pki based access control with attribute
play

PKI based Access Control with Attribute on n users Application - PowerPoint PPT Presentation

Mar 03, 2023 •186 likes •407 views

Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nts admin admin rsity rsity s admin istrati istrati users consol depen istrati on on

  1. Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nt’s admin admin rsity rsity s admin istrati istrati users consol depen istrati on on idatio ding PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr r r r r r Card ID (CID) cr cr cr cr r r r Certificates for Data held on Smartcards Certificate card holder – encrypt (CHE) cwrv r cwr cwr rv Certificate card holder – sign (CHS) cwrv cwr cwr cwr rv Certificate card holder – auth (CHA) cwrv cwr cwr cwr rv Certificate Trust Center (CTC) cwrv cwr cwr cwr rv Lutz Suhrbier, Thomas Hildmann Date of Expire – Begin (DEB) cwr cwr cwr cwr r r r r r Date of Expire – End (DEE) cwr cwr cwr cwr r r r r r List of DES-Keys (DES) cw cw cw cw Technical University of Berlin AP CID CHE CHS CHA CTC DEB Card holder identification (OM) cr cr cr cr r r r c w r c r c w r v c w r v c w r v c w r v c w r p Research Center for Network and Multimedia Technology Status-group (PS) cwr cwr cwr cwr r r r Personal Identification Number (PIN) cw c c c w 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 PRZ / FSP-PV PIN Failure counter (FVZ) c c c c 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 Secret Key – encrypt (SKE) cwd cw cw d

  2. Content • Current problems – State of the art • An approach – Attribute certificates – Security level – Integration of security level into certificates • Implementation – Operating sequence : Data access • More advanced access control – Delegation of rights and credentials • Conclusion

  3. Current problems • State of the art – Access control using symmetric keys (common secret) – Problem of key-exchange (old known problems) – Only flat 1:1 mapping of permissions and keys – Keeping the keys secret – A compromise of a single key compromises the whole infrastructure – Can not be used on insecure terminals because of loosing the control of the key • How to realize access control using a public-key infrastructure?

  4. Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nt’s admin admin rsity rsity s admin istrati istrati users consol depen istrati on on idatio ding on n users Application Profile (AP) cwr cwr cwr cwr r r r r r Card ID (CID) cr cr cr cr r r r Certificate card holder – encrypt (CHE) cwrv r cwr cwr rv Certificate card holder – sign (CHS) cwrv cwr cwr cwr rv Certificate card holder – auth (CHA) cwrv cwr cwr cwr rv Certificate Trust Center (CTC) cwrv cwr cwr cwr rv Date of Expire – Begin (DEB) cwr cwr cwr cwr r r r r r Date of Expire – End (DEE) cwr cwr cwr cwr r r r r r List of DES-Keys (DES) cw cw cw cw Card holder identification (OM) cr cr cr cr r r r Status-group (PS) cwr cwr cwr cwr r r r Personal Identification Number (PIN) cw c c c w PIN Failure counter (FVZ) c c c c Secret Key – encrypt (SKE) cwd cw cw d Secret Key – sign (SKS) cs c c c s Secret Key – auth (SKA) cwa cw cw cw a

  5. Attribute certificates • Attribute certificates are just like public-key certificates with the following differences: – Instead of a public-key they contain structured data which can be used for role, group, access control or other mappings. – An attribute certificate is a binding of attribute data to a subject. – A public-key certificate is a binding of a public-key to a subject. – Both are signed by a certification authority which guarantees the correctness of the binding.

