Publication


Featured research published by Sassa Otenko.


International Journal of Information Security | 2009

Adding support to XACML for multi-domain user to user dynamic delegation of authority

David W. Chadwick; Sassa Otenko; Tuan Anh Nguyen

We describe adding support for dynamic delegation of authority (DOA) between users in multiple administrative domains, to the XACML model for authorisation decision making. DOA is enacted via the issuing of credentials from one user to another, and follows the role based access control model. We present the problems and requirements that such a delegation model demands, the policy elements that are necessary to control the delegation chains and a description of the architected solution. We propose a new conceptual entity called the credential validation service (CVS) to work alongside the XACML PDP. We describe our implementation of the CVS and present performance measurements for validating delegated chains of credentials.


International Conference on Communications | 2006

Adding support to XACML for dynamic delegation of authority in multiple domains

David W. Chadwick; Sassa Otenko; Tuan Anh Nguyen

In this paper we describe how we have added support for dynamic delegation of authority that is enacted via the issuing of credentials from one user to another, to the XACML model for authorisation decision making. Initially we present the problems and requirements that such a model demands, considering that multiple domains will typically be involved. We then describe our architected solution based on the XACML conceptual and data flow models. We also present at a conceptual level the policy elements that are necessary to support this model of dynamic delegation of authority. Given that these policy elements are significantly different to those of the existing XACML policy, we propose a new conceptual entity called the Credential Validation Service (CVS), to work alongside the XACML PDP in the authorisation decision making. Finally we present an overview of our first specification of such a policy and its implementation in the corresponding CVS.


Communications and Multimedia Security | 2005

Using SAML to Link the Globus Toolkit to the Permis Authorisation Infrastructure

David W. Chadwick; Sassa Otenko; Von Welch

In this article the new trend in authorisation decision making will be described, using the Security Assertion Markup Language (SAML). We then present an overview of the Globus Toolkit (GT), used in Grid computing environments, and highlight its authorisation requirements. We then introduce the PERMIS authorisation infrastructure and describe how it has been adapted to support SAML so that it can be deployed to make authorisation decisions for GT version 3.3.


International Conference on Data Engineering | 2007

Multi-session Separation of Duties (MSoD) for RBAC

David W. Chadwick; Wensheng Xu; Sassa Otenko; Romain Laborde; Bassem Nasser

Separation of duties (SoD) is a key security requirement for many business and information systems. Role based access control (RBAC) is a relatively new paradigm for protecting information systems. In the ANSI standard RBAC model both static and dynamic SoD are defined. However, static SoD policies assume that the system has full control over the assignment of all roles to users, whilst dynamic SoD policies assume that conflicts of interest can only arise during the simultaneous activation of a user's roles. Unfortunately neither of these assumptions holds true in dynamic virtual organisations (VOs), or in business processes that span multiple user sessions, or where users only partially disclose their roles at each session. In this paper we propose multi-session SoD (MSoD) policies for business processes which include multiple tasks enacted by multiple users over many user access control sessions. We explore the means to define MSoD policies in RBAC via multi-session mutually exclusive roles (MMER) and multi-session mutually exclusive privileges (MMEP). We propose an approach to expressing MSoD policies in XML and enforcing MSoD policies in a policy controlled RBAC infrastructure. Finally, we describe how we have implemented MSoD policies in the PERMIS privilege management infrastructure.


Advanced Information Networking and Applications | 2007

Obligations for Role Based Access Control

Gansen Zhao; David W. Chadwick; Sassa Otenko

Role based access control has been widely researched in security critical systems. Conventional role based access control is a passive model, which makes authorization decisions on requests, and the authorization decisions contain only information about whether the corresponding requests are authorised or denied. One of the potential improvements for role based access control is the augmentation of obligations, where obligations are tasks and requirements to be fulfilled before, after or together with the enforcement of the authorization decisions. This paper conducts a literature review of role based access control and obligation related research, and proposes a design for the augmentation of obligations in the context of the RBAC standard. The design is then validated by implementation in the PERMIS RBAC authorization infrastructure. The paper also discusses the possible nondeterminism caused by overlapping authorisations.


