Unified Identity for Access Control Carl Ellison 7 April 2011 IDtrust.


Slide 1: Unified Identity for Access Control. Carl Ellison, 7 April 2011, IDtrust.

Slide 2: Trust Insiders

Slide 3: Instruct Outsiders
"This electronic message contains information from the law firm of _________. The contents may be privileged and confidential and are intended for the use of the intended addressee(s) only. If you are not an intended addressee, note that any disclosure, copying, distribution, or use of the contents of this message is prohibited. If you have received this in error, please delete this message and any attachments and contact me at __________.com."

Slide 4: Enforcement by Technical Means
Specific access control:
– Account login
– Session with cached ID(s)
– ACLs on files
Simple ACL, one per file:
– List of IDs of those permitted to access the file
– If one of your cached IDs matches one on the ACL, then you get access.

Slide 5: Simple ACL (figure not transcribed)

Slide 6: (figure not transcribed)

Slide 7: Simple ACL (figure not transcribed)
N users, M files. Work = bNM; b = 30 sec; N = 5e4; M = 3e5; Work ≈ (value not transcribed) man-yrs

Slide 8: Add Named Group (figure not transcribed)
N users, M files. Work = b(N+M); b = 30 sec; N = 5e4; M = 3e5; Work ≈ 73 man-wks

Slide 9: Directory Inheritance (figure not transcribed)
N users, M files. Work = b(N+1); b = 30 sec; N = 5e4; M = 3e5; Work ≈ 10 man-wks
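The three cost formulas from slides 7 to 9, worked through in Python as an added example (not part of the original slides). It assumes a man-week of 40 hours and a man-year of 50 such weeks, which reproduces the 73 and 10 man-week figures on slides 8 and 9 and supplies the man-year figure that did not survive transcription on slide 7.

```python
# Administrator effort for the three ACL designs on slides 7-9.
# b = seconds per ACL entry, N = number of users, M = number of files.
# Assumed units (not stated on the slides): 40-hour man-week, 50-week man-year.
HOURS_PER_WEEK = 40
WEEKS_PER_YEAR = 50

# Defaults are the slides' parameters: b = 30 sec, N = 5e4, M = 3e5.
B_DEFAULT, N_DEFAULT, M_DEFAULT = 30, 50_000, 300_000


def work_seconds(design: str, b: float = B_DEFAULT, n: int = N_DEFAULT,
                 m: int = M_DEFAULT) -> float:
    """Total seconds of administrator time for one of the three designs."""
    if design == "simple_acl":
        # One entry per (user, file) pair: slide 7, Work = bNM.
        return b * n * m
    if design == "named_group":
        # Each user added to the group once, group put on each file once: slide 8, b(N+M).
        return b * (n + m)
    if design == "inheritance":
        # Each user added once, one ACL on the top directory that propagates: slide 9, b(N+1).
        return b * (n + 1)
    raise ValueError(f"unknown design {design!r}")


def work_weeks(design: str, **params) -> float:
    """Effort in man-weeks under the assumed 40-hour week."""
    return work_seconds(design, **params) / 3600 / HOURS_PER_WEEK


def work_years(design: str, **params) -> float:
    """Effort in man-years under the assumed 50-week year."""
    return work_weeks(design, **params) / WEEKS_PER_YEAR


if __name__ == "__main__":
    print(f"simple ACL:        {work_years('simple_acl'):,.0f} man-years")
    print(f"named group:       {work_weeks('named_group'):.0f} man-weeks")
    print(f"directory inherit: {work_weeks('inheritance'):.0f} man-weeks")
```

The ratio between the first two designs is the whole argument of the slides: per-file ACLs scale with the product N·M, while a named group scales with the sum, and directory inheritance removes the M term altogether.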

Slide 10: Machinery To Do ACLs and Groups
Security IDs (SIDs), implemented within the OS. Each OS does it differently, but I'll use a subset of Windows™ as the example here:
– It is very common.
– It includes both group definitions and directory inheritance.

Slide 11: Group Definition in Windows™ Today
SID = (Domain ID, Relative ID) = (D, R)
– Each SID has a printable name, local to the Domain, but we don't deal with that here.
Same SID format for individuals and groups. An ACL is a list of SIDs; a Group is a list of SIDs.
Groups are defined in Active Directory™ by:
– "(D, R1) is member of (D, R2)"
– only a domain administrator of D may make or delete that definition.

Slide 12: Multiple Projects (figure not transcribed)

Slide 13: Equivalent Graph
Same graph, but fewer links, so less cost.

Slide 14: Groups as Org Chart
Nested named groups allow us to capture the relevant levels of an org chart, for example:
– Software Developers
  – Core Operating System
    – File system
    – Scheduler
    – Crypto
  – Shell
    – Explorer
    – Control Panel
It is often easier to express policies in terms of those org chart groups rather than individuals. If we want RBAC, we can express roles as SIDs, using the group machinery.

Slide 15: Scopes
On the resource side, we can also lump files together in groups of resources, called scopes.
– This can be done with directories, if all files are on one machine, with propagation of ACLs down the directory structure.
– If the files span multiple machines, then scopes can be defined using the group mechanism, as we show in our examples here.

Slide 16: Groups and Scopes (figure not transcribed; panels labelled "Groups" and "Scopes")

Slide 17: Pretty Good Stuff
With the machinery we have today, we get SIDs for IDs, groups, roles and scopes. Groups and scopes can be nested as deeply as we want. We can represent an org chart with nested groups. We can represent a project hierarchy of files with nested scopes. So, what's the problem?

Slide 18: Multiple Organizations (figure not transcribed)

Slides 19 to 25: Crossing Organization Boundaries (sequence of figures, not transcribed)

Slide 26: Group Definition – Review
SID = (Domain ID, Relative ID) = (D, R). D is a globally unique ID; R is unique within D.
Same format SIDs for individuals and groups. An ACL is a list of SIDs; a Group is a list of SIDs.
Groups are defined in Active Directory™ today by:
– "(D, R1) is member of (D, R2) says D"

Slide 27: Extended Group Definition
SID = (D, R), as before. D is a globally unique ID or a public key.
Group membership is defined by:
– "(D1, R1) is a member of (D2, R2) says D2"
When the Ds differ, we express the red links from that graph.
– The administrator of D2 has the responsibility for making or deleting that definition.
– If D2 is a public key, then "says D2" is a digital signature, and this group membership statement can be a certificate or SAML token.

Slide 28: Extensions
With just what we've presented so far, we get what we need most: efficient and secure groups, roles and attributes across organization boundaries, without anything special for federation. However, there are other extensions that are easy to provide in this scheme:
– Attribute-value pairs
– Root stores, cross-certification and bridges
– Group definition expressions with ∪, ∩, etc.

Slide 29: Attribute, Value Pairs
Giving a user an attribute A and value V makes her a member of the group of all users who have attribute A and value V. Like all other names, A should be a SID: (D, R). So, generalize the SID:
– From (D, R)
– To (D, R, V), which stands for (A, V) = ((D, R), V)
We can say, for example:
– "(K_S) is a member of (K_CA, Eva) says K_CA"
– "(K_CA, Eva) is a member of (K_1, Age, 15) says K_1"
– "((K_1, Age) < 21) is a member of (K_2, Minor) says K_2"
– This user's SIDs include: (K_S), (K_CA, Eva), (K_1, Age, 15), (K_2, Minor)

Slide 30: Notation Summary
Use "∈" to mean "is a member of".
Let (D, R) mean (D, R, *). Let (D) mean (D, *).
D can be a public key, so we can write:
– (K, R, V)
– (K, R)
– (K)
"(K_S) ∈ (K_DoD, Clearance, SECRET) says K_DoD"

Slide 31: Root Stores and Bridge CAs
X.509 gives us "(K_S) ∈ (K_CA, DN) says K_CA". But we don't define groups with:
– "(K_CA, DN) ∈ (D, R) says D"
Instead, we say:
– "DN ∈ (D, R) says D"
To capture this behavior in our notation, we have to create a new symbol (the slide's glyph did not survive transcription; it is written ROOT here) and say:
– "(ROOT, DN) ∈ (D, R) says D"
– where ROOT means "some K in the local root store, or descended from the store by a chain of CA certificates or cross-certificates"
This introduces vulnerabilities (cf. the Comodo RA attack) but matches current practice.

Slide 32: Group Definition Expressions
Groups defined as above are of the form:
– Group = SID_1 ∪ SID_2 ∪ SID_3 ∪ … ∪ SID_N
Groups can be defined by other expressions:
– ∩ as well as ∪
– "(K_1, R_1) ∩ (K_2, R_2) ∈ (K_3, R_3) says K_3"
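A runnable model of the group machinery from slides 27, 29, 30 and 32, with the nested org-chart groups of slide 14 and the cached-SID ACL check of slide 4, written in Python as an added example; it is not code from the original slides. A SID is the triple (D, R, V) with None standing for the slides' "*"; a membership statement carries its "says" issuer and is honoured only when that issuer owns the group's D. The K_* and D_org identifiers are placeholders; where the issuer is a key, the model assumes the certificate or SAML token signature has already been verified and only checks who is entitled to make the statement.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable, Union

# A SID is (D, R, V): D a domain id or public key (placeholder strings here),
# R a relative id, V an attribute value. None plays the slides' "*", so
# (D, R) == (D, R, None) and (D) == (D, None, None).
SID = tuple


def sid(d, r=None, v=None) -> SID:
    return (d, r, v)


def matches(pattern: SID, concrete: SID) -> bool:
    """Wildcard components of the pattern match anything; the rest must be equal."""
    return all(p is None or p == c for p, c in zip(pattern, concrete))


@dataclass(frozen=True)
class Predicate:
    """Slide 29's '((K1, Age) < 21)': an attribute SID plus a test on its value."""
    attribute: SID
    test: Callable[[object], bool]


@dataclass(frozen=True)
class Intersection:
    """Slide 32's 'A ∩ B': the member must hold every listed part."""
    parts: tuple


Member = Union[SID, Predicate, Intersection]


@dataclass(frozen=True)
class Membership:
    """'member ∈ group says issuer'. Signature verification is assumed done."""
    member: Member
    group: SID
    says: object


def authorised(stmt: Membership) -> bool:
    """Slide 27: only the domain or key that owns the group may define its members."""
    return stmt.says == stmt.group[0]


def holds(member: Member, sids: set) -> bool:
    """Does a principal holding `sids` satisfy the member side of a statement?"""
    if isinstance(member, Predicate):
        return any(matches(member.attribute, s) and s[2] is not None
                   and member.test(s[2]) for s in sids)
    if isinstance(member, Intersection):
        return all(holds(part, sids) for part in member.parts)
    return any(matches(member, s) for s in sids)


def expand(principal: SID, statements: Iterable[Membership]) -> set:
    """Closure of the principal's SIDs under the authorised statements: the set a
    session caches at login (slide 4). Unauthorised statements are ignored."""
    accepted = [s for s in statements if authorised(s)]
    sids = {principal}
    changed = True
    while changed:  # nested groups (slide 14) need repeated passes
        changed = False
        for st in accepted:
            if st.group not in sids and holds(st.member, sids):
                sids.add(st.group)
                changed = True
    return sids


def permitted(acl: Iterable[SID], sids: set) -> bool:
    """Slide 4: access is granted if any cached SID matches an ACL entry."""
    return any(matches(entry, s) for entry in acl for s in sids)


# Constructed sample statements; K_* and D_org are placeholders, not slide values.
K_S, K_CA, K1, K2, K3, K_DOD, D_ORG = "K_S", "K_CA", "K1", "K2", "K3", "K_DoD", "D_org"
STATEMENTS = [
    # slide 29
    Membership(sid(K_S), sid(K_CA, "Eva"), says=K_CA),
    Membership(sid(K_CA, "Eva"), sid(K1, "Age", 15), says=K1),
    Membership(Predicate(sid(K1, "Age"), lambda v: v < 21), sid(K2, "Minor"), says=K2),
    # slide 30
    Membership(sid(K_S), sid(K_DOD, "Clearance", "SECRET"), says=K_DOD),
    # slide 32: intersection of two cross-organisation groups
    Membership(Intersection((sid(K_CA, "Eva"), sid(K_DOD, "Clearance", "SECRET"))),
               sid(K3, "R3"), says=K3),
    # slide 14: nested org-chart groups inside one domain
    Membership(sid(K_CA, "Eva"), sid(D_ORG, "FileSystem"), says=D_ORG),
    Membership(sid(D_ORG, "FileSystem"), sid(D_ORG, "CoreOS"), says=D_ORG),
    Membership(sid(D_ORG, "CoreOS"), sid(D_ORG, "SoftwareDevelopers"), says=D_ORG),
    # self-asserted claim: K_S tries to place itself in K2's group; ignored
    Membership(sid(K_S), sid(K2, "Adult"), says=K_S),
]


def eva_sids() -> set:
    """The SID set the session for key K_S would cache."""
    return expand(sid(K_S), STATEMENTS)


if __name__ == "__main__":
    for s in sorted(eva_sids(), key=str):
        print(s)
    print(permitted([sid(D_ORG, "SoftwareDevelopers")], eva_sids()))
```

The `authorised` check is the security-relevant line: every statement is evaluated against who signed it, so a principal can hold SIDs issued by several organizations (K_CA, K1, K_DoD, D_org) without any of them being able to place her in another's group. The ACL entry `(K1, Age)` with a wildcard value matches `(K1, Age, 15)`, which is how a policy written in terms of an attribute name rather than a value is expressed.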

Slide 33: Good News, Bad News
The good news is that none of this (except possibly group definition expressions) requires anything new in protocols or over-the-wire data structures.
– Claims-based IDPs should be able to handle all this.
The bad news is that none of this is achievable merely by defining a new protocol or wire data structure. This requires changes inside an OS, file server or PDP.

Slide 34: Not covered in these slides (for time), but the designs exist
Level of Assurance
– Applied at each node and edge in the graph
– Carried by an attribute for use in access decisions
Human readable names
Human interface tools
Certificate chain discovery
Authorization decision logic
– We're just providing the material for that decision.

Slide 35: Feedback and Discussion Welcome
Send any comments or questions to:
– (address not transcribed)
and/or
– (address not transcribed; sometimes drops mail)