Dynamically Authorized Role-Based Access Control for Secure Distributed Computation



Similar documents
Session Abstract by Edward A. Feustel Institute for Defense Analyses

Common Secure Interoperability Version 2 CSI v2

CS 356 Lecture 28 Internet Authentication. Spring 2013

Public Key Infrastructure

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

CSC/ECE 574 Computer and Network Security. What Is PKI. Certification Authorities (CA)

Physical/Logical Access Interoperability Working Group

How To Understand And Understand The Security Of A Key Infrastructure

TELSTRA RSS CA Subscriber Agreement (SA)

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

Canadian Access Federation: Trust Assertion Document (TAD)

Lizenzbestimmungen für Windows Server 2003

Single Sign On In A CORBA-Based

Introduction to Computer Security

SIXTH WORKSHOP ON DISTRIBUTED OBJECTS and COMPONENTS SECURITY. March 18-21, Workshop Program

How to Secure a Groove Manager Web Site

Axway API Gateway. Version 7.4.1

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Network Security. Mobin Javed. October 5, 2011

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Attribute. Server. Client (Browser)

Lecture 10 - Authentication

10/6/2015 PKI. What Is PKI. Certificates. Certification Authorities (CA) PKI Models. Certificates

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

WebLogic Server 7.0 Single Sign-On: An Overview

Lecture VII : Public Key Infrastructure (PKI)

The Cassandra System: Distributed Access Control Policies with Tunable Expressiveness : SPECIAL TOPICS IN MEDICAL

An Oracle White Paper Dec Oracle Access Management Security Token Service

Copyright 2013 wolfssl Inc. All rights reserved. 2

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Configuring Notification for Business Glossary

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Configuring Role-Based Access Control

PUBLIC-KEY CERTIFICATES

Identity in the Cloud Use Cases Version 1.0

XACML Profile for Role Based Access Control (RBAC)

Full Compliance Contents

Canadian Access Federation: Trust Assertion Document (TAD)

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server

CERTIFICATION POLICY OF KIR for TRUSTED NON-QUALIFIED CERTIFICATES

MEN'S FASHION UK Items are ranked in order of popularity.

Access Control patient centric selective sharing Emergency Access Information Exchange

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

SGFS: Secure, Flexible, and Policy-based Global File Sharing

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Conclusion and Future Directions

Table of Contents. KITC use-case 11 June 2010 Copyright MIT-KC All Rights Reserved. Page 4 of 14

Module 2: Deploying and Managing Active Directory Certificate Services

CHAPTER - 3 WEB APPLICATION AND SECURITY

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

Two patterns for web services security

Web Services Security Standards Forum. Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.

Security Digital Certificate Manager

Lecture 10 - Authentication

Security Digital Certificate Manager

Course: Fundamentals of Microsoft Server 2008 Active Directory

Chapter 8 A secure virtual web database environment

IONA Security Platform

OpenHRE Security Architecture. (DRAFT v0.5)

DIMACS Security & Cryptography Crash Course, Day 2 Public Key Infrastructure (PKI)

Grid Delegation Protocol

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Managing SSL Security

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

SSSD DNS Improvements in AD Environment

Web Services Security with SOAP Security Proxies

The IVE also supports using the following additional features with CA certificates:

Administering the Web Server (IIS) Role of Windows Server

REQUEST FOR INFORMATION. Identity and Access Management Administration Software RFI

TIBCO Spotfire Platform IT Brief

MICROSOFT SOFTWARE LICENSE TERMS MICROSOFT WINDOWS SERVER 2003 R2 STANDARD EDITION, ENTERPRISE EDITION, STANDARD x64 EDITION, ENTERPRISE x64 EDITION

VMware Identity Manager Integration with Active Directory Federation Services 2.0

Grid Security : Authentication and Authorization

Group Management Server User Guide

Administering Microsoft Exchange Server ; 5 Days, Instructor-led

Medical Claims Electronic Data Transfer DataLink Questions and Answers

Authentication Applications

Our Commitment to Your Security and Privacy

ACE Management Server Deployment Guide VMware ACE 2.0

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

WaveWare Technologies, Inc. We Deliver Information at the Speed of Light

Microsoft Solutions for Security and Compliance Microsoft Identity and Access Management Series

The Role of Federation in Identity Management

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

ADMINISTERING MICROSOFT EXCHANGE SERVER 2016

About Contract Management

Cisco Prime Cable Provisioning 5.0

XACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management

Communications Management. 3ICT12 (with thanks to Prof. George Pavlou, University of Surrey)

Administration Challenges

UCS. Amazing tools suite in CORBA world

Introduction to SAML

Midterm Solutions. ECT 582, Prof. Robin Burke Winter 2004 Take home: due 2/4/2004 NO LATE EXAMS ACCEPTED

Public Key Infrastructure for a Higher Education Environment

Transcription:

