Check out the new USENIX Web site.


LISA '05 Paper    [LISA '05 Technical Program]

Administering Access Control in Dynamic Coalitions

Rakesh Bobba[Note 1] - NCSA, University of Illinois, Urbana-Champaign, IL
Serban Gavrila - VDG Inc., Chevy Chase, MD
Virgil Gligor - University of Maryland, College Park, MD
Himanshu Khurana - NCSA, University of Illinois, Urbana-Champaign, IL
Radostina Koleva - University of Maryland, College Park, MD

Pp. 249-261 of the Proceedings of LISA '05: Nineteenth Systems Administration Conference,
(San Diego, CA: USENIX Association, December 2005).

Abstract

Dynamic coalitions enable autonomous domains to achieve common objectives by sharing resources based on negotiated resource-sharing agreements. A major requirement for administering dynamic coalitions is the availability of a comprehensive set of access control tools. In this paper we discuss the design, implementation, evaluation, and demonstration of such tools. In particular, we have developed tools for negotiating resource-sharing agreements, access policy specification, access review, wholesale and selective distribution and revocation of privileges, and policy decision and enforcement.

Introduction

In various collaborative environments such as alliances for research and development, health care, airline route management, public emergency response, and military joint task forces, autonomous domains form coalitions to achieve common objectives by sharing resources (e.g., objects and applications). Coalition resources may be privately or jointly administered and resource sharing is achieved by the distribution of permissions for coalition resources to coalition members based on negotiated resource-sharing agreements, or common access states. These coalitions are dynamic in that member domains may leave or new domains may join after coalition establishment. The focus of this work is on providing tools for administering access control in such coalitions.

Consider the following example of a coalition. Initially, three DoD/Intelligence domains form a coalition to respond to a threat situation relating to national security (e.g., monitoring transport of nuclear material, activities of terrorist groups). Examples of such domains can be Defense Intelligence Agency (DIA), National Security Agency (NSA), Defense Threat Reduction Agency (DTRA) and Central Intelligence Agency (CIA). These three domains decide to share privately owned resources (e.g., NSA shares a database of intercepted communication and the CIA shares intelligence reports) as well as jointly administered resources (e.g., integrated intelligence data and operation reports). Jointly administered resources are typically critical to coalition objectives and remain with the coalition even after the departure of member domains [16]. Access to jointly administered resources is one of the benefits individual domains derive from their membership in the coalition.

To obtain assistance from local authorities for a specific threat the DoD/Intelligence domains invite a civilian domain, say the Threat/Emergency Response Division of County C, to join the coalition. Upon resolution of the specific threat, County C leaves the coalition. Such domain join and leave events should not require the breakdown and setup of coalitions from scratch. Instead, access control tools must support dynamic domain joins and leaves - Dynamic Coalitions (DC) - in a seamless manner with ease and efficiency.

In this example, all four domains are collaborating to achieve a common objective (i.e., addressing threats to national security) that is desired by all domains and achievable by none of them individually. To achieve the common objective, each domain has a set of resources that are of interest to the others and is willing to share some or all of its resources with some or all of the other members.

It is important to note that the domains may not be willing to share these resources in the absence of this common objective; e.g., the DoD domains may be competitors for military tasks and would compete based on their available resources. Resource sharing by a domain with other domains means that the domain (administrator) grants access privileges for the resource being shared to the other domains. The sharing relationships among these domains are defined by the access state of the coalition. An access state is defined by the permissions each member domain has to the shared resources of that coalition.

Thus negotiating a common access state (CAS) means obtaining the agreement of each domain to share some of its data and applications with the other domains of the coalition. In addition, a CAS[Note 2] of a coalition may include some jointly owned resources created during coalition operations, and a common policy for accessing these resources must also be negotiated.

The negotiation result is not merely a union of the contributed resources necessary to achieve a coalition objective. Instead, the negotiated CAS must satisfy both resource and permission constraints. In this work we consider all constraints that arise in the Role-Based Access Control (RBAC) model [8, 9, 10, 2]. For example, when the DoD domains initially form a coalition they may agree on a obligation constraint that requires at least one user from each domain to have administrative privileges for jointly administered resources.

Typically, these constraints arise from coalition objectives, access policies that are either jointly or privately enforced by autonomous domains, and resource-access requirements of coalition applications. The specification of negotiation constraints is an important part of any access-policy specification and drives the negotiation process; e.g., it determines the number of negotiation rounds and the convergence to and commitment of CAS. Hence, it must be defined in a precise manner [17].

A typical negotiation for this example would begin with the three DoD domains joining the coalition, specifying negotiation constraints, contributing resources that they are willing to share, proposing desired CAS, voting on the proposals based on satisfaction of constraints and extra-technological preferences, and committing to an agreed proposal. This negotiation process would be repeated when the civilian domain joins and leaves the coalition. Since the number of objects being negotiated and the number of rounds of negotiation could be large even in this small example, the negotiation process would be time-consuming and error-prone if undertaken manually. (In large coalitions such as those compromising tens of domains sharing hundreds of resources [22] this point is further emphasized.) Consequently, tools that fully (or at least partially) automate the negotiation process are needed. Automated negotiation tools would enable domain administrators to easily compose proposals for a CAS, verify that these proposals satisfy negotiation constraints, and commit them to production systems once agreed upon. Furthermore, for large-sized coalitions tools that enable administrators to visualize the CAS and to administer coalition resources via a graphical interface are very helpful.

