© 2009 IBM Corporation
Credential-based access control extensions to XACML
Gregory Neven, IBM Research – Zurich
W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg
Jan Camenisch, Sebastian Mödersheim, Gregory Neven, Franz-Stefan Preiss, Dieter Sommer
Application identity management
[Diagram: Enterprise A]
Enterprise identity management
[Diagram: Enterprise A, Enterprise B]
Federated identity management
[Diagram: Enterprise A, Enterprise B, and an IDP, connected by a static mapping]
Collaborative identity management
[Diagram: Enterprise A, Enterprise B, and several IDPs]
Trends in identity management
[Chart: the four identity-management models on two axes. Horizontal axis "Degree of Interconnectivity", from Less Externally Connected to More Externally Connected; vertical axis from Static to Dynamic. The models are placed in the order Application Identity Management, Enterprise Identity Management, Federated Identity Management, Collaborative Identity Management, moving towards the more externally connected, more dynamic corner.]
Trends in Identity Management
[Same chart, now with concrete technologies placed on it: Proprietary user DB, Internal LDAP, Kerberos tickets, X.509 certificates, SAML, Public LDAP, OpenID, eID smartcards, RFID, Idemix, U-Prove. The chart is then shown once more with these technologies grouped under the label "Credentials".]
Credentials
- Credential: list of attribute values, certified by issuer
- Attributes describe the user's identity (e.g., identity card), the user's rights (e.g., credit card, concert ticket) or both (e.g., driver's license)
- Example technologies: X.509, SAML, CardSpace, OpenID, Kerberos, LDAP, Idemix, U-Prove, ...
- Possible additional features:
  - attribute authentication
  - proof of ownership
  - (selectively) reveal attributes
  - prove condition on attributes
  - (selectively) reveal attributes to third parties
  - sign statements
  - limited spending
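The slide lists "attribute authentication" and "(selectively) reveal attributes" as credential features without saying how a credential can support both at once. The following is an added example, not code from the talk and not Idemix or U-Prove: a credential in which the issuer certifies salted hash commitments to the attributes, so the holder can later open only some of them. The construction, the HMAC standing in for an issuer signature (so the verifier here must hold the issuer key, which a public-key signature would avoid) and the sample attribute values are assumptions made for this sketch.

```python
"""Added example (not from the talk, nor Idemix/U-Prove code): a credential
whose attributes can be selectively revealed while the issuer's certification
still verifies.

Construction (assumption for this sketch): every attribute is committed as
SHA-256(salt || name || 0x00 || value); the issuer signs the list of
commitments. An HMAC under an issuer key stands in for a real signature so
the example has no dependencies. The holder reveals (salt, value) only for
chosen attributes; hidden ones stay as opaque hashes. Proving a *condition*
on a hidden attribute (age > 18) without revealing it needs zero-knowledge
techniques that this sketch does not provide.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Set


def _commit(salt: bytes, name: str, value: str) -> str:
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def issue(issuer_key: bytes, cred_type: str, attributes: Dict[str, str]) -> dict:
    """Issuer: commit to each attribute with a fresh salt and sign the commitments."""
    salts = {n: os.urandom(16) for n in attributes}
    commitments = {n: _commit(salts[n], n, v) for n, v in attributes.items()}
    body = json.dumps({"type": cred_type, "commitments": commitments}, sort_keys=True).encode()
    sig = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    # The holder keeps salts and clear values privately; body + sig are the signed part.
    return {"body": body, "sig": sig, "salts": salts, "attributes": attributes}


def present(cred: dict, reveal: Set[str]) -> dict:
    """Holder: disclose (salt, value) only for the attributes in `reveal`."""
    return {
        "body": cred["body"],
        "sig": cred["sig"],
        "disclosed": {n: (cred["salts"][n].hex(), cred["attributes"][n]) for n in reveal},
    }


def verify(issuer_key: bytes, presentation: dict, expected_type: str) -> Optional[Dict[str, str]]:
    """Verifier: check issuer signature, credential type and each disclosed opening.
    Returns the verified attribute values, or None if anything fails."""
    body = presentation["body"]
    expected_sig = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, presentation["sig"]):
        return None
    meta = json.loads(body)
    if meta.get("type") != expected_type:
        return None
    verified: Dict[str, str] = {}
    for name, (salt_hex, value) in presentation["disclosed"].items():
        if meta["commitments"].get(name) != _commit(bytes.fromhex(salt_hex), name, value):
            return None
        verified[name] = value
    return verified


if __name__ == "__main__":
    key = b"issuer-secret"          # constructed issuer key (assumption)
    passport = issue(key, "Passport", {"name": "Alice Doe", "dateOfBirth": "1985-03-02"})
    shown = present(passport, {"name"})   # birth date stays hidden
    print(verify(key, shown, "Passport"))
```

The per-attribute salt is what makes a hidden attribute unguessable from its commitment; without it a verifier could brute-force low-entropy values such as a birth date.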
Language requirements
- Reference to individual credentials: (attribute-id, issuer) doesn't suffice
  - Credential types, e.g. reveal name as on govt-issued passport, not ID card; extensible OWL ontology of attributes and credential types
  - Credential mixing, e.g. reveal number, expiration from the same credit card
  - Cross-credential conditions, e.g. passport.name = creditcard.name
- Distinguish between "reveal attribute" and "prove that condition holds", e.g. reveal birth date vs. age > 18
- Provisional actions: sign statements, reveal to 3rd party, limited spending
Example policy
own p::Passport issued-by USAgov
own r::ResidencePermit issued-by ChicagoTownhall
own c::CreditCard issued-by Visa, Amex
reveal c.number, c.expirationDate under 'purpose=payment'
reveal r.address to ShippingCo under 'purpose=shipping'
sign 'I agree with the general terms and conditions.'
where p.dateOfBirth ≤ dateMinusYears(today(), 21) ∧
      c.expirationDate > today()
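To make the language requirements of the previous slide and this example policy concrete, here is an added toy evaluator; it is not the authors' implementation and not XACML. It binds each `own` variable to a credential of the right type and issuer from the user's wallet, tries the combinations so that credential mixing (number and expiration from the same card) and cross-credential conditions work, checks the `where` conditions, and reports only what the policy says to reveal, prove or sign. The wallet contents, the fixed `today()` and the attribute values are constructed assumptions.

```python
"""Added example: a toy evaluator for the credential-based policy on this slide.
Not the authors' code and not XACML. Credentials are plain dicts (type, issuer,
attrs); the sample wallet and the fixed TODAY are assumptions for determinism.
"""
from datetime import date
from itertools import product
from typing import Dict, List, Optional

Credential = Dict[str, object]


def today() -> date:
    return date(2009, 11, 18)   # fixed (assumption) so the run is deterministic


def date_minus_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:          # 29 Feb in a non-leap target year
        return d.replace(year=d.year - years, day=28)


POLICY = {
    # own <var>::<Type> issued-by <issuers>
    "own": {"p": ("Passport", {"USAgov"}),
            "r": ("ResidencePermit", {"ChicagoTownhall"}),
            "c": ("CreditCard", {"Visa", "Amex"})},
    # reveal <var>.<attr> [to <party>] under '<purpose>'
    "reveal": [("c", "number", None, "purpose=payment"),
               ("c", "expirationDate", None, "purpose=payment"),
               ("r", "address", "ShippingCo", "purpose=shipping")],
    "sign": ["I agree with the general terms and conditions."],
    # where: conditions are proved; the attributes they use are not revealed
    "where": [("p.dateOfBirth <= dateMinusYears(today(), 21)",
               lambda b: b["p"]["attrs"]["dateOfBirth"] <= date_minus_years(today(), 21)),
              ("c.expirationDate > today()",
               lambda b: b["c"]["attrs"]["expirationDate"] > today())],
}

WALLET: List[Credential] = [   # constructed sample wallet (assumption)
    {"type": "Passport", "issuer": "USAgov",
     "attrs": {"name": "Alice Doe", "dateOfBirth": date(1985, 3, 2)}},
    {"type": "ResidencePermit", "issuer": "ChicagoTownhall",
     "attrs": {"name": "Alice Doe", "address": "12 Lake St, Chicago"}},
    {"type": "CreditCard", "issuer": "Visa",        # expired: must not be chosen
     "attrs": {"name": "Alice Doe", "number": "4111 1111 1111 1111",
               "expirationDate": date(2008, 12, 31)}},
    {"type": "CreditCard", "issuer": "Amex",
     "attrs": {"name": "Alice Doe", "number": "3782 822463 10005",
               "expirationDate": date(2011, 6, 30)}},
]


def candidates(wallet: List[Credential], cred_type: str, issuers: set) -> List[Credential]:
    """Credentials matching an 'own' declaration: same type, issuer in the allowed set."""
    return [c for c in wallet if c["type"] == cred_type and c["issuer"] in issuers]


def evaluate(policy: dict, wallet: List[Credential]) -> Optional[dict]:
    """Find a binding of policy variables to wallet credentials satisfying every
    'where' condition. Returns what the user would disclose, or None if the
    policy cannot be satisfied with this wallet."""
    names = list(policy["own"])
    pools = [candidates(wallet, *policy["own"][n]) for n in names]
    if any(not pool for pool in pools):
        return None
    for combo in product(*pools):          # try every way of picking one credential per variable
        b = dict(zip(names, combo))
        if all(pred(b) for _, pred in policy["where"]):
            return {
                "bound": {n: (c["type"], c["issuer"]) for n, c in b.items()},
                "reveal": [(f"{v}.{a}", b[v]["attrs"][a], to, purpose)
                           for v, a, to, purpose in policy["reveal"]],
                "prove": [desc for desc, _ in policy["where"]],
                "sign": list(policy["sign"]),
            }
    return None


if __name__ == "__main__":
    print(evaluate(POLICY, WALLET))
```

The result names the credential chosen for each variable (the expired Visa card is skipped in favour of the Amex one), lists the revealed attributes with recipient and purpose, and lists the age and expiry conditions as things to prove rather than values to disclose; the birth date never appears in the output.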
Embedding into XACML
Embedding into SAML
- New SAML statement types to carry
  - conditions on attributes using <xacml:Condition>
  - provisional actions
- Extend SAML assertion authentication to any type of proof token, e.g.
  - <ds:Signature>
  - LDAP server/password
  - Idemix proof
  - ...
Summary
- Credential-based access control
  - attributes grouped in credentials
  - show multiple credentials simultaneously
  - technology independence
- Privacy enhancements
  - reveal attributes vs. prove condition
  - support anonymous credentials
- Embedded into XACML & SAML