This paper presents a Secure Role-Based Instant Messaging (IM) system using ENforCE, designed to minimize excessive chatting by restricting users to communicate only with peers in similar roles within their department. It introduces a request mechanism for users seeking to chat outside specified roles. Leveraging ASP.NET and IIS authentication, the system enforces access control through a robust policy decision and enforcement framework. Additionally, it outlines methods for validating user permissions, managing communications, and ensuring secure message exchange within organizations.
Secure Role Based IM using ENforCE
Kelly Whitacre, Kunal Bele, and Mike Gerschefske
Secure Role Based IM
• Create an IM to cut down on excess chatting
• Restrict users to chat only with people with similar roles within their department
• Provide a mechanism to allow users to request chat outside their specific role
• Leverage ENforCE
The ENforCE System (architecture diagram; component and flow labels recovered from the figure)
Components: ASP.NET Application (Global.asax, IIS Authentication, protected web resources, ISAPI), RPS, Policy Decision Point, Policy Enforcement Point, PPS, session policy source, Domain Controller with Active Directory, FC4 machine (firewall) running the Iptables Control Service, protected network resources.
Flows as labelled: A1/B1 user request; A2/B2 HTTP request from ISAPI to RPS; A3/B3 get user's AC from Active Directory; A4/B4 get decision from the Policy Decision Point using the session policy source; A5 XML response; B6 open or close service commands to the Iptables Control Service; B7 XML response; B8 network-resource access.
What ENforCE Provides
• Ability to determine if a user has access to a resource
  • i.e. user changed jobs, or was fired
• Users' management chains
• Yet, our policy enforcement is in our server rather than in ENforCE
Server Algorithm
• Check if user 1 can communicate with user 2 via an XACML request to ENforCE
• If not, ENforCE determines the highest manager of user 1 required to authorize communication with user 2
• Send a request to that manager and wait for acceptance
• If authorized, allow user 1 to send data to user 2 for some period of time
• Obtain the receiver's public key from ENforCE's Active Directory for the sender's client
• Note:
  • One-way communication
  • The message sent to the manager carries a token that must be sent back to acknowledge acceptance
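The server algorithm above, as an added Python sketch that is not the project's code: a constructed directory stands in for ENforCE's Active Directory lookups and a same-department, same-role rule stands in for the XACML decision (both assumptions). It shows the manager lookup, the token round trip, the one-way time-limited grant and the case where no common manager exists; public-key retrieval is left out.

```python
import secrets
# Constructed sample directory standing in for the Active Directory lookups
# ENforCE performs: user -> (department, role, manager). Not the project's data.
DIRECTORY = {"ceo": ("exec", "executive", None), "mgr_a": ("sales", "manager", "ceo"),
             "mgr_b": ("eng", "manager", "ceo"), "alice": ("sales", "rep", "mgr_a"),
             "carol": ("sales", "rep", "mgr_a"), "bob": ("eng", "developer", "mgr_b")}
GRANT_TTL = 600  # seconds an approved out-of-role conversation stays open (assumed)

def management_chain(user):
    """Managers of `user`, nearest first (the chain ENforCE exposes)."""
    chain, manager = [], DIRECTORY[user][2]
    while manager is not None:
        chain.append(manager)
        manager = DIRECTORY[manager][2]
    return chain

def same_role(sender, receiver):
    # Stand-in for the XACML decision: same department and same role (assumed policy).
    return DIRECTORY[sender][:2] == DIRECTORY[receiver][:2]

def approving_manager(sender, receiver):
    # Nearest manager of the sender who also manages the receiver (assumed rule).
    receiver_chain = set(management_chain(receiver))
    return next((m for m in management_chain(sender) if m in receiver_chain), None)

class IMServer:
    def __init__(self):
        self.pending = {}  # token -> (sender, receiver, manager awaiting the token)
        self.grants = {}   # (sender, receiver) -> expiry; one-way, so order matters

    def authorize(self, sender, receiver, now):
        """Return (status, manager, token) with status 'allow', 'pending' or 'deny'."""
        if same_role(sender, receiver) or self.grants.get((sender, receiver), 0) > now:
            return ("allow", None, None)
        manager = approving_manager(sender, receiver)
        if manager is None:
            return ("deny", None, None)
        token = secrets.token_urlsafe(16)  # goes to the manager, must come back
        self.pending[token] = (sender, receiver, manager)
        return ("pending", manager, token)

    def acknowledge(self, token, manager, now):
        """Manager returns the token; only the addressed manager can accept it."""
        entry = self.pending.get(token)
        if entry is None or entry[2] != manager:
            return False
        del self.pending[token]
        self.grants[entry[:2]] = now + GRANT_TTL
        return True
```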
Conceptual Design (diagram showing Alice, Bob, Alice's Boss, Bob's Boss, the Server, IIS, and ENforCE with AD, with XACML between the Server and ENforCE)
Clients
• Very simple
• Send messages containing
  • Message
  • To
• Buddy list / Active Directory browsing could be added
• Clients encrypt via the destination's public key
• Could look into asymmetric crypto
Progress
• Extracted IIS and DC of ENforCE
• Recreated FW
• Problems with Windows activation
• Problems with VMware Converter removing hardware
• Problems with physical Unix machine