  6. Attribute Certificates vs. Public-Key Certificates attribute�certificate Public-key�certificate data data issuer issuer validity validity subject subject public-key attribute 1 attribute 2 signature signature

  7. We are using combined certificates attribute�certificate combined�certificate data data issuer issuer Public-key�certificate validity validity data subject subject issuer public-key attribute 1 validity attribute 2 subject attribute 1 public-key signature attribute 2 signature signature

  8. Security level AP CID CHE CHS CHA CTC DEB c w r c r c w r v c w r v c w r v c w r v c w r p 0 1 1 0 1 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 0 1 1 0 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 FV DEE DES OM PS PIN SKE SKS SKA Z c w r p c w e c r p c w r p c w c c w d c s c w a 0 1 1 0 0 0 0 0 1 0 0 1 1 0 0 0 0 0 0 0 0 1 0 0 0 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 09 08 07 06 05 04 03 02 01

  9. Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nt’s admin admin rsity rsity s admin istrati istrati users consol depen istrati on on idatio ding on n users Application Profile (AP) cwr cwr cwr cwr r r r r r Card ID (CID) cr cr cr cr r r r Certificate card holder – encrypt (CHE) cwrv r cwr cwr rv Certificate card holder – sign (CHS) cwrv cwr cwr cwr rv Certificate card holder – auth (CHA) cwrv cwr cwr cwr rv Certificate Trust Center (CTC) cwrv cwr cwr cwr rv Date of Expire – Begin (DEB) cwr cwr cwr cwr r r r r r Date of Expire – End (DEE) cwr cwr cwr cwr r r r r r List of DES-Keys (DES) cw cw cw cw AP CID CHE CHS CHA CTC DEB Card holder identification (OM) cr cr cr cr r r r c w r c r c w r v c w r v c w r v c w r v c w r p Status-group (PS) cwr cwr cwr cwr r r r Personal Identification Number (PIN) cw c c c w 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 PIN Failure counter (FVZ) c c c c 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 Secret Key – encrypt (SKE) cwd cw cw d Secret Key – sign (SKS) cs c c c s Secret Key – auth (SKA) cwa cw cw cw a

  10. Integration of security level into certificates • Security level is a base64 encoded bitmap concatenated to the subject name – No extensions are needed to a standard X.509v3 certificate – Subject names are clear text fields and are human readable without any needed of additional software cn=reregistration.tu-berlin.de,�o=Technische� Universitaet Berlin,�c=DE,�sl=00000001fAngkH08

  11. Operating sequence : Data access 1:�(req,�rcert)�=�sym_decrypt(cryptreq,�skey) 2:�verify_cert(rcert,�CTC) 3:�rpubkey =�extract_public_key(rcert) 4:�verify_data(req,�rpubkey) 5:�seclevel =�extract_seclevel(rcert) 6:�return =�execute_req(req,�seclevel) 7:�signedreturn =�sign(return,�SKA) 8:�cryptreturn =�asym_encrypt(signedreturn,�rpubkey)

  12. 1. The foreign-university requires access to data elements Foreign getData(x) University Home Smartcard University

  13. 2: Generate random number and send to foreign- university Foreign University 2:�reqestForCredential(rnd) Home Smartcard University 1:�rnd =�randomize()

  14. 3: forwarding request for credential Foreign University reqestForCredential (rnd,�getData(x)) Home Smartcard University

  15. 4: home-university is proving the permission Foreign University 3:�cred Home Smartcard University 1:�checkPermission(getData(x)) 2:�cred =�signCredential (HomeCERT,�rnd,� getData(x))

  16. 5: foreign-university is sending credential to smartcard Foreign University cred Home Smartcard University

  17. 6: validate rnd, check signature and security level, encrypt and return Foreign University 3:�cryptreturn Home Smartcard University 1:�(HomeCERT,�getData(x))�=�checkSignature(req) 2:�**�the�data�access�algorithm�as�see�before�** cryptreturn =�asym_encrypt(signedreturn,�HomeCERT)

  18. 7: foreign-university is sending the encrypted values to the home-university Foreign University cryptreturn Home Smartcard University

  19. 8: home-university decrypts and re-encrypts for foreign- university Foreign 3:�funiCryptedSignedX University Home Smartcard University 1:�signedX =�decrypt(HomePRIV,�cryptreturn) 2:�funiCryptedSignedX =�encrypt(ForeignUniCERT,� signedX)

  20. Conclusion • Using combined attribute-/public-key-certificates enables a flexible and effective protection of data elements on smartcards. • This infrastructure was implemented successfully at Technical University of Berlin. • There are solutions for environments constituted by several organisations with different access rights.

