The idea is that the secrets classified as top-secret are most
closely guarded and only accessible to people who have a
special clearance. The unclassified category is the lowest
level not needing any clearance. While the idea behind these
security levels is quite straightforward, there are some
interesting phenomena that you need to think about when
realising such a system. First, this kind of access control
needs to be \emph{mandatory} as opposed to
\emph{discretionary}. With discretionary access control, the
owners of resources can decide how to restrict or grant access
to them. With mandatory access control, the access to resources
is enforced ``system-wide'' by a policy that the users cannot
override. There are also some interesting rules for reading
and writing a resource that need to be enforced:


\begin{itemize}
\item {\bf Read Rule}: a principal $P$ can read a resource $O$
  provided $P$'s security level is at least as high as
  $O$'s
\item {\bf Write Rule}: a principal $P$ can write a resource
  $O$ provided $O$'s security level is at least as high as
  $P$'s
\end{itemize}

\noindent The first rule (``no read up'') implies that a
principal with secret clearance can read secret documents or
lower, but not documents classified top-secret. The second
rule for writing (``no write down'') needs to be the other way
around: someone with secret clearance can write secret or
top-secret documents---no information is leaked in these
cases (though it does mean a principal can modify a document
it is not allowed to read, which is why implementations often
only permit writing at exactly the principal's own level). In
contrast the principal cannot write confidential documents,
because then information can be leaked to lower levels. These
rules about enforcing secrecy with multi-level clearances are
often called the \emph{Bell/LaPadula} model, named after David
Bell and Leonard LaPadula, who studied such systems.

A problem with this kind of access control system is when two
people want to talk to each other but are assigned different
security clearances, say secret and confidential. In these
situations, the people with the higher clearance have to lower
their security level and are not allowed to take any document
from the higher level with them to the lower level (otherwise
information could be leaked). In actual systems, this
might mean that people need to log out and log into the system
again---this time with credentials for the lower level.

While secrecy is one property you often want to enforce,
integrity is another. This property ensures that nobody
without adequate clearance can change, or tamper with,
systems. An example for this property is a \emph{firewall},
which isolates a local system from threats from the
Internet. The rule for such a system is that somebody from
inside the firewall can write resources outside the firewall,
but nobody can write a resource inside the firewall from
outside. Otherwise an outsider could just tamper with a system
in order to break in. In contrast, resources from inside the
firewall, for example web-pages, can be read from outside; but
from inside we cannot read anything from outside the firewall,
lest we introduce a virus into the system (behind the
firewall). In effect, in order to ensure integrity the read
and write rules are reversed from the case of secrecy:

\begin{itemize}
\item {\bf Read Rule}: a principal $P$ can read a resource $O$
  provided $P$'s security level is lower than or equal to
  $O$'s
\item {\bf Write Rule}: a principal $P$ can write a resource
  $O$ provided $O$'s security level is lower than or equal to
  $P$'s
\end{itemize}

\noindent This kind of access control system is called the
\emph{Biba} model, named after Kenneth Biba. Its purpose is to
prevent data modification by unauthorised principals; here the
``security level'' measures how trustworthy a principal or
resource is, with the inside of the firewall at the higher
level.

The paradoxical result of the different reading and writing
rules in the \emph{Bell/LaPadula} and \emph{Biba} models is
that we cannot have secrecy and integrity at the same time
in a system with a single set of levels: if both rule sets are
enforced on the same labels, a principal can only read and
write resources at exactly its own level. Either secrecy and
integrity need to be tracked with separate labels, or they
need to be enforced by different means.

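The following Python program is an added example and not part
of these notes. It encodes the Bell/LaPadula rules from the
previous section and the Biba rules from this one as a small
reference monitor over the levels used in the text
(unclassified up to top-secret), checks the requests the two
sections discuss, and shows the collapse just described: with
both rule sets enforced on one label, the only permitted
accesses are at the principal's own level. The level names are
the ones in the text; the principals, the resources and the
two-level \texttt{outside}/\texttt{inside} lattice for the
firewall are assumptions made up for illustration.

```python
"""Reference monitor for the Bell/LaPadula (secrecy) and Biba
(integrity) rules on a linear lattice of levels.

Added example, not from the lecture notes.  The principals,
resources and the FIREWALL lattice are made up for illustration;
`both_allow` is a hypothetical policy that enforces the two rule
sets on the same label to show that only same-level access survives.
"""

from itertools import product

# Linear order of levels, lowest first.  Index = rank.
LEVELS = ["unclassified", "confidential", "secret", "top-secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed two-level integrity lattice for the firewall example:
# the inside of the firewall is the more trustworthy level.
FIREWALL = {"outside": 0, "inside": 1}


def blp_allows(op, subject_level, object_level, rank=RANK):
    """Bell/LaPadula: no read up, no write down."""
    s, o = rank[subject_level], rank[object_level]
    if op == "read":
        return s >= o          # simple security property
    if op == "write":
        return o >= s          # *-property
    raise ValueError(op)


def biba_allows(op, subject_level, object_level, rank=RANK):
    """Biba: no read down, no write up (levels measure trust)."""
    s, o = rank[subject_level], rank[object_level]
    if op == "read":
        return s <= o
    if op == "write":
        return o <= s
    raise ValueError(op)


def both_allow(op, subject_level, object_level, rank=RANK):
    """Hypothetical policy applying both rule sets to one label."""
    return (blp_allows(op, subject_level, object_level, rank)
            and biba_allows(op, subject_level, object_level, rank))


def allowed_pairs(policy, op, levels=LEVELS):
    """All (subject_level, object_level) pairs the policy permits."""
    return {(s, o) for s, o in product(levels, levels) if policy(op, s, o)}


def check_request(policy, subject, subject_level, op, obj, object_level):
    """Mandatory check: the verdict depends only on the two labels,
    never on who owns the resource."""
    ok = policy(op, subject_level, object_level)
    verdict = "ALLOW" if ok else "DENY"
    return f"{verdict}: {subject}({subject_level}) {op} {obj}({object_level})"


if __name__ == "__main__":
    # Constructed requests mirroring the examples in the text.
    for sub, sl, op, obj, ol in [
        ("alice", "secret", "read", "memo", "top-secret"),
        ("alice", "secret", "write", "memo", "top-secret"),
        ("alice", "secret", "write", "notice", "confidential"),
    ]:
        print("BLP ", check_request(blp_allows, sub, sl, op, obj, ol))
        print("Biba", check_request(biba_allows, sub, sl, op, obj, ol))
    # Firewall as a Biba lattice: outside may not write inside.
    print("Biba", biba_allows("write", "outside", "inside", FIREWALL))
    # Under both rule sets, only same-level access remains.
    print(sorted(allowed_pairs(both_allow, "read")))
```

The decision functions take only labels, which is what makes the
policy mandatory: a resource owner has no way to widen access by
changing a permission bit, as they could under discretionary
control.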
|
\subsubsection*{Multi-Agent Access Control}

In military or banking, for example, very critical decisions
need to be made using a \emph{two-man rule}. This means such
decisions need to be taken by two people together, so that
no single person can defraud a bank or start a nuclear war
(you will know what I mean if you have seen the classic movie
``Dr Strangelove or: How I Learned to Stop Worrying and Love
the
Bomb''\footnote{\url{http://en.wikipedia.org/wiki/Dr._Strangelove}}).

Let us assume we want to implement a system where a CEO can
make decisions on their own, but two managing directors (MDs)
need to come together to make the same decision. If ``lowly''
directors (Ds) want to take the decision, three need to come
together. An obvious solution to such a problem is to split
the necessary key into $n$ parts according to the ``level''
where the decision is taken. For example one key for a CEO,
two halves for the MDs and three thirds for the Ds. The
problem with this kind of sharing a key is that there might
be many hundreds of MDs and Ds in your organisation: each
half or third can only be given to one person, and two MDs
holding the same half cannot decide anything together.
Simple-minded halving or division by three of the key just
does not work.

A much more clever solution was proposed independently by
Blakley and Shamir in 1979. This solution is inspired by some
simple geometric facts. Given a three-dimensional axis system,
we can specify a point on the $z$-axis, say, by specifying its
coordinates. But we could equally specify this point by a line
that intersects the $z$-axis in this point. How can a line be
specified? Well, by giving two points in space. But as you
might remember from school days, we can specify the point
also by a plane, and a plane can be specified by three points
in space (not all lying on one line). This could be pictured
as follows:

\begin{center}
\includegraphics[scale=0.45]{../pics/pointsplane.jpg}
\end{center}

\noindent
Every point on the line is a share for an MD, and every point
on the plane is a share for a D: any two MDs, or any three
Ds, can reconstruct the secret point, while fewer points leave
it undetermined. Since a line and a plane contain infinitely
many points, hundreds of shares can be handed out. Scaling
this idea to more dimensions allows for even more levels of
access control.


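As an added example that is not part of these notes, the
Python program below implements Shamir's polynomial form of the
geometric idea: over a prime field, a polynomial of degree
$k-1$ passing through the secret at $x=0$ takes the role of
the line ($k=2$) or the plane ($k=3$), and any $k$ points with
distinct $x$-coordinates fix it. One such polynomial per role
gives the CEO/MD/D policy of the text. The prime, the
thresholds per role, the share counts and the sample secret
are assumptions made for illustration.

```python
"""Threshold secret sharing for the CEO / MD / D example.

Added example, not from the lecture notes; it implements Shamir's
polynomial form of the geometric idea over a prime field.  A random
polynomial f of degree k-1 with f(0) = secret plays the role of the
line (k = 2) or the plane (k = 3): any k points with distinct x fix
it, fewer do not.  PRIME, THRESHOLDS and the sample secret are
assumptions for illustration.
"""

import secrets

PRIME = 2**127 - 1  # Mersenne prime; secrets must be smaller than this
THRESHOLDS = {"CEO": 1, "MD": 2, "D": 3}  # assumed policy from the text


def make_shares(secret, k, n, prime=PRIME):
    """Split `secret` into n shares of which any k reconstruct it.

    Picks a random polynomial f of degree k-1 with f(0) = secret and
    returns the points (x, f(x)) for x = 1..n.  With k = 1 the
    polynomial is constant, so every share *is* the secret (the CEO
    case).  x = 0 is never used as a share, since f(0) is the secret.
    """
    if not 0 <= secret < prime:
        raise ValueError("secret must be in [0, prime)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, prime) for i, c in enumerate(coeffs)) % prime

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(shares, prime=PRIME):
    """Lagrange interpolation at x = 0 over the given points.

    Any k points on a degree-(k-1) polynomial determine it, so f(0)
    is the secret.  Fewer than k points yield some other value (they
    describe a different polynomial), not an error: the caller cannot
    tell from the result alone that the quorum was too small.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x-coordinates")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def shares_per_role(secret, counts, thresholds=THRESHOLDS):
    """One independent polynomial per role, all with f(0) = secret.

    Shares from different roles lie on different curves, so an MD
    share and a D share cannot be combined; this simple scheme gives
    no mixed quorums.  `counts` maps role -> number of shares.
    """
    return {role: make_shares(secret, thresholds[role], n)
            for role, n in counts.items()}


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)  # constructed sample secret
    dealt = shares_per_role(key, {"CEO": 1, "MD": 50, "D": 300})
    print(recover(dealt["CEO"][:1]) == key)                       # one CEO
    print(recover([dealt["MD"][7], dealt["MD"][42]]) == key)      # any two MDs
    print(recover([dealt["D"][3], dealt["D"][99], dealt["D"][250]]) == key)
    # Two directors alone land on a wrong value (with overwhelming probability).
    print(recover(dealt["D"][:2]) == key)
```

Working modulo a prime rather than over the reals is what makes
fewer than $k$ shares reveal nothing: every candidate secret is
consistent with $k-1$ points, whereas points on a real line would
narrow the secret down.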

\subsubsection*{Further Information}

If you want to know more about the intricacies of the
``simple'' Unix access control system you might find the