Slide 1: Automatic Trust Negotiation
Dennis Kafura – CS5204 – Operating Systems
Slide 2: Motivation
Two remote interacting parties will disclose information to each other only when each has established an appropriate level of trust in the other.
Elements
- Remote peers
  - Requester (of a controlled resource)
  - Controller (of a requested resource)
- Sensitive information
  - data/services requested by remote peer
  - certificates
    - credentials: issued by a trusted third party (e.g., affiliation)
    - declarations: attributes describing the peer (e.g., preferences)
- Negotiation
  - bilateral, incremental exchange leading to an authorization decision
- Policies
  - drive the exchange sequence
  - establish requirements for the disclosure of resources
  - alternative policies may exist for the same resource
Slide 3: Negotiation Overview
Diagram: Requestor (with its Policy Base) and Controller (with its Policy Base); the exchange runs Resource request, Policies (both directions), Subject Profile (both directions), Credentials (both directions), Resource granted.
Slide modified from:
http://www.ccs.neu.edu/home/ahchan/wsl/symposium/bertino.ppt
Slide 4: Trust-X Framework
Diagram components: certificates; disclosure policies; negotiation engine; negotiation state; recorded similar prior negotiations.
Slide 5: Scenario
(A) Employees of Corrier must provide company badge and ID card
(B) Others must provide driver's license and credit card
Diagram: requests to the Rental Car Agency come from Employees of Corrier (handled by Policy A) and from Unknown requesters (handled by Policy B).
Slide 6: Disclosure Policy
A policy has the form ( {p1, …, pn} , rule ), where {p1, …, pn} is the precondition (a set of other policies) and the rule is either R ← DELIV or R ← t1, …, tn for a resource R and terms t1, …, tn.
A term is P(C) (P a certificate type) or X(C) (X a variable); C is a set of conditions of the form attr op expr.
Example:
pol3 = ( {pol2} , Rental_Car ← Credit_Card(name = Rental_Car.name, Rental_Car.ReturnDate < ExpirationDate) );
If at least one precondition is met, R can be disclosed if the peer can satisfy the policy terms.
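As an added example (not code from the slides or from Trust-X), the following Python evaluator implements the policy form above: a policy holds when at least one of its precondition policies holds and every term is satisfied by a certificate the peer presents; a policy with no terms is the R ← DELIV rule, and R is disclosed when one of its DELIV rules holds. pol3 is the slide's example policy; pol1, pol2, pol_deliv, the certificate attributes and the Rental_Car attributes are constructed for the rental-car scenario.

```python
"""Evaluator for disclosure policies of the form ({p1, ..., pn}, R <- t1, ..., tn).

Added example. Certificates are plain dicts; the policy base and the certificate
sets below are constructed for the rental-car scenario, not taken from the slides.
"""
from dataclasses import dataclass
from datetime import date
import operator

OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}


@dataclass(frozen=True)
class Condition:
    """attr op expr; expr is a literal or ("ref", name), an attribute of the requested resource."""
    attr: str
    op: str
    expr: object


@dataclass(frozen=True)
class Term:
    """P(C): a certificate of type cert_type whose attributes satisfy every condition in C."""
    cert_type: str
    conditions: tuple = ()


@dataclass(frozen=True)
class Policy:
    name: str
    preconditions: frozenset  # policy names; at least one must hold (empty set: no precondition)
    resource: str
    terms: tuple = ()         # empty tuple: the DELIV rule


def _resolve(expr, resource_attrs):
    if isinstance(expr, tuple) and expr and expr[0] == "ref":
        return resource_attrs[expr[1]]
    return expr


def term_satisfied(term, certificates, resource_attrs):
    """True if the peer presents a certificate of the required type meeting every condition."""
    for cert in certificates:
        if cert.get("type") != term.cert_type:
            continue
        if all(c.attr in cert and OPS[c.op](cert[c.attr], _resolve(c.expr, resource_attrs))
               for c in term.conditions):
            return True
    return False


def policy_satisfied(policy, policies, certificates, resource_attrs, _stack=frozenset()):
    """Any one precondition and all terms must hold; _stack guards against cyclic preconditions."""
    if policy.name in _stack:
        return False
    stack = _stack | {policy.name}
    if policy.preconditions and not any(
            policy_satisfied(policies[p], policies, certificates, resource_attrs, stack)
            for p in policy.preconditions):
        return False
    return all(term_satisfied(t, certificates, resource_attrs) for t in policy.terms)


def disclosable(resource, policies, certificates, resource_attrs):
    """R is disclosed when some DELIV rule for R holds (alternative policies may exist for R)."""
    return any(policy_satisfied(p, policies, certificates, resource_attrs)
               for p in policies.values() if p.resource == resource and not p.terms)


# Constructed policy base: (A) employees of Corrier show badge and ID card, (B) others show
# driver's license and credit card. pol3 is the slide's example; the rest is constructed.
POLICIES = {p.name: p for p in [
    Policy("pol1", frozenset(), "Rental_Car",
           (Term("Company_Badge", (Condition("company", "=", "Corrier"),)), Term("ID_Card"))),
    Policy("pol2", frozenset(), "Rental_Car", (Term("Drivers_License"),)),
    # Rental_Car.ReturnDate < ExpirationDate, written with the certificate attribute on the left
    Policy("pol3", frozenset({"pol2"}), "Rental_Car",
           (Term("Credit_Card", (Condition("name", "=", ("ref", "name")),
                                 Condition("ExpirationDate", ">", ("ref", "ReturnDate")))),)),
    Policy("pol_deliv", frozenset({"pol1", "pol3"}), "Rental_Car"),  # Rental_Car <- DELIV
]}

RENTAL = {"name": "Alice", "ReturnDate": date(2026, 6, 1)}  # attributes of the requested resource (constructed)

# Constructed certificate sets presented by three different requesters.
EMPLOYEE = [{"type": "Company_Badge", "company": "Corrier"}, {"type": "ID_Card", "name": "Alice"}]
CUSTOMER = [{"type": "Drivers_License", "name": "Alice"},
            {"type": "Credit_Card", "name": "Alice", "ExpirationDate": date(2027, 1, 31)}]
EXPIRED_CARD = [{"type": "Drivers_License", "name": "Alice"},
                {"type": "Credit_Card", "name": "Alice", "ExpirationDate": date(2026, 5, 1)}]

if __name__ == "__main__":
    for label, certs in [("employee", EMPLOYEE), ("customer", CUSTOMER), ("expired card", EXPIRED_CARD)]:
        print(label, disclosable("Rental_Car", POLICIES, certs, RENTAL))
```

The precondition set is evaluated as a disjunction and the terms as a conjunction, which is what the slide's closing sentence states; the DELIV rule is modelled as a policy with no terms so that "alternative policies for the same resource" are simply several DELIV policies for R. A credit card presented without the driver's license fails because pol3's precondition pol2 is not met.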
Slide 7: Policy for Scenario
Slide 8: Negotiation Process
Diagram (Controller and Requestor):
- INTRODUCTORY PHASE – preliminary information exchange: service request; qualifications/preferences
- RESOURCE DISCLOSURE POLICY EVALUATION PHASE – bilateral disclosure of policies: disclosure policies exchanged in both directions
- CERTIFICATE EXCHANGE – actual credential disclosure: credential and/or declaration exchanged in both directions; service granted
Slide modified from:
http://www.ccs.neu.edu/home/ahchan/wsl/symposium/bertino.ppt
Slide 9: Negotiation Process
Sequence generation phase
Three ways to build trust:
1. Trust tickets
2. Sequence prediction
3. Policy evaluation
Slide 10: 1. Trust Ticket
- Allows for expedited processing of repeated requests
- Certifies that the parties have already successfully completed a negotiation for a given resource
- Issued by each party to the other at the end of a successful negotiation for access to that resource
- Reused for subsequent requests for that resource
Elements
- Sequence of certificates
- Validity time
- Signature of issuer
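An added example (my own code, not from the slides or Trust-X) of issuing and checking a trust ticket with the three elements listed: the certificate sequence that completed the negotiation, a validity time, and the issuer's signature. HMAC-SHA256 over a canonical JSON encoding stands in for the issuer's signature, on the assumption that the issuer keeps the key and verifies its own tickets when the peer presents them again; the key, dates and field names are constructed.

```python
"""Trust ticket issue/verify (added example; HMAC stands in for the issuer's signature)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


def _canonical(fields):
    # Sorted keys and fixed separators so the signed bytes are the same on issue and verify.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(key, resource, certificate_sequence, peer, validity, now=None):
    """Issuer side: bind resource, peer and the disclosed certificate order to a validity time."""
    now = now or datetime.now(timezone.utc)
    fields = {
        "resource": resource,
        "peer": peer,                                   # party the ticket was issued to
        "certificates": list(certificate_sequence),     # order in which credentials were disclosed
        "valid_until": (now + validity).isoformat(),
    }
    sig = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": sig}


def verify_ticket(key, ticket, resource, peer, now=None):
    """True only if the signature covers every field unchanged, the ticket names this
    resource and peer, and the validity time has not passed."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v for k, v in ticket.items() if k != "signature"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket.get("signature", "")):
        return False
    if fields.get("resource") != resource or fields.get("peer") != peer:
        return False
    return datetime.fromisoformat(fields["valid_until"]) > now


# Constructed demo values: a fixed "now" keeps the checks reproducible.
KEY = b"constructed-demo-key"
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
DEMO_TICKET = issue_ticket(KEY, "Rental_Car", ["Drivers_License", "Credit_Card"],
                           "customer-42", timedelta(days=30), now=T0)


def demo_checks():
    """Fresh ticket accepted; expired, tampered, wrong-resource and wrong-key tickets rejected."""
    return {
        "fresh": verify_ticket(KEY, DEMO_TICKET, "Rental_Car", "customer-42", now=T0 + timedelta(days=1)),
        "expired": verify_ticket(KEY, DEMO_TICKET, "Rental_Car", "customer-42", now=T0 + timedelta(days=31)),
        "tampered": verify_ticket(KEY, {**DEMO_TICKET, "certificates": []}, "Rental_Car", "customer-42", now=T0),
        "wrong_resource": verify_ticket(KEY, DEMO_TICKET, "Other", "customer-42", now=T0),
        "wrong_key": verify_ticket(b"other-key", DEMO_TICKET, "Rental_Car", "customer-42", now=T0),
    }


if __name__ == "__main__":
    print(demo_checks())
```

The signature is checked before anything else and with a constant-time comparison, and the resource and peer are part of the signed fields, so a ticket issued for one resource or one peer cannot be replayed for another; a real deployment would use a public-key signature so the peer can also verify who issued the ticket.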
Slide 11: 2. Sequence Generation
- At the end of a successful negotiation for access to resource R, information about the sequence of peer credentials involved in the negotiation can be cached
- In a subsequent negotiation for resource R, the cached sequence can be retrieved and tested for applicability
- Useful in cases of repeated forms of negotiation with different parties
Slide 12: 3. Policy Evaluation
Process
- Incremental exchange of policies driven by the resources each party requires of the other
- No credentials are exchanged during this phase
- Begins with the initial request for access to a resource
- Ends when
  - One party determines it cannot satisfy the policies of the other, or
  - Both parties believe/claim that they can each satisfy the other's policies
Elements
- Negotiation tree – maintains the state of the negotiation
- Labels – determine subsequent credential exchange order
- Views – paths through the negotiation tree
- Trust sequence – a view where all policies are satisfied
Slide 13: Negotiation Tree
node: <resource, state, owner>
state: open or DELIV
owner: RQ (requestor), CN (controller)
Diagram: successive levels of the tree alternate between nodes owned by CN and nodes owned by RQ.
Slide 14: Example Negotiation Tree
Slide 15: Example Negotiation Tree
Slide 16: Example Negotiation Tree
Slide 17: Example Negotiation Tree
Slide 18: Example Negotiation Tree
Assume that Certified_service is not controlled by any policy.
Slide 19: Repeated Nodes
Link nodes referring to the same resource to avoid duplicating exchange/evaluation.
Slide 20: Edge Labels
- When the precondition for a policy, P, is satisfied, nodes corresponding to P can be added to the negotiation tree
- The certificates satisfying the precondition policies are used to label the edges for the nodes corresponding to P
- The edge labels denote the order of credential exchange
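The following is an added example (my own model of slides 12, 13, 19 and 20, not code from the slides or Trust-X) of the policy-evaluation phase run over a negotiation tree. Nodes are <resource, state, owner> with owner RQ or CN; a node is expanded with its owner's policies for the resource, each alternative policy listing the peer resources it requires, an empty list being the DELIV rule, and a resource with no policy being freely delivered, as slide 18 assumes for Certified_service. A view picks one alternative per node; a trust sequence is a view in which every node reaches DELIV, returned in credential-exchange order (what the edge labels record). Nodes for a repeated resource are evaluated once and shared. No credentials are exchanged, only policies; the policy bases and possessions are constructed.

```python
"""Negotiation tree search for a trust sequence (added example; policy bases are constructed)."""
from dataclasses import dataclass, field

PEER = {"RQ": "CN", "CN": "RQ"}


@dataclass
class Party:
    possessed: set                                  # resources/certificates this party can disclose at all
    policies: dict = field(default_factory=dict)    # resource -> list of alternatives (tuples of peer resources)


def trust_sequence(resource, owner, parties, _path=frozenset(), _shared=None):
    """Return the ordered (owner, resource) disclosures that lead to delivering `resource`, or None."""
    if _shared is None:
        _shared = {}
    node = (owner, resource)
    if node in _shared:                 # repeated node: reuse the earlier evaluation (slide 19)
        return _shared[node]
    if node in _path:                   # cyclic requirement along this branch: no DELIV reachable
        return None
    me = parties[owner]
    if resource not in me.possessed:
        return None                     # node stays open: this party cannot disclose the resource
    for alternative in me.policies.get(resource, [()]):   # no policy: freely delivered
        sequence = []
        for required in alternative:    # every term of the chosen alternative must be satisfiable by the peer
            sub = trust_sequence(required, PEER[owner], parties, _path | {node}, _shared)
            if sub is None:
                break
            sequence.extend(sub)
        else:
            sequence.append(node)       # this node reaches DELIV once everything it depends on has
            result = _dedupe(sequence)
            _shared[node] = result      # only successes are cached; failures may depend on the path
            return result
    return None


def _dedupe(seq):
    seen, out = set(), []
    for item in seq:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


# Constructed policy bases. The agency (CN) accepts scenario (A) or (B); every requester
# wants to see the agency's Business_License before disclosing its own certificates.
AGENCY = Party(possessed={"Rental_Car", "Business_License"},
               policies={"Rental_Car": [("Company_Badge", "ID_Card"), ("Drivers_License", "Credit_Card")]})
EMPLOYEE = Party(possessed={"Company_Badge", "ID_Card"},
                 policies={"Company_Badge": [("Business_License",)]})
CUSTOMER = Party(possessed={"Drivers_License", "Credit_Card"},
                 policies={"Drivers_License": [("Business_License",)], "Credit_Card": [("Business_License",)]})
STRANGER = Party(possessed={"Drivers_License"})   # no credit card: neither alternative can complete


def negotiate(requestor):
    """Run the evaluation phase for a Rental_Car request from `requestor` against AGENCY."""
    parties = {"CN": AGENCY, "RQ": requestor}
    return trust_sequence("Rental_Car", "CN", parties)


if __name__ == "__main__":
    for label, rq in [("employee", EMPLOYEE), ("customer", CUSTOMER), ("stranger", STRANGER)]:
        print(label, negotiate(rq))
```

For the customer the search tries alternative (A) first, finds that Company_Badge cannot be disclosed, and succeeds with (B); Business_License appears once in the result although both the Drivers_License and Credit_Card nodes require it, which is the node sharing of slide 19. The stranger's negotiation ends with a None result, the "one party cannot satisfy the other's policies" outcome of slide 12.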