Integrating Hierarchical RBAC with Efficient Key Management into a Distributed File System

1
Integrating Hierarchical RBAC with EfficientKey
Management into a Distributed File System

• Michael Huffman
• Bryon Gloden
• Mayank Gupta

2
Motivation

• A working model where multiple users can access
  company data based on their current role within
  the company and where communication is done
  securely.
• A real-world example is where companies must
  protect their information from unauthorized
  access.

3
Related Work

• Brewer F. Mash M. (1989). The Chinese Wall
  Security Policy. IEEE Security and Privacy.
• Frikken k., Atallah M., Bykova M. (2004).
  Hash-Based Access Control in an arbitrary
  hierarchy. CERIAS Tech Report 2004-49.
• Gloden B. Huffman M. (2005). Secure Group
  Communication. CS 555 project.
• Sandhu R., Coyne E., Fienstein H., Youman C.
  (1996). Role-based Access Control models. IEEE
  computer.

4
Overview of Our Approach

• We have integrated a client-server application
  with a hierarchical role-based access control
  system.
• The clients use a client application to
  authenticate and interact with a remote server or
  file system. Depending on the users role, they
  are allowed execute primitive remote procedures.
• All of the communication between the server and
  the client systems is encrypted using AES with a
  random 128-bit individual session key (ISK).

5
Secure Group Communication

• Each time a client connects to the server, the
  client will need to encrypt a data packet asking
  to join the system using a symmetric encryption
  authentication key (AK).
• Once the client has been successfully
  authenticated to the server, the server will send
  back an individual session key (ISK) that will be
  only shared between this client and the server.
  All communication done between this client and
  the server will utilize this key.
• These ISKs are generated on a per-user,
  per-session basis.

6
Hierarchical RBAC

• Our implementation only supports three roles (VP,
  Manager and Engineer) but other roles can be
  added to the system.
• The role VP has the maximum number of privileges
  and the role Engineer has the minimum number of
  privileges.
• The following functions are implemented create
  a file, create a directory, copy a file, delete a
  file, delete a directory

7
Efficient Key Management for Hierarchical RBAC
Where i is the dominate role, j is the
subordinate role, Hash is the same MD5 hash
function used to generate L and K, and p is the
size of the key (128 bits in our case).
8
Implementation - Client
9
Implementation - Server
10
Conclusion and Future Work

• We have successfully shown by our experiments
  that efficient key management can be implemented
  in a hierarchical RBAC system.
• We have also successfully integrated RBAC with
  the secure group communication.
• History-based access control