access control in a distributed object environment using
play

Access Control in a Distributed Object Environment Using XML and - PowerPoint PPT Presentation

Apr 05, 2023 •708 likes •959 views

Access Control in a Distributed Object Environment Using XML and Roles Jason Crampton and Hemanth Khambhammettu Information Security Group Royal Holloway, University of London Introduction Overview What are we doing? Ensuring

  1. Access Control in a Distributed Object Environment Using XML and Roles Jason Crampton and Hemanth Khambhammettu Information Security Group Royal Holloway, University of London

  2. Introduction – Overview • What are we doing? – Ensuring that access to protected resources in a distributed computing environment is restricted to appropriately authenticated and authorised users • Why is it important? – Web services – Complex heterogeneous systems in large enterprises • How are we doing it? – An architecture for authentication and authorisation – Authorisation uses role-based techniques – Components of architecture integrated by XML schema ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  3. Introduction – Objectives • Modularity – Independence of authentication and authorisation mechanisms – Independence of authorisation enforcement point and authorisation decision point – Avoid bottlenecks at decision and enforcement points – Promote inter-operability, scalability and extensibility • Avoid reliance on third-party trust mechanisms • Support for audit and delegation ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  4. Introduction – Access control • Access control protects resources from users – Access control lists (ACLs) defined for protected resources (Windows 2000, IBM RACF) – A resource’s ACL consists of entries defining which users and groups can access the object – Often difficult to administer in large enterprise Read? Authenticated Reference Protected Resource User Monitor ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  5. Introduction – RBAC • Role-based access control – associates each user with a set of roles – and associates each role with a set of permissions • Hence each user is indirectly associated with a set of permissions • Roles may form a hierarchy reflecting organisational structure • Scales well and simplifies administration ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  6. Components of architecture • Authentication engine – Creates authentication tokens • Interface – Access control enforcement point – Assesses the validity of authentication tokens, session certificates and access requests • Session manager – Creates session certificates – Only processes requests from the interface – Maintains information about role hierarchy and user-role assignment • Authorisation engine – Access control decision point – Only processes requests from the interface – Maintains information about permission-role assignment ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  7. XML schema • Authentication tokens – Contain user identity, public key of user, delegation information, lifetime of token • Session certificates – Contain issuer information, user identity, public key of user, lifetime of certificate, roles assigned to user, delegation information • Interface requests – Access requests (forwarded to authorisation engine) – Session certificate requests (forwarded to session manager) ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  8. Session creation (1) • User presents credentials to authentication engine Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  9. Session creation (2) • Authentication engine generates public/private key pair and sends private key to user Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  10. Session creation (3) • Authentication engine generates authentication token and sends it to interface Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  11. Session creation (4) • Interface sends authentication token to session manager Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  12. Session creation (5) • Session manager creates session certificate, encrypts it and sends it to user Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  13. Making an access request (1) • User sends session certificate and digitally signed access request to interface Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  14. Making an access request (2) • Interface verifies signature on access request and forwards access request to authorisation engine Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  15. Making an access request (3) • Authorisation engine decides whether request should be granted and sends decision to interface Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  16. Making an access request (4) • Interface enforces decision by returning either a handle to the resource or an error message Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  17. Updating session certificates • A session certificate is a static binding of a user identity to a set of roles • Validity of session certificate is sensitive to – Changes to the user-role assignment relation – Changes in the structure of the hierarchy • A user u could have been issued with a session certificate containing a role r and then have his assignment to a role r revoked – Any subsequent request by u to use a permission p assigned to r should be denied by the system ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  18. Updating session certificates (1) • Session manager sends revised certificate to interface in response to changes in role hierarchy or user-role assignment Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  19. Updating session certificates (2) • User makes access request Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  20. Updating session certificates (3) • Interface verifies signature, substitutes new session certificate and forwards request to authorisation engine which returns decision Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  21. Updating session certificates (4) • Interface enforces decision and sends revised session certificate to user Interface Session Manager User Authentication Authorisation Engine Engine ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  22. Delegation • Our architecture allows users to delegate their privileges to other users (whom they trust) • The ability to delegate privileges is – determined by the authentication engine – defined in the authentication token • Delegation element in session certificate determines – whether the certificate can be delegated – constrains the number of delegation certificates that can be created ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

  23. Conclusions • The architecture provides – mutual authentication for user and target system – role-based authorisation – dynamic re-issue of session certificates – delegation • Future work to include – separation of duty – inter-domain authorisation ISSA 2003 Access Control in a Distributed Environment Sandton, South Africa Jason Crampton & Hemanth Khambhammettu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal Reference monitor Challenges of a distributed system Autonomy : Path from principal to an object may be long and convoluted. Size : Usually much

304 views • 29 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
Large-Scale Systems: WebOS Access to geographically distributed data-dissemination and

Large-Scale Systems: WebOS Access to geographically distributed data-dissemination and

CPSC-662 Distributed Computing Object-Oriented Distributed Technology Large-Scale Systems: WebOS Access to geographically distributed data-dissemination and computing resources. Resource discovery, persistent storage, process control,

276 views • 5 slides
Distributed Object Transactions Outline Transaction Principles Concurrency Control

Distributed Object Transactions Outline Transaction Principles Concurrency Control

Distributed Object Transactions Outline Transaction Principles Concurrency Control Two-Phase Commit Protocol Services for Distributed Object Transactions CORBA Transaction Service Microsoft Transaction Service Java

285 views • 10 slides
Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena Torroglosa, Alejandro Prez, Antonio G. Skarmeta NEC Laboratories Europe University of Murcia Presentation at W3C Workshop on Access Control Application

