Date posted: 14-Dec-2015
1
Secure Group Collaboration in an Open Environment
May, 2006
Zhengyi Le
DEVLAB, Dartmouth College
2
What are Group Collaboration Systems?
[Figure: a group collaboration application whose participants hold the roles Lecturer, Program Coordinator, Secretary, Audience A and Audience B]
A Group Collaboration System provides two services:
● Group administration → create a group, maintain a group, destroy a group
● Data sharing → access to data, store data, transmit data
3
What are Open Environments?
A Group Collaboration System runs in environments where entities are diverse and autonomous.
● Diverse → a stranger should be allowed to join a collaboration if he is qualified.
● Autonomous → an entity is self-motivated and self-governed.
[Figure: the same group collaboration application, now with participants from different institutions: Alice (Dartmouth), Bob (Univ. of NH), Carlo (Hanover High School), and other collaboration applications alongside it]
4
Our Goals and Approaches
• Goals:
  1. Allowing qualified strangers to join a collaboration.
  2. Removing the need for a server and a central administration.
  3. Giving users privacy they can control and security they can understand.
• Approaches:
  – introduce Automated Trust Negotiation (ATN) (serves Goal 1).
  – use p2p solutions (serves Goal 2).
  – adopt human readable and writable policies to protect data (serves Goal 3).
5
Examples of Existing Work
System                              Roles           Policies   Centralized   Enrollment
Open-Xchange, eGroupWare            2 (adm, user)   fixed      C             adm
Groove                              4               fixed      C & D         adm & invite
NGC [Ellison and Dohrmann 03]       3               fixed      D             adm & invite
GCS [Nita-Rotaru and Li 04]         Many (3+n)      dynamic    C             Not given
6
Background: Automated Trust Negotiation (ATN) [William Winsborough et al. 2000]
• ATN helps two strangers build mutual trust through exchanging certificates. A simple example:
  • Alice is an AIDS patient with a credential to prove it.
  • DHMC is a hospital which is offering a free on-line service to AIDS patients who are US citizens. DHMC is also a certified hospital which protects patients' privacy very well (HIPAA).
Alice's release policies:
  P1: $C_{AIDS} \leftarrow C_{HIPAA}$
  P2: $C_{citizen} \leftarrow \text{True}$
DHMC's release policies:
  Pa: $R \leftarrow C_{AIDS} \wedge C_{citizen}$
  Pb: $C_{HIPAA} \leftarrow \text{True}$
Message exchange:
  Alice → DHMC: req R
  DHMC → Alice: req C_AIDS, C_citizen
  Alice → DHMC: C_citizen, counter req C_HIPAA
  DHMC → Alice: C_HIPAA
  Alice → DHMC: C_AIDS
  DHMC → Alice: R (succeed)
Details in approach (1)
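The exchange above, replayed by a minimal two-party ATN engine. This is an added example, not code from the slides or the authors' system; credential and resource names are the slide's, while the negotiation strategy (disclose whatever the release policy already allows, counter-request what is still missing) is a deliberate simplification of real ATN strategies.

```python
# Added example, not code from the slides: a minimal two-party ATN engine that
# replays the Alice/DHMC exchange. Credential and resource names are the slide's;
# the strategy (disclose what policy allows, counter-request what is missing)
# is a deliberate simplification of real ATN strategies.

# A party holds credentials plus the resource it offers, and has a release policy:
# for each item it may disclose, the set of the OTHER side's credentials that must
# already have been shown (empty set == "True"). Items without a policy entry are
# never released (default deny).
ALICE = {"name": "Alice", "holds": {"C_AIDS", "C_citizen"},
         "policy": {"C_AIDS": {"C_HIPAA"}, "C_citizen": set()}}
DHMC = {"name": "DHMC", "holds": {"C_HIPAA", "R"},
        "policy": {"R": {"C_AIDS", "C_citizen"}, "C_HIPAA": set()}}

def negotiate(requester, provider, resource, max_rounds=10):
    """Run ATN for `resource`; return (succeeded, transcript of (sender, message))."""
    sides = {requester["name"]: requester, provider["name"]: provider}
    peer = {requester["name"]: provider["name"], provider["name"]: requester["name"]}
    shown = {name: set() for name in sides}     # what each side has disclosed so far
    asked = {name: set() for name in sides}     # items currently requested from each side
    asked[provider["name"]].add(resource)
    transcript = [(requester["name"], f"req {resource}")]
    turn = provider["name"]
    for _ in range(max_rounds):
        me, them = sides[turn], peer[turn]
        disclosed, counter = [], set()
        for item in sorted(asked[turn]):
            need = me["policy"].get(item)
            if need is None or item not in me["holds"]:   # cannot or will not release
                return False, transcript + [(turn, f"refuse {item}")]
            missing = need - shown[them]
            if not missing:
                disclosed.append(item)
            else:                                  # ask only for what is not already pending
                counter |= missing - asked[them]
        shown[turn] |= set(disclosed)
        asked[turn] -= set(disclosed)
        asked[them] |= counter
        parts = [", ".join(disclosed)] if disclosed else []
        if counter:
            parts.append("counter req " + ", ".join(sorted(counter)))
        transcript.append((turn, "; ".join(parts)))
        if resource in shown[provider["name"]]:
            return True, transcript
        if not disclosed and not counter:          # stalemate: neither side can move
            return False, transcript
        turn = them
    return False, transcript
```

Running `negotiate(ALICE, DHMC, "R")` reproduces the six messages on the slide; an Alice without the citizen credential is refused as soon as it is requested, because the release policy, not the request, decides what leaves each party.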
7
• When a stranger asks to join, it is not always feasible to apply Automated Trust Negotiation (ATN) directly in collaboration systems.
– Reason: ATN handles only two-party cases, while in collaborations there are many entities. It would be very inefficient if the stranger performed 1-to-1 trust negotiations with every existing member.
– Our approach: take advantage of the trust relationships that roles imply.
Details in approach (1)
8
• Where the existing RT family does not work:
  – RT: role-based trust management.
  – In RT, roles are determined by and belong to a single party.
  – RT doesn't describe the requirements for assigning a role.
  – We add RTA to the RT family to do this. [Zhengyi Le et al. SecPerU05]
  • "A" stands for role assignment.
Details in approach (1)
[Figure: two ways into the group collaboration application (roles Lecturer, Program Coordinator, Secretary, Audience A, Audience B). Invitation path: a member, here a Professor, who personally knows the candidate ("I personally know her. She is another lecturer we want.") invites her; the answer is Yes or No. Request path: a stranger ("I am interested in joining this group. But I know nobody there.") sends a request to join, the group performs ATN, and the answer is Yes, Pending, or No.]
• Why use a role-based approach?
  – The roles imply some existing trust relationship.
  – A role could be viewed as an integration of some attributes.
9
• Our observation: there are three different kinds of requirements:
  • Attribute requirement
  • Identity requirement
  • Majority requirement
• RTA (1) Attribute requirement
  $R \leftarrow (A_1 \vee \cdots \vee A_i) \wedge (A_{i+1} \vee \cdots \vee A_j) \wedge \cdots$, where $A_i \in \mathcal{A}$ and $\mathcal{A}$ is the set of all the types of attribute certificates.
  e.g. $R_{Manager} \leftarrow (A_{MBA} \vee A_{DBA}) \wedge A_{Age>30}$
Details in approach (1)
10
Real World   →  Digital World
  True name  →  X.509 or PGP identity certificate
  Anonym     →  temporary X.509 certificate with pseudonyms, or SPKI certificate
  Proxy name →  SDSI certificate, or X.509 proxy certificate
• RTA (2) Identity requirement
  $R \leftarrow I.i$, where $I.i \in \{\text{truename}, \text{anonym}, \text{proxyname}\}$
  – Why do we support these three kinds of different identities?
    • In open environments, entities are independent and autonomous.
    • They define their own privacy and make decisions whether to join.
    • If we support only one kind of identity, we will lose some potential opportunities for collaboration.
Details in approach (1)
11
• RTA (3) Majority requirement
  $R \leftarrow (\alpha_1 R_1 \vee \cdots \vee \alpha_i R_i) \wedge (\alpha_{i+1} R_{i+1} \vee \cdots \vee \alpha_j R_j) \wedge \cdots$, where $\alpha_i \in [0,1]$ is the percentage of approvals from a specific role.
  For example:
  $R_{Chairman} \leftarrow (50\% R_{Prof} \vee 50\% R_{grad}) \wedge 50\% R_{trustee}$
Details in approach (1)
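A small evaluator for the three RTA requirement kinds, attribute, identity and majority, with the three rules from these slides encoded as data. This is an added example and not the authors' RTA implementation; the applicant/group data shapes and the role name "Member" for the identity rule are my assumptions.

```python
# Added example, not the authors' RTA implementation: a small evaluator for the
# three RTA requirement kinds (attribute, identity, majority). The three rules are
# the slides' examples; the applicant/group data shapes and the role name "Member"
# for the identity rule are my assumptions.

def attr(name, pred=lambda value: True):
    """Applicant presented an attribute certificate `name` whose value satisfies pred."""
    return lambda app, grp: name in app["attrs"] and pred(app["attrs"][name])

def ident(*kinds):
    """Applicant's identity kind is one of the listed ones (truename/anonym/proxyname)."""
    return lambda app, grp: app["identity"] in kinds

def majority(role, percent):
    """At least `percent` of the current holders of `role` approved the applicant.
    Integer percentages avoid float rounding (50% of 4 must be exactly 2)."""
    def check(app, grp):
        holders = [m for m, roles in grp["members"].items() if role in roles]
        if not holders:                      # nobody can vote: deny rather than default-allow
            return False
        approvals = sum(1 for m in holders if m in grp["approvals"])
        return approvals * 100 >= percent * len(holders)
    return check

def rule(*clauses):
    """R <- (a1 v a2 ...) ^ (b1 v ...) ^ ...; each clause is a list of OR'ed atoms."""
    return lambda app, grp: all(any(atom(app, grp) for atom in clause) for clause in clauses)

POLICIES = {   # the three rules from the slides
    "Manager": rule([attr("MBA"), attr("DBA")], [attr("Age", lambda v: v > 30)]),
    "Member": rule([ident("truename")]),
    "Chairman": rule([majority("Prof", 50), majority("grad", 50)], [majority("trustee", 50)]),
}

def may_assign(role, applicant, group):
    """True iff the group's policy for `role` is satisfied by this applicant and vote."""
    return POLICIES[role](applicant, group)

# Constructed sample data: an anonymous applicant holding a DBA and an Age certificate,
# and a group whose `approvals` set records who voted yes on this applicant.
APPLICANT = {"identity": "anonym", "attrs": {"DBA": True, "Age": 35}}
GROUP = {"members": {"p1": {"Prof"}, "p2": {"Prof"}, "p3": {"Prof"}, "p4": {"Prof"},
                     "g1": {"grad"}, "g2": {"grad"}, "t1": {"trustee"}, "t2": {"trustee"}},
         "approvals": {"p1", "p2", "t1"}}
```

With two of four professors and one of two trustees approving, the Chairman rule is satisfied exactly at the 50% boundary; a role with no current holders makes any majority clause fail rather than pass vacuously.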
12
Group Profile (shared data):
  – Group name
  – Mission description
  – Join requirements
  – Current time
  – A list of members (with their hierarchical or latticed roles)
  – A list of files (and associated policies)
Private Profile (private data):
  – Memberships
  – Personal certificates (and associated policies)
  – Files (and associated policies)
  – Local strategies
Group Profile has two parts: a publicly accessible part and a selectively accessible part.
Details in approach (2)
[Figure: an example Group Profile (shared data): group name, mission description, join requirements, current time; a list of members → Alice (Lecturer), Bob (TA), Carlo (Student); a list of files → final exam (lecturer only), grades (lecturer and TA), HW (all)]
13
• OC disseminates group profiles in a p2p fashion with two modes.
  – Passive mode: every on-line entity passively receives group profiles from its neighbor entities. In other words, every entity sends out its group profile to others periodically. The receiving party decides to accept or discard according to the timestamp and the version.
  – Active mode: an entity can actively send a request to update its group profile to its neighbor entities. This is the complementary mechanism to the passive mode, because an entity might show up at any time and then disconnect after several seconds.
Details in approach (2)
14
• Group members write policies to assign roles, e.g.
  – $R_{Manager} \leftarrow (A_{MBA} \vee A_{DBA}) \wedge A_{Age>30}$
  – $R \leftarrow \text{truename}$
  – $R_{Chairman} \leftarrow (50\% R_{Prof} \vee 50\% R_{grad}) \wedge 50\% R_{trustee}$
• Users (members or not) write policies to protect their own data (files, credentials, resources), e.g. for an AIDS patient:
  – P1: $C_{AIDS} \leftarrow C_{HIPAA}$
  – P2: $C_{citizen} \leftarrow \text{True}$
Details in approach (3)
15
• Proactive RSA in majority requirements
Details in approach (3)
RSA:
  $n = p \cdot q$, $\varphi(n) = (p-1)(q-1)$
  $e$ is relatively prime to $\varphi(n)$, $d = e^{-1} \bmod \varphi(n)$
  -------------------------------
  $M^d \bmod n = C$, $C^e \bmod n = M$
Proactive RSA: [Frankel et al. Crypto 97]
  $d = \sum_i d_i$
  ------------------------------
  $\prod_i M^{d_i} = M^{\sum_i d_i} = M^d \pmod n$, $C^e \bmod n = M$
• For example: $R_{Prof} \leftarrow 70\% R_{trustee}$
  – Generate an RSA key pair and distribute the private key shares among trustees, so that no one knows the entire private key. [Gilboa Crypto 99]
  – Only a subset (over 70%) of trustees can generate a valid complete signature for that public key.
  – Using this method our program can automatically collect votes and assign roles to an applicant according to the majority policy.
Another example: $R_{Prof} \leftarrow 100\% R_{trustee}$ (there are only two trustees)
Two-party Mediated RSA: [Zhengyi Le et al., in progress]
  $d = d_{u,0} + d_{s,0}$
  $d_{u,i} = d_{u,i-1} + r$, $d_{s,i} = d_{s,i-1} - r$
  ------------------------------
  $M^{d_{u,i}} \cdot M^{d_{s,i}} = M^d \pmod n$, $C^e \bmod n = M$
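The additive sharing and proactive refresh written out above, as an added example that is not the authors' code: $d = \sum d_i \pmod{\varphi(n)}$, each holder computes $M^{d_i}$, the partials multiply into $M^d$, and the two-party refresh $d_u + r$, $d_s - r$ is generalized to $k$ holders with a zero-sum random vector. The RSA parameters are constructed textbook values, far too small to be secure. Note that additive sharing needs every holder to take part; the "over 70% of trustees" threshold on the slide requires a threshold-sharing structure that this block does not implement, which the last assertion makes visible.

```python
# Added example (not the authors' code): additive sharing of the RSA private
# exponent d = sum(d_i) mod phi(n), per-holder partial signatures M^{d_i},
# and proactive refresh with a zero-sum random vector. Toy textbook parameters,
# constructed here and far too small to be secure.
import random
from functools import reduce

P, Q = 61, 53
N, PHI = P * Q, (P - 1) * (Q - 1)          # n = 3233, phi(n) = 3120
E = 17
D = pow(E, -1, PHI)                         # d = e^-1 mod phi(n) = 2753

def split_key(d, k, phi=PHI, rng=random):
    """Share d additively among k holders: k-1 random shares, the last one
    absorbs the remainder, so no single holder learns d."""
    shares = [rng.randrange(phi) for _ in range(k - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

def refresh(shares, phi=PHI, rng=random):
    """Proactive refresh (the d_u + r, d_s - r step for k holders): add a zero-sum
    random vector so the sum, hence d, is unchanged but old and new shares are
    unrelated; an attacker must compromise every holder within one period."""
    deltas = [rng.randrange(phi) for _ in range(len(shares) - 1)]
    deltas.append(-sum(deltas) % phi)
    return [(s + r) % phi for s, r in zip(shares, deltas)]

def partial_sign(m, d_i, n=N):
    """One holder's contribution M^{d_i} mod n; d_i never leaves the holder."""
    return pow(m, d_i, n)

def combine(partials, n=N):
    """prod M^{d_i} = M^{sum d_i} = M^d (mod n)."""
    return reduce(lambda a, b: a * b % n, partials, 1)

def verify(m, sig, e=E, n=N):
    """C^e mod n == M with the public key only."""
    return pow(sig, e, n) == m

def sign_with(shares, m):
    """Collect every holder's partial and combine them into the full signature."""
    return combine(partial_sign(m, s) for s in shares)
```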
16
Current Status of Our On-going Project
• Any entity can log on to OC with any name it wants.
• Collaborative groups can be created by any entity and are propagated in a P2P fashion.
[Screenshot: current collaborative groups and current online peers in OC]
17
Current Status of Our On-going Project
● OC currently supports simple operations on groups, roles and shared files.
[Screenshot: group operations, role operations and file operations]
18
Current Status of Our On-going Project
• OC supports simple roles. Currently, in order to obtain a role, the peer node needs to get the role password.
• OC supports file sharing in a P2P fashion. We are implementing role-based policies to secure file propagation.
[Screenshot: 4 roles in the CS25 group; a file shared among CS25 members]