Decentralized Trust Management
security1.win.tue.nl/~zannone/teaching/dtm09-10.html

TRANSCRIPT (38 slides)

Page 1: Decentralized Trust Management

security1.win.tue.nl/~zannone/teaching/dtm09-10.html

Page 2: Course Organization

Introduction
AC, DTM topics based on research papers
Next week: Discretionary Access Control
Website: list of topics, papers to read
security1.win.tue.nl/~zannone/teaching/dtm09-10.html

Page 3: The need for Data Protection

Confidential data
  Databases with essential business information
Private data
  EHR, RFID, OV-chip, `Slimme meter' (smart meter)
Risks & Threats. News headlines:
  Justice demanded pictures of OV-chipcard travellers
  Laptop with data of 109.000 persons stolen
  Data hacked: vacancy website used for phishing
  ...

Page 4: The need for Trust

Decision on interaction with another entity:
  Value to give to the information in this lecture.
  Give access to a resource.
Incomplete information
  Is the information correct, state-of-the-art?
  How will the resource be used?

Page 5: Trust Management

Establishing trust in the digital world
Truster --> Trustee
  Truster gives trust: subjective, perceived probability
  Trustee claims/shows trustworthiness
(Cartoon: "Trust me, I'm a doctor")

Page 6: Controlling access to resources

Who is trusted to do what with a resource
Subject, Action, Object
(Figure: "I'm Bob" / "Bob may Park")

Page 7: Access Control Matrix

Policy:
  Students may read the grade list and read and run submitPaper
  Teacher may read and write the grade list and submitPaper

So we are done?

User    GradeList   SubmitPaper
Jerry   rw          rw
Joris   r           rx
Tim     r           rx

Page 8: Controlling access to resources

Enforcement, Implementation
Maintenance, Consistency
  Captures intended policy (how to check?)
  Dynamicity; rights not constant
Specification, Policies
  Authority on the resource; who decides?
  Decentralized systems, Delegation
  Conditions, Obligation, Purpose
Privacy
  Anonymity, attribute based AC
(Figure: "CENSORED")

Page 9: Access Control Lists

Enforcement & Maintenance

User    GradeList   SubmitPaper
Jerry   rw          rw
Joris   r           rx
Tim     r           rx

ACL of SubmitPaper (one column of the matrix):

User    SubmitPaper
Jerry   rw
Joris   rx
Tim     rx

Page 10: Role based access control (1)

Role (similar to `group')
  Teacher, Student
Assign access rights to roles and roles to users
Added indirection makes for easier maintenance

Role      GradeList
Teacher   rw
Student   r

Role      Users
Teacher   Jerry
Student   Joris, Tim

1) RBAC treated in more detail in a later lecture.

Page 11: Role dependency (Role Hierarchies)

(Diagram of a role hierarchy: Staff at the top, with Scientific, Financial and Legal staff below it and Prof and Lecturer under Scientific; further branches elided with ...)

Staff may Enter Building
Staff rights also granted to Professors
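The matrix, ACL and RBAC views of pages 7 to 11 in working form. This is an added example, not code from the slides: the rights and names are those of the slides, while the Building object and the Lecturer entry in the hierarchy are assumptions made here to exercise inheritance, and the derived matrix shows that the RBAC policy reproduces the page 7 matrix exactly.

```python
# Added example (not from the slides): an access control matrix, the ACL view
# of one of its columns, and the same policy expressed as RBAC with a role
# hierarchy. Names and rights follow pages 7-11; Building and Lecturer are
# assumptions made here.

# --- Access control matrix (page 7): subject -> object -> set of rights ---
MATRIX = {
    "Jerry": {"GradeList": {"r", "w"}, "SubmitPaper": {"r", "w"}},
    "Joris": {"GradeList": {"r"},      "SubmitPaper": {"r", "x"}},
    "Tim":   {"GradeList": {"r"},      "SubmitPaper": {"r", "x"}},
}

def acl(matrix, obj):
    """ACL view (page 9): one column of the matrix, keyed by subject."""
    return {subj: set(objs[obj]) for subj, objs in matrix.items() if obj in objs}

# --- RBAC (page 10): rights are assigned to roles, roles to users ---
ROLE_RIGHTS = {
    "Teacher": {"GradeList": {"r", "w"}, "SubmitPaper": {"r", "w"}},
    "Student": {"GradeList": {"r"},      "SubmitPaper": {"r", "x"}},
    "Staff":   {"Building": {"enter"}},   # page 11: Staff may Enter Building
}
USER_ROLES = {
    "Jerry": {"Teacher", "Prof"},
    "Joris": {"Student"},
    "Tim":   {"Student"},
}
# Role hierarchy (page 11): senior role -> junior roles whose rights it inherits.
# Prof -> Staff is on the slide ("Staff rights also granted to Professors");
# Lecturer -> Staff is an assumption.
INHERITS = {"Prof": {"Staff"}, "Lecturer": {"Staff"}}

def effective_roles(roles, inherits=INHERITS):
    """Close a set of roles under the hierarchy: a senior role holds every junior role."""
    result, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in result:
            result.add(role)
            todo.extend(inherits.get(role, ()))
    return result

def rbac_rights(user, obj):
    rights = set()
    for role in effective_roles(USER_ROLES.get(user, set())):
        rights |= ROLE_RIGHTS.get(role, {}).get(obj, set())
    return rights

def rbac_allows(user, obj, right):
    return right in rbac_rights(user, obj)

def derive_matrix(users, objects):
    """Materialise the RBAC policy as an AC matrix (the per-location snapshot of page 25)."""
    matrix = {}
    for u in users:
        row = {o: rbac_rights(u, o) for o in objects}
        matrix[u] = {o: r for o, r in row.items() if r}
    return matrix

if __name__ == "__main__":
    print("ACL of SubmitPaper:", acl(MATRIX, "SubmitPaper"))
    print("Matrix derived from RBAC:", derive_matrix(USER_ROLES, ["GradeList", "SubmitPaper", "Building"]))
    print("Jerry enters building:", rbac_allows("Jerry", "Building", "enter"),
          "| Tim enters building:", rbac_allows("Tim", "Building", "enter"))
```

Maintenance is where the indirection pays off: moving Tim to the Teacher role is one change to USER_ROLES, whereas the matrix needs every object's row updated, and a row of the matrix that disagrees with the derived one is a cheap consistency check for the "captures intended policy (how to check?)" question of page 8.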

Page 12: Decentralized AC

Different authorities at different locations
  UT admin does not control TU/e resources
Different hierarchies for different locations
  In NL a PhD student is a subrole of Employee; in the US a PhD student is a subrole of Student
Access control for distributed resources?
  TU/e student list, US student discount.

Page 13: Delegation

Define your roles based on roles of other users:
  Jerry.StudentsInMyClass = EducationOffice.RegisteredStudents2IS25
Trust Management issue: I trust the education office to define the registered student role
In turn the education office may trust the registration office:
  EducationOffice.RegisteredStudents2IS25 = RegistrationOffice.Student and WebServer.subscribed2IS25

Page 14: Towards Rule based TM

Can specify `trust rules'
Link roles in different hierarchies
  Difficulty: naming conventions, e.g. AIO – PhD student
More fine grained control
  Different roles for different users/locations
  Jerry.StudentsInMyClass, Sandro.StudentsInMyClass, EducationOffice.RegisteredStudents2IF34

Page 15: Why trust?

Trust needed for cooperation
  Cannot control behaviour of other people/systems
Base of trust
  Own experience and experience of others
  Regulations
  Technical measures (see also next slide)
  Taking a risk (risk vs benefit analysis when possible)
`Good' behaviour slowly enforces/builds trust; `bad' behaviour quickly lowers trust

Page 16: Why Trust (Cont.)?

Trusting remote computation
  Trusted computing platform
  Hardware chip as base of a chain of trust: the chip checks signatures of programs to ensure they are not altered, and can do essential computation steps.
  Smartcards protect information and applications from the device holder

Page 17: Trust Management

Main TM classes
  Rule based TM
    E.g. based on regulations
    Trusted parties can be exactly determined; trust ~ formal relationship
  Reputation based TM
    E.g. when based on behaviour, recommendations
    trust ~ subjective probability of `correct' behaviour
(Cartoon: "Trust me, I'm a doctor")

Page 18: Rule Based Trust Management

Example systems
  Role based trust management (RT)
  SDSI/SPKI
  ...
Example scenario: a student at an accredited university gets a discount
  Shop.Discount ← AccBody.Univ.Student
  AccBody.Univ ← TUe
  TUe.Student ← Alice
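The credentials of page 13 and page 18 evaluated by a small RT-style engine. This is an added example, not the slides' code nor an implementation of the RT project's own tools: it supports the four RT0 credential forms (member, containment, linked role, intersection), computes role memberships as a least fixpoint, and returns the chain of credentials that proves a membership. The `<-` text syntax, the extra RegistrationOffice and WebServer facts, and the entity Bob are constructed here.

```python
# Added example, not the slides' own code: a bottom-up evaluator for a small
# RT-style credential language, covering the delegation of page 13 and the
# discount scenario of page 18. The four credential forms follow RT0:
#   A.r <- D               entity D is a member of A.r
#   A.r <- B.s             every member of B.s is a member of A.r
#   A.r <- B.s.t           for every X in B.s, every member of X.t is in A.r
#   A.r <- B.s and C.t     entities in both B.s and C.t are in A.r
# The '<-' syntax (for the slides' arrow) and the sample credentials are constructed.

def parse(text):
    """Parse credentials into (head_role, [conjunct, ...]); a conjunct is the
    tuple of dotted components, e.g. ('AccBody', 'Univ', 'Student')."""
    creds = []
    for line in text.replace("\u2190", "<-").splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        head, body = (s.strip() for s in line.split("<-"))
        conjuncts = [tuple(c.strip().split(".")) for c in body.split(" and ")]
        assert head.count(".") == 1 and all(1 <= len(c) <= 3 for c in conjuncts), line
        creds.append((head, conjuncts))
    return creds

def members(creds):
    """Least fixpoint: role name -> set of member entities."""
    mem = {}
    def role(name):
        return mem.setdefault(name, set())
    def of(conj):
        if len(conj) == 1:                      # entity
            return {conj[0]}
        if len(conj) == 2:                      # role B.s
            return set(role(".".join(conj)))
        b, s, t = conj                          # linked role B.s.t
        return set().union(*(role(f"{x}.{t}") for x in set(role(f"{b}.{s}"))))
    changed = True
    while changed:
        changed = False
        for head, body in creds:
            new = set.intersection(*(of(c) for c in body))
            if not new <= role(head):
                role(head).update(new)
                changed = True
    return mem

def chain(creds, mem, role_name, entity, path=frozenset()):
    """Credentials that together prove entity in role_name (the certificate
    chain of page 34), or None. `path` guards against cyclic credentials."""
    if (role_name, entity) in path:
        return None
    path = path | {(role_name, entity)}
    for head, body in creds:
        if head != role_name:
            continue
        needed, ok = [], True                   # (role, entity) facts this credential rests on
        for conj in body:
            if len(conj) == 1:
                ok = conj[0] == entity
            elif len(conj) == 2:
                needed.append((".".join(conj), entity))
            else:
                b, s, t = conj
                link = next((x for x in mem.get(f"{b}.{s}", ())
                             if entity in mem.get(f"{x}.{t}", ())), None)
                ok = link is not None
                if ok:
                    needed += [(f"{b}.{s}", link), (f"{link}.{t}", entity)]
            if not ok:
                break
        if not ok:
            continue
        proof = [(head, body)]
        for sub_role, sub_entity in needed:
            part = chain(creds, mem, sub_role, sub_entity, path)
            if part is None:
                break
            proof += part
        else:
            return proof
    return None

CREDENTIALS = parse("""
# page 18: student at an accredited university gets a discount
Shop.Discount <- AccBody.Univ.Student
AccBody.Univ <- TUe
TUe.Student <- Alice
# page 13: a teacher's class defined via the education office's policy (constructed facts below)
Jerry.StudentsInMyClass <- EducationOffice.RegisteredStudents2IS25
EducationOffice.RegisteredStudents2IS25 <- RegistrationOffice.Student and WebServer.subscribed2IS25
RegistrationOffice.Student <- Alice
RegistrationOffice.Student <- Bob
WebServer.subscribed2IS25 <- Alice
""")
MEMBERS = members(CREDENTIALS)

def prove(role_name, entity):
    return chain(CREDENTIALS, MEMBERS, role_name, entity)

if __name__ == "__main__":
    for r in ("Shop.Discount", "Jerry.StudentsInMyClass"):
        print(r, "=", sorted(MEMBERS[r]))
    for head, body in prove("Shop.Discount", "Alice"):
        print(head, "<-", " and ".join(".".join(c) for c in body))
```

Bob is registered but not subscribed, so the intersection keeps him out of Jerry's class and `prove` returns None for him; the proof for Alice's discount is exactly the three credentials of page 18, issued by three different authorities, which is the chain a verifier would have to collect.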

Page 19: Rule Based Trust Management

Distributed, Open
  Each participant is an authority, issues credentials
  Participants can join, leave
Delegation
  Entrust credentials of others
Binary
  User either fully trusted or not trusted
Static trust level
  No change based on actions of the user

Page 20: Reputation System Example

E-bay transaction feedback system
EigenTrust: more advanced combination

Page 21: Reputation Systems Scenario

Joint ordering to get a bulk discount
  More participants = more savings
  Do have to show up when the book arrives
  Allow friends to join & recommend others
Alice joins
Bob does not join but recommends Charlie
Charlie does not join but recommends Dave
...

Page 22: Reputation Based TM

Main properties
Distributed, Open
  Each participant is an authority; issues its own recommendations/feedback.
Delegation
  Place trust in the recommendations of others.
Multilevel and dynamic trust level
  Actions influence the level of trust.
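How the EigenTrust combination mentioned on page 20 turns local feedback into a global, multilevel trust value for the scenario of page 21. This is an added example, not code from the slides or from the EigenTrust authors: it follows the published algorithm (normalised local trust, then the iteration t = (1-a) C^T t + a p from a pre-trust vector p), and the peers, feedback scores and parameters are constructed here.

```python
# Added example (not from the slides): a minimal EigenTrust-style computation
# for the bulk-order scenario of page 21. Feedback values are constructed.
# Algorithm (Kamvar et al., 2003, centralised form): each peer's local trust
# is normalised into a row of C, then t <- (1-a) * C^T t + a * p is iterated
# from the pre-trust vector p.

PEERS = ["Alice", "Bob", "Charlie", "Dave"]

# Constructed local feedback: s[i][j] = satisfactory minus unsatisfactory
# transactions that i had with j (did j show up when the book arrived?).
FEEDBACK = {
    "Alice":   {"Bob": 3, "Charlie": 1, "Dave": -2},
    "Bob":     {"Alice": 2, "Charlie": 2},
    "Charlie": {"Alice": 1, "Dave": -1},
    "Dave":    {},                              # Dave has never reported anything
}

def pretrust_vector(peers, pretrusted):
    """p: uniform over the pre-trusted peers, zero elsewhere."""
    return {j: (1 / len(pretrusted) if j in pretrusted else 0.0) for j in peers}

def normalised_local_trust(feedback, peers, pretrusted):
    """c[i][j] = max(s_ij, 0) / sum_j max(s_ij, 0); a peer without positive
    feedback falls back to the pre-trust distribution, so every row sums to 1."""
    p = pretrust_vector(peers, pretrusted)
    c = {}
    for i in peers:
        pos = {j: max(v, 0) for j, v in feedback.get(i, {}).items() if j != i}
        total = sum(pos.values())
        c[i] = dict(p) if total == 0 else {j: pos.get(j, 0) / total for j in peers}
    return c

def eigentrust(feedback, peers, pretrusted, a=0.15, iters=100):
    """Global trust t: fixpoint of t = (1-a) C^T t + a p, started at p.
    `a` weights the pre-trusted peers and keeps the iteration convergent."""
    c = normalised_local_trust(feedback, peers, pretrusted)
    p = pretrust_vector(peers, pretrusted)
    t = dict(p)
    for _ in range(iters):
        t = {j: (1 - a) * sum(t[i] * c[i][j] for i in peers) + a * p[j] for j in peers}
    return t

def ranking(feedback=FEEDBACK, peers=PEERS, pretrusted=frozenset({"Alice"})):
    """Peers ordered from most to least trusted."""
    t = eigentrust(feedback, peers, pretrusted)
    return sorted(peers, key=lambda j: -t[j])

if __name__ == "__main__":
    for peer, value in eigentrust(FEEDBACK, PEERS, {"Alice"}).items():
        print(f"{peer:8s} {value:.3f}")
```

Two properties of the result illustrate the "intrinsic risk" point of page 24: Dave, whom nobody rates positively, ends with zero global trust no matter what he claims about himself (his own row of C is replaced by the pre-trust vector), and the values are a probability distribution over peers rather than a yes/no verdict, so they rank peers but guarantee nothing about future behaviour.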

Page 23: Common features of TM classes

Combine info from different sources
  Trust sources providing information
Openness; anyone can join or leave the system, issue credentials/recommendations
  Other participants decide on their value

Page 24: Differences between TM classes

Role of risk:
  In rule based systems certificates state facts
  Reputation systems include intrinsic risk; reputation does not give any guarantees.
  ("Past results give no guarantee for the future"; Dutch: "In het verleden behaalde resultaten geven geen garantie voor de toekomst")
Yes / No versus numerical.
Reputation changes with actions; the level of trust is dynamic.

Page 25: Back to specification of access rights

AC matrix: snapshot for a single location
TM meant to link locations
Policies to capture `rules'
  Rules underlie the permissions in the AC matrix
  Derive, update, maintain permissions
  E.g. logic in access control

Page 26: Logic in Access Control

Express AC rules with logical formulas:
Rights expressed by predicates:
  may-access(p,o,r): principal p has access right r to object o
Basic rules can also be expressed:
  may-access(p,o,Wr) → may-access(p,o,Rd)
  write access implies read access
Different ways to generalize this principle

Page 27: Logic in Access Control (2)

Complications of distributed systems
Often used construct: `SAYS', for stating requests for delegation, e.g. p says may-access(q,o,r)
  p says may-access(q,o,r) => (may-access(p,o,r) => may-access(q,o,r))
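The two rules of pages 26 and 27 as a forward-chaining engine over may-access and says facts. This is an added example, not code from the slides: the rules are the ones written there, the engine is a plain least-fixpoint loop, and the principals, object and facts are constructed here.

```python
# Added example (not from the slides): a small forward-chaining rule engine
# over the may-access predicate of pages 26-27, with the two rules shown there:
#   (R1) may-access(p,o,Wr) -> may-access(p,o,Rd)
#   (R2) p says may-access(q,o,r) and may-access(p,o,r) -> may-access(q,o,r)
# Facts are tuples: ("may-access", p, o, r) and ("says", p, <may-access fact>).
# Principal names, the object and the facts are constructed here.

def rule_write_implies_read(facts):
    """R1: write access implies read access."""
    return {("may-access", f[1], f[2], "Rd") for f in facts
            if f[0] == "may-access" and f[3] == "Wr"}

def rule_says_delegation(facts):
    """R2: p may pass a right on to q only if p holds that right itself."""
    derived = set()
    for f in facts:
        if f[0] != "says":
            continue
        _, p, (pred, q, o, r) = f
        if pred == "may-access" and ("may-access", p, o, r) in facts:
            derived.add(("may-access", q, o, r))
    return derived

RULES = [rule_write_implies_read, rule_says_delegation]

def closure(facts, rules=RULES):
    """Apply every rule until no new fact appears (least fixpoint).
    Both rules only add facts, so the loop terminates on a finite fact set."""
    facts = set(facts)
    while True:
        new = set().union(*(rule(facts) for rule in rules)) - facts
        if not new:
            return facts
        facts |= new

def may_access(facts, p, o, r):
    """Decision procedure: is may-access(p,o,r) derivable from the facts?"""
    return ("may-access", p, o, r) in closure(facts)

# Constructed scenario: Alice may write the grade file and delegates reading to
# Bob; Carol tries to delegate a right she does not hold.
FACTS = {
    ("may-access", "Alice", "grades.txt", "Wr"),
    ("says", "Alice", ("may-access", "Bob", "grades.txt", "Rd")),
    ("says", "Carol", ("may-access", "Dave", "grades.txt", "Rd")),
}

if __name__ == "__main__":
    for fact in sorted(closure(FACTS), key=str):
        print(fact)
```

The order of derivation matters for the delegation rule: Alice's read right is itself derived (from her write right) before it licenses Bob's, which is why the engine iterates to a fixpoint rather than applying each rule once. Carol's statement derives nothing because the premise may-access(Carol,o,Rd) is never established, which is exactly the guard that distinguishes a delegation from a bare request.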

Page 28: Expressing the intended policy

AC matrix not expressive enough, e.g. no rules
Just add anything you can think of?
Limit on expressiveness
  Illustrate with the Take-grant model

Page 29: Take-Grant model

Directed graph represents the AC matrix
  Edge Role -- Object labeled with a right (e.g. read/write)
Delegation rights added
  Edge between Roles: can take / may grant rights
Changes in response to delegation actions
  Rules for changing the graph

Page 30: Take-Grant Model example

(Figure, before the step: Alice --R,W--> File; Bob --t--> Alice)
(Figure, after the step: Alice --R,W--> File; Bob --t--> Alice; Bob --R,W--> File)

Example of an application of the Take-rule: Bob takes Alice's read/write permission

Page 31: Safety problem

Can a subject obtain a right? Given the delegation rules and the initial permissions: can a given permission be granted?
Decidable in linear time if the delegation rules are fixed to the Take-grant model [Jone76].
Undecidable in general (details next week)
  Not possible to create an algorithm that takes as input a set of rules and a starting configuration and always stops with the correct decision. (Equivalent to the Turing halting problem.)

Page 32: Implications

Undecidability of safety shows limits; an AC policy language cannot be too expressive
  Efficiently decide whether users have a right
  Check safety properties before granting a right
  Complexity in understanding
Difficulty: find an AC specification mechanism that is
  simple to understand
  effectively computable
  sufficiently expressive

Page 33: Implementation: Certificates

Proof that you are a member of a role
  Student card issued by the registration office
  More generally: binding of properties to an identity (public key), signed by the certification authority (i.e. the issuer of the role student).
Proof that a role is defined in a given way
  The education office can issue a single certificate stating
    EducationOffice.RegisteredStudents2IF34 = RegistrationOffice.Student and WebServer.subscribed2IF34
  rather than giving a different certificate to each student

Page 34: Using Certificates

Use a chain of certificates to prove role membership
  Student card to prove student
  Confirmation from the webserver to show registered
  Certificate of the education office to show the registration policy
(Automatic) chain discovery can be difficult
  Who stores certificates? Where to look for certificates?

Page 35: PKI & certificate systems

PKI
  Public key cryptosystem, e.g. RSA
  Certificate links a public key to an identity.
  Trust based on the authority that signs
    Trusted roots predefined in the web browser
    Trust by numbers (PGP)
Examples of PKI/certificate based systems:
  X.509: certificates bind a public key to a name (string)
  SPKI: PKI with focus on authorization (rather than authentication), binding properties directly to public keys
  Kerberos: single sign-on system; the user gets a `ticket' for use of a service. A ticket is a form of certificate
  PGP: often used for encryption and signing of email. No central CAs for distribution of public keys.

Page 36: Conclusions

Basics of decentralized trust management
  Distributed access control
  Delegation control
Remaining lectures treat
  Access Control
  Privacy Policies
  Rule based Trust Management
  Reputation Systems
  Applications of TM Systems
Please check papers, info at: security1.win.tue.nl/~zannone/teaching/dtm09-10.html

Page 37: Recommended Reading

Decentralized Trust Management, M. Blaze et al.
  The PolicyMaker trust management system; comparison with X.509 and PGP.
Formal Models for Computer Security, C. Landwehr
  Overview of classical data security notions and systems

Page 38: The End