pki based access control with attribute
play

PKI based Access Control with Attribute on n users Application - PowerPoint PPT Presentation

Mar 03, 2023 •186 likes •407 views

Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nts admin admin rsity rsity s admin istrati istrati users consol depen istrati on on

  1. Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nt’s admin admin rsity rsity s admin istrati istrati users consol depen istrati on on idatio ding PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr r r r r r Card ID (CID) cr cr cr cr r r r Certificates for Data held on Smartcards Certificate card holder – encrypt (CHE) cwrv r cwr cwr rv Certificate card holder – sign (CHS) cwrv cwr cwr cwr rv Certificate card holder – auth (CHA) cwrv cwr cwr cwr rv Certificate Trust Center (CTC) cwrv cwr cwr cwr rv Lutz Suhrbier, Thomas Hildmann Date of Expire – Begin (DEB) cwr cwr cwr cwr r r r r r Date of Expire – End (DEE) cwr cwr cwr cwr r r r r r List of DES-Keys (DES) cw cw cw cw Technical University of Berlin AP CID CHE CHS CHA CTC DEB Card holder identification (OM) cr cr cr cr r r r c w r c r c w r v c w r v c w r v c w r v c w r p Research Center for Network and Multimedia Technology Status-group (PS) cwr cwr cwr cwr r r r Personal Identification Number (PIN) cw c c c w 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 PRZ / FSP-PV PIN Failure counter (FVZ) c c c c 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 Secret Key – encrypt (SKE) cwd cw cw d

  2. Content • Current problems – State of the art • An approach – Attribute certificates – Security level – Integration of security level into certificates • Implementation – Operating sequence : Data access • More advanced access control – Delegation of rights and credentials • Conclusion

  3. Current problems • State of the art – Access control using symmetric keys (common secret) – Problem of key-exchange (old known problems) – Only flat 1:1 mapping of permissions and keys – Keeping the keys secret – A compromise of a single key compromises the whole infrastructure – Can not be used on insecure terminals because of loosing the control of the key • How to realize access control using a public-key infrastructure?

  4. Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nt’s admin admin rsity rsity s admin istrati istrati users consol depen istrati on on idatio ding on n users Application Profile (AP) cwr cwr cwr cwr r r r r r Card ID (CID) cr cr cr cr r r r Certificate card holder – encrypt (CHE) cwrv r cwr cwr rv Certificate card holder – sign (CHS) cwrv cwr cwr cwr rv Certificate card holder – auth (CHA) cwrv cwr cwr cwr rv Certificate Trust Center (CTC) cwrv cwr cwr cwr rv Date of Expire – Begin (DEB) cwr cwr cwr cwr r r r r r Date of Expire – End (DEE) cwr cwr cwr cwr r r r r r List of DES-Keys (DES) cw cw cw cw Card holder identification (OM) cr cr cr cr r r r Status-group (PS) cwr cwr cwr cwr r r r Personal Identification Number (PIN) cw c c c w PIN Failure counter (FVZ) c c c c Secret Key – encrypt (SKE) cwd cw cw d Secret Key – sign (SKS) cs c c c s Secret Key – auth (SKA) cwa cw cw cw a

  5. Attribute certificates • Attribute certificates are just like public-key certificates with the following differences: – Instead of a public-key they contain structured data which can be used for role, group, access control or other mappings. – An attribute certificate is a binding of attribute data to a subject. – A public-key certificate is a binding of a public-key to a subject. – Both are signed by a certification authority which guarantees the correctness of the binding.

  6. Attribute Certificates vs. Public-Key Certificates attribute�certificate Public-key�certificate data data issuer issuer validity validity subject subject public-key attribute 1 attribute 2 signature signature

  7. We are using combined certificates attribute�certificate combined�certificate data data issuer issuer Public-key�certificate validity validity data subject subject issuer public-key attribute 1 validity attribute 2 subject attribute 1 public-key signature attribute 2 signature signature

  8. Security level AP CID CHE CHS CHA CTC DEB c w r c r c w r v c w r v c w r v c w r v c w r p 0 1 1 0 1 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 1 0 1 1 0 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 FV DEE DES OM PS PIN SKE SKS SKA Z c w r p c w e c r p c w r p c w c c w d c s c w a 0 1 1 0 0 0 0 0 1 0 0 1 1 0 0 0 0 0 0 0 0 1 0 0 0 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 09 08 07 06 05 04 03 02 01

