Introduction to Access Control and Trust Management

1
Introduction to Access Control and Trust
Management
  • Daniel Trivellato

2
Outline
  • Introduction to Access Control
  • Discretionary and Mandatory Access Control
  • Role-Based Access Control
  • Distributed Trust Management
  • Reputation-based TM
  • Rule-based TM

3
Authentication vs. Access Control
  • Authentication
    • establishing who you are (or whether you possess a certain pseudonym)
  • Access Control
    • establishing whether you have the right to perform a certain action
  • Authentication is often necessary for access control

5
Basics: Subject, Object, Action
  • Subjects
    • Alice, Bob, Alice's program
  • Objects
    • a file, the printer
  • Actions
    • read, write, execute, modify, send

6
Discretionary Access Control
  • Goal: prevent illegitimate access to resources
  • Access is granted to users or user groups
  • Ownership: users have all the rights over the objects they create
  • Delegation: users can grant the rights they have to others
  • Users that have control can remove rights

7
DAC Models
  • Take-grant model
  • Lampson (1974)
  • Graham-Denning (1972)
  • Harrison-Ruzzo-Ullman (1976)
  • Griffiths-Wade (1976)
  • Originator control (1989)

8
Lampson's Access Matrix
  • Set of objects O
  • Set of users U
  • Access Matrix A (U×U and U×O)
  • Entries are sets of allowed actions (read, write, call, ...)
  • Plus "owns" for administration of rights
  • flag for delegation right

9
Access Matrix - Example
File 1 File 2 File 3 Program 1
Alice owns read write read write
Bob read read write execute
Charlie read execute read
10
Mandatory Access Control
  • Goal: prevent illegitimate flow (leakage) of information
  • Attach security labels to subjects and objects
    • Users and processes are given a clearance
    • Objects and resources are given a label
  • Information cannot flow to lower or incomparable security classes

11
MAC Example
  • Bell-LaPadula
    • NO READ UP
    • NO WRITE DOWN

[Figure: SUBJECTS and OBJECTS at levels TS, S, C and U, connected by read and write arrows, with an arrow marking the direction of information flow]
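
The NO READ UP / NO WRITE DOWN rules as a label check, added here as an example that is not part of the original slides. The level order follows the figure; the compartments (which create incomparable classes) and all function names are assumptions of this example, and find_leak exhaustively confirms that no permitted read followed by a permitted write moves information down or sideways.

```python
from itertools import combinations, product

LEVELS = ["U", "C", "S", "TS"]        # ordering taken from the slide's figure
COMPARTMENTS = ["crypto", "nuclear"]  # constructed; compartments are not on the slides

def label(level, *compartments):
    return (LEVELS.index(level), frozenset(compartments))

def dominates(a, b):
    """a >= b in the lattice: level at least as high, compartments a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def decide(subject, obj, action):
    """Bell-LaPadula decision for one request; returns (allowed, reason)."""
    if action == "read":              # simple security property
        ok, rule = dominates(subject, obj), "no read up"
    elif action == "write":           # *-property
        ok, rule = dominates(obj, subject), "no write down"
    else:
        return (False, "unknown action")
    if ok:
        return (True, "permitted")
    comparable = dominates(subject, obj) or dominates(obj, subject)
    return (False, rule if comparable else "incomparable classes")

def all_labels():
    subsets = [frozenset(c) for n in range(len(COMPARTMENTS) + 1)
               for c in combinations(COMPARTMENTS, n)]
    return [(lvl, s) for lvl in range(len(LEVELS)) for s in subsets]

def find_leak():
    """Look for a subject that may read src and write dst although dst does
    not dominate src, i.e. information would flow down or sideways."""
    for subj, src, dst in product(all_labels(), repeat=3):
        if decide(subj, src, "read")[0] and decide(subj, dst, "write")[0]:
            if not dominates(dst, src):
                return (subj, src, dst)
    return None
```
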

13
Role-Based Access Control
  • Users are assigned to roles
  • Roles are assigned rights

File 1 File 2 File 3 Program 1
Alice read, write read, write execute
Bob read read, write execute

Tester Programmer Group member
Alice x x
Bob x x

File 1 File 2 File 3 Program 1
Tester write read, write
Programmer read, write
Group member read execute
14
RBAC
  • Roles can be hierarchical
  • Rights are inherited

[Figure: role hierarchy with the roles Project leader, Tester, Programmer and Project member]

16
Trust Management
  • Typical access control mechanism
  • TM alternative

[Figure: typical mechanism: the subject shows an ID, and a lookup yields the authorization; TM alternative: the subject has attributes, from which the authorization is inferred]
17
Distributed Trust Management
  • Deals with authorizations in a distributed system (e.g., the Internet)
    • need to interact with people you don't know
  • 2 types of DTM
    • Reputation-based TM
    • Rule-based TM

19
Reputation-based TM (concrete)
  • community of cooks (200 people)
  • to establish trust
  • you ask your friends
  • and friends of friends
  • ...
  • some recommendations are better than others
  • you check the record (if any)
  • after success trust increases

20
Reputation-based TM (virtual)
  • eBay (hundreds of millions of users)

21
Reputation-based TM (virtual)
  • Buyers and sellers rate each other after a transaction
    • Positive (r(i,j) = 1)
    • Neutral (r(i,j) = 0)
    • Negative (r(i,j) = -1)

22
Key features
  • open system (different security domains)
  • trust is a measure and changes over time
  • essential risk component
  • recommendation based (NOT identity-based)
  • peers are not continuously available
  • Algorithms (e.g., EigenTrust)

24
Rule-based TM (concrete)
  • Bart is entitled to a discount
  • If he is a student of the local university

25
Rule-based TM (virtual)
  • When is Bart now entitled to a discount?

26
Bart is entitled to a discount
  • If he is a student of any accredited University.
  • But perhaps also
    • If he is an employee of any governmental organization
    • If he is a member of the library club
    • If he is a veteran
    • ...
    • Too many to mention
  • Which problems does this raise?
    • Scalability
    • Knowing where and what to search

27
Reputation vs. Rules
  • Reputation-based TM
    • open system (different security domains)
    • trust is a measure and changes over time
    • risk-based
    • no delegation
    • recommendation based (NOT identity-based)
    • peers are not continuously available
    • scalability
  • Rule-based TM
    • open system (different security domains)
    • trust is boolean and less time-dependent
    • no risk
    • delegation
    • rule (credential) based (NOT identity-based)
    • peers are not continuously available
    • scalability

28
Credentials
  • A credential is a statement
    • Signed by the issuer
    • about a subject
    • Containing info about the subject
  • Requirements
    • Unforgeable (!)
    • Verifiable (that it belongs to the subject asking for the service)
    • Signed (e.g. X.509)

29
Credential Chains
[Figure: credential chain: Bart "is student of" TU/e, TU/e "is accredited by" the Accreditation Bureau, the Accreditation Bureau "is accepted by" the Shop]
  • We have a chain of credentials
  • The subject of one is the issuer of the other one

30
Languages for TM
  • A good language for TM must be able to express
    • Decentralized attributes
    • Delegation of attribute authority
    • Inference of attributes
    • Attribute fields (e.g., age)
    • Attribute-based delegation of authority

31
Decentralized Attributes
  • An entity asserts that another entity has a certain attribute
  • e.g., student(TU/e,Alice)
    • The TU/e asserts that Alice is a student
    • Issuer: TU/e
    • Subject: Alice
  • Where is it stored?

32
Delegation of Attribute Authority
  • An entity delegates (i.e. trusts) the authority over an attribute to another entity
  • e.g., student(DSA,X) ← student(TU/e,X)
    • The Dutch Students Association considers as students all the students of the TU/e
    • Operationally: anyone showing a TU/e student credential can get a student credential from the DSA
    • Issuers: DSA, TU/e
    • Subject: X

33
Inference of Attributes
  • An entity uses one attribute to make inferences about another attribute
  • e.g., employee(TU/e,X) ← professor(TU/e,X)
    • The TU/e asserts that every TU/e professor is also a TU/e employee

34
Attribute Fields
  • Credentials may carry field values
    • e.g. student(DSA,Alice,universityTU/e)
  • Field values can be used to infer additional attributes and for conditional delegation
    • e.g. ccard(VISA,X) ← client(ABN,X,creditY) AND Y > 2000
    • VISA releases credit cards only to ABN clients with more than 2000 in their account

35
Attribute-based Delegation of Authority
  • An entity may delegate the authority to another entity depending on its attributes
  • e.g. ccard(VISA,X) ← client(Y,X) AND certified(EB,Y)
    • VISA releases a credit card only to clients of banks which are certified by the European Bank
    • By doing so, VISA does not need to explicitly mention all the banks which are trusted
    • VISA trusts EB's opinion about banks
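
The rules from the slides on delegation of attribute authority, inference of attributes and attribute-based delegation, evaluated over a set of credentials; this is an added example, not part of the original slides and not the POLIPO, TuLiP or RT implementation. The "?X" variable notation, the function names, and the ShadyBank and Mallory credentials are assumptions constructed for illustration, and chain() returns the credentials that support a derived attribute.

```python
def unify(pattern, fact, env):
    """Match one rule atom against one fact; return extended bindings or None."""
    env = dict(env)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):        # "?X" marks a variable (notation assumed here)
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def solutions(body, proofs, env, used=frozenset()):
    """Yield (bindings, credentials used) for every way to satisfy the rule body."""
    if not body:
        yield env, used
        return
    for fact, support in proofs.items():
        e = unify(body[0], fact, env)
        if e is not None:
            yield from solutions(body[1:], proofs, e, used | support)

def derive(credentials, rules):
    """Forward-chain to a fixpoint; map each attribute to the credentials proving it."""
    proofs = {c: frozenset([c]) for c in credentials}
    while True:
        new = {tuple(env.get(t, t) for t in head): used
               for head, body in rules for env, used in solutions(body, proofs, {})}
        new = {f: u for f, u in new.items() if f not in proofs}
        if not new:
            return proofs
        proofs.update(new)

RULES = [  # atoms are triples (attribute, issuer, subject), as in student(TU/e,Alice)
    (("student", "DSA", "?X"), [("student", "TU/e", "?X")]),
    (("employee", "TU/e", "?X"), [("professor", "TU/e", "?X")]),
    (("ccard", "VISA", "?X"), [("client", "?Y", "?X"), ("certified", "EB", "?Y")]),
]
CREDENTIALS = [  # constructed sample; each is assumed to have passed signature checks
    ("student", "TU/e", "Alice"),
    ("client", "ABN", "Bart"),
    ("certified", "EB", "ABN"),
    ("client", "ShadyBank", "Mallory"),
    ("certified", "ShadyBank", "ShadyBank"),  # self-issued: the issuer is not EB
]

def chain(goal, credentials=CREDENTIALS, rules=RULES):
    """Return the credentials that prove goal, or None if it cannot be derived."""
    support = derive(credentials, rules).get(goal)
    return None if support is None else sorted(support)
```

The self-issued certification never satisfies certified(EB,Y), because the issuer position of the rule atom is fixed to EB; that is what keeps Mallory from obtaining a card.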

36
Credential Storage
  • Every credential can be stored by its issuer, its
    subject, or a third party
  • When we try to build a credential chain, we must
    be able to retrieve the appropriate credentials
  • Credential chain discovery algorithms suggest
    storage schemas according to which credentials
    are retrieved
  • RT backward and forward search algorithm
  • TuLiP
  • POLIPO

37
In the next lecture
  • The POLIPO framework
  • a rule-based TM language
  • a reputation system
  • an algorithm for credential chain discovery

38
Thank you for your attention!
Questions?
n.zannone_at_tue.nl d.trivellato_at_tue.nl