Rule based Trust management using RT Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio. The DTM team.

Slides:



Advertisements
Similar presentations
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
+ HEALTH INSURANCE: UNDERSTANDING YOUR COVERAGE Navigator Name Blank County Extension UGA Health Navigators.
Secure Multiparty Computations on Bitcoin
Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Responding to Policies at Runtime in TrustBuilder Bryan Smith, Kent E. Seamons, and Michael D. Jones Computer Science Department Brigham Young University.
Securing the Broker Pattern Patrick Morrison 12/08/2005.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Using the CC2420 with AES Support
Trust Management II Anupam Datta Fall A: Foundations of Security and Privacy.
Using Digital Credentials On The World-Wide Web M. Winslett.
11 World-Leading Research with Real-World Impact! RT-Based Administrative Models for Community Cyber Security Information Sharing Ravi Sandhu, Khalid Zaman.
Exploiting Preferences for Minimal Credential Disclosure in Policy-Driven Trust Negotiations Philipp Kärger, Daniel Olmedilla, Wolf-Tilo Balke L3S Research.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio.
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
Security Protocols in Automation Dwaine Clarke MIT Laboratory for Computer Science January 8, 2002 With help from: Matt Burnside, Todd.
Role-based Trust Management Security Policy Analysis and Correction Environment (RT-SPACE). Gregory T. Hoffer CS7323 – Research Seminar (Dr. Qi Tian)
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Web Policy Zeitgeist Panel SWPW 2005 – Galway, Ireland Piero Bonatti, November 7th, 2005.
1 Role-Based Cascaded Delegation: A Decentralized Delegation Model for Roles Roberto Tamassia Danfeng Yao William H. Winsborough Brown University Brown.
CS590U Access Control: Theory and Practice Lecture 21 (April 11) Distributed Credential Chain Discovery in Trust Management.
TRUST NEGOTIATION IN ONLINE BUSINESS TRANSACTIONS BY CHANDRAKANTH REDDY.
Switch off your Mobiles Phones or Change Profile to Silent Mode.
Computer Science 725 – Software Security Presentation “Decentralized Trust Management” Decentralized Trust ManagementDecentralized Trust Management M.
POLIPO: Policies & OntoLogies for Interoperability, Portability, and autOnomy Daniel Trivellato.
Rule based Trust management using RT – third lecture Sandro Etalle University of Twente & Eindhoven thanks to Ninghui Li - Purdue William H. Winsborough.
1 Security on Social Networks Or some clues about Access Control in Web Data Management with Privacy, Time and Provenance Serge Abiteboul, Alban Galland.
1 Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework ¹ Dep. of Information and Communication Technology,
A Flexible Access Control Model for Web Services Elisa Bertino CERIAS and CS Department, Purdue University Joint work with Anna C. Squicciarini – University.
G53SEC 1 Access Control principals, objects and their operations.
PEP Similarity Credential Repository Gossip protocol Access request Credential request Reputation-based Similarity Evaluator AC Policy Request Decision.
1 Secure Group Collaboration in an Open Environment May, 2006 Zhengyi Le DEVLAB, Dartmouth College.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Policies September 7, 2010.
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Automatic Trust Negotiation Rajesh Gangam
Brian A. LaMacchia Director, XCG Security & Cryptography, Microsoft Research.
Dr. Bhavani Thuraisingham September 2006 Building Trustworthy Semantic Webs Lecture #5 ] XML and XML Security.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Academic Year 2014 Spring Academic Year 2014 Spring.
Introduction to Access Control and Trust Management Daniel Trivellato.
The Laboratory of Information Integration, Security and Privacy ● University of North Carolina at Charlotte URL: 306, UNC Charlotte.
Rule based Trust management using RT – third lecture Sandro Etalle University of Twente & Eindhoven thanks to Ninghui Li - Purdue William H. Winsborough.
Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014.
Newcastle uopn Tyne, September 2002 V. Ghini, G. Lodi, N. Mezzetti, F. Panzieri Department of Computer Science University of Bologna.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Policies June 2011.
1 Authorization Sec PAL: A Decentralized Authorization Language.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Decentralized Access Control: Overview Deepak Garg Foundations of Security and Privacy Fall 2009.
A Proof-Carrying File System Deepak Garg and Frank Pfenning (Carnegie Mellon University) IEEE Symposium on Security and Privacy May 18, 2010.
Decentralized Access Control: Policy Languages and Logics
Key management issues in PGP
Kent Seamons Brigham Young University Marianne Winslett, Ting Yu
Grid Security.
Cryptography and Network Security
Authentication Applications
Beyond Proof-of-compliance: Security Analysis in Trust Management
Protecting Privacy During On-line Trust Negotiation
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Policy Language Requirements for Trust Negotiation
Presentation transcript:

