Presentation is loading. Please wait.

Presentation is loading. Please wait.

By Jyh-haw yeh Department of Computer Science Boise State University.

Published byAsher Winterton Modified over 9 years ago

Similar presentations

Presentation on theme: "By Jyh-haw yeh Department of Computer Science Boise State University."— Presentation transcript:

1 By Jyh-haw yeh Department of Computer Science Boise State University

2 Access Control Controlling data accesses within a networked enterprise, based on security needs.  Define access control policy  User authentication  Policy enforcement mechanisms  Data transmission through networks

3 Identity-Based Access Control (IBAC)  Authentication is based on user’s identity, rather than network connection port.  User identity/job duty, time and location of connection – define a set of security groups  Different groups have different access privileges on objects.  Each object has an access control list (ACL) as an enforcing mechanism.

4 Deficiency Observation of IBAC  Security groups have no relationship among them – require duplicate administrative work (See Figure 1)  Use different keys for authentication (master key) and authorization (session key).  Require a new session key for each access session.  Session key generation and distribution may slow down performance.

5 Administrative Work Figure 1: HIBAC versus IBAC (a) Privilege assignment (b) User assignment (c) ACL for an Object IBAC HIBAC G1 G2 G3 G1 G2 G3 G1 G2 G3 G1 G2 G1: P G2: P G3: P

6 Hierarchical Identity-Based Access Control (HIBAC)  Define Security groups to have a hierarchical privilege-inheritance relationship.  A group A inherits privileges from a group B if A is located higher than B in the hierarchy.  A single mechanism, hierarchical key assignment, for authentication and authorization.

7 HIBAC, continue… Why hierarchical?  Reduce administrative work.  Simplify authentication and authorization logics – single hierarchical key V.S. master & session keys  The hierarchical key can also be used for data encryption during transmission.

8 A Walk through Example  A xyz company defines 6 security groups, based on job duty, time and location of network connection.  CEO, Finance (FIN), Human Resource (HR), Employee (E), Employee Restricted (ER) and Guest (G).  Table 1 specifies the access right assignment.  Form a hierarchical policy (See Figure 2).

9 A Walk through Example Table 1: Access right assignment in a xyz company Identity/dutyLocationTimeSecurity Group GuestPublicWorking hrsG GuestPublicNon-working hrsNo access GuestOfficeAllNo access EmployeePublicAllER EmployeeOfficeAllE FinancePublicAllER FinanceOfficeAllFIN Human resourcePublicAllER Human resourceOfficeAllHR CEOPublicAllER CEOOfficeAllCEO

10 A Walk through Example Figure 2: Hierarchical policy and it’s hierarchical key assignment CEO: K1 / \ FIN: K2 HR: K3 \ / E: K4 | ER: K5 | G: K6

11 A Walk through Example Authentication:  Alice has it’s own hierarchical key, say K2.  Alice login networks through an authentication (AE) server. Challenge-and-response between Alice’s machine and AE server.  Alice uses K2 (or K5, if public location) to encrypt response to server – prove the security group FIN (or ER) she belongs to.

12 A Walk through Example Authentication:  After authentication, AE server create a signed proof P to Alice and authorization (AO) server.  The proof P may contain AE signature Security group Freshness data Optional data: identity, location and time

13 A Walk through Example Authorization:  Alice makes an access request to AO server, with P attached.  AO server verifies P and thus authenticate Alice.  Based on P, AO server either grants or denies the access.

14 A Walk through Example Data transmission:  If AO server grants access to Alice, AO server can use either K2 or K5 to encrypt data and transmits it to Alice.  Upon receiving data, Alice uses either K2 or K5 to decrypt data.

15 Research Challenges  Design issues:  Guidelines for defining a hierarchical policy  session key vs. hierarchical key  Minimum contents of P  Prevent the re-use of P – freshness data, revocation of P  Figure 1 shows the advantage of reducing administrative work in HIBAC – need quantitative measurement.

16 Research Challenges  The walk through example show the simple logic for authentication and authorization processes in HIBAC – need an event-driven simulation to measure the system performance, in terms of increased control messages and storage.  Investigate any unnoticed security vulnerability of the new system.

Download ppt "By Jyh-haw yeh Department of Computer Science Boise State University."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
SCSC 455 Computer Security

SCSC 455 Computer Security
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Access Control Methodologies

Access Control Methodologies
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Information Security Policies and Standards

Information Security Policies and Standards
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Security Management.

Security Management.

Similar presentations

Ads by Google