home · mobile · calendar · colloquia · 2002-2003 · 

Colloquium - Sicker

Role Based Authorization in Distributed Real-time Communication
Department of Interdisciplinary Telecommunications

A role-based security policy allows authorization decisions to be based on a role that the user asserts rather than on identity. Role-based authorization can be implemented through an approach that conveys user information in the form of attributes associated with that user. Relying on attributes provides a number of advantages, including simplifying access control, providing a means for more granular (and subsequently more flexible) authorization decisions, and providing a measure of privacy. While role-based authorization has been investigated in the intra-domain space, it is only recently that it has been considered for inter-domain communication.

An approach to providing role-based authorization capabilities between domains could be based on the use of the Session Initiation Protocol (SIP). SIP is an application layer protocol that allows endpoints to locate other endpoints and invite them to participate in a session. SIP presently defines various methods for performing authentication (and to a limited extent authorization). However, these methods are generally identity based. In order to facilitate inter-domain role-based authorization, several new SIP-based mechanisms must be defined. This approach would require asserting user attributes between domains in a secure manner. Security Assertion Markup Language (SAML) provides a format for describing these assertions. These user attributes are coded into SAML assertions that are then transported between the SIP entities.

In this talk, I will begin by providing an overview of the architecture for inter-domain role-based authorization. I will then describe a SIP profile and binding for SAML. These profiles and bindings define the ways to incorporate SAML into various communication protocols. Next, I will present a security analysis of the threat model for each of the profiles. I'll conclude this talk by presenting some performance assessments of this design.

Douglas C. Sicker is an assistant professor at the University of Colorado at Boulder in the Department of Interdisciplinary Telecommunications. Before this he was Director of Global Architecture at Level 3 Communications, LLC. Prior to this, Doug was Chief of the Network Technology Division at the Federal Communications Commission (FCC). He has also held faculty positions in the field of medical sciences. Doug's general interests include signaling and security in IP-based networks. His recent work focuses on privacy and role-based authorization in IP-based networks. He is also interested in the interaction of policy and network technology. Doug is a senior member of the IEEE, as well as a member of the ACM and the Internet Society. Doug is active in the Internet2 and the IETF. After leaving the FCC, Doug served as the Chair of the Network Reliability and Interoperability Council steering committee, an FCC federal advisory committee. Doug also served on the Technical Advisory Council of the FCC. Doug holds a PhD from the University of Pittsburgh.

Department of Computer Science
University of Colorado Boulder
Boulder, CO 80309-0430 USA
May 5, 2012 (14:13)