Академический Документы
Профессиональный Документы
Культура Документы
Problem: Publishing private data while, at the same time, protecting individual privacy
Sanitization: Automated de-identification of private data with certain privacy guarantees Opposed to formal determination by statisticians requirement of
HIPAA.
Two major research directions 1. Perturbation (e.g. random noise addition) 2. Anonymization (e.g. k-anonymization)
Anonymization: 1.) Removing unique identifiers is not sufficient. 2.) Quasi-identifier (QI) Maximal set of attributes that could help identify individuals
Assumed to be publicly available (e.g., voter registration lists)
As a process
TOOLS
1. Remove all unique identifier
2. Identify QI-attributes, model adversarys background knowledge.
3. Enforce some privacy definition (e.g. k-anonymity)
Multiple k-minimal generalizations may exist E.g., [1,0] and [0,1] from the example
Precision metric indicates the generalization with minimal information loss, maximal
usefulness.
Homogeneity attack
Entropy: Each equivalence class not only must have enough different
sensitive values, but also the different sensitive values must be distributed
evenly enough.
It means the entropy of the distribution of sensitive values in each equivalence class
is at least log(l)
Sometimes this maybe too restrictive. When some values are very common, the
entropy of the entire table may be very low. This leads to the less conservative notion of l-diversity.
Recursive (c,l) diversity: The most frequent value does not appear too frequently
Limitations of L- Diversity:
Privacy of Numeric Queries Via Simple Value Perturbation (The Laplace Mechanism): Differential Privacy
One-Time Password:
Problems: Syncing user / system, Distribution, & Generation of good random
passwords
One-time password scheme based on idea of Lamport using oneway MD5 or
SHA-1.
User chooses seed K, The key generator calculates: h(k) = k1, h(k1) = k2, ,
h(kn1) = kn
Passwords are in reverse order: p1 = kn, p2 = kn1, , pn1 = k2, pn = k1
Attacker gets pi , he would have invert the hash to get the next pi+1
Remember pi = kn-i+1 , pi+1 = kn-i, and h(kn-i) = kn-i+1, we have that h(pi+1) = pi
Cryptograph: Symmetrical
MAC: Message authentication involves hashing the message to produce a "digest," fingerprint and encrypting the digest with the private key to produce
a digital signature. Thereafter anyone can verify this signature by (1) computing the hash of the message, (2) decrypting the signature with the signer's public key,
and (3) comparing the computed digest with the decrypted digest. Remember Encryption doesnt protect against modification.
A hash is a many to one function so collision can happen.
HMAC: One might assume the same security that HMAC provides could be achieved with MAC = H(key message). However, this method suffers from a serious
flaw: with most hash functions, it is easy to append data to the message without knowing the key and obtain another valid MAC ("length-extension attack"). The
alternative, appending the key using MAC = H(message key), suffers from the problem that an attacker who can find a collision in the (unkeyed) hash function
has a collision in the MAC (as two messages m1 and m2 yielding the same hash will provide the same start condition to the hash function before the appended key
is hashed, hence the final hash will be the same). Using MAC = H(key message key) is better, but various security papers have suggested vulnerabilities with
this approach, even when two different keys are used.
No known extensions attacks have been found against the current HMAC specification which is defined as H(key H(key message)) because the outer
application of the hash function masks the intermediate result of the internal hash.
function hmac (key, message)
if (length(key) > blocksize) then
key = hash(key) // keys longer than blocksize are shortened
end if
if (length(key) < blocksize) then
key = key [0x00 * (blocksize - length(key))] // keys shorter than blocksize are zero-padded (where is concatenation)
end if
o_key_pad = [0x5c * blocksize] key // Where blocksize is that of the underlying hash function
i_key_pad = [0x36 * blocksize] key // Where is exclusive or (XOR)
return hash(o_key_pad hash(i_key_pad message)) // Where is concatenation
end function
Asymmetrical
Digital Signatures
RSA
SAML Assertion Statement is the main element which is a package of information (-Authentication (verification) - Attribute: Specify - Authorization decisions)
Identity Provider (IdP): The system, or administrative domain, that asserts information about a subject. Service Provider (SP): The system, or administrative
domain, that relies on information supplied to it by the Identity Provider. It is up to the Service Provider as to whether it trusts the assertions provided to it.
