Secure Information Sharing Using Attribute Certificates and Role Based Access Control. Ganesh Godavari, C. Edward Chow, 06/22/2005, University of Colorado at Colorado Springs. International Conference of Security and Management 2005.
Slide1
Secure Information Sharing Using Attribute Certificates and Role Based Access Control
Ganesh Godavari, C. Edward Chow, 06/22/2005
University of Colorado at Colorado Springs
International Conference of Security and Management 2005
Slide2
Introduction to Information Sharing
Information Sharing relates to the sharing of information between two or more entities.
Synchronous Information Sharing
  - real-time communication
  - collaboration in "same time-different place"
  - Tools -- Instant messaging, Video conferencing ...
Asynchronous Information Sharing
  - Collaboration in "different time-different place"
  - Tools -- Discussion boards, E-mail ...
Slide3
Introduction to Information Sharing
Steps for secure Information sharing
  - Authentication: Username/password, pin #, X509 Certificates
  - Authorization: Group based authorization, role based authorization etc.
  - Access
Secure storage of the Authorization policy is critical: Attribute Certificates (AC)
Slide4
Secure Information Sharing
Motivation
  - Paradigm Shift from "Need to Know" to "Need to Share"
  - Incidents like 9/11, natural disaster relief
  - Organizations are intertwined more now than ever
Rapid deployment of a secure information sharing system for a multi-agency taskforce has become a critical issue for homeland security and defense.
Information Sharing relates to the sharing of information between multiple agencies or organizations.
Slide5
Role Based Access Control
[Figure: NIST RBAC model. USERS -> ROLES via User Assignment (UA, many-to-many); ROLES -> PRMS (operations on objects) via Permission Assignment (PA, many-to-many); SESSIONS are linked to USERS by user_session (one-to-many: a user is associated with a session) and to ROLES by session_roles (gives the roles activated by the session).]
NIST study shows a user's role is less likely to change, and roles are tightly related to access rights to information.
  - File system operations: read, write and execute
  - DBMS operations: insert, delete, append and update
Slide6
Attribute Certificates
ACs standardized in RFC-3281, "An Internet Attribute Certificate for Authorization"
  - no public key, unlike a Public Key Certificate (PKC)
  - used for storing short duration attributes: Role, resource allocation, security clearance ...
AC in security
  - Strong identity of the holder is not required
  - access control specification
  - Non-repudiation of the attributes by the issuer
  - Privilege delegation, role allocation ...
Slide7
Privilege Management Infrastructure (PMI)
Privilege Management Infrastructure
  - Similar to Public Key Infrastructure
  - Function is to specify the policy for attribute certificate issuance and management

Concept                PKI entity                            PMI entity
Certificate            Public Key Certificate (PKC)          Attribute Certificate (AC)
Certificate issuer     Certification Authority (CA)          Attribute Authority (AA)
Certificate user       Subject                               Holder
Certificate binding    Subject's Name to Public Key          Holder's Name to Privilege Attribute(s)
Revocation             Certificate Revocation List (CRL)     Attribute Certificate Revocation List (ACRL)
Root of trust          Root CA or Trust Anchor               Source of Authority (SOA)
Subordinate Authority  Subordinate Certification Authority   Attribute Authority (AA)

Comparison of PKIs and PMIs [chad2-02]
Slide8
Issues with large multi-agency Information System
Issues
  - How can we authenticate users belonging to multiple organizations?
  - Authorization policy specification encompassing multiple organizations
Solutions
  - X509 certificates for identification of users
  - Authorization based on the RBAC[] model
Security Administration can be a management nightmare
Slide9
Context Free Grammar of Authorization Policy Specification
sisprivilegeset <role name> <privilegeset name>
{
  <privilege>  := if ( <expression> ) do <action>
  <expression> := <term> | <term> && <expression> | ( <expression> ) | ! ( <expression> )
  <term>       := <factor> | <factor> || <term> | ( <term> )
  <factor>     := <variable operator value>
  <operator>   := > | >= | < | <= | == | != | #
  <action>     := grantAccess | rejectAccess | acquirePrivileges <privilegeset Name> | contact <authorization server>
}
#: regular expression string matching operator
Slide10
RBAC specification format
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!--===== SIS request example =====-->
<sis>
  <Role>administrator</Role>
  <Group>Info Share</Group>
  <OU>UCCS</OU>
</sis>
Slide11
Example – File Access Specification
Privilege specification for administrator
File access control specification
sisprivilegeset administrator filematch
{
  if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
  # user accounts protection from get and post requests by administrator
  if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
  if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
  :
}
#: matching operator (A # B: if A contains B)
Slide12
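The grammar of Slide 9 and the file-access specification of Slide 11, turned into a working evaluator as an added example (this is not the authors' tool): it parses sisprivilegeset blocks, evaluates each if/do condition by recursive descent with the grammar's own precedence (<term> groups ||, <expression> groups &&), and returns the action of the first rule that matches the request. The policy text, the treatment of '#' as a contains-match with '*' as a wildcard, and the default-deny fall-through when no rule matches are assumptions of this example.

```python
import re

# Constructed policy in the deck's sisprivilegeset syntax (not the project's own policy file);
# '#' is the deck's "A contains B" operator, and a '*' inside B is treated here as a wildcard.
POLICY = """sisprivilegeset administrator filematch {
  if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
  if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
  if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
}"""
TOKEN = re.compile(r'\s*(&&|\|\||>=|<=|==|!=|[()!<>#]|"[^"]*"|[\w/.~*-]+)')
RULE = re.compile(r'if\s*\((.*)\)\s*do\s+(\w+)')

def parse_policy(text):   # -> [(role, privilegeset name, [(condition tokens, action), ...]), ...]
    return [(*head.split(), [(TOKEN.findall(c), a) for c, a in RULE.findall(body)])
            for head, body in re.findall(r'sisprivilegeset\s+(\w+\s+\w+)\s*\{(.*?)\}', text, re.S)]

def evaluate(tokens, request):   # recursive descent over the deck's grammar
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def factor():                        # '(' expr ')' | '!' '(' expr ')' | <variable operator value>
        tok = take()
        if tok in ('(', '!'):
            if tok == '!':
                take()                   # skip the '(' that follows '!'
            val = expression()
            take()                       # skip the closing ')'
            return val if tok == '(' else not val
        op, want = take(), take().strip('"')
        have = str(request.get(tok, ''))
        if op == '#':                    # contains-match, '*' as wildcard
            return re.search(re.escape(want).replace(r'\*', '.*'), have) is not None
        return {'==': have == want, '!=': have != want, '>': have > want,   # compared as strings
                '>=': have >= want, '<': have < want, '<=': have <= want}[op]
    def term():                          # <factor> | <factor> '||' <term>
        val = factor()
        return bool(val | term()) if tokens[pos:pos + 1] == ['||'] and take() else val
    def expression():                    # <term> | <term> '&&' <expression>
        val = term()
        return bool(val & expression()) if tokens[pos:pos + 1] == ['&&'] and take() else val
    return expression()

def decide(policy, role, request):   # first matching rule wins; no match is rejectAccess (our default)
    for prole, _name, rules in policy:
        for tokens, action in (rules if prole == role else []):
            if evaluate(tokens, request):
                return action
    return 'rejectAccess'
```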
SIS system overview
[Figure: SIS system overview. Elements shown: Administration Tool; Server; RBAC Policy file; User; Access Control Decision and Enforcement Engine (ACDE); PKC; User Role Specification; AC; Mail Server; Database; Instant Msg Server; Web Server. Labelled actions: Authenticate, authorize, Create/Change/Revoke Attribute Certificates.]
Slide13
Access Control and Decision Enforcement
Slide14
Setup CA
  1. The coordinator of the task force from multiple agencies sets up a rootCA-MA (root CA for Multiple Agencies).
  2. Each agency requests a certificate to be signed by rootCA-MA.
  3. Each agency issues a new PKC to each user in its organization involved in the task force.
  4. At each server providing the secure information sharing service for this task force, add the rootCA-MA information into the CABundle (file containing the list of valid CAs).
  5. Each client/user installs the certificate in the local browser or applications.
Slide15
Choices for storing AC’s
A user's AC can be stored:
  - in a central repository of the taskforce, with the agency's local administrator having control only over the ACs of the users belonging to that agency
  - locally at each agency that defines his role within that agency
    - the user's privileges are the result of the association of the user with a particular agency
    - when the user's privileges are revoked, all the agencies must be notified
Prevent unauthorized access
Trust relationship between organizations determines where the ACs are stored
Slide16
Setup PMI
Our approach
  - Store all the user privileges in the organization the user originally belongs to
  - Check the user's privileges on every attempt to access the resources
Setup PMI
  - The coordinator of the task force signs the ACs of the members.
  - Agency members' ACs are distributed and installed on the LDAP server of the agency.
  - Web servers and shared applications query the PMI for authorization and access control
Slide17
Implementation
  - Apache (v 1.3.31) + Mod_SSL (v 2.8.18-1.3.31) + OpenSSL (v 0.9.7d)
    - We modified mod_auth_ldap with AC based ACDE
  - OpenLDAP (v 2.0.27-8)
    - Attribute Certificate's attribute definitions were added to inetorg-person.schema
  - OpenSSL libraries used for generating X509 certificates
    - we created an AC generation utility using OpenSSL
    - For validation we use Markus Lorch's code
  - We created a PKC generation utility based on EXPECT
Slide18
SIS Test-bed
Performance: Access Time from a client at sis-canada

Server            LDAP Access Time (ms)    AC retrieval/validation (ms)
sis-nissc         54.62                    96.88
sis-connecticut   51.84                    93.77
sis-newjersey     51.19                    93.31

All Machines: Pentium-III, 500 MHz; 256 MB RAM; Redhat Linux-2.4.20-6
Slide19
Conclusions
  - Developed efficient procedures and tools to set up a Public Key Infrastructure for authentication and a Privilege Management Infrastructure for authorization.
  - Created a multi-agency SIS test bed based on LDAP and web servers. OpenLDAP servers were enhanced to accept attribute certificates.
  - The LDAP module of the Apache web server was extended to achieve secure web access.
Slide20
PKC vs. AC
A PKC binds a subject (DN) to a public key; an AC binds permissions (attributes) to an entity.

Public Key Certificate (PKC)    Attribute Certificate (AC)
Version                         Version
Serial Number                   Serial Number
Signature ID                    Signature ID
Subject                         Holder
Issuer                          Issuer
Validity Period                 Validity Period
Subject Public Key Info         Attributes
Extensions                      Extensions
Signature                       Signature
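The ACDE checks that Slides 7, 16 and 20 imply, as an added example in Python (not the authors' tools): an AC carrying the fields of Slide 20 yields roles only if its issuer is a trusted AA under the SOA, its signature verifies, its holder is the PKC-authenticated subject, the request time lies inside the validity period, and the (issuer, serial) pair is not on the ACRL. The issuer DNs, keys, the ACRL entry and the use of an HMAC as a stand-in for the issuer's signature are assumptions of this example.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed trust store: the SOA (task-force coordinator) and one agency AA it has delegated
# to, keyed by issuer DN. An HMAC stands in for the issuer's signature so this runs offline;
# a real RFC 3281 AC is signed with the AA's private key and verified against the AA's PKC.
AA_KEYS = {'CN=rootCA-MA SOA': b'soa-demo-key', 'CN=AA Connecticut': b'ct-demo-key'}
ACRL = {('CN=AA Connecticut', 7)}          # revoked (issuer, serial) pairs, constructed

def sign_ac(ac, key):
    """Stand-in signature over every field except the signature itself."""
    body = json.dumps({k: v for k, v in ac.items() if k != 'signature'}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue_ac(issuer, holder, serial, attributes, not_before, not_after):
    """Build an AC with the fields of Slide 20 and sign it as the given AA."""
    ac = {'version': 2, 'serial': serial, 'issuer': issuer, 'holder': holder,
          'validity': [not_before, not_after], 'attributes': attributes}
    ac['signature'] = sign_ac(ac, AA_KEYS[issuer])
    return ac

def validate_ac(ac, authenticated_dn, now_iso):
    """The ACDE's checks before any attribute in the AC is trusted; returns (ok, reason)."""
    key = AA_KEYS.get(ac['issuer'])
    if key is None:
        return False, 'issuer is not a trusted AA'
    if not hmac.compare_digest(ac['signature'], sign_ac(ac, key)):
        return False, 'bad signature'
    if ac['holder'] != authenticated_dn:     # binding: holder must be the PKC-authenticated subject
        return False, 'holder does not match authenticated subject'
    not_before, not_after = (datetime.fromisoformat(t) for t in ac['validity'])
    if not not_before <= datetime.fromisoformat(now_iso) <= not_after:
        return False, 'outside validity period'
    if (ac['issuer'], ac['serial']) in ACRL:
        return False, 'revoked (ACRL)'
    return True, 'ok'

def roles_for(ac, authenticated_dn, now_iso):
    """Roles the ACDE may activate for this request: none unless the AC validates."""
    ok, _reason = validate_ac(ac, authenticated_dn, now_iso)
    return list(ac['attributes'].get('role', [])) if ok else []
```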