Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authorization. Authorization: Two Meanings Determining permission Is principal P permitted to perform action A on object U? Adding permission P is now.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Authorization. Authorization: Two Meanings Determining permission Is principal P permitted to perform action A on object U? Adding permission P is now."— Presentation transcript:

1 Authorization

2 Authorization: Two Meanings Determining permission Is principal P permitted to perform action A on object U? Adding permission P is now permitted to perform action A on object U In this course, we use the first sense

3 Access Control Who is permitted to perform which actions on what objects? Access Control Matrix (ACM) Columns indexed by principal Rows indexed by objects Elements are arrays of permissions indexed by action In practice, ACMs are abstract objects

4 Instantiations of ACMs Access Control Lists (ACLs) For each object, list principals and actions permitted on that object Corresponds to rows of ACM Example: Kerberos admin system

5 Instantiations of ACMs Capabilities For each principal, list objects and actions permitted for that principal Corresponds to columns of ACM Example: Kerberos restricted proxies The Unix file system is an example of…?

6 Problems Permissions may need to be determined dynamically Time System load Relationship with other objects Security status of host

7 Problems Distributed nature of systems may aggravate this ACLs need to be replicated or centralized Capabilities don’t, but they’re harder to revoke Approaches GAA Agent-based authorization

8 Agent-Based Authorization When object created on a host H, agent Q created along with it Agents distributed to clients Either directly, or through agent server Client on host G instantiates agent for principal P, submits it to H as Q/P@G

9 Agent-Based Authorization Relieves scaling issues with ACLs Q is typically mobile code and data Needs to be integrity-protected May be confidentiality-protected Agent environment on H must be trusted

10 Revocation in Agent-Based Systems Timeout-based Harder for malicious agents Hosts must send RCLs to other hosts and/or principals Must maintain their own RCL to restrict or deny incoming agents

Download ppt "Authorization. Authorization: Two Meanings Determining permission Is principal P permitted to perform action A on object U? Adding permission P is now."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.

Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.

Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.

Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.
A RELOAD Usage for Distributed Conference Control (DisCo) – update – draft-knauf-p2psip-disco-00 draft-knauf-p2psip-disco-00 Alexander Knauf, Gabriel Hege,

A RELOAD Usage for Distributed Conference Control (DisCo) – update – draft-knauf-p2psip-disco-00 draft-knauf-p2psip-disco-00 Alexander Knauf, Gabriel Hege,
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.

How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
8.2 Discretionary Access Control Models Weiling Li.

8.2 Discretionary Access Control Models Weiling Li.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security.

Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
 Authentication o Something you know (password) o Something you have (smartcard) o Something about you (iris scan)  Password authentication o To protect.

 Authentication o Something you know (password) o Something you have (smartcard) o Something about you (iris scan)  Password authentication o To protect.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Copyright © 1995-2007 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.

19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
Application Layer At long last we can ask the question - how does the user interface with the network?

Application Layer At long last we can ask the question - how does the user interface with the network?
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Similar presentations

Ads by Google