Information Security Engineering, 2017.11.29. Access Control. Huiping Sun, sunhp@ss.pku.edu.cn
Main contents
Reference books
Introduction to access control
Introduction: Definition of access control. "The process of granting or denying specific requests to: obtain and use information and related information processing services; and enter specific physical facilities." (NIST IR 7298) "A process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy." (RFC 4949)
Introduction: Access control at different levels
Introduction: Relationship between access control and other security functions
Introduction: Access control policy and mechanism (figure labels: Subject, Authorization, Access Control, Object)
Introduction: Subjects and objects
Introduction: Permissions, written as a triple (X, Y, P)
Introduction: Principle of least privilege (Saltzer, http://web.mit.edu/saltzer/): "Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."
Introduction: A simple example
Access control models
Model: Access control models: DAC, MAC, RBAC, ABAC
Model: Discretionary Access Control (DAC) model (figure: subjects and objects)
Model: Mandatory Access Control (MAC) model (figure: subjects and objects labelled with Classification and Categories); examples: SELinux, Solaris
Model: MAC models: Bell-LaPadula, Biba, BMA
Model: Role-Based Access Control (RBAC) model (figure: subjects, roles, objects); http://csrc.nist.gov/rbac
Model: The RBAC model
Model: Attribute-Based Access Control (ABAC)
Model: Examples of attributes (figure labels: ID, URI, Object)
Access control technologies
Technology: Access control matrix
Technology: Access control lists vs. capability lists
Technology: UNIX file access control
Technology: RBAC: user-to-role mapping (figures: Client, Server, User-role Authorization Server; Client, Proxy Server, Server, User-role Authorization Server)
Technology: RBAC: roles and objects
Technology: XACML (eXtensible Access Control Markup Language); keywords on the slide: OASIS, IBM, SAML, XML; http://www.oasis-open.org/committees/xacml/
Technology: XACML
Technology: Other technologies: rule-based access control (figure values: 5M, 5M, 10M)
Technology: Other technologies: constrained user interfaces (ATM example)
Technology: Other: UCON (usage control)
Access control examples
Example: Challenges facing access control: fine granularity, massive scale, distribution, changing environments, simple management, personalization, interconnection and interoperability
Example: Behavior-based access control (figure labels: Doctor, Government, Insurer; Access; Access Control Engine; Access allowed; EHR; Write log; Access Log; Analyze log; Behavior Analyze Engine; Generate policy based on user behavior; Policy Database; Administrator: policy?; Patient: control?)
Example: Based on trust + risk + game theory
Example: Privacy settings problem in online social networks (OSN)
Example: SNS privacy control based on friend closeness
Example: Access control settings recommendation wizard
Example: Privacy settings recommendation wizard
Introduction to identity management
Identity Management: Reference books
Identity Management: Digital identity
Identity Management: Digital identity lifecycle
Identity Management: Definitions: IDM, IAM, AIM
Identity Management: Parties in identity management (figure with numbered steps 1 to 5; IdP)
Identity Management: Isolated IDM (figure labels: Identifier, Credential). Source: Audun Jøsang and Simon Pope. User Centric Identity Management. In Proc. AusCERT 2005.
Identity Management: Federated IDM (Assertion; SAML, Liberty Alliance, Shibboleth)
Identity Management: Centralized IDM (CA)
Identity Management: Single sign-on IDM (Kerberos, Microsoft Passport)
Identity Management: Standards
Identity Management: Web services security standards (figure labels: XrML, Provisioning, XML Encryption, WS-Security, Biometrics, XML Signature, XKMS, SAML, XACML; W3C, OASIS, Joint; Architecture, Security)
Identity Management: Identity management standards (figure: XML-based standards SPML, SAML, XACML)
Identity Management: SPML (Service Provisioning Markup Language)
Identity Management: SPML operations (figure labels: RA, PSP, PST; operations: ListTargets, Add, Lookup, Modify, Delete, status, cancel, setpassword, expirepassword, resetpassword, validatepassword, batch, bulkmodify, BulkDelete, search, iterate, closeiterator, suspend, resume, active, update)
Identity Management: SAML (Security Assertion Markup Language) for the Web
Identity Management: Evolution of computing models
Identity Management: Identity management as a service (figure: IDM placed at the OS, application and service layers; application system vs. service system)
Homework: PACMAN: Personal Agent for Access Control in Social Media. In IEEE Internet Computing, 2017.