8cd8babdbcbde08f05babac56e33945b.ppt
- Количество слайдов: 22
Towards Usage Control Models: Beyond Traditional Access Control 7 th SACMAT, June 3, 2002 Jaehong Park and Ravi Sandhu Laboratory for Information Security Technology (LIST) George Mason University
Problem Statement n Need for persistent protection of digital information even after dissemination n Recent interest is driven by digital rights management (DRM). Access control and trust management have significant relevance to this problem. Develop a conceptual framework called Usage Control (UCON) for this problem that unifies Traditional Access Control, Trust Management and DRM 2
Related Research n Traditional Access Control n n Trust Management n n to protect computer/information resources by limiting known users’ actions or operations within a closed system. deals with authorization process in distributed systems environment for the access of unknown users Digital Rights Management n mainly focus on intellectual property rights protection 3
UCON Coverage n Protection Objectives n n Confidential information protection IPR protection Privacy protection Protection Architectures n n Server-side reference monitor Client-side reference monitor 4
Control Domain n n Control domain is an area of coverage where rights and usage of rights on digital objects are controlled. Control Domain usually facilitates a kind of reference monitors; n n n Server-side Reference Monitor (SRM) Client-side Reference Monitor (CRM) Server is who provides a digital object and client is who receives/uses the digital object. 5
Control Domain w/ Server-side Reference Monitor (SRM) n SRM n S n O Control domain w/ SRM facilitates a central means to control subject’s usage on objects of the domain on behalf of a provider subject. Subject can be either within same network /organization area or outside the area Digital information can be stored either centrally or locally. n S A Server System Control domain n n If DO can be saved at client side nonvolatile storage, it means the changes on the saved DO doesn’t have to be controlled (only server-side DO is valid) and freely allowed (bank statements). To be centrally controlled, DO always has to be stored at server-side storage. Access control and trust management belong here. 6
Control Domain w/ Client-side Reference Monitor (CRM) n n S n CRM O A Client System n O S No central control authority (SRM) exists. Client-side Reference Monitor (CRM) is to verify access on behalf of provider subject (ex. , author, dept, company, publisher, re-distributor) The control mechanism is likely to be a distributed one. Disseminated digital information can be stored either centrally or locally. n CRM Control domain n If a object is saved at local non-volatile storage, the changes on the object can be controlled (blocked or allowed) DRM belongs here. 7
UCON Model Components 8
Subjects and Objects n Subjects are entities associated with attributes, and hold and exercise certain rights on objects n n n Consumer, Provider, Identifiee subjects n n Attributes: identity, role, credit, membership, security level, etc. Subjects : user, process Identifiee subjects: identified subjects in digital objects that include their privacy-sensitive information. (patients in health care system). Objects n n Objects are entities that subjects hold usage rights on. associated with attributes, either by themselves or together with rights. Privacy non-sensitive vs. privacy sensitive objects Original vs. derivative objects n A derivative object is created in consequence of obtaining or exercising rights on an original object. (usage log, payment information, etc. ) 9
Rights M V 1 1 1 0 1 1 0 1 0 0 n A subject’s privilege on an object n n Rights R = {V, M} n n n V: view, M: modification Control C = {0, 1, } n n Delegation of rights is not covered here 0 : Closed to public, 1 : Open to public, : selective (controlled) 0 < < 1 : openness of control V = {v| v C}, M = {m| m C} Cmv = {(m, v)| m M, v V, m <= v, (1, 1) (m, v), (0, 0) (m, v)} Cmv = {(0, 1), (0, ), ( , 1), ( , )} 10
Rights (cont. ) n C (controlled) is most complicated to implement and 1 (open) will be easiest one. n C 0 C 1 n n C 01 : sample e-book C 0 : e-book/MP 3 distribution, digital library for member only C 1 : member-participated website C : patients information (only authorized doctors can see or update certain patients data) 11
