Secure Context-sensitive Authorization
Kazuhiro Minami and David Kotz, Dartmouth College
Context-sensitive Authorization
Diagram (smart meeting room): Guest Speaker → Request → Projector; Projector: "I cannot verify your identity."
Diagram (smart meeting room, now with a Location Sensor supplying Location Information): Guest Speaker → Request → Projector; Projector: "Since you are in the room, I authorize you to control me."
Centralized Approach
Diagram: Requester → Request → Resource → Authorization Query → Authorization Server → Context Information queries → Information Servers (Location Server, Role Server); the Authorization Server returns the Granting Decision to the Resource
• Integrity: make correct decisions
• Confidentiality: do not disclose confidential information
Smart Room Scenario
Diagram: Speaker → Request → Projector → Location Query → Location Server; Location Server → Access Point Query → WiFi Location Server; Location Server → GPS Coordinate Query → GPS Location Server
Distributed Rule-based Authorization
Diagram: Authorization Query → Central server (assembles the Proof Tree) → Logical Query → Host A, Host B, Host C, each returning a Sub-Proof Tree
Goals
• Confidentiality: preserve each principal's confidentiality policies
• Integrity: each principal receives a proof that satisfies its integrity policies
• Scalability: offload work from a central server
Outline
• Rule-based authorization
• Security model
• Distributed query processing
• Enforcement algorithm
• Summary
Rule-based Authorization
The Authorization Server is an Inference Engine over a Knowledge Base of rules and facts; the query ?grant(Bob, projector) is answered with a Proof Tree.
Rules:
  grant(P, projector) :- location(P, room112)
  location(P, L) :- owner(P, D), location(D, L)
Facts:
  owner(Bob, badge15)
  location(badge15, room112)
Example Proof Tree
?grant(Bob, projector)
  grant(Bob, projector)
    location(Bob, room112)
      owner(Bob, badge15)
      location(badge15, room112)
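The proof tree above can be reproduced with a small backward-chaining engine over the slide's two rules and two facts. The code below is an added example written for this page, not the authors' XProlog prototype; it assumes the Prolog convention that identifiers starting with an uppercase letter are variables, so the slide's constant Bob is spelled bob here.

```python
import itertools

# Knowledge base from the slide. Assumed convention: identifiers starting with
# an uppercase letter are variables, everything else is a constant.
FACTS = [
    ("owner", "bob", "badge15"),
    ("location", "badge15", "room112"),
]
RULES = [
    # grant(P, projector) :- location(P, room112)
    (("grant", "P", "projector"), [("location", "P", "room112")]),
    # location(P, L) :- owner(P, D), location(D, L)
    (("location", "P", "L"), [("owner", "P", "D"), ("location", "D", "L")]),
]

_fresh = itertools.count()


def is_var(term):
    return term[:1].isupper()


def walk(term, subst):
    """Follow variable bindings until a constant or an unbound variable is reached."""
    while is_var(term) and term in subst:
        term = subst[term]
    return term


def unify(a, b, subst):
    """Return an extended substitution that makes atoms a and b equal, or None."""
    if len(a) != len(b):
        return None
    subst = dict(subst)
    for x, y in zip(a, b):
        x, y = walk(x, subst), walk(y, subst)
        if x == y:
            continue
        if is_var(x):
            subst[x] = y
        elif is_var(y):
            subst[y] = x
        else:
            return None
    return subst


def rename(head, body):
    """Give a rule fresh variable names so two uses of it never share bindings."""
    n = next(_fresh)
    ren = lambda atom: tuple(f"{t}_{n}" if is_var(t) else t for t in atom)
    return ren(head), [ren(atom) for atom in body]


def resolve(atom, subst):
    return tuple(walk(t, subst) for t in atom)


def prove(goal, subst):
    """Yield (substitution, proof tree) for every derivation of goal.
    A proof tree is (ground atom, [sub-trees]); a fact has no sub-trees."""
    for fact in FACTS:
        s = unify(goal, fact, subst)
        if s is not None:
            yield s, (resolve(goal, s), [])
    for head, body in RULES:
        head, body = rename(head, body)
        s = unify(goal, head, subst)
        if s is None:
            continue
        for s2, subtrees in prove_all(body, s):
            yield s2, (resolve(goal, s2), subtrees)


def prove_all(goals, subst):
    if not goals:
        yield subst, []
        return
    for s, tree in prove(goals[0], subst):
        for s2, rest in prove_all(goals[1:], s):
            yield s2, [tree] + rest


def authorize(query):
    """Return the first proof tree for an authorization query, or None if it fails."""
    for _, tree in prove(query, {}):
        return tree
    return None


def render(tree, depth=0):
    atom, subtrees = tree
    line = "  " * depth + f"{atom[0]}({', '.join(atom[1:])})"
    return "\n".join([line] + [render(t, depth + 1) for t in subtrees])


if __name__ == "__main__":
    print(render(authorize(("grant", "bob", "projector"))))
```

Running it prints the four-node tree from the slide; a query for a principal with no registered device, such as grant(eve, projector), yields no proof and `authorize` returns None.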
Security Model
Each Resource holds Authorization Policies / Facts together with Confidentiality / Integrity Policies
Security Model: example
Host A (Alice)
  Rule: grant(P, projector) :- location(P, room112)
  Integrity policy: trust(location(P, L)) = {Dave}
Host B (Dave)
  Rule: location(P, L) :- owner(P, D), location(D, L)
  Facts: owner(Bob, pda15), location(pda15, room112)
  Confidentiality policies: acl(location(P, L)) = {Alice}, acl(owner(P, D)) = {Dave}
Alice's query ?location(Bob, room112) to Dave is answered TRUE
Assumptions
• Policies apply only to facts
• Each principal issues a query to a principal that satisfies its integrity policies
• Integrity policies are public knowledge
• A public key infrastructure is available
Architectural Overview
Diagram: User → Request → Resource → Authorization Query → Host → Logical Query → other Hosts
Decomposition of Proof Tree
Diagram: query principal p0 holds subtree T0 with root n0 and sends q0 to p1; p1 holds subtree T1 with root n1 and sends q1 to p2, which holds subtree T2
• A handler principal only returns a query result (true or false)
• All the nodes except for the root node are not disclosed
Enforcement of Confidentiality Policies
Diagram: the same chain p0 → q0 → p1 → q1 → p2; with confidentiality policy acl(q1) = {p0}, the result of q1 is encrypted with p0's key K0
• A handler principal chooses a receiver principal from its upstream principals
Enforcement Algorithm
Diagram: p0 → q0 → p1 → q1 → p2 → q2 → p3
Security policies: acl(q2) = {p0, p1}
Enforcement Algorithm (example run)
• p3 handles q2 by issuing q3 to p4 and q4 to p5
• p4 answers pf4 = (p0, (TRUE)K0), encrypted for p0; p5 answers pf5 = (p1, (TRUE)K1), encrypted for p1
• p3 returns (p1, ((pf4)(pf5))K1); p1 decrypts it and passes (p0, (pf4)K0) on to p0
• If p3 instead returned pf3 = (p0, ((pf4)(pf5))K0), forwarded as (p0, (pf3)K0) and (p1, (pf3)K1), then pf5 cannot be decrypted by p0, because it is encrypted with K1
Attack by Colluding Principals
• Each query carries the list of its upstream principals: (q0, [p0]), (q1, [p0, p1])
• Colluding principals rewrite that list, forwarding (q1, [p1, p0]) and then (q2, [p1, p0, p2])
• Security policy: acl(q2) = {p0}
• Sub-proofs pf4 = (p0, (TRUE)K0) and pf5 = (p1, (FALSE)K1) are combined as (p1, ((pf4)(pf5))) and (p0, ((pf4)(pf5))), and the colluders learn that q2's result is FALSE
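The security model, the proof decomposition and the confidentiality enforcement described above (a handler answers only true or false, chooses a receiver among its upstream principals according to its acl, and seals sub-proofs it cannot read inside a proof sealed for that receiver) can be exercised end to end with the following added example. It is constructed for this page and is not the paper's implementation: the three hosts, their keys, the device-location predicate name, the toy XOR keystream standing in for public-key encryption, and the rule of picking the closest permitted upstream principal as receiver are all assumptions. The colluding-principal attack is not modelled.

```python
import hashlib
import json
import os

# Toy stand-in for public-key encryption under a PKI (assumed keys, not real crypto):
# each principal's secret drives a SHA-256 keystream; only the named receiver can open a sealed value.
SECRETS = {"alice": b"alice-secret", "dave": b"dave-secret", "carol": b"carol-secret"}


def _keystream_xor(secret, nonce, data):
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(secret + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def seal(receiver, obj):
    """Encrypt a JSON-serialisable proof for one principal: (receiver, (obj)K_receiver)."""
    nonce = os.urandom(16)
    ct = _keystream_xor(SECRETS[receiver], nonce, json.dumps(obj).encode())
    return {"to": receiver, "nonce": nonce.hex(), "ct": ct.hex()}


def unseal(principal, sealed):
    if sealed["to"] != principal:
        raise PermissionError(f"{principal} cannot decrypt a proof sealed for {sealed['to']}")
    pt = _keystream_xor(SECRETS[principal], bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["ct"]))
    return json.loads(pt)


def readable_by(principal, sealed):
    try:
        unseal(principal, sealed)
        return True
    except PermissionError:
        return False


def evaluate(principal, sealed):
    """Recursively decrypt a proof and conjoin its parts; raises if a part is sealed for someone else."""
    proof = unseal(principal, sealed)
    if "result" in proof:
        return proof["result"]
    return all(evaluate(principal, part) for part in proof["and"])


HOSTS = {}


class Host:
    def __init__(self, name, facts=(), rules=None, acl=None, trust=None):
        self.name, self.facts = name, set(facts)
        self.rules = rules or {}    # predicate -> fn(query, facts) -> list of alternative rule bodies
        self.acl = acl or {}        # confidentiality: predicate -> principals allowed to learn the result
        self.trust = trust or {}    # integrity: predicate -> principals whose answers are accepted
        HOSTS[name] = self

    def handle(self, query, upstream):
        """Answer `query` for the upstream chain [querier, ..., sender]; the result is sealed
        for the closest upstream principal the acl permits (receiver-choice rule assumed)."""
        allowed = self.acl.get(query[0], set())
        receiver = next((p for p in reversed(upstream) if p in allowed), None)
        if receiver is None:
            raise PermissionError(f"{self.name}: no upstream principal may learn {query}")
        if query in self.facts:
            return seal(receiver, {"result": True})
        for body in self.rules.get(query[0], lambda q, f: [])(query, self.facts):
            if not all(g in self.facts for g in body if g[0] not in self.trust):
                continue                                    # a local goal fails: try the next body
            # Remote goals go to a principal that this host's integrity policy trusts.
            remote = [HOSTS[min(self.trust[g[0]])].handle(g, upstream + [self.name])
                      for g in body if g[0] in self.trust]
            decided, forwarded = [], []
            for part in remote:
                (decided if readable_by(self.name, part) else forwarded).append(part)
            if not all(evaluate(self.name, part) for part in decided):
                continue
            if not forwarded:
                return seal(receiver, {"result": True})     # decided here: only true/false leaves this host
            return seal(receiver, {"and": forwarded})       # unreadable sub-proofs are forwarded, nested and untouched
        return seal(receiver, {"result": False})


def authorize(principal, query):
    """Run an authorization query as `principal` and decrypt the returned proof."""
    return evaluate(principal, HOSTS[principal].handle(query, [principal]))


# Constructed deployment mirroring the slides; device location is a separate predicate here.
Host("alice",  # grant(P, projector) :- location(P, room112); trusts Dave for people's locations
     rules={"grant": lambda q, f: [[("location", q[1], "room112")]]},
     acl={"grant": {"alice"}}, trust={"location": {"dave"}})
Host("dave",   # location(P, L) :- owner(P, D), location(D, L); trusts Carol for device locations
     facts={("owner", "bob", "badge15")},
     rules={"location": lambda q, f: [[("owner", q[1], d), ("device_location", d, q[2])]
                                      for (pred, p, d) in sorted(f) if pred == "owner" and p == q[1]]},
     acl={"location": {"alice"}}, trust={"device_location": {"carol"}})
Host("carol",  # sensor server; discloses device locations to Alice only, so Dave must forward its proof
     facts={("device_location", "badge15", "room112")},
     acl={"device_location": {"alice"}})

if __name__ == "__main__":
    print(authorize("alice", ("grant", "bob", "projector")))
```

Dave receives Carol's answer sealed for Alice, cannot read it, and forwards it nested inside his own proof sealed for Alice, who decrypts recursively and conjoins the parts. If no upstream principal is in the handler's acl, the handler refuses the query rather than choosing a receiver outside the policy (that refusal is this example's choice, not specified on the slides).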
Related Work
• Rule-based authorization: Cerberus [Al-Muhtadi, Ranganathan, Campbell, Mickunas], PerCom 2003; [Myles, Friday, Davies], IEEE Pervasive Computing 2003
• Role-based access control: Generalized RBAC [Covington, Ahamad, Srinivasan], SACMAT 2001; OASIS [Bacon, Moody, Yao], SACMAT 2002
• Trust management systems: SD3 [Jim], IEEE S&P 2001
Summary
• Distributed authorization system that addresses the issue of confidential rules and facts
• Proof decomposition based on integrity policies
• Recursive encryption facilitates information sharing among principals
• Future work includes the evaluation of the performance and scalability
Trusted Proof Tree
Diagram: Querier → Query → Handler → Proof
• A handler principal only returns a proof subtree that satisfies the querier's integrity policies
First-Responder Scenario
Diagram: First Responder → Request → Situation Monitor Server → Role Membership Query → Role Server of Incident Management System → Role membership query → Role Server of Fire Department; Situation Monitor Server → Location Query → Responder Assistance Location Server. Integrity and Confidentiality requirements are marked on the query paths.
Current Status and Future Work
• Prototype implementation based on XProlog
• Evaluation of the performance and scalability
• User feedback mechanism