Abstract
Attribute-based access control (ABAC) systems typically enforce pre-authorization, whereby an access decision is made once prior to granting or denying access. This decision utilizes multiple components: the subject's, object's and environment's attribute values as well as the authorization policy. Here, we assume that the policy, object and environment attribute values are known with high assurance while subject attributes are collected incrementally from multiple attribute authorities. This incremental assembly, with differing validity periods for subject attribute values, creates potential for inconsistency leading to incorrect access decisions. This problem was studied in the context of trust negotiation systems by Lee and Winslett (LW), who define four different notions of consistency which are partially ordered in strictness. In this paper, we propose an alternate set of five consistency levels, also partially ordered in increasing strictness. Three of our levels are equivalent to counterparts in LW. The third LW level is differentiated by receive time, to which we are agnostic. Our fifth and highest level is new in that it utilizes request time, which is not recognized in LW. We define the formal specification of each of our consistency levels and identify the properties guaranteed by each level. We discuss the implications of these consistency levels in different practical scenarios and compare our work with related previous research.
Notes
1. Credential lifetimes can range widely from months to seconds. For very short-lived credentials revocation checks may not be useful. For simplicity we consider that for a short-lived credential there is an implicit and successful revocation check at its start. Thus we can uniformly assume there is at least one revocation check by the relying party for each credential that it uses in making an access decision. For long-lived credentials there should be at least one revocation check after start time.
2. Note that start and end times are determined by the AA, while revocation check times are determined by relying party actions.
3. In a risk-based approach it may be acceptable to use expired/revoked credentials, but general use is not recommended.
References
Housley, R., et al.: Internet X.509 public key infrastructure certificate and CRL profile. Technical report (1998)
Iskander, M.K., et al.: Enforcing policy and data consistency of cloud transactions. In: ICDCSW. IEEE (2011)
Kortesniemi, Y., Sarela, M.: Survey of certificate usage in distributed access control. J. Comput. Secur. 44, 16–32 (2014)
Krishnan, R., Niu, J., Sandhu, R., Winsborough, W.H.: Stale-safe security properties for group-based secure information sharing. In: FMSE. ACM (2008)
Krishnan, R., Sandhu, R.: Authorization policy specification and enforcement for group-centric secure information sharing. In: ICISS. Springer (2011)
Lee, A.J., Minami, K., Borisov, N.: Confidentiality-preserving distributed proofs of conjunctive queries. In: ASIACCS. ACM (2009)
Lee, A.J., Minami, K., Winslett, M.: Lightweight consistency enforcement schemes for distributed proofs with hidden subtrees. In: SACMAT. ACM (2007)
Lee, A.J., Winslett, M.: Safety and consistency in policy-based authorization systems. In: CCS. ACM (2006)
Lee, A.J., Winslett, M.: Enforcing safety and consistency constraints in policy-based authorization systems. In: TISSEC. ACM (2008)
Lee, A.J., Yu, T.: Towards quantitative analysis of proofs of authorization: applications, framework, and techniques. In: CSF. IEEE (2010)
OASIS: Security assertion markup language (SAML) v2.0 (2005)
Paci, F., et al.: ACConv–an access control model for conversational web services. In: TWEB. ACM (2011)
Park, J., Sandhu, R.: The UCON\(_{ABC}\) usage control model. In: TISSEC. ACM (2004)
Peisert, S., et al.: Turtles all the way down: a clean-slate, ground-up, first-principles approach to secure systems. In: New Security Paradigms Workshop (2012)
RFC6749: The OAuth 2.0 authorization framework (2012)
Squicciarini, A.C., et al.: Identity-based long running negotiations. In: DIM. ACM (2008)
Steen, M.V., Tanenbaum, A.S.: Distributed Systems (2017)
Tsankov, P., et al.: Fail-secure access control. In: CCS. ACM (2014)
Acknowledgement
This work is partially supported by NSF CREST Grant HRD-1736209 and DoD ARL Grant W911NF-15-1-0518.
A Appendix: Proof of Consistency Levels Equivalencies
In this section we prove our claim that some of our levels are equivalent to those of the LW model. One of the distinctions is that decision time is never equal to revocation check time: we believe these two timestamps cannot be exactly the same, since the decision has to happen after the revocation checks.
A.1 Incremental Levels Equivalency
As seen in Sect. 4.1, for every relevant credential in our incremental level there is at least one point before the decision time at which that credential has been found to be valid. The incremental level in the LW model is satisfied if and only if every credential is valid at its receive time, as follows.
This can be simplified as \( start_{i} \le receive_{i} \le revocation\text{-}check_{i} \le end_{i} \). So there is at least one point in time (the receive time) at which every relevant credential has been found to be valid, which matches our incremental level. Moreover, this revocation check at the receive time can be considered the latest validation. Then we need to show that the revocation check in LW happens before the decision time, as its counterpart does in our model. Although decision time is not considered explicitly in the LW model, revocation checks obviously happen before the decision time, since the receive time cannot occur later than the decision time. So the proof is complete.
A.2 Internal Levels Equivalency
The authors of LW define a view as internally consistent provided all relevant credentials satisfy the following conditions:
The above conditions can be arranged as follows:
Based on our internal specification in Sect. 4.2, all conditions are the same except the last two conditions stated in the LW model, which aim to provide an overlap between the lifetime intervals of all relevant credentials in the view. Lifetime overlap is provided in our model through \(\max_{\forall c_{i} \in V_{DP}^{P,t_d}} start_{i} < \min_{\forall c_{j} \in V_{DP}^{P,t_d}} end_{j}\). Another distinction is the explicit consideration of decision time after all revocation checks. Even though this is not stated in the LW model, it is impossible to take revocation checks after the decision time into account while making the decision, since that would require predicting future states of credentials.
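As an added illustration (not code from the paper), the following Python models a view of subject credentials and evaluates the incremental and internal conditions as stated above: each credential needs a revocation check before decision time t_d at which it was valid, and the internal level additionally requires the lifetime overlap max start_i < min end_j and a decision strictly after every revocation check. Following Note 1 it assumes that a credential with no explicit check was implicitly checked at its start time; the Credential class, the classify_view helper and the sample timestamps are constructed here.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Credential:
    name: str
    start: int                              # validity start, set by the AA (Note 2)
    end: int                                # validity end, set by the AA
    checks: List[int] = field(default_factory=list)  # relying-party revocation checks

    def check_times(self) -> List[int]:
        # Note 1: a short-lived credential with no explicit check is treated as
        # implicitly and successfully checked at its start time.
        return self.checks if self.checks else [self.start]

    def valid_at(self, t: int) -> bool:
        # start_i <= check_i <= end_i: the credential was found valid at time t
        return self.start <= t <= self.end


def incremental_consistent(view: List[Credential], t_d: int) -> bool:
    """Every relevant credential was found valid at some check before t_d."""
    return all(any(c.valid_at(t) and t < t_d for t in c.check_times()) for c in view)


def internal_consistent(view: List[Credential], t_d: int) -> bool:
    """Incremental validity plus lifetime overlap of all credentials
    (max start < min end) and a decision time after every revocation check."""
    if not view or not incremental_consistent(view, t_d):
        return False
    overlap = max(c.start for c in view) < min(c.end for c in view)
    decision_after_checks = all(t < t_d for c in view for t in c.check_times())
    return overlap and decision_after_checks


def classify_view(view: List[Credential], t_d: int) -> str:
    """Name the strictest of the two levels modelled here that the view meets."""
    if internal_consistent(view, t_d):
        return "internal"
    if incremental_consistent(view, t_d):
        return "incremental"
    return "none"


# Constructed sample: lifetimes overlap during [60, 62] and all checks precede t_d = 70.
SAMPLE_VIEW = [
    Credential("role", 0, 100, [10, 50]),
    Credential("clearance", 40, 80, [45]),
    Credential("otp", 60, 62),               # short-lived, implicit check at 60
]
# Constructed sample: each credential was valid when checked, but "project"
# expired before "clearance" started, so there is no common lifetime.
STALE_VIEW = [Credential("role", 0, 100, [10]), Credential("clearance", 40, 80, [45]),
              Credential("project", 0, 30, [20])]

if __name__ == "__main__":
    print(classify_view(SAMPLE_VIEW, 70), classify_view(STALE_VIEW, 70))
```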
A.3 Interval Levels Equivalency
To prove equality of the properties provided by the interval levels in our work and in the LW model, consider their definition of interval consistency for every relevant credential in the view:
We can restate their interval definition as follows:
The following property follows from the above definition:
On the other hand, we can formally deduce the following property from the interval consistency definition in the LW model:
Putting the above properties together results in the following definition. Taking out the receive time, this definition becomes the same as our interval definition.
© 2020 Springer Nature Switzerland AG
Shakarami, M., Sandhu, R. (2020). Safety and Consistency of Subject Attributes for Attribute-Based Pre-Authorization Systems. In: Choo, KK., Morris, T., Peterson, G. (eds) National Cyber Summit (NCS) Research Track. NCS 2019. Advances in Intelligent Systems and Computing, vol 1055. Springer, Cham. https://doi.org/10.1007/978-3-030-31239-8_19
DOI: https://doi.org/10.1007/978-3-030-31239-8_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31238-1
Online ISBN: 978-3-030-31239-8
eBook Packages: Intelligent Technologies and Robotics (R0)