Ting Yu and Marianne Winslett Presented by Korporn Panyim

Presentation transcript:

A Unified Scheme for Resource Protection in Automated Trust Negotiation
Ting Yu and Marianne Winslett
Presented by Korporn Panyim
12/9/2018

Introduction
- Traditionally, trust can be established based on identities
- Obtain local identities from the system in order to access system services
- Under the assumption that entities in the system already know each other

Introduction (2)
- On an open system like the Internet, strangers can make connections and establish trust together
- Obviously, establishing trust based on ID is not a feasible approach
- Parties may come from different security domains and often do not have any pre-existing relationship
- Therefore, the properties of the participants will be most relevant: employment status, group membership, citizenship, …

Introduction (3)
The approach of automated trust negotiation differs from traditional identity-based access control systems mainly in the following aspects:
- Trust between two strangers is established based on the parties’ properties, proven through disclosure of digital credentials.
- Every party can define access control policies to control outsiders’ access to their sensitive resources.
- Instead of a one-shot authorization and authentication, trust is established incrementally through a sequence of bilateral credential disclosures: less sensitive credentials first, more sensitive ones disclosed later on as the level of trust increases.

Sensitive Policies and Their Protection
Example 1: A web page’s access control policy states that in order to access documents of a project on the site, a requester should present an employee ID issued either by Microsoft or by IBM.
- “issued by Microsoft or by IBM” can be considered a sensitive policy
- One can infer that this project is a cooperative effort of the two companies

Sensitive Policies and Their Protection (2)
Example 2: Coastal Bank’s loan application policy says that a loan applicant must be a customer of the bank who is not on the bank’s bad-customer list.
- One can learn from the policy who is on the bank’s bad-customer list

Sensitive Policies and Their Protection (3)
- How to protect sensitive policies from unauthorized disclosure?
- From the point of view of resource protection, sensitive policies are a type of resource that needs to be protected in the same way as any other resource

Resource Protection Desiderata
A resource protection scheme that satisfies the following desiderata is desirable:
- Satisfaction-agreement: two parties have the same understanding of the semantics of policies
  - When one party believes that a policy has been satisfied by disclosed credentials, the other party should believe the same
  - Otherwise, a dispute may arise even though the two parties negotiate trust in good faith
  - Example 2: Coastal Bank

Resource Protection Desiderata (2)
- Protection of sensitive policies should be as powerful as the protection of any other kind of resource
- The policy protection approach should allow fine-grained control of the protection applied to each part of a policy
  - Different parts of a policy may be sensitive in different ways
- The resource protection scheme should decouple the protection of a resource R from its access control policy P
  - R’s accessibility should depend only on P’s satisfaction. Whether P is disclosed or not should not affect R’s accessibility

Resource Protection Desiderata (3)
- Allow interoperability between negotiation strategies
  - A negotiation strategy suggests the next message that a party should send to the other negotiation participant
  - Two strategies are said to be interoperable if, by adopting them respectively, two parties can always establish trust whenever their policies theoretically allow trust to be established
  - The resource protection scheme must allow a variety of negotiation strategies to interoperate correctly with one another

Resource Protection Desiderata (4)
- Allow a human-friendly interface for policy capture and maintenance
  - Perfect policies are hard to write and will require frequent updates

A Unified Scheme for Resource Protection (UniPro)
- Provides a general-purpose way to protect sensitive access control policies during trust negotiation
- The design of UniPro is guided by a set of desiderata for the protection of sensitive access control policies

Overview of UniPro
- Policy definition: P ← p
  - P is a unique policy ID
  - p is the content of the policy, denoted content(P)
  - C is a set of credentials
- Given a policy definition P ← p and a policy content p’ in which the ID P appears, we say a set C of credentials satisfies p’ if C satisfies p’ with P replaced by its content p
- This definition allows policy IDs to appear in policy definitions

Overview of UniPro (2)
- R : P denotes that P is the ID of the access control policy for resource R
  - A requester needs to disclose credentials that satisfy P in order to gain access to R
- Each resource R is protected by exactly one policy (R : P)
  - (R : P) can be disclosed freely (it consists of resource IDs only)
- Each policy ID P has exactly one policy definition P ← p
- Policies may have the IDs true and false; their contents are always and never satisfied, respectively
  - P : true means any requester can see P’s content
  - P : false means P’s content should not be shown to anybody

Revisit Example 1
A web page’s access control policy states that in order to access documents of a project on the site, a requester should present an employee ID issued either by Microsoft or by IBM.
- Access control policy for document R is R : P
  - P ← x.type = “Employee ID” ∧ P1
  - P1 ← x.issuer = “Microsoft” ∨ x.issuer = “IBM”
  - P : true and P1 : false
- P1, which contains the sensitive information, is protected
- The satisfaction-agreement assumption holds in this situation

Revisit Example 2
Coastal Bank’s loan application policy says that a loan applicant must be a customer of the bank who is not on the bank’s bad-customer list.
- Policy definition is
  - P ← x.type = “Customer ID” ∧ x.issuer = “Coastal Bank” ∧ P1
  - P1 ← x.ID ∉ BadCustomerList
  - P : true and P1 : false
- P1, which contains the bad-customer list, is never disclosed

Example 3
McKinley Clinic makes its patient records available for online access. Let R be Alice’s record. To gain access to R, R’s policy states that a requester must either present Alice’s patient ID for McKinley Clinic, or present a California social worker license and a release-of-information credential issued to the requester by Alice.

Example 3 (2)
- “California social worker license” is considered a sensitive constraint
- Knowing that Alice’s record specifically allows access by social workers will help people infer that Alice may have a mental or emotional problem

Example 3 (3)
Let R be Alice’s patient record, with R : P
- P ← P1 ∨ P2, and P : true
  - Everyone can see that there are two ways to get to Alice’s record
- P1 ← x.type = “patient ID” ∧ x.name = “Alice” ∧ x.issuer = “McKinley Clinic”, and P1 : true
  - Everyone can see that Alice can access her own records
- P2 ← x.type = “Professional License” ∧ x.profession = “Social Worker” ∧ x.issuer = “State of California” ∧ y.type = “Medical Records Release” ∧ y.issuer = “Alice” ∧ y.institution = “McKinley Clinic”
  - Alice can also authorize social workers to look at her records

Example 3 (4)
- P2 : P3, to prevent the inappropriate disclosure of P2’s content
- P3 ← z.type = “Employee ID” ∧ z.issuer = “McKinley Clinic”, and P3 : true
  - Everyone can see that McKinley employees can see another way to access Alice’s records

UniPro Analysis
According to the desiderata discussed before:
- In UniPro, there will be no disagreement between two parties over whether a policy has been satisfied
  - Both parties understand the semantics of the underlying policy language
  - A requester understands that, because some parts of a policy have not been disclosed (only their policy IDs are shown), she will not always be able to tell whether the policy has been satisfied by the credentials she has disclosed

UniPro Analysis (2)
- UniPro protects policies in the same way as other resources
  - Given a resource’s policy R : P, we cannot tell whether R is a policy, a credential or a service
- UniPro explicitly separates a policy’s satisfaction from its disclosure
  - Whether or not P has been disclosed, as long as P is satisfied, R can be accessed
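To make the satisfaction/disclosure decoupling of Example 3 concrete, here is an added example (not code from the paper or from this presentation) that models policy definitions P ← p, one protection policy P : Q per policy ID, and satisfaction by recursive evaluation of the IDs inside a content; the attribute-map credential format, the `has` helper, the `UniPro` class and the sample credentials are assumptions of this example.

```python
from typing import Callable, Dict, List

Credential = Dict[str, str]  # assumed format: a credential is a flat attribute map (x.type, x.issuer, ...)
Creds = List[Credential]

def has(creds: Creds, **attrs: str) -> bool:
    """True if some disclosed credential carries every attribute value given."""
    return any(all(c.get(k) == v for k, v in attrs.items()) for c in creds)

class UniPro:
    """Policy definitions P <- content(P), each ID with exactly one protection policy P : Q."""
    def __init__(self) -> None:
        self.content: Dict[str, Callable[[Creds, "UniPro"], bool]] = {}
        self.guard: Dict[str, str] = {}  # maps P to Q for P : Q

    def define(self, pid: str, content, guard: str = "true") -> None:
        self.content[pid], self.guard[pid] = content, guard

    def satisfies(self, creds: Creds, pid: str) -> bool:
        """C satisfies P iff C satisfies content(P); policy IDs inside a content recurse through here."""
        if pid in ("true", "false"):
            return pid == "true"
        return self.content[pid](creds, self)

    def visible(self, creds: Creds, pid: str) -> bool:
        """content(P) is disclosed only once the requester has satisfied P's protection policy Q."""
        return self.satisfies(creds, self.guard[pid])

# Example 3 encoded: R : P, P <- P1 or P2; P, P1 and P3 are public; P2's content is guarded by P3.
clinic = UniPro()
clinic.define("P", lambda c, u: u.satisfies(c, "P1") or u.satisfies(c, "P2"))
clinic.define("P1", lambda c, u: has(c, type="patient ID", name="Alice", issuer="McKinley Clinic"))
clinic.define("P2", lambda c, u: has(c, type="Professional License", profession="Social Worker", issuer="State of California")
              and has(c, type="Medical Records Release", issuer="Alice", institution="McKinley Clinic"), guard="P3")
clinic.define("P3", lambda c, u: has(c, type="Employee ID", issuer="McKinley Clinic"))
RESOURCE_POLICY = {"R": "P"}

def can_access(creds: Creds, resource: str = "R") -> bool:
    """Access depends only on whether the resource's policy is satisfied, never on whether it was disclosed."""
    return clinic.satisfies(creds, RESOURCE_POLICY[resource])

def disclosed_policies(creds: Creds) -> List[str]:
    """Policy IDs whose content this requester may see, given the credentials she has disclosed."""
    return sorted(p for p in clinic.content if clinic.visible(creds, p))

# Constructed sample: a California social worker holding Alice's release but no McKinley employee ID.
SOCIAL_WORKER = [{"type": "Professional License", "profession": "Social Worker", "issuer": "State of California"},
                 {"type": "Medical Records Release", "issuer": "Alice", "institution": "McKinley Clinic"}]
```

The social worker gains access to R although the content of P2 is never shown to her, while a McKinley employee sees P2's content but cannot access R.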

Negotiation Strategies for UniPro
- Strategies for trust establishment based on the UniPro protocol: establish trust while protecting sensitive information
- The UniPro protocol allows three types of disclosure:
  - Resource (service, credential or policy)
  - Policy IDs (R : P)
  - Relationship between a policy and a credential (a variable assignment)
- In trust negotiation using the UniPro protocol, every message that a party Alice sends is a set of the disclosures defined above
- An empty message (failure message) indicates that a party has decided to terminate the negotiation

Overview of the Trust Negotiation Process
Alice wants to access one of Bob’s resources:
- Alice sends a request for Bob’s resource R
- Bob calls his negotiation strategy, then sends Alice the disclosure message it outputs
- Alice receives the message, calls her strategy, and sends Bob the message suggested by her strategy
- This process continues until:
  - Alice finally satisfies R’s policy and gains access to R
  - Or one party sends an empty message to terminate the negotiation

Negotiation Strategies for UniPro (2)
- In negotiation strategies for UniPro, there is a tradeoff between privacy and access (establishing trust)
- UniPro allows portions of the content of a resource’s access control policy to be hidden from a requester
- To protect privacy, a requester may not want to disclose all her credentials in an attempt to satisfy those hidden constraints
- Trust establishment may then fail because she cannot see the contents of a policy, even though she may hold the right credentials to satisfy that policy

Negotiation Strategies for UniPro (3)
Two strategies that work with UniPro policies:
- Unified Eager Strategy
  - Sends all safe disclosures to the other party
  - Does not carefully analyze which disclosures are useful for establishing trust
  - Strong interoperability can be achieved (tends to establish trust rather than preserve privacy)
- Unified Relevant Strategy
  - Analyzes the ongoing negotiation and tries to identify disclosures that are relevant to the current negotiation
  - Does not try to satisfy undisclosed policies (the protocol may fail)
  - Only weak interoperability can be achieved (tends to preserve privacy rather than establish trust)

Discussion…