Secure Role Based IM using ENforCE
Kelly Whitacre, Kunal Bele, and Mike Gerschefske

Outline
- Secure Role Based IM
- The ENforCE System
- Role Based Hierarchy
- What ENforCE Provides
- Server Algorithm
- (Two) One Way Communication Request(s)
- Conceptual Design
- Clients
- Progress
- Questions??

Slide 2: Secure Role Based IM
- Create an IM to cut down on excess chatting
- Restrict users to chat only with people with similar roles within a department
- Provide a mechanism to allow users to request chat outside their specific role
- Leverage ENforCE

Slide 3: The ENforCE System
(Architecture figure; only its labels survive.)
Components: Policy Enforcement Point (Global.asax, ASP.NET Application); FC4 machine (Firewall) running the Iptables Control Service; IIS Authentication; ISAPI; Protected web resources; Session policy source (PSPPS); Domain Controller with Active Directory; Protected Network resources; Policy Decision Point.
Labelled flows, path A (web resources) and path B (network resources):
- A1/B1) User Request
- A2) Http request
- B2) Http request
- A3/B3) Get User's ACR
- A4/B4) GetDecision
- A5) XML response
- B6) Open or Close service commands
- B7) XML response
- B8) Network-resource Access

Slide 4: Role Based Hierarchy
(Figure of the role hierarchy; no text survives.)

Slide 5: What ENforCE Provides
- Ability to determine if a user has access to a resource, i.e. user changed jobs, or was fired
- Users' management chains
- Yet, our Policy Enforcement is in our Server rather than ENforCE

Slide 6: Server Algorithm
- Check if user 1 can communicate with user 2 via XACML request to ENforCE
- If not, ENforCE determines the highest manager of user 1 required to get authorization to user 2
- Send request to that manager and wait for acceptance
- If authorized, allow user 1 to send data to user 2 for some period of time
- Obtain Public Key of Receiver by AD of ENforCE for Client of Sender
- Note: One way communication. Message sent to manager requiring token to be sent back to acknowledge acceptance

Slide 7: (Two) One Way Communication Request(s)
(Sequence figure; no text survives.)

Slide 8: Conceptual Design
(Figure with these elements: ENforCE Server, Bob, Alice, Bob's Boss, Alice's Boss, AD, XACML, IIS.)

Slide 9: Clients
- Very Simple
- Send messages containing: Message, To
- Buddy List / Active Directory Browsing could be added
- Clients encrypt via destination's public key
- Could look into asymmetric crypto

Slide 10: Progress
- Extracted IIS and DC of ENforCE
- Recreated FW
- Problems with Windows Activation
- Problems with VMware Converter removing hardware
- Problems with physical Unix
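The "Server Algorithm" and "Clients" slides describe a procedure: ask the policy point whether user 1 may talk to user 2, otherwise find the approving manager, hand that manager a token, open a one-way, time-limited channel only when the token comes back, and give the sender's client the receiver's public key. The following is an added example that models that procedure in Python; it is not the project's code. The in-memory DIRECTORY, the Permit/Deny rule standing in for the XACML request to ENforCE, the choice of the lowest common manager as the required approver, and the token format are all assumptions made for illustration.

```python
# Added example (not the project's code): a model of the server algorithm from the
# "Server Algorithm" slide. The directory, policy rule, approver choice and token
# format are assumptions; everything runs offline with the standard library only.
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed directory standing in for Active Directory / ENforCE's user data.
# "manager" is None at the top of a management chain; keys are placeholder strings.
DIRECTORY = {
    "alice":      {"dept": "eng",   "role": "dev",     "manager": "alice_boss", "pubkey": "PUBKEY-ALICE"},
    "carol":      {"dept": "eng",   "role": "dev",     "manager": "alice_boss", "pubkey": "PUBKEY-CAROL"},
    "bob":        {"dept": "sales", "role": "rep",     "manager": "bob_boss",   "pubkey": "PUBKEY-BOB"},
    "alice_boss": {"dept": "eng",   "role": "manager", "manager": "ceo",        "pubkey": "PUBKEY-ALICE-BOSS"},
    "bob_boss":   {"dept": "sales", "role": "manager", "manager": "ceo",        "pubkey": "PUBKEY-BOB-BOSS"},
    "ceo":        {"dept": "exec",  "role": "ceo",     "manager": None,         "pubkey": "PUBKEY-CEO"},
}


def management_chain(user: str) -> list:
    """The user's management chain, nearest manager first (ENforCE exposes this)."""
    chain, cur = [], DIRECTORY[user]["manager"]
    while cur is not None:
        chain.append(cur)
        cur = DIRECTORY[cur]["manager"]
    return chain


def policy_decision(sender: str, receiver: str) -> str:
    """Stand-in for the XACML request to ENforCE (assumed rule): Permit when both
    users share a department and role, Deny otherwise."""
    s, r = DIRECTORY[sender], DIRECTORY[receiver]
    return "Permit" if (s["dept"], s["role"]) == (r["dept"], r["role"]) else "Deny"


def required_approver(sender: str, receiver: str) -> str:
    """Assumed reading of 'highest manager of user 1 required': the first manager in
    the sender's chain who is also above the receiver; else the top of the sender's chain."""
    s_chain, r_chain = management_chain(sender), set(management_chain(receiver))
    for m in s_chain:
        if m in r_chain:
            return m
    return s_chain[-1]


@dataclass
class ChatServer:
    window_seconds: int = 600                    # "some period of time"
    clock: Callable[[], float] = time.time       # injectable for testing expiry
    pending: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)   # token -> (sender, receiver, manager)
    sessions: Dict[Tuple[str, str], float] = field(default_factory=dict)     # (sender, receiver) -> expiry

    def request_chat(self, sender: str, receiver: str) -> dict:
        """Steps 1-3: ask the policy point; if denied, issue a single-use token to the approver."""
        if policy_decision(sender, receiver) == "Permit":
            self._open(sender, receiver)
            return {"status": "allowed"}
        manager = required_approver(sender, receiver)
        token = secrets.token_urlsafe(16)        # unguessable, stored server-side, used once
        self.pending[token] = (sender, receiver, manager)
        return {"status": "pending", "manager": manager, "token": token}

    def manager_acknowledge(self, manager: str, token: str) -> bool:
        """Step 3/4: only the addressed manager returning the exact token opens the channel."""
        entry = self.pending.get(token)
        if entry is None or entry[2] != manager:
            return False
        sender, receiver, _ = self.pending.pop(token)
        self._open(sender, receiver)
        return True

    def _open(self, sender: str, receiver: str) -> None:
        # One-way: keyed on (sender, receiver); the reverse direction needs its own request.
        self.sessions[(sender, receiver)] = self.clock() + self.window_seconds

    def send(self, sender: str, receiver: str) -> Optional[str]:
        """Step 4/5: inside the window, return the receiver's public key so the sender's
        client can encrypt to it; outside it (or with no session), refuse with None."""
        expiry = self.sessions.get((sender, receiver))
        if expiry is None or self.clock() > expiry:
            self.sessions.pop((sender, receiver), None)
            return None
        return DIRECTORY[receiver]["pubkey"]


if __name__ == "__main__":
    srv = ChatServer()
    print(srv.request_chat("alice", "carol"))    # same dept/role: allowed directly
    pend = srv.request_chat("alice", "bob")       # cross-department: pending on "ceo"
    print(pend["status"], pend["manager"])
    print(srv.manager_acknowledge(pend["manager"], pend["token"]), srv.send("alice", "bob"))
```

The session table is keyed on the ordered pair, so an approval for Alice to Bob says nothing about Bob to Alice, which is the one-way property the slides call out; the token is single-use and bound to the named manager, so a replayed or forwarded token does not open a second window.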