Presentation is loading. Please wait.

Presentation is loading. Please wait.

Illinois Security Lab Using Attribute-Based Access Control to Enable Attribute- Based Messaging Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Illinois Security Lab Using Attribute-Based Access Control to Enable Attribute- Based Messaging Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter."— Presentation transcript:

1 Illinois Security Lab Using Attribute-Based Access Control to Enable Attribute- Based Messaging Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter and Himanshu Khurana University of Illinois at Urbana-Champaign

2 Illinois Security Lab ACSAC 2006 Introduction to ABM Attribute-Based Messaging (ABM): Targeting messages based on attributes. To: faculty going on sabbatical

3 Illinois Security Lab ACSAC 2006 Introduction to ABM Examples Address all faculty going on sabbatical next term Notify all female CS graduate students who passed qualifying exams of a scholarship opportunity Attribute-Based Messaging (ABM): Targeting messages based on attributes.

4 Illinois Security Lab ACSAC 2006 Why ABM? Attribute-based systems have desirable properties –flexibility, privacy and intuitiveness Attribute-Based Messaging (ABM) brings these advantages to e-mail messaging –enhances confidentiality by supporting targeted messaging via dynamic and transient groups –enhances relevance of messages by reducing unwanted messages

5 Illinois Security Lab ACSAC 2006 Challenges Access Control –access to such a system should be carefully controlled potential for spam privacy of attributes Deployability –system should be compatible with existing infrastructure Efficiency –system should have comparable performance to regular e-mail

6 Illinois Security Lab ACSAC 2006 Enterprise Architecture Ensuing Issues ABM Address Format, Client I/F Access Control - policy specification and enforcement Attribute Database creation and maintenance To: Managers Attr. DB Policy Decision E-mail MTA ABM Server

7 Illinois Security Lab ACSAC 2006 Enterprise Architecture cont. Attribute database –all enterprises have attribute data about their users –data spread over multiple, possibly disparate databases –assume that this attribute data is available to ABM system “information fabric”, “data services layer” ABM address format −logical expressions of attribute value pairs −disjunctive normal form

8 Illinois Security Lab ACSAC 2006 Access Control Access Control Lists (ACLs) –difficult to manage

9 Illinois Security Lab ACSAC 2006 Access Control ×Access Control Lists (ACLs) ×difficult to manage Role-Based Access Control (RBAC) –simplified management if roles already exist

10 Illinois Security Lab ACSAC 2006 Access Control ×Access Control Lists (ACLs) ×difficult to manage ×Role-Based Access Control (RBAC) ×simplified management if roles already exist Attribute-Based Access Control (ABAC) −uses same attributes used to target messages −more flexible policies than with RBAC Access policy −XACML is used to specify access policies −Sun’s XACML engine is used for policy decision

11 Illinois Security Lab ACSAC 2006 Access Control cont. Problem –need policy per logical expression –policy explosion Solution? –one policy per

12 Illinois Security Lab ACSAC 2006 Deployability Use existing e-mail infrastructure (SMTP) –address ABM messages to the ABM server (MUA) and add ABM address as a MIME attachment No modification to client –use a web server to aid the sender in composing the ABM address via a thin client (web browser) E-mail like semantics –policy specialization

13 Illinois Security Lab ACSAC 2006 PDP Sun’s XACML Engine Sender Attribute DB MS SQL Server Policy xml ABM Server Web Server Windows IIS MTA PS1 PS8 PS2 AR2 AR1 AR3 PS7 AR4 MS1 MS2 Putting It All Together Legend PS: Policy Specialization MS: Messaging AR: Address Resolution

14 Illinois Security Lab ACSAC 2006 Security Analysis Problem –open to replay attacks Solution –MTA configured with SMTP authentication with additional message specific checks

15 Illinois Security Lab ACSAC 2006 Experimental Setup Measured –latency over regular e-mail with and without access control –latency of Policy Specialization Setup –up to 60K users –100 attributes in the system 20% of attributes common to most users 80% of attributes sparsely distributed

16 Illinois Security Lab ACSAC 2006 Results

17 Illinois Security Lab ACSAC 2006 Results Continued… Policy Specialization Latency

18 Illinois Security Lab ACSAC 2006 Other Considerations Policy Administration –one policy per not per address –further be reduced to one policy per attribute Privacy –of sender and receivers –of ABM address Usability –user interfaces

19 Illinois Security Lab ACSAC 2006 Related Work Technologies –List Servers –Customer Relationship Management (CRM) Secure role-based messaging WSEmail

20 Illinois Security Lab ACSAC 2006 Future Work Inter-domain ABM –e.g., address doctors in the tri-state area who have expertise in a specific kind of surgical procedure –challenge – “attribute mapping” –application in ‘emergency communications’ Encrypted ABM

21 Illinois Security Lab ACSAC 2006

Download ppt "Illinois Security Lab Using Attribute-Based Access Control to Enable Attribute- Based Messaging Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter."

Similar presentations

0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.

DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.
Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 

Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
Security Policy Implementation Strategies for Common Carrier Monitoring Service Providers Short Position Paper for IEEE POLICY 2009 Carl A. Gunter University.

Security Policy Implementation Strategies for Common Carrier Monitoring Service Providers Short Position Paper for IEEE POLICY 2009 Carl A. Gunter University.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Chapter 12 USING TECHNOLOGY TO ENHANCE BUSINESS PROCESSES.

Chapter 12 USING TECHNOLOGY TO ENHANCE BUSINESS PROCESSES.
Remote mailbox access gateway Software lab project.

Remote mailbox access gateway Software lab project.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.

Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.
1 No More Paper, No More Stamps: Targeted myWSU Communications Jack Alilunas, Lavon Frazier October 20, 2004.

1 No More Paper, No More Stamps: Targeted myWSU Communications Jack Alilunas, Lavon Frazier October 20, 2004.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.

Exchange 2010 Overview Name Title Group. What You Tell Us Communication overload Globally distributed customers and partners High cost of communications.
Dynamics AX Technical Overview Application Architecture Dynamics AX Technical Overview.

Dynamics AX Technical Overview Application Architecture Dynamics AX Technical Overview.
1 No More Paper, No More Stamps: Targeted myWSU Communications Lavon R. Frazier April 27, 2005 Copyright Lavon R. Frazier, 2005. This work is the intellectual.

1 No More Paper, No More Stamps: Targeted myWSU Communications Lavon R. Frazier April 27, 2005 Copyright Lavon R. Frazier, This work is the intellectual.
Final Year Project Presentation E-PM: A N O NLINE P ROJECT M ANAGER By: Pankaj Goel.

Final Year Project Presentation E-PM: A N O NLINE P ROJECT M ANAGER By: Pankaj Goel.
JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.

JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Similar presentations

Ads by Google