Changes between Version 38 and Version 39 of TIEDABACDemo


Timestamp:
07/15/09 14:51:56 (15 years ago)
Author:
faber@isi.edu
Comment:

--

  • TIEDABACDemo

    v38 v39  
    11= ABAC Authorization Control Illustrative Example =
    22
    3 ABAC is an attribute-based authorization system that combines attributes using a simple reasoning system to provide authorization that
     3ABAC is an attribute-based trust management system that combines attributes using a simple reasoning system to provide authorization that
    44 * Expresses delegation and other authorization models efficiently and scalably
    55 * Allows access requesters and granters to control how much information they reveal
    6  * Provides auditing information that includes both the decision and reasoning behindit (the provenance)
     6 * Provides auditing information that includes both the decision and reasoning behind it (the provenance)
    77 * Supports multiple authentication frameworks as entry points into the attribute space
    88
     
    2525== The TIED Attribute Explorer ==
    2626
    27 The TIED attribute explorer is an application that represents the ABAC attribute interrelationships graphically.  Users can create attributes and rules from various principals and see how those credentials interact.  There is a graphical query engine that allows one to see which prinicpals have a given attribute and how they would prove it.
     27The TIED attribute explorer is an application that represents the ABAC attribute interrelationships graphically.  Users can create attributes and rules from various principals and see how those credentials interact.  There is a graphical query engine that allows one to see which prinicpals have a given attribute and how they can prove it.
    2828
    2929The explorer can generate credentials for a principal if it has that principal's key (in some format).  Credentials are changes by ABAC's negotiation protocols to secure access.  While this function makes the explorer useful as a simple attribute configuration tool, we do not suggest that it is reasonable to use for large scale attribute administration.  It is primarily a tool for  visualizing fairly simple relationships.
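Review bot: line 27 still misspells "prinicpals" in both versions, and on line 29 "Credentials are changes by ABAC's negotiation protocols to secure access" should read "exchanged" (the sentence describes credentials being passed between parties, not altered). Also on line 29, "a tool for  visualizing" has a doubled space.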
     
    5959[[Image(explorer2.png)]]
    6060
    61 Drawing that line creates a credential that says "Any principal that has the GENI.CTFadmin attribute has the GENI.CTFaccess attribute, signed GENI".  Notice that only the GENI principal can create such a credential: it controls the GENI.CTFaccess attribute, and any assignment of that attribute must be done by the controlling prinicpal
     61Drawing that line creates a credential that says "Any principal that has the GENI.CTFadmin attribute has the GENI.CTFaccess attribute, signed GENI".  More colloquially it says "the GENI principal asserts that CTFadminsitrators can access the CTF slice."  Notice that only the GENI principal can create such a credential and have it be accepted as valid: GENI controls the GENI.CTFaccess attribute, and any assignment of that attribute signed by a different principal is invalid on its face
    6262
    6363Any attribute reachable by following edges from principal to attribute is possessed by that principal.  Now the '''BBNAdmin''' principal has both the '''GENI.CTFadmin''' and '''GENI.CTFaccess''' attributes.
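Review bot: the new line 61 introduces "CTFadminsitrators" (should be "CTF administrators") and drops the closing period after "invalid on its face". The substance of the rewrite is right: only the principal that controls an attribute (here GENI for '''GENI.CTFaccess''') can issue a credential assigning it, so a credential for that attribute carrying another principal's signature fails verification before the graph is even considered. Saying that the check is "the signature verifies under the key of the principal whose namespace the attribute is in" would make "invalid on its face" concrete for readers who go on to build credentials with the explorer.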
     
    9393 * Universities and other institutions want a role in deciding who to allow into the game
    9494
    95 In order to meet these roles, a natural system is for the ACM to designate certain representatives who can designate contestants on the ACM's behalf.  These representatives can choose contestants however they like.  By granting this power the ACM gives these entities the control they want, and minimizes its direct involvement.
     95In order to meet these goals, an intuitive system is for the ACM to designate certain representatives who can designate contestants on the ACM's behalf.  These representatives can choose contestants however they like.  By granting this power the ACM gives these entities the control they want, and minimizes its direct involvement.
    9696
    9797In ABAC, this is represented as a linked attribute.  In the explorer, one can create such a linked attribute in a way similar to creating a standard attribute.  Here the GENI principal creates such a rule that allows ACM representatives to designate contestants, all of whom will be granted the CTFaccess attribute.
     
    9999[[Image(explorer7.png)]]
    100100
    101 The wording for the credential is a little comples, but it says "Any principal that has a ''P''.'''CTFcontestant''' attribute where ''P'' that has the '''ACM.gamerep''' attribute has the '''GENI.CTFaccess''' attribute, signed GENI".  More simply, the ACM principal can designate representatives by giving them the '''ACM.CTFrep''' attribute; when those representatives give another principal their '''.CTFcontestant''' attribute, the principal with that attribute is given the '''GENI.CFTaccess''' attribute.  ACM representatives can grant access to the slice.
     101The wording for the credential is a little complex, but it says "Any principal that has a ''P''.'''CTFcontestant''' attribute where ''P'' that has the '''ACM.gamerep''' attribute has the '''GENI.CTFaccess''' attribute, signed GENI".  More simply, the ACM principal can designate representatives by giving them the '''ACM.CTFrep''' attribute; when those representatives give another principal their '''.CTFcontestant''' attribute, the principal with that attribute is given the '''GENI.CFTaccess''' attribute.  ACM representatives can grant access to the slice.
    102102
    103103An advantage of this is that it creates a new administrative group - ACM's game representatives - that can be useful in other contexts. For example, this same group of representatives can designate contestants for other competitions or other attributes relevant to the capture the flag contest without further changes by the ACM.  Delegating through individual ACM attributes would require continuing work by the ACM.
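Review bot: line 101 fixes "comples" but leaves several other problems in the same sentence. "where ''P'' that has the '''ACM.gamerep''' attribute" should read "where ''P'' has the '''ACM.gamerep''' attribute"; the sentence then names the representative attribute '''ACM.CTFrep''', so one of '''ACM.gamerep''' and '''ACM.CTFrep''' is wrong and the rule shown in the image on line 99 should decide which; "'''.CTFcontestant'''" has a stray leading dot (the attribute is ''P''.'''CTFcontestant'''); and "'''GENI.CFTaccess'''" transposes the letters of '''GENI.CTFaccess'''. Since readers may type these attribute names into the explorer, they should match exactly throughout the page.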
     
    167167[[Image(example15.png)]]
    168168
    169 While it sounds complex to say that the credentials reprsent the graph, the process of assembling the graph is trivial.  Each credential fits to the others in only one way.
     169While it sounds complex to say that the credentials represent the graph, the process of assembling the graph is trivial.  Each credential fits to the others in only one way.
    170170
    171171When faber receives the candidate graph, it can check the signatures of all the credentials and satisfy itself that the graph is well formed.  (It may need to find GENI's or ACM's public key, or the slice may have included them.)  Faber's only credential fits on the graph and establishes a path from faber to the '''GENI.CTFaccess''' credential.  Faber adds the credential to the message and returns it to the slice.  Once the slice confirms the signature, the two parties agree that faber can have access.
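Review bot: line 171 says faber's credential "establishes a path from faber to the '''GENI.CTFaccess''' credential"; the rest of the page calls this an attribute, and the graph node reached is the attribute, so "attribute" is the right word. The parenthetical "(It may need to find GENI's or ACM's public key, or the slice may have included them.)" should say how faber decides to trust a key that arrives in the same message as the credentials it is meant to verify: a bundled key proves nothing by itself, so faber needs an independent reason to accept it (a key it already trusts for GENI, or a chain back to one) before "check the signatures of all the credentials" on line 171 establishes anything.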
     
    177177The collaborative process is completely characterized by adding nodes to a graph in a simple manner.  Though the policies experessed by the system are complex, the process of validating any given prinicpal posses an attribute is very simple.
    178178
    179 Furthermore, both the rules and attributes are stored throughout the network.  The slide will be ignorant of the fairly complex rules that the UCLA principal has instituted until a principal from that university authorizes itself.  Note that credentials are simply signed statements (perhaps with a validity time).  So the slice can keep local rules from various domains and send larger initial graphs if it chooses to.
     179Furthermore, both the rules and attributes are distributes throughout the network.  The slide will be ignorant of the fairly complex rules that the UCLA principal has instituted until a principal from that university authorizes itself.  Note that credentials are simply signed statements (perhaps with a validity time).  So the slice can keep local rules from various domains and send larger initial graphs if it chooses to.
    180180
    181181If the environment is open, the GENI principal can simply publish the relevant credentials encoding its rules for CTF slice access.  Because each requester now knows the beginning of the graph, they are likely to be able to include the whole proof in their first request, removing a round trip time.
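Review bot: the new line 179 reads "are distributes throughout the network", which should be "distributed"; the same line has "The slide will be ignorant", which should be "slice", and "until a principal from that university authorizes itself" reads better as "authenticates itself" or "requests access", since it is the slice that authorizes the principal. Line 177 still has "experessed" for "expressed" and "prinicpal posses" for "principal possesses". On line 181, "removing a round trip time" is clearer as "saving a round trip".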