In conventional access control systems, users request access to a resource, and access is granted if the resource's corresponding access control policy allows for access. The access control policy for the resource is stored and protected locally with the resource. In a distributed environment, this “closed” model has at least two major limitations. First, policy configuration cannot take place “remotely.” Rather, it is necessary to “connect” to the resource in order to configure the resource's control policy. Second, since control policies are localized, they tend to be very “static,” meaning that only principals that are known a priori can be granted authorization for the resource by the access control policy.
To address these problems, many approaches have been developed that allow for specifying policy in the form of declarative assertions secured by cryptographic means. Such assertions are sent from a remote source and then put together locally at the resource to determine whether they imply that access ought to be provided. These approaches are more flexible in expressing policy than the “closed” model in that the resource manager is able to evaluate the assertions and the degree to which it trusts the issuer of the assertions. For example, an access policy for a first resource R1 may state “Give read access to R1 to whoever John says is an employee.” To request access to R1, a first entity E1 may provide an assertion from John of the form “John says E1 is an employee.” In a more sophisticated scenario, E1 may provide an assertion from a second entity E2 of the form “E2 says E1 is an employee,” and another assertion from John of the form “John says E2 is authorized to make statements regarding who is an employee.”
A limitation associated with the existing “Issuer says Assertion” format described above is that such assertions are typically not directed towards any purpose; rather they are simply assumed to hold true for all contexts and usages. Thus, once an assertion has been issued, it is not possible for the issuer to control the use of the assertion. This lack of control may allow statements to be misused in order to allow some entities to gain access to resources that they are not authorized to use. For example, consider the scenario in which the legal drinking age for alcoholic beverages is 18 in Nevada, but the legal drinking age for alcoholic beverages is 21 in Utah. Suppose that an age verification service has determined that John Doe is 18 years old, and that the age verification service (“AVS”) issues an assertion intended for the Nevada State Police that “AVS says John Doe is of legal drinking age.” Now, suppose that John Doe wants to go drinking in Utah for the weekend, and that John Doe is somehow able to obtain access to the above assertion. In the existing “Issuer says Assertion” format, John Doe may be able to use the above assertion to show that he is of legal drinking age in Utah, even though he is only 18 years old. This is because, although the above assertion is intended only for the Nevada State Police (that enforce a legal drinking age of 18), there is no construct in the above assertion to show that the assertion is intended only for the Nevada State Police. Thus, for example, as long as the Utah State Police trust the age verification service, John Doe can provide the above assertion to the Utah State Police to gain access to alcohol in Utah.
In addition to allowing resources to be accessed by non-authorized entities, the existing “Issuer says Assertion” format is also disadvantageous because it may leave issuers of misused statements accountable even when their statements are provided to entities other than the entities for which the statements were originally intended. For example, in the above scenario, the Utah State Police may “blame” the age verification service for issuing the assertion that “John Doe is of legal drinking age.” This is because there was nothing in the statement to show that the statement was intended only for Nevada. Thus, the Utah State Police may have no way of knowing that the statement was not intended for Utah. If the age verification service is blamed for issuing the statement, then a number of unwanted consequences may occur. For example, the Utah State Police (and other similar entities) may choose to designate the age verification service as an entity that cannot be trusted.
To address these problems, some access control schemes associate a fixed lifetime to an assertion. The assertion is no longer valid after expiration of the lifetime. However, such provisions do not provide a guarantee of usage only as intended and can inhibit the issuer of the assertion from making such assertions, thereby precluding some scenarios that rely upon those assertions. Another approach is to maintain distribution information outside of policy by, for example, encrypting the policy to an intended recipient. However, these techniques have the potential of misuse if, for example, the intended recipient misuses the policy or if the encryption key is compromised. These techniques also do not remove the issuer of the statement from accountability towards the assertion. Yet another approach is to allow an issuer of the assertion to very specifically enumerate the usages of the assertion. However, such an enumeration can be tedious and error-prone and may also curb the flexibility that is useful in such systems.
Techniques for distributed knowledge access control are disclosed herein. These techniques may enable access control information to be provided in the form of a statement that includes an assertion and a construct that targets the assertion to one or more intended entities. By targeting the statement to intended entities, the construct may help protect resources from unauthorized use and may also help protect the issuer of the statement from accountability resulting from misuse of the statement.
Upon receiving access control information, a resource manager may examine the information to determine a known portion of the information. The known portion of the information may include either all of the information or less than all the information. The known portion of the information may include an assertion that is made by the resource manager itself or an assertion that is made by another entity and that is specifically targeted to the resource manager. The known portion of the information may also include information that logically follows from other known information. Upon identifying the known portion of the information, the resource manager may apply one or more trust policies to filter the known information into information that is known and trusted. The known and trusted information may then be incorporated into one or more applicable access control policies.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
The illustrative embodiments will be better understood after reading the following detailed description with reference to the appended drawings, in which:
The inventive subject matter is described with specificity to meet statutory requirements. However, the description itself is not intended to limit the scope of this patent. Rather, it is contemplated that the claimed subject matter might also be embodied in other ways, to include different steps or combinations of steps similar to the ones described in this document, in conjunction with other present or future technologies.
Connected devices 14a-n communicate with resource manager 10 via network 13. Network 13 may be a local area network (LAN) or a wide area network (WAN) such as the Internet. As should be appreciated, connected devices 14a-n need not necessarily have a direct connection to resource manager 10 and may communicate with resource manager 10 via one or more intermediate devices. Connected devices 14a-n may be used, for example, to request access to resources 12a-n managed by resource manager 10. Additionally, a user and/or software application working or executing locally at resource manager 10 may also request access to resources 12a-n managed by resource manager 10. When resource manager 10 receives a request to access one of its managed resources 12a-n, resource manager 10 may use one or more corresponding access control policies 11a-n to determine whether or not the requester is authorized to access the requested resource 12a-n.
Connected devices 14a-n may also be used to issue and submit access control information to resource manager 10. Additionally, a user and/or software application working or executing locally at resource manager 10 may also issue and submit access control information to resource manager 10. Some exemplary techniques that may be employed to issue access control information for submission to resource manager 10 are set forth in detail below with reference to
A flowchart representing an exemplary method of issuing targeted access control information is shown in
The acts described in
At act 210, the issuer generates an assertion. The assertion may be any declaration that is either directly or indirectly relevant to management of one or more resources. Specifically, an entity may generate an assertion granting one or more entities (including the issuer itself) authority over one or more resources. For example, a first entity E1 can generate an assertion granting a second entity E2 authority over a first resource R1. Such an assertion may be represented by the following notation:
E1 says (E2=>R1)
As another example, an assertion can provide credentials for an entity requesting access to a resource. For example, a control policy for a second resource R2 may state “Give read access to R2 to whoever E1 says is an employee.” In this case, E1 may generate an assertion that “E2 is an employee.” E2 can then present this assertion to the resource manager to gain access to R2.
As yet another example, an assertion can provide credentials for entities that make assertions about other entities. For example, suppose a third entity E3 is not recognized by the resource manager. Also suppose that E3 generates an assertion that “E2 is an employee.” In this case, E1 may generate an assertion that “E3 is authorized to make assertions regarding employees.” E2 can then present both E1's and E3's assertions to the resource manager to gain access to R2.
At act 212, one or more intended entities are identified to which the assertion generated at act 210 is targeted. The intended entities may be, for example, various resource managers or any other organization, authority, individual, group, service, application, device, feature, address, or other entity associated, either directly or indirectly, with any resource access control procedures. The intended entities may be identified using any identification technique such as, for example, a name, address (e.g., Internet Protocol (IP) address), identification number, port number, serial number, or any other identifier. The intended entities need not necessarily be individually identified and may be collectively identified. In particular, the intended entities may be identified using a collection such as a specified organization, network, geographic area, device, or address range. For example, the intended entities may be identified as all entities in the Microsoft Corp. local area network (LAN) or all entities in the state of Nevada. Additionally, if an assertion is not intended to be restricted to any particular entities, then the intended entities may be identified, for example, as “everyone” or “all entities.”
At act 214, a statement is generated that includes the assertion generated at act 210 (and possibly multiple assertions) and a construct that targets the assertion or assertions to the intended entity or entities. The construct may, for example, use the phrase “says to” to designate the intended entity. Thus the statement may assume the following form:
E1 says to RM1 (E2=>R1)
At act 216, the issuer sends access control information including the statement to the intended entity. In addition to the statement, the access control information may include any other information relevant to resource access control such as, for example, a proof of identity that the issuer is, in fact, who the issuer purports to be. The access control information may be sent either directly to the intended entity or indirectly via one or more intermediate entities. For example, E1 may first send the statement listed above “E1 says to RM1 (E2=>R1)” to E2. E2 may then present the statement to RM1 to gain access to R1.
A flowchart representing an exemplary method of evaluating access control information is shown in
At act 312, the resource manager identifies a known portion of the received access control information. The known portion may be either all of the information or less than all of the information. In some cases none of the information may be known. The known portion of the information is information that meets at least one of three criteria.
The first criterion is that an entity knows all information that is issued by the entity itself. For example, suppose resource manager RM1 generates a statement including an assertion granting entity E4 access over resource R3. This statement is represented by the notation “RM1 says E4=>R3” (note that this is not “targeted” access control information). In this case, even though the statement is not targeted to RM1, RM1 will nevertheless “know” the statement because the statement was issued by RM1.
The second criterion is that an entity knows all information that is issued by another entity and targeted to the entity. For example, suppose that E5 generates a statement including an assertion targeted to resource manager RM1 granting entity E2 access over resource R1. This statement is represented by the notation “E5 says to RM1 (E2=>R1).” In this case, even though RM1 did not issue the statement, RM1 will nevertheless “know” the statement because the statement was issued by another entity and targeted to RM1.
The third criterion is that an entity knows all information that follows from other known information. To illustrate this concept, suppose resource manager RM1 knows two assertions: A1 and A2. Also suppose that a third assertion A3 logically follows from assertions A1 and A2. In this case, RM1 will also know assertion A3 because it logically follows from assertions A1 and A2. For example, suppose an access control policy for a resource says “grant access only to people that were born in June.” Now suppose RM1 receives the following statements:
At act 314, the resource manager applies a trust policy to filter the known portion of the information into a known and trusted portion of information. Trust policies are well known tools in the art for determining whether or not various entities can be trusted. Trust policies can apply to individual entities or collectively to groups of entities. Obviously, the resource manager will likely trust itself, and, therefore, information issued by the resource manager itself will likely be trusted. However, other entities that issue information targeted for the resource manager may, in certain circumstances, not be recognized and/or trusted by the resource manager. For example, consider the statement issued by E7 in which “E7 says to RM1 (E2=>R1).” In this case, if E7 is a trusted entity, then the statement will constitute known and trusted information. However, if E7 is not a trusted entity, then the statement, although it is known, will not be trusted information. If a known statement is issued by a non-trusted entity, then the statement may simply be disregarded. Alternatively, the statement may be saved for possible future use if, for example, the status of the currently non-trusted entity is later changed, and the entity becomes a trusted entity.
If the trust policies applied by the resource manager do not include information for determining whether E7 is trusted or non-trusted, then E7 may be considered a non-recognized entity. In this case, if E7 is non-recognized, the statement may, for example, be set aside until such time as a determination can be made regarding whether E7 is trusted or not. The statement may also be disregarded.
At act 316, the known and trusted portion of the access control information is used to control access to one or more resources. Any number of existing techniques may be employed to determine to which (if any) resources the known and trusted portion of the access control information is applicable. If the known and trusted portion of the information is applicable to any existing resources, then the known and trusted portion of the information may be entered into one or more resource access control policies corresponding to the applicable existing resources. If the known and trusted portion of the information is not applicable to any existing resources or resource access control policies, then the known and trusted portion of the information may, for example, be stored in memory for possible future use. Alternatively, if the known and trusted portion of the information is not applicable to any existing resources or resource access control policies, then it may simply be disregarded.
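The following is an added illustration, not part of the patent text, that models both the issuing procedure (act 214, the “says to” construct) and the evaluation procedure (acts 312 through 316) described above. It assumes a simple string notation for assertions, a trust policy expressed as a mapping from entity name to a trusted/non-trusted flag, and inference rules of the form “premise assertions imply a conclusion”; all entity names and sample statements are constructed for the example, and the derived statement in criterion 3 records every issuer it rests on so that the trust filter can be applied to it afterwards.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

EVERYONE = "everyone"  # the page's name for an untargeted statement

@dataclass(frozen=True)
class Statement:
    """'issuers says to targets (assertion)'; issuers is a set so that a
    derived statement records every entity whose word it rests on."""
    issuers: FrozenSet[str]
    targets: FrozenSet[str]
    assertion: str

def says_to(issuer: str, target: str, assertion: str) -> Statement:
    """Act 214: wrap an assertion in the 'says to' construct."""
    return Statement(frozenset([issuer]), frozenset([target]), assertion)

def known_portion(rm: str, received: Set[Statement],
                  rules: Set[Tuple[FrozenSet[str], str]]) -> Set[Statement]:
    """Act 312: criterion 1 (issued by rm), criterion 2 (targeted to rm or to
    everyone), then criterion 3 (close the set under rules premises -> conclusion)."""
    known = {s for s in received
             if rm in s.issuers or EVERYONE in s.targets or rm in s.targets}
    changed = True
    while changed:
        changed = False
        have = {s.assertion: s for s in known}
        for premises, conclusion in rules:
            if conclusion not in have and premises <= set(have):
                issuers = frozenset().union(*(have[p].issuers for p in premises))
                known.add(Statement(issuers, frozenset([rm]), conclusion))
                changed = True
    return known

def trusted_portion(known: Set[Statement], policy: Dict[str, bool]) -> Set[Statement]:
    """Act 314: keep a statement only if every issuer it rests on is trusted;
    an issuer absent from the policy is non-recognized and is set aside."""
    return {s for s in known if all(policy.get(i) is True for i in s.issuers)}

def grants(rm: str, received: Set[Statement], rules, policy: Dict[str, bool],
           needed: str) -> bool:
    """Act 316: grant only if a known and trusted statement carries the
    assertion the resource's control policy requires."""
    trusted = trusted_portion(known_portion(rm, received, rules), policy)
    return any(s.assertion == needed for s in trusted)

# Constructed sample data mirroring the page's scenarios (hypothetical names).
AGE = "JohnDoe is of legal drinking age"
AVS_TO_NEVADA = says_to("AVS", "NevadaPolice", AGE)        # targeted at Nevada only
RM1_POLICY = says_to("RM1", EVERYONE, "born in June=>R4")  # criterion 1: RM1's own
E5_TO_RM1 = says_to("E5", "RM1", "E6 was born in June")    # criterion 2: aimed at RM1
E7_TO_RM1 = says_to("E7", "RM1", "E2=>R1")                 # known but from untrusted E7
RULES = {(frozenset(["born in June=>R4", "E6 was born in June"]), "E6=>R4")}
TRUST = {"NevadaPolice": True, "UtahPolice": True, "RM1": True,
         "AVS": True, "E5": True, "E7": False}

def demo() -> Dict[str, bool]:
    rm1_inbox = {RM1_POLICY, E5_TO_RM1, E7_TO_RM1}
    return {
        "nevada_accepts": grants("NevadaPolice", {AVS_TO_NEVADA}, set(), TRUST, AGE),
        "utah_accepts": grants("UtahPolice", {AVS_TO_NEVADA}, set(), TRUST, AGE),
        "e6_gets_r4": grants("RM1", rm1_inbox, RULES, TRUST, "E6=>R4"),  # criterion 3
        "e2_gets_r1": grants("RM1", rm1_inbox, RULES, TRUST, "E2=>R1"),  # E7 untrusted
    }
```

Note that Utah trusts AVS in the sample trust policy yet still rejects the statement, because the targeting construct keeps it out of Utah's known portion before trust is ever considered.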
With reference to
Computer 110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by computer 110 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media include both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CDROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computer 110. Communication media typically embody computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation,
The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only,
The drives and their associated computer storage media discussed above and illustrated in
The computer 110 may operate in a networked or distributed environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110, although only a memory storage device 181 has been illustrated in
When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170. When used in a WAN networking environment, the computer 110 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160, or other appropriate mechanism. In a networked environment, program modules depicted relative to the computer 110, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation,
Although the subject matter has been described in language specific to the structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features or acts described above are disclosed as example forms of implementing the claims.