Authorizing Strangers in Distributed Systems by Using Attribute-based Access Control

Will Winsborough

NAI Labs

An authenticated subject identity doesn't help in access control decisions if the principal on whose behalf the subject is executing is a stranger. Most authorization systems today are identity based, requiring principals to be known to the system (often through administrative actions such as account creation or certificate generation) before their requests for protected resources can be authorized. Consequently, in large or distributed systems, administrative scalability is a serious problem.

The Advances in Trust Negotiation (ATN) project is studying "attribute-based access control" (ABAC), an approach to authorization that addresses this problem of administrative scalability. Instead of using subject identity, ABAC authorization decisions are based on principal attributes that are housed in portable, verifiable attribute credentials. Attribute credentials contain potentially sensitive data (e.g., credit limit, security clearance level), and must be protected. Consequently, to establish the mutual trust necessary for the desired interaction, the requester and the resource holder cautiously engage in a sequence of mutual credential disclosures, which we call a "trust negotiation."

This talk will focus on our recent work in trust negotiation strategies, which determine the sequence of credential exchanges. In particular, we will discuss strategies that negotiate efficiently when not only are the details of credential contents sensitive, but the mere knowledge of possession of a credential of a certain type is also sensitive.
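As an added illustration of the negotiation described above (this is example code written for this page, not the ATN project's own implementation or any real credential format), the following Python simulates two principals exchanging attribute credentials under per-credential release policies. Each party discloses a credential only once the other side has shown the credential kinds its release policy demands, and the resource is granted once the server has seen every kind in the access policy. All names (the principals, the credential kinds `employee_id`, `security_clearance`, `govt_agency_cert`, the issuers) are constructed for the example; credential signatures and the possession-hiding strategies the talk mentions are not modeled, and the strategy used here is the simplest "eager" one: release everything the policy currently permits.

```python
from dataclasses import dataclass, field


@dataclass
class Credential:
    kind: str      # attribute type, e.g. "employee_id" (constructed example names)
    issuer: str    # who vouches for the claim; signature verification is omitted here
    claim: str     # the attribute value the credential carries


@dataclass
class Principal:
    name: str
    credentials: dict                      # kind -> Credential we hold
    release_policy: dict                   # kind -> set of kinds the peer must show first
    received: dict = field(default_factory=dict)   # kind -> Credential shown by the peer
    disclosed: set = field(default_factory=set)    # kinds we have already sent

    def releasable(self):
        """Credentials not yet sent whose release policy the peer's disclosures satisfy.
        A kind with no release policy entry is freely disclosable."""
        seen = set(self.received)
        return [c for kind, c in self.credentials.items()
                if kind not in self.disclosed
                and self.release_policy.get(kind, set()) <= seen]

    def send(self, peer, cred):
        self.disclosed.add(cred.kind)
        peer.received[cred.kind] = cred


def negotiate(requester, server, access_policy, max_rounds=10):
    """Alternate disclosures (requester first) until the server has seen every kind
    the resource's access policy requires (granted), or a full round passes in which
    neither side can release anything new (denied, without over-disclosing).
    Returns (granted, transcript) where transcript is a list of (sender, kind)."""
    transcript = []
    for _ in range(max_rounds):
        progressed = False
        for sender, receiver in ((requester, server), (server, requester)):
            for cred in sender.releasable():
                sender.send(receiver, cred)
                transcript.append((sender.name, cred.kind))
                progressed = True
            if access_policy <= set(server.received):
                return True, transcript
        if not progressed:
            return False, transcript
    return False, transcript


def demo(server_policy_for_agency_cert):
    """Constructed scenario: alice wants a service that requires a security clearance.
    She will only show the clearance to a peer that has proved it is a government
    agency; the service will only prove that after seeing the requester's employee id
    (or whatever kinds are passed in, to exercise the failure case)."""
    alice = Principal(
        "alice",
        credentials={"employee_id": Credential("employee_id", "acme", "E-1234"),
                     "security_clearance": Credential("security_clearance", "dod", "secret")},
        release_policy={"security_clearance": {"govt_agency_cert"}})
    service = Principal(
        "service",
        credentials={"govt_agency_cert": Credential("govt_agency_cert", "gsa", "agency-42")},
        release_policy={"govt_agency_cert": server_policy_for_agency_cert})
    return negotiate(alice, service, access_policy={"security_clearance"})


if __name__ == "__main__":
    print(demo({"employee_id"}))   # clearance released only after the agency cert
    print(demo({"passport"}))      # stalls: alice never discloses her clearance
```

In the successful run the transcript is `employee_id`, then `govt_agency_cert`, then `security_clearance`: the sensitive credential leaves the requester only after the server has proved what the release policy asks for. In the failing run the service demands a kind the requester cannot produce, so the exchange stops after the first free disclosure and the clearance is never revealed; that stalled-without-leaking outcome is what a release policy buys, and smarter strategies (including the ones in the talk) differ in how many disclosures they need to reach the same decision.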

Gates 4B (opposite 490), 3/6/01, 4:15 PM