Advanced Information Networking and Applications | 2006

Distributed key management for secure role based messaging

Gansen Zhao; Sassa Otenko; David W. Chadwick

Secure role based messaging (SRBM) augments messaging systems with role oriented communication in a secure manner. Role occupants can sign and decrypt messages on behalf of roles. This paper identifies the requirements of SRBM and recognises the need for: distributed key shares, fast membership revocation, mandatory security controls and detection of identity spoofing. A shared RSA scheme is constructed. RSA keys are shared and distributed to role occupants and role gate keepers. Role occupants and role gate keepers must cooperate together to use the key shares to sign and decrypt the messages. Role occupant signatures can be verified by an audit service. SRBM system architecture is developed to show the security related performance of the proposed scheme, which also demonstrates the implementation of fast membership revocation, mandatory security control and prevention of spoofing. It is shown that the proposed scheme has successfully coupled distributed security with mandatory security controls to realize secure role based messaging.


European Public Key Infrastructure Workshop | 2005

A heterogeneous network access service based on PERMIS and SAML

Gabriel López; Óscar Cánovas; Antonio Fernandez Gomez-Skarmeta; Sassa Otenko; David W. Chadwick

The expansion of inter-organizational scenarios based on different authorization schemes involves the development of integration solutions allowing different authorization domains to share, in some way, protected resources. This paper analyzes different emerging technologies. On the one hand, we have two XML-based standards, the SAML standard, which is being widely accepted as a language to express and exchange authorization data, and the XACML standard, which constitutes a promising framework for access control policies. On the other hand, PERMIS is a trust management system for X.509 attribute certificates and includes a powerful authorization decision engine governed by the PERMIS XML policy. This paper presents a sample scenario where domains using these technologies can be integrated allowing, for example, the use of attribute certificates in a SAML environment and the utilization of the PERMIS authorization engine to decide about the disclosure or concealment of attributes. In order to design this scenario we have based our work on a Credential Conversion Service (CCS) which is able to convert ACs into SAML attributes, and a User Attribute Manager (UAM) which controls the disclosure of credentials. These modules are governed by policies defining the conversion process (the Conversion Policy) and the disclosure of attributes (the Disclosure Policy).


Concurrency and Computation: Practice and Experience | 2007

Achieving fine‐grained access control in virtual organizations

Ning Zhang; Li Yao; Aleksandra Nenadic; Jay Chin; Carole A. Goble; Alan L. Rector; David W. Chadwick; Sassa Otenko; Qi Shi

In a virtual organization environment, where services and data are provided and shared among organizations from different administrative domains and protected with dissimilar security policies and measures, there is a need for a flexible authentication framework that supports the use of various authentication methods and tokens. The authentication strengths derived from the authentication methods and tokens should be incorporated into an access‐control decision‐making process, so that more sensitive resources are available only to users authenticated with stronger methods. This paper reports our on‐going efforts in designing and implementing such a framework to facilitate multi‐level and multi‐factor adaptive authentication and authentication strength linked fine‐grained access control. The proof‐of‐concept prototype is designed and implemented in the Shibboleth and PERMIS infrastructures, which specifies protocols to federate authentication and authorization information and provides a policy‐driven, role‐based, access‐control decision‐making capability.


Concurrency and Computation: Practice and Experience | 2008

PERMIS: a modular authorization infrastructure

David W. Chadwick; Gansen Zhao; Sassa Otenko; Romain Laborde; Linying Su; Tuan Anh Nguyen


Software - Practice and Experience | 2005

‘R-What?’ Development of a role-based access control policy-writing tool for e-Scientists

Sacha Brostoff; M. Angela Sasse; David W. Chadwick; James Cunningham; Uche M. Mbanaso; Sassa Otenko

Top Co-Authors


Alan L. Rector

University of Manchester


Jay Chin

University of Manchester
