Attribute-Based Access Control. Stephen Schwab and Jay Jacobs. SPARTA ISSO Security Research Division (d.b.a. Cobham Analytic Solutions)



Similar documents
A System for Interactive Authorization for Business Processes for Web Services

Getting Started. Visit the website at

White Paper: Security and Agility in the API Economy. Optimizing and securing your APIs with ViewDS Identity Solutions and Layer 7

The BCA Contract Management System

Federation Proxy for Cross Domain Identity Federation

OpenHRE Security Architecture. (DRAFT v0.5)

Conclusion and Future Directions

Extended RBAC Based Design and Implementation for a Secure Data Warehouse

Role Based Encryption with Efficient Access Control in Cloud Storage

CLOUD SERVICE LEVEL AGREEMENTS Meeting Customer and Provider needs

1 st Symposium on Colossal Data and Networking (CDAN-2016) March 18-19, 2016 Medicaps Group of Institutions, Indore, India

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

The Top 5 Federated Single Sign-On Scenarios

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

An Introduction to Trust Negotiation

API Management: Powered by SOA Software Dedicated Cloud

Security challenges for internet technologies on mobile devices

CLOUD-HOSTED PROXY BASED COLLABORATION IN MULTI- CLOUD COMPUTING ENVIRONMENTS WITH ABAC METHODS

and Deployment Roadmap for Satellite Ground Systems

Cryptography and Network Security Chapter 14

Distributed Attribute Based Encryption for Patient Health Record Security under Clouds

Analysis of Different Access Control Mechanism in Cloud

Providing Access Permissions to Legitimate Users by Using Attribute Based Encryption Techniques In Cloud

Service-Oriented Architectures

Identity Management for Interoperable Health Information Exchanges

The Future of Access Control: Attributes, Automation and Adaptation

REQUEST FOR INFORMATION. Identity and Access Management Administration Software RFI

Definition of SOA. Capgemini University Technology Services School Capgemini - All rights reserved November 2006 SOA for Software Architects/ 2

INFOWAY EHRI PRIVACY & SECURITY CONCEPTUAL ARCHITECTURE V1.1

Concepts and Architecture of the Grid. Summary of Grid 2, Chapter 4

Digital Policy Management Framework for Attribute-Based Access Control

Secure Role-Based Access Control on Encrypted Data in Cloud Storage using Raspberry PI

Software Defined Exchange (SDX) and Software Defined Infrastructure Exchange (SDIX) Vision and Architecture

NStreamAware: Real-Time Visual Analytics for Data Streams to Enhance Situational Awareness

Programming Assignments for Graduate Students using GENI

Access Control Framework of Personal Cloud based on XACML

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation

3rd International Symposium on Big Data and Cloud Computing Challenges (ISBCC-2016) March 10-11, 2016 VIT University, Chennai, India

NSW Government Standard Approach to Information Architecture. December 2013 v.1.0

Multi Tenancy Access Control Using Cloud Service in MVC

Strategies for the implementation of a Public Key Authentication Framework (PKAF) in Australia

IBM WebSphere Application Server

OPEN DATA CENTER ALLIANCE USAGE Model: Software as a Service (SaaS) Interoperability Rev 1.0

Peer to Peer Settlement for Next Generation IP Networks Using the ETSI OSP Protocol (ETSI TS ) for Cascading Peering Settlements

SAML:The Cross-Domain SSO Use Case

A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems

Identity Management with midpoint. Radovan Semančík FOSDEM, January 2016

IBM Software Group. Deliver effective governance for identity and access management.

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

Introduction to Computer Security

SP A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

Security Models: Past, Present and Future

Exploring ADSS Server Signing Services

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

Privileged Identity Management

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Electronic Submission of Medical Documentation (esmd) CDA Digital Signatures. January 8, 2013

Technical. Overview. ~ a ~ irods version 4.x

Agent-Based Cloud Broker Architecture for Distributed Access Control

Chapter 2 Taxonomy and Classification of Access Control Models for Cloud Environments

Peer-to-Peer Computing

OmniStar Exceptional GMS Functionality. Comparison with Industry Best Practice Functionality

Service Virtualization: Managing Change in a Service-Oriented Architecture

Cloud Federations in Contrail

Digital Business Platform for SAP

NIST s Guide to Secure Web Services

A Survey Study on Monitoring Service for Grid

Lofan Abrams Data Services for Big Data Session # 2987

Oracle Real Time Decisions

Complying with PCI Data Security

Oracle SOA Suite: The Evaluation from 10g to 11g

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Designing and Experimenting with Data Center Architectures. Aditya Akella UW-Madison

1. Introduction. 2. Background Cloud computing in a nutshell

Transcription:

