Presentation is loading. Please wait.

Presentation is loading. Please wait.

IFIP 2000-1 Profs. Steven A. Demurjian and T.C. Ting J. Balthazar, H. Ren, and C. Phillips Computer Science & Engineering Department 191 Auditorium Road,

Published byAnnika Hayward Modified over 10 years ago

Similar presentations

Presentation on theme: "IFIP 2000-1 Profs. Steven A. Demurjian and T.C. Ting J. Balthazar, H. Ren, and C. Phillips Computer Science & Engineering Department 191 Auditorium Road,"— Presentation transcript:

1 IFIP 2000-1 Profs. Steven A. Demurjian and T.C. Ting J. Balthazar, H. Ren, and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The University of Connecticut Storrs, Connecticut 06269-3155 http://www.engr.uconn.edu/~steve steve@engr.uconn.edu Role-Based Security in a Distributed Resource Environment* Role-Based Security in a Distributed Resource Environment* Dr. Paul Barr The MITRE Corp 145 Wyckoff Road Eatontown, New Jersey 07724 poobarr@mitre.org *This work supported in part by a research contract from the Mitre Corporation (Eatontown, NJ) and a research grant from AFOSR

2 IFIP 2000-2Overview Goals of Our Research Effort Goals of Our Research Effort Suns JINI Technology Suns JINI Technology A Software Architecture for Role-Based Security A Software Architecture for Role-Based Security Proposed Software Architecture Security Resources and Services Security Client and Resource Interactions Client Interactions and Processing Experimental Prototypes Experimental Prototypes JINI Prototype of Role Based Approach Security Client Prototype Related Work Related Work Conclusions and Future Work Conclusions and Future Work

3 IFIP 2000-3 Goals of Our Research Effort Incorporation of Role-Based Approach within Distributed Resource Environment Incorporation of Role-Based Approach within Distributed Resource Environment Highly-Available Distributed Applications Constructed Using Middleware Tools Demonstrate Use of JINI to Provide Selective Access of Clients to Resources Based on Role Propose Software Architecture and Role-Based Security Model for Propose Software Architecture and Role-Based Security Model for Authorization of Clients Based on Role Authentication of Clients and Resources Enforcement so Clients Only Use Authorized Services (of Resource) Propose Security Solution for Distributed Applications for Clients and Services (Resources) Propose Security Solution for Distributed Applications for Clients and Services (Resources)

4 IFIP 2000-4 Suns JINI Technology Construct Distributed Applications Using JINI by Construct Distributed Applications Using JINI by Federating Groups of Users Resources Provide Services for Users A Resource Provides a Set of Services for Use by Clients (Users) and Other Resources (Services) A Resource Provides a Set of Services for Use by Clients (Users) and Other Resources (Services) A Service is Similar to a Public Method A Service is Similar to a Public Method Exportable - Analogous to API Any Entity Utilized by Person or Program Samples Include: Computation, Persistent Store, Printer, Sensor Software Filter, Real-Time Data Source Services: Concrete Interfaces of Components Services Register with Lookup Service Services Register with Lookup Service

5 IFIP 2000-5 Suns JINI Technology Key JINI Concepts and Terms Registration of Services via Leasing Mechanism Registration of Services via Leasing Mechanism Resource Leases Services to Lookup Service Resources Renew Services Prior to Expiration If not, Services Become Unavailable Lookup Service Maintains Registry Services as Available Components Leasing Supports High-Availability Leasing Supports High-Availability Registration and Renewal Process Upon Failure, Services Removed from Registry Clients, Resources, Lookup Can Occupy Same or Different Computing Nodes Clients, Resources, Lookup Can Occupy Same or Different Computing Nodes

6 IFIP 2000-6 Suns JINI Technology Join, Lookup, and Service Invocation Client Resource Service Object Service Attributes Lookup Service Request Service AddCourse(CSE900) Return Service Proxy to AddCourse( ) JoinJoin Register & Lease Services CourseDB Class Contains Method AddCourse ( ) 1. Client Invokes AddCourse(CSE900) on Resource 2. Resource Returns Status of Invocation Service Invocation via Proxy by Transparent RMI Call Service Object Service Attributes Registry of Entries

7 IFIP 2000-7 Proposed Software Architecture for Role-Based Security Many Current Lookup Services Many Current Lookup Services Successfully Dictates Service Utilization Requires Programmatic Solution for Security Does Not Selectively and Dynamically Control Access Based on Client Role Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role Our Approach Our Approach Define Dedicated Resources to Authorize, Authenticate, and Enforce Security by Role Proposed Resources Role-Based Privileges, Authorization List, Security Registration

8 IFIP 2000-8 Proposed Software Architecture for Role-Based Security Resources Provide ServicesClients Using Services Figure 3.1: General Architecture of Clients and Resources. Role-Based Privileges Authorization List Security Registration Legacy COTS Database Lookup Service Lookup Service Java Client Java Client Legacy Client Database Client Software Agent COTS Client