Rule based Trust management using RT Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio. The DTM team of the UT (Marcin, Jeroen, Jerry). And the many people I’ve taken ideas from for this lecture (Winslett, Li, Seamons…)

Etalle: Decentralized Trust Management 2 Overview Rule vs Reputation based TM A taste of trust negotiation The RT TM system Credential Chain discovery

Etalle: Decentralized Trust Management 3 Trust Management, the bottomline Typical access control mechanism TM alternative authorizationsubjectID showslookup authorizationsubjectCredentials hasinfers

Etalle: Decentralized Trust Management 4 2 flavors Reputation based TM Rule-based TM

Etalle: Decentralized Trust Management 5 Reputation-based TM concrete community of cooks (200 people) need to interact with someone you don’t know,  to extablish trust: you ask your friends  and friends of friends ... some recommendations are better than other you check the record (if any)  after success trust increases

Etalle: Decentralized Trust Management 6 Reputation-based TM virtual p2p community of hackers (10000 people)  exchange programs & scripts need to interact with someone you don’t know, …. difference with concrete community:  larger, trust establishment has to be to some extent automatic

Etalle: Decentralized Trust Management 7 Reputation-based TM: salient features open system (different security domains) trust is a measure & changes in time essential risk component recommendation based (NOT identity-based) peers are not continuously available Some systems:  PGP,  EigenTrust Algorithm (Stanford)

Etalle: Decentralized Trust Management 8 rule-based TM: concrete example Bart is entitled to a discount If he is a student of the local university

Etalle: Decentralized Trust Management 9 rule-based tm, virtual When is Bart now entitled to a discount?

Etalle: Decentralized Trust Management 10 Bart is now entitled to a discount … If he is a student of any accredited University. But perhaps there are other reasons why Bart is entitled to a discount  If he is an employee of any governmental organization  If he is a member of the library club  If he is a veteran  …. Too many to mention  Which problems does this raise? Possible answers:  Scalability  Knowing where and what to search

Etalle: Decentralized Trust Management 11 Summary: reputation vs rules in TM open system (different security domains) trust is a measure & changes in time risk-based no delegation recommendation based (NOT identity-based) peers are not continuously available scalability open system (different security domains) trust is boolean & less time- dependent no risk delegation rule (credential) based (NOT identity-based) peers are not continuously available scalability

Etalle: Decentralized Trust Management 12 Bart is now entitled to a discount…(2) Bart wants to prove he is a student of an accredited university  He shows his GMU student ID But, is GMU accredited? Accredited by whom?  The shop needs to specify this How does Bart/the shop prove this?  By finding other credentials demonstrating this

Etalle: Decentralized Trust Management 13 Credential A credential is a statement  Signed by the issuer  about a subject  Containing info about the subject Requirements  Unforgeable (!)  Verifiable (that it belongs to the one asking for the service)  Signed (e.g. X509)  But most of all…. A well-defined semantics

Etalle: Decentralized Trust Management 14 Bart is now entitled to a discount…(2) Bart GMU Accreditation Bureau Shop Is student of Is accredited by Is accepted by We have a chain of credentials  The subject of one is the issuer of the other one

Etalle: Decentralized Trust Management 15 2 features of rule based TM: No predefined security monitor  Needs a well-defined semantics  Credentials need to be disclosed to a possibly untrusted party  ISSUE 1: Trust negotiation Credentials are distributed  stored by the subject AND/OR by the issuer  ISSUE 2: credential chain discovery

