PowerPoint Slideshow about 'SPKI/SDSI (Simple Public Key Infrastructure/Simple Distributed Security Infrastructure )' - dasan


SPKI/SDSI(Simple Public Key Infrastructure/Simple Distributed Security Infrastructure)
  • Given an Access-Control List (ACL) for a protected resource and a collection of SPKI/SDSI certificates, our programs should determine whether a given principal (public key) is authorized to access the protected resource.
  • The heart of the system is the closure program running on SDSI servers, which decides whether a public key is a member of the group it claims to belong to. For the sake of simplicity we use short symbols to denote the keys and the groups.
A Simple Example
  • Let's take the example of an FTP server as a restricted resource, i.e. to get access to documents or software residing in /pub/ of the FTP server, the requester must produce a proof of membership of the ftp-users group defined in the ACL.
  • I will illustrate the problem with two cases.
    • In the first case the principal is a direct member of a group, so the problem is trivial.
    • In the second case the principal is not a direct member, so let's see the mechanism that lets the principal get access to the resource.
Vishwas’s groups

[Figure: group membership tables. Labels shown: Vishwas’s Group, BARC’s Group, TIFR, Friends, BARC Emp. Names shown: Raja, Basant, Mesfin, Mehul, Siddharth, Manish, Samir, Dave.]

Case 1 :-

[Figure: Mehul, Vishwas’s Servers (SDSI Server and FTP Server) and BARC’s SDSI Server, with messages A to C.]

  • A - Membership Query Vishwas {Principal, Group Name}
  • B - Reply : TRUE Certificate
  • C - Produce this certificate to gain access to the resource

Case 2 :-

[Figure: Siddharth, Vishwas’s Servers (SDSI Server and FTP Server) and BARC’s SDSI Server, with messages A to I.]

  • A - Membership Query Vishwas {Principal, Group Name}
  • B - Fail {Return Group Name} E.g. BARC’s EMP
  • C - Get.Query.Vishwas {Ask Name binding Certs}
  • D - Reply {Certs} E.g. BARC’s Employees
  • E - Membership.Query.BARC {Principal, Group Name}
  • F - Reply : TRUE Cert
  • G - Produce this Cert to show BARC’s membership
  • H - Reply : TRUE Cert
  • I - Produce this TOKEN to get access to the resource

SPKI/SDSI Certs :-
  • Name Certs { K, A, S, V }
  • Auth Certs { K, S, D, T, V }

Certs as Rewrite rules :-

K A → S

K → S

  • K - issuer's public key
  • A - local name of K
  • S - subject, a term in T
  • D - delegation bit
  • T - authorization specification tag
  • V - validity specification
Composition of Certs :-

C = L  R

Let, C1 = L1 R1

C2 = L2 R2

for example,

KA friends  KA Bob myfriends

KA Bob  KB

If L2 is a prefix of R1

Here its true in above example

i.e. R1=L2X for some string X(possibly empty)

Then the Computation of rules

C3 = C1 ° C2

as C3 = C1 ° C2

= L1  (R1 ° C2)

= L1  R2X

If L2 is not a prefix of R1 then C1° C2 is undefined.

Otherwise they can be said compatible.

Examples :-

KA Ted KB CarlJones Ted - 5

Since, KB CarlJones  KC - 11

so KA Ted  KC Ted (5 ° 11)

KA friends  KA Bob myfriends - 9

Since, KB Bob  KB - 3

so KA friends  KB myfriends (9 ° 3)

Closure of a set of certs
  • The notion of the closure of a set of certificates is fundamental.
  • The closure contains all certificates that can be derived by composition from the given set of certificates.
  • It is denoted by C+.
  • It can be infinite, even if the input set of rules is finite.
  • What is useful to us is a finite subset of the closure, called the “name-reduction closure” C#.
How to compute C# ?
  • C = (L  R) is said to be reducing

if | L | > | R |

where | X | denotes the length of sequence X.

  • Important Definition for Convergence in C#

If C1 = (L1  R1) any arbitrary certificate

and C2 = (L2  R2) compatible reducing certificate

then C3 = C1° C2 = (L1  R3)

satisfies |R1| > |R3|

Example :-

K Alice  K Verisign MIT AliceSmith

compatible reducing certificate is

K Verisign  KV

K Alice  KV MIT AliceSmith

Thus to compute the name reduction closure, we only perform rewritings that cause a reduction in the length of the right-hand side, until no more such re-writings can be done.
Whole algorithm in 3 steps

1. Initialize C’ to be the input set C of certificates.

2. As long as C’ contains two compatible certificates C1 and C2 such that C2 is a reducing certificate and C3 = C1 ° C2 is not yet in C’, add C3 to C’.

3. Return C’ as the computed value of C#.
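
The three steps above, applied to the FTP scenario from Case 2, as an added example that is not part of the original presentation. Certificates are modelled as rewrite rules (L, R) over tuples of symbols; the key names K_V, K_BARC, K_Mehul, K_Sid and the certificate set are constructed for illustration, and validity (V) and signature checks are left out.

```python
# Added example: name certs as rewrite rules (L, R) over tuples of symbols.
# Key names and the certificate set below are constructed, not from the slides.

def compose(c1, c2):
    """C1 ° C2 = L1 -> R2 X when R1 = L2 X; None when L2 is not a prefix of R1."""
    (l1, r1), (l2, r2) = c1, c2
    if r1[:len(l2)] != l2:
        return None                      # composition undefined
    return (l1, r2 + r1[len(l2):])

def is_reducing(cert):
    """A rule L -> R is reducing if |L| > |R|."""
    left, right = cert
    return len(left) > len(right)

def name_reduction_closure(certs):
    closure = set(certs)                 # step 1: C' := C
    changed = True
    while changed:                       # step 2: compose only with reducing certs
        changed = False
        for c1 in list(closure):
            for c2 in list(closure):
                if not is_reducing(c2):
                    continue
                c3 = compose(c1, c2)
                if c3 is not None and c3 not in closure:
                    closure.add(c3)
                    changed = True
    return closure                       # step 3: C' is C#

def is_member(certs, issuer_key, group, principal_key):
    """True if C# contains the rule 'issuer_key group -> principal_key'."""
    rule = ((issuer_key, group), (principal_key,))
    return rule in name_reduction_closure(certs)

# Constructed certificate set: Mehul is a direct member of Vishwas's ftp-users
# group; Siddharth is a member only through BARC's "Emp" group.
CERTS = {
    (("K_V", "ftp-users"), ("K_Mehul",)),
    (("K_V", "ftp-users"), ("K_V", "BARC", "Emp")),
    (("K_V", "BARC"), ("K_BARC",)),
    (("K_BARC", "Emp"), ("K_Sid",)),
}

if __name__ == "__main__":
    for key in ("K_Mehul", "K_Sid", "K_Dave"):
        print(key, is_member(CERTS, "K_V", "ftp-users", key))
```

The loop terminates because each composition with a reducing certificate strictly shortens the right-hand side, which is the convergence property stated in the definition above.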