
463.

7 Attribute-Based Security Systems


Fariba Khan University of Illinois
With Rakesh Bobba, Omid Fatemieh, Arindam Khan, Carl Gunter, Himanshu Khurana, and Manoj Prabhakaran

Attribute-Based Security Systems

Aim: explain and illustrate attribute-based security systems as an alternative to "classic" access control and encryption
Such systems:
Improve management and formalization
Enable new middleware and applications

Our illustration is based on Attribute-Based Messaging (ABM).

ABM Concept
ABM sends email to parties described in terms of a collection of attributes.
Similar to a listserv, but recipients are determined dynamically using one or more enterprise databases.
An ABM address is a database query.
Ex: female grad students in engineering who have passed their qualifying exams

Advantages
Efficiency: people who do not need an email do not receive it
Ex: all of the faculty on sabbatical

Exclusivity: sensitive messages can target more limited groups
Ex: all tenured faculty serving on conflict of interest committees

Intensionality: often easier to describe recipients than list them
Ex: Smith's attending and ordering physicians

Design Challenges
Access Control: on what attributes should a party be allowed to route?
Ex: All faculty who make more than $150,000/year

Encryption: if the senders do not know their specific recipients, how can they encrypt end-to-end?
Privacy: what should the sender and recipient be allowed to learn?

Implementation, Use, and Management Challenges

Interoperation with existing systems
Webmail easiest
Aim to work with existing Mail User Agents (MUAs) or Mail Transfer Agents (MTAs)
Application integration may be necessary

Efficiency of
Access control decisions
Encryption and key generation

Policies must be easy to manage and use

Approach
Attribute-Based Access Control (ABAC) for access decisions
"Policy specialization" provides attributes that can be used for routing

Attribute-Based Encryption (ABE)
New public key system provides exactly what is needed for end-to-end confidentiality

Comparison
How does "attribute-based" security differ from other approaches?
Access Control Lists (ACLs) and capabilities.
Role-Based Access Control (RBAC)
A role is a bundle of privileges
Activate a role within a session to perform a task
Role hierarchies aid role definitions
Must establish and manage roles

Illustration: "Reflective" Database Access Control

[Figure: Alice, Database, Reflective Access Policy, ACL]

ABA&
Many established ideas for how to use attributes in AC
X.509 attribute certificates
Attributes in dynamic tokens as in Shibboleth
Much implicit use in application servers

New approaches under exploration
Attribute-based ACMs
Trust negotiation
Transaction Datalog (used in our RDBAC design)

ABAC in Practice

Established:
Multi-Level Security (MLS) for military applications
X.509 attribute certificates
Attributes in dynamic tokens as in Shibboleth
Much implicit use in application servers

Under Investigation:
Attribute-based ACMs
Trust negotiation
Transaction Datalog (used in our RDBAC design)

ABE
Ciphertext Policy ABE (CP-ABE)
Attributes are represented as strings
Types are boolean, enumerated, and numerical range

Attribute Authority (AA) issues individual private keys for attributes of each user
Encrypt using "access structure" and public parameters for attributes of readers
Protects against collusion

ABM Addresses
Addresses are disjunctive normal forms
Literals assert equalities or inequalities
Ex: ((Position = Faculty) and (Salary > 150000))
Defines delivery policy

ABM Access Control

Policy specialization: rules use ABAC to determine attributes a party can use in an address
Sending rules <attr, val> :- cond

Any address can be formed with allowed attributes
The sending rules collectively define the address authorization policy
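
Added example, not from the original slides or the ABM project's code: policy specialization, address authorization and address resolution for a disjunctive-normal-form address, in Python. The user records, the rule conditions, the "*" wildcard value and all function names are assumptions made for illustration.

```python
import operator
OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt}

# Constructed enterprise database: user id -> attributes.
USERS = {
    "alice": {"Position": "Faculty", "Dept": "CS", "Salary": 160000},
    "bob":   {"Position": "Faculty", "Dept": "EE", "Salary": 120000},
    "carol": {"Position": "Staff",   "Dept": "CS", "Salary": 70000},
    "dave":  {"Position": "Student", "Dept": "CS", "Salary": 20000},
    "erin":  {"Position": "Staff",   "Dept": "HR", "Salary": 80000},
}

# Sending rules "<attr, val> :- cond"; val "*" (any value) is an assumption.
SENDING_RULES = [
    ("Position", "*", lambda s: s["Position"] in ("Faculty", "Staff")),
    ("Dept", "*", lambda s: s["Position"] in ("Faculty", "Staff")),
    ("Salary", "*", lambda s: s["Position"] == "Staff" and s["Dept"] == "HR"),
    ("Dept", "CS", lambda s: s["Dept"] == "CS"),
]

def routable(sender):
    """Policy specialization: the <attr, val> pairs this sender may route on."""
    attrs = USERS[sender]
    return {(a, v) for a, v, cond in SENDING_RULES if cond(attrs)}

def authorized(sender, address):
    """Address authorization: every literal must use a routable <attr, val>."""
    allowed = routable(sender)
    return all((a, "*") in allowed or (op == "=" and (a, v) in allowed)
               for conj in address for a, op, v in conj)

def resolve(address):
    """Delivery policy: users satisfying at least one conjunction of the DNF."""
    return sorted(u for u, attrs in USERS.items()
                  if any(all(OPS[op](attrs[a], v) for a, op, v in conj)
                         for conj in address))

def send(sender, address):
    """Resolve recipients only after the address itself is authorized."""
    if not authorized(sender, address):
        raise PermissionError(f"{sender} may not route on this address")
    return resolve(address)

# An address is a list of conjunctions; each literal is (attr, op, value).
HIGH_PAID_FACULTY = [[("Position", "=", "Faculty"), ("Salary", ">", 150000)]]
CS_OR_STAFF = [[("Dept", "=", "CS")], [("Position", "=", "Staff")]]

if __name__ == "__main__":
    print(send("erin", HIGH_PAID_FACULTY))   # HR staff may route on Salary
```

Checking the address before resolving it keeps a sender from using delivery (or a bounce) to learn who holds an attribute such as Salary that the sending rules do not let them route on.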

ABM Encryption
AA issues keys using the enterprise database
The "Faculty" attribute has a key
One attribute is for expiry

Disjunctive normal forms define the encryption policy

High Level Architecture

[Figure: User, Web Server, Mail Server [MTA], ABM Server, Policy Decision Point [PDP], Attribute Authority [AA], Database]

Protocol Steps
The protocols for the ABM system are given in terms of three "paths":
Policy specialization path
Messaging and address resolution path
Attribute keying path

Policy Specialization Path

[Figure: Sender, Authentication Server, ABM Server, PDP, Database; links labelled by PS step]

Policy Specialization (PS) Path:
1. Authenticate User
2. User Info. (ID)
3. User Info. (ID)
4. User Attributes
5. User ID and Attributes
6. Routable Attributes
7. Routable Attributes

Messaging and Address Resolution Path

[Figure: Sender, MTA, ABM Server, PDP, Database, Receivers; links labelled by MS and AR step]

Messaging (MS) Path:
1. Send (ABM) message (SMTP)
2. Notify ABM Host
3. Receive (ABM) messages (SMTP)
4. Send resolved messages

Address Resolution (AR) Path:
5. User ID and Authorization
6. Policy Decision
7. ABM Address

Attribute Keying Path

[Figure: Receiver, MTA, AA, Database; links labelled by AK step]

Attribute Keying (AK) Path:
1. User Info. (ID)
2. User Info. (ID)
3. User Attributes
4. User Secret Key
5. Decrypted Email

Efficiency Analysis
Measure costs on each path and try to estimate latencies for mid-size enterprises
Must conjecture the attributes and types of policies that will be used
Implementation uses the CP-ABE library [Bethencourt Sahai Waters 07].

Grammar for Delivery and Address Authorization Rules

Policy Specialization Time

Address Resolution Time - DB

elational @atabase @B Si2e 5Bo. of Users6 6>% 4=% 3>% <=% Av1 Cist Si2e 3=< 7E6 <6D 77 Address esolution Aime )ean E=L &onf. Interval 5ms6 With Access &ontrol 5<D>" 3=E6 5<=3" 3E=6 5<37" 7776 5E>" <766 Without Access &ontrol 5E7" 7376 5D7" 7636 564" <366 537" 466

Address Resolution Time - XDB

F)C @atabase @B Si2e 5Bo. of Users6 6>% 4=% 3>% <=% Av1 Cist Si2e 7ED 46E 7E< <74 Address esolution Aime )ean E=L &onf. Interval 5ms6 With Access &ontrol 56<44" 7E646 53E7>" 47=>6 577D3" 376>6 573>7" 7D4E6 Without Access &ontrol 5=776" 73>66 53=DE" 44==6 57=E3" 3<=76 57>3D" 767D6

Encryption Time

Bumber of elational Citerals > > < Bumber of 38uality Citerals 7 3 4 = 6 >.>=s >.>7s >.>Es >.<7s >.<4s >.<7s 7 <.=3s <.==s <.=7s <.=Es <.6<s <.6=s <.66s 4 3.>>s 3.>=s 3.>Ds 3.>Es 3.<7s 3.<6s 3.<7s 6 4.4Es 4.=6s 4.=6s 4.6>s 4.6<s 4.64s 4.63s

@ecry.tion times avera1ed 3=7ms.

Key Generation Time

Rows: number of Boolean attributes. Columns: number of numerical attributes.

Boolean \ Numerical    0       1       2       3       4       5       6
0                              0.86s   1.67s   2.44s   3.26s   4.05s   4.87s
1                      0.05s   0.87s   1.68s   2.48s   3.28s   4.07s   4.89s
2                      0.07s   0.88s   1.69s   2.49s   3.29s   4.09s   4.92s
3                      0.10s   0.90s   1.70s   2.52s   3.32s   4.12s
4                      0.12s   0.93s   1.73s   2.54s   3.34s
5                      0.20    0.95s   1.76s   2.57s   3.35s
6                      0.17s   0.97s   1.78s

AA Scalability

No. of Users (Thousands)

Str/Num 30/10 24/8 18/6

Window of Vulnerability

Security and Privacy Analysis

Enforcement of policies
S/MIME to authenticate sender to ABM server
Vulnerability windows: could let delivery be a subset of encryption

Component compromise and collusion
MTA or ABM server
Clients

Privacy
What should senders and receivers know?

Related Work
Attribute-Based Addressing for Customer Relation Management [Hoffmann Hurley 99]
Role-Based Messaging [Chadwick et al 04]
ABAC for trust management and credential-based access control
ABE for imposing access controls on external systems

Reference for This Talk

Attribute-Based Messaging: Access Control and Confidentiality, Rakesh Bobba, Omid Fatemieh, Fariba Khan, Arindam Khan, Carl A. Gunter, Himanshu Khurana, and Manoj Prabhakaran. To appear in ACM Transactions on Information and Systems Security (TISSEC).

Other Work on ABAC in Illinois Security Lab

ABAC for RSS feeds applied to CDC health alerts
Reflective Database Control (RDBAC) applied to access control for hospital information systems
Compiling XACML policies for RDBAC [NahidGHO11]
Google "Attribute Based Security and Messaging" for more
http://seclab.illinois.edu/web/projects/61-attribute-based-me

Conclusions
Email messaging based on attributes collected from an enterprise database is feasible and deployable for mid-size enterprises.
Access control policies and encryption are manageable using attribute-based security mechanisms.
Inter-enterprise ABM will work best with a multi-authority ABE technique.

Discussions
Design Challenges for Trinity / HIE
Access control, encryption, privacy?
