Multilevel security

Subjects (or roles) act on different security levels.

  • Levels are disjoint: a subject or object sits at exactly one level.

  • Levels have some partial order.

    • Hierarchy.

    • Lattice.

Levels are used as attributes of subjects and objects.

  • Subjects: security level clearance.

  • Objects: security classification.

Information flows and security levels.

  • Same security level → authorized.

  • Different security levels → controlled.

    • Authorized or denied on a “need to know” basis.

Levels

Military / Intelligence organizations

Typical levels.

  • Top secret.

  • Secret.

  • Confidential.

  • Restricted.

  • Unclassified.

Portugal (NTE01, NTE04).

  • Muito Secreto.

  • Secreto.

  • Confidencial.

  • Reservado.

EU example.

  • EU TOP SECRET.

  • EU SECRET.

  • EU CONFIDENTIAL.

  • EU RESTRICTED.

  • EU COUNCIL / COMMISSION.

NATO example.

  • COSMIC TOP SECRET (CTS).

  • NATO SECRET (NS).

  • NATO CONFIDENTIAL (NC).

  • NATO RESTRICTED (NR).

Civil organizations

Typical levels.

  • Restricted.

  • Proprietary.

  • Sensitive.

  • Public.

Security categories (or compartments)

Self-contained information environments.

  • May span several security levels.

Military environments.

  • Military branches, military units.

Civil environments.

  • Departments, organizational units.

An object can belong to different compartments and have a different security classification in each of them.

Labels

  • Label = Category + Level

  • Relative order between labels.

    • $Lb_1 \le Lb_2 \implies C_1 \subseteq C_2 \wedge Lv_1 \le Lv_2$

  • Labels form a lattice.

Bell-La Padula MLS Model

Access control policy for controlling information flows.

  • Addresses data confidentiality and access to classified information.

  • Addresses disclosure of classified information.

    • Object access control is not enough.

    • One needs to restrict the flow of information from a source to authorized destinations.

Uses a state-transition model.

  • In each state, there are subjects, objects, an access matrix and the current access information.

  • State transition rules.

  • Security levels and clearances.

    • Objects have security labels.

    • Subjects have security clearances.

    • Both refer to security levels (e.g. CONFIDENTIAL).

Secure state-transition model

Simple security condition (no read-up).

  • S can read O iff L(S) \ge L(O)

*-property (no write-down).

  • S can write O iff L(S) \le L(O)

  • aka confinement property.

Discretionary Security Property.

  • Access must additionally be permitted by the discretionary access matrix (DAC).

Strong Star Property

  • S can read O iff L(S) = L(O)

Tranquility Principle

  • Strong tranquility: S/O levels are static for the entire S/O lifetime.

  • Weak tranquility: S/O levels may change, as long as the change does not violate the security policy of the system.

Trusted Subjects

  • Exempt from the *-property: S can write to lower levels.

Biba Integrity Model

Access control policy for controlling information flows.

  • To enforce data integrity control.

  • Uses integrity levels, not security levels.

  • Subjects cannot corrupt objects at higher levels.

Similar to Bell-La Padula, with inverse rules.

  • Simple Integrity Property (no read down).

    • S can read O iff I(S) \le I(O)

  • Integrity *-Property (no write-up).

    • S can write O iff I(S) \ge I(O)

Invocation Property.

  • S cannot request higher access: S may invoke another subject S' only if I(S) \ge I(S').
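An added worked example (not part of the original slides) that encodes the label lattice from the Labels section and the Bell-La Padula and Biba rules above. It assumes the typical military level names, constructed categories "NAVY"/"ARMY", and reuses the same Label type as an integrity label for the Biba checks.

```python
# Added example: label lattice (category + level) with BLP and Biba checks.
from dataclasses import dataclass
from typing import FrozenSet

# Assumed level ordering, taken from the "typical levels" list on the slides.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2,
          "SECRET": 3, "TOP SECRET": 4}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lb1 <= Lb2 iff C1 is a subset of C2 and Lv1 <= Lv2 (self is Lb2).
        return (LEVELS[other.level] <= LEVELS[self.level]
                and other.categories <= self.categories)


def join(a: Label, b: Label) -> Label:
    # Least upper bound: labels form a lattice, so every pair has one.
    return Label(max(a.level, b.level, key=LEVELS.get), a.categories | b.categories)


def blp_can_read(subject: Label, obj: Label) -> bool:
    # Simple security condition (no read-up): L(S) >= L(O).
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    # *-property (no write-down): L(S) <= L(O).
    return obj.dominates(subject)


def blp_strong_star_can_write(subject: Label, obj: Label) -> bool:
    # Strong star property: L(S) = L(O).
    return subject == obj


def biba_can_read(subject: Label, obj: Label) -> bool:
    # Simple integrity property (no read-down): I(S) <= I(O).
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    # Integrity *-property (no write-up): I(S) >= I(O).
    return subject.dominates(obj)
```

Labels with incomparable categories (e.g. SECRET/NAVY versus SECRET/ARMY) are neither readable nor writable under either model, which is the "need to know" control in action.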
