Using Attribute-Based Access Control to Enable Attribute-Based Messaging
Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter and Himanshu Khurana
University of Illinois at Urbana-Champaign
Introduction to ABM
Attribute-Based Messaging (ABM): Targeting messages based on attributes.
To: faculty going on sabbatical
Examples
• Address all faculty going on sabbatical next term
• Notify all female CS graduate students who passed qualifying exams of a scholarship opportunity
ACSAC 2006
Why ABM?
• Attribute-based systems have desirable properties
  • flexibility, privacy and intuitiveness
• Attribute-Based Messaging (ABM) brings these advantages to e-mail messaging
  • enhances confidentiality by supporting targeted messaging
    • via dynamic and transient groups
  • enhances relevance of messages
    • by reducing unwanted messages
Challenges
• Access Control
  • access to such a system should be carefully controlled
  • potential for spam
  • privacy of attributes
• Deployability
  • system should be compatible with existing infrastructure
• Efficiency
  • system should have comparable performance to regular e-mail
Enterprise Architecture
[Figure: architecture diagram with Policy Decision, ABM Server, E-mail MTA and Attr. DB; example message "To: Managers"]
• Ensuing Issues
  • ABM Address Format, Client I/F
  • Access Control - policy specification and enforcement
  • Attribute Database creation and maintenance
Enterprise Architecture cont.
• Attribute database
  • all enterprises have attribute data about their users
  • data spread over multiple, possibly disparate databases
  • assume that this attribute data is available to ABM system
  • “information fabric”, “data services layer”
• ABM address format
  • logical expressions of attribute value pairs
  • disjunctive normal form
Access Control
• Access Control Lists (ACLs)
  • difficult to manage
• Role-Based Access Control (RBAC)
  • simplified management if roles already exist
• Attribute-Based Access Control (ABAC)
  • uses same attributes used to target messages
  • more flexible policies than with RBAC
• Access policy
  • XACML is used to specify access policies
  • Sun’s XACML engine is used for policy decision
Access Control cont.
• Problem
  • need policy per logical expression
  • policy explosion
• Solution?
  • one policy per <attribute,value>
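The two ideas on the slides above, an ABM address as a disjunctive normal form expression over attribute-value pairs and one access policy per <attribute,value>, shown as an added example that is not code from the presentation. The textual address syntax, the attribute data, the policy predicates (standing in for XACML) and the rule that every pair in the address must permit the sender are assumptions of this example.

```python
# Added example; attribute data, policies and address syntax are constructed.
ATTR_DB = {  # user -> {attribute: value}
    "alice": {"role": "faculty", "dept": "cs", "sabbatical": "yes"},
    "bob":   {"role": "faculty", "dept": "ee", "sabbatical": "no"},
    "carol": {"role": "student", "dept": "cs", "level": "grad"},
    "dave":  {"role": "staff", "dept": "cs", "position": "manager"},
}

# One policy per <attribute, value>: a predicate over the SENDER's attributes.
# Plain predicates stand in for the XACML policies named on the slides.
POLICIES = {
    ("role", "faculty"):   lambda s: s.get("role") in ("faculty", "staff"),
    ("sabbatical", "yes"): lambda s: s.get("position") == "manager",
    ("dept", "cs"):        lambda s: s.get("dept") == "cs",
    ("level", "grad"):     lambda s: s.get("role") == "faculty",
}

def parse_dnf(address):
    """Parse 'a=v AND b=w OR c=x' into a list of conjunctions of (attr, value)."""
    clauses = []
    for conj in address.split(" OR "):
        pairs = []
        for lit in conj.split(" AND "):
            attr, sep, value = lit.partition("=")
            if not sep or not attr.strip() or not value.strip():
                raise ValueError(f"malformed literal: {lit!r}")
            pairs.append((attr.strip(), value.strip()))
        clauses.append(pairs)
    return clauses

def authorize(sender, clauses):
    """Permit only if every pair used in the address permits this sender."""
    s = ATTR_DB.get(sender, {})
    for pair in {p for conj in clauses for p in conj}:
        policy = POLICIES.get(pair)
        if policy is None or not policy(s):  # no policy for a pair: default deny
            return False
    return True

def resolve(clauses):
    """Recipients are users matching all pairs of at least one conjunction."""
    return sorted(u for u, a in ATTR_DB.items()
                  if any(all(a.get(k) == v for k, v in conj) for conj in clauses))

def send(sender, address):
    """Return the recipient list, or None when the sender is not authorized."""
    clauses = parse_dnf(address)
    return resolve(clauses) if authorize(sender, clauses) else None
```

The number of policies grows with the number of distinct pairs rather than with the number of possible expressions, which is the point of the per-pair design.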
Deployability
• Use existing e-mail infrastructure (SMTP)
  • address ABM messages to the ABM server (MUA) and add ABM address as a MIME attachment
• No modification to client
  • use a web server to aid the sender in composing the ABM address via a thin client (web browser)
• E-mail like semantics
  • policy specialization
Putting It All Together
[Figure: system diagram. Components: Sender, Web Server (Windows IIS), MTA, ABM Server, Attribute DB (MS SQL Server), PDP (Sun’s XACML Engine), Policy (xml). Step labels: AR1, AR2, AR3, AR4, PS1, PS2, PS7, PS8, MS1, MS2.]
Legend
• PS: Policy Specialization
• MS: Messaging
• AR: Address Resolution
Security Analysis
• Problem
  • open to replay attacks
• Solution
  • MTA configured with SMTP authentication
  • with additional message specific checks
Experimental Setup
• Measured
  • latency over regular e-mail
  • with and without access control
  • latency of Policy Specialization
• Setup
  • up to 60K users
  • 100 attributes in the system
  • 20% of attributes common to most users
  • 80% of attributes sparsely distributed
Results
Results Continued…
Policy Specialization Latency
Other Considerations
• Policy Administration
  • one policy per <attribute,value>, not per address
  • can be further reduced to one policy per attribute
• Privacy
  • of sender and receivers
  • of ABM address
• Usability
  • user interfaces
Related Work
• Technologies
  • List Servers
  • Customer Relationship Management (CRM)
  • Secure role-based messaging
  • WSEmail
Future Work
• Inter-domain ABM
  • e.g., address doctors in the tri-state area who have expertise in a specific kind of surgical procedure
  • challenge – “attribute mapping”
  • application in ‘emergency communications’
• Encrypted ABM