Download - Delegation of AuthorityJISCdemo.ppt
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
1/23
21 June 2006 Copyright 2006 University of Kent 1
Delegation of Authority
(DyVOSE project)
David Chadwick
University of Kent
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
2/23
21 June 2006 Copyright 2006 University of Kent 2
What is Delegation of Authority?
Allowing someone to act on your behalf to
perform tasks (consume resources) that
are available to you
Delegator should be empowered to
delegate to anyone he needs to, subject to
certain organisation controls (i.e. the
organisations Delegation Policy)
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
3/23
21 June 2006 Copyright 2006 University of Kent 3
How do you delegate to others
today?
To enter your house and fetch something
If your house if locked?
To use your PC If it is protected by a username andpassword?
To withdraw money from your bank
account
Using an ATM?
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
4/23
21 June 2006 Copyright 2006 University of Kent 4
What is the problem with these
existing delegation mechanisms?
The other person usually masquerades as
you, or impersonates you
There is no control on what they can do
Anything you can do, they can do
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
5/23
21 June 2006 Copyright 2006 University of Kent 5
What is a better solution?
The delegate should act in his own name,
not in yours
Then a full audit trail can be kept of who did
what
The delegate should have limited authority
So that you can delegate a fraction of your
powers
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
6/23
21 June 2006 Copyright 2006 University of Kent 6
Resource
OwnerI authorise this Privilege Holder to use
this resource in the following ways
signed The Resource Owner
Privilege
Holder
I delegate authority to this End User
to use this resource in this limited way
signed The Privilege Holder
End User(Privilege
Holder)
Assigns
privilege to
Delegates privilege to
Can I use the
Resource
Assigning and Delegating
Privileges in Organisations
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
7/23
21 June 2006 Copyright 2006 University of Kent 7
Privilege Checking in Organisations
Please purchase thisproduct from company X
signed the End User
EndUser
(Privilege
Holder)
Privilege Verifier
Q. Is this user authorised
to purchase these goods?
Issues a
command
(Asserts
Privilege)
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
8/23
21 June 2006 Copyright 2006 University of Kent 8
Access Control Usually based on access control lists
This list of users can do these things Examples
Ed and Jake can read the exam results file on theKent University website
Jo and Zoe get 10% discount when electronicallyshopping at Tescos
PROBLEMS
You need to know the names of all the users Very difficult to scale to Internet proportions where
there are millions of users
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
9/23
21 June 2006 Copyright 2006 University of Kent 9
Role Based Access Control
Users are given roles (or attributes) Holders of attributes are given access
permissions
Examples
Ed and Jake are Students at Kent University Students at Kent University can read the exam
results file on the website
Jo and Zoe are Tesco Clubcard holders
Tesco Clubcard holders get 10% discount whenshopping electronically at Tescos
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
10/23
21 June 2006 Copyright 2006 University of Kent 10
Delegation of Authority with Role
Based Access Controls
Users who have attributes (or roles) candelegate these to other users
Users can also delegate subordinate roles
E.g. professor is superior to academic staff issuperior to PG student is superior to UGstudent
A professor can delegate the academic staffrole, or the PG student role or the UGstudent role so as to delegate partialprivileges
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
11/23
21 June 2006 Copyright 2006 University of Kent 11
Assigning Privileges Electronically
- using X.509 Attribute Certificates
Bill
Alice
Bob
SOA
AA
Issues
AC to
Issues
AC to
End
Entity
AC
Points to issuer
Points to
holder
SOA = Source of Authority
AA = Attribute Authority
An Attribute Certificate
is a digitally signed
electronic document that
says that this holder has
been given these
attributes by this issuer
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
12/23
21 June 2006 Copyright 2006 University of Kent 12
Main points of this system
Every delegated attribute (or role) is digitallysigned so that it cannot be tampered with oraltered
Each attribute certificate says who the delegator
and delegatee are (issuer and holder) Very secure way of delegating authority
BUT each user needs a digital signing key and
digital certificate How many of you have digital certificates and
signing keys?
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
13/23
21 June 2006 Copyright 2006 University of Kent 13
Bill
Alice
Bob
SOA
AA
End
Entity
Issues
AC to
Issues
AC to
Delegation
Issuing
Service (DIS)
IssuesAC to
AC
Points to issuer
Points to
holder
Points to Issued On
Behalf Of
The Delegation Issuing Service
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
14/23
21 June 2006 Copyright 2006 University of Kent 14
Advantages of the Delegation
Issuing Service
Users dont need to have signing keys since theDIS signs the Attribute Certificates on theirbehalf
The DIS keeps a central record (audit trail) ofwho has delegated what to whom
The DIS has a Delegation Policy to control whocan delegate what to whom
The process of privilege checking is veryefficient since all ACs are issued by the DIS (andnot by lots of different users)
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
15/23
21 June 2006 Copyright 2006 University of Kent 15
LDAP
server
Authenticate
the User
DIS
IssueACWeb service
interfacepublishAC
PERMIS Decision
Engine
Sign
AC
Request
Authorisation
Delegation
Policy
Our DIS System
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
16/23
21 June 2006 Copyright 2006 University of Kent 16
The Delegation of Authority Demo Public web page
Secure web page only available to users withResearcher role
Role Hierarchy
Anyone with Admin or Researcher role can
delegate Researcher role to anyone else in Staff
domain
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
17/23
21 June 2006 Copyright 2006 University of Kent 17
Delegation Demo (cont)
Simon is already a researcher Simon would like to delegate to Sarah to
access his resource
Simon accesses the Delegation IssuingService and assigns the Researcher role to
Sarah
Sarah can now access the resource Simon then revokes the researcher role
Sarah no longer has access
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
18/23
21 June 2006 Copyright 2006 University of Kent 18
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
19/23
21 June 2006 Copyright 2006 University of Kent 19
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
20/23
21 June 2006 Copyright 2006 University of Kent 20
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
21/23
21 June 2006 Copyright 2006 University of Kent 21
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
22/23
21 June 2006 Copyright 2006 University of Kent 22
-
7/28/2019 Delegation of AuthorityJISCdemo.ppt
23/23
21 June 2006 Copyright 2006 University of Kent 23