevant credentials set strategy and the all relevant policies strategy are safe and complete trust negotiation strategies.
- These strategies use policy graphs to provide support for safeguarding the disclosure of sensitive policy information during trust negotiation.

Future Work
- TrustBuilder
- Client initiated trust establishment
- Strategy-independent trust negotiation protocol
- Wireless architecture with support for back-end or out-of-band trust negotiation