
CHAPTER 4

Access Control

Objectives

Access Control Principle
Subject, Object and Access Right
Discretionary Access Control
Role-Based Access Control

Access Control

ITU-T Recommendation X.800 defines access control as follows:

The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
Access Control Policies

Access Control Policies:

1. Discretionary Access Control (DAC): the traditional access control policy; the decision depends on the identity of the requester.
2. Mandatory Access Control (MAC): originates from the requirements for handling military secret information.
3. Role-Based Access Control (RBAC): the most popular one; access is granted according to the roles held in the system.

Access Control Requirements

Subject: an entity capable of accessing objects;
typically held accountable for the actions it initiates;
often has three classes: owner, group, world.

Object: the resource to which access is controlled;
an entity used to contain and/or receive information,
such as records, files, databases.

Access right: describes the way in which a subject may access an object,
e.g. read, write, execute, delete, create, search.
Discretionary Access Control (DAC)

A scheme in which an entity may enable another entity to access some resource;
often provided using an access matrix.
Access Matrix

Consists of a two-dimensional matrix:

one dimension consists of the identified subjects that may attempt data access to the resources;
the other dimension lists the objects that may be accessed;
each entry in the matrix indicates the access rights of a particular subject for a particular object.

[Figure: access matrix, with the resources' dimension (Object) across the top and the users' dimension (Subject) down the side]
Access Matrix

The access matrix is implemented in one of two ways: as access control lists or as capability lists.

Access Control List Structure

Convenient and inconvenient (advantage / disadvantage):

ACLs are useful to determine which users have access to a specific resource.

ACLs are useless when it comes to determining the access rights available to a specific user.
Capability List Structure

Convenient and inconvenient (advantage / disadvantage):

Capability tickets are useful to determine the resources available to a specific user.

Capability tickets are useless when it comes to determining the list of users of a specific object (resource).
Authorization Table for Files

In order to counter the shortcomings of using ACLs and capability lists:

- We might use the authorization table.
- If we sort it according to the subject, we will have a list of the resources for each user.
- If we sort it according to the resource (object), we will have a list of the users for each resource.

[Figure: the same authorization table shown sorted according to subject and sorted according to object]
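The three structures described on the preceding slides (the access matrix, its ACL and capability-list views, and the authorization table sorted either way) as an added worked example in Python; this is not code from the lecture. The matrix contents, the subject names S1..S3 and the file names F1..F3 are constructed sample data.

```python
# Added example (not from the slides): one access matrix kept as a dict of
# dicts, with the ACL, capability-list and authorization-table views derived
# from it. All names and rights below are constructed sample data.

# A[subject][object] -> set of access rights (constructed).
ACCESS_MATRIX = {
    "S1": {"F1": {"read", "write"}, "F2": {"read"}},
    "S2": {"F1": {"read"}, "F3": {"read", "write", "execute"}},
    "S3": {"F2": {"read", "write"}},
}


def acl(matrix, obj):
    """Access control list for one object: one column of the matrix.
    Answers 'which users may access obj, and how?' directly, but says
    nothing about what any single user may do elsewhere."""
    return {subj: sorted(rights[obj])
            for subj, rights in matrix.items() if obj in rights}


def capability_list(matrix, subj):
    """Capability list for one subject: one row of the matrix.
    Answers 'what may subj access, and how?' directly, but cannot tell
    who else may access a given object."""
    return {obj: sorted(r) for obj, r in matrix.get(subj, {}).items()}


def authorization_table(matrix):
    """Flatten the matrix into (subject, right, object) rows, one per right.
    This single table can be sorted either way, which is the point of
    the authorization-table slide."""
    rows = []
    for subj, objs in matrix.items():
        for obj, rights in objs.items():
            for right in rights:
                rows.append((subj, right, obj))
    return rows


def sorted_by_subject(table):
    """Sorting by subject yields the list of resources for each user."""
    return sorted(table, key=lambda row: (row[0], row[2], row[1]))


def sorted_by_object(table):
    """Sorting by object yields the list of users for each resource."""
    return sorted(table, key=lambda row: (row[2], row[0], row[1]))


if __name__ == "__main__":
    print("ACL for F1:", acl(ACCESS_MATRIX, "F1"))
    print("Capabilities of S1:", capability_list(ACCESS_MATRIX, "S1"))
    print("Authorization table by object:")
    for row in sorted_by_object(authorization_table(ACCESS_MATRIX)):
        print("  ", row)
```

Note that `acl` and `capability_list` are just the two projections of the same matrix; neither can cheaply answer the other's question, which is why the authorization table, a flat list that is sorted on demand, is offered as the way round both limitations.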
Extended Access Control Matrix

Access matrix A, with the objects X along one dimension and the subjects S along the other; for example:

A[S1, F1] = Read
Access Control Function

From the functional point of view, a separate access control model is associated with each type of object.

The model evaluates each request from a subject to access an object, to determine whether the access right exists or not.

In this model the access control uses triggers as follows:

1. The subject S0 will send a request (read, write, ...) for object X.
2. The system will generate a message for the request (S0, requested right, X) to the X object controller.
3. The controller will check the access matrix A in order to check whether the requested right is in A[S0, X].
4. If it exists in the access matrix A, the process will be completed and permission will be given. If not, the access will be denied, and an alert will trigger the protection violation to display a warning!
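The four-step controller sequence above as an added Python example, not the lecture's own code: the object controller receives the (subject, right, object) request, looks up A[S0, X], and either completes the access or denies it and records a protection-violation alert. The matrix contents and the names S0, S1 and X are constructed sample data; the `ProtectionViolation` exception and the audit list are assumptions of this example.

```python
# Added example (not from the slides): the object controller's check of
# A[S0, X] with a protection-violation alert on denial. The matrix and all
# names are constructed sample data.
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# A[(subject, object)] -> set of rights (constructed).
A = {
    ("S0", "X"): {"read"},
    ("S1", "X"): {"read", "write"},
}


class ProtectionViolation(Exception):
    """Raised when the requested right is not present in A[S0, X]."""


def object_controller(matrix, subject, right, obj, audit_log):
    """Step 3 and 4: mediate one request (subject, right, obj) against matrix.
    Returns True when the right is in matrix[(subject, obj)]; otherwise
    appends an alert to audit_log, logs a warning and raises."""
    granted = matrix.get((subject, obj), set())   # unknown pair -> no rights
    if right in granted:
        audit_log.append(f"ALLOW {subject} {right} {obj}")
        return True
    audit_log.append(f"DENY {subject} {right} {obj}: protection violation")
    logging.warning("protection violation: %s requested %s on %s",
                    subject, right, obj)
    raise ProtectionViolation(f"{subject} may not {right} {obj}")


def request(matrix, subject, right, obj, audit_log):
    """Steps 1 and 2: the subject's request, routed to the object controller.
    Returns True if the access is completed, False if it was denied
    (the alert has already been recorded in audit_log)."""
    try:
        return object_controller(matrix, subject, right, obj, audit_log)
    except ProtectionViolation:
        return False


if __name__ == "__main__":
    log = []
    print(request(A, "S0", "read", "X", log))    # permitted
    print(request(A, "S0", "write", "X", log))   # denied, alert raised
    print("\n".join(log))
```

Two design points worth noticing: a missing entry is treated exactly like an empty set of rights (default deny), and the denial is recorded before control returns to the caller, so the alert exists even if the caller ignores the result.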
Example of Role Hierarchy

The roles of RBAC:

1. An upper role can inherit all the access rights of the lower role.

Project Lead has all the access rights of whom?

2. More than two roles can inherit from a subordinate role.

Production Engineer and Quality Engineer both inherit the Engineer's access rights.

3. In addition to that, a set of different roles might be assigned to the Production Engineers and the Quality Engineer.

4. That means two roles are now overlapping the same access rights.
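Points 1 to 4 above as an added Python example, not code from the lecture. It assumes the hierarchy Project Lead above Production Engineer and Quality Engineer, both above Engineer; the rights attached to each role are constructed sample data, and `effective_rights`, `overlapping_rights` and `with_additional_rights` are names chosen for this example.

```python
# Added example (not from the slides): role hierarchy with transitive
# inheritance of access rights. The hierarchy and the rights are assumed
# sample data for illustration.

# Rights assigned directly to each role (constructed).
DIRECT_RIGHTS = {
    "Engineer": {"read design docs"},
    "Production Engineer": {"update build schedule"},
    "Quality Engineer": {"sign off test report"},
    "Project Lead": {"approve release"},
}

# Role -> subordinate roles it inherits from (assumed hierarchy).
INHERITS_FROM = {
    "Production Engineer": {"Engineer"},
    "Quality Engineer": {"Engineer"},
    "Project Lead": {"Production Engineer", "Quality Engineer"},
}


def effective_rights(role, direct=DIRECT_RIGHTS, inherits=INHERITS_FROM):
    """Point 1: a role's own rights plus everything inherited, transitively,
    from its subordinate roles. A 'seen' set keeps a malformed hierarchy
    with a cycle from looping forever."""
    seen, stack, rights = set(), [role], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        rights |= direct.get(r, set())
        stack.extend(inherits.get(r, ()))
    return rights


def overlapping_rights(role_a, role_b, direct=DIRECT_RIGHTS,
                       inherits=INHERITS_FROM):
    """Point 4: the rights two roles have in common."""
    return (effective_rights(role_a, direct, inherits)
            & effective_rights(role_b, direct, inherits))


def with_additional_rights(direct, roles, new_rights):
    """Point 3: assign a further set of rights to several roles at once.
    Returns a new table; the input table is left unchanged."""
    updated = {r: set(v) for r, v in direct.items()}
    for r in roles:
        updated.setdefault(r, set()).update(new_rights)
    return updated


def can(role, right, direct=DIRECT_RIGHTS, inherits=INHERITS_FROM):
    """Authorization check: does role hold right, directly or by inheritance?"""
    return right in effective_rights(role, direct, inherits)


if __name__ == "__main__":
    for role in DIRECT_RIGHTS:
        print(f"{role}: {sorted(effective_rights(role))}")
    print("Overlap:", overlapping_rights("Production Engineer",
                                         "Quality Engineer"))
```

With this hierarchy the Project Lead's effective rights are a superset of both engineering roles' rights (point 1), the two engineering roles overlap on everything inherited from Engineer (point 2), and assigning a common extra right to both with `with_additional_rights` widens that overlap (points 3 and 4).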
