Professional Documents
Culture Documents
Authorization
Authorization
Brian Garback
Research Issues
Authentication
who are you?
quantification of trust levels
Mobile devices
what capabilities do you have?
can wireless be as secure as wired?
Authorization
given who you are, what can you do?
how do we control privileges?
Federation
how can trust be shared?
how to cross trust domain boundaries?
Itinerary
History of Access Control
Role-Based AC
Context-Based AC
Context-Aware AC
Permission Based Delegation Model
Authorization Specifications
CAAC WS-Policy Implementation
XACML
SAML
Specification-Level Goals
Access Control
History
RBAC
CBAC
CAAC
PBDM
Role-Based Access Control
What is “context”?
Circumstances in which an event occurs
Context
CT is an element of CS
OP is a logical operator in set {>, , , , , =}
VALUE is a specific value of CT
Definition 3: Authorization Policy
Clause 1 …… Clause n
condition …… condition
context type
A predicate of
context
implementation Evaluated by
2004 Security Infrastructure
Quick Review
assigned granted
RBAC User Role Permission
Context
CAAC:
dynamic specification and dynamic enforcement
of arbitrary access rules
separation of context implementation and the
main business logic of target applications.
Permission Based Delegation Model
PBDM0 Summary:
Multi-step temporal delegation
Two role types:
Regular Roles (RR)
Temporary Delegation
Roles (DTR)
Multi-step delegation and
revocation
Drawbacks:
1. No delegation limitations (risky)
2. No role-hierarchy
PBDM0 > RBDM
PBDM0 Summary:
Multi-step temporal delegation
Two role types:
Regular Roles (RR)
Temporary Delegation Roles (DTR)
Multi-step delegation and revocation
Drawbacks:
1. No admin delegation limitations (risky)
2. No role-hierarchy
PBDM1
Role-layers:
1. Regular Roles (RR)
cannot be delegated to other roles or users
RBDM:
Ambiguity btw admin
and delegation
PBDM:
supports role and
permission level
delegation
Partial revocation is
also possible
Authorization
Specifications
WS-Policy
XACML
SAML
Policy Specification
Security policies must be exchangeable across
domains
Hospital Pharmacy
Send presc
r ip t io n
o l i c y r e sponse
P
Requested License
i p t i o n a c ce pted
Pre sc r
Policy Specification
<wsp:Policy>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:DataType>PatientRecord</wsa:DataType>
<wsa:AccessType>Delete</wsa:AccessType>
<wsa:Permission>DeletePatientRecord</wsa:Permission>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:SubjectToken wsp:Usage="Required">
<wsse:TokenType>Medical Records Staff</wsse:TokenType>
</wsse:SubjectToken>
<wsp:OneOrMore wsp:Usage="Required">
<wsp:All>
<wsse:ContextToken wsp:Usage="wsp:GreatThan“ wsp:Preference="T(password)">
<wsse:ContextType>Trust Level</wsse:ContextType>
</wsse:ContextToken>
</wsp:All>
</wsp:OneOrMore>
XACML
Reconciles
Multiple policies
Multiple rules per policy
Multiple control decisions
Use a combining algorithm to combine multiple
decisions into a single decision
Use standard or customized algorithms
Policy Combining Algorithms—used by PolicySet
Rule Combining Algorithms—used by Policy
XACML – Policy Evaluation
SAML
Authentication Attribute Authorization
Assertion Assertion Decision
Assertion
System Application
Policy Enforcement
Entity Request
Point
Some common information in all
assertions
Issuer and issuance timestamp
Assertion ID
Subject
Name plus the security domain
Optional subject confirmation, e.g. public key
“Conditions” under which assertion is valid
SAML clients must reject assertions containing
unsupported conditions
Special kind of condition: assertion validity period
Additional “advice”
E.g., to explain how the assertion was made
Authentication assertion
An issuing authority asserts that:
subject S
was authenticated by means M
at time T
<saml:Assertion
MajorVersion=“1” MinorVersion=“0”
AssertionID=“128.9.167.32.12345678”
Issuer=“University of Virginia“
IssueInstant=“2003-12-03T10:02:00Z”>
<saml:Conditions
NotBefore=“2003-12-03T10:00:00Z”
NotAfter=“2003-12-03T10:05:00Z” />
<saml:AuthenticationStatement
AuthenticationMethod=“password”
AuthenticationInstant=“2003-12-
03T10:02:00Z”>
<saml:Subject>
<saml:NameIdentifier
SecurityDomain=“virginia.edu”
Name=“jim” />
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
Attribute assertion
<saml:Assertion …>
<saml:Conditions …/>
<saml:AuthorizationStatement
Decision=“Permit”
Resource=“http://www.amazon.com/purchase.htm”>
<saml:Subject>
<saml:NameIdentifier
SecurityDomain=“virginia.edu”
Name=“jim” />
</saml:Subject>
</saml:AuthorizationStatement>
</saml:Assertion>
SAML conceptual model
Policy Policy Policy
SAML
Authentication Attribute Authorization
Assertion Assertion Decision
Assertion
System Application
Policy Enforcement
Entity Request
Point
XACML & SAML
XACML & SAML are counterparts
XACML handles the access control policies and decisions
SAML handles the actual communication of authentication
and authorization requests and responses
E.g.
SAML used to assert authentication and authorization
attributes
XACML uses these assertions and evaluates the policies to
come to a decision
Research Questions
Dynamic interfaces per permission/role
Permission management for subobjects
Secondary role issues:
Constrained hierarchical roles
Permission-level constrained delegation
Revocation
Delegation extensions to XACML & SAML
Provide an access control interface