access control in a distributed object environment using
play

Access Control in a Distributed Object Environment Using XML and - PowerPoint PPT Presentation

Apr 05, 2023 •708 likes •959 views

Access Control in a Distributed Object Environment Using XML and Roles Jason Crampton and Hemanth Khambhammettu Information Security Group Royal Holloway, University of London Introduction Overview What are we doing? Ensuring

  1. Access Control in a Distributed Object Environment Using XML and Roles Jason Crampton and Hemanth Khambhammettu Information Security Group Royal Holloway, University of London

  2. Introduction – Overview • What are we doing? – Ensuring that access to protected resources in a distributed computing environment is restricted to appropriately authenticated and authorised users • Why is it important? – Web services – Complex heterogeneous systems in large enterprises • How are we doing it? – An architecture for authentication and authorisation – Authorisation uses role-based techniques – Components of architecture integrated by XML schema ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  3. Introduction – Objectives • Modularity – Independence of authentication and authorisation mechanisms – Independence of authorisation enforcement point and authorisation decision point – Avoid bottlenecks at decision and enforcement points – Promote inter-operability, scalability and extensibility • Avoid reliance on third-party trust mechanisms • Support for audit and delegation ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  4. Introduction – Access control • Access control protects resources from users – Access control lists (ACLs) defined for protected resources (Windows 2000, IBM RACF) – A resource’s ACL consists of entries defining which users and groups can access the object – Often difficult to administer in large enterprise Read? Authenticated Reference Protected Resource User Monitor ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  5. Introduction – RBAC • Role-based access control – associates each user with a set of roles – and associates each role with a set of permissions • Hence each user is indirectly associated with a set of permissions • Roles may form a hierarchy reflecting organisational structure • Scales well and simplifies administration ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  6. Components of architecture • Authentication engine – Creates authentication tokens • Interface – Access control enforcement point – Assesses the validity of authentication tokens, session certificates and access requests • Session manager – Creates session certificates – Only processes requests from the interface – Maintains information about role hierarchy and user-role assignment • Authorisation engine – Access control decision point – Only processes requests from the interface – Maintains information about permission-role assignment ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  7. XML schema • Authentication tokens – Contain user identity, public key of user, delegation information, lifetime of token • Session certificates – Contain issuer information, user identity, public key of user, lifetime of certificate, roles assigned to user, delegation information • Interface requests – Access requests (forwarded to authorisation engine) – Session certificate requests (forwarded to session manager) ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  8. Session creation (1) • User presents credentials to authentication engine Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  9. Session creation (2) • Authentication engine generates public/private key pair and sends private key to user Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  10. Session creation (3) • Authentication engine generates authentication token and sends it to interface Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  11. Session creation (4) • Interface sends authentication token to session manager Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  12. Session creation (5) • Session manager creates session certificate, encrypts it and sends it to user Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  13. Making an access request (1) • User sends session certificate and digitally signed access request to interface Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  14. Making an access request (2) • Interface verifies signature on access request and forwards access request to authorisation engine Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  15. Making an access request (3) • Authorisation engine decides whether request should be granted and sends decision to interface Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  16. Making an access request (4) • Interface enforces decision by returning either a handle to the resource or an error message Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  17. Updating session certificates • A session certificate is a static binding of a user identity to a set of roles • Validity of session certificate is sensitive to – Changes to the user-role assignment relation – Changes in the structure of the hierarchy • A user u could have been issued with a session certificate containing a role r and then have his assignment to a role r revoked – Any subsequent request by u to use a permission p assigned to r should be denied by the system ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  18. Updating session certificates (1) • Session manager sends revised certificate to interface in response to changes in role hierarchy or user-role assignment Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  19. Updating session certificates (2) • User makes access request Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  20. Updating session certificates (3) • Interface verifies signature, substitutes new session certificate and forwards request to authorisation engine which returns decision Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  21. Updating session certificates (4) • Interface enforces decision and sends revised session certificate to user Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  22. Delegation • Our architecture allows users to delegate their privileges to other users (whom they trust) • The ability to delegate privileges is – determined by the authentication engine – defined in the authentication token • Delegation element in session certificate determines – whether the certificate can be delegated – constrains the number of delegation certificates that can be created ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  23. Conclusions • The architecture provides – mutual authentication for user and target system – role-based authorisation – dynamic re-issue of session certificates – delegation • Future work to include – separation of duty – inter-domain authorisation ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

Recommend

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal Reference monitor Challenges of a distributed system Autonomy : Path from principal to an object may be long and convoluted. Size : Usually much

