Presentation is loading. Please wait.

Presentation is loading. Please wait.

D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS-0910653.

Published byHilda O’Connor’ Modified over 9 years ago

Similar presentations

Presentation on theme: "D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS-0910653."— Presentation transcript:

1 D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS-0910653

2

3 Authorization with ABAC Client EServer A Request Command C on Object O authorization policiesattributes + capabilities Query A.C O  E? ABAC inference engine query context GEC-11 Auth Session

4 ABAC in Context trust anchors Client E context store operator Server A Request Command C on Object O Context transfer credential set user delegation authorization policiesattributes + capabilities Query A.C O  E? ABAC inference engine credential set for C A’s policies for O context store query context GEC-11 Auth Session

5 ABAC in ORCA Integration complete; policies checked out. Credential management: still “rough edges” Not yet in production. Client EServer A Request Command C on Object O Query A.C O  E? ABAC inference engine credential set for C A’s policies for O context store query context Direct-injected contexts from unspecified credential sources

6

7 ABAC in GENI ABAC is a powerful declarative representation that can capture the GENI authorization/trust model. It saves a lot of code, provides a rigorous foundation, and preserves flexibility for future innovation. It should be easy for users, although we need some better tools there. (E.g., to delegate rights.) Libabac “works off the shelf”. In progress: policies for safe operational deployment.

8 ABAC policies The basic mechanisms are in place: – Simple user certs issued by identity portal – Slice capabilities with delegation – Groups (projects) with flexible membership – Delegation of capabilities to groups – Trust structure: AM endorsements, etc. Some details to resolve: – Specific user/group attributes – Their use in resource allocation policy – Slice credentials in ABAC Open question: CH role

9 All is not sweetness and light But it’s based on signed credentials (certs). – And on X.509…. That presents challenges for which there is no perfect solution. And so there is: – Fear – Uncertainty – Doubt Image used without permission or right from 'Stories of the Gods and Heroes' by Sally Benson, 1940, Dial Press. Reprinted in Colliers Junior Classics, 'Legends of Long Ago', 1962.

10 Credential management Each principal possesses many certs. – Which ones are relevant to a given request? Where are they? Some of those certs are delegated. – Server needs even more certs to validate delegation chain. – Those certs belong to someone else. Server gets them…how? Credentials expire. – How to automate renewal? People change…and people lose their keys. – Revocation: how to do it fast and make it stick? – How to rebuild credentials with new keys? – How to keep the system safe in the real world?

11

12 Summary: what’s on the table 1.Policies for safe operational deployment 2.“Clearinghouse” (CH) role – Synchronous intermediary? – Credentialing authority? – How much does it know about: Users and groups? Powers of users and groups? 3.Credential management – Revocation, renewal, key rotation – Principal names vs. public keys Clearinghouse

13 A1. Every action that allocates a resource is taken with the public key of a registered GENI experimenter (E). Some GENI-authorized identity provider (I) knows the binding to an actual human (H) who can be punished. Given E, G*OC can determine H. Or at least GOC can determine I, which can determine H. A2. Every action that allocates or uses a resource is taken in the context of a slice (S). Given S, GOC can determine a human project leader who is accountable for S. A3. Every conforming AM logs all resource-related actions together with the public key E that took the action, and the slice S that was the context for the action. These logs are available to GOC. A4. Each GENI service publishes to the GOC all credentials that have been used by any E to take any action within GENI. From these credentials GOC can determine how and why E was authorized to take the action. A5. Various monitoring facilities record interesting events at various levels, and associate them with a slice S. These records are available to GOC.

14 A1. Experimenter accountability Every action that allocates a resource is taken with the public key of a registered GENI experimenter (E). Some GENI-authorized identity provider (I) knows the binding to an actual human (H). Given E, G*OC can determine H. Or at least GOC can determine I, which can determine H. GOC.registeredPrincipal E  H

15 A2. Group accountability Every action that allocates or uses a resource is taken in the context of a slice (S). Given S, GOC can determine a human project leader L who is accountable for S. GOC.PI(G) S  G

16 A3. GOC learns E and S Every conforming AM logs all resource- related actions together with the public key E that took the action, and the slice S that was the context for the action. These logs are available to GOC.

