Decentralized Trust Management
security1.win.tue.nl/~zannone/teaching/dtm09-10.html
Course Organization
- Introduction
- AC, DTM topics based on research papers
- Next week: Discretionary Access Control
- Website: list of topics, papers to read
  security1.win.tue.nl/~zannone/teaching/dtm09-10.html
The need for Data Protection
- Confidential data: databases with essential business information
- Private data: EHR, RFID, OV-chip, `Slimme meter' (smart meter)
- Risks & threats. News headlines:
  - Justice demanded pictures of OV-chipcard travellers
  - Laptop with data of 109,000 persons stolen
  - Data hacked from vacancy website used for phishing
  - ...
The need for Trust
- Decision on interaction with another entity:
  - What value to give to the information in this lecture?
  - Whether to give access to a resource.
- Incomplete information:
  - Is the information correct, state-of-the-art?
  - How will the resource be used?
Trust Management
- Establishing trust in the digital world
- Truster gives trust: a subjective, perceived probability
- Trustee claims/shows trustworthiness
  (cartoon: "Trust me, I'm a doctor")
Controlling access to resources
- Who is trusted to do what with a resource: Subject, Action, Object
  (figure: "I'm Bob" / "Bob may park")
Access Control Matrix
Policy:
- Students may read the grade list and read and run submitPaper
- Teacher may read and write the grade list and submitPaper
So we are done?

  User    GradeList   SubmitPaper
  Jerry   rw          rw
  Joris   r           rx
  Tim     r           rx
Controlling access to resources
- Enforcement, implementation
- Maintenance, consistency: captures the intended policy (how to check?); dynamicity: rights are not constant
- Specification, policies: authority on the resource; who decides?
- Decentralized systems, delegation; conditions, obligation, purpose
- Privacy: anonymity, attribute based AC
Access Control Lists
Enforcement & Maintenance

  User    GradeList   SubmitPaper
  Jerry   rw          rw
  Joris   r           rx
  Tim     r           rx

ACL of SubmitPaper:

  User    SubmitPaper
  Jerry   rw
  Joris   rx
  Tim     rx
Role based access control (1)
- Role (similar to `group'): Teacher, Student
- Assign access rights to roles and roles to users
- Added indirection makes for easier maintenance

  Role      GradeList
  Teacher   rw
  Student   r

  Role      Users
  Teacher   Jerry
  Student   Joris, Tim

1) RBAC treated in more detail in a later lecture.
Role dependency (Role Hierarchies)
(figure: role tree with Staff at the top; below it Scientific (Prof, Lecturer, ...), Financial, Legal, ...)
- Staff may enter building
- Staff rights also granted to Professors
Decentralized AC
- Different authorities at different locations: UT admin does not control TU/e resources
- Different hierarchies for different locations: in NL a PhD student is a subrole of Employee, in the US a PhD student is a subrole of Student
- Access control for distributed resources? TU/e student list, US student discount.
Delegation
- Define your roles based on roles of other users:
  Jerry.StudentsInMyClass = EducationOffice.RegisteredStudents2IS25
- Trust Management issue: I trust the education office to define the registered student role
- In turn the education office may trust the registration office:
  EducationOffice.RegisteredStudents2IS25 = RegistrationOffice.Student and WebServer.subscribed2IS25
Towards Rule based TM
- Can specify `trust rules'
- Link roles in different hierarchies. Difficulty: naming conventions, e.g. AIO – PhD student
- More fine grained control: different roles for different users/locations
  Jerry.StudentsInMyClass
  Sandro.StudentsInMyClass
  EducationOffice.RegisteredStudents2IF34
Why trust?
- Trust needed for cooperation: cannot control the behaviour of other people/systems
- Base of trust:
  - Own experience and experience of others
  - Regulations
  - Technical measures (see also next slide)
  - Taking a risk (risk vs benefit analysis when possible)
- `Good' behaviour slowly reinforces/builds trust; `bad' behaviour quickly lowers trust
Why Trust (cont.)?
- Trusting remote computation: trusted computing platform
  - Hardware chip based chain of trust: the chip checks signatures of programs to ensure they are not altered, and can do essential computation steps.
- Smartcards protect information and applications from the device holder
Trust Management
Main TM classes:
- Rule based TM, e.g. based on regulations. Trusted parties can be exactly determined; trust ~ formal relationship.
- Reputation based TM, e.g. when based on behaviour, recommendations; trust ~ subjective probability of `correct' behaviour.
Rule Based Trust Management
- Example systems: Role based trust management (RT), SDSI/SPKI, ...
- Example scenario: a student at an accredited university gets a discount
  Shop.Discount ← AccBody.Univ.Student
  AccBody.Univ ← TUe
  TUe.Student ← Alice
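As an added example (not part of the slides), a small Python evaluator for RT0-style credentials of the kind shown above and on the delegation slide: it computes role membership as a least fixpoint over simple member, containment, linked-role and intersection credentials. The credential list reuses the slides' credentials plus constructed facts about who is registered and subscribed.

```python
# Added illustration of RT0-style credentials (not the lecture's code).
# Credential forms used on the slides:
#   A.r <- B               simple member
#   A.r <- B.r1            simple containment (delegate to B's role)
#   A.r <- A.r1.r2         linked role: every member X of A.r1 defines X.r2
#   A.r <- B.r1 and C.r2   intersection (a list of several conjuncts)
# Principals are dot-free names; a role is written "Issuer.name".

def eval_expr(expr, m):
    """Members of one body expression given the current membership map m."""
    parts = expr.split(".")
    if len(parts) == 1:                       # a principal names itself
        return {expr}
    if len(parts) == 2:                       # role B.r1: its current members
        return set(m.get(expr, set()))
    if len(parts) == 3:                       # linked role A.r1.r2
        base, r2 = ".".join(parts[:2]), parts[2]
        out = set()
        for x in m.get(base, set()):          # for each member X of A.r1 ...
            out |= m.get(f"{x}.{r2}", set())  # ... collect the members of X.r2
        return out
    raise ValueError(f"unsupported expression: {expr}")

def all_members(creds):
    """Least fixpoint: apply every credential until no role gains a member."""
    m = {}
    changed = True
    while changed:
        changed = False
        for head, conjuncts in creds:
            new = set.intersection(*[eval_expr(c, m) for c in conjuncts])
            cur = m.setdefault(head, set())
            if not new <= cur:
                cur |= new
                changed = True
    return m

def is_member(principal, role, creds):
    return principal in all_members(creds).get(role, set())

# Credentials from the slides (discount scenario and the delegation slide),
# plus constructed facts about who is registered/subscribed.
SLIDE_CREDS = [
    ("Shop.Discount", ["AccBody.Univ.Student"]),
    ("AccBody.Univ", ["TUe"]),
    ("TUe.Student", ["Alice"]),
    ("Jerry.StudentsInMyClass", ["EducationOffice.RegisteredStudents2IS25"]),
    ("EducationOffice.RegisteredStudents2IS25",
     ["RegistrationOffice.Student", "WebServer.subscribed2IS25"]),
    ("RegistrationOffice.Student", ["Alice"]),     # constructed
    ("RegistrationOffice.Student", ["Bob"]),       # constructed
    ("WebServer.subscribed2IS25", ["Alice"]),      # constructed: Bob never subscribed
]

if __name__ == "__main__":
    print(is_member("Alice", "Shop.Discount", SLIDE_CREDS))       # True
    print(all_members(SLIDE_CREDS)["Jerry.StudentsInMyClass"])    # {'Alice'}
```

Bob is a registered student but never subscribed to the course, so the intersection keeps him out of Jerry's class role even though the registration office vouches for him.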
Rule Based Trust Management
- Distributed, open: each participant is an authority and issues credentials; participants can join and leave
- Delegation: entrust credentials of others
- Binary: user either fully trusted or not trusted
- Static trust level: no change based on actions of the user
Reputation System
- Example: eBay transaction feedback system
- EigenTrust: more advanced combination
Reputation Systems Scenario
- Joint ordering to get a bulk discount: more participants = more savings
- Do have to show up when the book arrives
- Allow friends to join & recommend others:
  - Alice joins
  - Bob does not join but recommends Charlie
  - Charlie does not join but recommends Dave
  - ...
Reputation Based TM
Main properties:
- Distributed, open: each participant is an authority and issues its own recommendations/feedback.
- Delegation: place trust in the recommendations of others.
- Multilevel and dynamic trust level: actions influence the level of trust.
Common features of TM classes
- Combine info from different sources: trust sources providing information
- Openness: anyone can join or leave the system and issue credentials/recommendations; other participants decide on their value
Differences between TM classes
- Role of risk: in rule based systems certificates state facts; reputation systems include intrinsic risk, since reputation does not give any guarantees.
  ("Results achieved in the past give no guarantee for the future")
- Yes/No versus numerical.
- Reputation changes with actions; the level of trust is dynamic.
Back to specification of access rights
- AC matrix: snapshot for a single location; TM meant to link locations
- Policies to capture `rules': rules underlie the permissions in the AC matrix; derive, update, maintain permissions. E.g. logic in access control
Logic in Access Control
- Express AC rules with logical formulas; rights expressed by predicates:
  may-access(p,o,r): principal p has access right r to object o
- Basic rules can also be expressed:
  may-access(p,o,Wr) → may-access(p,o,Rd)
  (write access implies read access)
- Different ways to generalize this principle
Logic in Access Control (2)
- Complications of distributed systems
- Often used construct: `SAYS', for stating requests for delegation, e.g. p says may-access(q,o,r)
  p says may-access(q,o,r) → (may-access(p,o,r) → may-access(q,o,r))
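As an added illustration (not the lecture's code), the two rules above run as forward chaining over a constructed fact set; the principals and the grade list come from the access matrix slide, and the delegation rule only fires when the delegating principal itself holds the right.

```python
# Added illustration of the two slide rules as forward chaining
# (not the lecture's code). Facts are tuples:
#   ("may-access", p, o, r)                  p has right r on object o
#   ("says", p, ("may-access", q, o, r))     p requests delegation of r on o to q

def derive(facts):
    """Apply both rules until no new fact appears; return the closed fact set."""
    facts = set(facts)
    while True:
        new = set()
        for f in facts:
            if f[0] == "may-access":
                _, p, o, r = f
                if r == "Wr":                    # rule 1: write implies read
                    new.add(("may-access", p, o, "Rd"))
            elif f[0] == "says":
                _, p, stmt = f
                _, q, o, r = stmt
                # rule 2: the delegation only takes effect if p itself holds r on o
                if ("may-access", p, o, r) in facts:
                    new.add(("may-access", q, o, r))
        if new <= facts:
            return facts
        facts |= new

def may_access(p, o, r, facts):
    """Decide one access question against the derived closure."""
    return ("may-access", p, o, r) in derive(facts)

# Constructed scenario around the grade list of the AC matrix slide.
FACTS = [
    ("may-access", "Jerry", "GradeList", "Wr"),
    ("may-access", "Joris", "GradeList", "Rd"),
    ("says", "Jerry", ("may-access", "Sandro", "GradeList", "Rd")),  # Jerry holds Wr, hence Rd
    ("says", "Joris", ("may-access", "Bob", "GradeList", "Wr")),     # Joris holds only Rd
]

if __name__ == "__main__":
    print(may_access("Sandro", "GradeList", "Rd", FACTS))  # True: rule 1, then rule 2
    print(may_access("Bob", "GradeList", "Wr", FACTS))     # False: Joris cannot delegate Wr
```

Sandro's read right needs two rounds: rule 1 first gives Jerry read access from his write access, and only then does Jerry's statement satisfy rule 2.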
Expressing the intended policy
- AC matrix not expressive enough, e.g. no rules
- Just add anything you can think of?
- Limit on expressiveness: illustrate with the Take-Grant model
Take-Grant model
- Directed graph represents the AC matrix: edge Role -- Object labelled with a right (e.g. read/write)
- Delegation rights added: edge between Roles: can take / may grant rights
- Changes in response to delegation actions: rules for changing the graph
Take-Grant Model example
(figure, before: Alice --R,W--> File and Bob --t--> Alice; after: additionally Bob --R,W--> File)
Example of an application of the Take-rule: Bob takes Alice's read/write permission
Safety problem
- Can a subject obtain a right? Given delegation rules and initial permissions: can a given permission be granted?
- Decidable in linear time if the delegation rules are fixed to the Take-Grant model [Jone76].
- Undecidable in general (details next week): it is not possible to create an algorithm that takes as input a set of rules and a starting configuration and always stops with the correct decision. (Equivalent to the Turing halting problem.)
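Added example (not the lecture's code) for the Take-Grant example slide and the safety question above: it applies the take and grant rules to the Alice/Bob/File graph and answers "can this subject ever obtain this right?" by brute-force closure under take and grant only. Leaving out create/remove keeps the state space finite; this is a simplification, not the linear-time algorithm of [Jone76].

```python
# Added illustration of the Take-Grant rules and a brute-force safety check
# (not the lecture's code). The graph is a dict: (src, dst) -> set of rights;
# "t" and "g" are the take and grant rights on edges between subjects.
from copy import deepcopy

def add_edge(g, src, dst, rights):
    g.setdefault((src, dst), set()).update(rights)

def take(g, x, y, z, rights):
    """Take rule: x holds 't' on y and y holds `rights` on z, so x obtains `rights` on z."""
    if "t" not in g.get((x, y), set()) or not set(rights) <= g.get((y, z), set()):
        return False                                   # precondition not met
    add_edge(g, x, z, rights)
    return True

def grant(g, x, y, z, rights):
    """Grant rule: x holds 'g' on y and `rights` on z, so x passes `rights` on z to y."""
    if "g" not in g.get((x, y), set()) or not set(rights) <= g.get((x, z), set()):
        return False
    add_edge(g, y, z, rights)
    return True

def closure(g):
    """Every edge obtainable by repeatedly applying take and grant.
    Simplification: no create/remove rules, so the closure is finite."""
    g = deepcopy(g)
    changed = True
    while changed:
        changed = False
        for (x, y), rs in list(g.items()):
            for (a, b), rights in list(g.items()):
                if "t" in rs and a == y and b != x and not rights <= g.get((x, b), set()):
                    add_edge(g, x, b, rights); changed = True   # x takes y's rights on b
                if "g" in rs and a == x and b != y and not rights <= g.get((y, b), set()):
                    add_edge(g, y, b, rights); changed = True   # x grants its rights on b to y
    return g

def can_obtain(g, subject, obj, right):
    """Safety question in this restricted model: can subject ever hold right on obj?"""
    return right in closure(g).get((subject, obj), set())

def slide_graph():
    """Initial state from the example slide: Alice -R,W-> File, Bob -t-> Alice."""
    g = {}
    add_edge(g, "Alice", "File", {"R", "W"})
    add_edge(g, "Bob", "Alice", {"t"})
    return g

if __name__ == "__main__":
    g = slide_graph()
    print(take(g, "Bob", "Alice", "File", {"R", "W"}), g[("Bob", "File")])  # True {'R', 'W'}
    print(grant(g, "Alice", "Bob", "File", {"R"}))          # False: Alice holds no 'g' on Bob
    print(can_obtain(slide_graph(), "Carol", "File", "R"))  # False: Carol has no edges at all
```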
Implications
- Undecidability of safety shows limits; an AC policy language cannot be too expressive
- Efficiently decide whether users have a right; check safety properties before granting a right; complexity in understanding
- Difficulty: find an AC specification mechanism that is simple to understand, effectively computable and sufficiently expressive
Implementation: Certificates
- Proof that you are a member of a role: student card issued by the registration office
- More generally: binding of properties to an identity (public key), signed by the certification authority (i.e. the issuer of the role student).
- Proof that a role is defined in a given way: the education office can issue a single certificate stating
  EducationOffice.RegisteredStudents2IF34 = RegistrationOffice.Student and WebServer.subscribed2IF34
  rather than giving a different certificate to each student
Using Certificates
- Use a chain of certificates to prove role membership:
  - student card to prove student
  - confirmation from the web server to show registered
  - certificate of the education office to show the registration policy
- (Automatic) chain discovery can be difficult: who stores certificates, where to look for certificates
PKI & certificate systems
- PKI: public key cryptosystem, e.g. RSA. A certificate links a public key to an identity. Trust based on the authority that signs: trusted roots predefined in the web browser; trust by numbers (PGP)
- Examples of PKI/certificate based systems:
  - X.509: certificates bind a public key to a name (string)
  - SPKI: PKI with a focus on authorization (rather than authentication), binding properties directly to public keys
  - Kerberos: single sign on system; the user gets a `ticket' for use of a service. The ticket is a form of certificate
  - PGP: often used for encryption and signing of email. No central CAs for distribution of public keys.
Conclusions
- Basics of decentralized trust management: distributed access control, delegation control
- Remaining lectures treat: Access Control, Privacy Policies, Rule based Trust Management, Reputation Systems, Applications of TM Systems
- Please check papers, info at: security1.win.tue.nl/~zannone/teaching/dtm09-10.html
Recommended Reading
- Decentralized Trust Management, M. Blaze et al.: the PolicyMaker trust management system; comparison with X.509 and PGP.
- Formal Models for Computer Security, C. Landwehr: overview of classical data security notions and systems
The End