Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Credential-Based Approach for Facilitating Automatic, Secure Resource Sharing Among Ad-hoc Dynamic Coalitions Janice Warner and Vijayalakshmi Atluri.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Credential-Based Approach for Facilitating Automatic, Secure Resource Sharing Among Ad-hoc Dynamic Coalitions Janice Warner and Vijayalakshmi Atluri."— Presentation transcript:

1 A Credential-Based Approach for Facilitating Automatic, Secure Resource Sharing Among Ad-hoc Dynamic Coalitions Janice Warner and Vijayalakshmi Atluri Rutgers University Ravi Mukkamala Old Dominion University August 2005

2 IFIP05-Warner, Atluri and Mukkamala 2 Coalition Resource Sharing Dynamic and Ad-hoc – members may leave and new members may join Examples: Natural Disaster: government agencies, non-government organizations and private organizations may share data about victims, supplies and logistics. Homeland Security: Information collected by various governmental agencies shared for comprehensive data mining Virtual Enterprises: Collaboration between companies

3 August 2005IFIP05-Warner, Atluri and Mukkamala 3 Current Approaches to Resource Sharing Form teams (workgroups) comprising of users from all coalition entities Problems: not viable and scalable - may result in delays User ids given to each external member of the coalition and access control is provisioned on these ids. Problem: administratively burdensome; requires explicit revocation upon coalition or user termination Single access id provided to each external coalition entity Problem: Fine-grained access control is not possible Resources are copied to external coalition member Problem: Updates are difficult and may result in uncontrolled sharing

4 August 2005IFIP05-Warner, Atluri and Mukkamala 4 Outline Motivation What is needed CBAC Model DCBAC Model Conclusions and Future Work

5 August 2005IFIP05-Warner, Atluri and Mukkamala 5 Resource Sharing among Coalitions Typically, the policies for sharing are stated at the coalition level Example – The Red Cross and Doctors without Borders will work together to investigate the spread of infectious diseases in the wake of a natural disaster. Enforcing coalition-level security policies requires transforming them to implementation level Example - Dr. Roberts of Doctors without Borders can access reports on the spread of infectious diseases in Turkey.

6 August 2005IFIP05-Warner, Atluri and Mukkamala 6 Our Preliminary Solution (presented at ICDCIT04) A formal model comprising of three levels (user-object, role, coalition levels) Enables handshaking of relevant information by appropriate levels of the agencies Allows distributed access control – control remains in the hands of the resource owner

7 August 2005IFIP05-Warner, Atluri and Mukkamala 7  role segment  user-object request  Layered CBAC Model User-Object Level Role Level Coalition Level  user-object request   role segment  user-object request  Entity A Drs-w/o-Borders Entity B Red Cross User-Object Level Role Level Coalition Level  user-object request   coalition segment  role segment  user-object request  =  roberts, concept: disease, type: data  =  doctor (location: Turkey, specialty: immunology)  concept: disease, type: data  =  555444555, DB99, RC11,  doctor (location: Turkey, specialty: immunology)  concept: disease, type: data  =  doctor (location: Turkey, specialty: immunology)  concept: disease, type: data  =  RID799, RID223 

8 August 2005IFIP05-Warner, Atluri and Mukkamala 8 Limitations of CBAC Model Coalitions need to have high level agreements in place before there is a flow of information: Coalition entities know what is available and how to find it. Coalition entity ids are pre-assigned. Credentials requirements are union of all associated with role that has access to requested object.

9 August 2005IFIP05-Warner, Atluri and Mukkamala 9 Dynamic Coalition-Based Access Control Model (DCBAC) Dynamic because: Employs a Coalition Service Registry (CSR) where shared resources and coalition level policies are publicized Agreements do not need to established between coalition partners beforehand Computes credentials needed by external user from local access control policies through Mapper layer. Coalition access control policy determined through transformation of local access control policy

10 August 2005IFIP05-Warner, Atluri and Mukkamala 10 Principals of DCBAC Existing access control mechanisms within each coalition entity remain intact. Access rights are granted to subjects only if they belong to an organization recognized by the coalition. Subjects of a coalition entity must have credentials with attribute values comparable to those of local subjects.

11 August 2005IFIP05-Warner, Atluri and Mukkamala 11 Network (e.g., Internet) DCBAC Architecture Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level Local Services (shared and private) Local Services (shared and private) Coalition Service Registry (CSR) Coalition Access Point (CAP)

12 August 2005IFIP05-Warner, Atluri and Mukkamala 12 Example Emergency Management Scenario International Red Cross makes available its Emergency Response IS subject to: Organization Level Policy: Must be member of a non-profit, certified, relief organization. Individual Policy: Access is restricted to information concerning the emergency site in which they are currently working. Policy Based on LAC Mapping: Credentials must be comparable with those of internal users.

13 August 2005IFIP05-Warner, Atluri and Mukkamala 13 Coalition Service Registry Similar to UDDI Web Service Registry Advertises resources that coalition entities make available Describes interface to resources Describes credentials needed to access resources Verifies organizational-level credentials Issues a “ticket” which can be submitted by individuals in authenticated organization with request to access a specific resource. Coalition Service Registry (CSR)

14 August 2005IFIP05-Warner, Atluri and Mukkamala 14 CSR is a UDDI-like Registry Coalition Service Registry (CSR) businessEntity businessService bindingTemplate UDDI:name UDDI:discovery URL UDDI:contacts UDDI:description UDDI:name UDDI:category bag UDDI:description UDDI:accessPoint UDDI:category bag UDDI:description UDDI:tModelInstanceDetails

15 August 2005IFIP05-Warner, Atluri and Mukkamala 15 CSR is a UDDI-like Registry Coalition Service Registry (CSR) businessEntity businessService bindingTemplate UDDI:name UDDI:discovery URL UDDI:contacts UDDI:description UDDI:name UDDI:category bag UDDI:description UDDI:accessPoint UDDI:category bag UDDI:description UDDI:tModelInstanceDetails Resources listed in the CSR are searchable based on resource identifiers, name, keywords or category.