In addition, access review tools are needed that would enable individual domains to review their local access state and verify that the state is secure prior to negotiation; i.e., that the state satisfies all local domain access policies. Based on this review, domains would be able to contribute resources to the coalition and compose proposals for CAS. Furthermore, access review for coalition resources may be undertaken at any point in time after coalition setup to (1) view the CAS along desired lines (e.g., subject permissions for a specific application, application access to specific objects), and (2) verify satisfaction of policies and constraints (e.g., Separation-of-Duty (SOD) policies, obligation constraints).

Once the CAS has been negotiated, tools that provide wholesale, selective distribution and revocation of access privileges are needed. Tools for wholesale distribution/revocation are needed as privileges must be granted to/revoked from all users of joining/leaving domains. Granting/revoking privileges to individual users would place undue overhead on administrators and, more importantly, would make it difficult to support coalitions where duration of domain membership could be smaller than coalition setup times using today's deployed technologies (e.g., weeks or months). Tools for selective distribution/revocation are needed as the tools must selectively target users of specific domains. One cannot, for example, exclude a member domain simply by modifying CA trust relations because those trust relations may be needed to share resources with that domain as part of another coalition.

There exists a need for coalitions in the commercial world as well as in government settings. What follows are two examples of commercial coalitions, taken from [15, 17]. First, consider a genetics research firm that discovers a gene sequence associated with a disease and establishes a coalition with a pharmaceutical company, two research hospitals and a Food and Drug Administration review board (FDA board) to find a cure using the gene sequence. Each domain shares some of its local resources with the coalition partners to achieve the coalition objective; e.g., the genetics firm contributes its gene sequence database, the pharmaceutical company provides a drug composition tool, the hospitals support clinical trials and give access to their patient databases (while preserving patient privacy by withholding sensitive patient information such as name, social security number, etc.), and the FDA review board shares a database of safety regulations. Given the impact of finding a cure, the coalition decides to jointly administer an application for remote consultation and drug analysis. This remote consultation and drug analysis application relies on a jointly administered secure group communication service. As coalition operations proceed, member domains may leave and new domains may join the coalition.

Another example of a coalition would be airline companies that collaborate to share various types of airlines routes in order to expand their market coverage. Sharing an individual route of a certain type implies that the airline domain that owns the route grants access permissions required to execute the route applications (e.g., reservations, billing, advertising) for that route to users of a foreign airline domain. Domains share routes (private resources) and may choose to jointly administer an auditing application that ensures adherence to coalition policies; e.g., policies on multi-hop route pricing and frequent flyer mile programs. As the coalition proceeds airline partners may leave or join the coalition.

In this paper we describe a suite of access control tools that we have developed for supporting dynamic coalitions. The tools employ the RBAC model and have been implemented in the Windows 2000 Server environment using Java. We have extended[Note 3] an existing RBAC tool, called Multi-Domain Role Control Center (MDRCC), to provide access policy negotiation (i.e., CAS negotiation), specification, and review. The extended tool, MDRCC (Multi Domain Role Control Center), has been integrated with the Windows Active Directory for instantiating a negotiated CAS and to provide a Policy Decision Point (PDP) for resource providers. MDRCC provides a policy visualization language and a Graphical User Interface (GUI) that enables domain administrators to have a common view of coalition operations and to administer those operations directly from the interface. MDRCC has been integrated with an Attribute Certificate Authority (ACA) to provide wholesale, selective distribution and revocation of privileges. We use the Windows IIS web server as an example of a resource provider that enforces access policies for shared web pages. We have conducted experiments with our tools to show that they scale to support reasonable size dynamic coalitions and provide results of these experiments. We demonstrated the tools at Joint Warrior Interoperability Demonstration (JWID) 2004 and obtained valuable feedback.

The rest of this paper is organized as follows: We discuss related work, present the architecture of our system and discuss the salient features on our access control tools, describe the implementation of the tools, present experimental results, discuss lessons learned, and then conclude.

Related Work

Access control in distributed systems, in general, and in DCs, in particular has been extensively studied in the past. However, to the best of our knowledge ours is the first complete set of tools for access control in DCs that provide (1) support for negotiating access policies among domains for coalition set up, (2) wholesale selective distribution and revocation of privileges, (3) access review capabilities, and (4) support for jointly administering coalition critical resources.

Access Control in Dynamic Coalitions

The Secure Virtual Enclaves (SVE) [23] infrastructure allows multiple organizations to share resources while retaining organizational autonomy over local resources. SVE provides tools for (1) access policy specification via RBAC and (2) policy decision and enforcement via Access Calculators and Interceptor/Enforcers respectively. The SVE infrastructure is implemented in Java. Java RMI is used for intra-enclave communication and Ensemble group communication via JavaGroups Interface is used for inter-enclave communication. Resources in SVE are distributed applications based on Java RMI, Microsoft DCOM, Sun's Java Web Server and Microsoft's IIS.

The Yalta system [24] enables secure tuplespaces distributed across administrative domains. A tuplespace is a content-addressable shared memory. Entities in Yalta share information through a shared tuplespace that is distributed across administrative domains. Yalta provides for policy specification via Java's policy objects, policy decision and enforcement via Java Authentication and Authorization Service(JAAS) interface, and privilege distribution and revocation via a threshold CA and a Certificate Revocation Notification (CRN) service respectively. Tuplespaces in Yalta are implemented using JavaSpaces. The threshold CA is implemented in Java using the Yalta JCE provider, which, in turn, is implemented using Jini and Java RMI over SSL.

dRBAC [7] is a decentralized trust management and access control mechanism. The supporting infrastructure is implemented in Java and enables resource sharing across administrative domains. The tools provide for policy specification via RBAC, and provide privilege distribution and revocation and policy enforcement via a distributed network of wallets.

However, none of the above work (SVE, Yalta and dRBAC) provide tools for negotiating access policies, wholesale and selective distribution and revocation of privileges, reviewing access policy and joint administration of resources.

