Authorizing Slice Creation: How ABAC Coordinates Distributed Authorization. Alefiya Hussain.


1 Authorizing Slice Creation: How ABAC Coordinates Distributed Authorization. Alefiya Hussain, alefiya.hussain@sparta.com

2 TIED Joins GENI
How does TIED get to know GENI users? Keeping local ABAC policy the same (there are many other ways too):
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

3 The Players
TIED, the resource owner: provides equipment and establishes high-level policies for utilization.
Alex, the researcher: received a GENI award and wants to use the substrate for experiments.

4 The Players
TIED, the resource owner: provides equipment and establishes high-level policies for utilization.
Alex, the researcher: received a GENI award and wants to use the substrate for experiments.
GENI, the coordinator/certifier: asserts attributes for these new principals.

5 The Players: GENI, TIED, Alex
GENI defines various attributes to manage groups of people: it defines groups such as researchers, gradStudents, vendors, ... and publishes facts about them, e.g. "Alex is a GENI researcher".

6 The Players: GENI, TIED, Alex
TIED learns about GENI's facts and incorporates them into its local authorization policy. So TIED publishes a fact: "All GENI researchers can create slices on TIED". Thus it delegates some resource control to GENI.

7 The Players: GENI, TIED, Alex
Alex learns he needs to identify himself as a researcher to create a slice.

8 ABAC Enables the Players
Alex → TIED Slice Manager (ABAC): "I want to create a slice."
GENI Welcome Package: a researcher credential is sent to Alex: GENI.researcher ← Alex
TIED Local Policy: if you are a GENI researcher, you can create a slice: TIED.createSlice ← GENI.researcher

9 ABAC Negotiation Grants Access
Credentials: GENI.researcher ← Alex; TIED.createSlice ← GENI.researcher
1. Alex sends the request to the TIED Slice Manager (ABAC) with credential + key.
2. ABAC constructs the proof: TIED.createSlice ← GENI.researcher ← Alex
Grants access.

10 Summary: Alex creates a slice
GENI added Alex to the researcher attribute space. TIED uses GENI's credential (GENI.researcher) to authorize users to create slices.

11 GENI expands its attribute space
Keeping local ABAC policy the same:
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

12 The Players: GENI, TIED, Bob
GENI decides gradStudents are also a kind of researcher. So GENI publishes a new fact: all gradStudents are also researchers.

13 The Players: GENI, TIED, Bob
Policy at TIED does not change: TIED.createSlice ← GENI.researcher. TIED is unaware of the change.

14 The Players: GENI, TIED, Bob
Bob identifies himself as a gradStudent to TIED.

15 ABAC Enables the Players
1. Bob → TIED Slice Manager (ABAC): "I want to create a slice."
TIED local policy: TIED.createSlice ← GENI.researcher
GENI Registry: GENI.gradStudent ← Bob; GENI.researcher ← GENI.gradStudent

16 TIED discovers credentials
1. Bob → TIED Slice Manager (ABAC): "I want to create a slice." (presenting GENI.gradStudent ← Bob)
TIED local policy: TIED.createSlice ← GENI.researcher
2. ABAC proof construction fails. Proof: TIED.createSlice ← GENI.researcher ← ? Need more information from GENI.

17 TIED discovers credentials
1. Bob → TIED Slice Manager (ABAC): "I want to create a slice."
TIED local policy: TIED.createSlice ← GENI.researcher
2. ABAC proof construction fails.
3. TIED → GENI Registry: "Is Bob a researcher?"
4. GENI Registry: "I don't know, but here are some relevant credentials": GENI.researcher ← GENI.gradStudent
5. ABAC constructs the proof: TIED.createSlice ← GENI.researcher ← GENI.gradStudent ← Bob
Grants access.

18 Summary: Bob creates the slice!
No policy impact on the resource provider. TIED, the resource provider, learned relevant information from the external certifiers.

19 GENI Coordinates with the NSF
Keeping local ABAC policy the same:
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

20 Chloe wants to create a slice
Chloe is an NSF NeTS FIND researcher.

21 The Players: NSF, GENI, TIED, Chloe
NSF makes each program initiative a principal (FIND, CISE). NSF assigns each initiative a program attribute: NSF.program ← FIND. Each initiative defines its own attribute space, specifically researcher attributes: FIND.researcher ← Chloe

22 The Players: NSF, GENI, TIED, Chloe
GENI and NSF negotiate and decide to treat all NSF program researchers as GENI researchers. GENI publishes a new fact: all NSF program researchers are also GENI researchers. This is expressed as a linked credential: GENI.researcher ← NSF.program.researcher

23 The Players: NSF, GENI, TIED, Chloe
TIED has no policy changes. Chloe identifies herself as a FIND researcher to TIED.

24 ABAC Enables the Access
NSF credentials: FIND.researcher ← Chloe; NSF.program ← FIND
TIED local policy: TIED.createSlice ← GENI.researcher
1. Chloe → TIED Slice Manager (ABAC): "I want to create a slice."
2. ABAC proof construction fails. Proof: TIED.createSlice ← GENI.researcher ← ? (known: FIND.researcher ← Chloe; NSF.program ← FIND). Need more information from GENI.

25 ABAC Enables the Access
TIED local policy: TIED.createSlice ← GENI.researcher
1. Chloe → TIED Slice Manager (ABAC): "I want to create a slice."
2. ABAC proof construction fails.
3. TIED → GENI: "Do you know the NSF?"
4. GENI: "Yes, here are some relevant credentials": GENI.researcher ← NSF.program.researcher
5. ABAC constructs the proof: TIED.createSlice ← GENI.researcher ← NSF.program.researcher; NSF.program ← FIND; FIND.researcher ← Chloe
Grants access.
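To make the three proof constructions concrete (Alex on slide 9, Bob on slide 17, Chloe on slide 25), here is an added Python example that is not part of the presentation or of any ABAC implementation: a minimal RT0-style credential chainer over the slides' own credentials, including the "discover more credentials from GENI" retry. It assumes the issuer signatures on the credentials (the "cred+key" of step 1) are verified before a credential enters the store; `prove`, `members` and `authorize` are names chosen here.

```python
# Added example, not from the slides: a minimal RT0-style credential chainer. A credential
# "A.r <- body" is the tuple ("A.r", body); body is a principal, a role "B.s", or a linked
# role "B.s.t" (the t attribute of every B.s member). Signature checks are assumed done.
TIED_LOCAL = [("TIED.createSlice", "GENI.researcher")]       # TIED's unchanging policy
GENI_REGISTRY = [                                             # facts GENI has published
    ("GENI.researcher", "Alex"),
    ("GENI.gradStudent", "Bob"),
    ("GENI.researcher", "GENI.gradStudent"),                  # slide 12
    ("GENI.researcher", "NSF.program.researcher"),            # slide 22, linked credential
]
NSF_CREDS = [("NSF.program", "FIND"), ("FIND.researcher", "Chloe")]  # what Chloe presents

def prove(role, who, creds, path=frozenset()):
    """Is `who` a member of `role` under `creds`? Returns the credential chain or None."""
    if (role, who) in path:                      # guard against credential cycles
        return None
    path = path | {(role, who)}
    for r, body in creds:
        if r != role:
            continue
        parts = body.split(".")
        if len(parts) == 1 and body == who:      # A.r <- B      (simple member)
            return [(r, body)]
        if len(parts) == 2:                      # A.r <- B.s    (role containment)
            sub = prove(body, who, creds, path)
            if sub is not None:
                return [(r, body)] + sub
        if len(parts) == 3:                      # A.r <- B.s.t  (linked role)
            link_role, attr = ".".join(parts[:2]), parts[2]
            for p, link_proof in members(link_role, creds, path):
                sub = prove(f"{p}.{attr}", who, creds, path)
                if sub is not None:
                    return [(r, body)] + link_proof + sub
    return None

def members(role, creds, path):
    """Every principal provably holding `role`, with its proof (used for linked roles)."""
    for p in sorted({b for _, b in creds if "." not in b}):
        proof = prove(role, p, creds, path)
        if proof is not None:
            yield p, proof

def authorize(who, presented):
    """TIED's check: local policy + presented creds; on failure discover GENI's (steps 3-4)."""
    creds = TIED_LOCAL + list(presented)
    proof = prove("TIED.createSlice", who, creds)
    if proof is None:                            # slides 16/24: proof fails, ask GENI
        proof = prove("TIED.createSlice", who, creds + GENI_REGISTRY)
    return proof
```

A requester who presents nothing that chains back to TIED.createSlice gets `None`, which is the deny decision; the returned chain is what the slides print after "Proof:".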

26 Summary
ABAC can express complex relationships between principals:
– Through principal delegation
– Through attribute-based delegation
Local policy at the resource provider need not change. Many entities can coordinate complex policy. The end user is insulated from policy details.