16 August 2005IFIP05-Warner, Atluri and Mukkamala 16 CSR is a UDDI-like Registry Coalition Service Registry (CSR) businessEntity businessService bindingTemplate UDDI:name UDDI:discovery URL UDDI:contacts UDDI:description UDDI:name UDDI:category bag UDDI:description UDDI:accessPoint UDDI:category bag UDDI:description UDDI:tModelInstanceDetails Provides network address of Coalition Access Point from which resource can be requested. Provides credential info and other access requirements

17 August 2005IFIP05-Warner, Atluri and Mukkamala 17 Network (e.g., Internet) Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level Coalition Service Registry (CSR) Example – Resource request is made 〈 744, roberts, concept: disease type: data 〉 〈 744, (degree:MD, gender:M, location:Turkey, specialty: infectious disease), concept: disease type: data 〉 〈 744, (location:Turkey, specialty: infectious disease), Red_Cross_RID_730 〉

18 August 2005IFIP05-Warner, Atluri and Mukkamala 18 Network (e.g., Internet) Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level Coalition Service Registry (CSR) Example – Obtain organizational assertion Doctors-Without-Borders CAP consults the CSR: to find the resource(s) (if it has not been located before) to obtain a valid organizational assertion (if it does not currently have one)

19 August 2005IFIP05-Warner, Atluri and Mukkamala 19 Tickets are SAML assertions Assertions are declarations of facts: Issuer ID and issuance timestamp Assertion ID Subject “Conditions” under which assertion is valid (e.g., validity period) CSR declares that organizational credentials were submitted and validated. Assertions can be digitally signed (and should be) Coalition Service Registry (CSR)

20 August 2005IFIP05-Warner, Atluri and Mukkamala 20 Example – Request send to provider’s CAP Network (e.g., Internet) Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level Local Services (shared and private) 〈 744, Doctors Without Borders, Red Cross, SAML Assertion, Red_Cross_RID_730, (location:Turkey, specialty: infectious disease) 〉

21 August 2005IFIP05-Warner, Atluri and Mukkamala 21 Example – Provider evaluates request Network (e.g., Internet) Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level Local Services (shared and private) 〈 744, Red_Cross_RID_730, (location:Turkey, specialty: infectious disease) 〉 Validates organizational credentials 〈 744, Red_Cross_RID_730 〉

22 August 2005IFIP05-Warner, Atluri and Mukkamala 22 Conclusions DCBAC automates translation of coalition level policies into subject-resource level. Depends upon credentials – both organizational level and user. Maps roles to credentials commonly held by members of the role. Uses a Coalition Service Registry so that ad-hoc coalitions can be formed simply by discovering resources that are needed. Can be built using currently available standard protocols – XACML, UDDI and SAML.

23 August 2005IFIP05-Warner, Atluri and Mukkamala 23 Ongoing Work Mapper – Details on mapping local policies to credentials submitted to ICISS 2005 Graph-based approach Strategies for inclusion of similar credentials Data mining of logs, local policies, and other security related data to obtain: Groupings of users with similar data requirements and attributes Groupings of resources Resolving semantic heterogeneity between policies and credential attributes.

24 August 2005IFIP05-Warner, Atluri and Mukkamala 24 DCBAC – Coalition Level Interacts with the coalition level at other coalition entities through the Coalition Access Point (CAP). Incoming: Processes requests by validating CSR ticket. Outgoing: Obtains ticket, appends to user request and forwards it to appropriate CAP. Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level

25 August 2005IFIP05-Warner, Atluri and Mukkamala 25 DCBAC – Credential Filter Incoming Requests: Determines whether user credentials sent with request are adequate. Optionally, can downgrade or upgrade the credentials of users from specific entities. Outgoing Requests: Filters user credentials such that only those necessary to obtain access are sent. Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level

26 August 2005IFIP05-Warner, Atluri and Mukkamala 26 DCBAC - Mapper Assumes RBAC local access control although this is not essential. Incoming – Compares user credentials to internal roles that have rights to requested resource. Outgoing – Determines role played by requester and retrieves credentials common to users playing that role. Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level

27 August 2005IFIP05-Warner, Atluri and Mukkamala 27 DCBAC – LAC Enforces control on local services for both local and non-local requests. Local requests are received through the local user interface. External requests are received through the mapper. Local User Interface Local Access Control (LAC) Credential to LAC Mapper Credential Filter Coalition Level

Download ppt "A Credential-Based Approach for Facilitating Automatic, Secure Resource Sharing Among Ad-hoc Dynamic Coalitions Janice Warner and Vijayalakshmi Atluri."

Similar presentations

0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Research Issues in Web Services CS 4244 Lecture Zaki Malik Department of Computer Science Virginia Tech

Research Issues in Web Services CS 4244 Lecture Zaki Malik Department of Computer Science Virginia Tech
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
A Unified Approach to Combat Counterfeiting: Use of the Digital Object Architecture and ITU-T Recommendation X.1255 Robert E. Kahn President & CEO CNRI,

A Unified Approach to Combat Counterfeiting: Use of the Digital Object Architecture and ITU-T Recommendation X.1255 Robert E. Kahn President & CEO CNRI,
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
1 Using Certified Policies to Regulate E-Commerce Transactions Victoria Ungureanu Rutgers University.

1 Using Certified Policies to Regulate E-Commerce Transactions Victoria Ungureanu Rutgers University.

Similar presentations

Ads by Google