555 views • 9 slides
A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and V. Sassone MyThS Meeting, Venice, June, 14th, 2004 A Distributed Calculus for Role-Based Access Control p.1/18 RBAC Why: Role-Based Access

613 views • 36 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and

Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and

Rewrite Specifications of Access Control Policies in Distributed Environments C. Bertolissi and M. Fernndez LIF , Marseille & Kings College London WTS2010, Nancy C. Bertolissi, M. Fernndez () Term rewriting for Access Control

1.04k views • 28 slides
Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning

Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning

IAB Workshop on Smart Object Security Paris, March 2012 Access Control for Smart Objects Access Control for Smart Objects Jan Janak, Hyunwoo Nam, Henning Schulzrinne I R T Columbia University Internet Real-Time Laboratory This work is

57 views • 5 slides
Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and

Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker and Peter Sewell Computer Laboratory, University of Cambridge, U.K. Cassandra: Distributed Access Control Policies with Tunable Expressiveness p.

1.44k views • 20 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Medium Access Control for Distributed Systems Faeze Heydaryan Joint work with Yanru Tang

Medium Access Control for Distributed Systems Faeze Heydaryan Joint work with Yanru Tang

Medium Access Control for Distributed Systems Faeze Heydaryan Joint work with Yanru Tang Committee members: Prof. Rockey Luo Prof. Liuqing Yang Prof. Ali Pezeshki Prof. Haonan Wang Coordinated vs Distributed Communication Distributed

554 views • 27 slides
Object-Oriented Distributed Technology Objects Objects in Distributed Systems

Object-Oriented Distributed Technology Objects Objects in Distributed Systems

CPSC-662 Distributed Computing Object-Oriented Distributed Technology Object-Oriented Distributed Technology Objects Objects in Distributed Systems Requirements of Multi-User Applications Reading: Coulouris: Distributed

317 views • 4 slides
Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who

Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who

Advanced Linux File Permission Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who $ hostname $ whoami $ uname $ id $ date $ ps -aux Environment Variables Environment Settings of a

530 views • 25 slides
REMOTE PROCEDURE CALLS Steve Vinoski Basho Technologies, Cambridge, MA USA @stevevinoski,

REMOTE PROCEDURE CALLS Steve Vinoski Basho Technologies, Cambridge, MA USA @stevevinoski,

MYTHBUSTING REMOTE PROCEDURE CALLS Steve Vinoski Basho Technologies, Cambridge, MA USA @stevevinoski, vinoski@ieee.org, http://steve.vinoski.net/ Monday, October 1, 12 Remote Procedure Call Monday, October 1, 12 Remote Procedure Call

1.78k views • 143 slides
D ISTRIBUTED S YSTEMS [COMP9243] In a Non-Distributed System: Two approaches to communication:

D ISTRIBUTED S YSTEMS [COMP9243] In a Non-Distributed System: Two approaches to communication:

D ISTRIBUTED S YSTEMS [COMP9243] In a Non-Distributed System: Two approaches to communication: Lecture 4: Communication Shared memory Slide 1 Slide 3 Communication in a Distributed System Shared memory vs message passing

697 views • 12 slides
Welcome! CS1000 Explorations in Computing Department of Computer Science Michigan Technological

Welcome! CS1000 Explorations in Computing Department of Computer Science Michigan Technological

Welcome! CS1000 Explorations in Computing Department of Computer Science Michigan Technological University Dr. Nilufer Onder Fall 2015 Fisher 139 Outline Information about me Tips to connect with faculty Course information

783 views • 34 slides
Distributed Systems Lecturer: Justin Pearson justin@docs.uu.se . Slide 1 Recommended text

Distributed Systems Lecturer: Justin Pearson justin@docs.uu.se . Slide 1 Recommended text

Distributed Systems Lecture 1 1 Distributed Systems Lecturer: Justin Pearson justin@docs.uu.se . Slide 1 Recommended text book: Distributed Systems Concepts and Design , Coulouris, Dollimore and Kindberg. Addison and Wesley.

595 views • 12 slides
Distributed Databases Chapter 22, Part B Database Management Systems, 2 nd Edition. R.

Distributed Databases Chapter 22, Part B Database Management Systems, 2 nd Edition. R.

Distributed Databases Chapter 22, Part B Database Management Systems, 2 nd Edition. R. Ramakrishnan and Johannes Gehrke 1 Introduction Data is stored at several sites, each managed by a DBMS that can run independently. Distributed Data

467 views • 11 slides
DISTRIBUTED DATABASES CHAPTER 25 LECTURE OVERVIEW What are distributed databases?

DISTRIBUTED DATABASES CHAPTER 25 LECTURE OVERVIEW What are distributed databases?

DISTRIBUTED DATABASES CHAPTER 25 LECTURE OVERVIEW What are distributed databases? Transparency and autonomy Fragmentation, allocation, replication Homogeneous vs. heterogeneous DDBMS Distributed transaction

1.27k views • 15 slides
Course Content Database Management Systems Introduction Database Design Theory

Course Content Database Management Systems Introduction Database Design Theory

Course Content Database Management Systems Introduction Database Design Theory Query Processing and Optimisation Winter 2003 Concurrency Control CMPUT 391: Parallel & Distributed Databases Data Base Recovery and

564 views • 10 slides
Introduction to Distributed Systems Material adapted from Distributed Systems: Concepts &

Introduction to Distributed Systems Material adapted from Distributed Systems: Concepts &

Introduction to Distributed Systems Material adapted from Distributed Systems: Concepts & Design , George Coulouris, et al. and Engineering Distributed Objects , Wolfgang Emmerich Outline What is a Distributed System? Examples of

565 views • 18 slides

More recommend