Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trust Management I Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Trust Management I Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy."— Presentation transcript:

1

2 Trust Management I Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy

3 Distributed Access Control Logics [ABLP, PCA, GP, …] Trust Management [PolicyMaker, RT, …] Last 3 lecturesNext 2 lectures

4 Discussion Question What are the points of similarity and difference between access control logics and trust management languages?

5 Readings uBlaze, Feigenbaum, Lacy, “Decentralized Trust Management”, S&P’96 uLi, Mitchell & Winsborough: “Design of a Role-Based Trust Management Framework”, S&P’02

6 What is “Trust Management”? “It is our thesis that a coherent intellectual framework is needed for the study of security policies, security credentials, and trust relationships. We refer collectively to these components of network services as the trust management problem.” - Blaze, Feigenbaum, Lacy, 1996

7 Example An electronic banking system must enable a bank to state that at least k bank officers are needed to approve loans of $1,000,000 or more (a policy); it must enable a bank employee to prove that he can be counted as 1 out of k employees (a credential) it must enable a bank to specify who may issue such a credential (a trust relationship)

8 Principles [BFL96] uUnified mechanism Policies, credentials and trust relationships are expressed as programs in a “safe” programming language uFlexibility Expressive enough to support complex trust relationships uLocality of control Each party can decide whether to accept the credentials of a second party or, alternatively, which third party it should rely on for the appropriate “certificate” uSeparation of mechanism from policy The mechanism for verifying credentials does not depend on the credentials themselves or the semantics of the applications that use them

9 Standard PKI doesn’t work uPGP and X.509 certificates answer the question: Who is the holder of this public key? uTM seeks to answer the more relevant question: Can we trust this public key for this purpose? Need credentials that associate attributes with principals, e.g. Alice is a bank employee Policies can refer to attributes

10 Early TM languages uPolicyMaker Blaze, Feigenbaum & Lacy: “Decentralized Trust Management”, S&P’96. Blaze, Feigenbaum & Strauss: “Compliance-Checking in the PolicyMaker Trust Management System”, FC’98. uKeyNote Blaze, Feigenbaum, Ioannidis & Keromytis: “The KeyNote Trust- Management System, Version 2”, RFC 2714. uSPKI (Simple Public Key Infrastructure) / SDSI (Simple Distributed Security Framework) Rivest & Lampson: SDSI  A Simple Distributed Security Infrastructure, Web-page 1996. Ellison et al.: SPKI Certificate Theory, RFC 2693. Clarke et al.: Certificate Chain Discovery in SPKI/SDSI, JCS’01.

11 Datalog-based TM languages uDelegation Logic Li, Grosof & Feigenbaum: “Delegation Logic: A Logic-based Approach to Distributed Authorization”, TISSEC’03. (Conference versions appeared in CSFW’99 and S&P’00) uSD3 (Secure Dynamically Distributed Datalog) Jim: “SD3: A Trust Management System with Certified Evaluation”, S&P’01. uBinder DeTreville: “Binder, a Logic-Based Security Language”, S&P’02. uRT: A Family of Role-based Trust-management Languages Li, Mitchell & Winsborough: “Design of a Role-Based Trust Management Framework”, S&P’02 FOCUS

12 Concepts uPrincipal Individual or entity, identified by public key uRight Action and Resource uPolicy Statements that associate rights with principals May classify resources, other auxiliary concepts uDelegation Owner A gives a right to B B delegates that right to C

13 Attribute-based Access Control uABAC systems should be able to express the following: 1.Decentralized attributes uAn entity asserts that another entity has an attribute 2.Delegation of attribute authority uAn entity delegates (trusts the judgment of) another entity on an attribute 3.Inference of attributes 4.Attribute fields uAttribute may have field values e.g. age, credit limit 5.Attribute-based delegation of attribute authority uDelegate to entitities that are certified universities the authority to identify students

14 ABAC and TM languages uKeynote, SPKI 1.0, X.509 cannot express 3 & 5 uSDSI 1.0, SPKI/SDSI 2.0 cannot express 4 uRT expresses all 5

15 Features of the RT family uExpressive delegation constructs uPermissions for structured resources uA tractable logical semantics based on (Constraint) Datalog uStrongly-typed credentials and vocabulary agreement uEfficient deduction with large number of distributed policy statements uSecurity analysis

16 An Example of RT 0 1.StateU.stuID  Alice 2.ABU.accredited  StateU 3.EPub.university  ABU.accredited 4.EPub.student  EPub.university.stuID 5.EPub.access  EPub.student Five statements prove Alice is entitled to access

17 Expressive Features (I) I.Simple attribute assignment StateU.stuID  Alice II.Delegation of attribute authority StateU.stuID  COE.stuID III.Attribute inferencing EPub.access  EPub.student IV.Attribute-based delegation of authority EPub.student  EPub.university.stuID Role: set of entities Credentials define role membership

18 Expressive Features (part two) V.Conjunction EPub.access  EPub.student  ACM.member VI.Attributes with fields StateU.stuID (name=.., program=.., …)  Alice EPub.access  StateU.stuID(program=“graduate”) VII.Permissions for structured resources e.g., allow connection to any host in a domain and at any port in a range