Phillips, et al. [21], describe a security model and enforcement framework that controls access to APIs of software that operate in a distributed environment running middleware like JINI or CORBA. The framework provides tools for policy specification via RBAC, policy decision and enforcement and privilege distribution and revocation via Unified Security Resource (USR). USR is a set of middleware resources (JINI and CORBA) that manage all mandatory access control (MAC) and RBAC meta-data for users, user roles and resources. However, the framework uses password based authentication that might cause longer coalition set up times. This work provides tools for access review but does not provide tools for negotiating access policies, jointly administering resources or wholesale selective distribution and revocation of privileges.

TrustBuilder [25] addresses the problem of credential negotiation for trust establishment between clients and resource servers. This work assumes extra-technological resource sharing agreement between domains and deals only with credential negotiation. This would not scale well in large coalitions where users have to negotiate credentials on every access. In our work we facilitate multi-party negotiations between domains to come up with resource sharing agreements and policies for member domains to gain access to those resources.

Access Control in Distributed Systems

Though the following work doesn't deal with coalitions explicitly, it is relevant to our work. Herzberg et al. [11] presents a Trust Policy Language (TPL) that allows organizations to define policies that map users to roles based on credentials presented by the user and those automatically retrieved by the system from credential repositories. RT [19] is a family of Role-Based Trust Management languages for representing policies and credentials in distributed authorization. KeyNote [4] is a decentralized trust management system that provides policy specification via PolicyMaker, policy decision via Keynote policy interpreter that takes the application's policy and credentials presented in the request and outputs a decision. It de-couples the application logic from access policy and authorization logic. The RBAC model employed by RCC may have fewer features when compared with TPL, RT, KeyNote, and dRBAC. However, RCC has an implementation that provides support for easy constraint specification and verification and an intuitive GUI for policy specification, visualization and administration.



Figure 1: Architecture for access control in dynamic coalitions.

Architecture and Access Control Tools

In Figure 1, we outline the architecture for administration of access control in a dynamic coalition comprising of two domains - which can easily be extended to n domains. We assume that each autonomous domain has its own Identity Certificate Authority (CA) that distributes identity certificates to users registered in that domain, and a container of users, resources (objects, applications), and privileges. To participate in the coalition each domain (administrator) installs the Coalition Resource Management (CRM) toolkit that consists of MDRCC, an Attribute CA, and a Secure Group Communication (SGC) toolkit. MDRCC provides specification of access control policies in the RBAC model, partially automated negotiation of the CAS, a visual common view of coalition operations, and access review capability. Once the CAS is instantiated on the container of users and resources, MDRCC provides a PDP via the container and administration of access policies for the users and resources via an intuitive GUI. The Attribute CA distributes (and revokes) attribute certificates (ACs) to both local and foreign domain users authorizing access to local domain resources. To jointly administer coalition resources, member domains establish a Joint Attribute Authority (JAA) that consists of an MDRCC module and a Joint Attribute CA (JACA), that is, an Attribute CA whose private key is shared among the member domains in a threshold manner [5]. As an example of a resource provider, coalition domains also establish local domain and coalition web servers that manage local and jointly administered applications (e.g., App O). The SGC component enables domains to communicate securely; e.g., to establish a CAS.

Policy Specification

MDRCC uses the RBAC access control model for policy specification. We chose the RBAC model for two reasons. First, it simplifies administration of access control for large systems by separating the assignment of resource privileges to roles and users to roles [6]. Second, it supports easy specification and verification of constraints; e.g., Separation of Duty, and obligation constraints [8, 9, 2]. Though there are several policy specification tools based on RBAC (e.g., [7, 19, 11]) we chose MDRCC because it has been implemented, supports constraint specification and verification, and has a policy visualization language as well as an intuitive GUI that allows domain administrators to have a common view of coalition operations and to administer those operations from the GUI (e.g., add/remove users from roles).

Common Access State Negotiation

We use MDRCC and the SGC tool for partial automation of the process of negotiating a CAS among member domain. Administrators use MDRCC's GUI to encode negotiation constraints that can be either global, in which case they are known and agreed upon by all member domains, or local, in which case the constraints may remain private to some member domains. Types of constraints include Separation-of-Duty policies and cardinality constraints. Each domain administrator then uses MDRCC's intuitive GUI to specify access policies of resources they are willing to share and provides a view of these resources to other member domains. Any domain administrator then composes a proposal of a CAS (again using MDRCC's GUI) and sends the proposal to the other member domains. On receiving this proposal, domain administrators can view it and verify that it satisfies both global and local domain constraints (local constraints are also encoded using MDRCC's GUI). Domain administrators either register their vote on a given proposal or propose alternative CAS. Once all domains agree on a given proposal it is committed in that all domain administrators use MDRCC to instantiate the negotiated CAS on the local system; i.e., abstract objects and permissions in the CAS are mapped to actual objects and permissions of target systems.

Several approaches (e.g., agent-based) that fully automate multi-party access policy negotiations have been proposed (e.g., [3]) but have not yet been fully implemented. Though we are exploring such approaches, for the current system we chose the partially automated approach with MDRCC because, in practice, domain administrators would need to get involved in the negotiation as they would be responsible for administering the coalition and MDRCC provides these administrators with an intuitive GUI for the negotiation and administration.

Policy Decision and Enforcement

When a resource provider gets an access request it needs to verify the request against a specified access policy. To do so, the resource provider sends a request to a PDP and obtains the policy decision. In our solution this PDP is provided by the container where MDRCC instantiates the negotiated CAS. (As we will see later, Windows Active Directory is the container in our implementation that allows resource providers to send Lightweight Directory Access Protocol(LDAP) queries for policy decisions). This approach is scalable and is employed by many large-scale distributed systems; e.g., the XACML specification for web services [20]. After the resource provider obtains the policy decision it must enforce it. In our system we use a web server as an example resource provider and after obtaining a policy decision from the PDP the web server enforces it by allowing or denying access to the requested web page.

