This paper discusses the challenges in cyber security and presents a group-centric information sharing model. It explores the use of sticky policies, dissemination-centric sharing, and the g-SIS policy model. The paper also introduces the concepts of super-distribution and micro-distribution in information sharing.
Enforcement Architecture and Implementation Model for Group-Centric Information Sharing
Ram Krishnan (George Mason University)
Ravi Sandhu (Univ. of Texas at San Antonio)
Secure Information Sharing (SIS)
• A fundamental problem in cyber security
• Share but protect
• Current approaches not satisfactory
  • Traditional models (MAC/DAC/RBAC) do not work
• Recent approaches
  • Proprietary systems for Enterprise Rights Management
    • Many solutions: IBM, CA, Oracle, Sun, Authentica, etc.
    • Interoperability is a major issue
  • Many languages have been standardized
    • XrML, ODRL, XACML, etc.
  • Primarily dissemination or object centric
Dissemination Centric Sharing
• Attach attributes and policies to objects
• Objects are associated with sticky policies
• Policy language standards such as XrML and ODRL provide sticky policies
[Figure: Dissemination Chain with Sticky Policies on Objects. An object with its Attribute + Policy Cloud is passed along a chain of users (Alice, Bob, Charlie, Jake, John), each of whom has their own Attribute Cloud.]
Group-Centric Sharing (g-SIS)
• Advocates bringing users & objects together in a group
• In practice, co-exists with dissemination centric sharing
[Figure: user and object lifecycle in a group. Users: Never Group User → (Join) → Current Group User → (Leave) → Past Group User. Objects: Never Group Object → (Add) → Current Group Object → (Remove) → Past Group Object.]
• Two useful metaphors
  • Secure Meeting/Document Room
    • Users' access may depend on their participation period
    • E.g. Program committee meeting, Collaborative Product Development, Merger and Acquisition, etc.
  • Subscription Model
    • Access to content may depend on when the subscription began
    • E.g. Magazine Subscription, Secure Multicast, etc.
g-SIS Policy Model
[Figure: Users Join and Leave the GROUP; Objects are Added and Removed; the policy question is Authz (S,O,R)?]
Enforcement Model Objectives
• Allow offline access
  • Assumes a Trusted Reference Monitor (TRM)
    • Resides on group user's access machine
    • Enforces group policy
    • Synchronizes attributes periodically with server
• Objects available via Super-Distribution
  • Encrypt objects using group key and distribute
  • Other users with access to group key may access
g-SIS Architecture
[Figure: parties shown are GA, CC, Object Cloud, Group Users (each running a TRM) and a Non-Group User. Numbered steps reconstructed from the figure:]
1.1 Request Join {AUTH = FALSE}
1.2 Authz Join {AUTH = TRUE}
1.3 User Join CC {AUTH=TRUE}, Integrity Evidence
1.4 Provision Credentials {id, Join_TS, Leave_TS, ORL, gKey, N}
2.1 Add Object o
2.2 Distribute o (Object Cloud)
3. Read Objects (Obtain Object o)
4.1 Request Refresh
4.2 Update Attributes
5.1 Remove User (id)
5.2 Set Leave-TS (u) = Current Time
6.1 Remove Object (o)
6.2 Update: a. Remove_TS (o) = Current Time; b. ORL = ORL U {id, Add_TS (o), Remove_TS (o)}
User Attributes: {id, Join-TS, Leave-TS, ORL, gKey}
Object Attributes: {id, Add-TS}
• ORL: Object Revocation List
• gKey: Group Key
Authz (s,o,r) -> Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & o NotIn ORL
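The authorization rule and the lifecycle operations on the architecture slide (join, add, refresh, remove user, remove object) are small enough to execute. The following Python is an added example, not the authors' implementation: the GroupAdmin and TRM classes, the integer logical clock used for the timestamps, and the Alice timeline are assumptions of this example. It also makes visible the one point the slide only implies: the TRM decides on its local attribute copy, so a removal at the server takes effect only at the next refresh.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of the attributes named on the architecture slide; the logical-clock
# timestamps and the class names (GroupAdmin, TRM) are this example's own, not the paper's.

@dataclass
class ObjectAttrs:
    id: str
    add_ts: int                      # Add-TS(o)

@dataclass
class UserAttrs:
    id: str
    join_ts: int                     # Join-TS(s)
    leave_ts: Optional[int] = None   # Leave-TS(s); None plays the role of NULL
    orl: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # obj id -> (Add_TS, Remove_TS)
    gkey: bytes = b""                # gKey handed out at provisioning (step 1.4)

def authz(s: UserAttrs, o: ObjectAttrs) -> bool:
    """Authz(s,o,r) exactly as on the slide:
    Add-TS(o) > Join-TS(s)  &  Leave-TS(s) = NULL  &  o NotIn ORL"""
    return o.add_ts > s.join_ts and s.leave_ts is None and o.id not in s.orl

class GroupAdmin:
    """Server side (GA/CC): authoritative user attributes, object attributes and ORL."""
    def __init__(self, gkey: bytes):
        self.gkey = gkey
        self.users: Dict[str, UserAttrs] = {}
        self.objects: Dict[str, ObjectAttrs] = {}
        self.orl: Dict[str, Tuple[int, int]] = {}

    def join(self, uid: str, now: int) -> UserAttrs:          # steps 1.1 - 1.4
        self.users[uid] = UserAttrs(uid, now, None, dict(self.orl), self.gkey)
        return copy.deepcopy(self.users[uid])                  # credentials given to the TRM

    def add_object(self, oid: str, now: int) -> ObjectAttrs:   # steps 2.1 - 2.2
        self.objects[oid] = ObjectAttrs(oid, now)
        return self.objects[oid]

    def remove_user(self, uid: str, now: int) -> None:         # steps 5.1 - 5.2
        self.users[uid].leave_ts = now

    def remove_object(self, oid: str, now: int) -> None:       # steps 6.1 - 6.2
        self.orl[oid] = (self.objects[oid].add_ts, now)

    def refresh(self, uid: str) -> UserAttrs:                  # steps 4.1 - 4.2
        self.users[uid].orl = dict(self.orl)
        return copy.deepcopy(self.users[uid])

class TRM:
    """Trusted Reference Monitor on the user's machine: decides on its LOCAL copy of the
    attributes, so a removal at the server is not seen until the next refresh."""
    def __init__(self, creds: UserAttrs):
        self.attrs = creds

    def sync(self, ga: GroupAdmin) -> None:
        self.attrs = ga.refresh(self.attrs.id)

    def read(self, o: ObjectAttrs) -> bool:
        return authz(self.attrs, o)

def run_scenario() -> Dict[str, bool]:
    """Constructed timeline; returns every access decision so the outcomes can be checked."""
    ga = GroupAdmin(gkey=b"constructed-group-key")
    o_old = ga.add_object("o_old", now=5)            # added before Alice joins
    trm = TRM(ga.join("alice", now=10))
    o_new = ga.add_object("o_new", now=15)           # added after Alice joins
    o_mid = ga.add_object("o_mid", now=18)
    d: Dict[str, bool] = {}
    d["old_object_before_join"] = trm.read(o_old)    # False: Add-TS(o) > Join-TS(s) fails
    d["new_object_after_join"] = trm.read(o_new)     # True
    ga.remove_object("o_new", now=20)                # server puts o_new on the ORL
    d["removed_object_stale_trm"] = trm.read(o_new)  # True: TRM has not refreshed yet
    trm.sync(ga)
    d["removed_object_after_refresh"] = trm.read(o_new)  # False: o NotIn ORL fails
    ga.remove_user("alice", now=25)                  # Leave-TS(alice) = 25 at the server
    d["past_user_stale_trm"] = trm.read(o_mid)       # True: still within the offline window
    trm.sync(ga)
    d["past_user_after_refresh"] = trm.read(o_mid)   # False: Leave-TS(s) = NULL fails
    return d
```

Two details worth noting when reading the decisions: the slide's rule uses a strict comparison, so an object added at the same instant as the join is not readable, and the two "stale" decisions are not bugs but the price of offline access; the refresh interval in step 4 is exactly the revocation latency a deployment accepts.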
Super Vs Micro-distribution in g-SIS
• Super-Distribution (SD)
  • Single key for all group users
  • Encrypt once, access where authorized
  • Total offline access except periodic refresh times
• Micro-Distribution (MD)
  • CC shares a key with each user in the group
  • Initial access requires CC participation
  • CC custom encrypts using key shared with user
  • Subsequent accesses can be offline as allowed by TRM
[Figure: Super-Distribution in g-SIS; parties Author, CC, Object Cloud, User. Message sequence reconstructed from the figure:]
  Author → CC: Add (C), C = Enc (o, K)
  CC: Set Add_TS for o
  CC → Object Cloud: Distribute (C)
  User → Object Cloud: Get (o)
  Object Cloud → User: Provide (C)
  User: Read o and Store C Locally
[Figure: Micro-Distribution in g-SIS; parties Author, CC, User. Message sequence reconstructed from the figure:]
  Author: Encrypt o with key k1 shared with CC (C = Enc (o, k1))
  Author → CC: Add (C)
  CC: Dec (C, k1), Set Add_TS for o and Store Locally
  User → CC: Get (o)
  CC: Encrypt o with key k2 shared with User (C' = Enc (o, k2))
  CC → User: Provide (C')
  User: Dec (C', k2), Store C' Locally
Background (Trusted Computing)
• Trusted Computing
  • An industry standard/alliance
  • Proposed by Trusted Computing Group
• Basic premise
  • Software alone cannot provide an adequate foundation for trust
  • TCG proposes root of trust at the hardware level using a Trusted Platform Module or TPM
Background (TPM)
• Trusted storage for keys
  • Encrypt user keys with a chain of keys
  • Storage Root Key (SRK) is stored in TPM & never exposed
• Trusted Capabilities
  • Operations exposed by the TPM
  • Guaranteed to be trustworthy
• Platform Configuration Registers (PCR)
  • Hardware registers used to store integrity of software (e.g. boot-chain)
Background (TPM Capabilities)
• Seal
  • Data/Key coupled with a PCR value encrypted with SRK
• Unseal
  • Data/Key will be decrypted by the TPM only if current PCR value matches that of PCR value in sealed blob
• CertifyKey
  • Create a key pair
    • Private key is sealed to a PCR value
    • Public key signed by TPM only if Private part is non-migratable
  • Private part available in the future only if future PCR value matches the PCR value at seal time
  • Third parties can encrypt data with public key
    • Data can be decrypted only under known PCR state
    • Data can be decrypted only using the same TPM that created the key (non-migratable)
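The Super- vs Micro-Distribution exchanges and the Seal/Unseal capability above fit together: in SD the TRM holds gKey for offline reads, and sealing gKey to a PCR is what keeps it from a TRM binary that was not measured at provisioning. The Python below is an added example serving both slides; it is neither the paper's implementation nor the TCG TPM API. SimTPM is a software stand-in (PCR extend as SHA-256(PCR || measurement), Seal as PCR-value-plus-data encrypted under an SRK that never leaves the object), the cipher is HMAC-SHA256 in counter mode with an HMAC tag so the block runs on the standard library alone (a real deployment would use an AEAD such as AES-GCM), and every key and message is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict

# Stand-ins for this example only: SimTPM is not a TPM, and the HMAC-based cipher
# below is a stdlib substitute for a real AEAD. All keys/messages are constructed.

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream generator."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")   # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class SimTPM:
    """Minimal software model of Seal/Unseal bound to a single PCR (not a real TPM)."""
    def __init__(self):
        self._srk = os.urandom(32)    # Storage Root Key: created inside, never exported
        self.pcr = bytes(32)          # PCR value after platform reset

    def reset(self) -> None:          # reboot: the PCR clears, the SRK persists
        self.pcr = bytes(32)

    def extend(self, measurement: bytes) -> None:
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()

    def seal(self, data: bytes) -> bytes:          # couple current PCR value with the data
        return encrypt(self._srk, self.pcr + data)

    def unseal(self, blob: bytes) -> bytes:        # release only under the same PCR state
        pt = decrypt(self._srk, blob)
        sealed_pcr, data = pt[:32], pt[32:]
        if not hmac.compare_digest(sealed_pcr, self.pcr):
            raise PermissionError("PCR mismatch: platform state differs from seal time")
        return data

def super_distribution() -> Dict[str, bool]:
    """SD: one group key K, encrypt once (C = Enc(o, K)); the TRM keeps gKey sealed."""
    o, gkey = b"constructed group document", os.urandom(32)
    C = encrypt(gkey, o)                                  # Author/CC: Add(C), Distribute(C)
    tpm = SimTPM()
    for m in (b"bootloader", b"os-kernel", b"TRM-v1"):    # measured boot chain into the TRM
        tpm.extend(m)
    sealed_gkey = tpm.seal(gkey)                          # TRM seals gKey at provisioning
    out = {"offline_read_ok": decrypt(tpm.unseal(sealed_gkey), C) == o}
    tpm.reset()                                           # reboot into a different TRM binary
    for m in (b"bootloader", b"os-kernel", b"TRM-modified"):
        tpm.extend(m)
    try:
        tpm.unseal(sealed_gkey)
        out["modified_trm_blocked"] = False
    except PermissionError:
        out["modified_trm_blocked"] = True                # gKey stays inside the TPM
    return out

def micro_distribution() -> Dict[str, bool]:
    """MD: CC re-encrypts per user with the key it shares with that user (C' = Enc(o, k2))."""
    o = b"constructed group document"
    k1, k2 = os.urandom(32), os.urandom(32)               # Author<->CC and User<->CC keys
    C = encrypt(k1, o)                                    # Author: Add(C)
    stored = decrypt(k1, C)                               # CC: Dec(C, k1), store locally
    C_prime = encrypt(k2, stored)                         # CC: Provide(C') on Get(o)
    out = {"user_reads_ok": decrypt(k2, C_prime) == o}
    try:
        decrypt(k1, C_prime)                              # the author's key cannot open C'
        out["other_key_rejected"] = False
    except ValueError:
        out["other_key_rejected"] = True
    return out
```

The two demo functions make the trade-off on the slide concrete: super_distribution never contacts the CC again after provisioning, and its security rests entirely on the PCR check that gates gKey, whereas micro_distribution needs the CC online for the first access but never hands a long-lived group secret to the client at all.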
Leave and Remove
[Figure: User Leave and Object Remove flows; only the labels survive.]
Conclusion
• Group-Centric Vs Dissemination-Centric Sharing
• Super Vs Micro-Distribution approach in g-SIS
• g-SIS Architecture supports both SD and MD
• Offline access realizable due to Trusted Computing
• Future Work
  • Investigate Implementation Model
  • Read-Write Access
  • Multiple Groups