7. Using Trust for Role-Based Access Control (RBAC)
Prof. Bharat Bhargava
Center for Education and Research in Information Assurance and Security (CERIAS) and Department of Computer Sciences, Purdue University
http://www.cs.purdue.edu/people/bb
bb@cs.purdue.edu
Collaborators in the RAID Lab (http://raidlab.cs.purdue.edu):
Prof. Leszek Lilien (former Post Doc)
Dr. Yuhui Zhong (former Ph.D. Student)
This research is supported by CERIAS and NSF grants from IIS and ANIR.
1 --- 12/11/15 11:45 AM
Using Trust for Role-Based Access Control
Outline
1) Access Control in Open Systems
2) Proposed Access Control Architecture
   2.1) Basics
   2.2) RBAC & TERM server
3) TERM server
   3.1) Basic
   3.2) Evidence Model
   3.3) Architecture
        a) Credential Management (CM)
        b) Evidence Evaluation (EE)
        c) Role Assignment (RA)
        d) Trust Information Management (TIM)
   3.4) Prototype TERM server
1) Access Control in Open Systems (1)
Open environment (like WWW, WiFi networks)
  User who may not be known in advance
  Still must determine the permission set for an unknown user
Common approach:
  Grant access based on user’s properties demonstrated by digital credentials
Problems with credentials
  Holding credentials does not assure user trustworthiness
  Evidence provided by different credential issuers should not be uniformly trusted (apply “degrees of trust”)
1) Access Control in Open Systems (2)
A solution for problems with credentials:
  Trust should be used by access control mechanisms
    To limit granting privileges to potentially harmful users
How to establish trust?
  In particular with “newcomer” devices
  What do we need to know about a pervasive device in order to make a trust decision?
Using trust for attribute-based access control
  Identity-based access control is inadequate in open environments (e.g., vulnerable to masquerading)
  Multi-dimensional attribute set to determine trust level
2.1) Proposed Access Control Architecture - Basics
[Figure: Authorized Users and Other Users, Access Control Mechanism, Information System]
Authorized Users
  Validated credentials (first-hand experience and second-hand recommendations)
  AND
  Trust based on history of cooperative and legitimate behavior
Other Users
  Lack of required credentials
  OR
  Lack of trust resulting from history of non-cooperative or malicious behavior
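The decision rule of slide 2.1, combined with the per-issuer "degrees of trust" from section 1, as an added Python example (not taken from the slides or from the TERM server prototype). The issuer names, trust degrees, thresholds and the smoothed-ratio trust estimate are assumptions chosen for illustration; the slides give no numeric model. Note that a newcomer holding a perfectly valid credential is still denied until a behaviour history exists.

```python
from dataclasses import dataclass

# Constructed values: the slides give no numeric model, so these issuer names,
# degrees of trust and thresholds are assumptions for illustration only.
ISSUER_TRUST = {"university-ca": 0.9, "partner-org": 0.6, "self-signed": 0.1}
MIN_ISSUER_TRUST = 0.5  # a credential counts only if its issuer is trusted this much
MIN_USER_TRUST = 0.6    # behaviour-based trust required of an "Authorized User"


@dataclass(frozen=True)
class Credential:
    attribute: str      # property the credential asserts, e.g. "student"
    issuer: str
    signature_ok: bool  # outcome of cryptographic validation, done elsewhere


def validated_attributes(creds):
    """Attributes backed by a valid credential from a sufficiently trusted issuer."""
    return {c.attribute for c in creds
            if c.signature_ok and ISSUER_TRUST.get(c.issuer, 0.0) >= MIN_ISSUER_TRUST}


def history_trust(cooperative, malicious):
    """Smoothed share of cooperative interactions; a newcomer (0, 0) scores 0.5."""
    return (cooperative + 1) / (cooperative + malicious + 2)


def decide(required, creds, cooperative, malicious):
    """Authorized only with validated credentials AND sufficient history-based trust."""
    missing = set(required) - validated_attributes(creds)
    if missing:
        return False, "lack of required credentials: " + ", ".join(sorted(missing))
    trust = history_trust(cooperative, malicious)
    if trust < MIN_USER_TRUST:
        return False, f"lack of trust ({trust:.2f} < {MIN_USER_TRUST})"
    return True, f"authorized (trust {trust:.2f})"


if __name__ == "__main__":
    good = [Credential("student", "university-ca", True)]
    weak = [Credential("student", "self-signed", True)]
    for label, creds, coop, mal in [("known user", good, 8, 1),
                                    ("newcomer", good, 0, 0),
                                    ("weak issuer", weak, 8, 1),
                                    ("bad history", good, 2, 6)]:
        print(label, decide({"student"}, creds, coop, mal))
```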
...