By **eben**
## Query Certificate Manager

Using Certificates (Digital or Otherwise)

- Example: Area 1 parking stickers in Philadelphia.
- Example: mortgage pre-approval.

[Figure: diagram labelled Subscriber, query, Relying Party, cert, Issuer, Network]

Basic Application-Independent Authorization Architecture

[Figure: diagram labelled User, Application, Policy, Verification, Retrieval, Remote Data]

Domain Specific Languages for Authorization Policies

- PolicyMaker (1996 M Blaze, J Feigenbaum, J Lacy).
- Simple Distributed Security Infrastructure (SDSI) (1997 B Lampson, R Rivest).
- Query Certificate Manager (QCM) (1997 C Gunter and T Jim).
- Simple Public Key Infrastructure (SPKI) (1998 CM Ellison, B Frantz, B Lampson, R Rivest, BM Thomas, T Ylonen).
- KeyNote (1998 M Blaze, J Feigenbaum, J Ioannidis, AD Keromytis).

Retrieval Challenge

- Describing authorization policy isn’t the only problem.
- How do the subscriber and relying party obtain the certificates relevant to the policy?
- Examples:
  - Entrust, Oscar (LDAP)
  - PGP (Key servers)
- Problem: retrieval is not integrated with verification.

Options for Retrieval

- General mirroring by relying party. (Simple, but limited and inefficient.)
- Individual short-term certificates. (Pressure on issuer’s server.)
- Subscriber submits long-term certificates to relying party. (Revocation challenge.)

Illustration: QCM Daemon for ABONE Access Control

- ABONE is the active network testbed.
- ACLs at ABONE nodes were initialized by ANETD installation and then managed manually.
- This was not convenient.
- Now QCMD automatically synchronizes the local ACL with the SRI ACL, which provides access control policy for all nodes.

ANETD: 1997 L Ricciulli

QCMD: 1999 P Kakkar, M McDougall, CA Gunter, T Jim

Requirements Imposed on QCMD

- No changes to ANETD.
- No changes to keys: based on RSA Ref.
- Scalability to 1000 nodes.
- Simple implementation providing basic security.
- Upgrade path to support additional functionality.

QCMD Client Options

- Pull: the node periodically initiates an update by sending a hash of its current ACL. This is compared to the hash of the SRI ACL; an update occurs if they don’t match.
- Push: the node registers with the SRI server.
  - The server updates the node initially and whenever the server ACL changes.
  - The server periodically clears the registry; clients periodically re-register.
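
A minimal simulation of the pull and push options above, added here as an illustration and not taken from QCMD. The class and function names, the use of SHA-256 and the sample ACL entries are assumptions; signing and transport are left out.

```python
import hashlib

def acl_digest(acl):
    """Hash a canonical form of the ACL so entry order never forces an update."""
    canonical = "\n".join(sorted(set(acl))).encode()
    return hashlib.sha256(canonical).hexdigest()  # SHA-256 is an assumption

class AclServer:
    """Holds the master ACL (the SRI ACL in the slides)."""
    def __init__(self, acl):
        self.acl = list(acl)
        self.registry = set()            # nodes registered for push

    def handle_pull(self, client_digest):
        # Pull: return the ACL only when the client's hash differs.
        if client_digest == acl_digest(self.acl):
            return None
        return list(self.acl)

    def register(self, node):
        # Push: a newly registered node is updated immediately.
        self.registry.add(node)
        node.acl = list(self.acl)

    def set_acl(self, acl):
        # Push: every registered node is updated when the ACL changes.
        self.acl = list(acl)
        for node in self.registry:
            node.acl = list(self.acl)

    def clear_registry(self):
        # Periodic clearing drops nodes that stopped re-registering.
        self.registry.clear()

class Node:
    def __init__(self, acl=()):
        self.acl = list(acl)

    def pull(self, server):
        update = server.handle_pull(acl_digest(self.acl))
        if update is not None:
            self.acl = update
        return update is not None        # True when an update was applied
```

A node that stops re-registering after the registry is cleared silently keeps a stale ACL under push, which is why the pull path remains useful as a fallback.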

Implementation and Deployment of QCMD

- Tests with mixed Penn clients and Aerospace server show 500 nodes are not a problem.
- Deployed on Cairn and the ABONE.

Limitations of QCMD

- Limited integration with ANETD means limited capabilities.
- Individual certificates are not supported.
- Keys must be online.
- Little local autonomy for authorization or retrieval policy.

Query Certificate Manager (QCM)

- QCM is a superset of QCMD.
- Uses domain-specific language and techniques from distributed databases.
- Integrates authorization policy and the three primary retrieval mechanisms.
- Key concepts:
  - Policy-directed certificate retrieval.
  - Dynamic channel discovery.
  - Chaining (transparent delegation).

1998 CA Gunter and T Jim

Policy-Directed Certificate Retrieval

[Figure: two stacks labelled Application, Policy, Verification, and Retrieval and Distribution, connected by a Public Network]

QCM Notation

- K$u, pronounced “K’s u”.
  - K is a principal.
  - u is a global name.
- {(x, y) | x ∈ v, y ∈ K$u} is a set comprehension: “all pairs (x,y) such that x is in v and y is in K$u.”
- A QCM policy is a list of bindings of global names to sets.

Illustration: Web Filtering in QCM

```
onlineBrowser {
  OK = { p | (p,"G") <- Ratings };
  Ratings = { x | ("Alice",k) <- PKD,
                  x <- k$Ratings };
  PKD = Keyserver$PKD;
}
```
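
The policy above evaluated in Python, as an added example rather than QCM's own interpreter: retrieval is driven by the policy, so only Alice's ratings are fetched. The `REMOTE` table, key names and URLs are constructed, and signature verification is assumed to happen inside `fetch`.

```python
# Constructed data: what each remote principal would return for a global name.
REMOTE = {
    "Keyserver": {"PKD": {("Alice", "K_alice"), ("Bob", "K_bob")}},
    "K_alice": {"Ratings": {("http://a.example/", "G"),
                            ("http://b.example/", "R")}},
    "K_bob": {"Ratings": {("http://c.example/", "G")}},
}

def make_fetch(remote, log):
    def fetch(principal, name):
        """Stand-in for retrieving principal$name (hypothetical helper).
        An unreachable principal yields the empty set, so answers can only
        shrink, never grow, when information is missing."""
        log.append(f"{principal}${name}")
        return remote.get(principal, {}).get(name, set())
    return fetch

def evaluate_online_browser(fetch):
    pkd = fetch("Keyserver", "PKD")                       # PKD = Keyserver$PKD
    ratings = {x
               for (who, k) in pkd if who == "Alice"      # ("Alice",k) <- PKD
               for x in fetch(k, "Ratings")}              # x <- k$Ratings
    return {p for (p, r) in ratings if r == "G"}          # (p,"G") <- Ratings

if __name__ == "__main__":
    log = []
    print(evaluate_online_browser(make_fetch(REMOTE, log)))
    print(log)   # Bob's ratings are never requested
```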

Challenge of Long-Term Certificates

- Premise: most principals are authorized for a substantial period of time.
- Strategy: issue long-term certificates and revoke privileges for principals as necessary.
- Relying parties must check to see if a certificate has been revoked.
- Window of vulnerability created.

Revocation is Costly for Retrieval

- A MITRE study to recommend a PKI for the U.S. Government noted:

Certificate revocation list distribution is by far the biggest cost driver associated with the operation of the PKI. Requiring that every request to the directory service for a certificate be accompanied by a similar request for the CRL on which that certificate may appear places an extremely heavy burden on the directory communications system... Other ways of dealing with the CRL's must be considered.

CRL Retrieval Strategies

A variety of ways to optimize CRL distribution have been explored.

- Distribution points.
- Delta CRLs.
- Indirect CRLs.
- Unreliable (push) CRL distribution.

Revocation Also Introduces Semantic Challenges

- Three certificates.
  - Q says P is the public key of Alice.
  - R says P is the public key of Alice.
  - Q says R is the public key of Bob.
- Three kinds of revocation.
  - P is not the public key of Alice. (3 not 2.)
  - Q no longer vouches for whether P is the public key of Alice. (2 and 3.)
  - The key of Q has been compromised. (2 not 3.)

1998 Fox and LaMacchia

Challenge of Integrating Revocation with Chaining

- Using “push” certificates entails working with partial information.
- This must be integrated with chaining, where information is retrieved by the relying party.
- QCM solves this problem with a monotonicity invariant. Responses are assumed to provide a lower approximation of the right answer.
- Using long-term certificates entails working with revocation, which involves “negative information”.

Inconsistencies

- Consider the following definitions:
  - School = Teachers ∪ Administrators ∪ Students
  - Employees = School – Students
- Suppose Alice is given a certificate Alice ∈ Students.
- And later the school revokes this with a certificate Alice ∉ Students.
- Alice uses the first to prove she is in the school and the second to prove she is an employee.

Generalized Certificate Revocation for QCM

- General theory of negative data with model using sets.
- Sound operational semantics.
- Soundness enforced by typing rules assigning “polarities” to variables in an internal language.
- General revocation policy obtained through compilation from an external language.

1999 CA Gunter, T Jim

External Language, Online Signing

- Compromised keys are defined by the relying party.
- The compiler replaces each expression e$u by {x | e ∉ Compromised, x ∈ e$u}.
- Example:
  - Read = {K1,K2} ∪ Write
  - Write = {K3} ∪ (Alice$Write)
  - Compromised = {K4} ∪ Bureau$Compromised

External Language, Offline Signing

- Offline certificates may be revoked by the issuing party. Only certificates that require checks for revocation are issued.
- A source policy is created. The compiler produces serial numbers and “revocable” certificates.

External Language, Offline Signing: Example

- Source policy for principal K:
  - OK = {K1,K2}
- Target policy:
  - OK ⊇ {K1 | n1 ∉ K$OKRevoked}
  - OK ⊇ {K2 | n2 ∉ K$OKRevoked}
- K maintains OKRevoked. Relying parties whose QCM interpreters use these certificates will consult OKRevoked before making conclusions about membership in OK.
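
An added sketch, not the QCM compiler, of both compilation schemes from the online and offline signing slides: the Compromised guard on qualified names and serial-numbered revocable certificates. Function names, the dict certificate layout and the `fetch` callback are assumptions; a failed retrieval of the revocation set is treated as everything revoked.

```python
import itertools

def guarded_lookup(principal, name, compromised, fetch):
    """Online signing: principal$name contributes nothing once the relying
    party lists the principal's key as compromised."""
    if principal in compromised:
        return set()
    return fetch(principal, name) or set()

def compile_offline(issuer, name, members, first_serial=1):
    """Offline signing: one revocable certificate, with its own serial
    number, per member of the source binding (e.g. OK = {K1,K2})."""
    serials = itertools.count(first_serial)
    return [{"issuer": issuer, "name": name, "member": m,
             "serial": next(serials)} for m in members]

def members_of(certs, name, fetch):
    """Relying party: a certificate counts only after the issuer's
    <name>Revoked set was retrieved and does not contain its serial."""
    accepted = set()
    for cert in certs:
        if cert["name"] != name:
            continue
        revoked = fetch(cert["issuer"], name + "Revoked")
        if revoked is None:          # list unavailable: assume revoked
            continue
        if cert["serial"] not in revoked:
            accepted.add(cert["member"])
    return accepted

if __name__ == "__main__":
    certs = compile_offline("K", "OK", ["K1", "K2"])
    store = {("K", "OKRevoked"): {2}}            # constructed: serial 2 revoked
    print(members_of(certs, "OK", lambda p, n: store.get((p, n))))
```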

Security Model

- Positive variables are monotonic with respect to approximation. Negative variables are anti-monotonic with respect to approximation.
- Thus positive variables must be under-estimated, while negative variables must be over-estimated.
- These are the key theorems for the denotational semantics of the internal language.
- The operational semantics (implementation) is shown to conform with the denotational.
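
An added sketch (not QCM's implementation) of the under- and over-estimation rule, applied to the School and Employees definitions from the Inconsistencies slide. The `Approx` representation (members known in, members known out) and all names and data are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Approx:
    """Partial knowledge of a set: members known in, members known out."""
    known_in: frozenset = frozenset()
    known_out: frozenset = frozenset()

    def union(self, other):
        # In the union if in either; out only if out of both.
        return Approx(self.known_in | other.known_in,
                      self.known_out & other.known_out)

    def minus(self, other):
        # 'other' is used negatively, so it is over-estimated: x is in A - B
        # only if x is known in A and known out of B.
        return Approx(self.known_in & other.known_out,
                      self.known_out | other.known_in)

def policy(teachers, administrators, students):
    school = teachers.union(administrators).union(students)
    employees = school.minus(students)
    return school, employees

def fs(*xs):
    return frozenset(xs)

# Constructed certificate states.
TEACHERS = Approx(fs("Bob"), fs("Alice"))
ADMINS = Approx(fs("Carol"), fs("Alice"))
STUDENTS_BEFORE = Approx(known_in=fs("Alice"), known_out=fs("Bob"))
STUDENTS_AFTER = Approx(known_in=fs(), known_out=fs("Alice", "Bob"))

def naive_mixed():
    """Unsound: School from the old certificate, Students from the revocation."""
    school, _ = policy(TEACHERS, ADMINS, STUDENTS_BEFORE)
    return school.minus(STUDENTS_AFTER).known_in

if __name__ == "__main__":
    print(sorted(naive_mixed()))                                      # Alice slips in
    print(sorted(policy(TEACHERS, ADMINS, STUDENTS_AFTER)[1].known_in))
```

Evaluated against either consistent state, only Bob is concluded to be an employee; Carol is not, because nothing shows she is not a student.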

Internal Language: Variables and Constants

Keys K Key

Constants c Key Num String Bool

Comparables w ::= c | (w,…,w)

Positive variables x+

Negative variables x-

Variables x

Positive names u+

Negative names u-

Names u

Polarities ::= 0 | + | -

Internal Language: Expressions

e ::=

- Variables: x
- Constants: c
- Qualified Names: e$u
- Enumerated Sets: {e,…,e}
- Tuples: (e,…,e)
- Set Unions: Union(e)
- Comprehensions: {e | g,…,g}
- Remote Evals: e @ e
- Co-finite Sets: Compl{w,…,w}

Internal Language: The Rest

g ::= Generators p e

Guards e = e

e e

e e

p ::= Patterns x | (x,…,x)

d ::= Definitions u = e

P ::= Programs d,…,d

Sample Typing Rules

e : 0

----- Subsumption

e :

{e1 | g1,…,gn} : x : e2 :

------------------------------------

{e1 | x e2, g1, …, gn} :

Polarity for positive

comprehensions

{e1 | g1,…, gn} : e3 : -

-----------------------------

{e1 | e2 e3, g1, …, gn} :

Polarity for positive

comprehensions

Denotational Semantics

- Denotational semantics in terms of a universal domain derived from a recursive domain equation.
- Monotonicity Theorem:
  - Monotone in positive variables.
  - Anti-monotone in negative variables.
  - Related comparables are equal.

Operational Semantics

- Operational semantics in terms of local and global operational rules.
- Local Soundness Theorem: Denotational meaning is preserved by the local operational rules.
- Soundness Theorem: Global operational rules provide approximations with proper polarity.

Conclusions

- Policy-directed certificate retrieval is possible for long-term certificates with revocation.
- Compilation architecture aids convenience, but decreases flexibility.
- Precise model of security essential.
