Using Attribute-Based Access Control to Enable Attribute-Based Messaging - PowerPoint PPT Presentation

Slides: 22
Provided by: rbo9
Transcript and Presenter's Notes



1
Using Attribute-Based Access Control to Enable Attribute-Based Messaging
Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter and Himanshu Khurana
University of Illinois at Urbana-Champaign
3
Introduction to ABM
  • Attribute-Based Messaging (ABM): targeting
    messages based on attributes.
  • Examples
    • Address all faculty going on sabbatical next term
    • Notify all female CS graduate students who passed
      qualifying exams of a scholarship opportunity

4
Why ABM?
  • Attribute-based systems have desirable properties:
    • flexibility, privacy and intuitiveness
  • Attribute-Based Messaging (ABM) brings these
    advantages to e-mail messaging
    • enhances confidentiality by supporting targeted
      messaging via dynamic and transient groups
    • enhances relevance of messages by reducing
      unwanted messages

5
Challenges
  • Access Control
    • access to such a system should be carefully
      controlled
    • potential for spam
    • privacy of attributes
  • Deployability
    • system should be compatible with existing
      infrastructure
  • Efficiency
    • system should have comparable performance to
      regular e-mail

6
Enterprise Architecture
  (Architecture diagram; only the label "Attr. DB" survives in the transcript.)
  • Ensuing Issues
    • ABM Address Format, Client I/F
    • Access Control: policy specification and
      enforcement
    • Attribute Database creation and maintenance

7
Enterprise Architecture cont.
  • Attribute database
    • all enterprises have attribute data about their
      users
    • data spread over multiple, possibly disparate
      databases
    • assume that this attribute data is available to
      the ABM system
    • information fabric, data services layer
  • ABM address format
    • logical expressions of attribute-value pairs
    • disjunctive normal form

10
Access Control
  • Access Control Lists (ACLs)
    • difficult to manage
  • Role-Based Access Control (RBAC)
    • simplified management if roles already exist
  • Attribute-Based Access Control (ABAC)
    • uses the same attributes used to target messages
    • more flexible policies than with RBAC
  • Access policy
    • XACML is used to specify access policies
    • Sun's XACML engine is used for policy decisions

11
Access Control cont.
  • Problem
    • need a policy per logical expression
    • policy explosion
  • Solution?
    • one policy per <attribute, value> pair

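The following is an added example, not code from the paper or its prototype, showing the three pieces slides 7, 10 and 11 describe in working form: an ABM address as a logical expression of attribute-value pairs in disjunctive normal form, address resolution against an attribute database, and per-<attribute, value> ABAC policies, specialized once per sender so that an address is authorized term by term rather than needing a policy per expression. The address syntax (`&`, `|`, `=`), the policy encoding (each term unlocked by a conjunction of sender attributes), the attribute database and the sender are all constructed for this example; the real system specifies policies in XACML.

```python
# Added example, not code from the paper: a toy ABM server core showing the
# DNF address format (slide 7), per-<attribute, value> ABAC policies and policy
# specialization (slides 10-11).  The address syntax, the policy encoding and
# all sample data below are constructed for this example.
from typing import Dict, List, Set, Tuple

Term = Tuple[str, str]        # one <attribute, value> pair
Address = List[List[Term]]    # DNF: a disjunction of conjunctions of terms
Policy = List[Term]           # sender attributes required to target one term

def parse_address(text: str) -> Address:
    """Parse 'a=1 & b=2 | c=3' into DNF: [[(a,1),(b,2)], [(c,3)]]."""
    address: Address = []
    for clause in text.split("|"):
        conjunction: List[Term] = []
        for literal in clause.split("&"):
            attr, sep, value = literal.partition("=")
            if not sep or not attr.strip() or not value.strip():
                raise ValueError(f"malformed literal: {literal!r}")
            conjunction.append((attr.strip(), value.strip()))
        address.append(conjunction)
    return address

def terms_of(address: Address) -> Set[Term]:
    """All <attribute, value> pairs that occur anywhere in the address."""
    return {term for conjunction in address for term in conjunction}

def resolve(address: Address, attr_db: Dict[str, Dict[str, str]]) -> Set[str]:
    """Address resolution: users whose attributes satisfy at least one conjunction."""
    return {
        user for user, attrs in attr_db.items()
        if any(all(attrs.get(a) == v for a, v in conj) for conj in address)
    }

def specialize(policies: Dict[Term, Policy], sender_attrs: Dict[str, str]) -> Set[Term]:
    """Policy specialization: evaluate every per-term policy once against the
    sender's own attributes, yielding the set of terms this sender may target."""
    return {
        term for term, required in policies.items()
        if all(sender_attrs.get(a) == v for a, v in required)
    }

def authorize(address: Address, allowed: Set[Term]) -> Set[Term]:
    """Return the terms the sender may not use (empty set means authorized).
    Checking terms rather than whole expressions is what avoids one policy
    per address."""
    return terms_of(address) - allowed

# Constructed attribute database (slide 7 assumes one is available to the ABM system).
ATTR_DB = {
    "alice": {"dept": "CS", "status": "grad", "quals": "passed", "gender": "F"},
    "bob":   {"dept": "CS", "status": "grad", "quals": "failed", "gender": "M"},
    "carol": {"dept": "ECE", "status": "faculty", "sabbatical": "next"},
    "dave":  {"dept": "CS", "status": "faculty", "sabbatical": "none"},
}

# Constructed per-<attribute, value> policies: term -> attributes the sender must hold.
POLICIES: Dict[Term, Policy] = {
    ("dept", "CS"):         [("dept", "CS")],         # only CS members address CS
    ("status", "grad"):     [("role", "advisor")],
    ("quals", "passed"):    [("role", "advisor")],
    ("gender", "F"):        [("office", "diversity")],
    ("status", "faculty"):  [],                       # anyone may address faculty
    ("sabbatical", "next"): [("role", "dean")],
}

SENDER = {"dept": "CS", "role": "advisor"}   # constructed sender attributes

def handle_abm_message(sender_attrs, address_text, policies=POLICIES, attr_db=ATTR_DB):
    """Access control first, then resolution.
    Returns ('denied', offending terms) or ('delivered', recipient set)."""
    address = parse_address(address_text)
    denied = authorize(address, specialize(policies, sender_attrs))
    if denied:
        return ("denied", denied)
    return ("delivered", resolve(address, attr_db))

if __name__ == "__main__":
    for text in ("dept=CS & status=grad & quals=passed",
                 "dept=CS & status=grad & quals=passed & gender=F",
                 "status=faculty & sabbatical=next"):
        print(text, "->", handle_abm_message(SENDER, text))
```

With six terms in the policy store, a sender is checked against at most six policies no matter how many distinct addresses can be written over them; the sender above can reach CS graduate students who passed qualifying exams, but adding `gender=F` to the same address is refused because that single term is outside the specialized set.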
12
Deployability
  • Use existing e-mail infrastructure (SMTP)
    • address ABM messages to the ABM server (MUA) and
      add the ABM address as a MIME attachment
  • No modification to client
    • use a web server to aid the sender in composing
      the ABM address via a thin client (web browser)
  • E-mail-like semantics
    • policy specialization

13
Putting It All Together
  (System diagram. PDP: Sun's XACML Engine. Legend: PS = Policy
  Specialization, MS = Messaging, AR = Address Resolution.)
14
Security Analysis
  • Problem
    • open to replay attacks
  • Solution
    • MTA configured with SMTP authentication
    • with additional message-specific checks

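Slide 14 only states that the MTA uses SMTP authentication together with additional message-specific checks; it does not say what those checks are. The added example below is my assumption of one way to make a composed ABM address single-use, not the paper's mechanism: the web server that helps the sender compose the address issues a token binding the address to the sender and to one message id with an expiry, all under an HMAC, and the ABM server accepts the token only if it matches the SMTP-authenticated sender and the attached address, is fresh, and its message id has not been seen before. The key, the TTL, the token layout and the sample inputs are constructed.

```python
# Added example, not the paper's mechanism: slide 14 says the MTA is configured
# with SMTP authentication plus "additional message specific checks" to stop
# replays.  What those checks are is not stated; the binding below (sender,
# address, message id and expiry under an HMAC, with a seen-message-id cache)
# is my assumption of one way to do it.  Key, TTL and all inputs are constructed.
import base64
import binascii
import hashlib
import hmac
import json
from typing import Set, Tuple

SERVER_KEY = b"constructed-demo-key-not-for-production"  # shared by web and ABM server (assumption)
TOKEN_TTL = 300  # seconds an issued address token stays valid (constructed)

def issue_token(sender: str, abm_address: str, msg_id: str, now: float,
                key: bytes = SERVER_KEY) -> str:
    """Web-server side: after the sender composes an authorized ABM address,
    bind it to that sender and to one message id, and MAC the result."""
    claims = {"sender": sender, "address": abm_address,
              "msg_id": msg_id, "exp": now + TOKEN_TTL}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())

class AbmVerifier:
    """ABM-server side: checks run on each inbound message after the MTA has
    performed SMTP authentication and reports who the authenticated sender is."""

    def __init__(self, key: bytes = SERVER_KEY) -> None:
        self.key = key
        self.seen_msg_ids: Set[str] = set()   # replay cache (in-memory here; assumption)

    def verify(self, token: str, authenticated_sender: str,
               mime_address: str, now: float) -> Tuple[bool, str]:
        try:
            b64_body, b64_tag = token.split(".", 1)
            body = base64.urlsafe_b64decode(b64_body)
            tag = base64.urlsafe_b64decode(b64_tag)
        except (ValueError, binascii.Error):
            return False, "malformed token"
        # Authenticate the token before trusting anything inside it.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        claims = json.loads(body)
        # Message-specific checks: the token must belong to the SMTP-authenticated
        # sender, describe exactly the address attached to this message, be fresh,
        # and not have been accepted before.
        if claims["sender"] != authenticated_sender:
            return False, "token sender differs from SMTP-authenticated sender"
        if claims["address"] != mime_address:
            return False, "attached ABM address differs from the authorized one"
        if now > claims["exp"]:
            return False, "token expired"
        if claims["msg_id"] in self.seen_msg_ids:
            return False, "replay: message id already accepted"
        self.seen_msg_ids.add(claims["msg_id"])
        return True, "ok"

if __name__ == "__main__":
    verifier = AbmVerifier()
    t0 = 1_700_000_000.0   # constructed clock value
    tok = issue_token("alice@example.edu", "dept=CS & status=grad", "<m1@example.edu>", t0)
    print(verifier.verify(tok, "alice@example.edu", "dept=CS & status=grad", t0 + 10))
    print(verifier.verify(tok, "alice@example.edu", "dept=CS & status=grad", t0 + 20))  # replay
```

The order of checks matters: the MAC is verified before any claim is parsed, the message id is recorded only after every other check passes (so a rejected message cannot poison the cache for a legitimate one), and the expiry bounds how long the replay cache must remember an id.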
15
Experimental Setup
  • Measured
    • latency over regular e-mail, with and without
      access control
    • latency of Policy Specialization
  • Setup
    • up to 60K users
    • 100 attributes in the system
    • 20% of attributes common to most users
    • 80% of attributes sparsely distributed

16
Results
  (Latency results chart; not recoverable from the transcript.)
17
Results Continued
  (Policy Specialization Latency chart; not recoverable from the transcript.)
18
Other Considerations
  • Policy Administration
  • one policy per ltattribute ,valuegt not per address
  • further be reduced to one policy per attribute
  • Privacy
  • of sender and receivers
  • of ABM address
  • Usability
  • user interfaces

19
Related Work
  • Technologies
    • List Servers
    • Customer Relationship Management (CRM)
  • Secure role-based messaging
  • WSEmail

20
Future Work
  • Inter-domain ABM
    • e.g., address doctors in the tri-state area who
      have expertise in a specific kind of surgical
      procedure
    • challenge: attribute mapping
    • application in emergency communications
  • Encrypted ABM