Dynamically Authorized Role-Based Access Control for Secure Distributed Computation CORBA CSIv2 in Action C. Joncheng Kuo & Polar Humenn Center for Systems Assurance Syracuse University March 20, 2002

Terminology RBAC: Role-Based Access Control CSIv2: Common Secure Interoperability Version 2 ATLAS: Authorization Token Layer Acquisition Service Copyright 2002 Center for Systems Assurance 2

Outline CSIv2 and RBAC Role authorization Role administration Example: secure computation system Conclusions Copyright 2002 Center for Systems Assurance 3

What is in CSIv2? CSIv2 defines the Security Attribute Service protocol, which provides: Identity Assertion: Allows a client to claim to make a CORBA request on behalf of an identity other than its authenticated principal. Authorization Service: Transfers a client s authorization data to a target. Copyright 2002 Center for Systems Assurance 4

Our Approach: Use CSIv2 to Do Role-Based Access Control A client uses a CSIv2 Identity Token to claim to be in a role. I am in Role R. Why should I believe in it? Client Client as R Target Copyright 2002 Center for Systems Assurance 5

Role Authorization We use a role certificate to grant a principal the right to act in particular roles. Elements of a role certificate: Subject: to whom roles are granted. Issuer: the issuer of a certificate. Validity period: the valid time of a certificate. Roles: a list of roles granted to the subject. Authorization domain: in which a certificate is accepted. Copyright 2002 Center for Systems Assurance 6

Role Administration We use a Role Authority (RA) to issue role certificates. ATLAS RA RA grants Alice [ R ] in domain D Authorization Domain D grant_role (Alice,R) Target Bob Copyright 2002 Center for Systems Assurance 7

The Use of Role Certificates A client uses an ATLAS object to retrieve role certificates. ATLAS RA Alice as R RA grants Alice [ R ] in domain D RA grants Alice [ R ] in domain D Authorization Domain D Alice Alice as R RA grants Alice [ R ] in domain D Target Copyright 2002 Center for Systems Assurance 8

A Secure Computation System Business Logic A large simulation is partitioned into distributed objects, called Computational Units (CU). Each CU has four neighbors: east, west, south, north. CUs exchange specific boundaries with specific neighbors. CU1 CU2 CU3 CU4 CU5 Copyright 2002 Center for Systems Assurance 9

Interface of a CU Each CU provides four operations on its interface for its neighbors to retrieve data. getnorthboundary() getwestboundary() CU geteastboundary() getsouthboundary() Copyright 2002 Center for Systems Assurance 10

Access Control Policy of a CU Each CU models its neighbors as roles and defines its access control policy according to the business logic of the application: east_neighbor cando [ geteastboundary ] west_neighbor cando [ getwestboundary ] south_neighbor cando [ getsouthboundary ] north_neighbor cando [ getnorthboundary ] anyone cando [ allocate ] owner cando [ release, setneighbor, calculate,... ] Copyright 2002 Center for Systems Assurance 11

Allocating a CU CU administers its own authorization domain. ATLAS RA Alice Alice no certificate Alice allocate RA grants Alice [owner] in domain CU Authorization Domain CU CU grant_role (Alice,owner) Copyright 2002 Center for Systems Assurance 12

Configuring a CU The owner of a CU configures the business of the CU. ATLAS RA grants Alice [owner] in domain CU RA Alice Alice as owner RA grants Alice [owner] in domain CU Alice as owner RA grants CU2 [west_ neighbor] in domain CU Authorization Domain CU RA grants Alice setneighbor ( west_neigbor,cu2) CU grant_role (CU2,west_ neighbor) Copyright 2002 Center for Systems Assurance 13

Business of a CU The west neighbor access the west boundary. CU2 CU2 as west_neighbor RA grants CU2 [west_ neighbor] in domain CU ATLAS CU2 as west_neighbor getwestboundary RA grants CU2 [west_ neighbor] in domain CU Authorization Domain CU RA grants CU2 RA grants Alice [owner] in domain CU CU RA Access allowed Copyright 2002 Center for Systems Assurance 14

Highlights Access control policy specifies permissions (as allowed operations) with respect to roles, not individual principals. Access control policy closely follows the static business logic of a CU. Copyright 2002 Center for Systems Assurance 15

Experimental Implementation Implemented at Center for Systems Assurance at Syracuse University Using: ORBAsec SL3 from Adiron, LLC ORBacus from IONA JCSI from Wedgetail for Kerberos isasilk from IAIK for SSL J2SDK from Javasoft Copyright 2002 Center for Systems Assurance 16

Potential Problems Revocation of Role Certificates CUs need to revoke role certificates when released. Can be done by means of various cost Certificate Revocation Lists (expensive) Unique Authorization Domain Names that are coordinated with the CU. (less expensive) Not yet thoroughly investigated. Copyright 2002 Center for Systems Assurance 17

Conclusion The CORBA standards CSIv2 and ATLAS are effective in implementing RBAC in a dynamic fashion. Copyright 2002 Center for Systems Assurance 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information