198 needs to be \emph{mandatory} as opposed to |
200 needs to be \emph{mandatory} as opposed to |
199 \emph{discretionary}. With discretionary access control, the |
201 \emph{discretionary}. With discretionary access control, the |
200 users can decide how to restrict or grant access to resources. |
202 users can decide how to restrict or grant access to resources. |
201 With mandatory access control, the access to resources is |
203 With mandatory access control, the access to resources is |
202 enforced ``system-wide'' and cannot be controlled by the user. |
204 enforced ``system-wide'' and cannot be controlled by the user. |
|
205 There would be no point to let users set the secrecy level, |
|
206 because if they want to leak information they would set it to |
|
207 the lowest. Even if there is no malicious intent, it could |
|
208 happen that somebody by accident sets the secrecy level too |
|
209 low for a document. Note also that the secrecy levels are in |
|
210 tension with the Unix-style access controls. There root is |
|
211 allowed to do everything, but in a system enforcing secrecy, |
|
212 you might not like to give root such powers. |
|
213 |
203 There are also some interesting rules for reading and writing |
214 There are also some interesting rules for reading and writing |
204 a resource that need to be enforced: |
215 a resource that need to be enforced: |
205 |
216 |
206 |
217 |
207 \begin{itemize} |
218 \begin{itemize} |
263 |
274 |
264 \noindent This kind of access control system is called |
275 \noindent This kind of access control system is called |
265 \emph{Biba} model, named after Kenneth Biba. Its purpose is to |
276 \emph{Biba} model, named after Kenneth Biba. Its purpose is to |
266 prevent data modification by unauthorised principals. |
277 prevent data modification by unauthorised principals. |
267 |
278 |
268 The paradoxical result of the different reading and writing |
279 The somewhat paradoxical result of the different reading and |
269 rules in the \emph{Bell/LaPadula} and \emph{Biba} models is |
280 writing rules in the \emph{\mbox{Bell}/LaPadula} and |
270 that we cannot have secrecy and integrity at the same time |
281 \emph{Biba} models is that we cannot have secrecy and |
271 in a system, or they need to be enforced by different means. |
282 integrity at the same time in a system, or they need to be |
|
283 enforced by different means. |
272 |
284 |
273 \subsubsection*{Multi-Agent Access Control} |
285 \subsubsection*{Multi-Agent Access Control} |
274 |
286 |
275 In military or banking, for example, very critical decisions |
287 In military or banking, for example, very critical decisions |
276 need to be made using a \emph{two-man rule}. This means such |
288 need to be made using a \emph{two-men rule}. This means such |
277 decisions need to be taken by two people together, so that |
289 decisions need to be taken by two people together, so that no |
278 no single person can defraud a bank or start a nuclear war |
290 single person can defraud a bank or start a nuclear war (you |
279 (you will know what I mean if you have seen the classic movie |
291 will know what I mean if you have seen the classic movie ``Dr |
280 ``Dr Strangelove or: How I Learned to Stop Worrying and Love |
292 Strangelove or: How I Learned to Stop Worrying and Love the |
281 the |
|
282 Bomb''\footnote{\url{http://en.wikipedia.org/wiki/Dr._Strangelove}}). |
293 Bomb''\footnote{\url{http://en.wikipedia.org/wiki/Dr._Strangelove}}). |
283 |
294 Translating the two-men rule into a software system seems not |
284 Let us assume we want to implement a system where a CEOs can |
295 as straightforward as one might think. |
285 fell decisions on their own, but two managing directors (MDs) |
296 |
286 need to come together to fell the same decision. If ``lowly'' |
297 Let us assume we want to implement a system where CEOs can |
287 directors (Ds) want to take the decision, three need to come |
298 make decisions on their own, for example whether or not to |
288 together. An obvious solution to such a problem is to split |
299 sell assets, but two managing directors (MDs) need to come |
289 the necessary key into $n$ parts according to the ``level'' |
300 together to make the same decision. If ``lowly'' directors |
290 where the decision is taken. For example one key for a CEO, |
301 (Ds) want to take this decision, three need to come together. |
291 two halves for the MDs and three thirds for the Ds. The |
302 Remember cryptographic keys are just sequences of bits. A |
292 problem with this kind of sharing a key is that there might |
303 naive solution to the problem above is to split the necessary |
293 be many hundreds MDs and Ds in your organisations. Simple-minded |
304 key into $n$ parts according to the ``level'' where the |
294 halving or devision by three of the keey just does not work. |
305 decision is taken. For example one complete key for a CEO, |
295 |
306 halves of the key for the MDs and thirds for the Ds. The |
296 A much more clever solution was Blakley and Shamir in 1979. |
307 problem with this kind of sharing a key is that there might be |
297 This solution is inspired by some simple geometric facts. |
308 many hundreds MDs and Ds in your organisations. Simple-minded |
298 Given a three-dimentional axis system, we can specify a |
309 halving or devision by three of the key just does not work. |
299 point on the $z$-axis, say, by specifying its coordinates. |
310 |
300 But we could equally specify this point by a line that |
311 A much more clever solution was proposed by Blakley and Shamir |
301 intersects the $z$-axis in this point. How can a line be |
312 in 1979. This solution is inspired by some simple geometric |
302 specified? Well, by giving two spaces in space. But as you |
313 laws. Suppose a three-dimentional axis system. We can, clearly, |
303 might remember from school days, we can specify the point |
314 specify a point on the $z$-axis, say, by specifying its |
304 also by a plane and a plane can be specified by three points |
315 coordinates. But we could equally specify this point by a line |
305 in space. This could be pictured as follows: |
316 that intersects the $z$-axis in this point. How can a line be |
|
317 specified? Well, by giving two points in space. But as you |
|
318 might remember from school days, we can specify the point also |
|
319 by a plane intersecting the $z$-axis and a plane can be |
|
320 specified by three points in space. This could be pictured as |
|
321 follows: |
306 |
322 |
307 \begin{center} |
323 \begin{center} |
308 \includegraphics[scale=0.45]{../pics/pointsplane.jpg} |
324 \includegraphics[scale=0.45]{../pics/pointsplane.jpg} |
309 \end{center} |
325 \end{center} |
310 |
326 |
311 \noindent |
327 \noindent The idea is to use the points as keys for each level |
312 Scaling this idea to more dimensions allows for even more |
328 of shared access. The CEO gets the point directly. The MDs get |
313 levels of access control. |
329 keys lying on a line and the Ds get keys lying on the plane. |
|
330 Clever, no? Scaling this idea to more dimensions allows for |
|
331 even more levels of access control and more interesting access |
|
332 rules, like one MD and 2 Ds can take a decision together. |
|
333 |
|
334 Is such a shared access control used in practice? Well |
|
335 military command-chains are obviously organised like this. |
|
336 But in software systems often need to rely on data that might |
|
337 not be entirely accurate. So the CEO-level would correspond |
|
338 to the in-house data-source that you can trust completely. |
|
339 The MD-level would correspond to simple errors where you need |
|
340 three inputs and you decide on what to do next according to |
|
341 what at least two data-sources agree (the third source |
|
342 is then disregarded, because it is assumed it contains an |
|
343 error). If your data contains not just simple errors, you |
|
344 need levels corresponding to Ds. |
314 |
345 |
315 |
346 |
316 \subsubsection*{Further Information} |
347 \subsubsection*{Further Information} |
317 |
348 |
318 If you want to know more about the intricacies of the |
349 If you want to know more about the intricacies of the |