Incorporating Off-Line Attribute Delegation into Hierarchical Group - - PowerPoint PPT Presentation


Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control Daniel Servos Michael Bauer Western University Western University London, Ontario London, Ontario dservos5@uwo.ca bauer@uwo.ca November


slide-1
SLIDE 1

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control

Daniel Servos, Western University, London, Ontario, dservos5@uwo.ca

Michael Bauer, Western University, London, Ontario, bauer@uwo.ca

November 5th, FPS 2019

slide-2
SLIDE 2

2

Outline

Outline

  • Outline
  • Background
  • Attribute Delegation Model
  • Attribute Delegation Framework
  • Conclusions
slide-3
SLIDE 3

Background: The HGABAC Project

slide-4
SLIDE 4

Background

4

HGABAC Project

[Figure: project timeline]

  • HGABAC: Hierarchical group based formal model of ABAC (Servos et al., 2014)
  • ABAC Delegation Strategies: Set of potential strategies for incorporating delegation into ABAC models and architectures (Servos et al., 2016)
  • HGAA: System architecture and protocols to support real world use of HGABAC (Servos et al., 2018)
  • HGABAC Administrative Model: Model governing the administration of attributes, users, etc. in HGABAC (GURAG by Gupta and Sandhu, 2016)
  • Group Membership Based Delegation Model (Sabahein et al., 2018)
  • Attribute Based Delegation Model (Servos et al., 2019)
  • Permission Based Delegation Model (Future Work)
  • Reference Implementation and Full Evaluation of Each Delegation Model (Future Work)

slide-5
SLIDE 5

Background

5


Hierarchical Group and Attribute-Based Access Control (2014)

  • Formal attribute-based access control model.
  • Introduces concepts of hierarchical user and object attribute groups.
  • Goals:
    ▪ Lightweight
    ▪ Easy to comprehend policies
    ▪ User and object groups to simplify administration
    ▪ Scalable
    ▪ Ability to emulate traditional models (MAC, DAC, RBAC)
  • Shown to be capable of emulating MAC, DAC and RBAC.
slide-6
SLIDE 6

Background

6


Strategies for Incorporating Delegation into ABAC (2016)

  • Details strategies for incorporating delegation into ABAC.
  • Strategies formulated by evaluating each possible combination of delegator, delegatee and delegatable access control component.
  • Resulted in three potential families of strategies that share common properties: Group Membership Delegation, Attribute Delegation and Permission Delegation.

slide-7
SLIDE 7

Background

7


Hierarchical Group Attribute Architecture (2018)

  • System architecture and protocols for implementing an HGABAC based system.
  • Answers questions like: “Who assigns the attributes?”, “How are attributes shared?”, “How is proof of attribute ownership given?”, and “Where and how are policies evaluated?”
  • Defines Attribute Certificate format, HGABAC Namespace, and core services.
  • Focus on “Off-Line” function (no dependence on third party once attribute certificate issued).

slide-8
SLIDE 8

Background

8


Work I am presenting today.

Incorporating Off-Line Attribute Delegation into HGABAC (2019)

  • Current effort, to create formal delegation model for each strategy.
  • Group Membership based model created by Sabahein et al.
  • Presenting Attribute based model today.
  • Permission based model still in development.
slide-9
SLIDE 9

Background

9


End Goal

End Goal for Delegation

  • Formalization of each ABAC delegation model.
  • Creation of reference implementation for each model.
  • Full evaluation and comparison.
slide-10
SLIDE 10

Attribute Delegation Model

slide-11
SLIDE 11

Attribute Delegation Model

11

Attribute Delegation Example

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Bob: Role: faculty, Department: SoftEng
  • Charlie: Year: 3, Role: grad, Department: SoftEng

slide-12
SLIDE 12

Attribute Delegation Model

12

Attribute Delegation Example

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Bob: Role: faculty, Department: SoftEng
  • Charlie: Year: 3, Role: grad, Department: SoftEng

Alice wishes to delegate her access to the CS student lounge to Charlie so he can pick up a textbook for her. The normal policy governing access is: Department = “CompSci” AND year >= 4

slide-13
SLIDE 13

Attribute Delegation Model

13

Attribute Delegation Example

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Bob: Role: faculty, Department: SoftEng
  • Charlie: Year: 3, Role: grad, Department: SoftEng
  • Delegated by Alice: Department: CompSci, Year: 4

slide-14
SLIDE 14

Attribute Delegation Model

14

Attribute Delegation Example

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Bob: Role: faculty, Department: SoftEng
  • Delegated by Alice: Department: CompSci, Year: 4
  • Charlie (direct att. set): Year: 3, Role: grad, Department: SoftEng
  • Charlie (delegated set from Alice): Department: CompSci, Year: 4

slide-15
SLIDE 15

Attribute Delegation Model

15

Attribute Delegation Example

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Bob: Role: faculty, Department: SoftEng
  • Charlie (direct att. set): Year: 3, Role: grad, Department: SoftEng
  • Charlie (delegated set from Alice): Department: CompSci, Year: 4

Bob wishes to delegate his access to the faculty software engineering lab to Charlie while Bob is away temporarily. The normal policy governing access is: Department = “SoftEng” AND Role = “faculty”

slide-16
SLIDE 16

Attribute Delegation Model

16

Attribute Delegation Example

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Bob: Role: faculty, Department: SoftEng
  • Delegated by Bob: Role: faculty, Department: SoftEng
  • Charlie (direct att. set): Year: 3, Role: grad, Department: SoftEng
  • Charlie (delegated set from Alice): Department: CompSci, Year: 4

slide-17
SLIDE 17

Attribute Delegation Model

17

Attribute Delegation Example

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Bob: Role: faculty, Department: SoftEng
  • Delegated by Bob: Role: faculty, Department: SoftEng
  • Charlie (direct att. set): Year: 3, Role: grad, Department: SoftEng
  • Charlie (delegated set from Alice): Department: CompSci, Year: 4
  • Charlie (delegated set from Bob): Role: faculty, Department: SoftEng

slide-18
SLIDE 18

Attribute Delegation Model

18

Incorporating into HGABAC

[Figure: HGABAC model diagram with delegation components]

  • Components shown: Users, User Groups, Sessions, Objects, Object Groups, Operations, Permissions, Policies
  • Attributes shown: User Attributes, Object Attributes, Environment & Admin Attributes, Connection Attributes
  • Relations shown: User Group Hierarchy, User Group Assignment, User Group Attribute Assignment, User Attribute Assignment, Attribute Activation*, User Session, Object Attribute Assignment, Object Group Assignment, Object Group Attribute Assignment, Object Group Hierarchy
  • Delegation components shown: Delegated Attribute Set, Can Delegate, Delegated, Delegator, Delegatee, Delegation Chain

* Attribute activation is constrained to a subset of the user's effective attribute set or a subset of a single delegated attribute set.
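The activation constraint in the footnote above, applied to Charlie's three attribute sets from the example slides. This is an added example, not code from the presentation or the HGABAC project; the function names, the dict encoding of the policies and the `hypothetical_room` policy are assumptions made for illustration.

```python
import operator

# Charlie's attribute sets from the slides' example (constructed as dicts).
DIRECT = {"Year": 3, "Role": "grad", "Department": "SoftEng"}
DELEGATED = {
    "Alice": {"Department": "CompSci", "Year": 4},
    "Bob": {"Role": "faculty", "Department": "SoftEng"},
}

# Policies as conjunctions of (attribute, comparison, value).
POLICIES = {
    "cs_lounge": [("Department", operator.eq, "CompSci"),
                  ("Year", operator.ge, 4)],
    "se_faculty_lab": [("Department", operator.eq, "SoftEng"),
                       ("Role", operator.eq, "faculty")],
    # Hypothetical policy, not from the slides: no single user satisfies it.
    "hypothetical_room": [("Role", operator.eq, "faculty"),
                          ("Year", operator.ge, 4)],
}

def activate(source, names):
    """Activate attributes drawn from exactly one set: 'direct' or a delegator."""
    pool = DIRECT if source == "direct" else DELEGATED[source]
    missing = sorted(set(names) - set(pool))
    if missing:
        raise ValueError(f"{missing} not in the {source} set")
    return {name: pool[name] for name in names}

def permits(policy, active):
    """True when every condition of the policy holds for the active attributes."""
    return all(attr in active and compare(active[attr], value)
               for attr, compare, value in POLICIES[policy])

def session_access(policy, source, names):
    """Access decision for a session that activates `names` from `source`."""
    try:
        return permits(policy, activate(source, names))
    except ValueError:
        return False

def merged_access(policy):
    """Unsafe contrast: evaluate against all of Charlie's sets merged together."""
    merged = {**DIRECT, **DELEGATED["Alice"], **DELEGATED["Bob"]}
    return permits(policy, merged)
```

Merging the sets would let Charlie combine Alice's Year with Bob's Role and satisfy a policy that neither delegator could delegate access to on their own; single-set activation rules that out.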

slide-19
SLIDE 19

Attribute Delegation Model

19

Incorporating into HGABAC


First constraint on delegation
slide-20
SLIDE 20

Attribute Delegation Model

20

Incorporating into HGABAC


Second constraint on delegation

  • Each delegated attribute set is issued with constraints in the form of a set of HGPL policies.
  • If any policy in the set is not satisfied the delegation is considered revoked.
  • These policy constraints can include environment, user and connection attributes.
  • Examples:
    ▪ user.age > 18
    ▪ connection.ip = 192.168.1.1
    ▪ env.date <= Nov 7th 2019
slide-21
SLIDE 21

Attribute Delegation Model

21

Incorporating into HGABAC


Third constraint on delegation
slide-22
SLIDE 22

Attribute Delegation Model

22

Delegation Chain

  • Alice: Year: 4, Role: undergrad, Department: CompSci
  • Alice->Charlie: Department: CompSci, Year: 4; Max Depth: 1; date <= Nov 7th 2019
  • Charlie (delegated set from Alice): Department: CompSci, Year: 4
  • Charlie->Dave: Department: CompSci; Max Depth: 0; date <= Nov 7th 2019 AND time >= 8AM AND time <= 9PM
  • Dave (delegated set from Alice->Charlie): Department: CompSci

Constraints on Subsequent Delegations:

  • 1. Can’t have a depth deeper than that defined by the original delegator.
  • 2. Each subsequent delegated attribute set must be < the parent set.
  • 3. Policy constraints on original delegation must be maintained or strengthened.

slide-23
SLIDE 23

Attribute Delegation Framework

slide-24
SLIDE 24

Attribute Delegation Framework

24

Attribute Delegation Framework

  • Extended Hierarchical Group Attribute Architecture (HGAA) to support Attribute Delegation.
  • Main additions are to the Attribute Certificate format.
  • HGAA Attribute Certificate:
    ▪ Cryptographically signed proof of a user's attributes
    ▪ Issued by Attribute Authority
    ▪ Allow sharing attributes “Off-Line”
slide-25
SLIDE 25

Attribute Delegation Framework

25

Attribute Certificate Extensions

Attribute Certificate (AC) / Delegated Attribute Certificate (DAC)

  • Certificate Body [Part that is signed]:
    ▪ ACInformation+
    ▪ ACIssuer (Delegator)
    ▪ ACHolder+ (Delegatee)
    ▪ Number of Attributes (NA), followed by NA Attributes
    ▪ ACRevocationRules+
    ▪ ACDelegationRules
    ▪ Number of Extensions (NE), followed by NE Extensions
  • ACSignature+: Signed by ACIssuer's private key

slide-26
SLIDE 26

Attribute Delegation Framework

26

Attribute Certificate Extensions

ACIssuer

  • Size fields (2 Bytes): Public Key Size (PK), Key Algorithm Size (KA), Issuer UID Size (UID), Issuer Name Size (N), Service URL Size (U)
  • Key Algorithm: KA Bytes
  • Public Key [Format Based on Key Algorithm]: PK Bytes
  • Issuer UID: UID Bytes. For Delegated Attribute Certificates the issuer is the delegator and their UID would be placed here.
  • Issuer Name [OPTIONAL]: N Bytes
  • Service URL [OPTIONAL]: U Bytes. For Delegated Attribute Certificates the Service URL (if provided) is for the Root Attribute Authority.

Attribute

  • Size fields (2 Bytes): Attribute ID Size (ID), Attribute Value Size (V), Attribute Name Size (N), Extension Size (E)
  • Attr. Type: 1 Byte
  • Attribute ID: ID Bytes
  • Attribute Value [String Encoded, OPTIONAL]: V Bytes
  • Attribute Name [OPTIONAL]: N Bytes
  • Extension [Format Based on Extension, OPTIONAL]: E Bytes
  • Can Delegate & Max Depth: 1 Byte. Value of 0 if attribute can not be delegated, value of 255 if no limit on depth, otherwise value is original max depth.
  • Delegator:
    ▪ Delegator UID Size (DID): 2 Bytes. Value of 0 if there is no delegator UID provided (e.g. if this attribute is not delegated).
    ▪ Delegator UID [OPTIONAL]: DID Bytes

slide-27
SLIDE 27

Attribute Delegation Framework

27

Attribute Certificate Extensions

ACDelegationRules

  • Number of Rules (R): 2 Bytes
  • R Rules: Delegation Rule, Delegation Rule, ...
  • Extension Size (E): 2 Bytes
  • Extension [Format Based on Extension, OPTIONAL]: E Bytes

DACDelegationRule

  • Policy Size (P): 2 Bytes
  • HGPLv2 Policy: P Bytes

slide-28
SLIDE 28

Attribute Delegation Framework

28

Attribute Certificate Extensions

ACExtension

  • Size fields (2 Bytes): Extension ID Size (ID), Extension Size (E)
  • Extension ID: ID Bytes
  • Extension [Format Based on Extension, OPTIONAL]: E Bytes

User-to-User Attribute Delegation Extension. Each Delegated Attribute Certificate should have exactly one instance of ACExtension with these values.

  • Extension ID: Literal String "ext:UToUAttDelv1" (ID Bytes, 16 Bytes)
  • Depth: 1 Byte
  • Root Authority ID Size (AuthID): 2 Bytes
  • Root Authority ID: AuthID Bytes
  • Number of Certificates in Chain (C)
  • C Serials: Certificate Serial, Certificate Serial, ... In order from Root Authority to current certificate.

DACCertificateSerial

  • Serial Size (S)
  • Serial [Little-Endian Encoded Number]: S Bytes

Sizes shown in the figure for Number of Certificates in Chain (C) and Serial Size (S): 1 Byte, 2 Bytes.

slide-29
SLIDE 29

Attribute Delegation Framework

29

Delegated Certificate Chain

[Figure: delegated certificate chain]

Every certificate in the chain has the same fields: ACInformation, ACIssuer, ACHolder, NA, NA Attributes, ACRevocationRules, ACDelegationRules, NE, Extensions, ACSignature.

  • Attribute Certificate: NA Attributes, NE Extensions. The Root Attribute Authority is the ACIssuer; it issues the first certificate to the ACHolder and signs it.
  • Delegated Attribute Certificate #1: NA Attributes, NE - 1 Other Extensions plus the User-to-User Attribute Delegation Extension. Subset or same attributes; superset or same delegation rules. Delegated certificate is signed by ACHolder (delegator). Serial included in certificate chain.
  • Delegated Attribute Certificate #2: NA Attributes, NE - 1 Other Extensions plus the User-to-User Attribute Delegation Extension. Subset or same attributes; superset or same delegation rules. Delegated certificate is signed by ACHolder (delegator). Serial included in certificate chain.

slide-30
SLIDE 30

Attribute Delegation Framework

30

Delegation Revocation

  • Revocation can happen in one of three ways:
    ▪ Policy constraints are no longer satisfied
    ▪ Certificate expires
    ▪ Certificate added to revocation list (optional feature)
  • Revocations are cascading but not live:
    ▪ If parent certificate in chain is revoked, all descendants are as well.
    ▪ Revocation is evaluated only when certificate is validated (maybe no feedback to issuer/delegator).
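One way to check the three constraints on subsequent delegations together with the revocation behaviour listed above, run over the Alice->Charlie->Dave chain. This is an added example, not code from the presentation or the HGAA project: the `Cert` fields, rule names and expiry dates are constructed, HGPL policies are replaced by Python predicates, the subset check follows the "subset or same attributes" wording of the certificate chain slide, and signature verification is not modelled.

```python
from dataclasses import dataclass
from datetime import date, time

NO_LIMIT = 255  # "Can Delegate & Max Depth" value for no limit on depth

# Python predicates standing in for HGPL policy constraints (constructed).
RULES = {
    "date<=2019-11-07": lambda ctx: ctx["date"] <= date(2019, 11, 7),
    "time>=08:00": lambda ctx: ctx["time"] >= time(8),
    "time<=21:00": lambda ctx: ctx["time"] <= time(21),
}

@dataclass(frozen=True)
class Cert:
    serial: int
    holder: str
    attrs: frozenset      # (name, value) pairs
    max_depth: int        # 0 = holder may not delegate further
    rules: frozenset      # keys of RULES; all must hold
    expires: date

def validate_chain(chain, ctx, revoked=frozenset()):
    """Check certificates from root to leaf; return (ok, reason)."""
    parent = None
    for cert in chain:
        # Revocation is evaluated here, at validation time, and cascades:
        # the first failing certificate invalidates everything below it.
        if cert.serial in revoked:
            return False, f"serial {cert.serial} is on the revocation list"
        if ctx["date"] > cert.expires:
            return False, f"serial {cert.serial} has expired"
        failed = sorted(r for r in cert.rules if not RULES[r](ctx))
        if failed:
            return False, f"serial {cert.serial} fails {failed[0]}"
        if parent is not None:
            if parent.max_depth == 0:
                return False, f"{parent.holder} may not delegate"
            if parent.max_depth != NO_LIMIT and cert.max_depth >= parent.max_depth:
                return False, f"serial {cert.serial} exceeds the depth limit"
            if not cert.attrs <= parent.attrs:
                return False, f"serial {cert.serial} adds attributes"
            if not cert.rules >= parent.rules:
                return False, f"serial {cert.serial} weakens the constraints"
        parent = cert
    return True, "valid"

# Constructed chain matching the Alice->Charlie->Dave slide.
DEPT, YEAR, ROLE = ("Department", "CompSci"), ("Year", 4), ("Role", "undergrad")
UNTIL = frozenset({"date<=2019-11-07"})
HOURS = UNTIL | {"time>=08:00", "time<=21:00"}
ALICE = Cert(1, "Alice", frozenset({DEPT, YEAR, ROLE}), NO_LIMIT, frozenset(), date(2020, 4, 30))
CHARLIE = Cert(2, "Charlie", frozenset({DEPT, YEAR}), 1, UNTIL, date(2019, 12, 31))
DAVE = Cert(3, "Dave", frozenset({DEPT}), 0, HOURS, date(2019, 12, 31))
CHAIN = [ALICE, CHARLIE, DAVE]
```

Because the walk stops at the first failing certificate, a relying party learns that Dave's certificate is unusable once Charlie's is revoked or its date constraint lapses, without either delegator being contacted.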

slide-31
SLIDE 31

Conclusions & Future Work

slide-32
SLIDE 32

Conclusions & Future Work

32

Conclusions

  • First model of User-to-User Attribute Delegation.
  • Extensions to HGABAC and HGAA to support Attribute Delegation.
  • Backwards compatible update to Attribute Certificate format.
  • Support for “Off-Line” authentication and policy evaluation.

slide-33
SLIDE 33

Conclusions & Future Work

33

Directions for Future Work

For Attribute Delegation:

  • Explore using “Can Receive” relation in place of “Can Delegate” in current model.
  • More thorough evaluation: formal validation and experimental evaluation.
  • Usability and user comprehension issues.

For ABAC delegation strategies:

  • Formalization of permission delegation model.
  • Reference implementation of each delegation model.
  • Full evaluation and comparison of each strategy.
slide-34
SLIDE 34

Thank You

34

Thank You for Listening!

Past papers and slides related to the HGABAC project can be found on my website:

http://cs1.ca