Security and Trust Management Extensions to the PERMIS X.509 Privilege Management Infrastructure
by David Chadwick
Authorization in virtual organizations (VOs) and multi-organization federations is difficult to set up and manage. A pan-VO role- or attribute-based access control infrastructure can ease the burden, provided that the trust relationships between the various entities can be managed safely. This is the problem domain that the PERMIS authorization system (www.openpermis.org) has been addressing for several years. Currently, three research projects are adding significant new capabilities to it, in the form of dynamic delegation of authority, separation of duties, and reputation management of the participants.
The PERMIS Trust Model
The resource (target) owner is the authorization root of trust for all resources under his/her control; in an X.509 Privilege Management Infrastructure (PMI) this entity is termed the Source of Authority (SOA). The SOA writes his/her policy and stores it in a digitally signed policy attribute certificate (AC). When the PERMIS authorization engine is initialized, it is given the distinguished name of the SOA and the location of the LDAP directory holding the SOA's policy. PERMIS reads the policy AC from the SOA's LDAP entry and checks its signature. PERMIS can then be assured that it holds the correct policy and that it has not been tampered with. Note that this check is only as strong as the binding between the SOA's name and the key used to verify the signature: that key must itself be trusted, not merely fetched from the same directory as the policy.
The SOA's policy, which follows the classical Role Based Access Control (RBAC) model, comprises two parts:
- a Role Assignment Policy (RAP), which specifies who is trusted to assign which roles (in the form of X.509 role ACs) to which groups of users;
- a Target Access Policy (TAP), which specifies which roles are needed to access which target resources under which conditions.
The RAP provides static delegation of authority: the SOA names one or more (possibly remotely located) managers who are trusted to assign roles. Because the names of these managers are carried inside the digitally signed policy AC, they cannot be altered without detection; PERMIS can therefore trust them to assign X.509 role ACs to groups of users. Any role AC that PERMIS is passed, or retrieves itself, during getcreds and that does not conform to the RAP is simply discarded. In this way the SOA can be assured that his/her delegation policy is rigorously enforced by PERMIS.
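The following is an added example, not PERMIS code, that models the trust chain just described in Python: the SOA signs a policy, getcreds keeps only the role ACs that the RAP permits and discards the rest, and decision evaluates the TAP. Every DN, role, target, condition and key here is constructed for illustration, and an HMAC over a canonical encoding of the policy stands in for the X.509 signature on the policy AC.

```python
# Added example (not PERMIS code): toy model of the PERMIS trust model.
# All DNs, roles, targets and the signing key are constructed.
import hashlib
import hmac
import json
from dataclasses import dataclass

SOA_DN = "cn=SOA,o=Kent,c=GB"
SOA_KEY = b"example-only-soa-key"  # stand-in for the SOA's X.509 signing key


def canonical(policy: dict) -> bytes:
    """Deterministic encoding so the signature covers exactly one byte string."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(policy: dict, key: bytes) -> str:
    # HMAC-SHA256 stands in for the X.509 signature on the policy AC.
    return hmac.new(key, canonical(policy), hashlib.sha256).hexdigest()


def verify_policy(policy: dict, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_policy(policy, key), sig)


# Constructed policy. RAP: which manager may assign which roles to holders in
# which subject domain. TAP: which role may do which actions on which target.
POLICY = {
    "soa": SOA_DN,
    "rap": [
        {"issuer": "cn=Manager,ou=Physics,o=Kent,c=GB",
         "roles": ["researcher", "student"], "domain": "ou=Physics,o=Kent,c=GB"},
        {"issuer": "cn=Manager,ou=NeSC,o=Glasgow,c=GB",
         "roles": ["researcher"], "domain": "ou=NeSC,o=Glasgow,c=GB"},
    ],
    "tap": [
        {"role": "researcher", "target": "cluster", "actions": ["submit", "read"],
         "max_cpu_hours": 100},
        {"role": "student", "target": "cluster", "actions": ["read"]},
    ],
}
POLICY_SIG = sign_policy(POLICY, SOA_KEY)


@dataclass(frozen=True)
class RoleAC:
    issuer: str
    holder: str
    role: str


def in_domain(dn: str, domain: str) -> bool:
    return dn.endswith("," + domain)


def getcreds(holder: str, acs: list, policy: dict, sig: str, key: bytes) -> set:
    """Roles of `holder` backed by ACs the RAP trusts; all other ACs are discarded."""
    if not verify_policy(policy, sig, key):
        raise ValueError("policy signature invalid: refusing to authorize")
    roles = set()
    for ac in acs:
        if ac.holder != holder:
            continue
        for rule in policy["rap"]:
            if (ac.issuer == rule["issuer"] and ac.role in rule["roles"]
                    and in_domain(ac.holder, rule["domain"])):
                roles.add(ac.role)
                break
    return roles


def decision(roles: set, target: str, action: str, env: dict, policy: dict) -> bool:
    """TAP evaluation: grant if any trusted role permits the action under its conditions."""
    for rule in policy["tap"]:
        if rule["role"] not in roles or rule["target"] != target:
            continue
        if action not in rule["actions"]:
            continue
        if "max_cpu_hours" in rule and env.get("cpu_hours", 0) > rule["max_cpu_hours"]:
            continue
        return True
    return False


# Constructed role ACs: one valid, three that violate the RAP in different ways.
ACS = [
    RoleAC("cn=Manager,ou=Physics,o=Kent,c=GB", "cn=Alice,ou=Physics,o=Kent,c=GB", "researcher"),
    RoleAC("cn=Mallory,ou=Physics,o=Kent,c=GB", "cn=Bob,ou=Physics,o=Kent,c=GB", "researcher"),   # issuer not in RAP
    RoleAC("cn=Manager,ou=NeSC,o=Glasgow,c=GB", "cn=Carol,ou=NeSC,o=Glasgow,c=GB", "student"),    # role not entrusted to this manager
    RoleAC("cn=Manager,ou=Physics,o=Kent,c=GB", "cn=Dave,ou=NeSC,o=Glasgow,c=GB", "researcher"),  # holder outside manager's domain
]


def authorize(holder: str, target: str, action: str, env: dict) -> bool:
    roles = getcreds(holder, ACS, POLICY, POLICY_SIG, SOA_KEY)
    return decision(roles, target, action, env, POLICY)


if __name__ == "__main__":
    print(authorize("cn=Alice,ou=Physics,o=Kent,c=GB", "cluster", "submit", {"cpu_hours": 50}))
    print(authorize("cn=Bob,ou=Physics,o=Kent,c=GB", "cluster", "read", {}))
```

The point to notice is that Bob, Carol and Dave each hold a syntactically valid role AC, yet none of those ACs survives getcreds: the RAP, not the AC, decides which issuers are trusted for which roles and which subjects. A tampered policy is rejected before any credential is considered.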
Current Research Projects
DyVOSE, run jointly with the e-Science centre at the University of Glasgow, is adding dynamic delegation of authority to PERMIS. This feature will allow the SOA to indicate whether he/she trusts remote managers to further delegate their roles dynamically to other users in the same domain as themselves. Dynamic delegation of authority is supported in the X.509 PMI model through an appropriate certificate extension, and the SOA can set an integer in his/her PERMIS policy to indicate the length of delegation chain that can be trusted. Once this is fully implemented, the SOA will no longer need to add the names of further trusted managers to his/her RAP, as is currently the case. Instead, as long as such a manager has a valid delegation path back to a manager named in the PERMIS policy, any ACs he/she issues will be trusted.
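As an added example, not DyVOSE or PERMIS code, the chain check below shows how a role AC issued by a manager who is not named in the RAP can still be trusted: each link must be issued by someone who holds the same role through a delegable AC, must stay inside the issuer's domain, and the whole chain must reach a RAP manager within the depth the SOA configured. The names, the RAP contents and the depth value are constructed; the `can_delegate` flag stands in for the X.509 AC extension that marks an AC as delegable, and the depth is counted as delegation hops below the manager's direct assignment.

```python
# Added example (not DyVOSE/PERMIS code): validating a dynamic delegation chain
# of role ACs back to a manager named in the SOA's RAP. All names constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAC:
    issuer: str
    holder: str
    role: str
    can_delegate: bool = False  # may the holder issue this role onward?


# Constructed RAP: the managers the SOA trusts directly, with role and domain.
RAP = {
    "cn=Manager,ou=Physics,o=Kent,c=GB": {
        "roles": {"researcher"}, "domain": "ou=Physics,o=Kent,c=GB"},
}
MAX_DELEGATION_DEPTH = 2  # the integer the SOA sets in the PERMIS policy


def domain_of(dn: str) -> str:
    return dn.split(",", 1)[1]


def in_domain(dn: str, domain: str) -> bool:
    return dn.endswith("," + domain)


def validate_chain(ac, acs, rap, max_depth, depth=0, seen=frozenset()):
    """True if `ac` was issued by a RAP manager, or by someone who holds the same
    role through a delegable AC that itself validates, within `max_depth` hops
    and without leaving the issuer's domain."""
    if ac in seen:                     # a cycle of ACs can never reach a manager
        return False
    rule = rap.get(ac.issuer)
    if rule and ac.role in rule["roles"] and in_domain(ac.holder, rule["domain"]):
        return True                    # root of the chain: a manager named in the RAP
    if depth >= max_depth:
        return False                   # longer than the SOA is willing to trust
    if domain_of(ac.holder) != domain_of(ac.issuer):
        return False                   # delegation only within the delegator's domain
    return any(
        validate_chain(parent, acs, rap, max_depth, depth + 1, seen | {ac})
        for parent in acs
        if parent.holder == ac.issuer and parent.role == ac.role and parent.can_delegate
    )


MGR = "cn=Manager,ou=Physics,o=Kent,c=GB"
ALICE, BOB = "cn=Alice,ou=Physics,o=Kent,c=GB", "cn=Bob,ou=Physics,o=Kent,c=GB"
CAROL, DAVE = "cn=Carol,ou=Physics,o=Kent,c=GB", "cn=Dave,ou=Physics,o=Kent,c=GB"
EVE = "cn=Eve,ou=NeSC,o=Glasgow,c=GB"
X, Y = "cn=X,ou=Physics,o=Kent,c=GB", "cn=Y,ou=Physics,o=Kent,c=GB"

# Constructed ACs: manager -> Alice -> Bob -> Carol -> Dave, a cross-domain
# delegation from Alice to Eve, and a two-AC cycle with no root.
ACS = [
    RoleAC(MGR, ALICE, "researcher", can_delegate=True),
    RoleAC(ALICE, BOB, "researcher", can_delegate=True),
    RoleAC(BOB, CAROL, "researcher", can_delegate=True),
    RoleAC(CAROL, DAVE, "researcher"),
    RoleAC(ALICE, EVE, "researcher"),
    RoleAC(X, Y, "researcher", can_delegate=True),
    RoleAC(Y, X, "researcher", can_delegate=True),
]


def trusted_roles(holder: str) -> set:
    """What getcreds would return for `holder` once delegation chains are honoured."""
    return {ac.role for ac in ACS
            if ac.holder == holder and validate_chain(ac, ACS, RAP, MAX_DELEGATION_DEPTH)}


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE, EVE, X):
        print(who.split(",")[0], trusted_roles(who))
```

With the depth set to 2, Alice, Bob and Carol are trusted and Dave is not; raising the SOA's integer to 3 admits Dave's chain without any change to the RAP, which is exactly the administrative saving the project is after. The domain check is what stops Alice from delegating across to Glasgow, and the cycle guard is defensive only, since the depth limit would also stop it.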
DyCom is combining PERMIS with GRASP to create a fine-grained access control infrastructure for Grids, and is also adding separation of duties to the PERMIS trust model. Separation of duties ensures that a user who holds mutually exclusive roles is not allowed to perform conflicting tasks. This requires PERMIS to keep a record of past and present authorized actions, so that future conflicting ones can be denied. As an offshoot of this project, we have developed a secure audit Web service (SAWS) as a general-purpose audit tool.
As part of the EC TrustCoM integrated project, we have built a reputation management system capable of recording the reputations of users (in the manner of eBay, for example). The next step is to link this to the PERMIS decision engine so that access control decisions can be based on the current reputation of a user (which is related to his/her trustworthiness). Currently users are either trusted or not to access a target resource, based on their X.509 ACs. Once reputations are included in the decision-making, however, users' permissions may be withdrawn if their reputation drops below a certain value. In addition, the TrustCoM project is defining standard protocols for credential validation (i.e. calls to getcreds) and for making policy decisions (i.e. calls to decision). It is likely that WS-Trust and XACML respectively will be used for these. PERMIS will be enhanced to support these protocols once they have been finalized by the consortium.
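The following added example, which is not DyCom, TrustCoM or PERMIS code, shows both of the decision-time extensions described in the two preceding paragraphs layered onto a role-based decision: a history of authorized actions is consulted so that a user who holds two mutually exclusive roles cannot exercise both on the same object, and a reputation threshold withdraws permissions when a user's score falls too low. The conflicting role pairs, the 0 to 1 reputation scale and its threshold, the users and the purchase-order objects are all constructed.

```python
# Added example (not DyCom/TrustCoM/PERMIS code): dynamic separation of duties
# from an action history, plus a reputation threshold, in the decision step.
from dataclasses import dataclass, field

# Constructed: roles that one user must not exercise both of on the same object.
CONFLICTING_ROLES = {frozenset({"requester", "approver"}),
                     frozenset({"approver", "auditor"})}
MIN_REPUTATION = 0.6  # constructed threshold on a 0..1 scale


@dataclass(frozen=True)
class AuditRecord:
    user: str
    role: str
    action: str
    obj: str


@dataclass
class DecisionEngine:
    # In PERMIS the history would live in a tamper-evident audit store such as
    # SAWS; here it is an in-memory list so the example runs stand-alone.
    history: list = field(default_factory=list)
    reputation: dict = field(default_factory=dict)

    def conflicts(self, user: str, role: str, obj: str) -> list:
        """Earlier authorized actions by `user` on `obj` in a role that conflicts with `role`."""
        return [r for r in self.history
                if r.user == user and r.obj == obj
                and frozenset({r.role, role}) in CONFLICTING_ROLES]

    def decision(self, user: str, roles: set, role: str, action: str, obj: str):
        """Return (granted, reason). `roles` is what getcreds returned for the
        user; `role` is the one being exercised for this particular action."""
        if role not in roles:
            return False, "role not held"
        if self.reputation.get(user, 0.0) < MIN_REPUTATION:
            return False, "reputation below threshold"
        prior = self.conflicts(user, role, obj)
        if prior:
            return False, f"separation of duties: already acted as {prior[0].role} on {obj}"
        # Record the authorized action so that later conflicting ones are denied.
        self.history.append(AuditRecord(user, role, action, obj))
        return True, "granted"


def run_scenario() -> list:
    """Constructed walk-through; returns the sequence of grant/deny outcomes."""
    engine = DecisionEngine(reputation={"alice": 0.9, "bob": 0.8})
    alice_roles = {"requester", "approver"}  # holding both is fine; using both on one PO is not
    bob_roles = {"approver"}
    outcomes = [
        engine.decision("alice", alice_roles, "requester", "raise", "PO-1")[0],
        engine.decision("alice", alice_roles, "approver", "approve", "PO-1")[0],
        engine.decision("bob", bob_roles, "approver", "approve", "PO-1")[0],
        engine.decision("alice", alice_roles, "approver", "approve", "PO-2")[0],
    ]
    engine.reputation["bob"] = 0.2  # bob's reputation drops below the threshold
    outcomes.append(engine.decision("bob", bob_roles, "approver", "approve", "PO-3")[0])
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

Two design points are worth drawing out. This is dynamic separation of duties: Alice may legitimately hold both roles, and is only stopped from approving the purchase order she raised, so the history, not the credential set, is what makes the decision. And because the history is security-critical (dropping a record re-enables the conflicting action), it belongs in an integrity-protected store, which is the motivation for a service like SAWS rather than a plain log file.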
David W. Chadwick, University of Kent, UK
Tel: +44 1227 82 3221
Richard Sinnott (for DyVOSE), University of Kent, UK
Damian Mac Randal (for DyCom), CCLRC, UK
Theo Dimitrakos (for TrustCoM), BT, UK