17 CH: Auditing and Accountability AM  Asynchronous event feeds  Signed and timestamped  Delay < 1 minute (?)  Report all resource actions  Is this enough? Event reports Policy compliance and early warning Policing and enforcement

18 A4. GOC learns all delegations Each GENI service publishes to the GOC all credentials that have been used by any E to take any action within GENI. From these credentials GOC can determine how and why E was authorized to take the action.

19 CH: Credentialing AM Identity Portal Actor Registry Slice Authority  Endorse AMs, SAs, IdPs  Issue user credentials  Groups (“projects)  Execute agreements etc.  Is this enough? credentials login Slice request

20 Summary and a look ahead Signed security assertions enable decentralization – Essential CH functions distill down to credentialing. Problem: we need Big Brother, at least for now. – Solution: event logs and registeredPrincipal – But Big Brother needs the certs to identify other accountable parties. – And Big Brother is nervous about PKI… Proposal: public always-on credential store – Cert query  context – Short-term caching, configurable TTL – Refresh for renewal – “Poisoning” for revocation

21

22 Clearinghouse (CH): Position summary GPO requires strong central control over GENI in the near term. Even so, the architecture should enable a transition to decentralized deployments in the future. Consider CH functions separately. Focus on safety. Resource management is wide open  see ORCA. Other essential functions are “easy” given a strong core for identity and trust (off-the-shelf). Operational concerns for credential management (e.g., revoke/renew) are the crucial focus.

23 Sponsored by the National Science Foundation 23 “Clearinghouse” has always been a shorthand for “that which manages federation”. Standard issue BBN napkin Chip Elliott @ GEC4

24 Clearinghouse Functions A. Auditing and accountability GOC receives event logs (audit trails) distributed by pub/sub. Avoid central authorization services where we can. B. Brokering requests and allocations Resource quotas/caps, sharing policies: rarely discussed in GENI. ORCA uses ticket-granting brokers. Central authorization services are useful here! C. Credentialing users and services Federated identity (e.g., Shib) + ABAC credentials D. Discovery/Directory of resources/services Dissemination: non-essential, cannot subvert system  replaceable and “easy” to build scalable implementations

Download ppt "D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS-0910653."

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
W3C Workshop on Web Services Mark Nottingham

W3C Workshop on Web Services Mark Nottingham
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.

D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.

Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.
Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.

Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.
D u k e S y s t e m s Authorization Framework: Status Jeff Chase Duke University.

D u k e S y s t e m s Authorization Framework: Status Jeff Chase Duke University.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Information Sciences Institute Internet and Networked Systems Managing Security Policies for Federated Cyberinfrastructure Stephen Schwab, John Wroclawski.

Information Sciences Institute Internet and Networked Systems Managing Security Policies for Federated Cyberinfrastructure Stephen Schwab, John Wroclawski.
Securing the Broker Pattern Patrick Morrison 12/08/2005.

Securing the Broker Pattern Patrick Morrison 12/08/2005.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.

6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
DB-19: OpenEdge® Authentication Without the _User Table

DB-19: OpenEdge® Authentication Without the _User Table
D u k e S y s t e m s Building the GENI Federation with ABAC: Going Deeper Jeff Chase Duke University Thanks: NSF TC CNS-0910653.

D u k e S y s t e m s Building the GENI Federation with ABAC: Going Deeper Jeff Chase Duke University Thanks: NSF TC CNS
OnTimeMeasure Integration with Gush Prasad Calyam, Ph.D. (PI) Tony Zhu (Software Programmer) Alex Berryman (REU Student) GEC10 Selected.

OnTimeMeasure Integration with Gush Prasad Calyam, Ph.D. (PI) Tony Zhu (Software Programmer) Alex Berryman (REU Student) GEC10 Selected.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Digital Object Architecture

Digital Object Architecture

Similar presentations

Ads by Google