  9. Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nt’s admin admin rsity rsity s admin istrati istrati users consol depen istrati on on idatio ding on n users Application Profile (AP) cwr cwr cwr cwr r r r r r Card ID (CID) cr cr cr cr r r r Certificate card holder – encrypt (CHE) cwrv r cwr cwr rv Certificate card holder – sign (CHS) cwrv cwr cwr cwr rv Certificate card holder – auth (CHA) cwrv cwr cwr cwr rv Certificate Trust Center (CTC) cwrv cwr cwr cwr rv Date of Expire – Begin (DEB) cwr cwr cwr cwr r r r r r Date of Expire – End (DEE) cwr cwr cwr cwr r r r r r List of DES-Keys (DES) cw cw cw cw AP CID CHE CHS CHA CTC DEB Card holder identification (OM) cr cr cr cr r r r c w r c r c w r v c w r v c w r v c w r v c w r p Status-group (PS) cwr cwr cwr cwr r r r Personal Identification Number (PIN) cw c c c w 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 PIN Failure counter (FVZ) c c c c 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 Secret Key – encrypt (SKE) cwd cw cw d Secret Key – sign (SKS) cs c c c s Secret Key – auth (SKA) cwa cw cw cw a

  10. Integration of security level into certificates • Security level is a base64 encoded bitmap concatenated to the subject name – No extensions are needed to a standard X.509v3 certificate – Subject names are clear text fields and are human readable without any needed of additional software cn=reregistration.tu-berlin.de,�o=Technische� Universitaet Berlin,�c=DE,�sl=00000001fAngkH08

  11. Operating sequence : Data access 1:�(req,�rcert)�=�sym_decrypt(cryptreq,�skey) 2:�verify_cert(rcert,�CTC) 3:�rpubkey =�extract_public_key(rcert) 4:�verify_data(req,�rpubkey) 5:�seclevel =�extract_seclevel(rcert) 6:�return =�execute_req(req,�seclevel) 7:�signedreturn =�sign(return,�SKA) 8:�cryptreturn =�asym_encrypt(signedreturn,�rpubkey)

  12. 1. The foreign-university requires access to data elements Foreign getData(x) University Home Smartcard University

  13. 2: Generate random number and send to foreign- university Foreign University 2:�reqestForCredential(rnd) Home Smartcard University 1:�rnd =�randomize()

  14. 3: forwarding request for credential Foreign University reqestForCredential (rnd,�getData(x)) Home Smartcard University

  15. 4: home-university is proving the permission Foreign University 3:�cred Home Smartcard University 1:�checkPermission(getData(x)) 2:�cred =�signCredential (HomeCERT,�rnd,� getData(x))

  16. 5: foreign-university is sending credential to smartcard Foreign University cred Home Smartcard University

  17. 6: validate rnd, check signature and security level, encrypt and return Foreign University 3:�cryptreturn Home Smartcard University 1:�(HomeCERT,�getData(x))�=�checkSignature(req) 2:�**�the�data�access�algorithm�as�see�before�** cryptreturn =�asym_encrypt(signedreturn,�HomeCERT)

  18. 7: foreign-university is sending the encrypted values to the home-university Foreign University cryptreturn Home Smartcard University

  19. 8: home-university decrypts and re-encrypts for foreign- university Foreign 3:�funiCryptedSignedX University Home Smartcard University 1:�signedX =�decrypt(HomePRIV,�cryptreturn) 2:�funiCryptedSignedX =�encrypt(ForeignUniCERT,� signedX)

  20. Conclusion • Using combined attribute-/public-key-certificates enables a flexible and effective protection of data elements on smartcards. • This infrastructure was implemented successfully at Technical University of Berlin. • There are solutions for environments constituted by several organisations with different access rights.

  21. For contact and further information / discussion • Lutz Suhrbier http://www.prz.tu-berlin.de/~lusu/ • Thomas Hildmann http://www.prz.tu-berlin.de/~hildmann/ • German Homepage of the Project Campuskarte http://campuskarte.tu-berlin.de/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Strategies for Incorporating Delegation into Attribute-Based Access Control (ABAC) Sylvia L.

Strategies for Incorporating Delegation into Attribute-Based Access Control (ABAC) Sylvia L.