March 18, 2010 Attribute-Based Access Control Stephen Schwab and Jay Jacobs SPARTA ISSO Security Research Division (d.b.a. Cobham Analytic Solutions)

Topics ABAC Usage and Features RT 0 Credentials Delegation Examples ABAC Architecture Credential Formats Discovery Policy Integration Summary Summary 1

ABAC Usage 2

ABAC Features Designed specifically for heterogeneous, distributed computing environments, Attribute- Based Access Control (ABAC) extends RBAC with the following features: 1. Decentralized attributes 2. Delegation of attribute authority 3. Inference of attributes 4. Attribute delegation of attribute authority 5. Sensitivity of credentials 6. Trust negotiation provenance ABAC relies on the RT family of languages described in Ninghui Li, John C. Mitchell, and William H. Winsborough. Design of a role-based trust management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2002.

RT 0 Credentials RT credentials have two parts: The left hand side contains the required attributed role and the right hand side contains the subject, which can be an entity or an attributed role. Type 1: A.r 1 S Type 2: A.r 1 B.r 2 Type 3: A.r 1 B.r 2.r 3 Type 4: A.r 1 B.r 2 C.r 3 (simple member) (simple inclusion) (linking inclusion) (intersection inclusion) RT credentials support union with multiple credentials as shown with the credential examples above.

Delegation Examples Emulab.researcher Robert (1) Emulab.researcher Utah.gradOfficer.gradStudent (2) Utah.gradOfficer James (3) James.gradStudent Ann (4)

ABAC High-level View Policy Initialization: 1. Create the identity certificates and private keys needed for an ABAC policy. 2. Generate ABAC credentials using the private key(s) of the issuer(s). 3. Add the identity certificates needed for a negotiation. 4. Add the issuer based credentials to the service-side negotiator (or discovery service) 5. Add the subject credentials to the requestor-side negotiator. Policy Enforcement: 1. Decision control points issue an access request based on local policy. 2. Peer negotiators exchange messages until a decision is reached. 3. The decision is returned to the access mediator 6

Credential Examples

Discovery How does an ABAC negotiator get the correct set of credentials from the subject and issuer to make a decision? What is the simple way to begin with a centralized solution where everything is stored at the Utah clearinghouse? What is the scalable implementation that we want to consider for the future? Credential discovery appears straight forward and is needed for credential integrity if not distributed a priori. ABAC currently uses standard X.509 identity certificates. For ABAC credential discovery, indexing of credentials must be available for forward searching and backward searching. Service providers use the backward search, while subjects need to forward search. Index by issuer is useful for revocation and auditing but not strictly needed for discovery. Discovery will be needed for scalability of non-sensitive credentials.

Policy What is ABAC policy? Policy in ABAC is the set of credentials used by two negotiators to complete a negotiation. It may also include acknowledgement (ack) policy, which defines sensitive credentials and the roles required for their release during a negotiation. We need to define policy for GENI and each aggregate or component manager joining the ProtoGENI cluster. Ack policy is not immediately necessary, but as more users and applications projects are added to the GENI environment, some sensitive credentials should be anticipated. Is it initially necessary to refine roles beyond users and administrator? We are currently looking for application layer examples!

Integration Summary What does ABAC need added to ProtoGENI for reference implementation use? ProtoGENI Features ABAC Features Current Uses X.509 identity certificates Supports simple member credentials Signs XML credentials Current Uses X.509 identity certificates Has extendable credential format X.509v2 attribute certificates Needed Supports simple inclusion credentials Supports linking inclusion credentials Credential searching for discovery service Needed Use-case policy examples Discovery client for clearinghouse Identity certificates Signed Credentials (non-sensitive)

Extra Slides

Credential Integrity To ensure integrity all entities (issuers and subjects) require a key pair for: digital signatures secure communications Issuers use their private keys to sign credentials. Credential creation requires an RT credential and the issuer s private key. Credential verification occurs during an ABAC negotiation. The signed RT credential is provided through the negotiation dynamically or at initialization. The issuer s public key can be distributed manually a priori or dynamically at run-time. Signed credentials can be given to the subject (the current ProtoGENI model) or discovered dynamically by the resource provider. Issuer s Private Key Signed Credential Unsigned Credential Verified Credential Issuer s Public Key

Peer Communications 13

Draft Policy Workflow Comments Slice authorities generate/remove slice credentials when slices are created/destroyed. Designated authorities can be delegated on a per slice or global basis. Designated authorities also include ProtoGENI agreements (i.e. sliver locales, groups, etc.) Slice Authority Deisgnated Authority Questions Can the clearinghouse restrict credentials? (Not needed for discovery) What flexibility does the slice authority need? What is the current mechanism for transferring credentials in ProtoGENI between the owner and signatory? Where does the Emulab certificate generator fit into this? Policy Authority Publicly discoverable credentials Clearinghouse

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information