A Unified Scheme for Resource Protection in Automated Trust Negotiation
Ting Yu and Marianne Winslett
Presented by Korporn Panyim

Introduction
• Traditionally, trust can be established based on identities
• Obtain local identities from the system in order to access system services
• Under the assumption that entities in the system already know each other

Introduction(2)
• On an open system like the Internet, strangers can connect and establish trust with each other
• Obviously, establishing trust based on ID is not a feasible approach
• Parties may come from different security domains and often do not have any pre-existing relationship
• Therefore, the properties of the participants will be most relevant
  • Employment status, group membership, citizenship, …

Introduction(3)
• The approach of automated trust negotiation differs from traditional identity-based access control systems mainly in the following aspects:
  • Trust between two strangers is established based on the parties’ properties.
  • Proven through disclosure of digital credentials.
  • Every party can define access control policies to control outsiders’ access to their sensitive resources.
  • Instead of a one-shot authorization and authentication, trust is established incrementally through a sequence of bilateral credential disclosures.
  • Less sensitive credentials first. More sensitive ones are disclosed later on, as the level of trust increases

Sensitive Policies and Their Protection
Example 1: A web page’s access control policy states that in order to access documents of a project in the site, a requester should present an employee ID issued either by Microsoft or by IBM
• “issued by Microsoft or by IBM” can be considered a sensitive policy
• One can infer that this project is a cooperative effort of the two companies

Sensitive Policies and Their Protection(2)
Example 2: Coastal Bank’s loan application policy says that a loan applicant must be a customer of the bank who is not on the bank’s bad-customer list
• One can learn from the policy who is on the bank’s bad-customer list

Sensitive Policies and Their Protection(3)
How to protect sensitive policies from unauthorized disclosure?
• From the point of view of resource protection, sensitive policies are a type of resource that needs to be protected in the same way as any other resource

Resource Protection Desiderata
• A resource protection scheme that satisfies the following desiderata is desirable
• Satisfaction-agreement
  • Two parties have the same understanding of the semantics of policies
  • When one party believes that a policy has been satisfied by disclosed credentials, the other party should believe the same
  • Otherwise, a dispute may arise even though the two parties negotiate trust in good faith
  • Example 2: Coastal Bank

Resource Protection Desiderata(2)
• Protection of sensitive policies should be as powerful as the protection of other kinds of resources
• The policy protection approach should allow fine-grained control of the protection applied to each part of a policy
  • Different parts of a policy may be sensitive in different ways
• The resource protection scheme should decouple the protection of resource R and access control policy P
  • R’s accessibility should depend only on P’s satisfaction. Whether P is disclosed or not should not affect R’s accessibility

Resource Protection Desiderata(3)
• Allow interoperability between negotiation strategies
  • A negotiation strategy suggests the next message that a party should send to the other negotiation participant
  • Two strategies are said to be interoperable if, by adopting them respectively, two parties can always establish trust whenever their policies theoretically allow trust to be established
  • The resource protection scheme must allow a variety of negotiation strategies to interoperate correctly with one another

Resource Protection Desiderata(4)
• Allow a human-friendly interface for policy capture and maintenance
  • Perfect policies are hard to write and will require frequent updates

A Unified Scheme for Resource Protection (UniPro)
• Provides a general-purpose way to protect sensitive access control policies during trust negotiation
• The design of UniPro is guided by a set of desiderata for the protection of sensitive access control policies

Overview of UniPro
• Policy definition: P ← p
  • P is a unique policy ID
  • p is the content of the policy, denoted as content(P)
  • C is a credential
• Given policy definition P ← p and policy content p’
  • we say a set C of credentials satisfies p’ ∧ P if C satisfies p’ ∧ p
  • Also, C satisfies p’ ∨ P if C satisfies p’ ∨ p
• This definition allows policy IDs to appear in policy definitions

Overview of UniPro(2)
• R : P denotes that P is the ID of the access control policy for resource R
  • A requester needs to disclose credentials that satisfy P in order to gain access to R
• Each resource R is protected by exactly one policy (R : P)
  • (R : P) can be disclosed freely (just resource IDs)
• Each policy ID P has exactly one policy definition P ← p
• Policies may have the IDs true and false; their contents are always and never satisfied, respectively
  • true means any requester can see its content
  • false means policy content should not be shown to anybody

Revisit Example 1
• A web page’s access control policy states that in order to access documents of a project in the site, a requester should present an employee ID issued either by Microsoft or by IBM
• Access control policy for document R is R : P
  • P ← x.type = “Employee ID” ∧ P1
  • P1 ← x.issuer = “Microsoft” ∨ x.issuer = “IBM”
  • P : true and P1 : false
• P1, which contains the sensitive information, is protected
• The satisfaction-agreement assumption holds in this situation

Revisit Example 2
• Coastal Bank’s loan application policy says that a loan applicant must be a customer of the bank who is not on the bank’s bad-customer list
• Policy definition is
  • P ← x.type = “Customer ID” ∧ x.issuer = “Coastal Bank” ∧ P1
  • P1 ← x.ID ∉ BadCustomerList
  • P : true and P1 : false
• P1, which contains the bad-customer list, is never disclosed

Example 3
• McKinley Clinic makes its patient records available for online access.
• Let R be Alice’s record.
• To gain access to R, R’s policy states that a requester must either
  • present Alice’s patient ID for McKinley Clinic,
  • or present a California social worker license and a release-of-information credential issued to the requester by Alice.

Example 3(2)
• “California social worker license” is considered a sensitive constraint
• Knowing that Alice’s record specifically allows access by social workers will help people infer that Alice may have a mental or emotional problem

Example 3(3)
• Let R be Alice’s patient record
• R : P
• P ← P1 ∨ P2, and P : true
  • Everyone can see there are two ways to get to Alice’s record
• P1 ← x.type = “patient ID” ∧ x.name = “Alice” ∧ x.issuer = “McKinley Clinic”, and P1 : true
  • Everyone can see that Alice can access her own records
• P2 ← x.type = “Professional License” ∧ x.profession = “Social Worker” ∧ x.issuer = “State of California” ∧ y.type = “Medical Records Release” ∧ y.issuer = “Alice” ∧ y.institution = “McKinley Clinic”
  • Alice can also authorize social workers to look at her records

Example 3(4)
• P2 : P3
  • to prevent the inappropriate disclosure of P2’s content
• P3 ← z.type = “Employee ID” ∧ z.issuer = “McKinley Clinic”, and P3 : true
  • Everyone can see that McKinley employees can see another way to access Alice’s records

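Example 3 worked through in code, as an added illustration that is not part of the original presentation or the UniPro paper. The tuple encoding, the function names and the two sample credential sets are assumptions of this sketch; the connectives follow the prose of Example 3, and the "issued to the requester" binding is not modelled.

```python
# Constructed encoding of Example 3 (not the authors' implementation).
TRUE, FALSE = "true", "false"

def cred(**attrs):
    """Atom: satisfied when some disclosed credential carries these attributes."""
    return ("cred", attrs)

DEFS = {  # policy definitions: policy ID -> content(P)
    "P":  ("or", ("ref", "P1"), ("ref", "P2")),
    "P1": cred(type="patient ID", name="Alice", issuer="McKinley Clinic"),
    "P2": ("and",
           cred(type="Professional License", profession="Social Worker", issuer="State of California"),
           cred(type="Medical Records Release", issuer="Alice", institution="McKinley Clinic")),
    "P3": cred(type="Employee ID", issuer="McKinley Clinic"),
}
# "resource : policy ID" pairs; a policy's content is itself a protected resource.
PROTECT = {"R": "P", "P": TRUE, "P1": TRUE, "P2": "P3", "P3": TRUE}

def satisfies(creds, node):
    """True if the credential set satisfies a policy ID or a policy content."""
    if node in (TRUE, FALSE):
        return node == TRUE
    if isinstance(node, str):              # policy ID: evaluate its definition
        return satisfies(creds, DEFS[node])
    kind = node[0]
    if kind == "ref":                      # policy ID appearing inside a content
        return satisfies(creds, node[1])
    if kind == "cred":
        return any(all(c.get(k) == v for k, v in node[1].items()) for c in creds)
    results = [satisfies(creds, child) for child in node[1:]]
    return all(results) if kind == "and" else any(results)

def may_access(creds, resource):
    """Access depends only on satisfying the resource's policy, never on seeing it."""
    return satisfies(creds, PROTECT[resource])

def visible_policies(creds):
    """Policy IDs whose content may be disclosed to a requester holding creds."""
    return sorted(p for p in DEFS if may_access(creds, p))

SOCIAL_WORKER = [  # constructed sample credentials
    {"type": "Professional License", "profession": "Social Worker", "issuer": "State of California"},
    {"type": "Medical Records Release", "issuer": "Alice", "institution": "McKinley Clinic"},
]
CLINIC_EMPLOYEE = [{"type": "Employee ID", "issuer": "McKinley Clinic"}]

if __name__ == "__main__":
    for name, creds in [("social worker", SOCIAL_WORKER), ("clinic employee", CLINIC_EMPLOYEE)]:
        print(name, "| access R:", may_access(creds, "R"), "| sees:", visible_policies(creds))
```

The social worker reaches R without ever being shown P2, while the clinic employee can read P2 but cannot reach R: satisfaction and disclosure are decided separately.
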
UniPro Analysis
• According to the desiderata discussed before
• In UniPro, there will be no disagreement between two parties over whether a policy has been satisfied
  • Both parties understand the semantics of the underlying policy language
  • A requester understands that, because some parts of a policy have not been disclosed (only policy IDs are shown), she will not always be able to tell whether the policy has been satisfied by the credentials she has disclosed

UniPro Analysis(2)
• UniPro protects policies in the same way as other resources
  • Given a resource’s policy, R : P, we cannot tell whether R is a policy, a credential or a service
• UniPro explicitly separates a policy’s satisfaction from its disclosure
  • Whether or not P has been disclosed, as long as P is satisfied, R can be accessed

Negotiation Strategies for UniPro
• Strategies for trust establishment based on the UniPro protocol
  • Establish trust while protecting sensitive information
• The UniPro protocol allows three types of disclosure:
  • Resource (service, credential or policy)
  • Policy IDs (R : P)
  • Relationship between a policy and a credential (a variable assignment)
• In trust negotiation using the UniPro protocol, every message that a party Alice sends is a set of the disclosures defined above
  • An empty message (failure message) indicates that a party has decided to terminate the negotiation

Overview of Trust Negotiation Process
• Alice wants to access one of Bob’s resources
• Alice sends a request for Bob’s resource R
• Bob calls his negotiation strategy, then sends Alice the disclosure message it outputs
• Alice receives the message, calls her strategy, and sends Bob the message suggested by her strategy
• This process continues until:
  • Alice finally satisfies R’s policies and gains access to R
  • Or one party sends an empty message to terminate the negotiation

Negotiation Strategies for UniPro(2)
• In negotiation strategies for UniPro, there is a tradeoff between privacy and access (establishing trust)
• UniPro allows portions of the content of a resource’s access control policy to be hidden from a requester
• To protect privacy, a requester may not want to disclose all her credentials in an attempt to satisfy those hidden constraints
• Trust establishment may fail because she cannot see the contents of a policy even though she may have the right credentials that will satisfy that policy

Negotiation Strategies for UniPro(3)
Two strategies that work with UniPro policies:
• Unified Eager Strategy
  • Sends all safe disclosures to the other party
  • Does not carefully analyze what disclosures are useful for establishing trust
  • Strong interoperability can be achieved. (Tends to establish trust more than preserve privacy)
• Unified Relevant Strategy
  • Analyzes the ongoing negotiation and tries to identify disclosures that are relevant to the current negotiation
  • Does not try to satisfy undisclosed policies (Protocol may fail)
  • Only weak interoperability can be achieved. (Tends to preserve privacy more than establish trust)
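
The message exchange from "Overview of Trust Negotiation Process" with an eager-style strategy, as an added sketch that is not code from the presentation or the paper. It is a simplified model: only credentials are exchanged (no policy or policy-ID disclosures), a "safe" disclosure is taken to mean a credential whose policy the peer has already satisfied, and all party names, credential names and policies are constructed.

```python
# Constructed scenario. A policy is a list of alternatives; each alternative is a
# set of the OTHER party's credential names. [set()] means freely disclosable.
BOB = {    # server, owner of resource R
    "R": [{"alice.student_id", "alice.credit_card"}],
    "bob.bbb_membership": [set()],
    "bob.reseller_license": [{"alice.student_id"}],
}
ALICE = {  # client requesting R
    "alice.student_id": [{"bob.bbb_membership"}],
    "alice.credit_card": [{"bob.bbb_membership", "bob.reseller_license"}],
}

def satisfied(policy, received):
    """A policy holds when one alternative is covered by the credentials received."""
    return any(alt <= received for alt in policy)

def negotiate(resource, server, client):
    """Run the rounds after the client's request; return (granted, transcript)."""
    own = {"server": server, "client": client}
    sent = {"server": set(), "client": set()}      # disclosures made so far
    transcript, turn, peer = [], "server", "client"
    while True:
        if turn == "server" and satisfied(server[resource], sent["client"]):
            transcript.append(("server", [resource]))   # policy satisfied: grant R
            return True, transcript
        # Eager step: send every not-yet-sent credential that is safe to disclose.
        msg = sorted(c for c, pol in own[turn].items()
                     if c != resource and c not in sent[turn]
                     and satisfied(pol, sent[peer]))
        transcript.append((turn, msg))
        if not msg:                                     # empty message = failure
            return False, transcript
        sent[turn].update(msg)
        turn, peer = peer, turn

if __name__ == "__main__":
    granted, rounds = negotiate("R", BOB, ALICE)
    for sender, msg in rounds:
        print(f"{sender:6} -> {msg}")
    print("access granted:", granted)
```

Each round unlocks credentials for the next one, so trust is built incrementally; the loop always ends because every non-empty message discloses something new.
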