9 IFIP 2000-9 Security Resources and Services Role-Based Privileges Resource Role-Based Privileges Resource Define User-role Grant/Revoke Access of Role to Resource Register Services Authorization List Resource Authorization List Resource Maintains Client Profile (Many Client Types) Client Profile and Authorize Role Services Security Registration Resource Security Registration Resource Register Client Service Identity Registration at Startup Uses IP Address Services of Resource Services of Resource Functionally Separated and Organized Resemble Method Definitions (OO)

10 IFIP 2000-10 The Services of the Role-Based Privilege Resource

11 IFIP 2000-11 The Services of the Authorization-List Resource

12 IFIP 2000-12 The Services of the Security Registration Resource

13 IFIP 2000-13 Security Client and Resource Interactions Figure 3.3: Security Client and Database Resource Interactions. Role-Based Privileges Authorization List Security Registration Lookup Service Security Client Find_Client(C_Id, IP_Addr); Find_All_Active_Clients(); Discover Service Return Proxy General Resource Grant_UR_Client(UR_Id, C_Id); Revoke_UR_Client(UR, C_Id); Find_AllUR_Client(C_Id); Find_All_Clients_UR(UR); Create_New_Role(UR_Name, UR_Disc, UR_Id); Delete_Role(UR_Id); Find_UR_Name(UR_Name); Find_UR_Id(UR_Id); Grant_Resource(UR_Id, R_Id); Grant_Service(UR_Id, R_Id, S_Id); Grant_Method(UR_Id, R_Id, S_Id, M_Id); Revoke_Resource(UR, R_Id); Revoke_Service(UR, R_Id, S_Id); Revoke_Method(UR, R_Id, S_Id, M_Id); Find_AllUR_Resource(UR,R_Id); Find_AllUR_Service(UR,R_Id,S_Id); Find_AllUR_Method(UR,R_Id,S_Id,M_Id); Find_UR_Privileges(UR); Register_Resource(R_Id); Register_Service(R_Id, S_Id); Register_Method(R_Id, S_Id, M_Id); UnRegister_Resource(R_Id); UnRegister_Service(R_Id, S_Id); UnRegister_Method(R_Id, S_Id, M_Id); Create_New_Client(C_Id); Delete_Client(C_Id); Find_Client(C_Id); Find_All_Clients();

14 IFIP 2000-14 8. Check_Privileges(UR,R_Id,S_Id,M_Id); Client Interactions and Processing Database Resource Figure 3.4: Client Interactions and Service Invocations. Role-Based Privileges Authorization List Security Registration Lookup Service GUI Client 1. Register_Client(C_Id, IP_Addr,UR); 2. Verify_UR_Client(UR,C_Id); Discover Service Return Proxy 3. Client OK? 4. Registration OK? 5. ModifyAttr(C_ID,UR,Value) 6.IsClient_Registered(C_ID) 7. Registration OK? 9. Privileges OK? 10. Modification OK?

15 IFIP 2000-15 Two Experimental Prototypes JINI Prototype of Role Based Approach JINI Prototype of Role Based Approach University Database (UDB) Initial GUI for Sign In (Authorization List) Student/faculty GUI Client (Coursedb) Access to Methods Limited Based on Role (Ex: Only Student Can Enroll in a Course) Security Client Prototype Security Client Prototype Generic Tool Uses Three Resources and Their Services Role-Based Privileges Authorization-List Security Registration

16 IFIP 2000-16 Experimental Prototype One JINI Prototype of Role Based Approach Figure 4.1: An Architecture of URBS based on JINI Technology. Java GUI Client1 JINI Lookup Service Author. List Res. (copy 2) Author. List Res. (copy 1) Role-Based Privileges & Sec. Reg. Java GUI Client2 CourseDB Resource (copy 1) CourseDB Resource (copy 2) Role-Based Privileges & Sec. Reg. DBServer Service GetClasses(); PreReqCourse(); GetVacantClasses(); EnrollCourse(); AddCourse(); RemoveCourse(); UpdateCourse().

17 IFIP 2000-17 Experimental Prototype One Execution Process Figure 4.2: Execution Process for Architecture. Java GUI Client1 JINI Lookup Service Role-Base Privileges & Sec. Reg. 1a, 5a 1b, 5b 2 4 6 CourseDB Resource 8a 9a 8b 9b 10 7a 7b Author. List Res. 3aa3b 1a. Discover Register_Client Service 1b. Return Service Proxy 2. Register the Client 3a. Is Client Authorized? 3b. Succeed - return Role 4. Return Success or Failure 5a. Discover CourseDB Service 5b. Return Service Proxy 6. Invoke a Method, e.g., Invoke EnrollCourse() 7a. Discover Role-Based Priv. & Sec. Reg. Services 7b. Return Service Proxies 8a. Is Client Registered? 8b. Return Yes or No 9a. Can Client Invoke Method? 10. addCourse() or do nothing

18 IFIP 2000-18 Experimental Prototype Two The Security Client Prototype Figure 4.3: Initial Security Client Screen.

19 IFIP 2000-19 Recall Security Resources and Services

20 IFIP 2000-20 Experimental Prototype Two Role-Based Privilege Resource & Services Figure 4.4: The Role-Based Privileges Services Screen

21 IFIP 2000-21 Experimental Prototype Two Authorization List Resource & Services Figure 4.5: The Authorization-List Services Screen.