19 Languages in the RT Framework RT 0 : Decentralized Roles RT 1 : Parameterized Roles RT T : for Separation of Duties RT D : for Selective Use of Role memberships RT 2 : Logical Objects RT T and RT D can be used (either together or separately) with any of the five base languages: RT 0, RT 1, RT 2, RT 1 C, and RT 2 C RT 1 C : structured resources RT 2 C : structured resources

20 RT 1 = RT 0 + Parameterized Roles uMotivations: to represent attributes that have fields, e.g., digital ids, diplomas relationships between principals, e.g., physicianOf, advisorOf role templates, e.g., project leaders uApproach: a role term R has a role name and a list of fields

21 RT 1 (Examples) uExample 1: Alpha allows manager of an employee to evaluate the employee: Alpha.evaluatorOf(employee=y)  Alpha.managerOf(employee=y) uExample 2: EPub allows CS students to access certain resources: EPub.access(action=‘read’,resource=‘file1’)  EPub.university.stuID(dept=‘CS’)

22 Syntax of RT 1 Credentials uType I: A.r(h1,…,hn)  D uType II: A.r(h1,…,hn)  B.r1(s1,…,sn) uType III: A.r(h1,…,hn)  A.r1(t1,…,tl).r2(s1,…,sm) uType IV: A.R  B1.R1  B2.R2  …  Bk.Rk

23 RT T: Supporting Threshold and Separation-of-Duty uThreshold: require agreement among k different principals drawn from a given list Intersection of roles not sufficient uSoD: requires two or more different persons be responsible for the completion of a sensitive task want to achieve SoD without mutual exclusion, which is non-monotonic uThough related, neither subsumes the other uRT T introduces a primitive that supports both: manifold roles

24 Manifold Roles uWhile a standard role is a set of principals, a manifold role is a set of sets of principals uA set of principals that together occupy a manifold role can collectively exercise privileges of that role  Two operators: , ⊗ K 1.R 1 ⊗ K 2.R 2 contains sets of two distinct principals, one a member of K 1.R 1, the other of K 2.R 2 K 1.R 1  K 2.R 2 does not require them to be distinct

25 Syntax of RT T Credentials uType I-IV as before

26 RT T (Examples) uExample 1: require a manager and an accountant K.approval  K.manager  K.accountant members(K.approval)  {{x,y} | x  K.manager, y  K.accountant} uExample 2: require a manager and a different accountant K.approval  K.manager  K.accountant members(K.approval)  {{x,y} | x  y, x  K.manager, y  K.accountant}

27 RT T (Examples) uExample 3: require three different managers K.approval  K.manager  K.manager  K.manager members(K.approval)  {{x,y,z} | x  y  z  K.manager}

28 RT D: Delegation of Role Activations uDelegation of the capacity to exercise one’s membership in a role uExamples Administrator logs in as ordinary user to read email User delegated certain access rights by his manager when manager is out of town uDifferent concept from delegation of authority to define a role EPub lets CMU define student role

29 New Delegation Credential B1 B2 B1 delegates to B2 the ability to act on behalf of D in D’s capacity as a member of A.R D as A.R

30 Special keyword all B1 B2 B1 delegates all role activations it has to B2 all

31

32

33

34 Discussion Question What are the points of similarity and difference between access control logics and trust management languages? TM languages closer to implementation of distributed authorization systems? Underlying logic of TM languages is simpler (and hence tractable)? TM languages are less expressive than some logics, but is something essential missing from RT? Can RT express policies not expressible in some of the logics

35 Acknowledgement uA number of the RT slides are based on slides from Ninghui Li and John Mitchell

36 Thanks ! Questions?

Download ppt "Trust Management I Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy."

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
Towards Usage Control Models: Beyond Traditional Access Control 7 th SACMAT, June 3, 2002 Jaehong Park and Ravi Sandhu Laboratory for Information Security.

Towards Usage Control Models: Beyond Traditional Access Control 7 th SACMAT, June 3, 2002 Jaehong Park and Ravi Sandhu Laboratory for Information Security.
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
The Relational Model and Relational Algebra Nothing is so practical as a good theory Kurt Lewin, 1945.

The Relational Model and Relational Algebra Nothing is so practical as a good theory Kurt Lewin, 1945.
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.

D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
Access Control A Meta-Model 1Dennis Kafura – CS5204 – Operating Systems.

Access Control A Meta-Model 1Dennis Kafura – CS5204 – Operating Systems.
Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.

Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.
REFEREE: Trust Management for Web Applications Yang-hua Chu (MIT/W3C) Joint Work with Joan Feigenbaum (AT&T Labs) Brian LaMacchia (AT&T Labs) Paul Resnick.

REFEREE: Trust Management for Web Applications Yang-hua Chu (MIT/W3C) Joint Work with Joan Feigenbaum (AT&T Labs) Brian LaMacchia (AT&T Labs) Paul Resnick.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
Trust Management II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Trust Management II Anupam Datta Fall A: Foundations of Security and Privacy.
Ninghui Li (Purdue University) Logic and Logic Programming in Distributed Access Control (Part One) Ninghui Li Department of Computer Science and CERIAS.

Ninghui Li (Purdue University) Logic and Logic Programming in Distributed Access Control (Part One) Ninghui Li Department of Computer Science and CERIAS.
Implementing a Distributed Firewall

Implementing a Distributed Firewall
An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio.

An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio.
Lecture 7 Access Control

Lecture 7 Access Control

Similar presentations

Ads by Google