INSTITUTE FOR CYBER SECURITY 1 Enforcement Architecture and Implementation Model for Group-Centric Information Sharing © Ravi Sandhu Ram Krishnan (George.


1 INSTITUTE FOR CYBER SECURITY
Enforcement Architecture and Implementation Model for Group-Centric Information Sharing
Ram Krishnan (George Mason University)
Ravi Sandhu (Univ. of Texas at San Antonio)
© Ravi Sandhu

2 PEI Models: 3 Layers/5 Layers

3 Secure Information Sharing (SIS)
- A fundamental problem in cyber security
  - Share but protect
- Current approaches not satisfactory
  - Traditional models (MAC/DAC/RBAC) do not work
  - Recent approaches
    - Proprietary systems for Enterprise Rights Management
      - Many solutions: IBM, CA, Oracle, Sun, Authentica, etc.
      - Interoperability is a major issue
    - Many languages have been standardized
      - XrML, ODRL, XACML, etc.
    - Primarily, dissemination or object centric

4 Dissemination Centric Sharing
- Attach attributes and policies to objects
  - Objects are associated with sticky policies
  - Policy language standards such as XrML and ODRL provide sticky policies
[Figure: Dissemination Chain with Sticky Policies on Objects. Users: Alice, Bob, Charlie, Jake, John. Each hop carries an Object with its Attribute + Policy Cloud; the users have an Attribute Cloud.]

5 Group-Centric Sharing (g-SIS)
- Advocates bringing users & objects together in a group
  - In practice, co-exists with dissemination centric sharing
[Figure: user states Never Group User, Current Group User, Past Group User, with Join and Leave transitions; object states Never Group Object, Current Group Object, Past Group Object, with Add and Remove transitions.]
- Two useful metaphors
  - Secure Meeting/Document Room
    - Users' access may depend on their participation period
    - E.g. Program committee meeting, Collaborative Product Development, Merger and Acquisition, etc.
  - Subscription Model
    - Access to content may depend on when the subscription began
    - E.g. Magazine Subscription, Secure Multicast, etc.

6 g-SIS Policy Model
[Figure: GROUP containing Users (Join, Leave) and Objects (Add, Remove), with the decision Authz (S,O,R)?]

7 Enforcement Model Objectives
- Allow offline access
- Assumes a Trusted Reference Monitor (TRM)
  - Resides on group user's access machine
  - Enforces group policy
  - Synchronizes attributes periodically with server
- Objects available via Super-Distribution
  - Encrypt objects using group key and distribute
  - Other users with access to group key may access

8 g-SIS Architecture
[Figure: g-SIS architecture. Entities: CC, GA, Group Users (each with a TRM), Non-Group User (with a TRM), Object Cloud. Users obtain object o from the Object Cloud. Labelled steps follow.]
- 1.1 Request Join {AUTH = FALSE}
- 1.2 Authz Join {AUTH = TRUE}
- 1.3 User Join {AUTH = TRUE}, Integrity Evidence
- 1.4 Provision Credentials {id, Join_TS, Leave_TS, ORL, gKey, N}
- 2.1 Add Object o
- 2.2 Distribute o
- 3. Read Objects
- 4.1 Request Refresh
- 4.2 Update Attributes
- 5.1 Remove User (id)
- 5.2 Set Leave-TS (u) = Current Time
- 6.1 Remove Object (o)
- 6.2 Update:
  - a. Remove_TS (o) = Current Time
  - b. ORL = ORL ∪ {id, Add_TS (o), Remove_TS (o)}
User Attributes: {id, Join-TS, Leave-TS, ORL, gKey}
Object Attributes: {id, Add-TS}
ORL: Object Revocation List
gKey: Group Key
Authz (s,o,r) -> Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & o NotIn ORL
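
The Authz rule and the refresh, remove-user and remove-object steps above, as an added example (not code from the presentation): a minimal model of the TRM's local attribute copy, showing that a removed user keeps offline access until the next refresh. Class and function names, ids and timestamps are constructed, and the ORL is reduced to object ids.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class TrmAttrs:
    """TRM-local copy of the user attributes {id, Join-TS, Leave-TS, ORL}."""
    uid: str
    join_ts: int
    leave_ts: Optional[int] = None              # None models Leave-TS = NULL
    orl: Set[str] = field(default_factory=set)  # simplified: object ids only

@dataclass
class ControlCenter:
    """Authoritative state at the CC (hypothetical minimal model)."""
    leave_ts: Dict[str, int] = field(default_factory=dict)
    orl: Set[str] = field(default_factory=set)

    def remove_user(self, uid: str, now: int) -> None:   # step 5.2
        self.leave_ts[uid] = now

    def remove_object(self, oid: str) -> None:           # step 6.2
        self.orl.add(oid)

    def refresh(self, attrs: TrmAttrs) -> None:          # steps 4.1 / 4.2
        attrs.leave_ts = self.leave_ts.get(attrs.uid)
        attrs.orl = set(self.orl)

def authz(s: TrmAttrs, oid: str, add_ts: int) -> bool:
    """Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & o NotIn ORL"""
    return add_ts > s.join_ts and s.leave_ts is None and oid not in s.orl

def scenario() -> Dict[str, Dict[str, bool]]:
    cc = ControlCenter()
    user = TrmAttrs("u1", join_ts=100)
    objects = {"o1": 50, "o2": 150, "o3": 160}   # constructed ids and Add-TS values
    def view() -> Dict[str, bool]:
        return {oid: authz(user, oid, ts) for oid, ts in objects.items()}
    out = {"joined": view()}            # o1 was added before the join: denied
    cc.remove_object("o3")
    cc.refresh(user)
    out["o3_removed"] = view()          # ORL reached the TRM: o3 denied
    cc.remove_user("u1", now=200)
    out["offline_stale"] = view()       # CC changed, TRM copy has not: o2 still readable
    cc.refresh(user)
    out["after_refresh"] = view()       # Leave-TS is set: everything denied
    return out
```

The `offline_stale` phase is the revocation window; its length is bounded by how often the TRM refreshes.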

9 Super Vs Micro-distribution in g-SIS
- Super-Distribution (SD)
  - Single key for all group users
  - Encrypt once, access where authorized
  - Total offline access except periodic refresh times
- Micro-Distribution (MD)
  - CC shares a key with each user in the group
  - Initial access requires CC participation
    - CC custom encrypts using key shared with user
  - Subsequent accesses can be offline as allowed by TRM
[Figure: Super-Distribution in g-SIS. Parties: User, Object Cloud, CC, Author. Labels: C = Enc (o, K); Add (C); Set Add_TS for o; Distribute (C); Get (o); Provide (C); Read o and Store C Locally.]
[Figure: Micro-Distribution in g-SIS. Parties: User, CC, Author. Labels: Encrypt o with key k1 shared with CC (C = Enc (o, k1)); Add (C); Dec (C, k1), Set Add_TS for o and Store Locally; Encrypt o with key k2 shared with User (C' = Enc (o, k2)); Get (o); Provide (C'); Store C' Locally; Dec (C', k2).]

10 Super Vs Micro-Distribution (contd)

11 Protocols

12 Background (Trusted Computing)
- Trusted Computing
  - An industry standard/alliance
    - Proposed by Trusted Computing Group
  - Basic premise
    - Software alone cannot provide an adequate foundation for trust
  - TCG proposes root of trust at the hardware level using a Trusted Platform Module or TPM

13 Background (TPM)
- Trusted storage for keys
  - Encrypt user keys with a chain of keys
  - Storage Root Key (SRK) is stored in TPM & never exposed
- Trusted Capabilities
  - Operations exposed by the TPM
  - Guaranteed to be trustworthy
- Platform Configuration Registers (PCR)
  - Hardware registers used to store integrity of software (e.g. boot-chain)

14 Background (TPM Capabilities)
- Seal
  - Data/Key coupled with a PCR value encrypted with SRK
- Unseal
  - Data/Key will be decrypted by the TPM only if current PCR value matches that of PCR value in sealed blob
- CertifyKey
  - Create a key pair
  - Private key is sealed to a PCR value
  - Public key signed by TPM only if Private part is non-migratable
  - Private part available in the future only if future PCR value matches the PCR value at seal time
  - Third parties can encrypt data with public key
    - Data can be decrypted only under known PCR state
    - Data can be decrypted only using the same TPM that created the key (non-migratable)
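
The Seal/Unseal behaviour listed above, as an added software model (not code from the presentation and not a TPM API): a key sealed to a PCR value is released only by the same model TPM in the same measured state. HMAC-SHA256 from the standard library stands in for encryption under the SRK, PCRs use the standard extend rule with SHA-256 as an assumption, and `ModelTPM`, `measure` and `try_unseal` are hypothetical names.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). A PCR is never written directly."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(chain) -> bytes:
    pcr = bytes(32)                       # PCR starts at zero on reset
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class ModelTPM:
    """Software model only; HMAC-SHA256 stands in for encryption under the SRK."""
    def __init__(self, boot_chain):
        self._srk = os.urandom(32)        # Storage Root Key, never exposed
        self.pcr = measure(boot_chain)

    def _pad(self, nonce: bytes, pcr: bytes) -> bytes:
        return hmac.new(self._srk, b"enc" + nonce + pcr, hashlib.sha256).digest()

    def _tag(self, nonce: bytes, pcr: bytes, ct: bytes) -> bytes:
        return hmac.new(self._srk, b"mac" + nonce + pcr + ct, hashlib.sha256).digest()

    def seal(self, data: bytes, pcr: bytes):
        if len(data) > 32:
            raise ValueError("model seals one short key")
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._pad(nonce, pcr)))
        return nonce, pcr, ct, self._tag(nonce, pcr, ct)

    def unseal(self, blob) -> bytes:
        nonce, pcr, ct, tag = blob
        if not hmac.compare_digest(tag, self._tag(nonce, pcr, ct)):
            raise ValueError("blob was not sealed by this TPM")
        if pcr != self.pcr:
            raise PermissionError("current PCR differs from PCR in sealed blob")
        return bytes(a ^ b for a, b in zip(ct, self._pad(nonce, pcr)))

def try_unseal(tpm: ModelTPM, blob) -> str:
    try:
        tpm.unseal(blob)
        return "released"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__
```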

15 Join (Authorization)

16 Join (Provisioning)

17 Object Add

18 Object Read

19 Attribute Refresh

20 Leave and Remove
[Figure panels: User Leave; Object Remove]

21 Conclusion
- Group-Centric Vs Dissemination-Centric Sharing
- Super Vs Micro-Distribution approach in g-SIS
- g-SIS Architecture supports both SD and MD
- Offline access realizable due to Trusted Computing
- Future Work
  - Investigate Implementation Model
  - Read-Write Access
  - Multiple Groups

