67
The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University www.list.gmu.edu

The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

The OM-AM Framework andRole-Based Access Control

Prof. Ravi SandhuGeorge Mason University

www.list.gmu.edu

Page 2: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

2© Ravi Sandhu 2000

AUTHORIZATION, TRUST AND RISK

u Information security is fundamentallyabout managing l authorization andl trust

so as to manage risk

Page 3: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

3© Ravi Sandhu 2000

THE OM-AM WAY

ObjectivesModel

ArchitectureMechanism

What?

How?

Assurance

Page 4: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

4© Ravi Sandhu 2000

LAYERS AND LAYERS

u Multics ringsu Layered abstractionsu Waterfall modelu Network protocol stacksu OM-AM

Page 5: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

5© Ravi Sandhu 2000

OM-AM AND MANDATORY ACCESSCONTROL (MAC)

What?

How?

No information leakageLattices (Bell-LaPadula)

Security kernelSecurity labels

Assurance

Page 6: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

6© Ravi Sandhu 2000

OM-AM AND DISCRETIONARYACCESS CONTROL (DAC)

What?

How?

Owner-based discretionnumerousnumerous

ACLs, Capabilities, etc

Assurance

Page 7: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

7© Ravi Sandhu 2000

OM-AM AND ROLE-BASED ACCESSCONTROL (RBAC)

What?

How?

Policy neutralRBAC96

user-pull, server-pull, etc.certificates, tickets, PACs, etc.

Assurance

Page 8: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

Role-Based Access ControlThe RBAC96 Model

Page 9: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

9© Ravi Sandhu 2000

ROLE-BASED ACCESSCONTROL (RBAC)

u A user’s permissions are determinedby the user’s rolesl rather than identity or clearancel roles can encode arbitrary attributes

u multi-facetedu ranges from very simple to very

sophisticated

Page 10: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

10© Ravi Sandhu 2000

RBAC SECURITYPRINCIPLES

u least privilegeu separation of dutiesu separation of administration and

accessu abstract operations

Page 11: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

11© Ravi Sandhu 2000

RBAC96IEEE Computer Feb. 1996

u Policy neutralu can be configured to do MAC

l roles simulate clearances (ESORICS 96)

u can be configured to do DACl roles simulate identity (RBAC98)

Page 12: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

12© Ravi Sandhu 2000

RBAC CONUNDRUM

u turn on all roles all the timeu turn on one role only at a timeu turn on a user-specified subset of

roles

Page 13: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

13© Ravi Sandhu 2000

RBAC96 FAMILY OFMODELS

RBAC0BASIC RBAC

RBAC3ROLE HIERARCHIES +

CONSTRAINTS

RBAC1ROLE

HIERARCHIES

RBAC2CONSTRAINTS

Page 14: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

14© Ravi Sandhu 2000

RBAC0

ROLES

USER-ROLEASSIGNMENT

PERMISSION-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

Page 15: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

15© Ravi Sandhu 2000

PERMISSIONS

u Primitive permissionsl read, write, append, execute

u Abstract permissionsl credit, debit, inquiry

u System permissionsl auditor, operator, back-up operator

Page 16: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

16© Ravi Sandhu 2000

USERS

u Users arel human beings orl other active agents

u Each individual should be known asexactly one user

Page 17: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

17© Ravi Sandhu 2000

RBAC1

ROLES

USER-ROLEASSIGNMENT

PERMISSION-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

Page 18: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

18© Ravi Sandhu 2000

HIERARCHICAL ROLES

Health-Care Provider

Physician

Primary-CarePhysician

SpecialistPhysician

Page 19: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

19© Ravi Sandhu 2000

HIERARCHICAL ROLES

Engineer

HardwareEngineer

SoftwareEngineer

SupervisingEngineer

Page 20: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

20© Ravi Sandhu 2000

PRIVATE ROLES

Engineer

HardwareEngineer

SoftwareEngineer

SupervisingEngineer

HardwareEngineer’

SoftwareEngineer’

Page 21: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

21© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

Page 22: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

22© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

Page 23: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

23© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

Page 24: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

24© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

Page 25: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

25© Ravi Sandhu 2000

RBAC3

ROLES

USER-ROLEASSIGNMENT

PERMISSIONS-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

CONSTRAINTS

Page 26: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

26© Ravi Sandhu 2000

CONSTRAINTS

u Mutually Exclusive Rolesl Static Exclusion: The same individual

can never hold both rolesl Dynamic Exclusion: The same

individual can never hold both roles inthe same context

Page 27: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

27© Ravi Sandhu 2000

CONSTRAINTS

u Mutually Exclusive Permissionsl Static Exclusion: The same role should

never be assigned both permissionsl Dynamic Exclusion: The same role can

never hold both permissions in thesame context

Page 28: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

28© Ravi Sandhu 2000

CONSTRAINTS

u Cardinality Constraints on User-RoleAssignmentl At most k users can belong to the rolel At least k users must belong to the rolel Exactly k users must belong to the role

