Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002.

Slides:



Advertisements
Similar presentations
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Advertisements

1. An Overview of Prolog.
Functional Maths Skills Learner Issues Su Nicholson Principal Examiner for Functional Maths Edexcel Resources produced as part of LSIS funded project.
Binder: A logic-based security language John DeTreville, Microsoft What has this to do with building secure software? I think we need many collaborating.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
CHAPTER 1: AN OVERVIEW OF COMPUTERS AND LOGIC. Objectives 2  Understand computer components and operations  Describe the steps involved in the programming.
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
8.2 Discretionary Access Control Models Weiling Li.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Active Directory: Final Solution to Enterprise System Integration
Ch1: File Systems and Databases Hachim Haddouti
©Silberschatz, Korth and Sudarshan1.1Database System Concepts Chapter 1: Introduction Purpose of Database Systems View of Data Data Models Data Definition.
Chapter 4: Database Management. Databases Before the Use of Computers Data kept in books, ledgers, card files, folders, and file cabinets Long response.
1 © Prentice Hall, 2002 The Client/Server Database Environment.
Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.
Chapter 1 Introduction to Databases
CSC 351 FUNDAMENTALS OF DATABASE SYSTEMS
The Client/Server Database Environment
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Chapter 1 Database Systems. Good decisions require good information derived from raw facts Data is managed most efficiently when stored in a database.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
Lecture 2 The Relational Model. Objectives Terminology of relational model. How tables are used to represent data. Connection between mathematical relations.
MBA 664 Database Management Systems Dave Salisbury ( )
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely presents:
Designing Active Directory for Security
Presented by Amlan B Dey.  Access control is the traditional center of gravity of computer security.  It is where security engineering meets computer.
©Ian Sommerville 2000 Software Engineering, 6th edition. Slide 1 Component-based development l Building software from reusable components l Objectives.
Organizing Data and Information AD660 – Databases, Security, and Web Technologies Marcus Goncalves Spring 2013.
CODD’s 12 RULES OF RELATIONAL DATABASE
Lecture On Introduction (DBMS) By- Jesmin Akhter Assistant Professor, IIT, Jahangirnagar University.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 5: Active Directory Logical Design.
Design Pattern Interpreter By Swathi Polusani. What is an Interpreter? The Interpreter pattern describes how to define a grammar for simple languages,
T 7.0 Chapter 7: Questioning for Inquiry Chapter 7: Questioning for Inquiry Central concepts:  Questioning stimulates and guides inquiry  Teachers use.
RELATIONAL FAULT TOLERANT INTERFACE TO HETEROGENEOUS DISTRIBUTED DATABASES Prof. Osama Abulnaja Afraa Khalifah
Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
1 Relational Databases and SQL. Learning Objectives Understand techniques to model complex accounting phenomena in an E-R diagram Develop E-R diagrams.
ECE450 - Software Engineering II1 ECE450 – Software Engineering II Today: Design Patterns IX Interpreter, Mediator, Template Method recap.
The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Matej Bel University Cascaded signatures Ladislav Huraj Department of Computer Science Faculty of Natural Sciences Matthias Bel University Banska Bystrica.
AL-MAAREFA COLLEGE FOR SCIENCE AND TECHNOLOGY INFO 232: DATABASE SYSTEMS CHAPTER 1 DATABASE SYSTEMS Instructor Ms. Arwa Binsaleh.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Non-interference in Constructive Authorization Logic Deepak Garg and Frank Pfenning Carnegie Mellon University.
SecPAL Presented by Daniel Pechulis CS5204 – Operating Systems1.
Metadata By N.Gopinath AP/CSE Metadata and it’s role in the lifecycle. The collection, maintenance, and deployment of metadata Metadata and tool integration.
Mr.Prasad Sawant, MIT Pune India Introduction to DBMS.
Copyright (c) 2014 Pearson Education, Inc. Introduction to DBMS.
Yr 7.  Pupils use mathematics as an integral part of classroom activities. They represent their work with objects or pictures and discuss it. They recognise.
Artificial Intelligence: Research and Collaborative Possibilities a presentation by: Dr. Ernest L. McDuffie, Assistant Professor Department of Computer.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
CSC 351 FUNDAMENTALS OF DATABASE SYSTEMS. LECTURE 1: INTRODUCTION TO DATABASES.
Lecture On Introduction (DBMS) By- Jesmin Akhter Assistant Professor, IIT, Jahangirnagar University.
Enable Semantic Interoperability for Decision Support and Risk Management Presented by Dr. David Li Key Contributors: Dr. Ruixin Yang and Dr. John Qu.
ASET 1 Amity School of Engineering & Technology B. Tech. (CSE/IT), III Semester Database Management Systems Jitendra Rajpurohit.
#1 Make sense of problems and persevere in solving them How would you describe the problem in your own words? How would you describe what you are trying.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
IT 5433 LM1. Learning Objectives Understand key terms in database Explain file processing systems List parts of a database environment Explain types of.
Foundations of information systems : BIS 1202 Lecture 4: Database Systems and Business Intelligence.
E-commerce Architecture Ayşe Başar Bener. Client Server Architecture E-commerce is based on client/ server architecture –Client processes requesting service.
Chapter 1 Overview of Databases and Transaction Processing.
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
Anupam Joshi University of Maryland, Baltimore County Joint work with Tim Finin and several students Computational/Declarative Policies.
Decentralized Access Control: Policy Languages and Logics
Introduction to Algorithms
What is a CAT? What is a CAT?.
Chapter 9: The Client/Server Database Environment
The Client/Server Database Environment
Business Process Management
Introduction to Algorithms
Chapter 1 Database Systems
Presentation transcript:

Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002

Making certificates programmable2 Why haven’t PKIs “happened yet”? “To a large extent, the hoped-for public key infrastructure has not ‘happened yet.’ PKI for large, eclectic populations has not materialized; PKI for smaller, less diverse ‘enterprise’ populations is beginning to emerge, but at a slower rate than many would like or had expected.” We argue a structural reason, based on the restricted expressiveness of current PKIs

Making certificates programmable3 How expressive are certificates? Current certificates—X.509, SDSI/SPKI, etc.—are limited in their expressiveness Many interesting relations are inexpressible It is currently too hard to build a PKI from small, loosely-coupled parts  This restricts the global PKI ecosystem Open systems need open certificates We must reduce the barriers to entry “Every message should say what it means: the interpretation of a message should depend only on its content. It should be possible to write down a straightforward English sentence describing the content.” [Abadi & Needham 1996]

Making certificates programmable4 How expressive should certificates be? The expressiveness of our certificates is a cause for concern If our certificates are highly regular data structures that can work together only in a few restricted ways, it might be impossible to state a rich variety of relations This may be an advantage in some contexts Open systems need open certificates

Making certificates programmable5 Security languages Security languages encode security statements (e.g., certificates) as schematized data structures, like ACLs or X.509 certificates The schema and its accompanying decision procedure define a security language Our certificates, policies, and ACLs are formed from security statements written in our security language and interpreted by its decision procedure Most security languages are ad hoc and task- specific

Making certificates programmable6 Example 1: simple client ACL Bill, read Steve, read John, read/write request response service resource

Making certificates programmable7 Example 2: more complex request response Rick ACL Bill, read Steve, read John, read/write MSR, read service resource local policy MS HR can say who’s in MSR certificate Rick is in MSR (signed, MS HR)

Making certificates programmable8 certificate Bill is Rick’s boss (signed, MS HR) Example 3: too complex request response Rick ACL Bill, read Steve, read John, read/write MSR, read, if boss says so service resource local policy MS HR can say who’s in MSR, who’s whose boss certificate Rick is in MSR (signed, MS HR) certificate Rick can read it (signed, Bill)

Making certificates programmable9 Open systems need open security languages For a closed system with known requirements, we can choose a minimalist security language, closely matched to our needs For an open system to be used in unexpected ways and to evolve in unknown directions, we must make our language more expressive An open distributed system with multiple administrative domains will have multiple interoperating policies Independent security policies must interoperate fluidly and efficiently and correctly

Making certificates programmable10 More expressiveness is good The more expressive our security language, the easier it is say the wrong thing Of all the possible security relations among clients, services, and resources, which can we model? And perhaps most importantly, of all the simple relations, which ones can we model simply? Open systems need open security languages Our language is declarative Multiple policies must interoperate fluidly and efficiently and correctly Our language is PTIME-complete

Making certificates programmable11 A hypothetical centralized system with maximal expressiveness We might imagine storing all our security statements as data in a single shared, centralized database, and using database queries to answer our access control questions Given a particular request, we would construct an appropriate query to discover whether the principal issuing the request should be allowed to access the resource named

