Decentralized Trust Management
Sandro Etalle
Jerry den Hartog
Organization
First lecture: Introduction
Remaining classes treat DTM topics based on research papers
Next week: Access Control Models
Then: Rule based Trust Management
Please check the website for papers to read
Overview
Why Trust Management?
Access Control Basics
Delegation & Certificates in Access Control
Logic in Access Control
Take-Grant models
Safety problem
Public key crypto, X.509 & PGP
Trust and Trust Management
Rule based TM
Reputation based TM
What is TM for?
Trust is needed to make decisions on interaction with other entities:
How much value to put in the information you get in this class.
Whether to give access to a resource.
The decision has to be made with incomplete information:
You do not know if all the information you get is actually correct and state-of-the-art.
You do not know how the resource will be used.
What is TM; how does it help you in your decision? Two classes of TM systems.
Rule based systems: trust in the role the entity plays. You trust the information given in this class because it is given by a teacher who has been assigned by the university, and you trust that the university selects suitable teachers.
You trust the university because it is a certified institution of higher learning.
You trust the certification body because it is appointed by the government …
Reputation systems: you trust the information because you have had earlier classes from the teacher that were good, and/or your friends tell you they had good classes from the teacher, or their friends tell them they had good classes, etc.
More on this later; first some basics: Access Control.
Controlling access to resources
Restrict access to `authorized’ users. Who decides?
The authority on the resource; delegation.
Who is authorized? Policies: who should have access; who do I trust with the resource.
Dynamicity: changes in intended users, policy, trust.
This course treats trust management and AC mechanisms.
Access Control Matrix
Captures the rights users have to resources. Example:
Students may read the grade list and read and run submitPaper.
The teacher may read and write the grade list and submitPaper. So we are done?

User    GradeList   SubmitPaper
Jerry   rw          rw
Joris   r           rx
Tim     r           rx
Access Control
Storage & implementation: e.g. split into lists, one linked to each resource (Access Control List), checked before use.
Maintenance, consistency: does it capture the intended policy (how to check?). Rights are not constant: who may change them; who checks consistency.

Access control matrix:
User    GradeList   SubmitPaper
Jerry   rw          rw
Joris   r           rx
Tim     r           rx

Access control list for SubmitPaper:
User    SubmitPaper
Jerry   rw
Joris   rx
Tim     rx
Role based access control (1)
Role (similar to `group’): Teacher, Student
Assign access rights to roles and roles to users. The added indirection makes for easier maintenance.

Role      GradeList
Teacher   rw
Student   r

Role      Users
Teacher   Jerry
Student   Joris, Tim

1) RBAC treated in more detail next week.
Role dependency (Role Hierarchies)
Roles are not all independent: University Employee, University Teacher.
Role hierarchies define roles in terms of other roles: Employee = Professor + Teacher + Administrative Staff + Support Staff. Employee rights are also granted to Professors.
Decentralized AC
Different authorities at different locations: the UT administrator does not control access to TU/e resources.
Different hierarchies for different locations: in NL a PhD student is a subrole of Employee; in the US a PhD student is a subrole of Student.
How to achieve access to distributed resources? E.g. the TU/e student list, a US student discount.
Delegation
Define your roles based on roles of other users:
Jerry.StudentsInMyClass = EducationOffice.RegisteredStudents2IF34
Trust Management issue: I trust the education office to define the registered student role. The education office may in turn trust the registration office to define the student role:
EducationOffice.RegisteredStudents2IF34 = RegistrationOffice.Student and WebServer.subscribed2IF34
Towards Rule based TM
Can specify `trust rules’ that link roles in different hierarchies. Difficulty: naming conventions (AIO – PhD student).
More fine grained control: different roles for different users/locations, e.g.
Jerry.StudentsInMyClass
Sandro.StudentsInMyClass
EducationOffice.RegisteredStudents2IF34
Why trust?
Trust is needed for cooperation: we cannot control the behaviour of other people/systems.
Basis of trust: own experience and the experience of others (reputation based TM); regulations; technical measures (see also next slide); taking a risk (risk vs benefit analysis when possible).
`Good’ behaviour slowly builds trust; `bad’ behaviour quickly lowers trust.
Why Trust (cont.)? Technical measures:
Create trust in computation taking place elsewhere, e.g. on someone else’s PC, or on a piece of hardware in the hands of another person.
Trusted computing platform: a hardware chip forms the base of a chain of trust – the chip checks signatures of programs to ensure they have not been altered, and can perform essential computation steps itself.
Smartcards allow protecting information and applications from the holder of the device (such as the Twente student card mentioned above).
Trust Management
Main TM classes:
Rule based TM, e.g. when based on regulations; trusted parties can be positively identified.
Reputation based TM, e.g. when based on behaviour and recommendations; trust ~ subjective probability of `correct’ behaviour.
Rule Based Trust Management
Example systems: Role based trust management (RT), SDSI/SPKI, …
Example scenario: “Student at accredited university gets discount”
Shop.Discount ← AccBody.Univ.Student
AccBody.Univ ← UT
UT.Student ← Alice
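The discount chain above and the EducationOffice rule from the delegation slide, worked through in code. This is an added example, not code from the lecture or from any RT implementation; the `A.r <- body` spelling and writing intersection as `and` are assumptions made here.

```python
# Added example (not the lecture's code): an RT0-style credential engine that
# derives role membership from "A.r <- body" credentials by iterating to a
# least fixed point. A body is a principal (B), a role (B.r1), a linked role
# (B.r1.r2) or an intersection written with "and" (B.r1 and C.r2).

def parse(cred):
    head, body = (s.strip() for s in cred.split("<-"))
    return head, [p.strip() for p in body.split(" and ")]

def eval_part(part, mem):
    """Principals currently known to satisfy one body part."""
    bits = part.split(".")
    if len(bits) == 1:                      # principal B: just itself
        return {part}
    if len(bits) == 2:                      # role B.r1: its current members
        return set(mem.get(part, ()))
    owner_role, linked = ".".join(bits[:2]), bits[2]   # linked role B.r1.r2
    out = set()
    for c in mem.get(owner_role, ()):       # every member C of B.r1 ...
        out |= set(mem.get(f"{c}.{linked}", ()))   # ... contributes C.r2
    return out

def solve(creds):
    """Map every defined role to its members (least fixed point)."""
    rules = [parse(c) for c in creds]
    mem = {head: set() for head, _ in rules}
    while True:
        before = {r: set(s) for r, s in mem.items()}
        for head, parts in rules:
            sets = [eval_part(p, mem) for p in parts]
            mem[head] |= set.intersection(*sets)   # "and" = intersection
        if mem == before:                   # nothing new derived: done
            return mem

# Constructed credentials: the lecture's discount chain plus its delegation
# slide, with Bob registered but not subscribed on the webserver.
CREDENTIALS = [
    "Shop.Discount <- AccBody.Univ.Student",
    "AccBody.Univ <- UT",
    "UT.Student <- Alice",
    "Jerry.StudentsInMyClass <- EducationOffice.RegisteredStudents2IF34",
    "EducationOffice.RegisteredStudents2IF34 <- "
    "RegistrationOffice.Student and WebServer.subscribed2IF34",
    "RegistrationOffice.Student <- Alice",
    "RegistrationOffice.Student <- Bob",
    "WebServer.subscribed2IF34 <- Alice",
]

if __name__ == "__main__":
    for role, who in sorted(solve(CREDENTIALS).items()):
        print(f"{role}: {sorted(who)}")
```

Bob ends up in RegistrationOffice.Student but not in Jerry.StudentsInMyClass, because the intersection with WebServer.subscribed2IF34 fails for him.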
Rule Based Trust Management
Distributed, open: each participant is an authority and issues credentials; participants can join and leave.
Delegation: entrust credentials of others.
Binary: a user is either fully trusted or not trusted.
Static trust level: no change based on the actions of the user.
Reputation System Example
eBay transaction feedback system
Recommendation systems
Example systems: eBay transaction feedback system, EigenTrust
Example scenario: “Users with good recommendations can buy a book”. A joint ordering action to get a bulk discount: more participants means more savings, but they do have to show up when the book arrives. Allow friends to join and/or recommend others to join.
Alice joins; Bob does not join but does recommend Charlie.
Reputation Based Trust Management
Main properties: distributed, open.
Each participant is an authority: it issues its own recommendations/feedback.
Delegation: place trust in the recommendations of others.
Multilevel and dynamic trust level: actions influence the level of trust.
Common features of Rule based TM and Reputation Systems
Combine information from different sources: trust sources providing information.
Openness: anyone can join or leave the system and issue credentials/recommendations.
It is up to the other participants to decide the trustworthiness of such credentials.
Differences between Rule based TM and Reputation Systems
Role of risk: in rule based systems certificates state facts. Reputation systems include intrinsic risk; reputation does not give any guarantees (“Results achieved in the past offer no guarantee for the future”).
Yes/No versus numerical.
Reputation changes with actions; the trust value is dynamic.
Back to specification of access rights
How to express and enforce a policy? The AC matrix captures only a snapshot for a single location. We also need to express the `rules’ that lead to these rights and how to update permissions, e.g. logic in access control, delegation, trust management.
Logic in Access Control
Express access control rules with logical formulas. Rights are expressed by predicates:
may-access(p,o,r): principal p has access right r to object o.
Basic rules can also be expressed: may-access(p,o,Wr) => may-access(p,o,Rd)
i.e. write access implies read access.
There are different ways to generalize this principle.
Logic in Access Control (2)
Complications of distributed systems: an often used construct is SAYS, for stating requests for delegation, e.g. p says may-access(q,o,r).
p says may-access(q,o,r) => ( may-access(p,o,r) => may-access(q,o,r) )
i.e. p can pass on a right to q only if p holds that right itself.
Expressing the intended policy
The AC matrix model is not expressive enough, e.g. it has no rules. Extend it and make it as strong as possible? Example: the Take-grant model, a graph model that adds delegation rules.
Take-Grant model
Use a directed graph to represent the access control matrix. An edge between a role and an object is labeled with a right (e.g. read/write). An edge between roles gives the relationship between the roles: can take the rights of / may grant rights to. Rules define how edges and nodes may be added to the graph.
Take-Grant Model example
[Figure: before – Alice has an R,W edge to File and Bob has a t (take) edge to Alice; after – Bob additionally has an R,W edge to File.]
Example of an application of the Take-rule: Bob takes Alice's read/write permission.
Safety problem
Can a subject obtain a right? Given the delegation rules and the initial permissions: can a given permission be granted?
Undecidable in general: it is not possible to create an algorithm that takes as input a set of rules and a starting configuration and always stops with the correct decision. (Equivalent to the Turing halting problem.)
Decidable in linear time if the set of delegation rules is fixed to the Take-grant model [Jone76].
Implications
Undecidability of safety shows the limits: an AC policy language cannot be too expressive if we want to efficiently decide whether users have a right, check safety properties before granting a right, and keep the complexity of understanding it manageable.
Difficulty: find an AC specification mechanism that is simple to understand, effectively computable and sufficiently expressive.
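As an added example (not from the lecture), the Take-rule application from the figure and the safety question posed on this slide, run as a brute-force closure over a small constructed graph. The create rule is left out so the state space is finite; this is exhaustive closure, not the linear-time decision procedure of [Jone76].

```python
# Added example (not from the lecture): exhaustive closure of the Take-Grant
# "take" and "grant" rules on a fixed graph, then the safety question
# "can subject s ever hold right r on object o?". The create rule is left out
# so the state space stays finite; this is brute-force closure, not the
# linear-time decision procedure of [Jone76].
from collections import defaultdict

TAKE, GRANT = "t", "g"   # edge labels for the two delegation rights

def add_rights(g, src, dst, rights):
    """Add rights to edge src->dst; report whether anything was new."""
    if rights <= g[(src, dst)]:
        return False
    g[(src, dst)] |= rights
    return True

def closure(edges):
    """edges: {(src, dst): set_of_rights}. Returns the graph after applying
    take and grant until no new edge can be derived."""
    g = defaultdict(set)
    for k, v in edges.items():
        g[k] |= set(v)
    changed = True
    while changed:
        changed = False
        snapshot = [(k, set(v)) for k, v in g.items() if v]
        for (x, y), xy in snapshot:
            for (a, z), az in snapshot:
                if TAKE in xy and a == y:
                    # take: x --t--> y and y --az--> z  gives  x --az--> z
                    changed |= add_rights(g, x, z, az)
                if GRANT in xy and a == x:
                    # grant: x --g--> y and x --az--> z  gives  y --az--> z
                    changed |= add_rights(g, y, z, az)
    return {k: v for k, v in g.items() if v}

def can_obtain(edges, subject, obj, right):
    """Safety question for this fixed configuration."""
    return right in closure(edges).get((subject, obj), set())

# Constructed graph: the lecture's figure (Alice holds R,W on File, Bob can
# take from Alice) plus a grant edge; Eve has no edges at all.
EDGES = {
    ("Alice", "File"): {"R", "W"},
    ("Bob", "Alice"): {TAKE},
    ("Carol", "File"): {"R"},
    ("Carol", "Dave"): {GRANT},
}

if __name__ == "__main__":
    for who in ("Bob", "Dave", "Eve"):
        print(who, "can read File:", can_obtain(EDGES, who, "File", "R"))
```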
Implementation: Certificates
Proof that you are a member of a role: a student card issued by the registration office.
More generally: a binding of properties to an identity (public key), signed by the certification authority (i.e. the issuer of the role Student).
Proof that a role is defined in a given way: the education office can issue a single certificate stating
EducationOffice.RegisteredStudents2IF34 = RegistrationOffice.Student and WebServer.subscribed2IF34
rather than giving a different certificate to each student.
Using Certificates
Use a chain of certificates to prove role membership: a student card to prove student status, a confirmation from the webserver to show registration, and a certificate of the education office to show the registration policy.
(Automatic) chain discovery can be difficult: who stores certificates, and where to look for certificates.
Examples of PKI & certificate systems
Public key crypto: a certificate links a public key to an identity. It may be signed by a certificate authority, with trust based on trust in the CA (web browsers), or by other users, with trust by numbers (PGP).
Examples of PKI/certificate based systems:
X.509 – certificates bind a public key to a name (string).
SPKI: PKI with a focus on authorization (rather than authentication), binding properties directly to public keys.
Kerberos: single sign on system; the user gets a `ticket’ for use of a service. A ticket is a form of certificate.
PGP: often used for encryption and signing of email. No central CAs for distribution of public keys.
Conclusions
Basics of decentralized trust management: distributed access control, delegation control.
Next week: a more detailed discussion of access control models. Please read the papers, see
http://www.win.tue.nl/~setalle/dtm/index.html
Recommended Reading
Decentralized Trust Management, M. Blaze et al.: the PolicyMaker trust management system; comparison with X.509 and PGP.
Formal Models for Computer Security, C. Landwehr: overview of classical data security notions and systems.