Trust Management II
description
Transcript of Trust Management II
![Page 1: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/1.jpg)
Trust Management II
Anupam DattaFall 2007-08
18739A: Foundations of Security and Privacy
![Page 2: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/2.jpg)
2
Logistics Please plan to meet with me over this
week to discuss project progress and issues Office hours Friday 2-3:30PM
![Page 3: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/3.jpg)
3
Overview Last lecture
Overview of Trust Management [BFL96] RT syntax and examples [LMW02]
Today Translating RT into datalog; algorithmic
results [LMW02] Distributed credential chain discovery
[LWM01]
![Page 4: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/4.jpg)
4
Translating RT1 to Datalog Type I:
A.R D to isMember(D, A.R)
Type II: A.R B.R1 to isMember(?z, A.R) isMember(?z, B.R1)
Type III: A.R A.R1.R2 to isMember(?z, A.R) isMember(?x, A.R1), isMember(?z,?
x.R2) Type IV:
A.R B1.R1 B2.R2 … Bn.Rn to isMember(?z, A.R) isMember(?z, B.R1),…, isMember(?
z,B.Rn)
![Page 5: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/5.jpg)
5
Translation (2) isMember(?z, A.r(h1,…,hn)) to member(A, r, h1,…, hn, ?z)
Trans(C): Datalog program resulting from translation of RT1 credentials C
Implications of C: Set of membership relations implied by C
![Page 6: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/6.jpg)
6
RT1 is tractable
Theorem: Given a set C of RT1 credentials, the implications of C can be computed in time O(MNv+2), where Each credential of C has at most v variables Each role name has at most p arguments N0 is the number of credentials in C N = max(N0, pN0) M is the size of C
A.r f1fk has size k, other credentials have size 1
![Page 7: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/7.jpg)
7
Example RT Credentials
A.Ri A.Ri+1 for i=1,…,K-1 A.RK Alice, A.RK Bob
Translation1. isMember(?z, A. Ri) isMember(?z, A.Ri+1) for i=1,…,K-1
2. isMember(Alice, A.RK), isMember(Bob, A.RK)
Start from ground facts; repeatedly apply rule 1 to infer implications in time O((K+1)*2)
p = 0, v = 0, N0 = K + 1, N =K+1, M = K + 1 O(MNv+2) = O((K+1)*(K+1)2) Translation only introduces only one dummy variable
because no linked roles, so (v+1) instead of (v+2)
![Page 8: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/8.jpg)
8
Summary Similar translations into Datalog and
tractability results for other languages in the RT family
This is an advantage of RT over other formalisms for distributed access control, e.g. Lampson et al logic (for which the implication problem is undecidable)
![Page 9: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/9.jpg)
9
Overview Last lecture
Overview of Trust Management [BFL96] RT syntax and examples [LMW02]
Today Translating RT into datalog; algorithmic
results [LMW02] Distributed credential chain discovery
[LWM01]
![Page 10: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/10.jpg)
10
Goal-directed Chain Discovery
Three kinds of queries and algorithms for answering them in RT0:1. Given A.r, determines its members
– The backward search algorithm
2. Given D, determines the set of roles that D is a member of– The forward search algorithm
3. Given A.r and D, determines whether D is a member of A.r– The Bi-direction search algorithm
![Page 11: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/11.jpg)
11
Why Develop These Algorithms?
