Ting Yu and Marianne Winslett Presented by Korporn Panyim

Presentation on theme: "Ting Yu and Marianne Winslett Presented by Korporn Panyim"— Presentation transcript:

1 A Unified Scheme for Resource Protection in Automated Trust Negotiation
Ting Yu and Marianne Winslett
Presented by Korporn Panyim, 12/9/2018

2 Introduction
Traditionally, trust is established based on identities
  An entity obtains a local identity from the system in order to access system services
  This assumes that the entities in the system already know each other

3 Introduction (2)
In an open system like the Internet, strangers can connect and need to establish trust with each other
  Obviously, establishing trust based on identity is not a feasible approach
  Parties may come from different security domains and often have no pre-existing relationship
Therefore, the properties of the participants are what matters most
  Employment status, group membership, citizenship, …

4 Introduction (3)
The approach of automated trust negotiation differs from traditional identity-based access control systems mainly in the following aspects:
  Trust between two strangers is established based on the parties' properties, proven through disclosure of digital credentials
  Every party can define access control policies to control outsiders' access to its sensitive resources
  Instead of a one-shot authentication and authorization, trust is established incrementally through a sequence of bilateral credential disclosures: less sensitive credentials first, more sensitive ones later as the level of trust increases

5 Sensitive Policies and Their Protection
Example 1: A web page's access control policy states that in order to access documents of a project on the site, a requester should present an employee ID issued either by Microsoft or by IBM
  "issued by Microsoft or by IBM" can be considered a sensitive policy
  One can infer that this project is a cooperative effort of the two companies

6 Sensitive Policies and Their Protection (2)
Example 2: Coastal Bank's loan application policy says that a loan applicant must be a customer of the bank who is not on the bank's bad-customer list
  One could learn from the policy who is on the bank's bad-customer list

7 Sensitive Policies and Their Protection (3)
How can sensitive policies be protected from unauthorized disclosure?
  From the point of view of resource protection, sensitive policies are a type of resource that needs to be protected in the same way as any other resource

8 Resource Protection Desiderata
A resource protection scheme should satisfy the following desiderata
Satisfaction-agreement
  Both parties have the same understanding of the semantics of policies
  When one party believes that a policy has been satisfied by the disclosed credentials, the other party should believe the same
  Otherwise, a dispute may arise even though the two parties negotiate trust in good faith (Example 2: Coastal Bank)

9 Resource Protection Desiderata (2)
Protection of sensitive policies should be as powerful as the protection of other kinds of resources
  The policy protection approach should allow fine-grained control of the protection applied to each part of a policy
  Different parts of a policy may be sensitive in different ways
The resource protection scheme should decouple the protection of a resource R from that of its access control policy P
  R's accessibility should depend only on P's satisfaction; whether P is disclosed or not should not affect R's accessibility

10 Resource Protection Desiderata (3)
Allow interoperability between negotiation strategies
  A negotiation strategy suggests the next message that a party should send to the other negotiation participant
  Two strategies are said to be interoperable if, by adopting them respectively, two parties can always establish trust whenever their policies theoretically allow trust to be established
  The resource protection scheme must allow a variety of negotiation strategies to interoperate correctly with one another

11 Resource Protection Desiderata (4)
Allow a human-friendly interface for policy capture and maintenance
  Perfect policies are hard to write and will require frequent updates

12 A Unified Scheme for Resource Protection (UniPro)
Provides a general-purpose way to protect sensitive access control policies during trust negotiation
The design of UniPro is guided by the set of desiderata above for the protection of sensitive access control policies

13 Overview of UniPro
Policy definition: P ← p
  P is a unique policy ID
  p is the content of the policy, denoted content(P)
  C denotes a set of credentials
Given a policy definition P ← p and a policy content p' in which P appears, we say that C satisfies p' if C satisfies p' with P replaced by p; in particular, C satisfies P if C satisfies p
  This definition allows policy IDs to appear in policy definitions

14 Overview of UniPro (2)
R : P denotes that P is the ID of the access control policy for resource R
  A requester needs to disclose credentials that satisfy P in order to gain access to R
  Each resource R is protected by exactly one policy (R : P)
  (R : P) can be disclosed freely, since it involves only resource and policy IDs
  Each policy ID P has exactly one policy definition P ← p
Policies may have the IDs true and false; their contents are always and never satisfied, respectively
  P : true means any requester can see P's content
  P : false means P's content should not be shown to anybody

15 Revisit Example 1
A web page's access control policy states that in order to access documents of a project on the site, a requester should present an employee ID issued either by Microsoft or by IBM
The access control policy for document R is R : P
  P ← x.type = “Employee ID” ∧ P1
  P1 ← x.issuer = “Microsoft” ∨ x.issuer = “IBM”
  P : true and P1 : false
P1, which contains the sensitive information, is protected
The satisfaction-agreement assumption holds in this situation

16 Revisit Example 2
Coastal Bank's loan application policy says that a loan applicant must be a customer of the bank who is not on the bank's bad-customer list
Policy definition:
  P ← x.type = “Customer ID” ∧ x.issuer = “Coastal Bank” ∧ P1
  P1 ← x.ID ∉ BadCustomerList
  P : true and P1 : false
P1, which contains the bad-customer list, is never disclosed

17 Example 3
McKinley Clinic makes its patient records available for online access. Let R be Alice's record. To gain access to R, R's policy states that a requester must either present Alice's patient ID for McKinley Clinic, or present a California social worker license and a release-of-information credential issued to the requester by Alice.

18 Example 3 (2)
“California social worker license” is considered a sensitive constraint
  Knowing that Alice's record specifically allows access by social workers would help people infer that Alice may have a mental or emotional problem

19 Example 3 (3)
Let R be Alice's patient record, with R : P
  P ← P1 ∨ P2, and P : true
    Everyone can see that there are two ways to get to Alice's record
  P1 ← x.type = “patient ID” ∧ x.name = “Alice” ∧ x.issuer = “McKinley Clinic”, and P1 : true
    Everyone can see that Alice can access her own records
  P2 ← x.type = “Professional License” ∧ x.profession = “Social Worker” ∧ x.issuer = “State of California” ∧ y.type = “Medical Records Release” ∧ y.issuer = “Alice” ∧ y.institution = “McKinley Clinic”
    Alice can also authorize social workers to look at her records

20 Example 3 (4)
  P2 : P3, to prevent the inappropriate disclosure of P2's content
  P3 ← z.type = “Employee ID” ∧ z.issuer = “McKinley Clinic”, and P3 : true
    Everyone can see that McKinley employees can see another way to access Alice's records
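As an added example (not code from the slides or from Yu and Winslett's paper), the following Python models Example 3 under the UniPro definitions of slides 13 and 14: policy definitions P ← p, protection mappings R : P and P : Q, satisfaction by substituting a policy ID with its content, and disclosure of a policy's content governed by that policy's own protection. The helper names (has, DEFINITIONS, PROTECTION, satisfies, accessible, visible_policies) and the credential dicts are constructed for illustration.

```python
# Added example; all names and credential values below are illustrative, not from the paper.

def has(creds, **attrs):
    """True if some credential in the set carries every given attribute value."""
    return any(all(c.get(k) == v for k, v in attrs.items()) for c in creds)

# content(P) as a callable (creds, sat) -> bool; sat(Q) resolves a nested policy ID Q,
# i.e. Q is replaced by content(Q) when deciding satisfaction. Assumes no cyclic IDs.
DEFINITIONS = {
    "true": lambda c, sat: True,     # always satisfied
    "false": lambda c, sat: False,   # never satisfied
    # P <- P1 v P2
    "P": lambda c, sat: sat("P1") or sat("P2"),
    # P1 <- x.type = "patient ID" ^ x.name = "Alice" ^ x.issuer = "McKinley Clinic"
    "P1": lambda c, sat: has(c, type="patient ID", name="Alice", issuer="McKinley Clinic"),
    # P2 <- x is a California social worker license ^ y is Alice's release for McKinley Clinic
    "P2": lambda c, sat: has(c, type="Professional License", profession="Social Worker",
                             issuer="State of California")
                         and has(c, type="Medical Records Release", issuer="Alice",
                                 institution="McKinley Clinic"),
    # P3 <- z.type = "Employee ID" ^ z.issuer = "McKinley Clinic"
    "P3": lambda c, sat: has(c, type="Employee ID", issuer="McKinley Clinic"),
}

# R : P for the record, plus one protection policy per policy ID; these mappings are freely disclosable.
PROTECTION = {"R": "P", "P": "true", "P1": "true", "P2": "P3", "P3": "true"}

def satisfies(policy_id, creds):
    """C satisfies P iff C satisfies content(P), with nested policy IDs resolved recursively."""
    return DEFINITIONS[policy_id](creds, lambda q: satisfies(q, creds))

def accessible(resource, creds):
    """R is accessible iff its policy is satisfied; whether that policy was disclosed is irrelevant."""
    return satisfies(PROTECTION[resource], creds)

def visible_policies(creds):
    """Policy IDs whose *content* this requester may see: those whose own protection policy is satisfied."""
    return sorted(p for p in PROTECTION if p != "R" and satisfies(PROTECTION[p], creds))

# Constructed credential sets for four requesters.
STRANGER = []
ALICE = [{"type": "patient ID", "name": "Alice", "issuer": "McKinley Clinic"}]
SOCIAL_WORKER = [
    {"type": "Professional License", "profession": "Social Worker", "issuer": "State of California"},
    {"type": "Medical Records Release", "issuer": "Alice", "institution": "McKinley Clinic"},
]
EMPLOYEE = [{"type": "Employee ID", "issuer": "McKinley Clinic"}]
```

A social worker holding Alice's release gains access to R although P2's content stays hidden from her (she has no McKinley employee ID), which is the decoupling of satisfaction from disclosure; a McKinley employee sees P2's content but cannot access R.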

21 UniPro Analysis
According to the desiderata discussed before:
In UniPro, there will be no disagreement between two parties over whether a policy has been satisfied
  Both parties understand the semantics of the underlying policy language
  A requester understands that, because some parts of a policy may not have been disclosed (only their policy IDs shown), she will not always be able to tell whether the policy has been satisfied by the credentials she has disclosed

22 UniPro Analysis (2)
UniPro protects policies in the same way as other resources
  Given a resource's protection R : P, we cannot tell whether R is a policy, a credential or a service
UniPro explicitly separates a policy's satisfaction from its disclosure
  Whether or not P has been disclosed, as long as P is satisfied, R can be accessed

23 Negotiation Strategies for UniPro
Strategies for trust establishment based on the UniPro protocol
  Establish trust while protecting sensitive information
The UniPro protocol allows three types of disclosure:
  Resource (service, credential or policy)
  Policy IDs (R : P)
  Relationship between a policy and a credential (a variable assignment)
In trust negotiation using the UniPro protocol, every message that a party Alice sends is a set of the disclosures defined above
  An empty message (failure message) indicates that a party has decided to terminate the negotiation

24 Overview of Trust Negotiation Process
Alice wants to access one of Bob's resources
  Alice sends a request for Bob's resource R
  Bob calls his negotiation strategy, then sends Alice the disclosure message it outputs
  Alice receives the message, calls her strategy, and sends Bob the message suggested by her strategy
This process continues until:
  Alice finally satisfies R's policy and gains access to R, or
  one party sends an empty message to terminate the negotiation

25 Negotiation Strategies for UniPro (2)
In negotiation strategies for UniPro, there is a tradeoff between privacy and access (establishing trust)
  UniPro allows portions of the content of a resource's access control policy to be hidden from a requester
  To protect privacy, a requester may not want to disclose all her credentials in an attempt to satisfy those hidden constraints
  Trust establishment may then fail because she cannot see the contents of a policy, even though she may hold the right credentials to satisfy it

26 Negotiation Strategies for UniPro (3)
Two strategies that work with UniPro policies:
Unified Eager Strategy
  Sends all safe disclosures to the other party
  Does not carefully analyze which disclosures are useful for establishing trust
  Strong interoperability can be achieved (tends to establish trust rather than preserve privacy)
Unified Relevant Strategy
  Analyzes the ongoing negotiation and tries to identify disclosures that are relevant to the current negotiation
  Does not try to satisfy undisclosed policies (the negotiation may fail)
  Only weak interoperability can be achieved (tends to preserve privacy rather than establish trust)

27 Discussion…