Strategies for Incorporating Delegation into Attribute-Based Access Control (ABAC) Sylvia L. Osborn Daniel Servos sylvia@csd.uwo.ca dservos5@uwo.ca Department of Computer Science The 9th International Symposium on Foundations & Practice

1.05k views • 75 slides
Development and deployment of integrated attribute based access control for collaboration

Development and deployment of integrated attribute based access control for collaboration

Development and deployment of integrated attribute based access control for collaboration Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications and user communities Virtual

368 views • 13 slides
HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control Sylvia L. Osborn

HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control Sylvia L. Osborn

HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control Sylvia L. Osborn Daniel Servos sylvia@csd.uwo.ca dservos5@uwo.ca Department of Computer Science The 7th International Symposium on Foundations & Practice of

1.05k views • 49 slides
Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control Daniel Servos Michael Bauer Western University Western University London, Ontario London, Ontario dservos5@uwo.ca bauer@uwo.ca November

511 views • 34 slides
Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos dservos5@uwo.ca Department of Computer Science Topics Survey/Proposal Daniel Servos TSP: ABAC February 10th 1 / 31 1. Talk Outline Outline 1 Background

1.23k views • 90 slides
Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank Morgner (Bundesdruckerei) Paul Bastian (Bundesdruckerei) Marc Fischlin (TU Darmstadt) 13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1

404 views • 22 slides
Semantic Attribute-Based Access Control An overview of the existing approaches Hamed Arshad

Semantic Attribute-Based Access Control An overview of the existing approaches Hamed Arshad

Semantic Attribute-Based Access Control An overview of the existing approaches Hamed Arshad Department of Informatics University of Oslo March 2018 Hamed Arshad (UiO) SABAC March 2018 1 / 25 Table of Contents Introduction 1

1.17k views • 74 slides
PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1 PERMIS Review A role-based access control infrastructure Uses X.509 attribute certificate (AC) to store users roles All access

397 views • 8 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of

Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of

Institute for Cyber Security Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of Texas at San Antonio 1 st Workshop on Attribute Based Access Control (ABAC

469 views • 26 slides
Access Control Enforcement Access Control Enforcement for Conversation- -based based for

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

375 views • 26 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of security administration p y y For large number of subjects and objects, the number of authorizations can become extremely large For dynamic

536 views • 51 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Aim Increase the value of the public health practitioner professional workforce Objectives

Aim Increase the value of the public health practitioner professional workforce Objectives

Aim Increase the value of the public health practitioner professional workforce Objectives Sharing the importance and value of public health practitioners from an employers perspective Recognising assessors and verifiers as the

626 views • 6 slides
Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security Access Control Lists Access Control Lists GSM Security GSM Security WEP Authentication WPA/WPA2 Encryption 802.1X/EAP

536 views • 43 slides
Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010,

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010,

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010, Taipei david.kelsey at stfc.ac.uk Overview Why do we need security policies? Joint Security Policy Group (JSPG) Some history

408 views • 28 slides
Netherlands Eric Lambermon EPCCS-Councilmeeting Stratford Upon Avon December 6, 2017

Netherlands Eric Lambermon EPCCS-Councilmeeting Stratford Upon Avon December 6, 2017

Netherlands Eric Lambermon EPCCS-Councilmeeting Stratford Upon Avon December 6, 2017 Demografics Population: 17.000.000 500 people per km 2 landsurface 9200 General Practitioners 1850 patients per GP 3-year training

309 views • 7 slides
Introduction to the course Information Security Daniel Bosk Department of Information Systems

Introduction to the course Information Security Daniel Bosk Department of Information Systems

Scope and aims Course structure and content overview Course content Assessment Introduction to the course Information Security Daniel Bosk Department of Information Systems and Technology Mid Sweden University, Sundsvall School of

801 views • 29 slides
AE Technical Changes Industry Liaison Team The Pensions Regulator The information we provide is

AE Technical Changes Industry Liaison Team The Pensions Regulator The information we provide is

AE Technical Changes Industry Liaison Team The Pensions Regulator The information we provide is for guidance only and should not be taken as a definitive interpretation of the law. DM2537711 v6 This presentation remains the property of The

305 views • 18 slides
SWEN 262 Engineering of Software Subsystems Noun & Verb Analysis Nouns & Verbs

SWEN 262 Engineering of Software Subsystems Noun & Verb Analysis Nouns & Verbs

SWEN 262 Engineering of Software Subsystems Noun & Verb Analysis Nouns & Verbs Breaking a large problem down into a class structure is referred to as class decomposition . Analyzing the nouns and verbs in the problem

395 views • 20 slides
Ne Next G Gener eration on A ACO Model el Benefit Enhancement April 19, 2016 Age genda

Ne Next G Gener eration on A ACO Model el Benefit Enhancement April 19, 2016 Age genda

Ne Next G Gener eration on A ACO Model el Benefit Enhancement April 19, 2016 Age genda Benefit Enhancement Timeline Next Generation ACO Entities Participating Providers Preferred Providers Coordinated Care Reward

638 views • 22 slides

More recommend