Attribute-Based Access Control (ABAC)

Sponsored by:
Advanced Technology Office (ATO)
Defense Advanced Research Projects Agency (DARPA)

DARPA Contract # N66001-01-C-8005
Doug Maughan, DARPA, Program Manager
Kevin Kumferman, SPAWAR, COTR

Who We Are
  • William H. Winsborough, Principal Investigator, Network Associates Labs, Network Associates, Inc.
  • Ninghui Li, Contributor, Department of Computer Science, Stanford University
  • Deborah Shands, Contributor, Network Associates Labs, Network Associates, Inc.

Overview of ABAC

Objective:
Today coalitions wishing to share resources often find themselves with no better alternative than to establish a virtual private network (VPN) and to make shared resources available to one another through the VPN. This means that users who have access to any of the shared resources have access to all of them, which is inappropriately coarse-grained access control. Alternative solutions that provide appropriate granularity are based on the identity, local role, or capabilities of the resource requestor. As such, they require foreign requestors to be known to the resource-providing organization before access can be authorized, which means these systems do not scale. The goal of this project is to overcome these granularity and scalability problems and in so doing develop access control systems that are suitable for dynamic coalitions.

Approach:
Authority in coalitions is inherently distributed. ABAC provides a means for each locus of authority to determine and specify its own judgments, and for those judgments to be combined naturally to make appropriate authorization decisions. Thus, while control is decentralized, resource owners retain fine-grained control of their own resources. For scalability, they have the option to delegate authority over judgments to those better qualified to make them. For instance, staffing decisions in foreign organizations require no local administration within the resource organization.

The approach bases authorization decisions on chains of digitally signed attribute credentials through which credential issuers assert their judgments about the attributes of entities, such as users and organizations. Because these credentials are digitally signed, they can serve to introduce strangers to one another off-line. A key to ABAC's scalability is that the issuers of credentials can be strangers whose authority is determined based on their own attributes, as documented in further credentials.

A key issue that ABAC must address is the choice of an appropriate language design. The language is at the core of an ABAC system. It determines the kinds of judgments that can be issued in credentials. Furthermore, its semantics determines how the judgments contained in credentials issued by distributed authorities combine to decide authorization questions.

Another key issue is that the data contained in credentials is often sensitive and must be protected. This is central, since it means that the credentials that must be presented to obtain access are themselves subject to access control. Because we are interested in supporting coalitions of organizations that have only limited mutual trust, we believe that the requestor and the access mediator will typically be unable to agree upon a trusted third party that might assist them in using their sensitive credentials to establish mutual trust. Instead, our approach calls for requestor and access mediator to enter into a kind of bilateral credential exchange, which we call a trust negotiation (TN). The negotiation consists of a sequence of credential exchanges that begin by disclosing credentials that are not sensitive. As credentials flow, more are unlocked, enabling them also to flow. In successful negotiations, credentials eventually flow that satisfy the policy of the desired resource. Ongoing strategy design work seeks to identify and avoid the potential pitfalls associated with protecting credential content during this process.
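To make the exchange concrete, here is an added toy model (not the project's code) of a trust negotiation: each sensitive credential carries a release policy naming the attributes the peer must already have disclosed, and the two sides take turns disclosing whatever is unlocked until the resource policy is met or a round passes with no new disclosure, the simplest form of the early failure detection the project describes. The coalition, hospital and attribute names are constructed, the eager disclosure strategy is an assumption, and signatures are not modelled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Credential:
    """A signed attribute assertion; the signature itself is not modelled here."""
    issuer: str
    subject: str
    attribute: str

    def tag(self) -> str:
        return f"{self.issuer}.{self.attribute}"   # how policies name an attribute

@dataclass
class Party:
    name: str
    holds: list                                   # credentials this party could disclose
    release: dict = field(default_factory=dict)   # tag -> peer tags required before disclosure
    shown: set = field(default_factory=set)       # tags disclosed to the peer so far

    def unlocked(self, peer_shown: set) -> list:
        # A credential with no release entry is non-sensitive and always unlocked.
        return [c for c in self.holds if c.tag() not in self.shown
                and self.release.get(c.tag(), set()) <= peer_shown]

def negotiate(requester: Party, mediator: Party, resource_policy: set, max_rounds: int = 10):
    """Eager strategy: in turns, each side discloses everything currently unlocked.
    Returns (success, transcript); a round with no new disclosure means failure is inevitable."""
    transcript = []
    for _ in range(max_rounds):
        progress = False
        for sender, receiver in ((requester, mediator), (mediator, requester)):
            for cred in sender.unlocked(receiver.shown):
                sender.shown.add(cred.tag())
                transcript.append((sender.name, cred.tag()))
                progress = True
        if resource_policy <= requester.shown:
            return True, transcript
        if not progress:
            return False, transcript
    return False, transcript

def scenario(accreditation_requires: str):
    """Constructed sample: Alice asks HospitalB's mediator for records gated on HospitalA.physician."""
    alice = Party("Alice", [Credential("CoalitionHQ", "Alice", "member"),
                            Credential("HospitalA", "Alice", "physician")],
                  release={"HospitalA.physician": {"CoalitionHQ.accredited"}})
    hospital_b = Party("HospitalB", [Credential("CoalitionHQ", "HospitalB", "accredited")],
                       release={"CoalitionHQ.accredited": {accreditation_requires}})
    return alice, hospital_b
```

With `scenario("CoalitionHQ.member")` the mediator's accreditation unlocks after Alice's non-sensitive membership credential, which in turn unlocks her physician credential; with `scenario("CoalitionHQ.officer")` neither side can make progress after the first round and the negotiation is abandoned without disclosing the sensitive credential.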

Recent Accomplishments:
The current project is a follow-on to a small start-up project, Advances in Trust Negotiation. Because the new project continues the technical goals of the former, we report together the accomplishments of both. Accomplishments to date have been in the following areas:

  1. Distributed credential discovery. We have specified algorithms and a credential type system that allows some credentials to be stored with their issuer and some with their subject, while ensuring credentials can be found to answer authorization questions. This work was done in collaboration with the group conducting the Agile Management of Dynamic Collaborations project at Stanford University, which is also funded by DARPA under the Dynamic Coalitions Program. It will be published this year in the leading ACM security conference.
  2. Policy language design. We have identified basic requirements for ABAC policy languages. We found that none of the policy languages used in existing trust negotiation strategies meet these requirements. We also found that prominent trust management languages such as KeyNote do not meet them either. We identified Delegation Logic (DL) as a candidate language that meets our basic requirements.
  3. Design of a realistic negotiation strategy. We have analyzed existing strategies from the point of view of whether they successfully control access to credential content and information about which credentials a negotiator holds. The important ones all have high-bandwidth covert channels that enable unauthorized access to credential content. We have developed design principles that seem to close the covert channels we have identified and are in the process of organizing a design specification.

Current Plan:
Under this contract, we plan the following activities and delivery schedule.

  1. The specification of a negotiation strategy that protects credential content from unauthorized disclosure. Unlike previous strategies, this one will be based on a realistic policy language, possibly DL. If it is available in time, we will instead use RT1, a new language currently being developed at Stanford that is expected to provide an XML format and an evaluation procedure that can drive distributed credential collection. We plan to deliver this specification in October 2002.
  2. We are available to assist the Stanford group with the semantics and evaluation mechanism for RT1. (We contributed to these aspects of the development of its precursor, RT0.)
  3. We plan to implement a preliminary trust negotiation system using the strategy specified in activity 1. We will demonstrate the implementation during the second quarter of 2002.
  4. We plan to extend the credential-protection strategy to include optimization procedures that analyze incoming policy transmissions for interdependencies with local credentials and policies. The analysis will perform early detection of inevitable negotiation failure. It will also provide heuristic selection of credentials for transmission, aimed at hastening negotiation success. We plan to demonstrate this variant strategy by the first quarter of 2003.
  5. We plan to design at least one technique whereby distributed, sensitive credentials can be collected as they are needed during trust negotiation, in a manner that is driven by the policy exchanged during that negotiation. We plan to deliver a specification of this technique during the second quarter of 2003.
  6. We plan to prepare a methodology for authoring policy and credential contents for ABAC in a dynamic coalition environment. We plan to deliver a report presenting this methodology by the third quarter of 2003.

The focus of the base task does not include the design or construction of a full access control system. Rather, it focuses on enabling technology. The contract contains an unfunded option to build an attribute-based access control system by employing the technology developed under the base task.

Technology Transition:
ABAC will have bearing on a wide variety of military and commercial coalition operations. For instance, the DARPA/Army Future Combat System requires rapid deployment and joint, international interoperability. This will require an authorization infrastructure that can be administered efficiently, such as the one being designed by the ABAC project.

Other likely military contexts for deployment of this technology include the U.S. Army Communications-Electronics Command (CECOM), where Joint Vision 2010 aims to maximize information systems integration and interoperability while increasing system/platform effectiveness. Integration of forces will require subjects, including intelligent software agents, from multiple organizations to be able to establish trust with one another rapidly, automatically, and effectively. The technology being developed under the ABAC project will be easily adapted to contexts, beyond traditional access control, that require trust establishment.

The ABAC project aims to address a fundamental problem confronting dynamic coalitions throughout the military and commercial sectors: how to make authorization decisions without requiring prior local knowledge of each subject in the coalition. More generally, this problem confronts any pair of subjects attempting to establish trust with no prior contact or knowledge of one another. The number of situations where this problem will be unavoidable is enormous, and currently there is no satisfactory alternative solution.

Results from the ABAC base task will provide a basis for access control, but will not provide a complete access control system. Several basic problems must be solved before ABAC will be ready for production use. Consequently, the immediate dissemination will be through technical presentations and publications. As basic issues are resolved, we will explore opportunities for developing a full access control system, and simultaneously seek visible military and/or commercial experimentation contexts.

Additional Information on ABAC
The Quad Chart provides a one-page view including the architecture diagram, new ideas, impact, and schedule.