
Authorization and Access Control: ABAC

The GENI Book

Abstract

GENI’s goal of wide-scale collaboration on infrastructure owned by independent and diverse stakeholders stresses current access control systems to the breaking point. Challenges not well addressed by current systems include, at minimum, support for distributed identity and policy management, correctness and auditability, and approachability. The Attribute Based Access Control (ABAC) system [1, 2] is an attribute-based authorization system that combines attributes using a simple reasoning system to provide authorization that (1) expresses delegation and other authorization models efficiently and scalably; (2) provides auditing information that includes both the decision and reasoning; and (3) supports multiple authentication frameworks as entry points into the attribute space. The GENI project has taken this powerful theoretical system and matured it into a form ready for practical use.
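The reasoning the abstract describes, as an added example that is not code from the chapter or from the libabac library it describes: a minimal forward-chaining evaluator for the four RT0 credential forms of Li, Mitchell and Winsborough [1] (simple member, simple containment, linking role, intersection) that returns both the decision and the credential chain justifying it. The principal and role names (AM, CH, USC, Alice, Mallory, ListResources, user, institution, operator, Admin) and the credentials are constructed for illustration; the credentials are plain in-memory records rather than the signed X.509 attribute certificates real ABAC exchanges, and the parameterized (RT2) roles that note 5 discusses are omitted.

```python
"""Minimal RT0-style reasoner: delegation via linking roles plus an audit chain.

Added example, not the chapter's or libabac's code. Credential forms follow
RT0 (Li, Mitchell, Winsborough): A.r <- D, A.r <- B.r1, A.r <- A.r1.r2,
A.r <- B1.r1 & B2.r2. No signatures, no parameterized roles.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Role:
    principal: str
    name: str

    def __str__(self) -> str:
        return f"{self.principal}.{self.name}"


@dataclass(frozen=True)
class Credential:
    """One statement by head.principal about the membership of role head."""
    head: Role
    kind: str      # "member" | "contains" | "linked" | "intersect"
    args: tuple

    def __str__(self) -> str:
        if self.kind == "member":
            rhs = self.args[0]
        elif self.kind == "contains":
            rhs = str(self.args[0])
        elif self.kind == "linked":
            rhs = f"{self.args[0]}.{self.args[1]}"
        else:
            rhs = f"{self.args[0]} & {self.args[1]}"
        return f"{self.head} <- {rhs}"


def member(head, p): return Credential(head, "member", (p,))
def contains(head, r): return Credential(head, "contains", (r,))
def linked(head, r1, name): return Credential(head, "linked", (r1, name))
def intersect(head, r1, r2): return Credential(head, "intersect", (r1, r2))


Proof = Tuple[Credential, ...]


def compute_members(creds: List[Credential]) -> Dict[Role, Dict[str, Proof]]:
    """Forward-chain to a fixpoint: for every role, its members and, for each
    member, the credentials that justify it (the first proof found is kept)."""
    members: Dict[Role, Dict[str, Proof]] = defaultdict(dict)

    def add(role: Role, p: str, proof: Proof) -> bool:
        if p in members[role]:
            return False
        members[role][p] = proof
        return True

    changed = True
    while changed:
        changed = False
        for c in creds:
            if c.kind == "member":                       # A.r <- D
                changed |= add(c.head, c.args[0], (c,))
            elif c.kind == "contains":                   # A.r <- B.r1
                for p, pf in list(members[c.args[0]].items()):
                    changed |= add(c.head, p, (c,) + pf)
            elif c.kind == "linked":                     # A.r <- A.r1.r2
                r1, name = c.args
                for b, pf_b in list(members[r1].items()):
                    for p, pf_p in list(members[Role(b, name)].items()):
                        changed |= add(c.head, p, (c,) + pf_b + pf_p)
            elif c.kind == "intersect":                  # A.r <- B1.r1 & B2.r2
                r1, r2 = c.args
                for p, pf1 in list(members[r1].items()):
                    if p in members[r2]:
                        changed |= add(c.head, p, (c,) + pf1 + members[r2][p])
    return members


def authorize(creds: List[Credential], role: Role, principal: str):
    """Decision plus the reasoning chain, as an auditable answer."""
    proof = compute_members(creds)[role].get(principal)
    if proof is None:
        return False, []
    return True, [str(c) for c in proof]


# Constructed credentials (hypothetical names): an aggregate manager AM trusts
# the clearinghouse CH's users; CH delegates "user" to the "member" role of any
# institution it recognises; USC is one such institution.
AM, CH, USC = "AM", "CH", "USC"
CREDS = [
    contains(Role(AM, "ListResources"), Role(CH, "user")),
    linked(Role(CH, "user"), Role(CH, "institution"), "member"),
    member(Role(CH, "institution"), USC),
    member(Role(USC, "member"), "Alice"),
    intersect(Role(AM, "Admin"), Role(AM, "ListResources"), Role(CH, "operator")),
    member(Role(CH, "operator"), "Alice"),
    member(Role(CH, "operator"), "Mallory"),   # operator, but in no institution
]

if __name__ == "__main__":
    for who in ("Alice", "Mallory"):
        for role in (Role(AM, "ListResources"), Role(AM, "Admin")):
            ok, chain = authorize(CREDS, role, who)
            print(f"{who} in {role}: {ok}")
            for step in chain:
                print("   ", step)
```

Running the script prints, for each principal and role, the decision and the chain of credentials behind it. The linking-role credential CH.user <- CH.institution.member is what lets the clearinghouse delegate membership decisions to institutions without enumerating their users, and the returned chain is the kind of auditing record the abstract's point (2) refers to; Mallory is refused AM.Admin because the intersection requires membership through an institution as well as the operator role.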


Notes

  1. Strictly speaking, identity-based systems are a subset of attribute-based systems, because “identity” can be viewed as an attribute.

  2. In this chapter, use of the capitalized ABAC acronym always refers to the specific ABAC system, rather than attribute-based access control systems generally.

  3. Later renamed McAfee Research. Subsequently, this research lab was acquired by SPARTA, Inc. and operated as the Security Research Division of SPARTA.

  4. A misbehaving principal can undermine these properties, e.g., by sharing a private key. ABAC assumes good behavior of principals.

  5. The typing is implicit. AM1.ListResources and AM2.ListResources must have direct assignments made so that the system can determine their parameter types, and those types must be consistent. This is a place where the theoretical nature of the ABAC papers is abundantly clear. In our implementation of RT2 we added syntax to declare types of parameters and perform explicit type checking.

  6. For example, there is syntax for referring to the principal being evaluated when looking at a parameterized linking role. This is useful, but well beyond the scope of this document. The interested reader is referred to [1], Sections 3.1 and 3.3.

  7. In the TIED ABAC RT2 library, we use distinct notation for o-set rules and attribute rules, to ensure that each is represented by a unique type.

  8. Alternatively, a public key fingerprint can be used as the identity, if the benefits of the smaller identifier outweigh the increased collision probability.

  9. There may be other reasons to make the server a principal; mutual authentication is rarely a mistake.

  10. These are objects in the software engineering sense, containing and providing both executable methods and data.

  11. In some sense this is extraneous code, as any X.509 toolkit can create an identity certificate and key files, but we have found the unified interface to be helpful.

References

  1. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management system. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 2002)

  2. Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management (extended abstract). In: Proceedings of the Eighth ACM Conference on Computer and Communications Security (CCS-8), pp. 156–165 (November 2001)

  3. Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP Message Format. RFC 4880 (November 2007)

  4. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  5. Huang, S.S., Green, T.J., Loo, B.T.: Datalog and emerging applications: an interactive tutorial. In: Proceedings of the 2011 ACM SIGMOD International Conference on Management of Data (SIGMOD '11), pp. 1213–1216. New York, NY, USA (June 2011)

  6. Internet2, InCommon: InCommon Basics and Participating in InCommon. http://www.incommon.org/docs/guides/InCommon_Resources.pdf. Retrieved Aug 2014

  7. TIED Team: GENI-Compatible ABAC Credentials. http://groups.geni.net/geni/wiki/TIEDCredentials. Retrieved Aug 2014

  8. ProtoGENI Team: Privileges in the Reference Implementation. http://www.protogeni.net/ProtoGeni/wiki/ReferenceImplementationPrivileges. Retrieved Aug 2014

  9. Benzel, T.: The science of cyber-security experimentation: the DETER project. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC) '11, Orlando, FL (December 2011)

  10. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (May 2008)

  11. Yee, P.: Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 6818 (January 2013)

  12. Shibboleth Consortium: Shibboleth 3—A New Identity Platform. https://shibboleth.net/consortium/documents.html. Retrieved Aug 2014

  13. Kohl, J., Neuman, C.: The Kerberos Network Authentication Service (V5). RFC 1510 (September 1993)

  14. TIED Team: Libabac Software Distribution. http://abac.deterlab.net. Retrieved Aug 2014

  15. The DETER Team: The DETER Federation Architecture. http://fedd.deterlab.net/wiki/FeddAbout. Retrieved Aug 2014

  16. TIED Team: GENI ABAC Credentials. http://groups.geni.net/geni/wiki/TIEDABACCredential. Retrieved Aug 2014

  17. GENI Program Office: Clearinghouse. http://groups.geni.net/geni/wiki/GeniClearinghouse. Retrieved Aug 2014

  18. GENI Program Office: GENI Credentials. http://groups.geni.net/geni/wiki/GeniApiCredentials. Retrieved Aug 2014

  19. Bartel, M., Boyer, J., Fox, B., LaMacchia, B., Simon, E.: XML Signature Syntax and Processing, 2nd edn. W3C Recommendation. http://www.w3.org/TR/xmldsig-core/ (June 2008)

Author information

Correspondence to Stephen Schwab.

Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Faber, T., Schwab, S., Wroclawski, J. (2016). Authorization and Access Control: ABAC. In: McGeer, R., Berman, M., Elliott, C., Ricci, R. (eds) The GENI Book. Springer, Cham. https://doi.org/10.1007/978-3-319-33769-2_10

  • DOI: https://doi.org/10.1007/978-3-319-33769-2_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-33767-8

  • Online ISBN: 978-3-319-33769-2