Etalle: Decentralized Trust Management 16 A flavor of trust negotiation Credentials may contain private information and should be treated as such  E.g. medical record

Etalle: Decentralized Trust Management 17 Disclosing Credentials Credentials should be disclosed only according to a given access control policy “I will show my medical record only to accredited surgeons” To disclose a credential one requires to see another credential

Etalle: Decentralized Trust Management 18 Example A: please send me this treatment (request) H: I’ll do so if you show me your medical (policy) A: I’ll show you my medical if you show me that you subscribe to GoodPrivacyPolicies H: Here is a credential showing this. A: here is my medical H here is the treatment.

Etalle: Decentralized Trust Management 19 Trust Negotiation Seamons: “The process of establishing trust between strangers in open systems based on the attributes of the participants” Goal: establish trust while maintaining privacy How: by iterative disclosure of credentials additional problem: what do you do with the info in a credential after it has been disclosed

Etalle: Decentralized Trust Management 20 Problems/challenges Many, to mention some: Circularities, Strategies (see [Seamons]) Naive Reasonable Informed

Etalle: Decentralized Trust Management 21 Question to think about Clearly: The disclosure of an additional credential may not lead to the revocation of a permission. But do we need full monotonicity? We are going to come back on this one…

Part 2 The RT family language

Etalle: Decentralized Trust Management 23 Policy Language Wish List Decentralize authority to define attributes  Utilize policy and credentials from many sources Delegation of attribute authority  To specific principals  To principals with certain attributes Intersection of attributes Parameterization, constraints Support for thresholds, separation of duty

Etalle: Decentralized Trust Management 24 Role-based Trust Management (RT ) A family of credential / policy languages  Simplest, RT 0, has no parameterization, thresholds, or separation of duty [Li, Mitchell, Winsborough] RT 0 example: student discount subscription  EPub.studentDiscount  StateU.student  StateU.student  URegistrar.fulltimeLoad  StateU.student  URegistrar.parttimeLoad  URegistrar.parttimeLoad  Alice principal role name role credential

Etalle: Decentralized Trust Management 25 RT0 Syntax A, B, D: principals r, r1, r2: role names A.r: a role (a principal + a role name) Four types of credentials:  A.r  D  A.r  B.r1  A.r  A.r1.r2  A.r  A1.r1  A2.r2

Etalle: Decentralized Trust Management 26 Type 1 credentials Epub.discount  Alice Epub states that “Alice belongs to the role Epub.discount” Semantics Alice  [[Epub.discount]] Issuer: Epub Subject: Alice Where is this stored? We don’t know. Yet. Here I am trying to get away with something….

Etalle: Decentralized Trust Management 27 Type 2 credentials Epub.discount  StateU.student Epub states  “If StateU states that X is a student then I state that X gets a discount” Operationally:  “anyone showing a student certificate signed by stateU gets a discount” Epub delegates authority to StateU Semantics [[StateU.student]]  [[Epub.discount]] Issuer: Epub Subject: StateU

Etalle: Decentralized Trust Management 28 Type 3 credentials Epub.discount  AccredBureau.university.student Epub states  if AccredBureau states that X is an accredited university and  X states that Y is a student  then I state that Y gets a discount. “attribute-based delegation” Semantics  For every X  [[AccredBureau.university]], [[X.student]]  [[Epub.discount]] Note:  like in SDSI, but links are of length max 2 (does not affect expressivity)  In the original RT0 the subject and the issuer are supposed to be the same

Etalle: Decentralized Trust Management 29 Type 4 credentials ITbizz.maysign  ITbizz.manager  ITbizz.senior ITbizz states that “… senior managers may sign..”  “anyone showing a manager certificate and a senior certificate (both signed by ITbizz)) may ‘sign’” Semantics  [[ITbizz.manager]]  [[ITbizz.senior]]  [[ITbizz.maysign]] Issuer, subject: …