Distribution and Revocation of Privileges

Once a CAS is negotiated and instantiated, access privileges sanctioned in the CAS need to be distributed and we use attribute certificates to do so. We assign role memberships in attribute certificates and use a Public Key Infrastructure (PKI) for distribution and revocation of attribute certificates. Coalition users send requests to domain Attribute CAs for attribute certificates that grant them privileges to access the domain's resources. These requests includes the users' identity certificates. Attribute CAs verify the validity of the identity certificate and send requests to the PDP to verify the user's certificate request; i.e., to verify that the user has been assigned to the requested role in the CAS. Based on the reply from the PDP, Attribute CAs issue the attribute certificates. When users send access requests to resource providers with their attribute certificates, the resource providers verify the validity of the attribute certificates and query the PDP to verify if the roles assigned in the attribute certificates have the necessary privileges to access the requested resources. To revoke privileges, Attribute CAs simply revoke the attribute certificates and resource providers will no longer be able to validate the attribute certificates accompanying the access requests.

In addition to sharing privately owned resources, coalition members also benefit from jointly administering certain resources. Examples of such resources include intelligence reports, purchase orders for equipment, and financial data. In some coalitions, jointly administered resources may include auditing applications that are used to ensure that all domains are adhering to predefined access policies. These resources are typically critical for the coalition objectives and, therefore, must remain with the coalition even after the departure of member domains. To ensure the continuity of access to jointly administered resources in the presence of coalition dynamics, member domains setup a JAA. Since joint administration is consensus-based it is important to ensure that no single domain should be able to unilaterally define and modify access policies of a jointly administered resources [16]. To achieve this, the JAA comprises a Joint Attribute CA whose private key is distributed among the member domains; i.e., it uses threshold cryptography with each domain maintaining a share of the private key and using that share for generating distributed signatures on attribute certificates [26]. The process of distributing and revoking privileges for jointly administered resources is similar to that for private resources except that signatures on the certificates are computed in a distributed manner with all domains participating to ensure consensus.

MDRCC is integrated with the domain Attribute CAs in each domain and with the Joint Attribute CA at the JAA to provide wholesale, selective distribution and revocation of attribute certificates. Administrators grant privileges to all users of a joining domain by just instantiating the CAS via MDRCC. MDRCC updates the container that acts as a PDP (w.r.t. certificate issuance) for the Attribute CA. Users of the joining domain can then request the Attribute CA (of the domain administering the shared resource) for attribute certificates before their first access to the resource and use the issued attribute certificate to access the resource there after. Whenever a user is issued an attribute certificate the Attribute CA registers it with its local MDRCC. Domain administrators can revoke all privileges of all users of a leaving domain just as easily as revoking the privileges of an individual user - with just a few clicks. When an administrator revokes user privileges via MDRCC's GUI, a request is sent to the local Attribute CA to revoke the respective attribute certificates. The Attribute CA revokes the attribute certificates and publishes a CRL.

Access Review

MDRCC uses the capabilities of the underlying RBAC language and a user-friendly GUI for access review and visualization. Domain administrators can (1) perform an access review along the desired lines (e.g., per-subject review, per-object review), and (2) verify the satisfaction of policies and constraints (e.g., Separation-of-Duty policies, obligation constraints) using MDRCC's interface. Also, once a policy is specified in MDRCC using the interface, MDRCC continuously monitors all future administrative actions for compliance.

Component Design and Implementation

Our tools are primarily implemented in Java and have been tested in Windows 2000 server environment. In this section we describe the implementation of the main components of our tools and the interaction between those components. In order for all the above components to inter-operate in a coalition environment, inter-domain trust relations must be established. For example, for MDRCC to verify signatures on CAS before instantiating it, MDRCC needs to have public-keys/certificates of the administrators and also trust them. These trust relations are set up manually before coalition set up using Windows Certificate Trust Lists that are easily composed and shared among the various components.

Multi-Domain Role Control Center (MDRCC)

MDRCC is a Java implementation of a Role-Based Access Control (RBAC) model [1] extended with general role hierarchies across multiple domains, static separation of duty and cardinality constraints, and advanced access review facilities. In MDRCC, each user or role is owned by a particular domain and the roles owned by a domain form a hierarchy based on the specified role inheritance relation. In each domain, the base of the role hierarchy is a special role called the domain base role. Users of any domain can be assigned to a role in a given domain. Roles are assigned abstract permissions to abstract objects. In addition, MDRCC includes data structures for (1) mapping selected portions of a role hierarchy within a domain to user accounts and groups on the domain controller, and (2) mapping the authorization information at the enterprise level (that is in terms of abstract objects and abstract permissions) to actual objects and permissions on the resources resident in various heterogeneous systems in the format required by native access control structures.

MDRCC is a three-tiered component that is made up of the following tiers: a Presentation Layer, an Application Logic Layer, and a Data Layer. The presentation layer comprises the MDRCC client(s), the application layer comprises the MDRCC server and MDRCC agents (resident in various target systems), and the data layer comprises the data repository. An MDRCC client provides a GUI for displaying the multi-domain RBAC model graph (or role graph), capturing user (Administrator) actions and sending them to the (remote) MDRCC server. The MDRCC server receives user (administrative) commands from the client, and executes them by accordingly updating the data layer. The MDRCC server is also responsible for mapping selected sub-graphs of the role graph (called views) to user accounts and groups on heterogeneous hosts (called also target systems), and for mapping abstract objects and role permissions to actual objects and permissions structures (e.g., ACLs) on those hosts. For these tasks, MDRCC uses agent software running on each host to create/delete groups and user accounts, and set up ACLs, according to commands received from the MDRCC server. The data layer consists of a directory service, which stores, retrieves, and protects the actual multi-domain RBAC data; i.e., the domain information, the user and role sets, the various relations, the abstract objects, and the mappings between multi-domain RBAC data and target system data. In our system, the Windows 2000 Active Directory provides the directory service; i.e., it is the data layer. The communication between MDRCC client and server is via SSL and is implemented using JSSE packages.

