A Practical Access Control System for AttributeBased Messaging - PowerPoint PPT Presentation

About This Presentation
Title:

A Practical Access Control System for AttributeBased Messaging

Description:

Rakesh Bobba, Omid Fatemieh, Fariba M. Khan, Himanshu Khurana, ... Illinois Security Lab, 05/06/06 – PowerPoint PPT presentation


1
A Practical Access Control System for
Attribute-Based Messaging
Rakesh Bobba, Omid Fatemieh, Fariba M. Khan,
Himanshu Khurana, and Carl A. Gunter
2
Motivation
  • Attribute-based systems have desirable properties
    • flexibility, privacy and intuitiveness
  • Examples of attribute-based systems include
    • attribute-based access control (ABAC)
    • attribute (meta-data)-based (data) search
    • attribute-based trust negotiation
  • Attribute-Based Messaging (ABM) brings these advantages to e-mail messaging
    • supports targeted messaging
      • via dynamic and transient groups
    • reduces unwanted messages

3
ABM Scenarios
  • Address all faculty going on sabbatical next term
  • Address all the people working on security
    related projects in an organization
  • Address all female CS graduate students who
    passed qualifying exams
  • Address all TeraGrid system administrators
  • Address doctors in the tri-state area who have
    expertise in a specific kind of surgical procedure

4
Challenges
  • Access Control
    • access to such a system should be carefully controlled
    • potential for spam
    • privacy of attributes
  • Deployability
    • system should be compatible with existing infrastructure
  • Efficiency
    • system should have comparable performance to regular e-mail

5
Enterprise ABM Architecture
  • Ensuing issues
    • ABM address format
    • Access policy specification and enforcement
    • Attribute database creation and maintenance

6
Enterprise ABM
  • ABM address format
    • logical expressions of attribute-value pairs
    • disjunctive normal form
  • Access policy
    • access is based on the same attributes used to target messages
    • attribute-based access control is employed
    • XACML is used to specify access policies
    • Sun's XACML engine is used for policy decisions
  • Attribute database
    • all enterprises have attribute data about their users
    • data spread over multiple, possibly disparate databases
    • assume that this attribute data is available to the ABM system
    • information fabric, data services layer

7
Access Control Example
  • ABM address
    • <affiliation=student> and <department=cs> and <course=cs118>
  • Sender's attributes
    • <affiliation=faculty>, <course=cs118>, <department=cs>
  • Access policy
    • allow access to <course=cs118> if (user satisfies) one of
      • 1) <affiliation=faculty> and <course=cs118>
      • 2) <affiliation=staff> and <designation=director> and <department=cs>
    • allow access to <affiliation=student> if (user satisfies) one of
      • 1) <affiliation=faculty>
      • 2) <affiliation=staff>
    • allow access to <department=cs> if (user satisfies) one of
      • 1) <affiliation=faculty> and <department=cs>
      • 2) <affiliation=staff> and <department=cs> and <designation=director>
  • Decision
    • allow
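The decision on this slide, worked through as an added example (not code from the paper or from the ABM system, which specifies its policies in XACML and evaluates them with Sun's engine): the address is parsed as a DNF over attribute-value pairs, the policy maps each targetable pair to the conjunctions a sender must satisfy one of, and the decision is "allow" only when every pair used in the address is accessible to the sender. The `<attribute=value>` syntax and default-deny for pairs without a policy rule are assumptions.

```python
import re
from itertools import chain

# An attribute-value pair, e.g. "<affiliation=student>" -> ("affiliation", "student")
Pair = tuple[str, str]

def parse_pair(token: str) -> Pair:
    """Parse one '<attribute=value>' term (the bracket syntax is assumed)."""
    m = re.fullmatch(r"\s*<?\s*([\w-]+)\s*=\s*([\w-]+)\s*>?\s*", token)
    if not m:
        raise ValueError(f"malformed attribute-value pair: {token!r}")
    return (m.group(1), m.group(2))

def parse_abm_address(address: str) -> list[set[Pair]]:
    """DNF address: conjunctions joined by 'or', pairs within one joined by 'and'."""
    return [{parse_pair(t) for t in re.split(r"\s+and\s+", conj)}
            for conj in re.split(r"\s+or\s+", address.strip())]

def pair_is_accessible(pair: Pair, sender: set[Pair],
                       policy: dict[Pair, list[set[Pair]]]) -> bool:
    """The sender may target 'pair' if their attributes contain one whole rule
    conjunction for it; a pair with no rule is denied (assumed default-deny)."""
    return any(rule <= sender for rule in policy.get(pair, []))

def decide(address: str, sender: set[Pair],
           policy: dict[Pair, list[set[Pair]]]) -> str:
    """'allow' only if every pair appearing anywhere in the address is accessible."""
    used = set(chain.from_iterable(parse_abm_address(address)))
    return "allow" if all(pair_is_accessible(p, sender, policy) for p in used) else "deny"

# Policy, address and sender attributes transcribed from the slide above.
SLIDE_POLICY: dict[Pair, list[set[Pair]]] = {
    ("course", "cs118"): [
        {("affiliation", "faculty"), ("course", "cs118")},
        {("affiliation", "staff"), ("designation", "director"), ("department", "cs")}],
    ("affiliation", "student"): [
        {("affiliation", "faculty")},
        {("affiliation", "staff")}],
    ("department", "cs"): [
        {("affiliation", "faculty"), ("department", "cs")},
        {("affiliation", "staff"), ("department", "cs"), ("designation", "director")}],
}
SLIDE_ADDRESS = "<affiliation=student> and <department=cs> and <course=cs118>"
SLIDE_SENDER = {("affiliation", "faculty"), ("course", "cs118"), ("department", "cs")}

if __name__ == "__main__":
    print(decide(SLIDE_ADDRESS, SLIDE_SENDER, SLIDE_POLICY))  # allow
```

A staff sender without the director designation is denied the same address, since neither rule for <course=cs118> is satisfied; an address naming a pair the policy never mentions is denied outright.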

8
Deployability
  • Use existing e-mail infrastructure (SMTP)
    • address ABM messages to the ABM server (MUA) and add the ABM address as a MIME attachment
  • No modification to client
    • use a web server to aid the sender in composing the ABM address via a thin client (web browser)
  • E-mail-like semantics
    • policy specialization

9
Putting It All Together
(architecture figure; label: PDP: Sun's XACML Engine)
10
Security Analysis
  • Problem
    • need a binding between the sender's identity and the ABM address
  • Solutions
    • MTA configured with SMTP authentication
      • with an additional message-specific check
    • sender signs the message using S/MIME

11
Experimental Setup
  • Preliminary experiments
    • up to 60K users with 100 binary-valued attributes

12
Future Work
  • Ongoing efforts
    • implementation for multi-valued attributes
    • extending ABM for inter-domain communication