

  1. Towards Standardization of Distributed Access Control
  Mario Lischka, Yukiko Endo (NEC Laboratories Europe)
  Elena Torroglosa, Alejandro Pérez, Antonio G. Skarmeta (University of Murcia)
  Presentation at W3C Workshop on Access Control Application Scenarios, 17./18. November 2009, Luxembourg

  2. Different types of policies
  • Different kinds of policies have been identified; they control
    • the privacy of the user's identity and his/her data, as well as
    • the interoperation between different participants.
  • Decisions cannot only be made locally but have to be aligned with policies in other domains.

  3. Overview
  • Example
  • Important Aspects
  • Proposed Architecture
  • Extension to Policy Language
  • Complexity of Evaluation
  • Conclusion

  4. Example of Deductive Policies
  • Access to the service provider requires
    • approval of the included service
    • access to additional values
  [Diagram: Service Provider, Operator and Additional Service, each with its own Access Control, plus the User's Attribute Provider and an Attribute Provider; attribute requests and access-control requests flow between them]
  • Decisions cannot only be made locally but have to be aligned with policies in other domains.

  5. Important Aspects
  • Authoritative Domain as new structuring entity
  • Hierarchical requests: circular dependencies among Authoritative Domains have to be avoided
  • Abstraction: details about the policies of other domains are not required
  • Independent: definition of policies
  • Adaptive: policies support dynamic references to other authoritative domains
  • Bridging: translation of local attribute names and value space into those of the referred ones
  • Transparency: the location of the referred domain with respect to end-points is not explicitly required inside a policy
  • Confidentiality: internal details on the rules and the attributes leading to the decision can be kept confidential
  [Diagram: Authoritative Domains A to E; Domain B holds Policy Sets B1, B2 and B3; depending on the resource, B2 refers to Domain D or E]

  6. Proposed Architecture
  Extension to the existing XACML architecture
  • Two new entities responsible for deducing
    • attributes (DPIP)
    • authorization requests (DPDP)
  • Messages are an extension of XACML

  7. Extension to XACML
  • Redefinition of PolicySet
  • Integration of distributed PolicyReference and local Policy through a (new) combining algorithm

  8. Complexity of the Evaluation
  • depending on the combining algorithm
    • local policies could be evaluated first, avoiding referred requests
    • parallel evaluation can be initiated (saving time)
  • a referred request takes extra communication time
  • referred Domains are always unique at evaluation time (e.g. in contrast to Datalog)
  • circular dependencies are avoided
  Complexity of the evaluation is not changed compared to XACML
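The following is an added illustration, not code from the slides or from the SWIFT project: a toy model of slides 5, 7 and 8. Each Authoritative Domain owns a PolicySet that mixes local policies with references to other domains; the combining algorithm (using XACML's standard deny-overrides / permit-overrides semantics) evaluates local policies first and only issues referred requests when the local result is not yet decisive; a bridging map renames local attributes into the referred domain's vocabulary and forwards nothing else; and a reference chain is tracked so that a circular dependency is rejected instead of looping. The domain names, attribute names, bridging maps and sample requests are all constructed for the example, and the DPDP/DPIP message exchange itself is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]


@dataclass
class LocalPolicy:
    name: str
    evaluate: Callable[[Request], str]  # request attributes -> decision


@dataclass
class PolicyReference:
    """Reference to another Authoritative Domain (constructed model, not the XACML schema).
    bridge maps local attribute names to the referred domain's names; only bridged
    attributes are forwarded, so the referred domain sees nothing else (abstraction)."""
    domain: str
    bridge: Dict[str, str]


@dataclass
class PolicySet:
    domain: str
    algorithm: str  # "deny-overrides" or "permit-overrides" (XACML standard names)
    local_policies: List[LocalPolicy]
    references: List[PolicyReference]


class CircularReference(Exception):
    pass


# The decision that settles the outcome as soon as it appears, per combining algorithm.
DECISIVE = {"deny-overrides": DENY, "permit-overrides": PERMIT}


def combine(algorithm: str, decisions: List[str]) -> str:
    first, second = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    if first in decisions:
        return first
    if second in decisions:
        return second
    return NOT_APPLICABLE


class Federation:
    """Holds one PolicySet per domain and counts referred (remote) requests."""

    def __init__(self, policy_sets: List[PolicySet]):
        self.policy_sets = {ps.domain: ps for ps in policy_sets}
        self.remote_requests = 0

    def decide(self, domain: str, request: Request, chain: Tuple[str, ...] = ()) -> str:
        if domain in chain:  # hierarchical requests: a cycle is rejected, never followed
            raise CircularReference(" -> ".join(chain + (domain,)))
        ps = self.policy_sets[domain]
        decisions: List[str] = []
        # Local policies first: a decisive local result avoids any referred request.
        for policy in ps.local_policies:
            decision = policy.evaluate(request)
            decisions.append(decision)
            if decision == DECISIVE[ps.algorithm]:
                return decision
        # Only now contact the referred domains, forwarding bridged attributes only.
        for ref in ps.references:
            bridged = {remote: request[local] for local, remote in ref.bridge.items() if local in request}
            self.remote_requests += 1
            decision = self.decide(ref.domain, bridged, chain + (domain,))
            decisions.append(decision)
            if decision == DECISIVE[ps.algorithm]:
                return decision
        return combine(ps.algorithm, decisions)


def build_federation() -> Federation:
    """Constructed three-domain setup mirroring slide 4: service provider, operator, additional service."""
    service_provider = PolicySet("service-provider", "deny-overrides",
        [LocalPolicy("customers-only", lambda r: PERMIT if r.get("role") == "customer" else DENY)],
        [PolicyReference("operator", {"account_state": "subscriber_status"}),
         PolicyReference("additional-service", {"plan": "service_level"})])
    operator = PolicySet("operator", "deny-overrides",
        [LocalPolicy("active-subscribers", lambda r: PERMIT if r.get("subscriber_status") == "active" else DENY)], [])
    additional = PolicySet("additional-service", "deny-overrides",
        [LocalPolicy("premium-plan", lambda r: PERMIT if r.get("service_level") == "premium" else DENY)], [])
    return Federation([service_provider, operator, additional])


def build_cyclic_federation() -> Federation:
    """Constructed misconfiguration: domain-a refers to domain-b, which refers back to domain-a."""
    a = PolicySet("domain-a", "permit-overrides", [], [PolicyReference("domain-b", {})])
    b = PolicySet("domain-b", "permit-overrides", [], [PolicyReference("domain-a", {})])
    return Federation([a, b])


def evaluate(domain: str, request: Request) -> Tuple[str, int]:
    """Return (decision, number of referred requests) for a fresh federation."""
    federation = build_federation()
    return federation.decide(domain, request), federation.remote_requests


def has_circular_reference(federation: Federation, domain: str) -> bool:
    try:
        federation.decide(domain, {})
    except CircularReference:
        return True
    return False


# Constructed sample requests in the service provider's local vocabulary.
CUSTOMER_REQUEST = {"role": "customer", "account_state": "active", "plan": "premium"}
GUEST_REQUEST = {"role": "guest", "account_state": "active", "plan": "premium"}
BASIC_PLAN_REQUEST = {"role": "customer", "account_state": "active", "plan": "basic"}

if __name__ == "__main__":
    for name, req in [("customer", CUSTOMER_REQUEST), ("guest", GUEST_REQUEST), ("basic", BASIC_PLAN_REQUEST)]:
        print(name, evaluate("service-provider", req))
    print("cycle detected:", has_circular_reference(build_cyclic_federation(), "domain-a"))
```

The guest request is denied by the local policy alone and triggers no referred request, which is the "local policies first" saving from slide 8; the customer requests need both referred domains under deny-overrides, so the extra cost is exactly the communication time of those two requests, not a deeper evaluation. The cyclic federation shows why slide 5 insists on acyclic references: the chain check turns an otherwise unbounded recursion into an immediate error.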

  9. Conclusion
  • Deductive policies could be used to bridge different domains
    • distribute decisions
    • access to remote attributes
  • Authoritative Domain provides a new abstraction level
    • avoiding the undecidability problem of Datalog
    • integration into the existing XACML standard
    • extra communication costs, but no general increase of evaluation complexity
  • Application of Deductive Policies in various prototypes of the EU FP7 project SWIFT