Four main drivers Limitation of browser cookies Single Sign On (SSO) interoperability - Web services: WS security is still being defined - Federation: the
need to simplify identity management across organizational boundaries, allowing users to consolidate many local identities into a single federated identity
Sample SAML Assertion: <saml:Assertion MajorVersion=2" MinorVersion="0"AssertionID="128.9.167.32.12345678" Issuer="Company.com"
IssueInstant="2002-03-21T10:02:00Z"><saml:Conditions NotBefore="2002-03-21T10:02:00Z" NotAfter="2002-03-21T10:07:00Z" /> <saml:AuthnStatement
AuthenticationMethod="password" AuthenticationInstant="2002-03-21T10:02:00Z"> <saml:Subject> <saml:NameIdentifier SecurityDomain="Comany.com"
Name="joeuser" /> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion>
XACML: GOALS: Define a core XML schema for representing authorization and entitlement policies Target - any object - referenced using XML Fine access
control grained control Access control based on subject and object attributes Access control based on the object contents; if the object is not an XML
document, the object attributes can be used Consistent with and building upon SAML
XACML(Key Aspects): General-purpose authorization policy model and XML-based specification language XACML is independent of SAML specification
Triple-based policy syntax: <Object, Subject, Action> Negative authorization is supported Input/output to the XACML policy processor is clearly defined as
XACML context data structure Input data is referred by XACML-specific attribute designator as well as XPath expression Extension points: function,
identifier, data type, rule-combining algorithm, policy-combining algorithm, etc. A policy consists of multiple rules A set of policies is combined by a higher
level policy (PolicySet element)
XACML Protocol: When a client makes a resource request upon a server, the PEP is charged
with AC In order to enforce AC policies, the PEP will formalize the attributes describing the
requester at the PIP and delegate the authorization decision to the PDP Applicable policies are
located in a policy store, managed by the PAP, and evaluated at the PDP, which then returns the
authorization decision Using this information, the PEP can deliver the appropriate response to
the client. 1. The Policy Administration Point (PAP) creates security policies and stores these
policies in the appropriate repository. 2. The Policy Enforcement Point (PEP) performs access
control by making decision requests and enforcing authorization decisions. 3. The Policy
Information Point (PIP) serves as the source of attribute values, or the data required for policy
evaluation. 4. The Policy Decision Point (PDP) evaluates the applicable policy and renders an
authorization decision. Note: The PEP and PDP might both be contained within the same
application, or might be distributed across different servers.
XACML Request: Subject Object Action XACML Response Permit Permit with
Obligations Deny NotApplicable (the PDP cannot locate a policy whose target matches the
required resource) Indeterminate (an error occurred or some required value was missing)
Data Flow Model: 1. PAPs write policies and policy sets and make them available to the PDP.
These policies or policy sets represent the complete policy for a specified target 2. The access
requester sends a request for access to the PEP 3. The PEP sends the request for access to the
context handler in its native request format, optionally including attributes of the subjects,
resource, action and environment 4. The context handler constructs an XACML request
context and send it to the PDP 5. The PDP requests any additional subject, resource, action,
and environment attributes from the context handler 6. The context handler requests the
attributes from a PIP 7. The PIP obtains the requested attributes 8. The PIP returns the
requested attributes to the context handler 9. Optionally, the context handler includes the
resource in the context 10. The context handler sends the requested attributes and (optionally)
the resource to the PDP. The PDP evaluates the policy 11. The PDP returns the response
context (including the authorization decision) to the context handler 12. The context handler
translates the response context to the native response format of the PEP. The context handler
returns the response to the PEP 13. The PEP fulfills the obligations 14. If access is permitted,
then the PEP permits access to the resource; otherwise, it denies access.
