Changes between Version 38 and Version 39 of TIEDABACDemo
Timestamp: 07/15/09 14:51:56
TIEDABACDemo
Lines 1 to 8:

1 (unchanged): = ABAC Authorization Control Illustrative Example =
2 (unchanged):
3 (v38): ABAC is an attribute-based authorizationsystem that combines attributes using a simple reasoning system to provide authorization that
3 (v39): ABAC is an attribute-based trust management system that combines attributes using a simple reasoning system to provide authorization that
4 (unchanged): * Expresses delegation and other authorization models efficiently and scalably
5 (unchanged): * Allows access requesters and granters to control how much information they reveal
6 (v38): * Provides auditing information that includes both the decision and reasoning behind it (the provenance)
6 (v39): * Provides auditing information that includes both the decision and reasoning behind it (the provenance)
7 (unchanged): * Supports multiple authentication frameworks as entry points into the attribute space
8 (unchanged):

…

Lines 25 to 29:

25 (unchanged): == The TIED Attribute Explorer ==
26 (unchanged):
27 (v38): The TIED attribute explorer is an application that represents the ABAC attribute interrelationships graphically. Users can create attributes and rules from various principals and see how those credentials interact. There is a graphical query engine that allows one to see which prinicpals have a given attribute and how they wouldprove it.
27 (v39): The TIED attribute explorer is an application that represents the ABAC attribute interrelationships graphically. Users can create attributes and rules from various principals and see how those credentials interact. There is a graphical query engine that allows one to see which prinicpals have a given attribute and how they can prove it.
28 (unchanged):
29 (unchanged): The explorer can generate credentials for a principal if it has that principal's key (in some format). Credentials are changes by ABAC's negotiation protocols to secure access. While this function makes the explorer useful as a simple attribute configuration tool, we do not suggest that it is reasonable to use for large scale attribute administration. It is primarily a tool for visualizing fairly simple relationships.

…

Lines 59 to 63:

59 (unchanged): [[Image(explorer2.png)]]
60 (unchanged):
61 (v38): Drawing that line creates a credential that says "Any principal that has the GENI.CTFadmin attribute has the GENI.CTFaccess attribute, signed GENI". Notice that only the GENI principal can create such a credential: it controls the GENI.CTFaccess attribute, and any assignment of that attribute must be done by the controlling prinicpal.
61 (v39): Drawing that line creates a credential that says "Any principal that has the GENI.CTFadmin attribute has the GENI.CTFaccess attribute, signed GENI". More colloquially it says "the GENI principal asserts that CTFadminsitrators can access the CTF slice." Notice that only the GENI principal can create such a credential and have it be accepted as valid: GENI controls the GENI.CTFaccess attribute, and any assignment of that attribute signed by a different principal is invalid on its face.
62 (unchanged):
63 (unchanged): Any attribute reachable by following edges from principal to attribute is possessed by that principal. Now the '''BBNAdmin''' principal has both the '''GENI.CTFadmin''' and '''GENI.CTFaccess''' attributes.

…

Lines 93 to 97:

93 (unchanged): * Universities and other institutions want a role in deciding who to allow into the game
94 (unchanged):
95 (v38): In order to meet these roles, a naturalsystem is for the ACM to designate certain representatives who can designate contestants on the ACM's behalf. These representatives can choose contestants however they like. By granting this power the ACM gives these entities the control they want, and minimizes its direct involvement.
95 (v39): In order to meet these goals, an intuitive system is for the ACM to designate certain representatives who can designate contestants on the ACM's behalf. These representatives can choose contestants however they like. By granting this power the ACM gives these entities the control they want, and minimizes its direct involvement.
96 (unchanged):
97 (unchanged): In ABAC, this is represented as a linked attribute. In the explorer, one can create such a linked attribute in a way similar to creating a standard attribute. Here the GENI principal creates such a rule that allows ACM representatives to designate contestants, all of whom will be granted the CTFaccess attribute.

…

Lines 99 to 103:

99 (unchanged): [[Image(explorer7.png)]]
100 (unchanged):
101 (v38): The wording for the credential is a little comple s, but it says "Any principal that has a ''P''.'''CTFcontestant''' attribute where ''P'' that has the '''ACM.gamerep''' attribute has the '''GENI.CTFaccess''' attribute, signed GENI". More simply, the ACM principal can designate representatives by giving them the '''ACM.CTFrep''' attribute; when those representatives give another principal their '''.CTFcontestant''' attribute, the principal with that attribute is given the '''GENI.CFTaccess''' attribute. ACM representatives can grant access to the slice.
101 (v39): The wording for the credential is a little complex, but it says "Any principal that has a ''P''.'''CTFcontestant''' attribute where ''P'' that has the '''ACM.gamerep''' attribute has the '''GENI.CTFaccess''' attribute, signed GENI". More simply, the ACM principal can designate representatives by giving them the '''ACM.CTFrep''' attribute; when those representatives give another principal their '''.CTFcontestant''' attribute, the principal with that attribute is given the '''GENI.CFTaccess''' attribute. ACM representatives can grant access to the slice.
102 (unchanged):
103 (unchanged): An advantage of this is that it creates a new administrative group - ACM's game representatives - that can be useful in other contexts. For example, this same group of representatives can designate contestants for other competitions or other attributes relevant to the capture the flag contest without further changes by the ACM. Delegating through individual ACM attributes would require continuing work by the ACM.

…

Lines 167 to 171:

167 (unchanged): [[Image(example15.png)]]
168 (unchanged):
169 (v38): While it sounds complex to say that the credentials repr sent the graph, the process of assembling the graph is trivial. Each credential fits to the others in only one way.
169 (v39): While it sounds complex to say that the credentials represent the graph, the process of assembling the graph is trivial. Each credential fits to the others in only one way.
170 (unchanged):
171 (unchanged): When faber receives the candidate graph, it can check the signatures of all the credentials and satisfy itself that the graph is well formed. (It may need to find GENI's or ACM's public key, or the slice may have included them.) Faber's only credential fits on the graph and establishes a path from faber to the '''GENI.CTFaccess''' credential. Faber adds the credential to the message and returns it to the slice. Once the slice confirms the signature, the two parties agree that faber can have access.

…

Lines 177 to 181:

177 (unchanged): The collaborative process is completely characterized by adding nodes to a graph in a simple manner. Though the policies experessed by the system are complex, the process of validating any given prinicpal posses an attribute is very simple.
178 (unchanged):
179 (v38): Furthermore, both the rules and attributes are storedthroughout the network. The slide will be ignorant of the fairly complex rules that the UCLA principal has instituted until a principal from that university authorizes itself. Note that credentials are simply signed statements (perhaps with a validity time). So the slice can keep local rules from various domains and send larger initial graphs if it chooses to.
179 (v39): Furthermore, both the rules and attributes are distributes throughout the network. The slide will be ignorant of the fairly complex rules that the UCLA principal has instituted until a principal from that university authorizes itself. Note that credentials are simply signed statements (perhaps with a validity time). So the slice can keep local rules from various domains and send larger initial graphs if it chooses to.
180 (unchanged):
181 (unchanged): If the environment is open, the GENI principal can simply publish the relevant credentials encoding its rules for CTF slice access. Because each requester now knows the beginning of the graph, they are likely to be able to include the whole proof in their first request, removing a round trip time.
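Review bot: line 6 is marked as modified although the v38 and v39 texts read identically, so the change is whitespace only; it is harmless but adds noise to the revision history of this page.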
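Review bot: line 27 still reads "prinicpals" in v39 (the edit only changed "would prove" to "can prove"), and unchanged line 29 reads "Credentials are changes by ABAC's negotiation protocols to secure access", which does not parse. Since this paragraph is being revised anyway, fix both, e.g. "which principals have a given attribute" and, if that is the intended meaning, "Credentials are exchanged by ABAC's negotiation protocols".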
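Review bot: the new colloquial gloss on line 61 contains "CTFadminsitrators"; write "CTF administrators" so it is not mistaken for a third attribute name alongside GENI.CTFadmin and GENI.CTFaccess. The added clause "and have it be accepted as valid ... invalid on its face" is a good tightening: it makes clear that a credential is checked against the signer's control of the attribute, not merely accepted because it exists.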
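Review bot: line 101 in v39 fixes "comple s" but leaves three problems in the same sentence. "where ''P'' that has the '''ACM.gamerep''' attribute" should read "where ''P'' has the '''ACM.gamerep''' attribute". The quoted credential names the representative attribute '''ACM.gamerep''', while the plain-language restatement calls it '''ACM.CTFrep'''; under the model on lines 61 and 63, where attributes are identified by principal and name, those are two distinct attributes and the linked rule would only match the one actually named in the credential, so use one name consistently. '''GENI.CFTaccess''' is a typo for '''GENI.CTFaccess''', the name used on lines 61, 63 and 171.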
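Review bot: unchanged line 171 says faber's credential "establishes a path from faber to the '''GENI.CTFaccess''' credential"; line 63 defines the endpoint of such a path as an attribute, so "the '''GENI.CTFaccess''' attribute" is the consistent term and avoids suggesting there is a single credential object that faber reaches.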
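Review bot: v39 line 179 replaces "storedthroughout" with "distributes throughout"; the intended word is "distributed". "The slide will be ignorant" on the same line should be "The slice", matching the rest of the paragraph. On unchanged line 177, "experessed" and "prinicpal posses" should be "expressed" and "principal possesses". The parenthetical "(perhaps with a validity time)" also bears on the caching that the next sentence proposes: a slice that keeps rules from other domains should honour those validity times when it reuses them, or it will keep accepting credentials the issuer intended to expire; a short clause saying so would make the point.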