Etalle: Decentralized Trust Management 30 Summary: A, B, D: principals r, r1, r2: role names A.r: a role (a principal + a role name) Four types of credentials:  A.r  D Role A.r contains principal D as a member  A.r  B.r 1 A.r contains role B.r 1 as a subset  A.r  A.r 1.r 2 A.r  B.r 2 for each B in A.r 1  A.r  A 1.r 1  A 2.r 2 A.r contains the intersection The first 3 statement types: equivalent to pure SDSI Notice the higher-order flavour of A.r  A.r 1.r 2. More complex versions have parameters (RT 1 ), constraints (RT C ), and can model thresholds and separation of duty (RT T )

Etalle: Decentralized Trust Management 31 Exercise: find the semantics Alice.s  Alice.u.v Alice.u  Bob Bob.v  Charlie Bob.v  Charlie.s Charlie.s  David Charlie.s  Edward

Etalle: Decentralized Trust Management 32 Solution Alice.s  Alice.u.v Alice.u  Bob Bob.v  Charlie Bob.v  Charlie.s Charlie.s  David Charlie.s  Edward [[Charlie.s]] = {David, Edward} [[Bob.v]] = {Charlie, David, Edward} [[Alice.u]] = {Bob} [[Alice.s]] = {Charlie, David, Edward}

Etalle: Decentralized Trust Management 33 Other exercise The flexible company FC delegates the definition of buyer to any of its territorial divisions FCDiv1…. FCDivN FC uses the role FC.division to list all the territorial divisions. FC has accountants (role FC.accountants), which must be approved by Accrinst, and must have a certification as controller given by FedCert. Alice is both a buyer and an accountant. Write an RT0 set of credentials for this.

Etalle: Decentralized Trust Management 34 Solution FC.division  FCDiv1 … FC.division  FCDivN FC.buyer  FC.division.buyer FCDiv1.buyer  Alice FC.accountant  Accrinnst.approved  FedCert.controller Accrinst.approved  Alice FedCert.controller  Alice

Etalle: Decentralized Trust Management 35 Further down the lane In the Flexible Company FC, a buyer may also be an accountant, provided that his/her behaviour is logged. How do we do this?

Etalle: Decentralized Trust Management 36 First way of solving this Use negation in the policies  FC.acc  FC.acc2 – FC.buyer  FC.acc  FC.acc2  FC.buyer  FC.log  FC.acc2  Accrinst.approved  … But negation is nonmonotonic.  How do we deal with this?

Etalle: Decentralized Trust Management 37 A personal view on negation in TM. Negation is good provided that  It is always in a context GOOD: all doctors that don’t have a specialty BAD: all non-doctors.  The negated predicate should rely on a definition we can “count on” Eg: FC.acc  FC.acc2 – FC.buyer FC should be able to tell who populates FC.buyer without having to beg around for credentials. See paper by Czenko et. al  (yes, I confess, I am one of the authors).

Etalle: Decentralized Trust Management 38 A second way of solving this Using an integrity constraint. FC.log ⊒ FC.buyer  FC.accountant Need a mechanism to monitor it. External to the RT system.  See Etalle & Winsborough…

Etalle: Decentralized Trust Management 39 Conclusions Context:  2 or more parties in an open system.  parties are not in the same security domain. Goal  establish trust between parties to exchange information and services (access control) Constraint  access control decision is made NOT according to the party identity BUT according to the credentials it has

Etalle: Decentralized Trust Management 40 Open problems Analysis  safety analysis we are now working with Spin in RT0, for RTC (with constraints) nothing is available  of negotiations protocols w.r.t. the TM goals. Integration with other systems  e.g. privacy protection location-dependent policies  ambient calculi? DRM Semantics is not correct when considering:  chain discovery  negotiations is not modular  certainly possible to improve this using previous work on omega-semantics. Types

Etalle: Decentralized Trust Management 41 Biblio Ninghui Li, William H. Winsborough, John C. Mitchell: Distributed Credential Chain Discovery in Trust Management. Journal of Computer Security 11(1): (2003) Ninghui Li, John C. Mitchell, William H. Winsborough: Design of a Role-Based Trust- Management Framework. IEEE Symposium on Security and Privacy 2002: Marianne Winslett: An Introduction to Trust Negotiation. iTrust 2003: iTrust 2003