A Credential-Based Approach for Facilitating Automatic, Secure Resource Sharing Among Ad-hoc Dynamic Coalitions Janice Warner and Vijayalakshmi Atluri Rutgers University Ravi Mukkamala Old Dominion University August 2005


Page 1: Janice Warner and Vijayalakshmi Atluri Rutgers University

A Credential-Based Approach for Facilitating Automatic, Secure Resource Sharing Among Ad-hoc Dynamic Coalitions

Janice Warner and Vijayalakshmi Atluri

Rutgers University

Ravi Mukkamala

Old Dominion University

August 2005

Page 2: Coalition Resource Sharing

August 2005 IFIP05-Warner, Atluri and Mukkamala

• Dynamic and Ad-hoc – members may leave and new members may join

• Examples:

• Natural Disaster: government agencies, non-government organizations and private organizations may share data about victims, supplies and logistics.

• Homeland Security: Information collected by various governmental agencies shared for comprehensive data mining

• Virtual Enterprises: Collaboration between companies

Page 3: Current Approaches to Resource Sharing

• Form teams (workgroups) comprising users from all coalition entities. Problem: not viable or scalable; may result in delays

• User ids given to each external member of the coalition, and access control is provisioned on these ids. Problem: administratively burdensome; requires explicit revocation upon coalition or user termination

• Single access id provided to each external coalition entity. Problem: fine-grained access control is not possible

• Resources are copied to the external coalition member. Problem: updates are difficult and may result in uncontrolled sharing

Page 4: Outline

• Motivation

• What is needed

• CBAC Model

• DCBAC Model

• Conclusions and Future Work

Page 5: Resource Sharing among Coalitions

• Typically, the policies for sharing are stated at the coalition level

• Example – The Red Cross and Doctors without Borders will work together to investigate the spread of infectious diseases in the wake of a natural disaster.

• Enforcing coalition-level security policies requires transforming them to the implementation level

• Example – Dr. Roberts of Doctors without Borders can access reports on the spread of infectious diseases in Turkey.

Page 6: Our Preliminary Solution (presented at ICDCIT04)

• A formal model comprising three levels (user-object, role, coalition levels)

• Enables handshaking of relevant information by appropriate levels of the agencies

• Allows distributed access control – control remains in the hands of the resource owner

Page 7: Layered CBAC Model

[Figure: two coalition entities, Entity A (Drs-w/o-Borders) and Entity B (Red Cross), each with a User-Object Level, a Role Level and a Coalition Level. The request is shown at each level as it passes from Entity A to Entity B.]

Entity A (Drs-w/o-Borders):

• user-object request = 〈roberts, concept: disease, type: data〉

• role segment + user-object request = 〈doctor (location: Turkey, specialty: immunology), concept: disease, type: data〉

• coalition segment + role segment + user-object request = 〈555444555, DB99, RC11, doctor (location: Turkey, specialty: immunology), concept: disease, type: data〉

Entity B (Red Cross):

• role segment + user-object request = 〈doctor (location: Turkey, specialty: immunology), concept: disease, type: data〉

• user-object request = 〈RID799, RID223〉

Page 8: Limitations of CBAC Model

• Coalitions need to have high level agreements in place before there is a flow of information:

• Coalition entities know what is available and how to find it.

• Coalition entity ids are pre-assigned.

• Credential requirements are the union of all credentials associated with the role that has access to the requested object.

Page 9: Dynamic Coalition-Based Access Control Model (DCBAC)

• Dynamic because:

• Employs a Coalition Service Registry (CSR) where shared resources and coalition level policies are publicized. Agreements do not need to be established between coalition partners beforehand.

• Computes credentials needed by an external user from local access control policies through the Mapper layer. The coalition access control policy is determined through transformation of the local access control policy.

Page 10: Principles of DCBAC

• Existing access control mechanisms within each coalition entity remain intact.

• Access rights are granted to subjects only if they belong to an organization recognized by the coalition.

• Subjects of a coalition entity must have credentials with attribute values comparable to those of local subjects.

Page 11: DCBAC Architecture

[Figure: two coalition entities connected over a network (e.g., Internet). Each entity contains a Local User Interface, Local Access Control (LAC), a Credential to LAC Mapper, a Credential Filter, a Coalition Level and Local Services (shared and private). The coalition levels of the entities communicate through the Coalition Service Registry (CSR) and the Coalition Access Point (CAP).]

Page 12: Example Emergency Management Scenario

International Red Cross makes available its Emergency Response IS subject to:

Organization Level Policy: Must be a member of a non-profit, certified, relief organization.

Individual Policy: Access is restricted to information concerning the emergency site in which they are currently working.

Policy Based on LAC Mapping: Credentials must be comparable with those of internal users.

Page 13: Coalition Service Registry

• Similar to UDDI Web Service Registry

• Advertises resources that coalition entities make available

• Describes interface to resources

• Describes credentials needed to access resources

• Verifies organizational-level credentials

• Issues a “ticket” which can be submitted by individuals in the authenticated organization with a request to access a specific resource.

Page 14: CSR is a UDDI-like Registry

A CSR entry for a shared resource follows the UDDI data structure:

• businessEntity: UDDI:name, UDDI:discoveryURL, UDDI:contacts, UDDI:description

• businessService: UDDI:name, UDDI:categoryBag, UDDI:description

• bindingTemplate: UDDI:accessPoint, UDDI:categoryBag, UDDI:description, UDDI:tModelInstanceDetails

Page 15: CSR is a UDDI-like Registry (continued)

Resources listed in the CSR are searchable based on resource identifiers, name, keywords or category.

Page 16: CSR is a UDDI-like Registry (continued)

The bindingTemplate provides the network address of the Coalition Access Point from which the resource can be requested, and provides credential info and other access requirements.

Page 17: Example – Resource request is made

[Figure: the request passes through the requesting entity's Local User Interface, Local Access Control (LAC), Credential to LAC Mapper and Credential Filter to its Coalition Level, and from there over the network (e.g., Internet) to the Coalition Service Registry (CSR).]

The request takes the following forms on its way to the coalition level:

• 〈744, roberts, concept: disease, type: data〉

• 〈744, (degree: MD, gender: M, location: Turkey, specialty: infectious disease), concept: disease, type: data〉

• 〈744, (location: Turkey, specialty: infectious disease), Red_Cross_RID_730〉

Page 18: Example – Obtain organizational assertion

[Figure: the requesting entity's Coalition Level contacts the Coalition Service Registry (CSR) over the network (e.g., Internet).]

Doctors-Without-Borders CAP consults the CSR:

• to find the resource(s) (if it has not been located before)

• to obtain a valid organizational assertion (if it does not currently have one)

Page 19: Tickets are SAML assertions

• Assertions are declarations of facts:

• Issuer ID and issuance timestamp

• Assertion ID

• Subject

• “Conditions” under which the assertion is valid (e.g., validity period)

• CSR declares that organizational credentials were submitted and validated.

• Assertions can be digitally signed (and should be)
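The registry lookup, organizational credential check and ticket issuance described on pages 13 to 19, together with the ticket validation a provider's coalition level performs on incoming requests, as an added example that is not part of the original slides or of the authors' system. It models CSR entries as dicts shaped like the UDDI businessEntity / businessService / bindingTemplate records, and stands in for a signed SAML assertion with a JSON payload signed by HMAC-SHA256 under a shared secret (a real deployment would use XML-DSig over a SAML assertion). The `resourceId`, `orgPolicy` and `userCredentials` fields, the `CSR_SECRET` and every registry value are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time
import uuid

# Constructed sample registry. Each entry mirrors the UDDI-like layout of a CSR record
# (businessEntity / businessService / bindingTemplate); resourceId, orgPolicy and
# userCredentials are assumed fields added for this example, not UDDI elements.
CSR_ENTRIES = [
    {
        "businessEntity": {"name": "Red Cross", "discoveryURL": "https://csr.example.invalid/redcross",
                           "contacts": "ops@example.invalid", "description": "International Red Cross"},
        "businessService": {"name": "Emergency Response IS", "categoryBag": ["disease", "relief"],
                            "description": "Reports on the spread of infectious diseases at emergency sites"},
        "bindingTemplate": {"accessPoint": "https://cap.redcross.example.invalid/request",
                            "categoryBag": ["data"],
                            "description": "Emergency response data for the Turkey site",
                            "resourceId": "Red_Cross_RID_730",
                            "tModelInstanceDetails": {
                                # organization-level policy: non-profit, certified relief organization
                                "orgPolicy": {"type": "non-profit", "certified": True, "sector": "relief"},
                                # user credentials an individual must present with the request
                                "userCredentials": ["location", "specialty"]}},
    },
]

CSR_SECRET = b"constructed-shared-secret"  # assumption: stands in for the CSR signing key


def search_resources(registry, resource_id=None, name=None, keyword=None, category=None):
    """Search the registry by resource identifier, name, keyword or category (page 15)."""
    hits = []
    for entry in registry:
        ent, svc, bind = entry["businessEntity"], entry["businessService"], entry["bindingTemplate"]
        if resource_id is not None and bind["resourceId"] != resource_id:
            continue
        if name is not None and name.lower() not in (ent["name"].lower(), svc["name"].lower()):
            continue
        if keyword is not None and keyword.lower() not in (svc["name"] + " " + svc["description"]).lower():
            continue
        if category is not None and category not in svc["categoryBag"] + bind["categoryBag"]:
            continue
        hits.append(entry)
    return hits


def org_credentials_ok(presented, org_policy):
    """Organizational-level check: every attribute named by the policy must be presented with the required value."""
    return all(presented.get(k) == v for k, v in org_policy.items())


def _canonical(payload):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(secret, issuer, subject_org, resource_id, now=None, ttl=600, assertion_id=None):
    """Build and sign a ticket carrying the assertion fields listed on page 19."""
    now = time.time() if now is None else now
    payload = {
        "assertion_id": assertion_id or uuid.uuid4().hex,
        "issuer": issuer,
        "issue_instant": now,
        "subject": subject_org,
        "resource": resource_id,
        "statement": "organizational credentials submitted and validated",
        "conditions": {"not_before": now, "not_on_or_after": now + ttl},
    }
    signature = hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def request_ticket(registry, secret, org_name, org_credentials, resource_id, now=None):
    """CSR side: locate the resource, verify the organization against its policy, then issue a ticket or refuse."""
    hits = search_resources(registry, resource_id=resource_id)
    if not hits:
        return None
    policy = hits[0]["bindingTemplate"]["tModelInstanceDetails"]["orgPolicy"]
    if not org_credentials_ok(org_credentials, policy):
        return None
    return issue_ticket(secret, "CSR", org_name, resource_id, now=now)


def validate_ticket(secret, ticket, expected_issuer, now=None):
    """Provider side: check the signature first, then issuer and validity conditions."""
    now = time.time() if now is None else now
    payload = ticket.get("payload", {})
    expected = hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket.get("signature", "")):
        return False, "bad signature"
    if payload.get("issuer") != expected_issuer:
        return False, "unexpected issuer"
    cond = payload.get("conditions", {})
    if not cond.get("not_before", 0) <= now < cond.get("not_on_or_after", 0):
        return False, "outside validity period"
    return True, "ok"
```

The verifier checks the signature before reading any field of the payload, so an altered subject, resource or validity window is rejected as "bad signature" rather than being interpreted; the validity window is compared against the verifier's own clock, which is why `validate_ticket` takes `now` as a parameter rather than trusting the issuance timestamp inside the ticket.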

Page 20: Example – Request sent to provider’s CAP

[Figure: the requesting entity's Coalition Level sends the request over the network (e.g., Internet) to the provider's Coalition Level, behind which sit the provider's Credential Filter, Credential to LAC Mapper, Local Access Control (LAC), Local User Interface and Local Services (shared and private).]

〈744, Doctors Without Borders, Red Cross, SAML Assertion, Red_Cross_RID_730, (location: Turkey, specialty: infectious disease)〉

Page 21: Example – Provider evaluates request

[Figure: the request passes from the provider's Coalition Level through its Credential Filter and Credential to LAC Mapper to Local Access Control (LAC) and the Local Services (shared and private).]

• Request after the provider's Coalition Level validates the organizational credentials: 〈744, Red_Cross_RID_730, (location: Turkey, specialty: infectious disease)〉

• Request as passed on to local access control: 〈744, Red_Cross_RID_730〉

Page 22: Conclusions

• DCBAC automates translation of coalition level policies into subject-resource level.

• Depends upon credentials – both organizational level and user.

• Maps roles to credentials commonly held by members of the role.

• Uses a Coalition Service Registry so that ad-hoc coalitions can be formed simply by discovering resources that are needed.

• Can be built using currently available standard protocols – XACML, UDDI and SAML.

Page 23: Ongoing Work

• Mapper – Details on mapping local policies to credentials submitted to ICISS 2005

• Graph-based approach

• Strategies for inclusion of similar credentials

• Data mining of logs, local policies, and other security related data to obtain:

• Groupings of users with similar data requirements and attributes

• Groupings of resources

• Resolving semantic heterogeneity between policies and credential attributes.

Page 24: DCBAC – Coalition Level

• Interacts with the coalition level at other coalition entities through the Coalition Access Point (CAP).

• Incoming: Processes requests by validating the CSR ticket.

• Outgoing: Obtains a ticket, appends it to the user request and forwards it to the appropriate CAP.

[Figure: DCBAC entity components (Local User Interface, Local Access Control (LAC), Credential to LAC Mapper, Credential Filter, Coalition Level).]

Page 25: DCBAC – Credential Filter

• Incoming Requests:

• Determines whether user credentials sent with the request are adequate.

• Optionally, can downgrade or upgrade the credentials of users from specific entities.

• Outgoing Requests:

• Filters user credentials such that only those necessary to obtain access are sent.

[Figure: DCBAC entity components (Local User Interface, Local Access Control (LAC), Credential to LAC Mapper, Credential Filter, Coalition Level).]

Page 26: DCBAC – Mapper

• Assumes RBAC local access control, although this is not essential.

• Incoming – Compares user credentials to internal roles that have rights to the requested resource.

• Outgoing – Determines the role played by the requester and retrieves credentials common to users playing that role.

[Figure: DCBAC entity components (Local User Interface, Local Access Control (LAC), Credential to LAC Mapper, Credential Filter, Coalition Level).]

Page 27: DCBAC – LAC

• Enforces control on local services for both local and non-local requests.

• Local requests are received through the local user interface.

• External requests are received through the mapper.

[Figure: DCBAC entity components (Local User Interface, Local Access Control (LAC), Credential to LAC Mapper, Credential Filter, Coalition Level).]
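The user-level path of a request through the Mapper, Credential Filter and LAC described on pages 25 to 27, reproducing the request forms of the example on pages 17 and 21, as an added example that is not part of the original slides or of the authors' system. The requesting entity's users, roles and credential attributes, the provider's roles, resources and per-entity adjustments, the `CSR_REQUIRED` lists and the second resource `Red_Cross_RID_731` are all constructed assumptions; the organizational ticket check at the provider's coalition level (page 24) is assumed to have already passed and is not modelled here.

```python
# Constructed data for the requesting entity (Doctors Without Borders): local users, their
# RBAC role and the credential attributes each holds. Values are made up for the example.
DWB_USERS = {
    "roberts": {"role": "doctor", "creds": {"degree": "MD", "gender": "M", "location": "Turkey",
                                           "specialty": "infectious disease", "languages": "en,tr"}},
    "ahmed":   {"role": "doctor", "creds": {"degree": "MD", "gender": "M", "location": "Turkey",
                                           "specialty": "infectious disease", "languages": "ar"}},
    "lee":     {"role": "logistics", "creds": {"location": "Turkey", "clearance": "supply"}},
}

# Credentials the CSR advertises as required for each resource (constructed, cf. page 16).
CSR_REQUIRED = {"Red_Cross_RID_730": ["location", "specialty"],
                "Red_Cross_RID_731": ["location", "specialty"]}

# Constructed data for the provider (Red Cross): shared resources with their emergency site,
# and local RBAC roles with the credential profile they require and their permissions.
RC_RESOURCES = {"Red_Cross_RID_730": {"concept": "disease", "type": "data", "site": "Turkey"},
                "Red_Cross_RID_731": {"concept": "disease", "type": "data", "site": "Pakistan"}}
RC_ROLES = {
    "field_physician": {"required": {"specialty": "infectious disease"},
                        "permissions": {"Red_Cross_RID_730": {"read"}, "Red_Cross_RID_731": {"read"}}},
    "warehouse":       {"required": {"clearance": "supply"},
                        "permissions": {"Red_Cross_RID_730": {"read"}}},
}
# Per-entity adjustments applied by the incoming Credential Filter (page 25):
# None drops an attribute (downgrade), any other value overrides it (upgrade).
RC_ADJUSTMENTS = {"Doctors Without Borders": {}, "Unverified Partner": {"specialty": None}}


def outgoing_map(users, user):
    """Outgoing Mapper (page 26): the requester's role and the credentials common to every user in it."""
    role = users[user]["role"]
    members = [u["creds"] for u in users.values() if u["role"] == role]
    common = dict(members[0])
    for creds in members[1:]:
        common = {k: v for k, v in common.items() if creds.get(k) == v}
    return role, common


def outgoing_filter(creds, required_attrs):
    """Outgoing Credential Filter (page 25): send only the credentials needed to obtain access."""
    return {k: creds[k] for k in required_attrs if k in creds}


def incoming_filter(entity, creds, required_attrs, adjustments):
    """Incoming Credential Filter: apply per-entity up/downgrades, then check the credentials are adequate."""
    creds = dict(creds)
    for k, v in adjustments.get(entity, {}).items():
        if v is None:
            creds.pop(k, None)
        else:
            creds[k] = v
    missing = [a for a in required_attrs if a not in creds]
    return creds, missing


def incoming_map(roles, creds, resource_id):
    """Incoming Mapper: local roles with rights on the resource whose credential profile the user satisfies."""
    return [name for name, role in roles.items()
            if resource_id in role["permissions"]
            and all(creds.get(k) == v for k, v in role["required"].items())]


def lac_decide(roles, resources, matched_roles, creds, resource_id, action):
    """Local Access Control (page 27): the site restriction of page 12, then the RBAC permission check."""
    if creds.get("location") != resources[resource_id]["site"]:
        return False, "individual policy: requester is not working at the resource's emergency site"
    for role in matched_roles:
        if action in roles[role]["permissions"].get(resource_id, set()):
            return True, "granted via local role " + role
    return False, "no local role with the required credentials has permission"


def process_request(request_id, user, resource_id, action="read", entity="Doctors Without Borders"):
    """Run one request end to end and record the forms it takes (pages 17 and 21).
    The resource identifier is assumed to have been obtained from the CSR beforehand."""
    trace = [(request_id, user, resource_id)]
    role, common = outgoing_map(DWB_USERS, user)
    trace.append((request_id, common, resource_id))
    sent = outgoing_filter(common, CSR_REQUIRED[resource_id])
    trace.append((request_id, sent, resource_id))
    creds, missing = incoming_filter(entity, sent, CSR_REQUIRED[resource_id], RC_ADJUSTMENTS)
    if missing:
        return {"granted": False, "reason": "missing credentials: " + ", ".join(missing), "trace": trace}
    matched = incoming_map(RC_ROLES, creds, resource_id)
    trace.append((request_id, resource_id))
    granted, reason = lac_decide(RC_ROLES, RC_RESOURCES, matched, creds, resource_id, action)
    return {"granted": granted, "reason": reason, "trace": trace}
```

Two properties of the flow are worth noting. The outgoing side never sends the user's identity or attributes beyond those the CSR advertises as required (`languages`, `degree` and `gender` never leave the requesting entity), which is the minimal-disclosure point of the Credential Filter; and the provider's decision is made entirely by its own LAC against its own roles and site policy, so a partner that downgrades badly or lies about a role still cannot obtain more than a local user with the same credentials would.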