XACML Schemas: Request Schema: Request (Subject, Resource, Action), Policy Schema:
PolicySet (Combining Alg) Policy* (Combining Alg) Rule* (Effect) Target Subject* Resource* Action* Environment Effect Condition Obligation*
Policies and PolicySet The key top-level element is the <PolicySet> which aggregates other <PolicySet> elements or <Policy> elements The <Policy> element is
composed principally of <Target>, <RuleSet> and <Obligation> elements and is evaluated at the PDP to yield and access decision. Since multiple policies may be
found applicable to an access decision, (and since a single policy can contain multiple Rules) Combining Algorithms are used to reconcile multiple outcomes into a
single decision The <Target> element is used to associate a requested resource with an applicable Policy. It contains conditions that the requesting Subject,
Resource, or Action must meet for a Policy Set, Policy, or Rule to be applicable to the resource. The Target includes a build-in scheme for efficient
indexing/lookup of Policies. Rules provide the conditions which test the relevant attributes within a Policy. Any number of Rule elements may be used each of
which generates a true or false outcome. Combining these outcomes yields a single decision for the Policy, which may be "Permit", "Deny", "Indeterminate", or a
"NotApplicable" decision.
Policies and Policy Sets: Policy Smallest element PDP can evaluate Contains: Description, Defaults, Target, Rules, Obligations, Rule Combining Algorithm
Policy Set Allows Policies and Policy Sets to be combined Use not required Contains: Description, Defaults, Target, Policies, Policy Sets, Policy References,
Policy Set References, Obligations, Policy Combining Algorithm Combining Algorithms: Deny-overrides, Permit-overrides, Firstapplicable, Only-one-applicable
Policy Element: <RuleSet ruleCombiningAlgId= DenyOverrides> <Rule ruleId=R1> ------- <Rule ruleId=R2> <Rule RuleId=R1 Effect=Permit>
<Target> <Resources> <Subjects> <Actions> <Condition>
Combining Algorithms: Policy & Rule Combining algorithms Permit Overrides: If a single rule permits a request, irrespective of the other rules, the result of the
PDP is Permit Deny Overrides: If a single rule denies a request, irrespective of the other rules, the result of the PDP is deny. First Applicable: The first applicable
rule that satisfies the request is the result of the PDP Only-one-applicable: If there are two rules with different effects for the same request, the result is
indeterminate.
Rules: Smallest unit of administration, cannot be evaluated alone > Elements Description documentation Target select applicable rules Condition
boolean decision function Effect either Permit or Deny Results If condition is true, return Effect value If not, return NotApplicable If error or
missing data return Indeterminate Plus status code.
Target: Designed to efficiently find the policies that apply to a request Makes it feasible to have very complex Conditions Attributes of Subjects, Resources
and Actions Matches against value, using match function Regular expression RFC822 (email) name X.500 name User defined Attributes specified by Id
or XPath expression Normally use Subject or Resource, not both
Rule Element: The main components of the <rule> element are: a <target> the <target> element consists of a set of <resource> elements a set of <action>
elements an environment the <target> element may be absent from a <rule>. In this case the <target> of the rule is the same as that of the parent <policy>
element an <effect> Two values are allowed: Permit and Deny a <condition>
Policy Element: The main components of a <policy> element are: a <target> element the <target> element consists of a set of <resource> elements a set of
<action> elements an environment the <target> element may be declared explicitly or may be calculated; two possible approaches: Make the union of all the
target elements in the inner rules Make the intersection of all the target elements in the inner rules a rule-combining algorithm-identifier a set of <rule>
elements obligations
PolicySet Element: The main components of a <policyset> element are: a <target> a policy-combining algorithm-identifier a set of <policy> elements
obligations.
