Prox-RBAC: A Proximity-based Spatially Aware RBAC Michael S. - - PowerPoint PPT Presentation

prox rbac a proximity based spatially aware rbac
SMART_READER_LITE
LIVE PREVIEW

Prox-RBAC: A Proximity-based Spatially Aware RBAC Michael S. - - PowerPoint PPT Presentation

Mar 14, 2023 22 likes •487 views

Prox-RBAC: A Proximity-based Spatially Aware RBAC Michael S. Kirkpatrick Maria Luisa Damiani Elisa Bertino 19 th ACM SIGSPATIAL International Conference on Advances in Geographic Information Systems (GIS) Chicago, IL, USA November 4, 2011

slide-1
SLIDE 1

Prox-RBAC: A Proximity-based Spatially Aware RBAC

Michael S. Kirkpatrick Maria Luisa Damiani Elisa Bertino 19th ACM SIGSPATIAL International Conference on Advances in Geographic Information Systems (GIS) Chicago, IL, USA November 4, 2011

Wednesday, November 9, 2011

slide-2
SLIDE 2
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Motivation

2

Wednesday, November 9, 2011

slide-3
SLIDE 3
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Motivation

2

Wednesday, November 9, 2011

slide-4
SLIDE 4
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Motivation

2

Wednesday, November 9, 2011

slide-5
SLIDE 5
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Motivation

  • GEO-RBAC augments access control with

spatial data

  • <Doctor, coffeeshop> vs. <Doctor, ER>
  • Spatial role based on requesting user’s location
  • Others’ locations have security implications
  • Separation of duty
  • Presence of unprivileged users (e.g., civilians)

3

Wednesday, November 9, 2011

slide-6
SLIDE 6
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Motivation

  • GEO-RBAC augments access control with

spatial data

  • <Doctor, coffeeshop> vs. <Doctor, ER>
  • Spatial role based on requesting user’s location
  • Others’ locations have security implications
  • Separation of duty
  • Presence of unprivileged users (e.g., civilians)

3

Wednesday, November 9, 2011

slide-7
SLIDE 7
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Key Issues

  • Space model
  • Language definition
  • Location integrity
  • Technological feasibility

4

Wednesday, November 9, 2011

slide-8
SLIDE 8
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Key Issues

  • Space model
  • Language definition
  • Location integrity
  • Technological feasibility

4

GIS Access Control Crypto Formal Methods/ Languages This talk

Wednesday, November 9, 2011

slide-9
SLIDE 9
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Space Model

5

Wednesday, November 9, 2011

slide-10
SLIDE 10
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Space Model

5

  • Indoor space model
  • Protected area (PA)
  • Entry points

Wednesday, November 9, 2011

slide-11
SLIDE 11
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Space Model

5

Wednesday, November 9, 2011

slide-12
SLIDE 12
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Space Model

6

Wednesday, November 9, 2011

slide-13
SLIDE 13
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Space Model

6

Wednesday, November 9, 2011

slide-14
SLIDE 14
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Space Model

6

Wednesday, November 9, 2011

slide-15
SLIDE 15
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Accessibility Graph

  • Directed multigraph
  • Nodes denote protected

areas

  • Edges denote entry points

7

Wednesday, November 9, 2011

slide-16
SLIDE 16
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Hierarchical Containment

  • Partial order pai ⊆ paj
  • s ∈ pai ⇒ s ∈ paj
  • Entry into pai requires presence in paj
  • pai ⊆ paj and pai ⊆ pak ⇒ paj ⊆ pak or pak ⊆ paj

8

Π Π Π Π Π

Wednesday, November 9, 2011

slide-17
SLIDE 17
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Parent Tree

9

  • Accessibility graph alone is

insufficient

  • Hierarchical space model
  • Typing of areas
  • Room, floor, suite, etc.
  • User locations are at finest

granularity

Wednesday, November 9, 2011

slide-18
SLIDE 18
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Authorized PAs

  • AuthPA(s)
  • PAs subject s is authorized to enter
  • pai ∈ AuthPA(s) implies Parent(pai) ∈ AuthPA(s)
  • If pai ∈ AuthPA(s) and pai only reachable from

sibling paj, then paj ∈ AuthPA(s)

10

Wednesday, November 9, 2011

slide-19
SLIDE 19
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Authorized PAs

  • AuthPA(s)
  • PAs subject s is authorized to enter
  • pai ∈ AuthPA(s) implies Parent(pai) ∈ AuthPA(s)
  • If pai ∈ AuthPA(s) and pai only reachable from

sibling paj, then paj ∈ AuthPA(s)

10

Wednesday, November 9, 2011

slide-20
SLIDE 20
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Authorized PAs