An MDRCC client not only provides visual access policy representation (see Figure 2) by displaying the role graph but also provides a very intuitive and user friendly GUI for administrative actions; e.g., creating roles, assigning permission to roles. For negotiating a CAS, domain administrators use an MDRCC client to build a role graph (a CAS proposal) from the known set of resources that domains are willing to share and export the role graph into a compact, machine readable access state file. Other domain administrators then import the proposed CAS file and visualize it. They can verify that the proposed CAS satisfies local permission-based constraints using MDRCC's constraint verification facilities, and then either vote upon it or propose a new CAS. MDRCC currently supports the specification and verification of Static Separation of Duty (SSD) and cardinality constraints [8].



Figure 2: General view of MDRCC and Attribute CA during coalition operation.

Once a CAS has been agreed upon all the administrators sign it with their private keys; i.e., to enforce agreement. The signed CAS is then imported into MDRCC at each domain and also at JAA. The CAS is then instantiated; i.e., abstract objects and permissions in the CAS are mapped to actual objects and permissions of target systems after verifying the signatures on the CAS.

Figure 2 shows a typical view of MDRCC's GUI and the Attribute CA GUI. MDRCC represents users and roles of the CAS as ovals of different colors, each color corresponding to a different domain. Roles are represented with solid ovals and users with solid ovals enclosed in an outer oval. Here we see two users from county C and a user from domain1 assigned to role "Manager". By right-clicking on any oval a drop-down menu is displayed which allows different operations for manipulating the MDRCC graph, setting and viewing role and user permissions, revoking user and viewing Separation-of-Duty constraints. Further options are available from the menu bar at the top which allow for changing the domain view, so that any domain can have a view of the entire CAS.

For access review administrators can perform either a per-subject review (reviewing all the permissions a subject has to all objects) or a per-object review (reviewing all users who have access permissions to a given object) with just a few clicks. For example, by right clicking on a user node in the graph and clicking "view permissions" in the drop down menu performs a per-subject review. Figure 3 shows how MDRCC allows for easy per-subject review of privileges. By left-clicking on the oval of a particular user, MDRCC displays all of the user's memberships to roles across all domains of the coalition. By right-clicking on each role and selecting view permission we can see the resources the user gets access to through that particular role and also the operations the user is allowed to perform on the resource. In some cases there is a need to view all of the user's accesses to coalition resources directly without viewing his role memberships, and MDRCC allows for viewing those accesses by right-clicking on the user name and selecting view permissions.

Figure 4 shows MDRCC's interface for viewing and defining static Separation-of-Duty (SSD) permissions. The upper left quarter shows a list of defined constraints. A constraint is defined by a role set and a threshold. In this case we have one constraint with a role set called ssd1 and a threshold of two. When a constraint is selected from the list, the roles that the role set of this constraint encompass are shown in the upper right quarter. The meaning of the constraint, ssd1:2, shown in the figure is the following: no more than two roles of the role set ssd1 can have a common user. In Figure 3 we can see that this constraint is violated as user J_Doe@domain3 belongs to more than two roles of the role set ssd1 and MDRCC shows an appropriate error message and does not proceed further until the conflict is resolved. On the lower right quarter of Figure 4 are the coalition roles, for selection when creating new constraints.



Figure 3: Per-subject review capability of MDRCC.

Certification Authorities

Our system comprises three different kinds of CAs namely, domain Attribute CA, Joint Attribute CA and domain Identity CA. We assume that every coalition member has an Identity CA prior to coalition formation and hence do not deal with it here. However, for our testing and experiments we configured the CA service in windows 2000 server environment to act as an identity CA for member domains.

Attribute CA. Each coalition member domain has an Attribute CA that issues attribute certificates to both local domain and foreign domain users authorizing access to local domain resources. Attribute CA is a three-tiered component comprising the following tiers: a Presentation Layer, an Application Logic Layer, and a Data Layer. The presentation layer comprises the Attribute CA console (GUI), the application logic layer comprises the CA logic, and the data layer consists of key stores, issued certificates, published Certificate Revocation Lists (CRLs) and persistent data structures. The Attribute CA console provides an interface for administrative actions (e.g., starting the CA, stopping the CA, generating new keys, viewing currently issued certificates, viewing revoked certificates) and is implemented using javax.Swing package. The Application Logic Layer deals with issuing certificates, revoking certificates, and generating keys and is implemented using the Bouncy Castle Crypto API [13] and Java JCE packages.

