8/14/2019 Sac 1 Semantic Access Control
Semantic Access Control
Mariemma Yagüe, Antonio Maña
Computer Science Department
University of Málaga
e-mail: [email protected]

Agenda
- Introduction
- SAC, Semantic Access Control Model
- Semantic Integration of a PMI
- Example
- Implementation
- Conclusions
- Future Work

Traditional Access Control Schemes
DAC, Discretionary Access Control
- Multi-user DBs
  - Reduced number of previously known users.
  - Changes are not frequent.
  - Resources under a unique entity.
- Control based on identity.
  - Rules stating what a user can do or not.

Traditional Access Control Schemes
MAC, Mandatory Access Control
- Military environments
  - High number of users
  - Linear and Static Hierarchical classification.
- Control based on Security Levels.
  - Rules established by a central authority.
  - Definition of Security Levels
  - Allocation of levels to resources and users

Traditional Access Control Schemes
RBAC, Role-based Access Control
- Business. Corporate Intranets.
  - Hierarchical structures.
  - Access Permissions depending on the user position (role) in the hierarchy.
- Control based on roles played
  - Rules establishing permissions of access to roles.
  - Allocation of roles to users.

Open and Distributed Environments
- Heterogeneity: Open Access Control Scheme
- Interoperability: Separation of the Responsibilities of Authorization and Access Control
- Flexibility: Independence of the Application Domain
- Scalability: Completely Distributed Scheme
- Dynamism: Adaptation transparently and automatically

Agenda
- Introduction
- SAC, Semantic Access Control Model
  - Semantic Policy Language
- Semantic Integration of a PMI
- Example
- Implementation
- Conclusions
- Future Work

Basis for a New AC Model
Semantic Modelling
- Semantic Integration of Authorization and Access Control Applications
- Separation of responsibilities of Authorization and Access Control is widely accepted as a Flexible and Interoperable Solution
[Diagram labels: Semantic Modelling; Access Control; Authorization Entities; Semantic Connection]

SAC, Semantic Access Control
PROVIDES
- Schema based on the concept of attribute
- Access based on semantics
- No ambiguity in policies
- Semantic Correctness
- Dynamic Allocation of Policies
- Modularization
- Parameterization
- Reuse
AVOIDS
- Mandatory Previous Subscription
- Mandatory Identification
- Previous Establishment of Elements for the support of access control: Users, Hierarchy, Roles, Groups, Security Classification, ...

Mechanisms in SPL, Semantic Policy Language
- To reduce the AC policies definition complexity: Modularity, Parameterisation and Abstraction.
- Modularity in SPL implies:
  - The separation of specification in three parts:
    - access control criteria
    - allocation of policies to resources
    - semantic information (properties about resources and context)
  - The abstraction of access control components
  - The ability to reuse these access control components

Metadata in SPL
- Metadata applied at different levels:
  - Semantic and contextual validation of access control policies.
  - Dynamic policy allocation and instantiation.
  - Creation of policies
    - For the specification and acquisition of certification rules
  - Management of policies
    - Any change in the authorization rules or the context is detected and the consequences are revealed.

SAC, Semantic Access Control
- Attribute Certificate Based Approach.
- Supported by XML related technologies for metadata.
- Modular Language.
- Policy Composition.
- Parameterised Policies.
- Content-aware access control (content introspection).
- Means for the semantic integration of an external PMI. Authorization becomes interoperable.

Semantic Integration of a PMI
Authentication
- Personal Identity
- Who am I dealing with?
- PUBLIC KEY INFRASTRUCTURE
  - PKI: Certification Authority (CA)
  - Certifies only identity
Authorization
- Role, status, social-economic attributes
- Is she a student of Málaga University?
- Is the client an adult?
- Solution: Attribute Certificates
- PRIVILEGE MANAGEMENT INFRASTRUCTURE
  - PMI: Source of Authorization (SOA)
  - Certifies a set of semantically related attributes

Semantic Integration of a PMI
SOAD Model (Source of Authorization Description)
- Describes the semantics of the certificates issued by the SOA.
- Describes relationships among the certificates and between attributes certified by this SOA and other sources of authorization.
- Helps in the specification of access criteria.
- Enables semantic validation.

Example: ACS DL
- Various Special Interest Groups (SIGs)
- ACS members can be members of the different SIGs, but this is not mandatory.
- ACS publishes journals and newsletters, directly or through the SIGs.
- Newsletters can be accessed by the ACS members and also by people subscribed to them (ACS members or not).
- Journals can be accessed by users subscribed to them, regardless of whether they are members of the ACS or not.
- If the journal is published by a Special Interest Group, all the members of that group can access that journal.
- A special subscription type called Portal grants access to every publication in the digital library.

Example
Role Hierarchy for the ACS Digital Library
[Figure: role hierarchy with nodes a, p, s1, s2, j1, j2, j3, ..., jn, n1, n2, n3, ...]
- A role for each journal
- A role for each newsletter
- SIG1 members can play j2 and j3 roles
- A role for portal
- A role for ACS
- Role structure must be predefined

Policy for Journals
PublicationName
PublicationSOA

Allocation of Policy to Resources
PAS
Journal.xml
http://www.acs.org/
PublicationType Journal
Allocation of policy for journals (Journal.xml) to the ACS journals

Description of TOSEC journals
SRR
http://www.acs.org/Journals/TOSEC/
PublicationName: TOSEC
PublicationSOA: SIGSEC
PublicationType: Journal
Properties for the Instantiation

Policy for the TOSEC journal

Semantics of the Attributes
SOAD of the Interest Group on Security
SIGSEC
- SIGMember: SIGSEC
- Subscription: SIGSECNewsLetter
- Subscription: TOSEC

Semantics of the Attributes
SOAD
SIGMember: SIGSEC
Implies
- Subscription: SIGSECNewsLetter
- Subscription: TOSEC
To be a member of the SIG on Security, SIGSEC, implies the subscription to the SIGSEC newsletters and to the TOSEC journal
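
The ACS example and the SOAD implication above, put together as an added illustration (not code or SPL syntax from the slides): a generic policy is instantiated from the SRR properties of a resource, and presented attributes are expanded with what the SOAD says they imply. The data layout, the function names, the newsletter URL and the "Member" attribute are assumptions; attributes are assumed to come from attribute certificates whose signatures were already verified.

```python
# An attribute is (issuing SOA, name, value). Layout is an assumption.
# SOAD of SIGSEC: SIG membership implies two subscriptions.
SOAD = {
    ("SIGSEC", "SIGMember", "SIGSEC"): [
        ("SIGSEC", "Subscription", "SIGSECNewsLetter"),
        ("SIGSEC", "Subscription", "TOSEC"),
    ],
}

# SRR: properties describing resources (the newsletter entry is constructed).
SRR = {
    "http://www.acs.org/Journals/TOSEC/": {
        "PublicationName": "TOSEC", "PublicationSOA": "SIGSEC",
        "PublicationType": "Journal"},
    "http://www.acs.org/Newsletters/SIGSEC/": {
        "PublicationName": "SIGSECNewsLetter", "PublicationSOA": "SIGSEC",
        "PublicationType": "Newsletter"},
}

PORTAL = ("ACS", "Subscription", "Portal")
ACS_MEMBER = ("ACS", "Member", "ACS")  # hypothetical attribute name

def closure(attrs):
    """Expand presented attributes with everything the SOADs say they imply."""
    seen, todo = set(), list(attrs)
    while todo:
        attr = todo.pop()
        if attr not in seen:
            seen.add(attr)
            todo.extend(SOAD.get(attr, []))
    return seen

def instantiate(url):
    """Allocate a policy by PublicationType and fill its parameters from the SRR.

    Returns the set of attributes of which any one grants access.
    """
    if not url.startswith("http://www.acs.org/") or url not in SRR:
        return set()  # no policy allocated: deny by default
    props = SRR[url]
    if props["PublicationType"] not in ("Journal", "Newsletter"):
        return set()
    accepted = {PORTAL,
                (props["PublicationSOA"], "Subscription", props["PublicationName"])}
    if props["PublicationType"] == "Newsletter":
        accepted.add(ACS_MEMBER)  # newsletters are also open to ACS members
    return accepted

def can_access(attrs, url):
    return bool(closure(attrs) & instantiate(url))
```

No role for SIGSEC members has to be predefined: the journal policy only names a subscription, and the SOAD supplies the link from membership to that subscription. A subscription attribute issued by a different SOA than the resource's PublicationSOA does not match.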

Example Conclusions
- The RBAC model has problems adapting to changes.
  - Administrative overload.
- Not every problem is easily modelled using RBAC.
- The SAC model makes it possible to express complex access control situations in a more natural and simple way.
  - Simple, generic, reusable, dynamically instantiated specifications.
- The semantic integration of external authorization entities provides additional advantages to SAC.

Agenda
- Introduction
- SAC, Semantic Access Control Model
- Semantic Integration of a PMI
- Example
- Implementation
  - Management Mechanisms in SAC
  - Integration Mechanism of the PMI
- Conclusions
- Future Work

Administration
- One of the main objectives of the SAC model is the ease of administration.
  - Validation of the semantic and contextual correctness.
  - Reuse of components.
  - Ease of implementation.
- Administrator Supporting tools.
  - Integrated environment with smart and visual editing, syntactic and semantic validation, change control, ...
- Authorization Management.
  - SOADs Client

Administration
[Screenshot: Environment Window of the Policy Assistant. Panel labels: Results Information; SPL Policies, PAS & SRR; Policy Summary]

Administration
[Screenshots: Context Sensitive Edition; Change Control]

Semantic Integration of PMI
- SOADs Management at the server and client side
  - Publication / Localization
  - History
  - Expiry
  - Editing on the server and the client side.

Semantic Integration of a PMI
[Screenshots: SOADs Management System; SOADs Client]

Conclusions
- Semantic Integration of Applications of Authorization and Access Control.
- Access Control Model based on semantics of the contents and the application context.
- High level of Interoperability, Scalability, Flexibility, Adaptability, Applicability.
- Semantic Soundness.
- Ease of Administration.
- Avoids the registration phase.

Future Work
- Delegation
  - To maintain the control over the delegation process.
  - Establish semantics of the delegation.
- DRM
  - Extension of SPL to express rights over digital contents.
  - Inclusion of new DRM functions in the XSCD infrastructure.
- Application of SAC to new environments.

Semantic Access Control
Presented by: Mariemma Yagüe
Computer Science Department
University of Málaga
e-mail: [email protected]
Thank you for your attention ;-)