  21. For contact and further information / discussion • Lutz Suhrbier http://www.prz.tu-berlin.de/~lusu/ • Thomas Hildmann http://www.prz.tu-berlin.de/~hildmann/ • German Homepage of the Project Campuskarte http://campuskarte.tu-berlin.de/

Recommend

Strategies for Incorporating Delegation into Attribute-Based Access Control (ABAC) Sylvia L.

Strategies for Incorporating Delegation into Attribute-Based Access Control (ABAC) Sylvia L.

Strategies for Incorporating Delegation into Attribute-Based Access Control (ABAC) Sylvia L. Osborn Daniel Servos sylvia@csd.uwo.ca dservos5@uwo.ca Department of Computer Science The 9th International Symposium on Foundations & Practice

1.05k views • 75 slides
Development and deployment of integrated attribute based access control for collaboration

Development and deployment of integrated attribute based access control for collaboration

Development and deployment of integrated attribute based access control for collaboration Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications and user communities Virtual

368 views • 13 slides
HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control Sylvia L. Osborn

HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control Sylvia L. Osborn

HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control Sylvia L. Osborn Daniel Servos sylvia@csd.uwo.ca dservos5@uwo.ca Department of Computer Science The 7th International Symposium on Foundations & Practice of

1.05k views • 49 slides
Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control Daniel Servos Michael Bauer Western University Western University London, Ontario London, Ontario dservos5@uwo.ca bauer@uwo.ca November

511 views • 34 slides
Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos dservos5@uwo.ca Department of Computer Science Topics Survey/Proposal Daniel Servos TSP: ABAC February 10th 1 / 31 1. Talk Outline Outline 1 Background

1.23k views • 90 slides
Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank Morgner (Bundesdruckerei) Paul Bastian (Bundesdruckerei) Marc Fischlin (TU Darmstadt) 13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1

404 views • 22 slides
Semantic Attribute-Based Access Control An overview of the existing approaches Hamed Arshad

Semantic Attribute-Based Access Control An overview of the existing approaches Hamed Arshad

Semantic Attribute-Based Access Control An overview of the existing approaches Hamed Arshad Department of Informatics University of Oslo March 2018 Hamed Arshad (UiO) SABAC March 2018 1 / 25 Table of Contents Introduction 1

1.17k views • 74 slides
PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1 PERMIS Review A role-based access control infrastructure Uses X.509 attribute certificate (AC) to store users roles All access

397 views • 8 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of

Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of

Institute for Cyber Security Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of Texas at San Antonio 1 st Workshop on Attribute Based Access Control (ABAC

469 views • 26 slides
Access Control Enforcement Access Control Enforcement for Conversation- -based based for

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

375 views • 26 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of security administration p y y For large number of subjects and objects, the number of authorizations can become extremely large For dynamic

536 views • 51 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based access control Propagated access control lists May 31, 2005 ECS 235, Computer and Information Slide #1 Security Access Control Lists Columns

1.24k views • 80 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System Evaluation Criteria (TCSEC) Background MAC Mandatory Access Control Firm security levels DAC Discretionary Access Control Access

240 views • 6 slides
Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control Introduction to Computer Security Announcements intermission Day 11: OS security: higher assurance Stephen McCamant OS trust and assurance University

303 views • 9 slides
Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a programming language that is not memory safe. Without memory safety, there is no way to guarantee separation of memory used by different program

413 views • 30 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and V. Sassone MyThS Meeting, Venice, June, 14th, 2004 A Distributed Calculus for Role-Based Access Control p.1/18 RBAC Why: Role-Based Access

613 views • 36 slides

More recommend