Joint Attribute CA. Joint Attribute CA resides at JAA and issues attribute certificates to coalition users authorizing them access to jointly administered resources. Similar to Attribute CA, Joint Attribute CA is a three-tiered tool that comprises a Presentation Layer, an Application Logic Layer, and a Data Layer. But unlike Attribute CA, which uses a standard RSA cryptosystem, Joint Attribute CA uses a shared-RSA cryptosystem [5] and hence its Application Logic Layer and Data Layer are distributed among the coalition member domains. (In shared public-key cryptosystems the public key is owned by multiple principals with each principal having a share of the corresponding private key. The shared private key is generated in a distributed manner by all the participating domains (principals) and each domain retains a share of the private key). These layers consist of (1) signature servers that reside in each domain for maintaining shares of the private key and signing certificates and CRLs and (2) a coordinator that resides at the JAA for coordinating the operations of the signature servers;



Figure 4: RCC's interface for specifying Separation-of-Duty constraints.

i.e., the signature operation is distributed and is performed by the signature servers but is composed into a valid RSA signature by the Joint Attribute CA coordinator (see Appendix A for details on the employed shared-cryptosystem). The application logic layer is implemented using the Bouncy Castle Crypto API [13] and the Yalta JCE provider [24], which implements Boneh and Franklin's shared-RSA cryptosystem [26] with signature servers that communicate over Java RMI. We augmented the signature servers with a policy module (i.e., to enable policy checking capabilities). The Attribute CA/Joint Attribute CA GUI in Figure 2 displays the issued and revoked attribute certificates issued to both local users (in case of Attribute CA) and users from other domains. It also has menu options that allow the operation of Attribute CA to be suspended and started as needed.

Certificate issuance for Attribute CA and Joint Attribute CA is provided via a web server. Users authenticate to the web server using their domain identity certificates and upload their certificate request files, which are PEM encoded PKCS 10 files. Users then download issued PEM encoded X.509 V3 certificates. Both Attribute CA and Joint Attribute CA check with local MDRCC (which acts as a PDP for certificate issuance) and register issued and revoked certificates with MDRCC. In Joint Attribute CA the signature servers are also capable of checking certificate requests with local MDRCC to ensure that they comply with the CAS. Communication between the CAs ( Attribute CA and Joint Attribute CA, both coordinator and signature servers) and MDRCC is via LDAP. When an administrator instantiates a negotiated CAS on the Active Directory, a PDP is automatically created that allows both Attribute CA and Joint Attribute CA to verify certificate requests providing wholesale distribution of privileges. If the instantiated CAS includes the departure of a domain then the administrator can revoke all users of that domain using the MDRCC client's GUI. This action results in the MDRCC Server sending a signed list of serial numbers (of certificates) that need to be revoked to the Attribute CA/Joint Attribute CA. Attribute CA/Joint Attribute CA process the request and publish a CRL on the web server, the URL for which is included in all certificates issued by the CAs. Attribute CA/Joint Attribute CA then register the revoked certificates with MDRCC via LDAP. Thus MDRCC and Attribute CA/Joint Attribute CA provide wholesale, selective distribution and revocation of privileges.

Figure 5 shows MDRCC's interface that allows for selective privilege revocation. Any domain (administrator) can selectively revoke the users from another domain (or all other) in a single operation. This figure in particular shows the MDRCC's ability for selective revocation where the privileges of users from another domain are revoked only for a specific role and not all roles in general.

Resource Server

In our implementation we use web pages as example resources and use the Windows IIS 5.0 web server as the resource server. To access web pages users submit attribute certificates to the web server, which checks the validity of the certificates by verifying the signature, checking the expiry time, and checking against the CRL for revocation information. After verifying the certificate (using the certificate verification functions built-in with IIS 5.0), the web server queries MDRCC (via LDAP) and grants or denies the request based on the authorization reply from MDRCC.

Secure Group Communication (SGC)

Secure group communication is needed in dynamic coalitions to aid administrators in negotiation during coalition set up and for smooth operation of the coalition after it is set up. Since the SGC requirement is not unique to dynamic coalitions we chose to use existing SGC tools. We use both Secure Spread [14] and Secure E-mail List Service [18]. The former provides secure, reliable multicast while the latter provides ease of use of e-mail in a secure manner.



Figure 5: MDRCC's interface for wholesale, selective revocation.

Shared-key generation (1024 bits) Exporting CAS Importing CAS Cert. Dist. by JACA Cert. Dist./ Revok. by domain ACAs Total time
Coalition set-up with 3 domains 41 minN/A11 min 14 min (500 certs) 3 * 6 min (3 * 500 certs) 84 min
Domain Join 46 min10 sec16 min 17.5 min 600 certs 4 * 2 min (4 * 125 certs) 88 min
Domain Leave N/A10 sec11 minN/A 3 * 2 min (3 * 125 certs) 17 min

Table 1: Experiments for Coalition Setup, Domain Join and Domain Leave.

Experimental Setup and Results

We set up experiments to measure the time taken for setting up a coalition of three domains and for domain join and leave events using our access control tools. Each domain in the experiment has ten applications that it shares with the coalition (private resources), ten roles that have permissions for the shared applications, and fifty users that get assigned to foreign domain roles and jointly administered roles for access to shared applications. Coalition members set up a JAA with ten jointly administered applications and ten roles with permissions for these applications. Coalition setup time is shown in Table 1 and includes time for importing a negotiated CAS (we do not include the time for negotiating a CAS as it is largely influenced by extra-technological decisions and actions), shared-key generation (since distributed shared-key generation is probabilistic the key generation times shown in the table are averaged generation times averaged over 10-15 runs), and certificate generation and distribution.

For coalition dynamics, we measured the time taken for a domain to join an existing coalition of three domains and for a domain to leave a coalition of four domains. The results are shown in Table 1. In case of domain departure we assume that the departing domain relinquishes its share of private key and hence there is no need to generate a new key. Note that this assumption only holds as long as the number of member domains that have left the coalition after the last key generation is not greater than floor(n/2) where n is number of domains in the coalition at the time of key generation. Otherwise the member domains that left the coalition can collude to compromise the private key [5]. A domain leave event with key generation takes about the same amount of time as a domain join event. As can been seen from the measured times coalition set up and dynamics take only few hours at most for moderate sized coalitions there by illustrating the scalability of our access control tools.

