Secure Information Sharing Using


Attribute Certificates and Role Based Access Control. Ganesh Godavari, C. Edward Chow. 06/22/2005. University of Colorado at Colorado Springs. International Conference of Security and Management 2005.


Slide1

Secure Information Sharing Using Attribute Certificates and Role Based Access Control

Ganesh Godavari, C. Edward Chow, 06/22/2005, University of Colorado at Colorado Springs

International Conference of Security and Management 2005

Slide2

Introduction to Information Sharing

Information Sharing relates to the sharing of information between two or more entities.

Synchronous Information Sharing

real-time communication

Collaboration in “same time-different place”

Tools -- Instant messaging, Video conferencing ...

Asynchronous Information Sharing

Collaboration in “different time-different place”

Tools -- Discussion boards, E-mail …

Slide3

Introduction to Information Sharing

Steps for secure Information sharing

Authentication

Username/password, PIN #, X509 Certificates

Authorization

Group based authorization, role based authorization etc

Access

Secure storage of Authorization policy is critical

Attribute Certificates (AC)

Slide4

Secure Information Sharing

Motivation

Paradigm shift: “Need to Know” to “Need to Share”

Incidents like 9/11, natural disaster relief.

Organizations are intertwined more so now than ever.

Rapid deployment of a secure information sharing system for a multi-agency taskforce has become a critical issue for homeland security and defense.

Information sharing relates to the sharing of information between multiple agencies or organizations.

Slide5

Role Based Access Control

[Figure: RBAC model. Elements: USERS, ROLES, SESSIONS, PRMS (operation, objects). Relations: User Assignment (UA), Permission Assignment (PA), user_session (user is associated with a session), session_roles (gives roles activated by the session). Legend: many-to-many relationship, one-to-many relationship.]

A NIST study shows that a user’s role is less likely to change and that roles are tightly related to access rights to information.

File system operations: read, write and execute

DBMS operations: Insert, delete, append and update

Slide6

Attribute Certificates

AC’s

Standardized in RFC-3281, “An Internet Attribute Certificate for Authorization”

Contains no public key, unlike a Public Key Certificate (PKC)

used for storing short duration attributes

Role, resource allocation, security clearance…

AC in security

Strong identity of the holder is not required

access control specification

Non-repudiation of the attributes by the issuer

Privilege delegation, role allocation ….

Slide7

Privilege Management Infrastructure (PMI)

Privilege Management Infrastructure

Similar to Public Key Infrastructure

Function is to specify the policy for the attribute certificate issuance and management

| Concept | PKI entity | PMI entity |
|---|---|---|
| Certificate | Public Key Certificate (PKC) | Attribute Certificate (AC) |
| Certificate issuer | Certification Authority (CA) | Attribute Authority (AA) |
| Certificate user | Subject | Holder |
| Certificate binding | Subject’s Name to Public Key | Holder’s Name to Privilege Attribute(s) |
| Revocation | Certificate Revocation List (CRL) | Attribute Certificate Revocation List (ACRL) |
| Root of trust | Root CA or Trust Anchor | Source of Authority (SOA) |
| Subordinate Authority | Subordinate Certification Authority | Attribute Authority (AA) |

Comparison of PKIs and PMIs [chad2-02]

Slide8

Issues with large multi-agency Information System

Issues

How can we authenticate users belonging to multiple organizations?

Authorization policy specification encompassing multiple organizations

Solutions

X509 certificates for identification of users

Authorization based on RBAC model

Security Administration can be a management nightmare

Slide9

Context Free Grammar of Authorization Policy Specification

sisprivilegeset <role name> <privilegeset name>
{
    <privilege> := if ( <expression> ) do <action>
    <expression> := <term> | <term> && <expression> |
                    ( <expression> ) | ! ( <expression> )
    <term> := <factor> | <factor> || <term> | ( <term> )
    <factor> := <variable operator value>
    <operator> := > | >= | < | <= | == | != | #
    <action> := grantAccess | rejectAccess |
                acquirePrivileges <privilegeset Name> |
                contact <authorization server>
}

#: regular expression string matching operator

Slide10

RBAC specification format

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!--===== SIS request example =====-->
<sis>
    <Role>administrator</Role>
    <Group>Info Share</Group>
    <OU>UCCS</OU>
</sis>

Slide11

Example – File Access Specification

Privilege specification for administrator

File access control specification

sisprivilegeset administrator filematch {
    if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
    # user accounts protection from get and post requests by administrator
    if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
    if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
    :
}

#: matching operator (A # B: if A contains B)
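Added example, not the authors' ACDE code: a small Python evaluator for the grammar on the earlier slide, run on the administrator rules above. Assumptions: `#` is a glob-style "contains" match, rules are tried in order and the first match decides, no match means rejectAccess, and only `#`, `==` and `!=` are implemented.

```python
import re
from fnmatch import fnmatchcase

POLICY = '''
sisprivilegeset administrator filematch {
  if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
  if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
  if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
}
'''  # the slide's rules retyped with straight quotes (constructed input)
TOKEN = re.compile(r'"[^"]*"|&&|\|\||[<>=!]=|[()!<>#]|[\w.]+')
OPS = {"#": lambda a, b: fnmatchcase(a, "*" + b + "*"),  # assumed: glob-style "contains"
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def evaluate(cond, request):
    """Recursive-descent evaluation of one <expression> against a request dict."""
    toks = TOKEN.findall(cond) + [None]        # None marks end of input
    def expression():                          # <term> [&& <expression>] | ! ( <expression> )
        if toks[0] == "!":
            del toks[:2]                       # consume "!" and "("
            val = not expression()
            toks.pop(0)                        # consume ")"
        else:
            val = term()
        if toks[0] == "&&":
            toks.pop(0)
            val = expression() and val         # right side is always parsed
        return val
    def term():                                # <factor> [|| <term>] | ( <expression> )
        if toks[0] == "(":
            toks.pop(0)
            val = expression()
            toks.pop(0)                        # consume ")"
        else:
            var, oper, lit = toks.pop(0), toks.pop(0), toks.pop(0).strip('"')
            val = OPS[oper](str(request.get(var, "")), lit)
        if toks[0] == "||":
            toks.pop(0)
            val = term() or val                # right side is always parsed
        return val
    return expression()

def decide(policy, role, name, request):
    """First matching rule wins; no match means rejectAccess (assumed semantics)."""
    for r, n, body in re.findall(r'sisprivilegeset\s+(\S+)\s+(\S+)\s*\{(.*?)\}', policy, re.S):
        for cond, action in re.findall(r'if\s*\((.*)\)\s*do\s+(\w+)', body):
            if (r, n) == (role, name) and evaluate(cond, request):
                return action
    return "rejectAccess"
```

Under these assumptions a get for /~alice/private/etc/passwd is granted by the first rule before the private-directory rejects are reached. Placing reject rules first, or using `==` for exact paths, keeps a substring match from widening a grant.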

Slide12

SIS system overview

[Figure: SIS system overview. Labels: User (PKC, AC; authenticate, authorize), Server, Access Control Decision and Enforcement Engine (ACDE), Administration Tool (create/change/revoke Attribute Certificates), RBAC Policy file, User Role Specification, Mail Server, Database, Instant Msg Server, Web Server.]

Slide13

Access Control and Decision Enforcement

Slide14

Setup CA

The coordinator of the task force from multiple agencies sets up a rootCA-MA (root CA for Multiple Agencies).

Each agency requests a certificate to be signed by rootCA-MA.

Each agency issues a new PKC to each user in its organization involved in the task force.

At each server that provides the secure information sharing service for this task force, add the rootCA-MA information to the CABundle (file containing the list of valid CA's).

Each client/user installs the certificate in the local browser or application.

Slide15

Choices for storing AC’s

A user's AC can be stored

in a central repository of the taskforce

with each agency's local administrator having control only over the AC's of the users belonging to that agency

locally at each agency that defines his role within that agency

user's privileges are the result of the association of the user with a particular agency

when a user's privileges are revoked, all the agencies must be notified

Prevent unauthorized access

Trust relationship between organizations determines where the AC's are stored

Slide16

Setup PMI

Our approach

Store all the user privileges in the organization the user originally belongs to

Check user's privileges on every attempt to access the resources

Setup PMI

The coordinator of the task force signs the AC’s of the members.

Agency members' AC’s are distributed and installed on the LDAP server of the agency.

Web servers and shared applications query the PMI for authorization and access control.

Slide17

Implementation

Apache (v 1.3.31) + Mod_SSL(v 2.8.18-1.3.31) + openSSL (v 0.9.7d)

We modified mod_auth_ldap with AC based ACDE

OpenLDAP (v 2.0.27-8)

Attribute Certificate attribute definitions were added to inetorg-person.schema

OpenSSL libraries used for generating X509 certificates

We created an AC generation utility using OpenSSL

For validation we use Markus Lorch’s code

We created a PKC generation utility based on EXPECT

Slide18

SIS Test-bed

| Server | LDAP Access Time (ms) | AC retrieval/validation (ms) |
|---|---|---|
| sis-nissc | 54.62 | 96.88 |
| sis-connecticut | 51.84 | 93.77 |
| sis-newjersey | 51.19 | 93.31 |

Performance: Access Time from a client at sis-canada

All Machines

Pentium-III, 500 MHz

256 MB RAM

Redhat Linux-2.4.20-6

Slide19

Conclusions

Developed efficient procedures and tools to set up Public Key Infrastructure for authentication and Privilege Management Infrastructure for authorization.

Created a multi-agency SIS test bed based on LDAP and web servers.

OpenLDAP servers were enhanced to accept attribute certificates.

LDAP module of the apache web server was extended to achieve secure web access.

Slide20

PKC vs. AC

PKC binds a subject (DN) to a public key

AC binds permissions (attributes) to an entity

| Public Key Certificate (PKC) | Attribute Certificate (AC) |
|---|---|
| Version | Version |
| Serial Number | Serial Number |
| Signature ID | Signature ID |
| Subject | Holder |
| Issuer | Issuer |
| Validity Period | Validity Period |
| Subject Public Key Info | Attributes |
| Extensions | Extensions |
| Signature | Signature |

