Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University

Published byChristian Stone Modified over 11 years ago

Similar presentations

Presentation on theme: "SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University"— Presentation transcript:

1 SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University sandhu@gmu.edu www.list.gmu.edu

2 2 © Ravi Sandhu 2000 INTERNET INSECURITY u Internet insecurity spreads at Internet speed l Morris worm of 1987 l Password sniffing attacks in 1994 l IP spoofing attacks in 1995 l Denial of service attacks in 1996 l Email borne viruses 1999 l Distributed denial of service attacks 2000 u Internet insecurity grows at super-Internet speed l security incidents are growing faster than the Internet (which has roughly doubled every year since 1988)

3 3 © Ravi Sandhu 2000 INTERNET INSECURITY u Its only going to get worse

4 4 © Ravi Sandhu 2000 INTERNET SECURITY u There are no clear cut boundaries in modern cyberspace l AOL-Microsoft instant messaging war of 1999 l Hotmail password bypass of 1999 l Ticketmaster deep web links l ebay versus auction aggregators

5 5 © Ravi Sandhu 2000 SECURITY OBJECTIVES INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE-CONTROL purpose

6 6 © Ravi Sandhu 2000 AUTHORIZATION, TRUST AND RISK u Information security is fundamentally about managing l authorization and l trust so as to manage risk

7 7 © Ravi Sandhu 2000 SECURITY DOCTRINE u Prevent u Detect u Correct u Accept

8 8 © Ravi Sandhu 2000 SECURITY DOCTRINE u absolute security is impossible does not mean absolute insecurity is acceptable u security is a journey not a destination

9 9 © Ravi Sandhu 2000 SOLUTIONS u OM-AM u RBAC u PKI u and others

10 10 © Ravi Sandhu 2000 THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance

11 11 © Ravi Sandhu 2000 LAYERS AND LAYERS u Multics rings u Layered abstractions u Waterfall model u Network protocol stacks u OM-AM

12 12 © Ravi Sandhu 2000 OM-AM AND MANDATORY ACCESS CONTROL (MAC) What? How? No information leakage Lattices (Bell-LaPadula) Security kernel Security labels AssuranceAssurance

13 13 © Ravi Sandhu 2000 OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) What? How? Owner-based discretion numerous ACLs, Capabilities, etc AssuranceAssurance

14 14 © Ravi Sandhu 2000 OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? How? Policy neutral RBAC96 user-pull, server-pull, etc. certificates, tickets, PACs, etc. AssuranceAssurance

15 15 © Ravi Sandhu 2000 ROLE-BASED ACCESS CONTROL (RBAC) u A users permissions are determined by the users roles l rather than identity or clearance l roles can encode arbitrary attributes u multi-faceted u ranges from very simple to very sophisticated

16 16 © Ravi Sandhu 2000 RBAC SECURITY PRINCIPLES u least privilege u separation of duties u separation of administration and access u abstract operations

17 17 © Ravi Sandhu 2000 RBAC96 IEEE Computer Feb. 1996 u Policy neutral u can be configured to do MAC l roles simulate clearances (ESORICS 96) u can be configured to do DAC l roles simulate identity (RBAC98)

18 18 © Ravi Sandhu 2000 RBAC96 FAMILY OF MODELS RBAC0 BASIC RBAC RBAC3 ROLE HIERARCHIES + CONSTRAINTS RBAC1 ROLE HIERARCHIES RBAC2 CONSTRAINTS

19 19 © Ravi Sandhu 2000 RBAC0 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS

20 20 © Ravi Sandhu 2000 RBAC1 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES

21 21 © Ravi Sandhu 2000 HIERARCHICAL ROLES Health-Care Provider Physician Primary-Care Physician Specialist Physician

22 22 © Ravi Sandhu 2000 HIERARCHICAL ROLES Engineer Hardware Engineer Software Engineer Supervising Engineer

23 23 © Ravi Sandhu 2000 PRIVATE ROLES Engineer Hardware Engineer Software Engineer Supervising Engineer Hardware Engineer Software Engineer

24 24 © Ravi Sandhu 2000 EXAMPLE ROLE HIERARCHY Employee (E) Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

25 25 © Ravi Sandhu 2000 EXAMPLE ROLE HIERARCHY Employee (E) Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

26 26 © Ravi Sandhu 2000 EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

27 27 © Ravi Sandhu 2000 EXAMPLE ROLE HIERARCHY Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) PROJECT 2PROJECT 1

28 28 © Ravi Sandhu 2000 RBAC3 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS

29 29 © Ravi Sandhu 2000 CONSTRAINTS u Mutually Exclusive Roles l Static: The same individual can never hold both roles l Dynamic: The same individual can never activate both roles in the same context u Mutually Exclusive Permissions u Cardinality Constraints on User-Role Assignment u Cardinality Constraints on Permissions-Role Assignment