  • AuthPA(s)
  • PAs subject s is authorized to enter
  • pai ∈ AuthPA(s) implies Parent(pai) ∈ AuthPA(s)
  • If pai ∈ AuthPA(s) and pai only reachable from

sibling paj, then paj ∈ AuthPA(s)

10

Wednesday, November 9, 2011

slide-21
SLIDE 21
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Policy Language

11

Wednesday, November 9, 2011

slide-22
SLIDE 22
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Policy Language

11

  • Relative constraint clause
  • Continuity of usage
  • Timeout constraint

at_least 1 supervisor in Room 100 while (at_most 0 civilians in this.room) while (...) timeout 1 minute

Wednesday, November 9, 2011

slide-23
SLIDE 23
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Policy Language

11

  • Relative constraint clause
  • Continuity of usage
  • Timeout constraint

at_least 1 supervisor in Room 100 while (at_most 0 civilians in this.room) while (...) timeout 1 minute

Any topological relationship

Wednesday, November 9, 2011

slide-24
SLIDE 24
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Policy Language

11

  • Relative constraint clause
  • Continuity of usage
  • Timeout constraint

at_least 1 supervisor in Room 100 while (at_most 0 civilians in this.room) while (...) timeout 1 minute

Wednesday, November 9, 2011

slide-25
SLIDE 25
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Policy Language

11

  • Relative constraint clause
  • Continuity of usage
  • Timeout constraint

at_least 1 supervisor in Room 100 while (at_most 0 civilians in this.room) while (...) timeout 1 minute

Wednesday, November 9, 2011

slide-26
SLIDE 26
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Policy Language

11

  • Relative constraint clause
  • Continuity of usage
  • Timeout constraint

at_least 1 supervisor in Room 100 while (at_most 0 civilians in this.room) while (...) timeout 1 minute

Wednesday, November 9, 2011

slide-27
SLIDE 27
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Semantics

12

Wednesday, November 9, 2011

slide-28
SLIDE 28
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Semantics

12

User is in the PA, authorized to enter role

Wednesday, November 9, 2011

slide-29
SLIDE 29
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Semantics

12

Other users also satisfy constraints

Wednesday, November 9, 2011

slide-30
SLIDE 30
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Semantics

12

... Access stopped when others move

Wednesday, November 9, 2011

slide-31
SLIDE 31
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Enforcement

13

AS

LD LD LD LD LD LD LD LD LD

Wednesday, November 9, 2011

slide-32
SLIDE 32
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Enforcement

13

AS

LD LD LD LD LD LD LD LD LD

Proof of location

Wednesday, November 9, 2011

slide-33
SLIDE 33
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Enforcement

13

AS

LD LD LD LD LD LD LD LD LD

Proof + credentials

Wednesday, November 9, 2011

slide-34
SLIDE 34
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Request Protocol

14

Wednesday, November 9, 2011

slide-35
SLIDE 35
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Request Protocol

14

Bind the user to the location at the time

Wednesday, November 9, 2011

slide-36
SLIDE 36
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Request Protocol

14

Send request and signed commitment

Wednesday, November 9, 2011

slide-37
SLIDE 37
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Request Protocol

14

Prove commitment matches

Wednesday, November 9, 2011

slide-38
SLIDE 38
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Implementation

  • Cryptographic protocols
  • Feige-Fiat-Shamir proves identity in ZK
  • Pedersen commitment binds user
  • SHA-256, AES, RSA, DSA for hash, encrypt, sign
  • NFC for proximity control
  • Must connect twice

15

Wednesday, November 9, 2011

slide-39
SLIDE 39
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Implementation

16

AS

LD LD

Wednesday, November 9, 2011

slide-40
SLIDE 40
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Implementation

16

AS

LD LD

Wednesday, November 9, 2011

slide-41
SLIDE 41
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Implementation

16

AS

LD LD

Wednesday, November 9, 2011

slide-42
SLIDE 42
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Implementation

16

AS

LD LD

Wednesday, November 9, 2011

slide-43
SLIDE 43
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Implementation

16

AS

LD LD

Wednesday, November 9, 2011

slide-44
SLIDE 44
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Future Work

  • Formal notion of proximity
  • Reconcile Prox-RBAC with GEO-RBAC
  • Alternative movement monitoring
  • Location privacy

17

Wednesday, November 9, 2011

slide-45
SLIDE 45
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011

Acknowledgments

18

This work has been partially supported by Sypris Electronics and by the MURI award FA9550-08-1-0265 from the Air Force Office of Scientific Research.

Wednesday, November 9, 2011

slide-46
SLIDE 46
  • M. S. Kirkpatrick, M. L. Damiani, E. Bertino

Prox-RBAC: A Proximity-based Spatially Aware RBAC ACM GIS 2011 19

Thanks!

Wednesday, November 9, 2011