Limiting the Disclosure of Access Control Policies During Automated Trust Negotiation
Kent Seamons (Brigham Young University); Marianne Winslett and Ting Yu (University of Illinois at Urbana-Champaign)
Network and Distributed System Security Symposium, February 8-9, 2001, San Diego
Trust Establishment between Strangers
- When a client and server begin an interaction, the client is unknown to the server: it is not a member of the server's security domain.
- The client's identity is irrelevant to the security decision. The decision is based on properties of the client other than identity.
- Examples: citizenship, clearance, job classification, group memberships, the client's role within its home organization, etc.
Trust Establishment Requirements
- Automated: limited human intervention, easy to use, scalable administration
- Ubiquitous: a network service, independent of any particular application
- Preserve local autonomy: decentralized management
Digital Credentials
- A credential contains attributes (name/value pairs) of the credential owner, asserted by the issuer.
- Credentials are cryptographically signed, and thus verifiable and unforgeable.
- Digital credentials are the on-line analogues of the paper credentials that people carry in their wallets.
Access Control Policies
Policies specify the combination of credentials that must be submitted in order to obtain authorized access to secure services. Example policy:
StudentID(X) where X.university = "BYU"
InternetSocietyMember(X)
Sensitive Credentials
- Credentials can contain sensitive information.
- Safeguard credential disclosure using the same access control mechanisms used to safeguard protected resources.
- Credential disclosure is governed by an access control policy that specifies the credentials that must be received from another party prior to disclosing the credential to that party.
[Figure: example credential disclosure policies involving the credentials IBMEmployee, TRUSTe, Visa and AuthorizedVisa]
Trust Negotiation
The iterative exchange of digital credentials between two negotiation partners in order to establish trust.
Assumptions:
- Confidential communication between the negotiation participants
- Credential ownership is verified
An alternative: a trusted third party. The two parties disclose their credentials and policies to the trusted third party and rely on it to determine whether or not they should trust one another.
Trust Negotiation Strategy
An algorithm used to find a successful trust negotiation. The strategy determines which credentials to disclose and when to disclose them.
Desirable Properties of Trust Negotiation Strategies
- Efficient: the communication and computation costs are not prohibitive.
- Complete: a negotiation succeeds whenever success is possible.
- Terminates: the negotiation terminates efficiently whenever a successful negotiation is not possible.
Trust Negotiation Example
[Figure: the client's credential disclosure policies (over Employee, Visa and StudentID) and the server's credential disclosure policies (over TRUSTe, AuthorizedVisa and BBB) guarding the Service. The disclosures in the diagram read, in order: StudentID; TRUSTe, BBB, AuthorizedVisa; Employee, Visa; Service.]
Policy Disclosure
How does a negotiation participant know which credentials to disclose to a stranger in order to gain access to a protected resource? Access control policies can be disclosed during trust negotiation to inform the counterpart of the credentials it can disclose to advance the negotiation.
Alternative approaches to policy disclosure:
- Disclose entire policies
- Disclose policy extracts, or hints
Access control policies can themselves contain sensitive information.
Trust Negotiation without Support for Sensitive Policies
1) Client to server: service request
2) Server to client: policy
3) Client to server: service request, credentials
4) Server to client: service

Trust Negotiation with Support for Sensitive Policies
1) Client to server: service request
2) Server to client: policy
3) Client to server: service request, credentials
4) Server to client: further policy, now unlocked by the credentials received
5) Client to server: service request, credentials
6) Server to client: service
Sensitive Access Control Policies
- Support for sensitive access control policies allows a negotiation participant to gradually establish trust in a negotiation partner before disclosing a sensitive resource (a policy, a credential, or a service).
- The partner may find it unacceptable to satisfy the policy that appeared to govern access to a resource and still be denied access.
- Therefore, introduce an indicator that access to a resource is governed by additional policy not yet disclosed during the negotiation.
Access Control Policy Graph
- A finite, directed, acyclic graph.
- A single sink node R represents the protected resource R; all nodes other than R represent policies.
- A single source node S contains a policy that can be freely disclosed.
- Access to R is granted when an authorized path to R exists: credentials have been received that satisfy all policies along some directed path from S to R.
[Figure: a policy graph with source S, policy nodes P1, P2, P3 and sink R]
Access Control Policy Graph
- A policy node is unlocked if there exists an authorized path to it; an unlocked policy node can be disclosed.
- An unlocked policy node that has a locked child node is known as an innermost unlocked policy.
[Figure: the policy graph with nodes S, P1, P2, P3 and R]
Policy Graphs
Since a policy graph may contain a node with outdegree > 1, the policy details of different trusted groups can be kept private from each other.
[Figure: three example graphs, each ending in a resource R. Node labels: Employee(X); TopSecret, PrivacyGuarantee, NRA; and a branch on Company_name(X) = Sun versus Company_name(X) = IBM, with Title(X) = VP]
Policy Graph Languages
- The semantics of the language(s) used to represent policies must be defined over paths through policy graphs, rather than only over isolated policies.
- Negation must be treated carefully in policy languages.
- The language must be monotonic: disclosing additional credentials must never cause a policy that was satisfied to become unsatisfied.
Safe Disclosures
- A trust negotiation strategy must ensure that all disclosures are safe.
- It is always safe to disclose the source node of a policy graph.
- A non-source node N can be disclosed if and only if there is a directed path from S to one of N's parents such that the other negotiation participant satisfies every policy along that path.
- A trust negotiation strategy is safe if all possible negotiations conducted by two parties using that strategy are safe.
Negotiation Strategies for Sensitive Policies
- Relevant Credentials Set strategy
- All Relevant Policies strategy
Relevant Credentials Set Strategy
- The negotiation participants do not exchange their full policies with each other.
- The parties send messages of the form (Credentials, CredentialRequest):
  - Credentials: a set of unlocked credentials
  - CredentialRequest: a set of syntactically relevant credentials
- Worst-case communication cost: 2C + 2 messages, where C is the minimum credential count of the two participants. A participant's credential count is the number of credentials it owns plus the number of credentials appearing in its policies.
Trust Negotiation Example (relevant credentials set strategy)
[Figure: the client's credential disclosure policies guard C1, C2, C3, C4; the server's guard S1, S2, S3 and the service R. The policy graphs are drawn in the slide and are not reproduced here.] The messages, alternating client to server (odd) and server to client (even), in the form (Credentials, CredentialRequest):
1. ({}, {R})
2. ({}, {C4})
3. ({}, {S2})
4. ({S2}, {})
5. ({C4}, {})
6. ({}, {C1, C2, C3})
7. ({}, {S3})
8. ({S3}, {})
9. ({C1, C3}, {S1})
Relevant Credentials Set Strategy
- Advantage: avoids direct disclosure of access control policies during trust negotiation.
- Disadvantage: discloses more credentials than strictly necessary.
All Relevant Policies Strategy
- The negotiation participants take turns exchanging policies and credentials through messages of the form ({}, Policies) or (Credentials, {}).
- Each participant must always disclose all innermost unlocked policies as they become available.
- Negotiation terminates when there are two empty disclosure messages in a row.
- Worst-case communication cost: 2C + P + 2 messages, where C is the total number of credentials of both participants combined and P is the total number of policies combined.
Trust Negotiation Example (all relevant policies strategy)
[Figure: the same client policies guarding C1, C2, C3, C4 and server policies guarding S1, S2, S3 and R.] Each policy disclosure (X, P) says that P is the next policy on the path to X; C1C2 denotes a policy requiring both C1 and C2. Messages alternate client (odd) and server (even):
1. Request(R)
2. {(R, C4)}
3. {(C4, S2)}
4. {S2}
5. {C4}
6. {(R, C3), (R, C1C2)}
7. {(C1, S3), (C2, S3), (C3, S3)}
8. {S3}
9. {(C2, S1)}
10. {(S1, C3)}
11. {C3}
All Relevant Policies Strategy
- Freely discloses all relevant access control policies that the other negotiating party has earned access to during trust negotiation.
- Fewer credential disclosures are possible compared to the relevant credentials set strategy.
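The following is an added example, not code from the deck or from the authors' TrustBuilder work. It implements the policy-graph notions of the earlier slides (unlocked nodes, the safe-disclosure rule, innermost unlocked policies) and then drives the all relevant policies strategy over the slide's C1..C4 / S1..S3 / R example. The policy graphs are read off the two worked examples (R needs C4 and then either C3 or both C1 and C2; S1 needs C3; S2 and S3 are free; C1 and C3 need S3; C2 needs S3 and then S1; C4 needs S2); the node names such as P_C3, and the rule used on a credential turn (disclose exactly the credentials needed to satisfy every counterpart policy that the party's unlocked credentials can now satisfy), are assumptions chosen so that the run reproduces the slide's eleven-message sequence.

```python
# Added example, not code from the deck or the authors: policy graphs, the safe-disclosure
# rule and the All Relevant Policies (ARP) strategy, run over the slides' C1..C4/S1..S3/R
# example. A policy is a list of alternative credential sets (DNF); [set()] is freely
# satisfied. Node names such as P_C3 and the rule for picking credentials are assumptions.

class PolicyGraph:
    """DAG guarding one resource: policy maps node -> alternatives, children maps
    node -> child nodes; the sink is the resource name itself and has no policy."""
    def __init__(self, resource, policy, children, source="S"):
        self.resource, self.policy, self.children, self.source = resource, policy, children, source

    def satisfied(self, node, creds):
        return any(alt <= creds for alt in self.policy[node])

    def unlocked(self, creds):
        """Nodes reached from S along a path whose policies creds all satisfy (slide 19).
        S is always unlocked; the sink is unlocked exactly when access is granted."""
        done, frontier = {self.source}, [self.source]
        while frontier:
            n = frontier.pop()
            if n != self.resource and self.satisfied(n, creds):
                new = [c for c in self.children[n] if c not in done]
                done.update(new)
                frontier.extend(new)
        return done

    def safe_to_disclose(self, node, creds):
        return node in self.unlocked(creds)

    def innermost_unlocked(self, creds):
        """Unlocked policy nodes with a locked child: what ARP must disclose next."""
        u = self.unlocked(creds)
        return [n for n in self.policy if n in u and any(c not in u for c in self.children[n])]


class Party:
    def __init__(self, name, graphs, service=None):
        self.name, self.graphs, self.service = name, graphs, service  # graphs: own resource -> PolicyGraph
        self.received, self.relevant = set(), set()  # counterpart's credentials; own resources in play
        self.seen_policies, self.sent_policies, self.sent_creds = [], set(), set()

    def receive(self, creds, policies):
        self.received |= creds
        for res, alts in policies:  # our credentials named in a counterpart policy become relevant
            self.seen_policies.append((res, alts))
            self.relevant |= {c for alt in alts for c in alt if c in self.graphs}

    def turn(self):
        """One ARP message: ({}, new innermost unlocked policies) if any, else (credentials, {})."""
        policies = []
        for res in sorted(self.relevant):
            g = self.graphs[res]
            for n in g.innermost_unlocked(self.received):
                if (res, n) not in self.sent_policies:
                    self.sent_policies.add((res, n))
                    policies.append((res, g.policy[n]))
        if policies:
            return set(), policies, False
        if self.service in self.relevant and self.service in self.graphs[self.service].unlocked(self.received):
            return set(), [], True  # authorized path to the service exists: grant it
        # Assumed rule: disclose exactly the credentials needed to satisfy every counterpart
        # policy that our currently unlocked credentials can satisfy (so C1 is never sent).
        unlocked = {r for r in self.relevant if r != self.service and r in self.graphs[r].unlocked(self.received)}
        creds = set()
        for _, alts in self.seen_policies:
            for alt in alts:
                if alt <= unlocked | self.sent_creds and not alt <= self.sent_creds:
                    creds |= alt - self.sent_creds
        self.sent_creds |= creds
        return creds, [], False


def negotiate(client, server, service, max_rounds=50):
    """Client requests the service, then the parties alternate; two empty messages in a row end it."""
    log, empties = [("client", f"Request({service})")], 0
    server.relevant.add(service)
    speaker, listener = server, client
    for _ in range(max_rounds):
        creds, policies, granted = speaker.turn()
        if granted:
            log.append((speaker.name, f"Grant({service})"))
            return True, log
        log.append((speaker.name, (sorted(creds), policies)))
        empties = empties + 1 if not creds and not policies else 0
        if empties == 2:
            return False, log
        listener.receive(creds, policies)
        speaker, listener = listener, speaker
    return False, log


def deck_parties(client_holds=("C1", "C2", "C3", "C4")):
    """Both sides as read off the slide (assumed node names); returns (client, server)."""
    g = PolicyGraph
    server = Party("server", {
        "R": g("R", {"S": [{"C4"}], "P_C3": [{"C3"}], "P_C12": [{"C1", "C2"}]},
               {"S": ["P_C3", "P_C12"], "P_C3": ["R"], "P_C12": ["R"]}),
        "S1": g("S1", {"S": [{"C3"}]}, {"S": ["S1"]}),
        "S2": g("S2", {"S": [set()]}, {"S": ["S2"]}),
        "S3": g("S3", {"S": [set()]}, {"S": ["S3"]})}, service="R")
    client_graphs = {
        "C1": g("C1", {"S": [{"S3"}]}, {"S": ["C1"]}),
        "C2": g("C2", {"S": [{"S3"}], "P_S1": [{"S1"}]}, {"S": ["P_S1"], "P_S1": ["C2"]}),
        "C3": g("C3", {"S": [{"S3"}]}, {"S": ["C3"]}),
        "C4": g("C4", {"S": [{"S2"}]}, {"S": ["C4"]})}
    return Party("client", {c: gr for c, gr in client_graphs.items() if c in client_holds}), server
```

Running negotiate(*deck_parties(), "R") yields the request, the ten messages 2 to 11 of the slide in order, and a grant; the client discloses only C4 and C3, whereas the relevant credentials set run on the earlier slide disclosed C1 as well. Policy nodes are disclosed only once they are unlocked, so the inner policies of R (C3, C1C2) never leave the server before C4 has arrived. deck_parties(("C1", "C4")) builds a client that cannot reach R; that run ends, as the strategy specifies, after two empty messages in a row.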
Conclusion
- The relevant credentials set strategy and the all relevant policies strategy are safe and complete trust negotiation strategies.
- These strategies use policy graphs to safeguard the disclosure of sensitive policy information during trust negotiation.
Future Work
TrustBuilder:
- Strategy-independent trust negotiation protocol
- Client-initiated trust establishment
- Wireless architecture with support for back-end or out-of-band trust negotiation