Secure Context-sensitive Authorization
Kazuhiro Minami and David Kotz
Dartmouth College
Context-sensitive Authorization
[Slide figure: a guest speaker sends a request to the projector in a smart meeting room; with no context available, the projector answers "I cannot verify your identity."]
Context-sensitive Authorization
[Slide figure: the same request, now with a location sensor supplying location information to the projector; the projector answers "Since you are in the room, I authorize you to control me."]
Centralized Approach
[Slide figure: a requester sends a request to the resource; the resource sends an authorization query to a central authorization server, which collects context information from information servers (a location server and a role server) and returns a granting decision.]
Requirements shown on the slide:
• Integrity (make correct decisions)
• Confidentiality (not to disclose confidential information)
Smart Room Scenario
[Slide figure: the speaker sends a request to the projector; the projector sends a location query to a location server, which in turn sends an access point query to a WiFi location server and a GPS coordinate query to a GPS location server.]
Distributed Rule-based Authorization
[Slide figure: the authorization query goes to a central server that holds the proof tree; the central server sends logical queries to hosts A, B and C, each of which holds a sub-proof tree for its part of the proof.]
Goals
• Confidentiality
– Preserve each principal's confidentiality policies
• Integrity
– Each principal receives a proof that satisfies its integrity policies
• Scalability
– Offload work from a central server
Outline
• Rule-based authorization
• Security model
• Distributed query processing
• Enforcement algorithm
• Summary
Rule-based Authorization
[Slide figure: the authorization server receives the query ?grant(Bob, projector); its inference engine evaluates the query against the knowledge base and produces a proof tree.]
Knowledge Base
Rules
grant(P, projector) ← location(P, room112)
location(P, L) ← owner(P, D) ∧ location(D, L)
Facts
owner(Bob, badge15)
location(badge15, room112)
Example Proof Tree
?grant(Bob, projector)
  grant(Bob) ← location(Bob, meeting_room)
    location(Bob, meeting_room) ← owner(Bob, badge15) ∧ location(badge15, room112)
      owner(Bob, badge15)
      location(badge15, room112)
Security Model
[Slide figure: a resource, its authorization policies and facts, and the confidentiality and integrity policies that govern them.]
Security Model
[Slide figure: Host A (Alice) sends the query ?location(Bob, room112) to Host B (Dave), who answers TRUE.]
Host A (Alice)
Rule: grant(P, projector) ← location(P, room112)
Integrity policy: trust(location(P,L)) = {Dave}
Host B (Dave)
Rule: location(P,L) ← owner(P,D) ∧ location(D,L)
Facts: owner(Bob, pda15), location(pda15, room112)
Confidentiality policies: acl(location(P,L)) = {Alice}, acl(owner(P,D)) = {Dave}
Assumptions
• Policies apply only to facts
– Each principal issues a query to a principal that satisfies its integrity policies
• Integrity policies are public knowledge
• Public key infrastructure is available
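As an added example (not the authors' code), a small backward-chaining prover over the two hosts of the Security Model slide: Alice's grant rule and her integrity policy trust(location(P,L)) = {Dave}, and Dave's location rule, facts and acl policies. Assumptions: variables carry a "?" prefix (?P for P), a predicate with no trust entry is handled by the host itself, and a handler returns its proof subtree in the clear (as on the Trusted Proof Tree slide), so the recursive encryption of the later slides is not modelled.

```python
# Backward-chaining prover over the slides' two hosts, with acl (confidentiality)
# and trust (integrity) checks. Variables are written with a '?' prefix (?P for P).
import itertools
_fresh = itertools.count()

def walk(t, env):  # follow a variable's bindings to its final value
    return walk(env[t], env) if t.startswith("?") and t in env else t

def unify(a, b, env):  # extend env so atoms a and b agree, else None
    if len(a) != len(b): return None
    env = dict(env)
    for x, y in zip(a, b):
        x, y = walk(x, env), walk(y, env)
        if x == y: continue
        if x.startswith("?"): env[x] = y
        elif y.startswith("?"): env[y] = x
        else: return None
    return env

def rename(head, body):  # fresh variable names per rule use (recursion-safe)
    n = next(_fresh); f = lambda t: f"{t}_{n}" if t.startswith("?") else t
    return tuple(map(f, head)), [tuple(map(f, b)) for b in body]

# Rules, facts and policies of Host A (Alice) and Host B (Dave), as on the slides.
HOSTS = {
    "Alice": {"rules": [(("grant", "?P", "projector"), [("location", "?P", "room112")])],
              "facts": [], "acl": {}, "trust": {"location": {"Dave"}}},
    "Dave": {"rules": [(("location", "?P", "?L"), [("owner", "?P", "?D"), ("location", "?D", "?L")])],
             "facts": [("owner", "Bob", "pda15"), ("location", "pda15", "room112")],
             "acl": {"location": {"Alice"}, "owner": {"Dave"}}, "trust": {}}}

def prove(host, atom, querier, env):  # yield (env, proof) per derivation querier may see
    if querier != host and querier not in HOSTS[host]["acl"].get(atom[0], ()):
        return  # confidentiality policy: refuse, revealing nothing
    for fact in HOSTS[host]["facts"]:
        e = unify(atom, fact, env)
        if e is not None: yield e, (host, fact, [])
    for head, body in (rename(*r) for r in HOSTS[host]["rules"]):
        e = unify(atom, head, env)
        if e is not None:
            for e2, kids in prove_body(host, body, e):
                yield e2, (host, tuple(walk(t, e2) for t in atom), kids)

def prove_body(host, goals, env):  # prove goals left to right via trusted handlers
    if not goals: yield env, []; return
    g = tuple(walk(t, env) for t in goals[0])
    for handler in HOSTS[host]["trust"].get(g[0], {host}):  # integrity policy
        for e, proof in prove(handler, g, host, env):
            for e2, rest in prove_body(host, goals[1:], e):
                yield e2, [proof] + rest

def authorize(host, principal, resource):  # decide ?grant(principal, resource) at host
    proofs = ((True, p) for _, p in prove(host, ("grant", principal, resource), host, {}))
    return next(proofs, (False, None))
```

`authorize("Alice", "Bob", "projector")` grants and returns the proof tree rooted at Alice with Dave's location subtree; a direct query for owner(Bob, D) from Alice yields nothing because acl(owner(P,D)) = {Dave}.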
Architectural Overview
[Slide figure: a user sends a request to the host of the resource; that host issues an authorization query, which is resolved by logical queries passed among several hosts.]
Decomposition of Proof Tree
[Slide figure: principal p0 holds proof tree T0; at node n0 it sends query q0 to principal p1, who holds subtree T1; at node n1, p1 sends query q1 to principal p2, who holds subtree T2.]
• A handler principal only returns a query result (true or false)
• All the nodes except for the root node are not disclosed.
Enforcement of Confidentiality Policies
[Slide figure: the same decomposition, with the confidentiality policy acl(q1) = {p0} at q1's handler p2; p2's answer to q1 is encrypted for p0 with K0 and is forwarded through p1 to node n0 of T0.]
• A handler principal chooses a receiver principal from its upstream principals.
Enforcement Algorithm
[Slide figure: a chain of principals p0, p1, p2, p3 linked by the queries q0 (p0 to p1), q1 (p1 to p2) and q2 (p2 to p3); the security policy acl(q2) = {p0, p1} applies at q2's handler p3.]
Enforcement Algorithm
[Slide figure: p3, handling q2, sends q3 to p4 and q4 to p5. p4 returns pf4 = (P0, (TRUE)K0) and p5 returns pf5 = (P1, (TRUE)K1). p3 returns (p1, ((pf4)(pf5))K1) to p2, who forwards it unchanged to p1; p1 decrypts it and returns (p0, (pf4)K0) to p0, whose result is TRUE.]
Enforcement Algorithm
[Slide figure: the same sub-proofs pf4 = (P0, (TRUE)K0) and pf5 = (P1, (TRUE)K1), but now p3 returns pf3 = (p0, ((pf4)(pf5))K0); p2 forwards (p1, (pf3)K1) to p1, and p1 forwards (p0, (pf3)K0) to p0. Annotation: "pf5 cannot be decrypted!" (pf5 is encrypted under K1 but wrapped inside pf3, which is encrypted under K0).]
Attack by Colluding Principals
[Slide figures, four steps: each query now carries the list of its upstream principals. p0 sends (q0, [p0]) to p1; p1 sends (q1, [p1, p0]) to p2; p2 sends (q2, [p1, p0, p2]) to p3. Security policy: acl(q2) = {p0}. p3 sends q3 to p4, which returns pf4 = (P0, (TRUE)K0), and q4 to p5, which returns pf5 = (P1, (FALSE)K1). p3 returns (p0, ((pf4)(pf5))) to p2, who passes (p1, ((pf4)(pf5))) to p1. Annotation at p1: "q2's result is FALSE".]
Related Work
• Rule-based Authorization
– Cerberus [Al-Muhtadi, Ranganathan, Campbell, Mickunas] PerCom 2003
– [Myles, Friday, Davies] IEEE Pervasive Computing 2003
• Role-based Access Control
– Generalized RBAC [Covington, Ahamad, Srinivasan] SACMAT 2001
– OASIS [Bacon, Moody, Yao] SACMAT 2002
• Trust Management System
– SD3 [Jim] IEEE S&P 2001
Summary
• Distributed authorization system that addresses the issue of confidential rules and facts
• Proof decomposition based on integrity policies
• Recursive encryption facilitates information sharing among principals
• Future work includes the evaluation of the performance and scalability
Questions
Trusted Proof Tree
• A handler principal only returns a proof subtree that satisfies the querier's integrity policies
[Slide figure: the querier sends a query to the handler, and the handler returns a proof.]
First-Responder Scenario
[Slide figure: a first responder sends a request to a situation monitor server. The server issues a role membership query to the role server of the incident management system (labelled as an integrity concern), which in turn issues a role membership query to the role server of the fire department; the server also issues a location query to a location server (labelled as a confidentiality concern). A "Responder Assistance" label also appears on the figure.]
Current Status and Future Work
• Prototype implementation based on XProlog
• Evaluation of the performance and scalability
• User feedback mechanism