A Policy Example The Policy applies to requests for the server called SampleServer The Policy has a Rule with a Target that requires an action of "login"
and a Condition that applies only if the Subject is trying to log in between 9am and 5pm. Note that this example can be extended to include other Rules for
different actions. If the first Rule does not apply, then a default Rule is used that always returns Deny (Rules are evaluated in order).
A Policy Example: <Policy PolicyId="SamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combiningalgorithm:permit-overrides"><!-This Policy only applies to requests on the SampleServer --><Target><Subjects> <AnySubject/> </Subjects> <Resources> <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:stringequal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer
</AttributeValue> <ResourceAttributeDesignator DataType=http://www.w3.org/2001/XMLSchema#string
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/></ResourceMatch></Resources><Actions> <AnyAction/> </Actions></Target>
Condition: Boolean function to decide if Effect applies Inputs come from Request Context Values can be primitive, complex or bags Can be specified by id
or XPath expression Fourteen primitive types Rich array of typed functions defined Functions for dealing with bags Order of evaluation unspecified
Allowed to quit when result is known Side effects not permitted
Functions: Equality predicates Arithmetic functions String conversion functions Numeric type conversion functions Logical functions Arithmetic
comparison functions Date and time arithmetic functions Non-numeric comparison functions Bag functions Set functions Higher-order bag functions
Special match functions XPath-based functions Extension functions and primitive types
Request and Response Context: Request Context Attributes of: Subjects requester, intermediary, recipient, etc. Resource name, can be hierarchical
Resource Content specific to resource type, e.g. XML document Action e.g. Read Environment other, e.g. time of request Response Context Resource
ID Decision Status (error values) Obligations
SQL Injection:
Secure Multi-Party Computation (SMC) The goal is computing a function f(x1,x2,.xn) without revealing xi - Semi-Honest Model (Parties follow the protocol) &
Malicious Model (Parties may or may not follow the protocol). We cannot do better then the existence of the third trusted party situation
Generic SMC is too inefficient for PPDDM.
In general, PPDDM protocols depend on few common sub-protocols that can be re-used.
SUBJECT
ACCESS REQUEST
REFERENCE MONITOR
OBJECT
The very nature of access control suggests that there is an active subject requiring access to a passive
object to perform some specific access operation.
A reference monitor grants or denies access
This fundamental and simple notion of access control is due to Lampson.
Subjects can be classified into:
O belongs to a COI from which S has not yet accessed any information.
Initially free to access. Once accessed, builds a Chinese wall around the data set for the user
Read does not avoid indirect data flow. X: a, b. Y: c, b. if X writes to b (data of a to b) Y can read data of a from b (not supposed to happen).
Write Rule: A subject S can write an object O if:
No object has been read by S which is in a different company dataset to the one on which write is performed.
CWP ensures that the flow of information is confined to its own company dataset.
This is restrictive, so, use sanitization to disguise the companys information to mask their identity.
ROLE BASED ACCESS CONTROL (RBAC):
In case of a large system, providing access to each and every user is difficult. Instead, create roles and provide access to roles.
Attach the roles to the users as and when required.
Granting and revoking of user authorizations is greatly simplified.
RBAC models have been shown to be policy-neutral.
Types of RBAC:
Core RBAC or Flat RBAC
Hierarchical RBAC
Constrained RBAC
Core RBAC:
(Permissions = Operations on Objects)
Basics:
USERS, ROLES, OPS, and OBS.
UA USERS X ROLES
assigned_users: (r: ROLES) -> 2USERS
assigned_users(r) = {u USERS | (u, r) UA}
Hierarchical RBAC:
Structuring roles to reflect an organizations line of authority and responsibility.
