Veranstaltung

Competency Goals:

The student understands that an information security model defines access rights that express for a given system which subjects are allowed to perform which actions on which objects. The student understands that a system is said to be secure with respect to a given information security model, if it enforces the corresponding access rights.
The student is able to derive suitable access control models from scenario requirements and is able to specify concrete access control systems. The student is aware of the limits of access control models and systems with respect to their analyzability and performance and security characteristics. The student is able to identify the resulting tradeoffs. The student knows the state of the art with respect to current research endeavors in the field of access control.
The specific competences are as follows. The student...
… understand the challenges of access control in the era of hyperconnectivity
... is able to decide which concrete architectures and protocols are technically suited for realizing a given access control model.
... is able to design an access control system architecture adhering to the requirements of a concrete scenario.
... knows access control models derived from social graphs
... knows specific access control of cloud-based services.
... knows access control mechanisms for secure data outsourcing and is able to analyze and compare the performance and security guarantees of the different approaches.
... knows access control protocols to enable decentralized data sharing through cryptographic methods and is able to compare protocol realizations based on different cryptographic building blocks with respect to their performance.
… is aware of hardware-assisted access control mechanisms (e.g., Trusted Execution Environments) and attacks on hardware and operating system security
… is able to name and describe desired features of Trusted Execution Environments and knows current approaches from industry and research.
… knows the requirements for access control mechanisms in decentralized systems (e.g., blockchain-based systems, Matrix) and is able to name and describe current approaches to address the domain-specific requirements

Content:

Access control systems are everywhere: think of operating systems, information systems, banking, vehicles, robotics, cryptocurrencies, or decentralized applications as examples. Access control systems are the backbone of secure services as they incorporate who is authorized and who is not. The course starts with current challenges of access control in the era of hyperconnectivity, i.e. in cyber physical systems and decentralized systems. Based on the derived needs for next generation access control, we first study how to specify access control (access control matrix, role-based access control, attribute-based access control, usage control) and analyze strengths and weaknesses of various approaches. We then focus on up-to-date proposals, like relationship-based access control and IoT access control. We look at current cryptographic access control aspects of secure data outsourcing and sharing, blockchains and cryptocurrencies, and trusted execution environments. We also discuss the ethical dimension of access management.
Students prepare for lecture and exercise sessions by studying previously announced literature and by preparation of exercises that are jointly discussed in the sessions.

Workload:

Lecture workload:
1. Attendance time (Course, exercise, etc.)
Lecture: 2 SWS: 2,0h x 15 = 30h
Exercises: 1 SWS: 1,0h x 15 = 15h
2. Self-study (e.g. independent review of course material,
work on homework assignments)
Weekly preparation and follow-up of the lecture: 15 x 1h x 3 = 45h
Weekly preparation and follow-up of the exercise: 15 x 2h = 30h
3. Preparation for the exam: 30 h
Σ = 150h = 5 ECTS

Recommendations:

Basics according to the lectures "IT Security Management for Networked Systems" and "Telematics" are recommended.

Duration: One terms