Type Based Distributed Access Control
Dominic Duggan, Stevens Institute of Technology
Joint work with Tom Chothia (Stevens) and Jan Vitek (Purdue)
D. Duggan

Motivation
• Our aim is to use types to place conditions on how data may be distributed.
• Consider a computer with public and private data:
Talk outline
• Review: Decentralized Label Model (DLM)
• Local Access Control
• Key Based Decentralized Label Model (KDLM)
• Distributed Access Control and Cryptography
• Formal Semantics
• Jeddak: A Language with Distributed Access Control
• Conclusions and Further Work

Local Access Control
• Local Access Control restricts access to data.
• Any read or write attempts are dynamically checked.
• There are no restrictions on authorized copies of data.
Decentralized Label Model (DLM)
• Program variable x
  • Has type int
  • Has label with policies
    • Bob : {bob, jane, mike}
    • Mary : {bob, jane, mary}
  • Is accessible by bob and jane
• Access control checked by type checking

DLM
• Data is protected by its type.
• Each attempt to copy data is statically checked at compile time.
• Copies of data have the same type and hence the same protection.
• Data sent outside the type checked area is no longer protected.
Declassification in the DLM
• Data has type {L1, L2, L3} int
  • L1 = bob : { bob, jane }
  • L2 = mary : { bob, jane, mary }
  • L3 = jane : { jane, tim }
• Only Jane can access the data
• L3 becomes jane : { jane, tim, bob }
• Now Jane and Bob can access the data
[Figure: principals Jane, Bob, Mary, Tim]
Minimize the Trusted Computing Base
[Figure: layered stack of Application, Communication Security, Communication, Network; DLM and KDLM shown against the Application, Protocol and Network layers]

KDLM
• As with the DLM, data is protected by its type.
• But the data can also be protected by encryption.
• Encryption protects data leaving the trusted area.
• Keys are protected in the same way as data.
KDLM
[Figure: Bob, Alice, Eve]

KDLM: Connecting Keys and Access Restrictions
• Key names have policies (ACLs)
  • K has policy: Joe : {Jane, Mike, Sam}
• Public-private key pair for key name
  • Private key protected by access restrictions
• Labels are sets of key names
  • Access restricted to intersection of policies (ACLs)
KDLM: Declassifying Encrypted Data
[Figure: Alice and Bob exchanging data under keys A and B]

Declassification in the KDLM
• Data has type {K1, K2, K3} Encrypted(int)
  • K1 has policy: bob : {bob, jane}
  • K2 has policy: mary : {bob, jane, mary}
  • K3 has policy: jane : {jane}
• Jane creates certificate for Bob: K1 declassifies K3
[Figure: Jane, Bob and Mary holding keys K1, K2, K3]

Declassification Certificates
• Key & Policy: K : skey[ bob : {mary, sam, bob} ]
• Label: {K1, K2, …, Kn}
• Labelled Type: T{K1, K2, …, Kn}
• Declassification Cert Types: K1 declassifies K2
Kinds, Types, Labels
Arities, Kinds
  A ::= Prin
  A ::= SKeyF[P:{P1…Pk}]
  A ::= IKeyF[P:{P1…Pk}]
  A ::= Type
Flags
  F ::= Virtual
  F ::= Actual
Key names, Principals, Types
  K,P,T ::= k, p, t
  K,P,T ::= DecKey K
  K,P,T ::= EncKey K
  K,P,T ::= AuthKey K
  K,P,T ::= SignKey K
  K,P,T ::= K1 reclassifies K2
  K,P,T ::= E{LT}
  K,P,T ::= S{LT}
  K,P,T ::= Chan LT
  K,P,T ::= t:A LT
Labels
  L ::= {K1,…,Km}
Labelled Types
  LT ::= [T]L1,L2

Expressions
  E ::= newKey k:A {e}
  E ::= newKey k:A (a+:LT1, a-:LT2) {e}
  E ::= reclassifyCertK1,K2()
  E ::= reclassifyCertK1,K2(e)
  E ::= chainK1,K2,K3(e1,e2)
  E ::= encryptK(e1,…,ek,e)
  E ::= decryptK1,K2(e1,…,ek,e)
  E ::= signK1,K2(e1,…,ek,e)
  E ::= authK(e1,…,ek,e)
  E ::= x, y, z, w
  E ::= a, b, c, n
  E ::= new(n:LT){e}
  E ::= fork{e}
  E ::= send(e1,e2)
  E ::= receive(a)
  E ::= reclassifyK1,K2(e1,e2)
  E ::= packt:ALT(K,e)
  E ::= unpack e1 to k:A(x:LT){e2}

Types, Principals, Key Names
[Figure: kinds type, skey[P:{P1…Pk}], prin; types decKey K, encKey K, int; key name K, principal P; run-time values k-, 3, k+]
Key Names
• Basically names of policies P:{P1,…,Pk}
• Exist at the type level
• May be:
  • Actual, i.e., associated with a public-private key pair at run-time
  • Virtual, i.e., only compile-time

Why Key-Based DLM?
• Suppose we added reclassification certs to the DLM
  • e1 has label {Joe:{Mary,Sue}}
  • e2 has label {Joe:{Mary,Sue}}
• Joe can declassify e1’s label: declassify ({Joe:{Mary,Sue,Sam}}, e1)
• Suppose Joe issues certificate: Joe:{Mary,Sue,Sam} declassifies Joe:{Mary,Sue}
• Then e2 can also be declassified!

Why Key-Based DLM?
• Some form of structural equivalence/inclusion on labels is still needed
  • e1 has label L1
  • e2 has label L2
  • e ? e1 : e2 has label L1 L2
• Who would own the result label if it was named?
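As an added illustration (not code from the talk or from Jeddak), the following Python models the KDLM pieces above: key names that name policies, labels as sets of key names with access restricted to the intersection of their reader sets, and certificates of the form "K1 declassifies K2". It reproduces the {K1, K2, K3} example and the point of the two preceding slides: because a label is a set of names rather than a structure, a certificate for one key name never reaches a second key that merely carries the same policy. The rule that only the owner of the key being declassified may issue the certificate is an assumption of this model.

```python
class KDLM:
    """Labels are sets of key names; each key name names one policy owner : {readers}."""
    def __init__(self):
        self.policies = {}   # key name -> (owner, frozenset of readers)

    def new_key(self, name, owner, readers):
        self.policies[name] = (owner, frozenset(readers))

    def readers(self, label):
        # Access is restricted to the intersection of the policies named in the label.
        sets = [self.policies[k][1] for k in label]
        return frozenset.intersection(*sets) if sets else frozenset()

    def issue_cert(self, issuer, k1, k2):
        # Certificate 'k1 declassifies k2'. Assumption: only k2's owner may issue it.
        if self.policies[k2][0] != issuer:
            raise PermissionError(f"{issuer} does not own {k2}")
        return (k1, k2)

    def declassify(self, label, cert):
        # Replace k2 by k1. A key with the same policy but another name is untouched.
        k1, k2 = cert
        label = frozenset(label)
        return (label - {k2}) | {k1} if k2 in label else label

def slide_example():
    """The deck's {K1, K2, K3} example: Jane certifies 'K1 declassifies K3' for Bob."""
    m = KDLM()
    m.new_key("K1", "bob", {"bob", "jane"})
    m.new_key("K2", "mary", {"bob", "jane", "mary"})
    m.new_key("K3", "jane", {"jane"})
    label = frozenset({"K1", "K2", "K3"})
    cert = m.issue_cert("jane", "K1", "K3")
    # Returns (bob can read before, bob can read after): (False, True)
    return "bob" in m.readers(label), "bob" in m.readers(m.declassify(label, cert))

def named_vs_structural():
    """Ka and Kb carry the same policy, yet a certificate for Ka does not reach Kb."""
    m = KDLM()
    m.new_key("Ka", "joe", {"mary", "sue"})
    m.new_key("Kb", "joe", {"mary", "sue"})
    m.new_key("Kc", "joe", {"mary", "sue", "sam"})
    cert = m.issue_cert("joe", "Kc", "Ka")       # Kc declassifies Ka, issued by Joe
    e1 = m.declassify(frozenset({"Ka"}), cert)   # {Kc}: now readable by sam
    e2 = m.declassify(frozenset({"Kb"}), cert)   # {Kb}: unchanged, sam still excluded
    return "sam" in m.readers(e1), "sam" in m.readers(e2)
```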
Jeddak
• Extends Java with
  • Principals
  • Key names
  • Labels and policies
Summary
• KDLM for Distributed Access Control
• Benefit of Type-Based Approach: Access Checking at compile-time
• Lightweight access control for accountable systems
• Extended to “compile-time” crypto

Related Work
• Information flow and type systems
  • Denning
  • Volpano and Smith
  • Pottier (Flow Caml)
• Information flow and access control
  • Stoughton
  • Heintze and Riecke
  • Myers, Liskov (DLM)
  • Myers, Zdancewic (JIF)
  • Banerjee and Naumann
• Types and security protocols
  • Abadi
  • Gordon and Jeffrey
  • Pierce and Li
  • Duggan (Crypto Types)

Questions?