30 30 © Ravi Sandhu 2000 OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? How? Policy neutral RBAC96 user-pull, server-pull, etc. certificates, tickets, PACs, etc. AssuranceAssurance

31 31 © Ravi Sandhu 2000 CLIENT-SERVER SERVER-PULL ARCHITECTURE ClientServer Authorization Server Authentication Server

32 32 © Ravi Sandhu 2000 CLIENT-SERVER USER-PULL ARCHITECTURE ClientServer Authorization Server Authentication Server

33 33 © Ravi Sandhu 2000 CLIENT-SERVER PROXY OR THREE-TIER ClientServer Authorization Server Authentication Server

34 34 © Ravi Sandhu 2000 OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? How? Policy neutral RBAC96 user-pull, server-pull, etc. certificates, tickets, PACs, etc. AssuranceAssurance

35 35 © Ravi Sandhu 2000 Related Mechanisms u Cookies l in widespread current use for maintaining state of HTTP l becoming a standard l not secure u Public-Key Certificates (X.509) l support security on the Web based on PKI l standard l simply, bind users to keys l have the ability to be extended

36 36 © Ravi Sandhu 2000 Cookies

37 37 © Ravi Sandhu 2000 Security Threats to Cookies u Cookies are not secure l No authentication l No integrity l No confidentiality u can be easily attacked by l Network Security Threats l End-System Threats l Cookie Harvesting Threats

38 38 © Ravi Sandhu 2000 How to Use Secure Cookies

39 39 © Ravi Sandhu 2000 Secure Cookies on the Web

40 40 © Ravi Sandhu 2000 Applications of Secure Cookies u User Authentication u Electronic Transaction u Pay-Per-Access u Attribute-based Access Control

41 41 © Ravi Sandhu 2000 X.509 Certificate u Digitally signed by a certificate authority l to confirm the information in the certificate belongs to the holder of the corresponding private key u Contents l version, serial number, subject, validity period, issuer, optional fields (v2) l subjects public key and algorithm info. l extension fields (v3) l digital signature of CA u Binding users to keys u Certificate Revocation List (CRL)

42 42 © Ravi Sandhu 2000 X.509 Certificate

43 43 © Ravi Sandhu 2000 Smart Certificates u Short-Lived Lifetime l More secure n typical validity period for X.509 is months (years) n the longer-lived certificates have a higher probability of being attacked –users may leave copies of the corresponding keys behind l No Certificate Revocation List (CRL) n supports simple and less expensive PKI

44 44 © Ravi Sandhu 2000 Smart Certificates u Containing Attributes Securely l Web servers can use secure attributes for their purposes l Each authority has independent control on the corresponding information n basic certificate (containing identity information) n each attribute can be added, changed, revoked, or re-issued by the appropriate authority –e.g., role, credit card number, clearance, etc.

45 45 © Ravi Sandhu 2000 Applications of Smart Certificates u Very similar to applications of secure cookies

46 46 © Ravi Sandhu 2000 THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance

47 47 © Ravi Sandhu 2000 INTERNET INSECURITY u Its only going to get worse u But security is a fun and profitable business and will get more so

Download ppt "SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University"

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Variations of the Turing Machine

Variations of the Turing Machine
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Cyber-Identity, Authority and Trust in an Uncertain World

Cyber-Identity, Authority and Trust in an Uncertain World
Cyber-Identity, Authority and Trust in an Uncertain World

Cyber-Identity, Authority and Trust in an Uncertain World
Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu.

Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University
© 2004-5 Ravi Sandhu www.list.gmu.edu Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology.

© Ravi Sandhu Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology.
© 2004 Ravi Sandhu www.list.gmu.edu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.

© 2004 Ravi Sandhu Role-Based Access Control Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.

Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.
ARBAC99 (Model for Administration of Roles)

ARBAC99 (Model for Administration of Roles)
Ravi Sandhu Venkata Bhamidipati

Ravi Sandhu Venkata Bhamidipati
© 2006 Ravi Sandhu www.list.gmu.edu Secure Information Sharing Enabled by Trusted Computing and PEI * Models Ravi Sandhu (George Mason University and TriCipher)

© 2006 Ravi Sandhu Secure Information Sharing Enabled by Trusted Computing and PEI * Models Ravi Sandhu (George Mason University and TriCipher)
ARBAC 97 (ADMINISTRATIVE RBAC)

ARBAC 97 (ADMINISTRATIVE RBAC)
Role Activation Hierarchies Ravi Sandhu George Mason University.

Role Activation Hierarchies Ravi Sandhu George Mason University.
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.

Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.

Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Similar presentations

Ads by Google