Computational Issues in Secure Interoperation
Li Gong & Xiaolei Qian
Presented by: Saubhagya Joshi

Focus
• Principles of Secure Interoperation
  • Autonomy
    • Any access permitted within an individual system must also be permitted under secure interoperation
  • Security
    • Any access NOT permitted within an individual system must also be denied under secure interoperation
• This paper:
  • The general secure interoperation problem is undecidable
  • Finding optimal solutions for secure interoperation is NP-complete
  • Complexity is reduced by composability in secure local interoperation

Background
• From the HRU model, given two systems G1, G2, interoperation F and access right r in G1
• Actions on objects:
  • create, delete, enter right, remove right
• Can access right r be added to G1 where it did not previously exist?
• General Secure Interoperation is Undecidable

Definitions
• Secure System
  • A secure system is an access control list in the form of $G = \langle V, A \rangle$ where $V$ is a set of entities and $A$ is a binary relation “access” on $V$ that is reflexive, transitive and antisymmetric.
• Permitted Access
  • Permitted Access is a binary relation $F$ on $\bigcup_{i=1}^{n} V_i$ where $(u, v) \in F$, $u \in V_i$, $v \in V_j$, and $i \neq j$.

Restricted Access
• Restricted Access is a binary relation $R$ on $\bigcup_{i=1}^{n} V_i$ where $(u, v) \in R$, $u \in V_i$, $v \in V_j$, and $i \neq j$.
• In a federated system $Q = \langle V', A' \rangle$ consisting of $n$ subsystems,
  • $V' = \bigcup_{i=1}^{n} V_i$ and $A' = \left(\bigcup_{i=1}^{n} A_i \cup F\right) - R$
• Autonomy Principle
  • $A_i$ remains legal in $A'$, i.e. $(u, v) \in A_i$ and $(u, v) \in A'$
• Security Principle
  • Illegal access: $(u, v) \notin A_i$ and $(u, v) \notin A'$

Secure Interoperation
• Given $G_i = \langle V_i, A_i \rangle$, $i = 1, \ldots, n$, $Q = \langle \bigcup_{i=1}^{n} V_i, B \rangle$ is a secure interoperation if $B \cap R = \emptyset$ and, for all $u, v \in V_i$, $(u, v) \in A_i$ if and only if $(u, v) \in B$.

Problem: Security Evaluation
• Given $G_i = \langle V_i, A_i \rangle$, $i = 1, \ldots, n$, permitted access $F$, and restricted access $R$: is $\langle \bigcup_{i=1}^{n} V_i, \left(\bigcup_{i=1}^{n} A_i \cup F\right) - R \rangle$ a secure interoperation?
• Security Evaluation is polynomial time.

If insecure, it can be made secure by:
• Removing security violations by reducing $F$ until the interoperation is secure
  • Look for $S \subseteq F$ such that $C = \left(\bigcup_{i=1}^{n} A_i \cup S\right) - R$ is secure
  • Trivial
• Looking for a secure solution that includes all other secure solutions
  • Find $S \subseteq F$ such that $C = \left(\bigcup_{i=1}^{n} A_i \cup S\right) - R$ is secure and, for any secure solution $T$, $T \subseteq S$.
  • Not possible all the time

[Figure: graph with nodes a1, a2, a3 and b1, b2, b3]
• $F = \{(b_3, a_2), (a_3, b_2)\}$
• $S_1 = (a_3, b_2)$
• $S_2 = (b_3, a_2)$
• $F = S_1 \cup S_2$
• Look for solutions that cannot be expanded further
  • Find a secure solution $S \subseteq F$ such that, for any secure solution $T$, $S \not\subset T$.

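An added example, not code from the paper or the slides: security evaluation plus a brute-force search for secure subsets of F that cannot be expanded, run on the F = {(b3, a2), (a3, b2)} case above. It assumes the federated relation is the reflexive-transitive closure of the local relations plus the chosen links, and that the lost figure shows two chains a1 → a2 → a3 and b1 → b2 → b3; the function names are hypothetical.

```python
from itertools import combinations

def closure(nodes, edges):
    """Reflexive-transitive closure of `edges` over `nodes` (reachability)."""
    succ = {n: {n} for n in nodes}
    for u, v in edges:
        succ[u].add(v)
    changed = True
    while changed:
        changed = False
        for u in nodes:
            new = set().union(*(succ[v] for v in succ[u])) - succ[u]
            if new:
                succ[u] |= new
                changed = True
    return {(u, v) for u in nodes for v in succ[u]}

def violations(systems, S, R):
    """Pairs that break autonomy, security, or the restricted set R.
    systems: list of (V_i, A_i), each A_i given as generating edges."""
    # Assumption: B is the closure of all local relations plus the links in S.
    nodes = set().union(*(V for V, _ in systems))
    edges = set(S).union(*(A for _, A in systems))
    B = closure(nodes, edges)
    bad = B & set(R)                      # restricted accesses that became possible
    for V, A in systems:
        inside = {(u, v) for (u, v) in B if u in V and v in V}
        bad |= inside ^ closure(V, A)     # missing (autonomy) or extra (security)
    return bad

def maximal_secure_subsets(systems, F, R):
    """Exhaustive search: secure S within F with no secure proper superset."""
    found = []
    for k in range(len(F), -1, -1):       # largest candidates first
        for S in map(frozenset, combinations(sorted(F), k)):
            if not violations(systems, S, R) and not any(S < T for T in found):
                found.append(S)
    return found

# Constructed sample: chain orientation is an assumption, since the slide's
# figure did not survive extraction.
GA = ({"a1", "a2", "a3"}, {("a1", "a2"), ("a2", "a3")})
GB = ({"b1", "b2", "b3"}, {("b1", "b2"), ("b2", "b3")})
F = {("b3", "a2"), ("a3", "b2")}

if __name__ == "__main__":
    print(sorted(violations([GA, GB], F, set())))
    print(maximal_secure_subsets([GA, GB], F, set()))
```

Each evaluation is a polynomial-time closure computation, while the search enumerates every subset of F, which is the cost the NP-completeness result says cannot be avoided in general when an optimal solution is required.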
[Figure: graph with nodes A to F and arcs a, b, c, d]
• Maximize data sharing
  • Natural optimality measure
• Arcs that cause problems
  • a and d
  • c and d
• Solution
  • Remove d
  • Retain a and c

Problem: Maximum Secure Interoperation
• Maximum secure interoperation is NP-complete
  • A non-deterministic machine can guess a solution at random and verify the security and autonomy properties
• Maximum-access secure interoperation is NP-complete
• Simplified maximum-access secure interoperation is in polynomial time
  • Graph is acyclic

Composability
• Given secure local interoperation, is global interoperation secure?
• Given systems $G_i = \langle V_i, A_i \rangle$, $i = 0, 1, \ldots, n$, where $G_0$ is the master system, let $G_{0-i} = \langle G_0, G_i, F_i \rangle$ denote the local interoperation between $G_0$ and $G_i$ with permitted access set $F_i$, $i = 1, \ldots, n$. The global system is given by:
  • $G' = \langle \bigcup_{i=1}^{n} V_i, \left(\bigcup_{i=1}^{n} A_i\right) \cup \left(\bigcup_{i=1}^{n} F_i\right) \rangle$.

[Figure: CASE 1 and CASE 2, each showing systems Gi and G0 joined by labelled arcs (a, b, c; d in one case)]
• $G'$ is secure if and only if $G_{0-i}$ is secure, $i = 1, \ldots, n$.

Conclusion
• Security of general interoperation is undecidable
• Finding a secure solution with optimality is NP-complete
• Composability reduces complexity