Page 29: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

29© Ravi Sandhu 2000

CONSTRAINTS

u Cardinality Constraints onPermissions-Role Assignmentl At most k roles can get the permissionl At least k roles must get the permissionl Exactly k roles must get the permission

Page 30: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

Administrative RBACARBAC97

Page 31: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

31© Ravi Sandhu 2000

SCALE AND RATE OFCHANGE

u roles: 100s or 1000su users: 1000s or 10,000s or moreu Frequent changes to

l user-role assignmentl permission-role assignment

u Less frequent changes forl role hierarchy

Page 32: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

32© Ravi Sandhu 2000

ADMINISTRATIVE RBAC

ROLES

USERS

PERMISSIONS

...

ADMINROLES

ADMINPERMISSIONS

CAN-MANAGE

Page 33: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

33© Ravi Sandhu 2000

ARBAC97 DECENTRALIZES

u user-role assignment (URA97)u permission-role assignment (PRA97)u role-role hierarchy

n groups or user-only roles (extend URA97)n abilities or permission-only roles (extend PRA97)n UP-roles or user-and-permission roles (RRA97)

Page 34: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

34© Ravi Sandhu 2000

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

Page 35: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

35© Ravi Sandhu 2000

EXAMPLE ADMINISTRATIVEROLE HIERARCHY

Senior Security Officer (SSO)

Department Security Officer (DSO)

Project SecurityOfficer 1 (PSO1)

Project SecurityOfficer 2 (PSO2)

Page 36: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

36© Ravi Sandhu 2000

URA97 GRANT MODEL:can-assign

ARole Prereq Role Role RangePSO1 ED [E1,PL1)PSO2 ED [E2,PL2)DSO ED (ED,DIR)SSO E [ED,ED]SSO ED (ED,DIR]

Page 37: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

37© Ravi Sandhu 2000

URA97 GRANT MODEL :can-assign

ARole Prereq Cond Role RangePSO1 ED [E1,E1]PSO1 ED & ¬ P1 [Q1,Q1]PSO1 ED & ¬ Q1 [P1,P1]PSO2 ED [E2,E2]PSO2 ED & ¬ P2 [Q2,Q2]PSO2 ED & ¬ Q2 [P2,P2]

Page 38: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

38© Ravi Sandhu 2000

URA97 REVOKE MODEL :can-revoke

ARole Role RangePSO1 [E1,PL1)PSO2 [E2,PL2)DSO (ED,DIR)SSO [ED,DIR]

Page 39: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

39© Ravi Sandhu 2000

URA97 REVOKE MODEL

u WEAK REVOCATIONl revokes explicit membership in a rolel independent of who did the assignment

u STRONG REVOCATIONl revokes explicit membership in a role and its

seniorsl authorized only if corresponding weak

revokes are authorized

Page 40: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

40© Ravi Sandhu 2000

PERMISSION-ROLEASSIGNMENT

u dual of user-role assignmentu can-assign-permission

can-revoke-permissionu weak revoke strong revoke (propagates down)

Page 41: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

41© Ravi Sandhu 2000

PERMISSION-ROLE ASSIGNMENTCAN-ASSIGN-PERMISSION

ARole Prereq Cond Role RangePSO1 PL1 [E1,PL1)PSO2 PL2 [E2,PL2)DSO E1 ∨∨ E2 [ED,ED]SSO PL1 ∨∨ PL2 [ED,ED]SSO ED [E,E]

Page 42: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

42© Ravi Sandhu 2000

PERMISSION-ROLE ASSIGNMENTCAN-REVOKE-PERMISSION

ARole Role RangePSO1 [E1,PL1]PSO2 [E2,PL2]DSO (ED,DIR)SSO [ED,DIR]

Page 43: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

43© Ravi Sandhu 2000

ARBAC97 DECENTRALIZES

u user-role assignment (URA97)u permission-role assignment (PRA97)u role-role hierarchy

n groups or user-only roles (extend URA97)n abilities or permission-only roles (extend PRA97)n UP-roles or user-and-permission roles (RRA97)

Page 44: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

44© Ravi Sandhu 2000

Range Definitions

Range

Create Range

Encap. Range

AuthorityRange

Page 45: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

RBAC ARCHITECTURES

Page 46: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

46© Ravi Sandhu 2000

OM-AM AND ROLE-BASED ACCESSCONTROL (RBAC)

What?