Making certificates programmable12 A hypothetical central database

Making certificates programmable13 Using a relational database to represent state and logic The central authorization database contains tables and views Tables store data Views are defined in terms of data that appear in tables and other views We can define the database views and queries in terms of relational algebra, which operates on tables and views using operators like select, project, and join We can also define them in terms of the logic- programming language datalog

Making certificates programmable14 Authorization via tables and views

Making certificates programmable15 Distributed logic programming We extend datalog with authenticated communication across a distributed environment export import context 1 statement context 2 context 1 says, statement certificate statement (signed,context 1) employee(john, msr). employee(john, msr) (signed, ms_hr). ms_hr says employee(john, msr).

Making certificates programmable16 Example 1

Making certificates programmable17 Example 1 in datalog #English statementdatalog statement 1“Bill can read R” can(bill, read, r). 2“Steve can read R” can(steve, read, r). 3“John can read and write R” can(john, read, r). can(john, write, r).

Making certificates programmable18 Example 2

Making certificates programmable19 Example 2 in datalog #English statementdatalog statement 1“Bill can read R” can(bill, read, r). 2“Steve can read R” can(steve, read, r). 3“John can read and write R” can(john, read, r). can(john, write, r). 4“Members of MSR can read R” can(X, read, r) :- member(X, msr).

Making certificates programmable20 Example 2 in datalog (continued) #English statement datalog statement 5“MS HR can say who’s in MSR” member(X, msr) :- ms_hr says member(X, msr).

Making certificates programmable21 Example 2 in datalog (continued) #English statement datalog statement 6“Rick is in MSR” member(rick, msr). (at MS HR, before export) ms_hr says member(rick, msr). (at service, after import)

Making certificates programmable22 Example 3

Making certificates programmable23 Example 3 in datalog #English statementdatalog statement 1“Bill can read R” can(bill, read, r). 2“Steve can read R” can(steve, read, r). 3“John can read and write R” can(john, read, r). can(john, write, r). 4“Members of MSR can read R if their boss says so” can(X, read, r) :- member(X, msr), boss(B, X), B says can(X, read, r).

Making certificates programmable24 Example 3 in datalog (continued) #English statement datalog statement 5“MS HR can say who’s in MSR” member(X, msr) :- ms_hr says member(X, msr).

Making certificates programmable25 Example 3 in datalog (continued) #English statement datalog statement 6“MS HR can say who’s whose boss” boss(B, X) :- ms_hr says boss(B, X).

Making certificates programmable26 Example 3 in datalog (continued) #English statement datalog statement 7“Rick is in MSR” member(rick, msr). (at MS HR, before export) ms_hr says member(rick, msr). (at service, after import)

Making certificates programmable27 Example 3 in datalog (continued) #English statement datalog statement 8“Bill is Rick’s boss” boss(bill, rick). (at MS HR, before export) ms_hr says boss(bill, rick). (at service, after import)

Making certificates programmable28 Example 3 in datalog (continued) #English statement datalog statement 9“Rick can read R” can(rick, read, r). (at Bill, before export) bill says can(rick, read, r). (at service, after import)

Making certificates programmable29 Indirection It is a folk theorem that any problem in computing can be solved by adding another level of indirection We reify tables and views and services References to public keys need not be constant, but can themselves be drawn from tables and views. Allowing views in one service to refer to tables or views in another allows the PKI designer to use an arbitrary number of levels of indirection This will be a powerful technique, and it can make explicit and extend many security assumptions that would otherwise be wired into the system architecture

Making certificates programmable30 Trust Delegation and trust are the tools for the indirection of security decisions in traditional security systems We model delegation and trust using the controlled import of datalog statements and rules One service trusts another if its views depend on tables or views from that other service For example, chains of delegation are modeled as chainable import rules Because the database can hold the names of services (e.g., their public keys), we can organize services into groups or other more complex relations We can have a table or view of which services “trust” which others

Making certificates programmable31 Conclusions and future work Most security languages to date have been ad hoc and task-specific Certificates can be made more expressive and precise using program code written in an enhanced relational algebra or datalog The choice of a security language involves an engineering tradeoff between increasing generality and maintaining usability Indirection is a tool Open systems need open security languages Security statements should be expressible in English

Making certificates programmable32 

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.