Secure Information Sharing Using Attribute Certificates and Role Based Access Control
Ganesh Godavari, C. Edward Chow
06/22/2005
University of Colorado at Colorado Springs
International Conference of Security and Management 2005
Introduction to Information Sharing
- Information Sharing relates to the sharing of information between two or more entities.
- Synchronous Information Sharing: real-time collaboration in "same time, different place". Tools: instant messaging, video conferencing ...
- Asynchronous Information Sharing: collaboration in "different time, different place". Tools: discussion boards, e-mail ...
Introduction to Information Sharing
- Steps for secure Information Sharing:
  - Authentication: username/password, PIN #, X.509 certificates
  - Authorization: group based authorization, role based authorization, etc.
  - Access
- Secure storage of the authorization policy is critical: Attribute Certificates (AC)
Secure Information Sharing Motivation
- Paradigm shift from "Need to Know" to "Need to Share": incidents like 9/11 and natural disaster relief. Organizations are intertwined more now than ever.
- Rapid deployment of a secure information sharing system for a multi-agency taskforce has become a critical issue for homeland security and defense.
- Information Sharing relates to the sharing of information between multiple agencies or organizations.
Role Based Access Control
[Figure: the NIST RBAC reference model. USERS are linked to ROLES by User Assignment (UA), and ROLES to PRMS (permissions: operations on objects) by Permission Assignment (PA); both are many-to-many relationships. A user is associated with SESSIONS (user_session, a one-to-many relationship), and session_roles gives the roles activated by the session.]
- A NIST study shows a user's role is less likely to change, and roles are tightly related to access rights to information.
- File system operations: read, write and execute. DBMS operations: insert, delete, append and update.
Attribute Certificates (ACs)
- Standardized in RFC 3281, "An Internet Attribute Certificate for Authorization"
- No public key, unlike a Public Key Certificate (PKC); used for storing short-duration attributes: role, resource allocation, security clearance ...
- AC in security:
  - Strong identity of the holder is not required
  - Access control specification
  - Non-repudiation of the attributes by the issuer
  - Privilege delegation, role allocation ...
Privilege Management Infrastructure (PMI)
- A Privilege Management Infrastructure is similar to a Public Key Infrastructure.
- Its function is to specify the policy for attribute certificate issuance and management.

Comparison of PKIs and PMIs [chad2-02]

  Concept                | PKI entity                            | PMI entity
  -----------------------+---------------------------------------+-----------------------------------------------
  Certificate            | Public Key Certificate (PKC)          | Attribute Certificate (AC)
  Certificate issuer     | Certification Authority (CA)          | Attribute Authority (AA)
  Certificate user       | Subject                               | Holder
  Certificate binding    | Subject's Name to Public Key          | Holder's Name to Privilege Attribute(s)
  Revocation             | Certificate Revocation List (CRL)     | Attribute Certificate Revocation List (ACRL)
  Root of trust          | Root CA or Trust Anchor               | Source of Authority (SOA)
  Subordinate Authority  | Subordinate Certification Authority   | Attribute Authority (AA)
Issues with a large multi-agency Information System
- Issues:
  - How can we authenticate users belonging to multiple organizations?
  - Authorization policy specification encompassing multiple organizations
- Solutions:
  - X.509 certificates for identification of users
  - Authorization based on the RBAC[] model
- Security administration can be a management nightmare.
Context Free Grammar of Authorization Policy Specification

  sisprivilegeset <role name> <privilegeset name> {
    <privilege>  := if ( <expression> ) do <action>
    <expression> := <term> | <term> && <expression> | ( <expression> ) | ! ( <expression> )
    <term>       := <factor> | <factor> || <term> | ( <term> )
    <factor>     := <variable> <operator> <value>
    <operator>   := > | >= | < | <= | == | != | #
    <action>     := grantAccess | rejectAccess | acquirePrivileges <privilegeset Name> | contact <authorization server>
  }
  #: regular expression string matching operator
RBAC specification format

  <?xml version="1.0" encoding="utf-8" standalone="yes"?>
  <!--===== SIS request example =====-->
  <sis>
    <Role>administrator</Role>
    <Group>Info Share</Group>
    <OU>UCCS</OU>
  </sis>
Example – File Access Specification
Privilege specification for administrator (file access control specification):

  sisprivilegeset administrator filematch {
    if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
    # user accounts protection from get and post requests by administrator
    if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
    if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
  }
  #: matching operator (A # B: if A contains B)
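The grammar and the administrator file-access example above can be exercised with a small parser and evaluator. What follows is an added example written for this page, not code from the SIS project: it tokenizes a sisprivilegeset block, builds the expression tree with the grammar's own precedence ('||' sits in <term> and '&&' in <expression>, so '||' binds tighter than '&&'), and evaluates the rules against a request given as attribute/value pairs. Assumptions not stated on the slides: the # operator is treated as "A contains B" with shell-style wildcards honoured in B (the slide's `*~*/private/` pattern), a line starting with # is a comment, rules are tried in order with the first match deciding, and a request matching no rule is denied.

```python
import operator
import re
from fnmatch import fnmatchcase

# Constructed policy text: the slide's own example, in the sisprivilegeset format.
POLICY = '''
sisprivilegeset administrator filematch {
  if ( ( url # "/etc/passwd" ) && ( requestAction # "get" ) ) do grantAccess
  # user accounts protection from get and post requests by administrator
  if ( ( url # "*~*/private/" ) && ( requestAction # "get" ) ) do rejectAccess
  if ( ( url # "*~*/private/" ) && ( requestAction # "post" ) ) do rejectAccess
}
'''

TOKEN_RE = re.compile(r'''"(?P<str>[^"]*)"                 # quoted value
    |(?P<op>>=|<=|==|!=|&&|\|\||[><#!(){}])               # operators and punctuation
    |(?P<word>[\w./-]+)                                   # keywords, variables, bare values
    |(?P<bad>\S)''', re.VERBOSE)                          # anything else is an error
COMPARE = {'>': operator.gt, '>=': operator.ge, '<': operator.lt,
           '<=': operator.le, '==': operator.eq, '!=': operator.ne}

def tokenize(text):   # (kind, value) tokens; '#' lines are comments, whitespace is skipped
    tokens = []
    for line in (l for l in text.splitlines() if not l.strip().startswith('#')):
        for m in TOKEN_RE.finditer(line):
            if m.lastgroup == 'bad':
                raise SyntaxError(f'bad character {m.group()!r} in: {line.strip()}')
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def take(self, kind=None, value=None):     # consume the next token, checking kind/value
        k, v = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        if k is None or (kind and k != kind) or (value and v != value):
            raise SyntaxError(f'expected {value or kind or "a token"}, got {v!r}')
        self.i += 1
        return v
    def skip(self, value):                     # consume the operator token if it is next
        hit = self.i < len(self.toks) and self.toks[self.i] == ('op', value)
        self.i += hit
        return hit
    def privilegeset(self):                    # sisprivilegeset <role> <name> { <privilege>* }
        self.take('word', 'sisprivilegeset')
        role, name = self.take('word'), self.take('word')
        self.take('op', '{')
        rules = []
        while not self.skip('}'):
            rules.append(self.privilege())
        return {'role': role, 'name': name, 'rules': rules}
    def privilege(self):                       # if ( <expression> ) do <action>
        self.take('word', 'if'); self.take('op', '(')
        expr = self.expression()
        self.take('op', ')'); self.take('word', 'do')
        action = self.take('word')
        if action not in ('grantAccess', 'rejectAccess', 'acquirePrivileges', 'contact'):
            raise SyntaxError(f'unknown action {action!r}')
        arg = (self.take(),) if action in ('acquirePrivileges', 'contact') else ()
        return (expr, (action,) + arg)         # the last two actions carry an argument
    def expression(self):                      # <term> | <term> && <expression>
        left = self.term()
        return ('and', left, self.expression()) if self.skip('&&') else left
    def term(self):                            # <factor> | <factor> || <term>
        left = self.atom()
        return ('or', left, self.term()) if self.skip('||') else left
    def atom(self):                            # ( <expression> ), ! ( <expression> ), ( <term> ), <factor>
        if self.skip('!'):
            return ('not', self.atom())
        if self.skip('('):
            inner = self.expression(); self.take('op', ')')
            return inner
        var, op = self.take('word'), self.take('op')
        if op != '#' and op not in COMPARE:
            raise SyntaxError(f'unknown operator {op!r}')
        return ('cmp', var, op, self.take())   # <value> may be quoted or bare

def evaluate(expr, request):
    kind, *args = expr
    if kind in ('and', 'or', 'not'):           # boolean connectives
        values = [evaluate(a, request) for a in args]
        return {'and': all, 'or': any, 'not': lambda v: not v[0]}[kind](values)
    var, op, value = args
    if var not in request:                     # an absent attribute never satisfies a factor
        return False
    if op == '#':                              # A # B: A contains B (shell wildcards in B allowed)
        return fnmatchcase(str(request[var]), '*' + value + '*')
    try:
        return COMPARE[op](float(request[var]), float(value))   # numeric when both parse
    except ValueError:
        return COMPARE[op](str(request[var]), str(value))

def parse_policy(text):
    return Parser(tokenize(text)).privilegeset()
def decide(pset, request):                     # first matching rule decides; no match: deny
    for expr, action in pset['rules']:
        if evaluate(expr, request):
            return action
    return ('rejectAccess',)
```

With the slide's policy, a GET of /etc/passwd by the administrator is granted and any GET or POST under a user's private directory is rejected; acquirePrivileges and contact come back as actions with their argument so the enforcement point can act on them.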
SIS system overview
[Figure: the SIS architecture. An Administration Tool maintains the RBAC policy file and the user role specification and creates, changes or revokes Attribute Certificates (ACs). A user authenticates to the server's Access Control Decision and Enforcement engine (ACDE) with a Public Key Certificate (PKC); the engine uses the user's AC to authorize requests to the shared services: web server, mail server, database and instant messaging server.]
Access Control and Decision Enforcement (ACDE)
[Flowchart: handling of a request from the web browser by the Apache SIS module.]
1. SSL request from the web browser reaches the Apache SIS module (No: Forbidden).
2. Get the Common Name (CN) and Organization (O) from the client certificate.
3. Query the LDAP server to get the user's Attribute Certificate(s).
4. Validate the Attribute Certificate (No: Forbidden).
5. Have privileges? (No: Forbidden. Yes: serve the request.)
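As an added illustration of this decision flow (not the project's modified mod_auth_ldap code), the following Python models the steps: extract CN and O from the client certificate subject, look up the holder's attribute certificates (an in-memory dict stands in for the LDAP server), validate each AC (trusted issuer, validity period, holder binding, ACRL), and serve only when a valid AC carries a role with the required privilege. The certificate structure, hostnames, role names, the `Role` attribute and the use of (CN, O) as the directory key are constructed for the example; signature verification of the AC is noted but not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed data: not the project's actual directory, certificates or hostnames.
TRUSTED_SOA = {"CN=rootCA-MA,O=taskforce"}   # the coordinator's Source of Authority
NOW = datetime(2005, 6, 22, tzinfo=timezone.utc)

@dataclass
class AttributeCertificate:
    serial: int
    holder: tuple        # (CN, O) of the PKC subject this AC is bound to
    issuer: str          # AA / SOA that signed the AC
    not_before: datetime
    not_after: datetime
    attributes: dict     # privilege attributes, e.g. {"Role": "administrator"}

def parse_subject_dn(dn):
    """Pick attribute values out of an OpenSSL-style '/C=US/O=.../CN=...' subject string."""
    parts = {}
    for comp in dn.strip('/').split('/'):
        if '=' in comp:
            key, value = comp.split('=', 1)
            parts.setdefault(key, value)     # first occurrence wins (OU may repeat)
    return parts

def ldap_lookup(directory, cn, o):
    """Stand-in for the module's LDAP query: the ACs stored for this holder."""
    return directory.get((cn, o), [])

def validate_ac(ac, cn, o, acrl, now):
    """Return None if the AC passes every check, otherwise the reason it failed."""
    if ac.issuer not in TRUSTED_SOA:
        return "issuer is not a trusted SOA/AA"
    if not ac.not_before <= now <= ac.not_after:
        return "outside validity period"
    if ac.holder != (cn, o):
        return "holder does not match the authenticated subject"
    if (ac.issuer, ac.serial) in acrl:
        return "listed on the ACRL"
    # A deployment also verifies the AA's signature over the AC; not modelled here.
    return None

def acde(subject_dn, directory, acrl, required_roles, now=None):
    """Model of the flowchart: each failed step ends in Forbidden, success serves the request."""
    now = now or datetime.now(timezone.utc)
    subject = parse_subject_dn(subject_dn)
    if 'CN' not in subject or 'O' not in subject:
        return ("Forbidden", "client certificate lacks CN/O")
    cn, o = subject['CN'], subject['O']
    acs = ldap_lookup(directory, cn, o)
    if not acs:
        return ("Forbidden", "no attribute certificate in LDAP")
    reasons = []
    for ac in acs:
        problem = validate_ac(ac, cn, o, acrl, now)
        if problem:
            reasons.append(problem)
            continue
        role = ac.attributes.get("Role")
        if role in required_roles:
            return ("Serve", role)
        reasons.append(f"role {role!r} lacks the required privilege")
    return ("Forbidden", "; ".join(reasons))

def sample_directory():
    """Constructed directory contents: one good AC, one expired, one revoked, one misfiled."""
    soa, day = "CN=rootCA-MA,O=taskforce", timedelta(days=1)
    return {
        ("alice", "sis-nissc"): [AttributeCertificate(1, ("alice", "sis-nissc"), soa,
                                 NOW - day, NOW + 30 * day, {"Role": "administrator"})],
        ("bob", "sis-connecticut"): [AttributeCertificate(2, ("bob", "sis-connecticut"), soa,
                                     NOW - 60 * day, NOW - day, {"Role": "administrator"})],
        ("carol", "sis-canada"): [AttributeCertificate(3, ("carol", "sis-canada"), soa,
                                  NOW - day, NOW + day, {"Role": "analyst"})],
        ("erin", "sis-nissc"): [AttributeCertificate(4, ("alice", "sis-nissc"), soa,
                                NOW - day, NOW + day, {"Role": "analyst"})],
    }

ACRL = {("CN=rootCA-MA,O=taskforce", 3)}     # (issuer, serial) pairs the SOA has revoked
```

The reason string is returned only to make the failing step visible; a real module should log it server-side and answer the client with the bare Forbidden status.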
Setup CA
1. The coordinator of the task force from multiple agencies sets up a rootCA-MA (root CA for Multiple Agencies).
2. Each agency requests a certificate to be signed by rootCA-MA.
3. Each agency issues a new PKC to each user in its organization involved in the task force.
4. At each server providing the secure information sharing service for this task force, add the rootCA-MA information into the CABundle (file containing the list of valid CAs).
5. Each client/user installs the certificate in the local browser or applications.
Choices for storing ACs
A user's AC can be stored:
- in a central repository of the taskforce, with each agency's local administrator having control only over the ACs of the users belonging to that agency;
- locally at each agency, which defines the user's role within that agency. The user's privileges are then the result of the association of the user with a particular agency; when a user's privileges are revoked, all the agencies must be notified to prevent unauthorized access.
The trust relationship between organizations determines where the ACs are stored.
Setup PMI
Our approach:
- Store all the user privileges in the organization the user originally belongs to.
- Check the user's privileges on every attempt to access the resources.
- The coordinator of the task force signs the ACs of the members.
- Agency members' ACs are distributed and installed on the LDAP server of the agency.
- Web servers and shared applications query the PMI for authorization and access control.
Implementation
- Apache (v 1.3.31) + mod_ssl (v 2.8.18-1.3.31) + OpenSSL (v 0.9.7d)
- We modified mod_auth_ldap with the AC based ACDE
- OpenLDAP (v 2.0.27-8): the Attribute Certificate's attribute definitions were added to inetorg-person.schema
- OpenSSL libraries used for generating X.509 certificates; we created an AC generation utility using OpenSSL
- For validation we use Markus Lorch's code
- We created a PKC generation utility based on EXPECT
SIS Test-bed
[Figure: test-bed sites connected over the Internet. alpha-sis-nissc hosts the web server and holds its PKC; sis-nissc, sis-connecticut, sis-canada and sis-newjersy each run an LDAP server.]
Web server certificate subject: "/C=US/…./O=dc=sis-nissc,dc=edu/OU=ou=Research,OU=coordinateExercise/CN=alpha-sis-nissc/[email protected]"
Performance: Access Time from a client at sis-canada

  Server           | LDAP Access Time (ms) | AC retrieval/validation (ms)
  -----------------+-----------------------+-----------------------------
  sis-nissc        | 54.62                 | 96.88
  sis-connecticut  | 51.84                 | 93.77
  sis-newjersey    | 51.19                 | 93.31

All machines: Pentium-III, 500 MHz; 256 MB RAM; Redhat Linux-2.4.20-6
Conclusions
1. Developed efficient procedures and tools to set up a Public Key Infrastructure for authentication and a Privilege Management Infrastructure for authorization.
2. Created a multi-agency SIS test bed based on LDAP and web servers.
3. OpenLDAP servers were enhanced to accept attribute certificates.
4. The LDAP module of the Apache web server was extended to achieve secure web access.
PKC vs. AC
- A PKC binds a subject (DN) to a public key; an AC binds permissions (attributes) to an entity.

  Public Key Certificate (PKC)  | Attribute Certificate (AC)
  ------------------------------+---------------------------
  Version                       | Version
  Serial Number                 | Serial Number
  Signature ID                  | Signature ID
  Subject                       | Holder
  Issuer                        | Issuer
  Validity Period               | Validity Period
  Subject Public Key Info       | Attributes
  Extensions                    | Extensions
  Signature                     | Signature