Mike Burmester, Computer Science, Florida State University. Joint work with Prasanta Das and Martin Edwards (MITRE Corporation) and Alec Yasinsac (University of South Alabama). 06/07/09
Our Goal & Model Requirements
Trust Management Model Formulation
The Way Ahead
A stabilization and humanitarian relief scenario
A coalition of militaries, government agencies and NGOs is involved in a stabilization and humanitarian relief effort in Orange Land, a sub-Saharan nation in the midst of inter-tribal conflict and a three-year drought.
The Orange Land government is generally pro-West, but two factions have ties to terrorist organizations through their rhetoric and tribal affiliations.
A tactical wide area network is established to support the coordination and cooperation of the operations.
Each national military, government agency and NGO is on the network, with access based on attributes associated with its group.
The military consistently presents information on insurgent locations and dangerous areas (e.g., improvised explosive device locations) so that non-military groups can use it for safety and planning.
The military provides timelines for operations that will go force-on-force with insurgents, so that non-military efforts are not caught up in these operations, which could result in civilian casualties.
Key to the level of information sharing is the trust established between the organizations: information is made available to each group, but the groups do not share it among themselves.
Each organization has its own "information compartment", which prevents cross-talk but allows coordinated approaches to resolving issues.
This trust relationship has allowed the military to successfully eliminate a number of insurgent strongholds and clearly map the IEDs (improvised explosive devices) planted.
A trust problem
It has become apparent to the military that information posted about upcoming operations is being leaked to insurgents.
The military arrives within minutes of the insurgents departing, often to find a number of IEDs and other traps already in place.
The military is considering removing non-military organizations from the network, but sees this as possibly leading to unnecessary endangerment of humanitarian efforts.
Other possible coalition scenarios
High seas piracy: coalitions of navies to check piracy off the African coast
Trust in a Variable Threat Environment
Current Trust Management systems are not designed to deal with variable threat environments, in which access to network resources must be restricted or suspended in response to an elevated threat level.
Ad Hoc Networking Collaboration
Modeling such requirements for ad hoc networking collaboration can be particularly challenging.
Maintenance of Privacy and Data Integrity
Modeling variable threat scenarios in Trust Management systems can be particularly challenging when privacy and integrity have to be supported.
No Dynamic Authorization of Access
What is needed is a flexible and dynamic access control model that takes into account the prevailing threats at the access point.
Support coalition information capability among:
Multinational Military, NGOs, the Intelligence Community
As well as DHS, Federal, State, Local & Tribal interactions
Current Trust Relationship Gaps
Static – Trusted or Untrusted
Variable Threat Environments Require Flexible Access and Authority for Mission Accomplishment.
Flexible Approach to Security Policies
Responding to temporal and/or locational threats
Functionality is Restricted by Threat Levels
Access to network resources is restricted while the threat level at the access point is elevated.
A dynamic trust model is used to broker network resources between domains with varying threat levels
Rollback-Access is used to maintain continuity of service by restoring suspended services and records when the threat subsides
Network resources that have to be protected are assigned threshold threat values.
Access to a protected resource is subject to:
Traditional discretionary and mandatory access requirements (Bell-LaPadula).
The prevailing threat level at the access point not exceeding the resource's threshold threat value.
If the threat level is raised above the threshold while a protected resource is accessed:
Access to protected resources is suspended while access to non-protected resources continues.
Access is restricted only in those domains for which the threat level is raised.
For all other domains there is no restriction, so distributed tasks can proceed normally.
Rollback-Access: supporting continuity of service
Service is restored when the threat level subsides.
All suspended records become available.
Records processed in other domains, external to the domain whose threat level was raised, also become available.
The threat levels for the Homeland Security Advisory system
( , auth ) =
Red auth Orange auth Yellow auth Blue auth Green
Define: = Information Compartment for threat level
Implies if then RA is triggered and invoked
Four-mode characterization of RA
i: Suspension
ii: Transitory
iii: Segregation
iv: Rollback of an authorization to a lower threat level
Execution of an action is suspended when
If then the record in suspended state is stored in
If threat level is later lowered to , the TM system will rollback (restore) those records of suspended execution for access action in
Initially for all
Rollback of is raised to
Put in a record of suspended access actions
Invoke the functionality
Every object produced during the threat level is assigned the threat level
Rollback of is lowered to
All records in where that are authorized by get restored and labeled as objects with and removed from
Every object produced during threat level is assigned the threat level
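A runnable sketch of the rollback-access rules described above (threshold threat values on protected resources, traditional discretionary and Bell-LaPadula checks, per-domain suspension when the threat level is raised, labelling of objects with the threat level they were produced under, and restoration on rollback), covering both the bullet-point model and the raise/lower formalisation. This is an added example written for this page, not the authors' code or prototype. The class names, the use of Python dictionaries for the suspended-record sets R_L, the sample resources, principals and object names, and the rule that rollback only lowers an object's label are assumptions made here.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Threat(IntEnum):
    """Homeland Security Advisory System levels, ordered low to high."""
    GREEN = 1
    BLUE = 2
    YELLOW = 3
    ORANGE = 4
    RED = 5


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: int               # Bell-LaPadula clearance


@dataclass(frozen=True)
class Resource:
    name: str
    domain: str                  # the access point whose threat level applies
    classification: int          # Bell-LaPadula sensitivity label
    readers: frozenset           # discretionary ACL
    threshold: Optional[Threat]  # None = not protected by the threat level


class RollbackAccessTM:
    """Trust manager: traditional checks plus threat thresholds, with rollback-access (RA)."""

    def __init__(self, resources, initial=Threat.GREEN):
        self.resources = {r.name: r for r in resources}
        self.threat = {r.domain: initial for r in resources}  # per-domain threat level
        self.active = {}      # (principal, resource) -> in-progress access action
        self.suspended = {}   # Threat L -> [(principal, resource)]  (the sets R_L)
        self.objects = {}     # object -> {"action": (principal, resource), "label": Threat}

    def _traditional_ok(self, p, r):
        # discretionary ACL plus the BLP simple-security rule (no read-up)
        return p.name in r.readers and p.clearance >= r.classification

    def _threat_ok(self, r, level):
        return r.threshold is None or level <= r.threshold

    def request(self, p, rname):
        r = self.resources[rname]
        if not self._traditional_ok(p, r) or not self._threat_ok(r, self.threat[r.domain]):
            return "denied"
        self.active[(p.name, rname)] = r
        return "granted"

    def produce(self, p, rname, obj):
        """An object produced during an action is labelled with the domain's current threat level."""
        if (p.name, rname) not in self.active:
            raise PermissionError(f"{p.name} has no active access to {rname}")
        label = self.threat[self.resources[rname].domain]
        self.objects[obj] = {"action": (p.name, rname), "label": label}

    def raise_threat(self, domain, level):
        """RA on raise: suspend actions on protected resources of `domain` whose threshold is
        below `level` and record them in R_level; unprotected resources and other domains continue."""
        if level <= self.threat[domain]:
            raise ValueError("raise_threat needs a higher level")
        self.threat[domain] = level
        kept = {}
        for key, r in self.active.items():
            if r.domain == domain and not self._threat_ok(r, level):
                self.suspended.setdefault(level, []).append(key)
            else:
                kept[key] = r
        self.active = kept
        return sorted(rname for _, rname in self.suspended.get(level, []))

    def lower_threat(self, domain, level):
        """RA on lower: restore every record in R_L (L > level) for `domain` that is authorised
        at `level`, relabel its objects with `level`, and drop it from R_L."""
        if level >= self.threat[domain]:
            raise ValueError("lower_threat needs a lower level")
        self.threat[domain] = level
        restored = []
        for L in [L for L in self.suspended if L > level]:
            remaining = []
            for key in self.suspended[L]:
                r = self.resources[key[1]]
                if r.domain == domain and self._threat_ok(r, level):
                    self.active[key] = r
                    for o in self.objects.values():  # assumption: labels are only ever lowered
                        if o["action"] == key and o["label"] > level:
                            o["label"] = level
                    restored.append(key[1])
                else:
                    remaining.append(key)
            self.suspended[L] = remaining
        return sorted(restored)


def demo():
    """Worked run on constructed data (resources, principals and object names are made up)."""
    acl = frozenset({"ngo_relief", "mil_ops"})
    tm = RollbackAccessTM([
        Resource("ied_map", "orangeland", 2, acl, Threat.YELLOW),
        Resource("op_timeline", "orangeland", 3, acl, Threat.BLUE),
        Resource("weather", "orangeland", 1, acl, None),
        Resource("piracy_feed", "gulf_of_aden", 2, frozenset({"mil_ops"}), Threat.ORANGE),
    ])
    ngo, mil = Principal("ngo_relief", 3), Principal("mil_ops", 4)
    out = {"ngo_piracy": tm.request(ngo, "piracy_feed")}          # denied: not on the ACL
    for rname in ("ied_map", "op_timeline", "weather"):
        tm.request(ngo, rname)
    tm.request(mil, "piracy_feed")
    tm.produce(ngo, "op_timeline", "convoy_plan")                  # labelled GREEN
    out["suspended_yellow"] = tm.raise_threat("orangeland", Threat.YELLOW)
    tm.produce(ngo, "ied_map", "ied_update")                       # ied_map still allowed: YELLOW
    out["retry_timeline"] = tm.request(ngo, "op_timeline")         # denied while above threshold
    out["suspended_red"] = tm.raise_threat("orangeland", Threat.RED)
    out["still_active"] = sorted(rname for _, rname in tm.active)  # unprotected + other domain
    tm.produce(ngo, "weather", "rain_report")                      # labelled RED
    tm.produce(mil, "piracy_feed", "vessel_track")                 # other domain: still GREEN
    out["restored"] = tm.lower_threat("orangeland", Threat.BLUE)   # both records come back
    out["labels"] = {o: v["label"].name for o, v in tm.objects.items()}
    return out
```

Running `demo()` shows the continuity-of-service property: while Orange Land is at RED, the NGO keeps its access to the unprotected weather feed and the naval principal keeps its access in the unaffected Gulf of Aden domain; when the level drops to BLUE, the IED map (suspended at RED) and the operations timeline (suspended at YELLOW) are both restored in one rollback, and the object produced under YELLOW is relabelled BLUE.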
Build a Working Prototype
Test Against Scenarios
DoD Focus – Multi-national peacekeeping and humanitarian aid in a destabilized area
DHS Focus – Interagency counterterrorism information sharing across full spectrum
The model discussed is asymmetric
It is resource-centric, not user-centric
Principals with the same clearance requesting access to the same resource are treated equally.
Some of these principals may be contributing to the elevated threat level
The system should monitor the behavior of principals and access should be conditioned on good behavior.
Wide Applicability Across Federal & Civil Sectors
Model Based on Bell-LaPadula Foundations
Dynamic Trust Based on Threat Levels & Locality
Concept is Provable and Buildable – Validation Important
Bibliography: Mike Burmester, Prasanta Das, Martin Edwards and Alec Yasinsac. "Multi-Domain trust management in variable threat environments using rollback-access". MILCOM 2008, San Diego, November 17-19, 2008.
Mike Burmester, Breno de Medeiros and Alec Yasinsac. "Community-centric vanilla-rollback access, or: How I stopped worrying and learned to love my computer". Proc. 13th Int. Security Protocols Workshop, Cambridge, LNCS 4631, Springer, pp. 228-237, 2007.
Mike Burmester, Breno de Medeiros and Rossana Motta. "Provably Secure Grouping-proofs for RFID tags". CARDIS 2008.
Mike Burmester and Breno de Medeiros. "The Security of EPCGen2 Anonymous compliant RFID Protocols". ACNS 2008.
Mike Burmester, Breno de Medeiros and Rossana Motta. "Robust Anonymous RFID Authentication with Constant Key Lookup". ACM ASIACCS 2008.
Mike Burmester and Breno de Medeiros. "Towards provable security for route discovery protocols in mobile ad hoc networks". 2008.
Mike Burmester and Breno de Medeiros. "Persistent Security for RFID". Conference on RFID Security, RFIDSec07, 2007.
Mike Burmester and Breno de Medeiros. "RFID Security, Countermeasures and Challenges". 5th RFID Academic Convocation, The RFID Journal Conference, 2007.
Tri van Le, Mike Burmester and Breno de Medeiros. "Universally Composable and Forward Secure RFID Authentication and Key Exchange". ACM ASIACCS 2007.
Mike Burmester, Tri van Le and Breno de Medeiros. "Provably Secure Ubiquitous Systems: Universally Composable RFID Authentication Protocols". SecureComm 2006.
Mike Burmester, Tri van Le and Breno de Medeiros. "Towards provable security for ubiquitous applications". ACISP 2006.