Lessons Learned

The tools were demonstrated at various DARPA Principal Investigator (PI) meetings and most recently at the Joint Warrior Interoperability Demonstrations (JWID) in June 2004 [12]. JWID is an annual Chairman of the Joint Chiefs of Staff event that enables U. S. Combatant Commands and the international community to investigate command and control, communications and computer (C4) solutions that focus on selected core objectives. JWID 2004 assessed capabilities and technologies that allow information sharing with Homeland Security and Homeland Defense partners. This particular demonstration experience gave us a lot of useful feedback on our tools. JWID 2004 was conducted in a simulated operational environment. Our goal was to train users to use our tools who, in turn, demonstrated the usability of the tools to military personnel.

Our training experiences can be summarized in the following four lessons. First, we could train users (who had little security knowledge) in a very short amount of time to use our tools because 1) the tools enable visual representation of the CAS and provide an intuitive GUI and 2) we had generated and provided the users with extensive documentation in the form of task guides that take the users through execution of common coalition administrative operations step by step with the aid of images and animations. Second, the lack of security knowledge combined with multiple windows/interfaces of our tools intimidated the users. The users were expecting one unified tool (interface) but in reality we have a set of tools that integrate functionally and have individual interfaces. Third, in spite of our best efforts to test the system prior to the demonstration we still over looked flaws that were (inadvertently) detected in user training. For example, we did not prevent against multiple instantiations of MDRCC and users started multiple instances of MDRCC leaving the data layer in unknown states. Fourth, though our set of tools demonstrated the functional capabilities expected of them by the evaluators at JWID 2004, they were not as effective as we would have liked largely because users of the tools need to be knowledgeable of the underlying technologies in order to use them effectively. Our efforts in making them user friendly and providing good documentation helped us to a certain extent but did not eliminate the necessity to educate the users about the underlying technologies.

Conclusions

We have developed tools for administering access control in dynamic coalitions. In particular, tools for negotiating resource-sharing agreements, access policy specification, access review, wholesale and selective distribution and revocation of privileges, and policy decision and enforcement. Our experiments demonstrate that these tools scale to handle reasonable size coalitions. Demonstrations of the tools at JWID 2004 provided an opportunity for user training and obtaining useful feedback. Though we demonstrated our tools in Windows environment they can easily be ported to other platforms. In the future, we plan to implement the tools over web services for platform independence and rapid prototyping of enhanced features and capabilities.

Acknowledgements

We would like to thank Adam Moskowitz and the anonymous reviewers for their helpful comments and suggestions. Part of the first and fourth authors' work was funded by the Office of Naval Research under contract N00014-04-1-0562. The second, third and fifth authors' work and part of the first and fourth authors' work was funded by the Defense Advanced Research Projects Agency and managed by the U. S. Air Force Research Laboratory under contract F30602-00-2-0510. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Office of Naval Research, Defense Advanced Research Projects Agency, U. S. Air Force research Laboratory or the United States Government.

