
Security Policy Reconciliation in Distributed Environments


Presentation Transcript


  1. Security Policy Reconciliation in Distributed Environments
  Patrick D. McDaniel, AT&T Research
  Hao Wang, Somesh Jha, Miron Livny, University of Wisconsin

  2. Policy Reconciliation
  • To reconcile multiple policies among participants
  [Figure: Alice's policy (1. … 2. …) and Bob's policy (1. … 2. … 3. …) are combined into one session policy]
  IEEE Policy 2004, Hao Wang

  3. Motivation—Secure Communication
  [Figure: an SSH session between two endpoints with different requirements and different preferences on each side]

  4. Motivation—Resource Sharing
  • Policy reconciliation also occurs in collaborative environments
  • E.g. GRID, Condor, SETI@Home
  • Policies may change frequently
  [Figure: three sites connected over the Internet, each with its own policy]
  • First site: MUST authenticate (Use PKI, Use Kerberos); MUST encrypt all channels (Use AES-128)
  • Second site: MUST authenticate (Use PKI, Use Kerberos); MUST encrypt all channels (Use AES-128, Use DES-128, Use Blowfish-128); MAY use integrity check (HMAC-MD5)
  • Third site: MUST authenticate (Use Kerberos); MAY encrypt all channels (Use AES-128)

  5. Recurring Theme
  • Each site/host/user may have
    • Different security requirements
    • Different security preferences
  • Session policy is dynamic
  [Figure: hosts connected over the Internet]

  6. Policy Reconciliation
  • To establish a provisioning session policy among participants
  [Figure: Alice's policy (1. … 2. …) and Bob's policy (1. … 2. … 3. …) are fed to a Reconciliation Engine, which produces the session policy]

  7. Problem Domain
  • We deal with session provisioning policy
    • E.g. a secure session between two parties
  • We do not deal with
    • Policy decisions
    • Policy constructions, transformations
    • Resolving policy conflicts
  • Separation of policies and mechanisms
    • Our work provides the mechanism

  8. Outline
  • Motivation
  • Policy Representation using DAG
  • Policy Reconciliation
  • Implementation

  9. Security Policy Reconciliation
  • How to represent security policies
    • Need to capture dependencies within each policy
    • Need to capture policy preferences
  • How to reconcile security policies
    • Need to resolve policy preferences
    • Need to be efficient

  10. Existing Approaches
  • How to represent security policies
    • Flat
    • Do not address preferences
    • e.g. IPsec policy:
      • Proposal 1: AH
        • Transform 1: HMAC-SHA
        • Transform 2: HMAC-MD5
      • Proposal 2: ESP
        • Transform 1: 3DES with HMAC-SHA
        • Transform 2: 3DES with HMAC-MD5
      • Proposal 2: PCP
        • Transform 1: LZS
        • Transform 2: Deflate
  [Annotations on the figure: This policy offers 2 proposals. Proposal 1 may use one of the 2 listed transforms. Proposal 2 MUST use both ESP and PCP, and there are two transforms each for ESP and PCP.]

  11. Existing Approaches (cont.)
  • How to reconcile security policies
    • Policies with preferences have not been well addressed
    • Dependencies within policies are not expressed explicitly
    • Generally an NP-complete problem
      • Gong and Qian, 1994
      • McDaniel and Prakash, 2002

  12. Our Contributions
  • How to represent security policies
    • Use a directed acyclic graph (DAG) to represent policies
      • Concise
      • Captures dependencies among policy components
      • Allows efficient reconciliation
      • Handles policies with preferences

  13. Our Contributions
  • How to reconcile security policies
    • The DAG model simplifies the problem
    • A policy is reconciled only once per session
    • Reconciles policies with preferences
    • Polynomial-time reconciliation
    • Supports multi-party reconciliation
      • Current implementation supports two-party reconciliation

  14. Policy Representation
  • Graph model
    • Use a Directed Acyclic Graph (DAG) S = (N, E), called the schema
    • N: set of nodes
      • Each node is either an AND node or an OR node
      • AND node == collection
      • OR node == decision
    • E: set of edges
  • A policy P = (S, C) is a sub-schema derived from S, where C is the condition function
  • A policy instance is derived from P

  15. Policy Schema
  • Authentication
    • Kerberos
    • PKI (X.509)
    • Password
  • Encryption
    • AES-CBC
    • 3DES-CBC
    • Blowfish-CBC
  • Integrity
    • HMAC-MD5
    • HMAC-SHA1
  [Figure: schema DAG. root has children Authentication, Encryption, Integrity; Authentication has children Kerberos, PKI, Password; Encryption has children AES, 3DES, Blowfish, all of which share the child CBC; Integrity has child HMAC, which has children MD5 and SHA1]

  16. Policy Schema & Policies
  • The policy schema defines the blueprint
  • Each site has its own security policy based on the schema, i.e. a sub-schema
  • Similar to a database schema
  [Figure: the full schema beside one policy sub-schema. The sub-schema keeps Kerberos and PKI under Authentication, AES and 3DES (with CBC) under Encryption, and HMAC with MD5 and SHA1 under Integrity; Password and Blowfish are dropped]

  17. Policy Schema & Policies
  [Figure: the schema and the policy sub-schema of the previous slide, with two policy instances derived from the sub-schema. Policy instance 1: Kerberos, AES-CBC, HMAC-MD5. Policy instance 2: PKI, 3DES-CBC, HMAC-MD5]

  18. Policies May Have Preferences
  • Each user/host/site has its own preferences
    • Either due to design or requirements
    • E.g. A may consider Kerberos to be the preferred authentication algorithm over PKI, while B prefers PKI
  • A policy P with preference: (S, C, Pref)
    • Pref(n): partial order function for each node

  19. Policy With Preferences
  • Authentication: 1. Kerberos 2. PKI (X.509) 3. Password
  • Encryption: 1. AES-CBC 2. 3DES-CBC 3. Blowfish-CBC
  • Integrity: 1. HMAC-MD5 2. HMAC-SHA1
  [Figure: the schema DAG with a preference rank written on each edge leaving an OR node]

  20. Policy With Preferences
  • Use partial ordering to express preferences
  • Policy 1: Authentication: Kerberos or PKI, then Password
  • Policy 2: Authentication: Kerberos, then PKI, then Password
  [Figure: the two orderings drawn as diagrams over Kerberos, PKI and Password]

  21. Outline
  • Motivation
  • Policy Representation using DAG
  • Policy Reconciliation
  • Implementation

  22. Policy Reconciliation
  • Assumptions
    • A common policy schema shared by participants
    • Custom policy schemas for different participants
  • Goals
    • A common policy schema for the participants
    • Reconciled once per session
    • Must handle preferences

  23. Policy Construction
  [Figure: the shared schema and two sub-schemas derived from it. Sub-schema A keeps Kerberos, PKI, Password; AES and Blowfish (with CBC); HMAC with MD5 and SHA1. Sub-schema B keeps Kerberos, PKI, Password; AES, 3DES and Blowfish (with CBC); HMAC with SHA1]

  24. Reconciling Preferences
  [Figure: sub-schemas A and B with preference ranks. A ranks Kerberos and PKI equally (1) ahead of Password (2), and AES (1) ahead of Blowfish (2). B ranks Kerberos (1), PKI (2), Password (3), and AES (1), 3DES (2), Blowfish (3). The two authentication orderings are drawn as diagrams over Kerberos, PKI and Password]

  25. Policy Reconciliation With Preferences
  [Figure: the Authentication branch of Sub-schema A, Sub-schema B and the Reconciled Policy Schema, each with its ordering over Kerberos, PKI and Password. Preference A: Kerberos and PKI both ahead of Password. Preference B: Kerberos, then PKI, then Password. Reconciled Preference: Kerberos (1), PKI (2), Password (3)]

  26. Policy Reconciliation
  [Figure: Sub-schema A and Sub-schema B with their preference ranks, and the Reconciled Policy below them. Reconciled Policy: Authentication with Kerberos (1), PKI (2), Password (3); Encryption with AES (1), Blowfish (2), both with CBC; Integrity with HMAC and SHA1 (1)]

  27. Policy Instantiation
  [Figure: the Reconciled Policy (Kerberos, PKI, Password; AES-CBC, Blowfish-CBC; HMAC-SHA1) and two instances derived from it. Policy Instance 1, the most preferred instance: Kerberos, AES-CBC, HMAC-SHA1. Policy Instance 2: Kerberos, Blowfish-CBC, HMAC-SHA1]

  28. Policy Reconciliation—Summary
  [Figure: the schema gives rise to one policy sub-schema per participant; the Policy Reconciliation Engine takes the sub-schemas and produces the Reconciled Policy Schema, from which policy instances are derived]
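The pipeline of this summary slide, worked through as an added example in Python. This is not the PRE code and not the authors' algorithm; it is a toy that follows the slides: a schema of AND/OR nodes, two sub-schemas A and B with the ranks shown on the reconciliation slides, reconciliation of the sub-schemas by intersection, reconciliation of preferences by taking the union of the two partial orders (refused when the union is cyclic), and instantiation by picking a maximal element at every OR node. The dictionary encoding, the names `reconcile_schema`, `reconcile_prefs`, `instantiate` and `reconcile`, and the rule that equal ranks are incomparable are all assumptions of this example.

```python
"""Added example: a toy DAG policy reconciliation engine (not the PRE code).

Schema nodes are AND (keep every child) or OR (choose one child); a policy is a
sub-schema (a subset of the schema's edges); preferences are ranks on the
children of OR nodes, lower rank = more preferred, equal rank = incomparable.
"""

# Constructed schema, following the "Policy Schema" slide. CBC is shared by
# the three ciphers, which is what makes this a DAG rather than a tree.
SCHEMA = {
    "root": ("AND", ["Authentication", "Encryption", "Integrity"]),
    "Authentication": ("OR", ["Kerberos", "PKI", "Password"]),
    "Encryption": ("OR", ["AES", "3DES", "Blowfish"]),
    "AES": ("AND", ["CBC"]), "3DES": ("AND", ["CBC"]), "Blowfish": ("AND", ["CBC"]),
    "Integrity": ("AND", ["HMAC"]),
    "HMAC": ("OR", ["MD5", "SHA1"]),
}

def kind(node):
    """AND, OR, or LEAF (mechanisms such as Kerberos have no schema entry)."""
    return SCHEMA[node][0] if node in SCHEMA else "LEAF"

# Constructed sub-schemas A and B ({node: kept children}) and preferences
# ({or_node: {child: rank}}) mirroring the reconciliation slides.
POLICY_A = {"root": ["Authentication", "Encryption", "Integrity"],
            "Authentication": ["Kerberos", "PKI", "Password"],
            "Encryption": ["AES", "Blowfish"], "AES": ["CBC"], "Blowfish": ["CBC"],
            "Integrity": ["HMAC"], "HMAC": ["MD5", "SHA1"]}
PREF_A = {"Authentication": {"Kerberos": 1, "PKI": 1, "Password": 2},
          "Encryption": {"AES": 1, "Blowfish": 2}, "HMAC": {"MD5": 1, "SHA1": 1}}
POLICY_B = {"root": ["Authentication", "Encryption", "Integrity"],
            "Authentication": ["Kerberos", "PKI", "Password"],
            "Encryption": ["AES", "3DES", "Blowfish"],
            "AES": ["CBC"], "3DES": ["CBC"], "Blowfish": ["CBC"],
            "Integrity": ["HMAC"], "HMAC": ["SHA1"]}
PREF_B = {"Authentication": {"Kerberos": 1, "PKI": 2, "Password": 3},
          "Encryption": {"AES": 1, "3DES": 2, "Blowfish": 3}, "HMAC": {"SHA1": 1}}

def reconcile_schema(p, q, node="root"):
    """Intersect two sub-schemas below `node`. Returns the reconciled
    sub-schema, or None when the two parties cannot both satisfy `node`."""
    if kind(node) == "LEAF":
        return {}
    result, kept = {}, []
    for child in [c for c in p.get(node, []) if c in q.get(node, [])]:
        sub = reconcile_schema(p, q, child)
        if sub is None:
            if kind(node) == "AND":
                return None       # a required component cannot be agreed on
            continue              # an OR alternative simply drops out
        kept.append(child)
        result.update(sub)
    if kind(node) == "AND" and len(kept) != len(SCHEMA[node][1]):
        return None               # a required child is missing on one side
    if kind(node) == "OR" and not kept:
        return None               # no alternative is acceptable to both
    result[node] = kept
    return result

def strict_pairs(ranks, allowed):
    """Ranks -> strict partial order {(better, worse)} over the kept children."""
    return {(a, b) for a in allowed for b in allowed
            if a in ranks and b in ranks and ranks[a] < ranks[b]}

def transitive_closure(pairs):
    closed = set(pairs)
    while True:
        extra = {(a, d) for (a, b) in closed for (c, d) in closed if b == c} - closed
        if not extra:
            return closed
        closed |= extra

def reconcile_prefs(schema, pref_p, pref_q):
    """Union both partial orders at every OR node and close transitively.
    A cycle means the parties disagree, so reconciliation is refused."""
    out = {}
    for node, children in schema.items():
        if kind(node) != "OR":
            continue
        closed = transitive_closure(strict_pairs(pref_p.get(node, {}), children)
                                    | strict_pairs(pref_q.get(node, {}), children))
        if any(a == b for a, b in closed):
            raise ValueError(f"conflicting preferences at {node}")
        out[node] = closed
    return out

def instantiate(schema, prefs, node="root"):
    """Most preferred instance: at each OR node pick a maximal element of the
    reconciled order (name order breaks ties). Returns the set of chosen nodes."""
    if kind(node) == "LEAF":
        return {node}
    if kind(node) == "AND":
        return {node}.union(*(instantiate(schema, prefs, c) for c in schema[node]))
    dominated = {worse for _, worse in prefs.get(node, set())}
    best = sorted(c for c in schema[node] if c not in dominated)[0]
    return {node} | instantiate(schema, prefs, best)

def reconcile(pa, prefa, pb, prefb):
    """Sub-schemas -> reconciled schema -> reconciled preferences -> instance."""
    schema = reconcile_schema(pa, pb)
    if schema is None:
        return None
    return instantiate(schema, reconcile_prefs(schema, prefa, prefb))

if __name__ == "__main__":
    print(sorted(reconcile(POLICY_A, PREF_A, POLICY_B, PREF_B)))
```

With A and B as above the result is the most preferred instance of the instantiation slide: Kerberos, AES with CBC, HMAC with SHA1. Two outcomes the slides only mention in passing are made explicit: if B allowed only MD5 while A allowed only SHA1, the HMAC node would have no common child and `reconcile_schema` returns None all the way up through the AND nodes, so no session policy exists; and if one side ranked Password above Kerberos while the other ranked Kerberos above Password, the union of the two orders would be cyclic and `reconcile_prefs` refuses rather than silently picking a winner.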

  29. Implementation
  • Policy Reconciliation Engine (PRE)
    • See http://www.cs.wisc.edu/~hbwang/PRE/tr1499.pdf for details
    • Code available at http://www.cs.wisc.edu/~hbwang/PRE
  • Integrated with Condor, a high-throughput distributed system
    • http://www.cs.wisc.edu/condor

  30. Conclusion
  • We demonstrated a graph-based algorithm for policy reconciliation
    • Exposes the structure of policies
    • Is concise and efficient
    • Handles policies with preferences
    • Models dependencies within each policy