RH ROLES X ROLES
It has to be irreflexive and acyclic : dominance relation
SEMANTICS:
i. User Inheritance (UI): user authorized for r is also authorized for r where r r.
ii. Permission Inheritance (PI): A role r is authorized for all permissions for which
iii.
DSoD Constraints
INTEGRITY POLICIES:
DATABASE SECURITY:
All Commercial Systems use the DAC model. Currently uses the System R model. .
Whenever a user u executes a Grant operation, the system intersects the delegable privileges of u with the set of privileges specified in the command
if the intersection is empty, the command is not executed.
Ann has SELECT with GRANT and INSERT on the Employee table.
o
Ann: GRANT select, insert ON Employee TO Tim; this statement is partially executed.
REVOKE OPERATION:
ON Relation | View
Types:
Recursive revocation (with time stamp)
Recursive revocation without Time stamp
Non-cascading Revoke
Recursive revoke
(with time stamp):
-takes into account the
time stamps denoting
when the authorization
was provided.
-Variations without
timestamps have been
proposed to avoid
cascading.
Non-Cascading Revoke :
-Recursive can be disruptive.
-The non-cascading revoke allows a user to revoke a
privilege on a table from another user without
entailing automatic revocation of the authorizations
for the privilege on the table the latter may have
granted.
-Instead of deleting the authorizations the revoke may
have granted by using the privilege received by the
revoker, all these authorizations are restated as if
they had been granted by the revoker,
-The semantics of the revocation without cascade of
privilege p on table t from user y by user x is:
To restate with x as grantor all authorizations that y
granted by using the authorization being revoked.
1.
Authorizations on Views:
User creating a view : View Definer
Definer gets the privileges that he has on the base-table on the views.
Also on view semantics.
Operations that cannot be performed on a view is not given as a privilege to the
definer. Eg: alter and index.
Bob: GRANT Select, Insert, Update ON Employee to Tim;
Tim: CREATE VIEW V1 AS SELECT Emp#, Salary FROM Employee;
Tim: CREATE VIEW V2 (Emp#, Annual_Salary) AS SELECT Emp#,
Salary*12 FROM Employee;
Tim can exercise on V1 all privileges he has on relation Employee, that is,
Select, Insert, Update
By contrast, Tim can exercise on V2 only the privileges of Select and Update on
column Emp#;
Most of the commercial DBMSs also support RBAC features (Informix, Sybase,
Oracle). However, in most cases they only supports flat RBAC.
CREATE ROLE role-name IDENTIFIED BY
password |NOT IDENTIFIED;
DROP ROLE role-name;
Example:
CREATE ROLE teller IDENTIFIED BY cashflow;
GRANT teller TO Bob;
GRANT select ON Employee TO teller;
SET ROLE teller IDENTIFIED by cashflow;
SET ROLE ALL [EXCEPT role-name]; it can only be used for roles not requiring
passwords
SET ROLE ALL; SET ROLE ALL EXCEPT banker;
SET ROLE NONE; It disables roles for the current session (*MLR)
AUTHENTICATION:
Reasons for authenticating users:
o The user identity is a parameter in access control decisions
o The user identity is recorded when logging security-relevant events in the audit trail
User has to enter:
User name this step is called identification
Password this step is called authentication (process of verifying a claimed identity)
Authentication System:
(A, C, F, L, S)
A : information that proves identity
C : information stored on computer and used to validate authentication
information
F : complementation function f : A C
L : functions that prove identity
S : functions enabling entity to create, alter information in A or C
Authentication process:
Obtaining the authentication information from an entity
Analyzing the data
Determining if the authentication information is associated with
that entity
Passwords:
Sequence of characters
Examples: 10 digits, a string of letters, etc.
Generated randomly, by user, by computer with user input
Sequence of words
Examples: pass-phrases
Note: A pass-phrase is a sequence of characters that it is too long to be a password
and it is thus turned into a shorter virtual password by the password system.
Algorithms
Examples: challenge-response, one-time passwords