Query Certificate Manager
Carl A. Gunter, Trevor Jim

Using Certificates (Digital or Otherwise)
• Example: Area 1 parking stickers in Philadelphia.
• Example: mortgage pre-approval.
[Figure: a Subscriber holding certificates (cert) sends a query to a Relying Party; the certificates come from several Issuers.]
Basic Application-Independent Authorization Architecture
[Figure: the User's Application consults a Policy; Verification and Retrieval of Remote Data take place over the Public Network.]
Domain Specific Languages for Authorization Policies
• PolicyMaker (1996; M. Blaze, J. Feigenbaum, J. Lacy).
• Simple Distributed Security Infrastructure (SDSI) (1997; B. Lampson, R. Rivest).
• Query Certificate Manager (QCM) (1997; C. Gunter, T. Jim).
• Simple Public Key Infrastructure (SPKI) (1998; C. M. Ellison, B. Frantz, B. Lampson, R. Rivest, B. M. Thomas, T. Ylonen).
• KeyNote (1998; M. Blaze, J. Feigenbaum, J. Ioannidis, A. D. Keromytis).
Retrieval Challenge
• Describing authorization policy isn't the only problem.
• How do the subscriber and relying party obtain the certificates relevant to the policy?
• Examples:
  • Entrust, Oscar (LDAP).
  • PGP (key servers).
• Problem: retrieval is not integrated with verification.

Options for Retrieval
• General mirroring by the relying party. (Simple, but limited and inefficient.)
• Individual short-term certificates. (Pressure on the issuer's server.)
• Subscriber submits long-term certificates to the relying party. (Revocation challenge.)
Illustration: QCM Daemon for ABONE Access Control
• ABONE is the active network testbed.
• ACLs at ABONE nodes were initialized by the ANETD installation and then managed manually.
• This was not convenient.
• Now QCMD automatically synchronizes each node's local ACL with the SRI ACL, which provides the access control policy for all nodes.
ANETD: 1997, L. Ricciulli. QCMD: 1999, P. Kakkar, M. McDougall, C. A. Gunter, T. Jim.

Requirements Imposed on QCMD
• No changes to ANETD.
• No changes to keys: based on RSAREF.
• Scalability to 1000 nodes.
• Simple implementation providing basic security.
• Upgrade path to support additional functionality.

QCMD Client Options
• Pull: the node periodically initiates an update by sending a hash of its current ACL. The server compares it with the hash of the SRI ACL; an update is sent only if they don't match.
• Push: the node registers with the SRI server.
  • The server updates the node on registration and whenever the server ACL changes.
  • The server periodically clears its registry; clients periodically re-register.
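The pull and push exchanges above, as an added example in Python (this is not QCMD's code). It models the SRI server and an ABONE node in one process: the node's digest is SHA-256 over a canonical encoding of its ACL (a choice made here), node identifiers and ACL entries are constructed, and the registry expiry that stands in for "the server periodically clears its registry" is driven by an explicit clock argument. The RSA signing of the ACL that a real deployment relies on is omitted.

```python
import hashlib
import json


def acl_digest(acl):
    """Digest of a canonical (sorted, compact JSON) encoding of the ACL, so two
    nodes holding the same entries in different order compare equal."""
    canonical = json.dumps(sorted(acl), separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AclServer:
    """Holds the authoritative ACL (the SRI ACL in the deck) and the push registry."""

    def __init__(self, acl, registry_ttl=60.0):
        self.acl = sorted(acl)
        self.registry_ttl = registry_ttl
        self.registry = {}   # node id -> time at which its registration expires
        self.pushed = []     # (node id, ACL) pairs the server has sent out

    def pull(self, node_digest):
        """Pull: answer with the full ACL only when the node's digest differs."""
        if node_digest == acl_digest(self.acl):
            return None
        return list(self.acl)

    def register(self, node_id, now):
        """Push: record the node with an expiry and send it the ACL at once."""
        self.registry[node_id] = now + self.registry_ttl
        self.pushed.append((node_id, list(self.acl)))

    def clear_expired(self, now):
        """Nodes that have not re-registered within the TTL are dropped."""
        self.registry = {n: t for n, t in self.registry.items() if t > now}

    def update_acl(self, new_acl, now):
        """A policy change is pushed to every node still in the registry."""
        self.acl = sorted(new_acl)
        self.clear_expired(now)
        for node_id in self.registry:
            self.pushed.append((node_id, list(self.acl)))


class AclNode:
    """An ABONE node with its local copy of the ACL."""

    def __init__(self, node_id, acl):
        self.node_id = node_id
        self.acl = sorted(acl)

    def pull_sync(self, server):
        """One pull round; returns True when the local ACL was replaced."""
        update = server.pull(acl_digest(self.acl))
        if update is None:
            return False
        self.acl = update
        return True

    def receive_push(self, acl):
        self.acl = sorted(acl)
```

The digest only detects drift; it does not authenticate anything. A node that installs whatever ACL arrives in a pull reply or a push is trusting the channel, so in practice the ACL (or the message carrying it) must be signed by the server key and verified by the node before it replaces the local copy, which is why the deck ties QCMD to the nodes' existing RSA keys.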
Implementation and Deployment of QCMD
• Tests with mixed Penn clients and an Aerospace server show that 500 nodes are not a problem.
• Deployed on CAIRN and the ABONE.

Limitations of QCMD
• Limited integration with ANETD means limited capabilities.
• Individual certificates are not supported.
• Keys must be online.
• Little local autonomy for authorization or retrieval policy.

Query Certificate Manager (QCM)
• QCM is a superset of QCMD.
• Uses a domain-specific language and techniques from distributed databases.
• Integrates authorization policy and the three primary retrieval mechanisms.
• Key concepts:
  • Policy-directed certificate retrieval.
  • Dynamic channel discovery.
  • Chaining (transparent delegation).
1998, C. A. Gunter and T. Jim.
Policy-Directed Certificate Retrieval
[Figure: two hosts on the Public Network, each running an Application over a Policy, Verification, and a Retrieval and Distribution layer.]
QCM Notation
• K$u, pronounced "K's u":
  • K is a principal.
  • u is a global name.
• {(x,y) | x ∈ v, y ∈ K$u}, a set comprehension: "all pairs (x,y) such that x is in v and y is in K$u."
• A QCM policy is a list of bindings of global names to sets.

Illustration: Web Filtering in QCM
    onlineBrowser {
      OK      = { p | (p, "G") <- Ratings };
      Ratings = { x | ("Alice", k) <- PKD, x <- k$Ratings };
      PKD     = Keyserver$PKD;
    }
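The web-filtering policy above evaluated in Python, as an added example that is neither from the slides nor from the QCM implementation. The key-server directory and the rating sets are constructed, and the key identifiers are placeholders. What it shows is the policy-directed part: evaluation starts from OK and fetches only the remote names the policy reaches (Keyserver$PKD, then the Ratings of the one rater the pattern selects), and a name that cannot be resolved contributes the empty set.

```python
# Simulated results of principal$name lookups (constructed data; the
# K_* identifiers are placeholders, not real keys).
REMOTE = {
    ("Keyserver", "PKD"): {("Alice", "K_alice"), ("Bob", "K_bob")},
    ("K_alice", "Ratings"): {("example.org", "G"), ("games.example", "PG")},
    ("K_bob", "Ratings"): {("other.example", "G")},
}


def fetch(principal, name, log):
    """Resolve principal$name and record that the policy needed it.
    A name with no response yields the empty set, i.e. a lower
    approximation: a missing rating can only shrink OK, never enlarge it."""
    log.append(f"{principal}${name}")
    return REMOTE.get((principal, name), set())


def evaluate_policy(rater="Alice"):
    """Return (OK, fetch log) for the policy
         OK      = { p | (p, "G") <- Ratings }
         Ratings = { x | (rater, k) <- PKD, x <- k$Ratings }
         PKD     = Keyserver$PKD
    with "Alice" generalized to `rater`. Evaluation is demand-driven from OK."""
    log = []
    pkd = fetch("Keyserver", "PKD", log)
    # The pattern (rater, k) binds k only for directory entries whose first
    # component is the trusted rater, so only that rater's Ratings are fetched.
    ratings = {x for (name, k) in sorted(pkd) if name == rater
                 for x in fetch(k, "Ratings", log)}
    ok = {p for (p, rating) in ratings if rating == "G"}
    return ok, log


if __name__ == "__main__":
    ok, log = evaluate_policy()
    print("OK =", sorted(ok))
    print("fetched:", log)
```

Bob's ratings are never retrieved for the default policy even though the key server lists him, and a rater with no directory entry produces an empty OK after a single fetch; that is the integration of retrieval with verification the "Retrieval Challenge" slide asks for.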
Challenge of Long-Term Certificates
• Premise: most principals are authorized for a substantial period of time.
• Strategy: issue long-term certificates and revoke privileges for principals as necessary.
• Relying parties must check whether a certificate has been revoked.
• A window of vulnerability is created between the revocation and the moment the relying party learns of it.

Revocation is Costly for Retrieval
• A MITRE study to recommend a PKI for the U.S. Government noted:
  "Certificate revocation list distribution is by far the biggest cost driver associated with the operation of the PKI. Requiring that every request to the directory service for a certificate be accompanied by a similar request for the CRL on which that certificate may appear places an extremely heavy burden on the directory communications system... Other ways of dealing with the CRL's must be considered."

CRL Retrieval Strategies
A variety of ways to optimize CRL distribution have been explored:
• Distribution points.
• Delta CRLs.
• Indirect CRLs.
• Unreliable (push) CRL distribution.
Revocation Also Introduces Semantic Challenges
• Three certificates:
  1. Q says P is the public key of Alice.
  2. R says P is the public key of Alice.
  3. Q says R is the public key of Bob.
• Suppose Q revokes certificate 1. Three different meanings of the revocation, with different consequences for certificates 2 and 3:
  • P is not the public key of Alice. (3 survives, 2 does not.)
  • Q no longer vouches for whether P is the public key of Alice. (2 and 3 survive.)
  • The key of Q has been compromised. (2 survives, 3 does not.)
1998, Fox and LaMacchia.
Challenge of Integrating Revocation with Chaining
• Using "push" certificates entails working with partial information.
• This must be integrated with chaining, where information is retrieved by the relying party.
• QCM solves this problem with a monotonicity invariant: responses are assumed to provide a lower approximation of the right answer.
• Using long-term certificates entails working with revocation, which involves "negative information".

Inconsistencies
• Consider the following definitions:
  • School = Teachers ∪ Administrators ∪ Students
  • Employees = School - Students
• Suppose Alice is given a certificate Alice ∈ Students.
• Later the school revokes this with a certificate Alice ∉ Students.
• Alice uses the first to prove she is in the school and the second to prove she is an employee.

Generalized Certificate Revocation for QCM
• General theory of negative data, with a model using sets.
• Sound operational semantics.
• Soundness enforced by typing rules assigning "polarities" to variables in an internal language.
• General revocation policy obtained through compilation from an external language.
1999, C. A. Gunter, T. Jim.
External Language, Online Signing
• Compromised keys are defined by the relying party.
• The compiler replaces each expression e$u by {x | e ∉ Compromised, x ∈ e$u}.
• Example:
  • Read = {K1, K2} ∪ Write
  • Write = {K3} ∪ (Alice$Write)
  • Compromised = {K4} ∪ Bureau$Compromised

External Language, Offline Signing
• Offline certificates may be revoked by the issuing party. Only certificates that require checks for revocation are issued.
• A source policy is created. The compiler produces serial numbers and "revocable" certificates.

External Language, Offline Signing: Example
• Source policy for principal K:
  • OK = {K1, K2}
• Target policy:
  • OK ⊇ {K1 | n1 ∉ K$OKRevoked}
  • OK ⊇ {K2 | n2 ∉ K$OKRevoked}
• K maintains OKRevoked. Relying parties whose QCM interpreters use these certificates will consult OKRevoked before making conclusions about membership in OK.
Security Model
• Positive variables are monotonic with respect to approximation; negative variables are anti-monotonic with respect to approximation.
• Thus positive variables must be under-estimated, while negative variables must be over-estimated.
• These are the key theorems for the denotational semantics of the internal language.
• The operational semantics (the implementation) is shown to conform to the denotational semantics.
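The online and offline compilations of the three "External Language" slides, evaluated under the under/over-estimation rule of the security model, as an added Python example. This is not the QCM compiler or interpreter: the tuple encoding of policies, the "nN" serial-number format, the constructed remote responses (Alice$Write = {K5}), and the decision to leave the definition of Compromised itself unguarded (so that its guard does not refer to itself) are all assumptions of this example. A missing remote response is treated as the empty set where the name occurs positively and as "everything" where it occurs negatively, so an unreachable Compromised or OKRevoked list disables every right that depends on it rather than granting it.

```python
from itertools import count

# Policy expressions (this example's own encoding, not the QCM internal language):
#   ("set", {...})            enumerated set of constants
#   ("name", u)               global name u defined in the same policy
#   ("remote", p, u)          p$u, the set named u published by principal p
#   ("union", e1, e2)         set union
#   ("guarded", p, u)         {x | p not in Compromised, x in p$u}   (online compilation)
#   ("revocable", c, n, p, u) {c | n not in p$u}                     (offline compilation)

ALL = "ALL"  # over-approximation of a negative name whose response never arrived


def compile_online(policy, compromised="Compromised"):
    """Rewrite each e$u into {x | e not in Compromised, x in e$u}. Assumption of
    this example: the binding of Compromised itself is left unguarded."""
    def rewrite(e):
        if e[0] == "remote":
            return ("guarded", e[1], e[2])
        if e[0] == "union":
            return ("union", rewrite(e[1]), rewrite(e[2]))
        return e
    return {u: (e if u == compromised else rewrite(e)) for u, e in policy.items()}


def compile_offline(issuer, name, members):
    """Turn the source binding name = {members} of `issuer` into one revocable
    certificate per member, each with a fresh serial (format "nN" chosen here)
    and conditional on that serial not appearing in issuer$<name>Revoked."""
    serials = count(1)
    certs = [("revocable", m, f"n{next(serials)}", issuer, name + "Revoked")
             for m in sorted(members)]
    expr = certs[0]
    for cert in certs[1:]:
        expr = ("union", expr, cert)
    return {name: expr}, certs


def member(x, s):
    return s == ALL or x in s


def evaluate(e, policy, remote, polarity="+"):
    """Evaluate e against `remote`, a dict (principal, name) -> set of the
    responses received; a missing key is a response we do not have. Positive
    polarity under-estimates (missing -> empty set); negative polarity
    over-estimates (missing -> ALL)."""
    kind = e[0]
    if kind == "set":
        return set(e[1])
    if kind == "name":
        return evaluate(policy[e[1]], policy, remote, polarity)
    if kind == "remote":
        v = remote.get((e[1], e[2]))
        if v is not None:
            return set(v)
        return ALL if polarity == "-" else set()
    if kind == "union":
        a = evaluate(e[1], policy, remote, polarity)
        b = evaluate(e[2], policy, remote, polarity)
        return ALL if a == ALL or b == ALL else a | b
    if kind == "guarded":  # Compromised is consulted in negative polarity
        compromised = evaluate(("name", "Compromised"), policy, remote, "-")
        if member(e[1], compromised):
            return set()
        return evaluate(("remote", e[1], e[2]), policy, remote, polarity)
    if kind == "revocable":  # the revocation list is consulted in negative polarity
        _, c, serial, issuer, revoked_name = e
        revoked = evaluate(("remote", issuer, revoked_name), policy, remote, "-")
        return set() if member(serial, revoked) else {c}
    raise ValueError(f"unknown expression kind {kind}")


# Online-signing source policy from the slides, then compiled.
SOURCE = {
    "Read": ("union", ("set", {"K1", "K2"}), ("name", "Write")),
    "Write": ("union", ("set", {"K3"}), ("remote", "Alice", "Write")),
    "Compromised": ("union", ("set", {"K4"}), ("remote", "Bureau", "Compromised")),
}
COMPILED = compile_online(SOURCE)


def read_set(bureau_compromised):
    """Read under COMPILED with Alice$Write = {K5} (constructed) and the given
    Bureau$Compromised; None means that response could not be retrieved."""
    remote = {("Alice", "Write"): {"K5"}}
    if bureau_compromised is not None:
        remote[("Bureau", "Compromised")] = set(bureau_compromised)
    return evaluate(("name", "Read"), COMPILED, remote)


# Offline signing: principal K's source policy OK = {K1, K2}.
OFFLINE_POLICY, OFFLINE_CERTS = compile_offline("K", "OK", {"K1", "K2"})


def ok_set(ok_revoked):
    """OK as a relying party holding both revocable certificates computes it,
    given K$OKRevoked (None means it could not be fetched)."""
    remote = {} if ok_revoked is None else {("K", "OKRevoked"): set(ok_revoked)}
    return evaluate(("name", "OK"), OFFLINE_POLICY, remote)
```

With Bureau$Compromised reachable and empty, Read is {K1, K2, K3, K5}; with Alice listed there, Alice$Write is dropped and Read is {K1, K2, K3}; with the Bureau unreachable, Compromised over-estimates to everything and the result is the same conservative {K1, K2, K3}. For the offline case, revoking serial n1 removes K1 from OK, and an unreachable OKRevoked leaves OK empty: the relying party never concludes membership it could not verify.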
Internal Language: Variables and Constants
  Keys                 K
  Constants            c  (a Key, Num, String, or Bool)
  Comparables          w ::= c | (w, …, w)
  Positive variables   x+
  Negative variables   x-
  Variables            x
  Positive names       u+
  Negative names       u-
  Names                u
  Polarities           π ::= 0 | + | -

Internal Language: Expressions
  e ::= x                Variables
      | c                Constants
      | e$u              Qualified names
      | {e, …, e}        Enumerated sets
      | (e, …, e)        Tuples
      | Union(e)         Set unions
      | {e | g, …, g}    Comprehensions
      | e @ e            Remote evaluations
      | Compl{w, …, w}   Co-finite sets

Internal Language: The Rest
  g ::= p ∈ e                      Generators
      | e = e | e ∈ e | e ∉ e      Guards
  p ::= x | (x, …, x)              Patterns
  d ::= u = e                      Definitions
  P ::= d, …, d                    Programs

Sample Typing Rules
Subsumption (an exact expression may be used at any polarity π):
          e : 0
        ---------
          e : π

Polarity for positive comprehensions, generator case:
    {e1 | g1, …, gn} : +     x : +     e2 : +
  ---------------------------------------------
        {e1 | x ∈ e2, g1, …, gn} : +

Polarity for positive comprehensions, negative-guard case (the set on the right of ∉ must have negative polarity):
    {e1 | g1, …, gn} : +     e3 : -
  -----------------------------------
      {e1 | e2 ∉ e3, g1, …, gn} : +
Denotational Semantics
• Denotational semantics in terms of a universal domain derived from a recursive domain equation.
• Monotonicity Theorem:
  • Monotone in positive variables.
  • Anti-monotone in negative variables.
  • Related comparables are equal.

Operational Semantics
• Operational semantics in terms of local and global operational rules.
• Local Soundness Theorem: denotational meaning is preserved by the local operational rules.
• Soundness Theorem: the global operational rules provide approximations with the proper polarity.

Conclusions
• Policy-directed certificate retrieval is possible for long-term certificates with revocation.
• The compilation architecture aids convenience but decreases flexibility.
• A precise model of security is essential.