Bibliography

[1] ANSI INCITS 359-2004, Information technology: Role based access control, 2004.
[2] Ahn, Gail-Joon and Ravi Sandhu, "Role-based authorization constraints specification," ACM Transactions of Information System Security, Vol. 3, Num. 4, pp. 207-226, 2000.
[3] Bharadwaj, Vijay G., and John S. Baras, "Towards automated negotiation of access control policies," POLICY '03: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, p. 111, IEEE Computer Society, Washington, DC, 2003.
[4] Blaze, Matt, Joan Feigenbaum, and Angelos D. Keromytis, "Keynote: Trust management for public-key infrastructures (position paper)," Proceedings of the 6th International Workshop on Security Protocols, pp. 59-63, Springer-Verlag, London, 1999.
[5] Boneh, Dan, and Matthew Franklin, "Efficient generation of shared RSA keys," Lecture Notes in Computer Science, Vol. 1294, 1997.
[6] Ferraiolo, David, Janet Cugini, and Richard Kuhn, "Role-based access control (rbac): Features and motivations," Proceedings of 11th Annual Computer Security Application Conference, pp. 241-248, Springer-Verlag, New Orleans, LA, 1995.
[7] Freudenthal, Eric, Tracy Pesin, Lawrence Port, Edward Keenan, and Vijay Karamcheti, "drbac: Distributed role-based access control for dynamic coalition environments," Proceedings of International Conference on Distributed Computing Systems, pp. 411-420, Vienna, Austria, 2002.
[8] Gligor, Virgil, Serban Gavrila, and David Ferraiolo, "On the formal definition of separation-of-duty policies and their composition," RSP: 19th IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, 1998.
[9] Gligor, Virgil D. and Serban I. Gavrila, "Application-oriented security policies and their composition (position paper)," Proceedings of the 6th International Workshop on Security Protocols, pp. 67-74, Springer-Verlag, London, UK, 1999.
[10] Gligor, Virgil D., Himanshu Khurana, Radostina K. Koleva, Vijay G. Bharadwaj, and John S. Baras, "On the negotiation of access control policies," Revised Papers from the 9th International Workshop on Security Protocols, pp. 188-201, Springer-Verlag, London, UK, 2002.
[11] Herzberg, Amir, Yosi Mass, Joris Michaeli, Yiftach Ravid, and Dalit Naor, "Access control meets public key infrastructure, or: Assigning roles to strangers," SP '00: Proceedings of the 2000 IEEE Symposium on Security and Privacy, p. 2, IEEE Computer Society, Washington, DC, 2000.
[12] https://www.cwid.js.mil/public/cwid05fr/START_HERE.html.
[13] https://www.bouncycastle.org/.
[14] https://www.cnds.jhu.edu/research/group/secure_spread/.
[15] Khurana, Himanshu, Serban Gavrila, Rakesh Bobba, Radostina Koleva, Anuja Sonalker, Emilian Dinu, Virgil Gligor, and John Baras, "Integrated security services for dynamic coalitions," An extended exposition abstract in Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX III), 2003.
[16] Khurana, Himanshu, Virgil Gligor, and John Linn, "Reasoning about joint administration of access policies for coalition resources," ICDCS '02: Proceedings of the 22nd International Conference on Distributed Computing Systems (ICDCS'02), p. 429, IEEE Computer Society, Washington, DC, 2002.
[17] Khurana, Himanshu and Virgil D. Gligor, "A model for access negotiations in dynamic coalitions," WETICE '04: Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'04), pp. 205-210, IEEE Computer Society, Washington, DC, 2004.
[18] Khurana, Himanshu, Adam Slagell, and Rafael Bonilla, "Sels: a secure e-mail list service," SAC '05: Proceedings of the 2005 ACM symposium on Applied computing, p. 306-313, ACM Press, New York, NY, 2005.
[19] Li, Ninghui, John C. Mitchell, and William H. Winsborough, "Design of a role-based trust-management framework," SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, p. 114, IEEE Computer Society, Washington, DC, 2002.
[20] Moses, Tim, "Core specification: extensible access control markup language (xacml) version 2.0," OASIS Specification Document, https://docs.oasis-open.org/xacml/access_control-xacml-2_0-core-spec-cd-04.pdf, 2004.
[21] Phillips, Charles E., Steven A. Demurjian, and T. C. Ting, "Information sharing and security in dynamic coalitions," Proceedings of IEEE Information Assurance Workshop, 2002.
[22] Phillips, Charles E., T. C. Ting, and Steven A. Demurjian, "Information sharing and security in dynamic coalitions," SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies, p. 87-96, ACM Press, New York, NY, 2002.
[23] Shands, Deborah, Richard Yee, Jay Jacobs, and E. John Sebes, "Secure virtual enclaves: Supporting coalition use of distributed application technologies," Proceedings of the Network and Distributed System Security Symposium (NDSS), 2000.
[24] Smith, T. J., G. T. Byrd, W. Xiaoyong, X. Hongjie, K. Thangavelu, R. Wang, and A. Shah, "Yalta: A dynamic pki and secure tuplespaces for distributed coalitions," Proceedings of 3rd DARPA Information Survivability Conference and Exposition, Washington, DC, 2003.
[25] Winslett, Marianne, Ting Yu, Kent E. Seamons, Adam Hess, Jared Jacobson, Ryan Jarvis, Bryan Smith, and Lina Yu, "Negotiating trust on the web," IEEE Internet Computing, Vol. 6, Num. 6, pp. 30-37, 2002.
[26] Wu, Thomas, Michael Malkin, and Dan Boneh, "Building intrusion tolerant applications," Proceedings of the 8th USENIX Security Symposium, pp. 79-91, Washington, DC, 1999.

Appendix A: Shared RSA Public-Key Cryptosystem

In this section we discuss the use of shared public key techniques for generation and distribution of attribute certificates granting access to jointly owned resources.

Shared RSA Public Key Generation Algorithm

Here we review some of the features of the shared RSA public-key generation algorithm of [5].The algorithm enables n domains to generate a modulus N = pq and exponents e and d. At the end of the computation all domains are convinced that N is the product of two primes, however none of them know the factorization of N. The public exponent e is made public while d is shared among the domains in a way that enables m-out-of-n threshold signature generation. That is, m domains are able to issue a certificate without reconstructing the key d. This also implies that an attacker who penetrates at most m-1 domains is unable to obtain any information about the private key. From the point of view of collusion the algorithm is (n-1)/2 private. That is, even if (n-1)/2 domains share the information they learn during the protocol, they will still not be able to recover the factorization of N or the private key d.

Joint Signatures with Distributed Private Key Shares

For joint administration of access policies, the public key KAA of Joint Attribute CA (see Figure 1) is generated using the shared key generation algorithm resulting in private key shares that are distributed among all member domains (i.e., a n-of-n threshold sharing of the private key KAA-1). Once the public-key KAA has been generated, all domains must apply a joint signature algorithm with their private key shares in order to sign attribute certificates with the private key KAA-1. The joint signature algorithm involves the Joint Attribute CA coordinator sending a message (the attribute certificate) to all the signature servers (co-signers) with the message M to be signed and a key ID comprising the hash of N and the public exponent e. Each of the co-signers then apply their corresponding private key shares di to compute Si = Mdi mod N and send the computations back to the coordinator. The coordinator then computes the message signature KAA-1 is shared in a t-of-n manner among the member domains. The algorithm is similar to the case above except that when the coordinator only needs computations from t servers and can compute the message signature

Appendix B: List of Acronyms

This appendix contains a list of acronyms used in the paper. ACA Attribute Certificate Authority ACL(s) Access Control List(s) CA(s) Certificate Authority(ies) CAS Common Access State CRL(s) Certification Revocation List(s) GUI Graphical User Interface IIS Internet Information Service JAA Joint Attribute Authority JACA Joint Attribute Certificate Authority LDAP Lightweight Directory Access Protocol MDRCC Multi-Domain Role Control Center PDP Policy Decision Point PKI Public Key Infrastructure RBAC Role-Based Access Control SGC Secure Group Communication


Footnotes:
Note 1: Author names listed in alphabetical order.
Note 2: Appendix B lists acronyms used in this paper.
Note 3: The initial version of MDRCC, called RCC, provided RBAC policy administration for an individual domain and was implemented in Visual Basic.
?Need help?


Last changed: 11 Nov. 2005 jel