How?

Policy neutralRBAC96

user-pull, server-pull, etc.certificates, tickets, PACs, etc.

Assurance

Page 47: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

47© Ravi Sandhu 2000

CLASS I SYSTEMSENFORCEMENT ARCHITECTURE

Client Server

Page 48: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

48© Ravi Sandhu 2000

CLASS I SYSTEMSADMINISTRATION ARCHITECTURE

AdministrativeClient

Server2

Server1

ServerN

AuthorizationCenter

Page 49: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

49© Ravi Sandhu 2000

CLASS II SYSTEMSSERVER-PULL

Client Server

AuthorizationServer

AuthenticationServer

Page 50: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

50© Ravi Sandhu 2000

CLASS II SYSTEMSUSER-PULL

Client Server

AuthorizationServer

AuthenticationServer

Page 51: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

51© Ravi Sandhu 2000

CLASS II SYSTEMSPROXY-BASED SYSTEMS

Client ServerProxy

AuthenticationServer

AuthorizationServer

Page 52: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

52© Ravi Sandhu 2000

RBAC MECHANISMS

u These architectures can besupported by means ofl X.509 certificatesl Secure cookiesl Etc.

u Different links can be protected bydifferent means

Page 53: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

53© Ravi Sandhu 2000

Related Technologies

u Cookiesl in widespread current use for maintaining

state of HTTPl becoming standardl not secure

u Public-Key Certificates (X.509)l support security on the Web based on PKIl standardl simply, bind users to keysl have the ability to be extended

Page 54: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

54© Ravi Sandhu 2000

Cookies

Page 55: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

55© Ravi Sandhu 2000

Security Threats to Cookies

u Cookies are not securel No authenticationl No integrityl No confidentiality

u can be easily attacked byl Network Security Threatsl End-System Threatsl Cookie Harvesting Threats

Page 56: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

56© Ravi Sandhu 2000

Secure Cookies on the Web

Page 57: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

57© Ravi Sandhu 2000

A Set of Secure Cookies

Page 58: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

58© Ravi Sandhu 2000

How to Use Secure Cookies

Page 59: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

59© Ravi Sandhu 2000

X.509 Certificate

u Digitally signed by a certificate authorityl to confirm the information in the certificate

belongs to the holder of the correspondingprivate key

u Contentsl version, serial number, subject, validity period,

issuer, optional fields (v2)l subject’s public key and algorithm info.l extension fields (v3)l digital signature of CA

u Binding users to keysu Certificate Revocation List (CRL)

Page 60: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

60© Ravi Sandhu 2000

X.509 Certificate

Page 61: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

61© Ravi Sandhu 2000

Smart Certificates

u Short-Lived Lifetimel More secure

n typical validity period for X.509 is months(years)

n users may leave copies of the correspondingkeys behind

n the longer-lived certificates have a higherprobability of being attacked

l No Certificate Revocation List (CRL)n simple and less expensive PKI

Page 62: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

62© Ravi Sandhu 2000

Smart Certificates

u Containing Attributes Securelyl Web servers can use secure attributes for their

purposesl Each authority has independent control on the

corresponding informationn basic certificate (containing identity information)n each attribute can be added, changed, revoked, or re-

issued by the appropriate authority– e.g., role, credit card number, clearance, etc.

l Short-lived certificate can remove CRLs

Page 63: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

63© Ravi Sandhu 2000

Separate CAs in a Certificate

Page 64: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

64© Ravi Sandhu 2000

Smart Certificates

u Postdated Certificatesl The certificate becomes valid at some time in

the futurel possible to make a smart certificate valid for a

set of durationl supports convenience

u Confidentialityl Sensitive information can be

n encrypted in smart certificates– e.g. passwords, credit card numbers, etc.

Page 65: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

65© Ravi Sandhu 2000

A Smart Certificate

Page 66: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

66© Ravi Sandhu 2000

Applications of Smart Certificates

u On-Duty Controlu Compatible with X.509u User Authenticationu Electronic Transactionu Eliminating Single-Point Failureu Pay-per-Accessu Attribute-based Access Control

Page 67: The OM-AM Framework and Role-Based Access Control · 2018-09-27 · The OM-AM Framework and Role-Based Access Control Prof. Ravi Sandhu George Mason University . edu

67© Ravi Sandhu 2000

OM-AM AND ROLE-BASED ACCESSCONTROL (RBAC)

What?

How?

Policy neutralRBAC96

user-pull, server-pull, etc.certificates, tickets, PACs, etc.

Assurance