Authorizing Slice Creation How ABAC Coordinates Distributed Authorization Alefiya Hussain 1.

TIED Joins GENI
How does TIED get to know GENI users?
Keeping local ABAC policy the same (there are many other ways too)
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners
2

The Players
TIED, the resource owner: provides equipment and establishes high-level policies for utilization
Alex, the researcher: received a GENI award and wants to use the substrate for experiments
3

The Players
TIED, the resource owner: provides equipment and establishes high-level policies for utilization
Alex, the researcher: received a GENI award and wants to use the substrate for experiments
GENI, the coordinator/certifier: asserts attributes for these new principals
4

The Players: GENI, TIED, Alex
GENI defines various attributes to manage groups of people
– Defines groups such as researchers, gradStudents, vendors…
– And publishes facts about them: Alex is a GENI researcher
5

The Players: GENI, TIED, Alex
TIED learns about GENI’s facts and incorporates them into its local authorization policy
So TIED publishes a fact: all GENI researchers can create slices on TIED
Thus it delegates some resource control to GENI
6

The Players: GENI, TIED, Alex
Alex learns he needs to identify himself as a researcher to create a slice
7

ABAC Enables the Players
Alex: "I want to create a slice." Alex holds the credential GENI.researcher ← Alex
TIED Slice Manager (ABAC), local policy: if you are a GENI researcher, you can create a slice. TIED.createSlice ← GENI.researcher
GENI Welcome Package: a researcher credential (GENI.researcher ← Alex) is sent to Alex
8

ABAC Negotiation Grants Access
TIED Slice Manager (ABAC) holds TIED.createSlice ← GENI.researcher; Alex holds GENI.researcher ← Alex
1. Alex sends the request with credential + key.
2. ABAC constructs the proof: TIED.createSlice ← GENI.researcher ← Alex
Grants access
9

Summary: Alex creates a slice
– GENI added Alex to the researcher attribute space
– TIED uses GENI’s credential (GENI.researcher) to authorize users to create slices
10

GENI expands its attribute space
Keeping local ABAC policy the same
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners
11

The Players: GENI, TIED, Bob
GENI decides gradStudents are also a kind of researcher
So GENI publishes a new fact: all gradStudents are also researchers
12

The Players: GENI, TIED, Bob
Policy at TIED does not change: TIED.createSlice ← GENI.researcher
TIED is unaware of the change
13

The Players: GENI, TIED, Bob
Bob identifies himself as a gradStudent to TIED
14

ABAC Enables the Players
TIED Slice Manager (ABAC) policy: TIED.createSlice ← GENI.researcher
GENI Registry: GENI.gradStudent ← Bob; GENI.researcher ← GENI.gradStudent
1. Bob: "I want to create a slice."
15

TIED discovers credentials TIED Slice Manager ABAC 1.I want to create a slice? TIED.createSlice  GENI.researcher GENI Registry 2. ABAC proof construction fails Proof: TIED.createSlice  GENI.researcher  ? GENI.gradStudent  Bob Need more information from GENI 16

TIED discovers credentials TIED Slice Manager ABAC 1.I want to create a slice? TIED.createSlice  GENI.resercher GENI Registry 2. ABAC proof construction fails 3. Is Bob a researcher? 4. I don’t know, but here are some relevant credentials GENI.researcher  GENI.gradStudent 5. ABAC constructs proof. Proof: TIED.createSlice  GENI.resercher GENI.researcher  GENI.gradStudent  Bob Grants Access 17

Summary: Bob creates the slice!
– No policy impact on the resource provider
– TIED, the resource provider, learned relevant information from the external certifiers
18

GENI Coordinates with the NSF
Keeping local ABAC policy the same
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners
19

Chloe wants to create a slice
Chloe is an NSF NeTS FIND researcher
20

The Players: NSF, GENI, TIED, Chloe
NSF makes each program initiative a principal – FIND, CISE
NSF assigns each initiative a program attribute: NSF.program ← FIND
Each initiative defines its own attribute space, specifically researcher attributes: FIND.researcher ← Chloe
21

The Players: NSF, GENI, TIED, Chloe
GENI and NSF negotiate and decide to treat all NSF program researchers as GENI researchers
GENI publishes a new fact: all NSF program researchers are also GENI researchers
This is expressed as a linked credential: GENI.researcher ← NSF.program.researcher
22

The Players: NSF, GENI, TIED, Chloe
TIED has no policy changes
Chloe identifies herself as a FIND researcher to TIED
23

ABAC Enables the Access
TIED Slice Manager (ABAC) policy: TIED.createSlice ← GENI.researcher
Chloe presents (issued by FIND and NSF): FIND.researcher ← Chloe; NSF.program ← FIND
1. Chloe: "I want to create a slice."
2. ABAC proof construction fails. Proof: TIED.createSlice ← GENI.researcher ← ? (known: FIND.researcher ← Chloe, NSF.program ← FIND)
Need more information from GENI
24

ABAC Enables the Access
TIED Slice Manager (ABAC) policy: TIED.createSlice ← GENI.researcher
1. Chloe: "I want to create a slice."
2. ABAC proof construction fails.
3. TIED asks GENI: Do you know the NSF?
4. GENI: Yes, here are some relevant credentials: GENI.researcher ← NSF.program.researcher
5. ABAC constructs the proof: TIED.createSlice ← GENI.researcher ← NSF.program.researcher; NSF.program ← FIND; FIND.researcher ← Chloe
Grants access
25
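The three walkthroughs in this deck (Alex on slides 8–9, Bob's credential discovery on slides 15–17, and Chloe's linked credential on slides 24–25) all run against the same single TIED policy rule. The following is an added worked example, not code from the slides or from any ABAC/libabac implementation: a toy RT0-style prover that handles the three credential forms the slides use (role ← entity, role ← role, role ← linked role), computes membership as a least fixpoint, reconstructs the proof chain, and, when a proof fails, asks the issuer of each role it holds no credential for and retries. It assumes in-memory dicts standing in for the GENI and NSF registries, skips signature verification and real credential encodings, and the names Credential, Linked, solve, proof_chain, authorize and scenario are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Tuple, Union

Role = Tuple[str, str]  # ("GENI", "researcher") stands for the role GENI.researcher

@dataclass(frozen=True)
class Linked:
    """Linked role base.name, e.g. NSF.program.researcher: the researcher
    role of every member of NSF.program."""
    base: Role
    name: str

Body = Union[str, Role, Linked]  # an entity, a role, or a linked role

@dataclass(frozen=True)
class Credential:
    """head <- body, issued by head's owner (signature checks are omitted here)."""
    head: Role
    body: Body

    def __str__(self):
        b = self.body
        if isinstance(b, Linked):
            b = (*b.base, b.name)
        return ".".join(self.head) + " <- " + (b if isinstance(b, str) else ".".join(b))

def solve(creds):
    """Least fixpoint: role -> member entities, plus the credential that first
    justified each (role, entity) fact (used to print the proof chain)."""
    members, why, changed = defaultdict(set), {}, True
    while changed:
        changed = False
        for c in creds:
            if isinstance(c.body, str):
                new = {c.body}
            elif isinstance(c.body, Linked):  # members of mid.name for every mid in base
                new = set().union(*(members[(m, c.body.name)] for m in list(members[c.body.base])))
            else:
                new = set(members[c.body])
            for e in new - members[c.head]:
                members[c.head].add(e)
                why[(c.head, e)] = c
                changed = True
    return members, why

def proof_chain(role, entity, members, why):
    """Walk the justifications back from the goal to the presented credential(s)."""
    c = why[(role, entity)]
    if isinstance(c.body, str):
        return [c]
    if isinstance(c.body, Linked):
        mid = next(m for m in members[c.body.base] if entity in members[(m, c.body.name)])
        return ([c] + proof_chain(c.body.base, mid, members, why)
                + proof_chain((mid, c.body.name), entity, members, why))
    return [c] + proof_chain(c.body, entity, members, why)

def authorize(entity, goal, known, registries, max_rounds=5):
    """TIED's decision loop: try to prove 'entity in goal' from local policy plus
    the presented credentials; if that fails, ask the issuer of every role we hold
    no credential for ("Is Bob a GENI researcher?") and retry.
    Returns (granted, proof chain, credentials fetched during discovery)."""
    creds, fetched = list(known), []
    for _ in range(max_rounds):
        members, why = solve(creds)
        if entity in members[goal]:
            return True, proof_chain(goal, entity, members, why), fetched
        defined = {c.head for c in creds}
        wanted = {c.body.base if isinstance(c.body, Linked) else c.body
                  for c in creds if not isinstance(c.body, str)}
        new = [c for r in wanted - defined
               for c in registries.get(r[0], []) if c.head == r and c not in creds]
        if not new:  # nobody can tell us more: deny
            return False, [], fetched
        creds += new
        fetched += new
    return False, [], fetched

def scenario():
    """The three slide walkthroughs (Alex, Bob, Chloe) plus an unknown requester."""
    goal = ("TIED", "createSlice")
    policy = [Credential(goal, ("GENI", "researcher"))]  # TIED's single local rule
    registries = {  # constructed stand-ins for the GENI and NSF registries
        "GENI": [Credential(("GENI", "researcher"), "Alex"),
                 Credential(("GENI", "gradStudent"), "Bob"),
                 Credential(("GENI", "researcher"), ("GENI", "gradStudent")),
                 Credential(("GENI", "researcher"), Linked(("NSF", "program"), "researcher"))],
        "NSF": [Credential(("NSF", "program"), "FIND")],
    }
    presented = {  # what each requester hands to TIED with the slice request
        "Alex": [Credential(("GENI", "researcher"), "Alex")],
        "Bob": [Credential(("GENI", "gradStudent"), "Bob")],
        "Chloe": [Credential(("FIND", "researcher"), "Chloe"), Credential(("NSF", "program"), "FIND")],
        "Mallory": [],  # presents nothing: no chain can reach TIED.createSlice
    }
    return {who: authorize(who, goal, policy + creds, registries) for who, creds in presented.items()}
```

Calling scenario() yields, for each requester, the decision, the proof chain (the same chains the slides print, e.g. TIED.createSlice ← GENI.researcher ← GENI.gradStudent ← Bob) and the credentials discovery had to fetch. Alex is proven in one round with nothing fetched; Bob and Chloe each fail the first round, pull GENI's credentials for GENI.researcher, and succeed on the second; the unknown requester exhausts discovery and is denied. Note that the simplification here asks an issuer only when no credential for one of its roles is held at all; a production engine would also re-query when the held credentials are stale or incomplete.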

Summary
ABAC can express complex relationships between principals
– Through principal delegation
– Through attribute-based delegation
Local policy at the resource provider need not change
Many entities can coordinate complex policy
The end user is insulated from policy details
26