INSTITUTE FOR CYBER SECURITY
Enforcement Architecture and Implementation Model for Group-Centric Information Sharing
Ram Krishnan (George Mason University)
Ravi Sandhu (University of Texas at San Antonio)
© Ravi Sandhu
PEI Models: 3 Layers/5 Layers
Secure Information Sharing (SIS)
- A fundamental problem in cyber security: share but protect
- Current approaches are not satisfactory
  - Traditional models (MAC/DAC/RBAC) do not work
- Recent approaches
  - Proprietary systems for Enterprise Rights Management
    - Many solutions: IBM, CA, Oracle, Sun, Authentica, etc.
    - Interoperability is a major issue
  - Many languages have been standardized: XrML, ODRL, XACML, etc.
  - Primarily dissemination- or object-centric
Dissemination-Centric Sharing
- Attach attributes and policies to objects
- Objects are associated with sticky policies
- Policy language standards such as XrML and ODRL provide sticky policies
[Figure: Dissemination Chain with Sticky Policies on Objects. The object passes from Alice to Bob to Charlie to Jake to John; at each hop it carries its own Attribute + Policy Cloud, alongside an Attribute Cloud.]
Group-Centric Sharing (g-SIS)
- Advocates bringing users and objects together in a group
- In practice, co-exists with dissemination-centric sharing
[Figure: lifecycle states. Users: Never Group User --Join--> Current Group User --Leave--> Past Group User. Objects: Never Group Object --Add--> Current Group Object --Remove--> Past Group Object.]
- Two useful metaphors
  - Secure Meeting/Document Room: users' access may depend on their participation period. E.g. program committee meeting, collaborative product development, merger and acquisition, etc.
  - Subscription Model: access to content may depend on when the subscription began. E.g. magazine subscription, secure multicast, etc.
g-SIS Policy Model
[Figure: Users Join and Leave the GROUP; Objects are Added to and Removed from it. The policy question is Authz(S, O, R)?]
Enforcement Model Objectives
- Allow offline access
- Assumes a Trusted Reference Monitor (TRM)
  - Resides on the group user's access machine
  - Enforces group policy
  - Synchronizes attributes periodically with the server
- Objects available via super-distribution
  - Encrypt objects using the group key and distribute
  - Other users with access to the group key may access
g-SIS Architecture
[Figure: participants are the CC, the GA, Group Users (each with a TRM), a Non-Group User (with a TRM) and the Object Cloud. Message flows, numbered as in the figure:]
- 1.1 Request Join {AUTH = FALSE} (from the non-group user's TRM)
- 1.2 Authz Join {AUTH = TRUE}
- 1.3 User Join {AUTH = TRUE}, Integrity Evidence
- 1.4 Provision Credentials {id, Join_TS, Leave_TS, ORL, gKey, N}
- 2.1 Add Object o
- 2.2 Distribute o (to the Object Cloud)
- 3. Read Objects: a group user's TRM obtains object o from the Object Cloud
- 4.1 Request Refresh
- 4.2 Update Attributes
- 5.1 Remove User (id)
- 5.2 CC: Set Leave-TS(u) = Current Time
- 6.1 Remove Object (o)
- 6.2 CC: Update a. Remove_TS(o) = Current Time; b. ORL = ORL ∪ {id, Add_TS(o), Remove_TS(o)}
Attributes:
- User Attributes: {id, Join-TS, Leave-TS, ORL, gKey}
- Object Attributes: {id, Add-TS}
- ORL: Object Revocation List; gKey: Group Key
Authorization rule:
Authz(s,o,r) -> Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & o NotIn ORL
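The authorization rule and the remove/refresh flows above, as an added example that is not part of the slides: a toy TRM in Python that holds the slide's user and object attributes and decides reads with exactly that rule. Timestamps, user and object names are constructed; the ORL is modelled as a dict keyed by object id, as in step 6.2.

```python
# Added example (not from the slides): toy TRM evaluating the architecture slide's rule
#   Authz(s,o,r) -> Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & o NotIn ORL
# Timestamps are integers; the ORL maps object id -> (Add_TS, Remove_TS) as in step 6.2.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class UserAttrs:  # provisioned by the CC at join (step 1.4), refreshed in step 4.2
    uid: str
    join_ts: int
    leave_ts: Optional[int] = None
    orl: dict = field(default_factory=dict)

@dataclass
class ObjectAttrs:
    oid: str
    add_ts: int

def authz_read(s, o) -> bool:
    """TRM decision: may user s read object o under its current (possibly stale) attributes?"""
    if s.leave_ts is not None:   # Leave-TS(s) != NULL: the user has left the group
        return False
    if o.oid in s.orl:           # o NotIn ORL fails: the object has been revoked
        return False
    return o.add_ts > s.join_ts  # subscription semantics: only objects added after join

def cc_remove_object(cc_orl, o, now) -> None:
    """CC step 6.2: set Remove_TS(o) and put the object on the ORL."""
    cc_orl[o.oid] = (o.add_ts, now)

def trm_refresh(s, cc_orl) -> None:
    """Steps 4.1/4.2: the TRM pulls the CC's current ORL into its local copy."""
    s.orl = dict(cc_orl)

def scenario() -> list:
    """Join, add, offline read, remove, refresh, leave; returns the decisions in order."""
    cc_orl = {}
    alice = UserAttrs("alice", join_ts=10)
    old = ObjectAttrs("o1", add_ts=5)    # constructed: added before Alice joined
    new = ObjectAttrs("o2", add_ts=20)   # constructed: added after Alice joined
    out = [authz_read(alice, old), authz_read(alice, new)]   # [False, True]
    cc_remove_object(cc_orl, new, now=30)
    out.append(authz_read(alice, new))   # True: the TRM has not refreshed, so o2 is still readable
    trm_refresh(alice, cc_orl)
    out.append(authz_read(alice, new))   # False once the ORL arrives
    alice.leave_ts = 40                  # step 5.2, delivered by a later refresh
    out.append(authz_read(alice, old) or authz_read(alice, new))   # False
    return out
```

The third decision is the point to notice: a removed object stays readable on an offline TRM until the next refresh, so the refresh period is the bound on how long a revocation can lag.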
Super vs Micro-Distribution in g-SIS
- Super-Distribution (SD)
  - Single key for all group users
  - Encrypt once, access where authorized
  - Total offline access except at periodic refresh times
- Micro-Distribution (MD)
  - CC shares a key with each user in the group
  - Initial access requires CC participation
  - CC custom-encrypts using the key shared with the user
  - Subsequent accesses can be offline as allowed by the TRM
[Figure: Super-Distribution in g-SIS (Author, CC, Object Cloud, User)]
- Author: C = Enc(o, K); Add(C)
- CC: Set Add_TS for o; Distribute(C)
- User: Get(o); Object Cloud: Provide(C); User reads o and stores C locally
[Figure: Micro-Distribution in g-SIS (Author, CC, User)]
- Author: encrypt o with key k1 shared with the CC (C = Enc(o, k1)); Add(C)
- CC: Dec(C, k1), set Add_TS for o and store locally
- User: Get(o)
- CC: encrypt o with key k2 shared with the User (C' = Enc(o, k2)); Provide(C')
- User: store C' locally; Dec(C', k2)
Super vs Micro-Distribution (contd.)
Protocols
Background (Trusted Computing)
- Trusted Computing: an industry standard/alliance proposed by the Trusted Computing Group
- Basic premise: software alone cannot provide an adequate foundation for trust
- TCG proposes a root of trust at the hardware level using a Trusted Platform Module (TPM)
Background (TPM)
- Trusted storage for keys
  - Encrypt user keys with a chain of keys
  - The Storage Root Key (SRK) is stored in the TPM and never exposed
- Trusted capabilities
  - Operations exposed by the TPM
  - Guaranteed to be trustworthy
- Platform Configuration Registers (PCRs)
  - Hardware registers used to store the integrity of software (e.g. the boot chain)
Background (TPM Capabilities)
- Seal: data/key coupled with a PCR value and encrypted with the SRK
- Unseal: data/key decrypted by the TPM only if the current PCR value matches the PCR value in the sealed blob
- CertifyKey
  - Create a key pair; the private key is sealed to a PCR value
  - Public key signed by the TPM only if the private part is non-migratable
  - Private part available in the future only if the future PCR value matches the PCR value at seal time
  - Third parties can encrypt data with the public key
    - Data can be decrypted only under a known PCR state
    - Data can be decrypted only using the same TPM that created the key (non-migratable)
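Seal/Unseal and PCR binding as described above, as an added software simulation that is not part of the slides and does not talk to a real TPM. PCR extend uses the real TPM rule (PCR := H(PCR || H(measurement))); the SRK value, the HMAC-based keystream and the boot-chain measurements are constructed stand-ins for the TPM's own cryptography.

```python
# Added example (not from the slides): a software simulation of the Seal/Unseal
# semantics above and of PCR extend. The 'SRK' and the HMAC keystream are
# constructed stand-ins for the TPM's cryptography; nothing here uses a real TPM.
import hashlib, hmac

class SimulatedTPM:
    def __init__(self, srk: bytes):
        self._srk = srk           # storage root key: held inside the TPM, never exported
        self.reset()

    def reset(self) -> None:
        self.pcr = bytes(32)      # a PCR starts at all zeros on platform reset

    def extend(self, measurement: bytes) -> bytes:
        """PCR_new = SHA-256(PCR_old || SHA-256(measurement)); order-sensitive, one-way."""
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(measurement).digest()).digest()
        return self.pcr

    def _keystream(self, pcr: bytes, n: int) -> bytes:
        # constructed stand-in: SRK-keyed HMAC in counter mode, bound to the PCR value
        out = b""
        for ctr in range((n + 31) // 32):
            out += hmac.new(self._srk, pcr + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def seal(self, data: bytes) -> tuple:
        """Seal: couple data with the current PCR value and encrypt under the SRK."""
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(self.pcr, len(data))))
        return (self.pcr, ct)     # the sealed blob records the PCR value it is bound to

    def unseal(self, blob: tuple):
        """Unseal: release plaintext only if the current PCR equals the sealed PCR."""
        sealed_pcr, ct = blob
        if sealed_pcr != self.pcr:
            return None           # platform state differs from seal time: refuse
        return bytes(a ^ b for a, b in zip(ct, self._keystream(self.pcr, len(ct))))

def measured_boot(tpm: SimulatedTPM, components: list) -> bytes:
    """Reset the PCR and extend it with each boot-chain component in order."""
    tpm.reset()
    for c in components:
        tpm.extend(c)
    return tpm.pcr

# constructed sample measurements for a trusted boot chain ending in the TRM
GOOD_CHAIN = [b"bootloader-v1", b"kernel-v1", b"trm-v1"]
```

Sealing gKey after booting GOOD_CHAIN and then rebooting with a patched TRM, or with the same components in a different order, yields a different PCR and unseal refuses; a second SimulatedTPM with its own SRK cannot recover the plaintext from the blob either, which is the non-migratable property.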
Join (Authorization)
Join (Provisioning)
Object Add
Object Read
Attribute Refresh
Leave and Remove
- User Leave
- Object Remove
Conclusion
- Group-centric vs dissemination-centric sharing
- Super vs micro-distribution approach in g-SIS
- g-SIS architecture supports both SD and MD
- Offline access realizable due to Trusted Computing
- Future work
  - Investigate implementation model
  - Read-write access
  - Multiple groups