
presentation 2012 11 12 - KTHbuc/PPC/Slides/accesscontrololeksandr.pdf ·...

Date post: 13-Jul-2020
Oleksandr Bodriagov, School of Computer Science and Communication, KTH The Royal Institute of Technology. XACML, ABAC, Privacy preserving access-controls
Transcript
Page 1:

Oleksandr Bodriagov

School of Computer Science and Communication, KTH - The Royal Institute of Technology

XACML, ABAC, Privacy preserving access-controls

Page 2:

Well-known access-control models:

Role Based Access Control (RBAC)

Attribute-based Access control (ABAC)

Mandatory Access Control (MAC)

Discretionary Access Control (DAC)

Page 3:

Discretionary Access Control (DAC)

every object has an owner

ACL-based or capability-based

Typical examples: Linux and Windows

+ Scalable

- uniformity of access for end-users with similar job functions could be diminished

- time consuming and cumbersome in a large environment

Page 4:

Mandatory Access Control (MAC)

Image: http://oreilly.com/catalog/csb/chapter/fig.03.03.gif

Page 5:

Mandatory Access Control (MAC)

security policy is centrally controlled

security label of the subject, security label of an object, type of access

Typical examples: Security-Enhanced Linux (SELinux), military

+ the chance for administrative error or social engineering is greatly reduced

- administrative nightmare in a dynamic and evolving environment.

http://www.sans.org/reading_room/whitepapers/sysadmin/role-based-access-control-nist-solution_1270

Page 6:

Role-Based Access Control (RBAC)

Image: http://www.mariofrank.net/MarioFrank_files/RBAC_toy_exampleHiRes.bmp

Page 7:

Role-Based Access Control (RBAC)

security policy is centrally controlled

users, roles, permissions, operations, and objects

Typical examples: Solaris, SELinux

+ individual administration of accounts is greatly reduced

- difficulty of setting up an initial role structure

- inflexibility in rapidly changing domains

http://www.sans.org/reading_room/whitepapers/sysadmin/role-based-access-control-nist-solution_1270

Page 8:

Attribute-based Access control (ABAC)

Image: http://seclab.web.cs.illinois.edu/wp-content/uploads/2011/03/abs.png

Page 9:

Attribute-based Access control (ABAC)

Subject has a set of attributes

Rules specify conditions under which access is granted or denied

Typical examples: Web services, IBM Tivoli

http://csrc.nist.gov/groups/SNS/rbac/documents/kuhn-coyne-weil-10.pdf

Page 10:

ABAC vs RBAC

http://csrc.nist.gov/groups/SNS/rbac/documents/kuhn-coyne-weil-10.pdf

        Set up effort   administration and user permission review
RBAC    Hard            Easy
ABAC    Easy            Hard

Page 11:

XACML

https://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html

XACML = access control policy language. It provides a syntax (defined in XML) for managing access to resources.

[Diagram labels: PEP, Protected resource, PDP, Request, Request / Decision]

Page 12:

XACML

http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf

Access control decision = f (a subject, a resource, and an action, and their attributes)

A <Policy> contains a set of <Rule> elements, and a rule-combining algorithm

A <Rule> contains:

• a target (the set of subjects, resources, actions and environments to which it applies)

• an effect ("Permit" or "Deny")

• a condition (refines the applicability of the rule beyond the predicates implied by its target)
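The rule structure above (target, effect, condition) and the role of the rule-combining algorithm, as an added Python sketch that is not part of the original slides. The names `Rule`, `pdp_decide`, `pep_allows` and the health-record policy are constructed for illustration, and `deny_overrides` uses a simplified precedence rather than the exact XACML 2.0 definition.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, Dict[str, object]]   # category -> attribute -> value

@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    target: Request                       # attributes that must all match
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        for category, attrs in self.target.items():
            for name, wanted in attrs.items():
                if req.get(category, {}).get(name) != wanted:
                    return "NotApplicable"
        try:
            return self.effect if self.condition(req) else "NotApplicable"
        except (KeyError, TypeError):     # attribute missing or malformed
            return "Indeterminate"

def deny_overrides(results: List[str]) -> str:
    # Simplified precedence: Deny > Indeterminate > Permit > NotApplicable.
    order = ("Deny", "Indeterminate", "Permit")
    return next((o for o in order if o in results), "NotApplicable")

def first_applicable(results: List[str]) -> str:
    return next((r for r in results if r != "NotApplicable"), "NotApplicable")

def pdp_decide(rules: List[Rule], combine, req: Request) -> str:
    return combine([rule.evaluate(req) for rule in rules])

def pep_allows(decision: str) -> bool:
    return decision == "Permit"           # anything else is refused

# Constructed policy: doctors may read records of their own patients;
# sealed records are denied to everyone.
POLICY = [
    Rule("Permit", {"subject": {"role": "doctor"}, "action": {"id": "read"}},
         lambda r: r["resource"]["patient"] in r["subject"]["patients"]),
    Rule("Deny", {"resource": {"sealed": True}}),
]

def request(role, patient, patients=None, sealed=False):
    subject = {"role": role} if patients is None else {"role": role, "patients": patients}
    return {"subject": subject, "action": {"id": "read"},
            "resource": {"patient": patient, "sealed": sealed}}

print(pdp_decide(POLICY, deny_overrides, request("doctor", "p1", ["p1"], sealed=True)))
```

The same sealed-record request yields "Permit" under `first_applicable`, which is why the combining algorithm is part of the policy rather than an implementation detail.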

Page 13:

http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf

Page 14:

http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf

XACML: request

Page 15:

Outsourced IT

Economy of scale

Privacy-Preserving access control

Full control over data

Privacy-preserving access control

Page 16:

Privacy-Preserving access control

The subject only learns whether or not access was granted

The provider learns only access frequencies for individual resources

• Hidden policies

• Hidden credentials

• Hidden access control decisions

Page 17:

Why it is important

Example: electronic health records

EHRs in the Cloud:

• Patients and doctors can access information whenever they want

• Easy to make it available for someone else

• In case of emergency, an emergency doctor can access all data

Drawback: Simple encryption of data does not stop provider from learning a lot of information…

Page 18:

Homomorphic cryptography Supported Access Control (HSAC)

Can combine with: DAC, MAC, RBAC, ABAC

Access to resources based on tickets = push sequence

[Diagram labels: PEP, Protected resource, PDP, Request ticket, ticket, Request resource {ticket}, resource, TLS tunnel]

Page 19:

Homomorphic cryptography Supported Access Control (HSAC)

Homomorphic container = general purpose CPU with random access memory that operates on encrypted inputs using encrypted programs and produces encrypted outputs.

• Program should be encrypted at assembly time using the public key of the owner.

• This machine program can model arbitrary functions.

• The homomorphic scheme allows injecting data into the memory image after it was transferred to provider.

• Plaintext should be encrypted with the owner’s public key

Page 20:

Homomorphic cryptography Supported Access Control (HSAC)

PDP Homomorphic container

Ticket is cryptographically signed by PDP

The subject has a private-public key pair used for encryption/decryption of homomorphic container

If one uses the same keys for container, there is a risk to be identified => for each request random pair.

credentialsKpub, RIDKpub, Kpub

Kpub

Page 21:

Homomorphic cryptography Supported Access Control (HSAC)

Result = encrypted (Kpub) and signed ticket. It should be extracted from the predetermined memory location and sent back to the subject. The subject then gives it to PEP.

Page 22:

Homomorphic cryptography Supported Access Control (HSAC)

If PEP and PDP collude, they can link a resource to some AC credentials

But neither PEP nor PDP would be able to deduce for whom and because of which policies access was granted.

Page 23:

Homomorphic cryptography Supported Access Control (HSAC)

Advantages

• Strong protection against malicious adversary: can learn key Kpub and launch DoS

• Strong protection against the provider

• Strong protection against the subject

Disadvantages

• Has very high computational complexity: simple integer addition takes a few minutes

Page 24:

Q & A

Page 25:

SAML: security assertion markup language