22 IFIP 2000-22 Experimental Prototype Two Security Registration Resource & Services Figure 4.6: The Security Registration Services Screen.

23 IFIP 2000-23 Related Work Security Policy & Enforcement (OS Security) Security Policy & Enforcement (OS Security) Security Filters and Screens Header Encryption User-level Authen. IP Encapsulation Key Mgmt. Protocols Browser Security Use of Encryption Use of Encryption Access Control Securing Comm. Channel Establishing a Trusted Computer Base Network Services Kerberos and Charon Security: Mobile Agents Security: Mobile Agents Saga Security Architecture Access Tokens Control Vectors Security Monitor Concordia Storage Protection Transmission Protection Server Resource Protection Other Topics Trust Appraisal Metric Analysis Short-lived Certificates Seamless Object Authentication

24 IFIP 2000-24Conclusions For a Distributed Resource Environment For a Distributed Resource Environment Proposed & Explained a Role-Based Approach Authorize, Authenticate, and Enforce Presented an Software Architecture Containing Presented an Software Architecture Containing Role-Based Security Model for a Distributed Resource Environment Security Registration, Authorization-List, and Role-based Privileges Resources Developed Two Independent Prototypes Developed Two Independent Prototypes JINI-Based Prototype for Role-Based Security Model that Allows Clients to Access Resources Based on Role Security Client for Establishing Privileges

25 IFIP 2000-25 Future Work Negative Privileges Negative Privileges Chaining of Resource Invocations Client Uses S1 on R1 that Calls S2 on R2 Client Authorized to S1 but Not S2 Multiple Security Clients Multiple Security Clients What Happens When Multiple Security Clients Attempt to Modify Privileges at Same Time? Is Data Consistency Assured? Leasing Concept available with JINI Leasing Concept available with JINI Leasing Allows Services to Expire Can Role-Based Privileges Also Expire?

26 IFIP 2000-26 Future Work Location of Client vs. Affect on Service Location of Client vs. Affect on Service What if Client in on Local Intranet? What if Client is on WAN? Are Privileges Different? Tracking Computation for Identification Purposes Tracking Computation for Identification Purposes Currently Require Name, Role, IP Addr, Port # How is this Tracked when Dynamic IP Addresses are Utilized? Integration of the the Two Prototypes Integration of the the Two Prototypes Combining Both Prototypes into Working System Likely Semester Project during Fall 2000

Download ppt "IFIP 2000-1 Profs. Steven A. Demurjian and T.C. Ting J. Balthazar, H. Ren, and C. Phillips Computer Science & Engineering Department 191 Auditorium Road,"

Similar presentations

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.
Copyright 1987-2009 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and at the ANU and the Uni. of.

Copyright Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and at the ANU and the Uni. of.
Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.

ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.
Gail-Joon Ahn and Ravi Sandhu George Mason University Myong Kang and Joon Park Naval Research Laboratory Injecting RBAC to Secure a Web-based Workflow.

Gail-Joon Ahn and Ravi Sandhu George Mason University Myong Kang and Joon Park Naval Research Laboratory Injecting RBAC to Secure a Web-based Workflow.
Chapter 1: The Database Environment

Chapter 1: The Database Environment
Chapter 27 Software Change.

Chapter 27 Software Change.
Distributed Systems Architectures

Distributed Systems Architectures
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
September 2013 ASTM Officers Training Workshop September 2013 ASTM Officers Training Workshop Membership & Roster Maintenance September 2013 ASTM Officers.

September 2013 ASTM Officers Training Workshop September 2013 ASTM Officers Training Workshop Membership & Roster Maintenance September 2013 ASTM Officers.
Document #07-12G 1 RXQ.11.4.1 Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.

Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
Document #07-12G 1 RXQ.11.4.1 Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.

Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
SDI Business Phases and derived INSPIRE Horizontal Services Relates to INSPIRE DT Network Services, DT Sharing Relates to OGC GeoDRM WG, Price & Order.

SDI Business Phases and derived INSPIRE Horizontal Services Relates to INSPIRE DT Network Services, DT Sharing Relates to OGC GeoDRM WG, Price & Order.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/08/08 v0.2.

What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/08/08 v0.2.
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.

18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Universitá degli Studi di LAquila Mälardalens Högskola, Västerås 10th September 2009 Integrating Wireless Systems into Process Industry and Business Management.

Universitá degli Studi di LAquila Mälardalens Högskola, Västerås 10th September 2009 Integrating Wireless Systems into Process Industry and Business Management.

Similar presentations

Ads by Google