
Computer Security and Cryptography
Reading Group
September 2003 List

Date & Location
Reading
10 Sept. 2003
5331 CS
2:30 - 3:30 PM
Paper # 1

David Ferraiolo, Richard Kuhn
National Institute of Standards and Technology

Role-Based Access Control
15th NIST National Security Conference (NIST-NCSC 1992)

URL: http://citeseer.nj.nec.com/ferraiolo92rolebased.html

While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that reliance on DAC as the principal method of access control is unfounded and inappropriate for many commercial and civilian government organizations. The paper describes a type of non-discretionary access control - role-based access control (RBAC) - that is more central to the secure processing needs of non-military systems than DAC.


Paper # 2

John Barkley
National Institute of Standards and Technology

Comparing Simple Role Based Access Control Models and Access Control Lists

URL: http://citeseer.nj.nec.com/barkley97comparing.html

The RBAC metaphor is powerful in its ability to express access control policy in terms of the way in which administrators view organizations. The functionality of simple Role Based Access Control (RBAC) models is compared to access control lists (ACL). A very simple RBAC model is shown to be no different from a group ACL mechanism from the point of view of its ability to express access control policy. RBAC is often distinguished from ACLs by the inclusion of a feature which allows a session to be associated with a proper subset of the roles (i.e., groups in ACL terms) authorized for a user. Two possible semantics for this feature are described: one which requires a similar amount of processing as that required by ACLs, and another which requires significantly more processing than that required by ACLs. In addition, the capability to define role hierarchies is compared to an equivalent feature in ACLs.

17 Sept. 2003
5331 CS
2:30 - 3:30 PM
Paper # 1

Chris Lesniewski-Laas and M. Frans Kaashoek
MIT

SSL Splitting: Securely Serving Data from Untrusted Caches
12th USENIX Security Symposium (Security'03), pp. 187-200, Washington DC, August 4-8, 2003

URL: http://www.cs.wisc.edu/~lpkruger/lesniewski.pdf

A popular technique for reducing the bandwidth load on Web servers is to serve the content from proxies. Typically these hosts are trusted by the clients and server not to modify the data that they proxy. SSL splitting is a new technique for guaranteeing the integrity of data served from proxies without requiring changes to Web clients. Instead of relaying an insecure HTTP connection, an SSL splitting proxy simulates a normal Secure Sockets Layer (SSL) connection with the client by merging authentication records from the server with data records from a cache. This technique reduces the bandwidth load on the server, while allowing an unmodified Web browser to verify that the data served from proxies is endorsed by the originating server.

SSL splitting is implemented as a patch to the industry-standard OpenSSL library, with which the server is linked. In experiments replaying two-hour access.log traces taken from LCS Web sites over an ADSL link, SSL splitting reduces bandwidth consumption of the server by between 25% and 90% depending on the warmth of the cache and the redundancy of the trace. Uncached requests forwarded through the proxy exhibit latencies within approximately 5% of those of an unmodified SSL server.


Paper # 2

B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux
EPFL LASEC / UBS / EPFL LASEC / EPFL SSC & Ilion

Password interception in a TLS/SSL channel
Advances in Cryptology - Crypto 2003, 17-21 Aug 2003, Santa Barbara (CA), USA

URL: http://lasecwww.epfl.ch/pub/lasec/doc/CHVV03.ps

Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt'02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possible against SSL/TLS due both to the unavailability of the side channel (errors are encrypted) and premature abortion of the session in case of errors. In this paper we extend the attack and optimize it. We show it is actually applicable against the latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception. We demonstrate that a password for an IMAP account can be intercepted when the attacker is not too far from the server in less than an hour in a typical setting. We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.

24 Sept. 2003
5331 CS
2:30 - 3:30 PM
Paper # 1

B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux
EPFL LASEC / UBS / EPFL LASEC / EPFL SSC & Ilion

Password interception in a TLS/SSL channel
Advances in Cryptology - Crypto 2003, 17-21 Aug 2003, Santa Barbara (CA), USA

URL: http://lasecwww.epfl.ch/pub/lasec/doc/CHVV03.ps

Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt'02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possible against SSL/TLS due both to the unavailability of the side channel (errors are encrypted) and premature abortion of the session in case of errors. In this paper we extend the attack and optimize it. We show it is actually applicable against the latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception. We demonstrate that a password for an IMAP account can be intercepted when the attacker is not too far from the server in less than an hour in a typical setting. We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.


Paper # 2

S. Vaudenay
EPFL LASEC

Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS...
Advances in Cryptology - Eurocrypt 2002, 28 April - 2 May 2002, Amsterdam, Netherlands

URL: http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps

In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked out from communication protocols because the receiver usually sends an error message when the format is not valid. This is a side channel.

In this paper we show that the validity of the format of the decryption is actually a hard core bit predicate. We demonstrate this by implementing an efficient and practical side channel attack which enables the decryption of any ciphertext. The attack complexity is O(NbW) where N is the message length in blocks, b is the block length in words, and W is the number of possible words (typically 256). We also discuss extensions to other padding schemes and various ways to fix the problem.



Computer Sciences Department, University of Wisconsin - Madison