Authorization Rules, Conditions, and Obligations n Authorization Rules n a set of requirements that should be satisfied before allowing access to or use of digital objects n n n Conditions n A set of decision factors that the system should verify at authorization process along with authorization rules before allowing usage of rights on a digital object n n n Rights-related Authorization Rule (RAR) Obligation-related Authorization Rule (OAR) Dynamic condition (stateful) Static condition (stateless) Obligations n A list of mandatory requirements that a subject has to do to obtain or exercise rights on an object. 12
Authorizations in UCON n A 3: w/ cond + obligation n A 1: w/ condition A 2: w/ obligation n A 0: w/ authorization (RAR) n A 0: Traditional Authorizations (traditional access control, trust management, etc. ) belongs here. A 1: This provides finer-grained authorization. A 2: This can provide better enforcement on exercising usage rights for both provider and consumer sides. A 3: DRM’s authorization can be here. 13
A 0: w/ Rights-related Authorization Rule n n Subjects (S), objects (O) and objects with rights (O + R) can be associated with certain attributes (At). In UCON A 0, authorization process can be done in three ways based on the kinds of attributes used in authorization rules (AR). Case 1: R(S, O) = AR(At(S), At(O)) n Case 2: R(S, O) = AR(At(S), At(O + R)) n Case 3: R(S, O) = AR(At(S), At(O + R)) + AR(At(S), At(O)) R(S, O) means a set of authorized rights for S on O. n n 14
MAC, DAC, RBAC, DRM in A 0 n MAC policies in UCON Authorization n n DAC policies in UCON authorization n n R(S, O) = ACL/Capabilities(ID/group. ID(S), ID/group. ID(O)) RBAC in UCON authorization n n R(S, O) = Security. Property(security. Level(S), security. Level(O)) R(S, O) = Constraints(Role(S), Role(O + R)) R(S, O) = Constraints(Role(S), Role(Class(O) + R)) R(S, O) = Constraints(Role(S), Role(O + R)) + Constraints(ID/group. ID(S), ID/group. ID(O)) DRM authorization in UCON n R(S, O) = credit. Compare(Credit(S), Credit(O + R)) 15
A 1 Examples (w/ Conditions) n Conditions are used to restrict a location of usage, time period, frequency, etc. n n n In military system, officers can print certain documents to only on-site printer and during office hours. In digital library system, members can download certain e-books but they are allowed to read the books only on a machine with pre-defined cpu-id. In VOD service, children are allowed to watch one movie per day during daytime only. 16
A 2 Examples (w/ Obligations) n Obligations are what has to be fulfilled for authorizations. n n n In digital library system, users may have to read (click) license agreement or non-disclosure agreements before exercising usage rights. Users may have to provide usage log information after exercising usage rights. Anyone can download free e-books but he has to provide his personal information (by filling out a form). 17
A 3 Examples (w/ Conditions & Obligations) n A consolidated model n n Certain information can be read during office hour and usage log has to be reported. Conditions can be applied for either obligations or authorizations. n n In military, officers are allowed to read certain documents only on-site, but if it’s not office hour, they have to provide usage log information or fill out a access approval code. In digital library, anyone can download free e-books, but if it’s not on-site they have to pay $2 per download. 18
Three sides of UCON Model 19
Reverse UCON n n n n Exercising usage rights on a digital object may create another digital information object (derivative object) that also needs controls for the access to and usage on it (payment info, usage log). The usage control on this derivative object is reverse in its control direction (provider and consumer subjects are changed) and called reverse UCON and the rights called reverse rights. Furthermore, exercising reverse rights on this derivative object may also creates another derivative object and reverse rights on it. Controls and protections on rights and usage of rights on these derivative objects have been hardly recognized/discussed in literature. This is where privacy issues are raised. Adequate controls on derivative objects are required for better privacy treatment. UCON models include both ordinary and reverse UCON Example: MP 3 distribution 20
Reverse UCON Example 21
Conclusions and Future works n n UCON is a a generalized and unified framework that enables controlling usage of digital information for confidential information protection, intellectual property rights protection, and privacy protection in a systematic manner. UCON enables finer-grained controls on usage of digital information even after digital information is disseminated regardless of system (computer or network) environments. The details of the model have to be developed. Delegation and administration issues have to be studied. 22
8cd8babdbcbde08f05babac56e33945b.ppt