304 views • 29 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
Large-Scale Systems: WebOS Access to geographically distributed data-dissemination and

Large-Scale Systems: WebOS Access to geographically distributed data-dissemination and

CPSC-662 Distributed Computing Object-Oriented Distributed Technology Large-Scale Systems: WebOS Access to geographically distributed data-dissemination and computing resources. Resource discovery, persistent storage, process control,

276 views • 5 slides
Distributed Object Transactions Outline Transaction Principles Concurrency Control

Distributed Object Transactions Outline Transaction Principles Concurrency Control

Distributed Object Transactions Outline Transaction Principles Concurrency Control Two-Phase Commit Protocol Services for Distributed Object Transactions CORBA Transaction Service Microsoft Transaction Service Java

285 views • 10 slides
Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena Torroglosa, Alejandro Prez, Antonio G. Skarmeta NEC Laboratories Europe University of Murcia Presentation at W3C Workshop on Access Control Application

555 views • 9 slides
A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and V. Sassone MyThS Meeting, Venice, June, 14th, 2004 A Distributed Calculus for Role-Based Access Control p.1/18 RBAC Why: Role-Based Access

613 views • 36 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and

Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and

Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and M. Fernndez LIF , Marseille & Kings College London WTS2010, Nancy C. Bertolissi, M. Fernndez () Term rewriting for Access Control

1.04k views • 28 slides
Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning

Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning

IAB Workshop on Smart Object Security Paris, March 2012 Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning Schulzrinne I R T Columbia University Internet Real-Time Laboratory This work is

57 views • 5 slides
Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and Peter Sewell Computer Laboratory, University of Cambridge, U.K. Cassandra: Distributed Access Control Policies with Tunable Expressiveness p.

1.44k views • 20 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Medium Access Control for Distributed Systems Faeze Heydaryan Joint work with Yanru Tang

Medium Access Control for Distributed Systems Faeze Heydaryan Joint work with Yanru Tang

Medium Access Control for Distributed Systems Faeze Heydaryan Joint work with Yanru Tang Committee members: Prof. Rockey Luo Prof. Liuqing Yang Prof. Ali Pezeshki Prof. Haonan Wang Coordinated vs Distributed Communication Distributed

554 views • 27 slides
Object-Oriented Distributed Technology Objects Objects in Distributed Systems

Object-Oriented Distributed Technology Objects Objects in Distributed Systems

CPSC-662 Distributed Computing Object-Oriented Distributed Technology Object-Oriented Distributed Technology Objects Objects in Distributed Systems Requirements of Multi-User Applications Reading: Coulouris: Distributed

317 views • 4 slides
Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who

Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who

Advanced Linux File Permission Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who $ hostname $ whoami $ uname $ id $ date $ ps -aux Environment Variables Environment Settings of a

530 views • 25 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
Remote distributed objects Data and operations encapsulated in an object Operations implemented

Remote distributed objects Data and operations encapsulated in an object Operations implemented

Distributed Object-Based Systems Architecture Remote distributed objects Data and operations encapsulated in an object Operations implemented as methods grouped into interfaces Object offers only its interface to clients Object server is

894 views • 57 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Incremental Cost Consensus Algorithm in a Smart Grid Environment Y3.F.C1 Distributed Control of

Incremental Cost Consensus Algorithm in a Smart Grid Environment Y3.F.C1 Distributed Control of

Incremental Cost Consensus Algorithm in a Smart Grid Environment Y3.F.C1 Distributed Control of FREEDM System Ziang Zhang PI: Dr. Mo-Yuen Chow Department of Electrical and Computer Engineering North Carolina State University Raleigh, North

710 views • 33 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
A4: Insecure Direct Object References A4 Insecure Direct Object References General

A4: Insecure Direct Object References A4 Insecure Direct Object References General

A4: Insecure Direct Object References A4 Insecure Direct Object References General problem: Unrestricted Access A4: Data not properly protected A7: Functions not properly protected Examples Presentation-layer access control

506 views • 27 slides
Why team theory and distributed control? Many control tasks are naturally distributed, i.e. many

Why team theory and distributed control? Many control tasks are naturally distributed, i.e. many

Why team theory and distributed control? Many control tasks are naturally distributed, i.e. many controllers are supposed to work together in a team. G2 Vehicle dynamics Linear quadratic theory for distributed control G7 G14 G3

181 views • 4 slides
Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado Distributed Multimedia Applications Group (DMAG) Universitat Politcnica de Catalunya (UPC) W3C Workshop on Access Control Application Scenarios

712 views • 24 slides

More recommend