The queries can be answered using logic programs however, this requires collection of all
credentials in the system The backward algorithm is a goal-directed
top-down algorithm The forward algorithm is a goal-directed
bottom-up algorithm Distributed discovery requires combination
of both
![Page 12: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/12.jpg)
12
Credential Graph GC
Nodes: A.r and e for each credential A.r e in C
Credential edges: e A.r for each credential A.r e in C
Summary edges: B.r2 A.r1.r2 if there is a path from B to A.r1
D A1.r1 … Ak.rk if there are paths from D to each Aj.rj
Reachability in the credential graph is sound and complete wrt. the set-theoretic semantics of RT0
![Page 13: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/13.jpg)
13
An Example Credential Graph
StateU.stuID
EPub.university
ABU.accredited
StateU
Alice
ACM.member
EOrg.preferredEPub.university.stuID
EPub.studentEPub.spdiscount
EPub.student EOrg.preferred
Credential
Summary
Key
![Page 14: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/14.jpg)
14
The Backward Search Algorithm (Overview)
Goal: Given A.r, determines its members
The backward algorithm : each node stores outgoing edges each node stores entities that can reach it new edges are created in the reverse
direction solutions are propagated forward
![Page 15: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/15.jpg)
15
Backward Search In Action
2: EPub.student4: EPub.university.stuID
6: EPub.university8: ABU.accredited9: StateU
StateU StateU StateU
10: StateU.stuID
0: EPub.spdiscount 1: EPub.student EOrg.preferred
3: EOrg.preferred5: ACM.member7: Alice
Alice
Alice
Alice
AliceAlice
Alice Alice
Alice Alice
![Page 16: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/16.jpg)
16
The Forward Search Algorithm (Overview)
Starts with one entity node Constructs a proof graph Each node in the graph stores its solutions:
roles that this node can reach (is a member of ) Maintains a work list of nodes need to be processed Algorithm Outline:
keep processing nodes in the work list until it is empty
![Page 17: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/17.jpg)
17
Forward Search In Action
ABU.accredited
0: Alice
StateU.stuIDStateU.stuID
EPub.student
3: ABU.accredited2: StateU
6: EPub.university
1: StateU.stuID
ABU.accredited
EPub.universityEPub.university EPub.university
EPub.student
7: Epub.university.stuID
9: EPub.student
EPub.student EPub.student
1. StateU.stuID Alice
2. ABU.accredited StateU
3. EPub.university ABU.accredited
4. EPub.student EPub.university.stuID
5: ABU 8: EPub
4: ABU.accredited.stuID
![Page 18: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/18.jpg)
18
Worst-Case Complexity
Backward: time O(N3+NM), space O(NM) N is the number of rules M is the sum of the sizes of all rules,
A.r f1fk having size k, other credentials have size 1
Forward: time O(N2M), space O(NM) However, this is goal oriented, making it
much better in practice
![Page 19: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/19.jpg)
19
Bidirectional Search The bi-direction search algorithm
combines backward search and forward search
Bidirectional(e, D) Two queues: Forward processing and
backward processing queue Iteratively remove and process node until both
queues are empty Each node e stores
Backward solutions, backward monitors Full and partial forward solutions, forward
monitors
![Page 20: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/20.jpg)
20
Distributed Storage of Credentials
Example:1. EOrg.preferred ACM.member2. ACM.member Alice
Who should store a credential? either issuer or subject
It is not reasonable to require that all credentials are stored by issuers, or, all are stored by subjects.
![Page 21: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/21.jpg)
AliceEPub
StateUABU
3. ABU.accredited StateU
1. COE.stuID Alice4. EPub.university ABU.accredited5. EPub.student
EPub.university.stuID
Who stores these statements?
2. StateU.stuID COE.stuID
COE
![Page 22: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/22.jpg)
22
Traversability of Edges and Paths
StateU.stuID
Alice
EPub.university.stuID
EPub.student
EPub.university
ABU.accredited
StateU
Backward(Issuer stored)
Forward(Subject stored)
Key
Confluent
Idea: Confluent paths can be discovered by bidirectional search
An edge B.r2 A.r1.r2 has the same
traversability as B A.r1
![Page 23: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/23.jpg)
23
How to Ensure that Every Path is Confluent?
Goal: Use constraints local to each credential to ensure that every path is confluent
Approach: give each role name a traceability type introduce a notion of well-typed credentials
Main idea: by requiring consistent storage strategy at role
name level, guarantee chains using well-typed credentials are confluent
![Page 24: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/24.jpg)
24
Types of Role Names
A role name has two types: Issuer side:
issuer-traces-all issuer-traces-def (e.g. A1.r A2.r A3.r) issuer-traces-none
Subject side: subject-traces-all subject-traces-none
![Page 25: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/25.jpg)
25
Well-typedness of Role Names
![Page 26: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/26.jpg)
26
Typing role expressions
![Page 27: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/27.jpg)
27
Well-typed Credentials
![Page 28: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/28.jpg)
28
Example
![Page 29: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/29.jpg)
29
Example (contd)
![Page 30: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/30.jpg)
30
Properties
![Page 31: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/31.jpg)
31
Benefits of the Storage Type System
Guarantees that chains of well-typed credentials can be discovered
Enables efficient chain discovery by telling the algorithm whether forward or backward search should be used for an intermediate query
![Page 32: Trust Management II](https://reader035.fdocuments.in/reader035/viewer/2022081603/5681474a550346895db48c23/html5/thumbnails/32.jpg)
32
Acknowledgement Slides for the second part of the lecture
were based, in part, on slides from Ninghui Li and John Mitchell.