Computer Science 725 – Software Security Presentation: “Decentralized Trust Management”

M. Blaze, J. Feigenbaum, J. Lacy, IEEE Symposium on Security and Privacy, pp. 164-173, 1996. http://ieeexplore.ieee.org/iel3/3742/10940/00502679.pdf

Upload: liliana-rogers

Post on 16-Jan-2016


TRANSCRIPT

Page 1: Computer Science 725 – Software Security Presentation

“Decentralized Trust Management”
M. Blaze, J. Feigenbaum, J. Lacy,
IEEE Symposium on Security and Privacy, pp. 164-173, 1996.
http://ieeexplore.ieee.org/iel3/3742/10940/00502679.pdf

Page 2: Summary

Identify Trust Management as a distinct and important component in network security
Review of 2 existing systems
Present a new comprehensive approach to this problem
Describe a prototype (PolicyMaker) which implements this new approach

Page 3: What is Trust Management?

Policy (a banking system requires at least k officers to approve a loan of $10,000)
Credentials (enable an employee to prove he can be counted as 1 out of k approvers)
Trust (enable the bank to specify who may issue such credentials)

(Slide figure: public-key labels only)

Page 4: Principles of our approach

Unified mechanism
• A common language is provided for policies, credentials, and relationships
Flexibility
• The system is rich enough to support potentially complex relationships in large networks
Locality of control
• Each party in the network can independently decide whether to accept the credentials presented
Separation of mechanism from policy
• The mechanisms for verification do not depend on the credentials themselves

Page 5: Review of Existing Systems

What are some potential issues with this system?

PGP framework uses “key certificates” in which trusted third parties (C, D) sign copies of a public key to be distributed
X.509 framework uses a similar system, but also postulates that public keys are only obtained from official “certifying authorities” (C, D)

(Slide figure: B specifies trust; Public Key signed by C; Public Key signed by D; etc.; B accepts Public Key if its trust value is high enough)

Page 6: PolicyMaker Approach

1. Obtain certificates, verify signatures on certificates and on application request, determine public key of original signer(s)
2. Verify that certificates are unrevoked
3. Find “trust path” from trusted certifier to certificate of public key in question
4. Extract names from certificates
5. Look up names in database that maps names to the actions that they are trusted to perform
6. Determine whether requested action is legal, based on the names extracted from certificates and whether the certification authorities are permitted to authorize such actions according to local policy.
7. Proceed if everything appears valid

PolicyMaker: Submit request, certificates, and description of local policy to local “trust management engine”

Page 7: The PolicyMaker System

What are some potential issues with this system?

An independent trust management engine to be used either as a linked library (within systems) or daemon (background application)
Called using action query strings
Extendable to allow for external verification of signatures
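To make the bank example of page 3 and the engine of pages 6 and 7 concrete, here is an added toy trust-management engine in Python; it is not PolicyMaker's code and not from the paper or the slides. It assumes constructed issuer names and a constructed local policy, and it simulates signatures with HMAC under per-issuer secrets where a real engine would verify public-key signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-issuer secrets standing in for key pairs; a real engine would
# verify public-key signatures here (step 1 on the slide).
ISSUER_SECRETS = {"HR-dept": b"hr-secret", "Branch-mgr": b"mgr-secret"}
# Constructed local policy: only HR-dept may certify officers, and a loan of
# $10,000 or more needs k = 2 distinct officers to approve it.
POLICY = {"officer_issuers": {"HR-dept"}, "threshold": 10_000, "k": 2}

@dataclass(frozen=True)
class Credential:
    issuer: str     # who vouches
    subject: str    # who is vouched for
    assertion: str  # what is claimed, e.g. "officer"
    signature: str

def _mac(secret, cred_fields):
    return hmac.new(secret, "|".join(cred_fields).encode(), hashlib.sha256).hexdigest()

def issue(issuer, subject, assertion):
    """Issuer signs a credential (simulated signature)."""
    return Credential(issuer, subject, assertion,
                      _mac(ISSUER_SECRETS[issuer], (issuer, subject, assertion)))

def signature_valid(cred):
    secret = ISSUER_SECRETS.get(cred.issuer)
    if secret is None:  # unknown issuer: nothing to verify against
        return False
    expected = _mac(secret, (cred.issuer, cred.subject, cred.assertion))
    return hmac.compare_digest(expected, cred.signature)

def evaluate(query, credentials, policy=POLICY):
    """Decide an action query string such as
    'approve-loan amount=10000 approvers=alice,bob' against the local policy."""
    action, *fields = query.split()
    args = dict(f.split("=", 1) for f in fields if "=" in f)
    if action != "approve-loan":
        return False  # the policy says nothing about other actions
    amount = int(args.get("amount", "0"))
    approvers = set(filter(None, args.get("approvers", "").split(",")))
    needed = policy["k"] if amount >= policy["threshold"] else 1
    # Trust: an "officer" credential counts only if it verifies and comes from
    # an issuer the local policy trusts to certify officers.
    officers = {c.subject for c in credentials
                if c.assertion == "officer" and signature_valid(c)
                and c.issuer in policy["officer_issuers"]}
    return len(approvers & officers) >= needed
```

The engine never consults a name database: the request, the credentials and the local policy are all it needs, which is the separation the slides describe.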

Page 8: Comments

The idea behind this paper is good
• Encapsulation of trust management
• Better security provided by consolidated system
The idea presented is more difficult to implement
• Dedicated trust management engine and parser is more difficult to implement than certificate based system
• Only applicable to large commercial applications
Prototype is already made.

Questions?