Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002."— Presentation transcript:

1 Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002

2 Making certificates programmable2 Why haven’t PKIs “happened yet”? “To a large extent, the hoped-for public key infrastructure has not ‘happened yet.’ PKI for large, eclectic populations has not materialized; PKI for smaller, less diverse ‘enterprise’ populations is beginning to emerge, but at a slower rate than many would like or had expected.” We argue a structural reason, based on the restricted expressiveness of current PKIs

3 Making certificates programmable3 How expressive are certificates? Current certificates—X.509, SDSI/SPKI, etc.—are limited in their expressiveness Many interesting relations are inexpressible It is currently too hard to build a PKI from small, loosely-coupled parts  This restricts the global PKI ecosystem Open systems need open certificates We must reduce the barriers to entry “Every message should say what it means: the interpretation of a message should depend only on its content. It should be possible to write down a straightforward English sentence describing the content.” [Abadi & Needham 1996]

4 Making certificates programmable4 How expressive should certificates be? The expressiveness of our certificates is a cause for concern If our certificates are highly regular data structures that can work together only in a few restricted ways, it might be impossible to state a rich variety of relations This may be an advantage in some contexts Open systems need open certificates

5 Making certificates programmable5 Security languages Security languages encode security statements (e.g., certificates) as schematized data structures, like ACLs or X.509 certificates The schema and its accompanying decision procedure define a security language Our certificates, policies, and ACLs are formed from security statements written in our security language and interpreted by its decision procedure Most security languages are ad hoc and task- specific

6 Making certificates programmable6 Example 1: simple client ACL Bill, read Steve, read John, read/write request response service resource

7 Making certificates programmable7 Example 2: more complex request response Rick ACL Bill, read Steve, read John, read/write MSR, read service resource local policy MS HR can say who’s in MSR certificate Rick is in MSR (signed, MS HR)

8 Making certificates programmable8 certificate Bill is Rick’s boss (signed, MS HR) Example 3: too complex request response Rick ACL Bill, read Steve, read John, read/write MSR, read, if boss says so service resource local policy MS HR can say who’s in MSR, who’s whose boss certificate Rick is in MSR (signed, MS HR) certificate Rick can read it (signed, Bill)

9 Making certificates programmable9 Open systems need open security languages For a closed system with known requirements, we can choose a minimalist security language, closely matched to our needs For an open system to be used in unexpected ways and to evolve in unknown directions, we must make our language more expressive An open distributed system with multiple administrative domains will have multiple interoperating policies Independent security policies must interoperate fluidly and efficiently and correctly

10 Making certificates programmable10 More expressiveness is good The more expressive our security language, the easier it is say the wrong thing Of all the possible security relations among clients, services, and resources, which can we model? And perhaps most importantly, of all the simple relations, which ones can we model simply? Open systems need open security languages Our language is declarative Multiple policies must interoperate fluidly and efficiently and correctly Our language is PTIME-complete

11 Making certificates programmable11 A hypothetical centralized system with maximal expressiveness We might imagine storing all our security statements as data in a single shared, centralized database, and using database queries to answer our access control questions Given a particular request, we would construct an appropriate query to discover whether the principal issuing the request should be allowed to access the resource named

12 Making certificates programmable12 A hypothetical central database

13 Making certificates programmable13 Using a relational database to represent state and logic The central authorization database contains tables and views Tables store data Views are defined in terms of data that appear in tables and other views We can define the database views and queries in terms of relational algebra, which operates on tables and views using operators like select, project, and join We can also define them in terms of the logic- programming language datalog

14 Making certificates programmable14 Authorization via tables and views

15 Making certificates programmable15 Distributed logic programming We extend datalog with authenticated communication across a distributed environment export import context 1 statement context 2 context 1 says, statement certificate statement (signed,context 1) employee(john, msr). employee(john, msr) (signed, ms_hr). ms_hr says employee(john, msr).

16 Making certificates programmable16 Example 1

17 Making certificates programmable17 Example 1 in datalog #English statementdatalog statement 1“Bill can read R” can(bill, read, r). 2“Steve can read R” can(steve, read, r). 3“John can read and write R” can(john, read, r). can(john, write, r).

18 Making certificates programmable18 Example 2

19 Making certificates programmable19 Example 2 in datalog #English statementdatalog statement 1“Bill can read R” can(bill, read, r). 2“Steve can read R” can(steve, read, r). 3“John can read and write R” can(john, read, r). can(john, write, r). 4“Members of MSR can read R” can(X, read, r) :- member(X, msr).

20 Making certificates programmable20 Example 2 in datalog (continued) #English statement datalog statement 5“MS HR can say who’s in MSR” member(X, msr) :- ms_hr says member(X, msr).

21 Making certificates programmable21 Example 2 in datalog (continued) #English statement datalog statement 6“Rick is in MSR” member(rick, msr). (at MS HR, before export) ms_hr says member(rick, msr). (at service, after import)

22 Making certificates programmable22 Example 3

23 Making certificates programmable23 Example 3 in datalog #English statementdatalog statement 1“Bill can read R” can(bill, read, r). 2“Steve can read R” can(steve, read, r). 3“John can read and write R” can(john, read, r). can(john, write, r). 4“Members of MSR can read R if their boss says so” can(X, read, r) :- member(X, msr), boss(B, X), B says can(X, read, r).

24 Making certificates programmable24 Example 3 in datalog (continued) #English statement datalog statement 5“MS HR can say who’s in MSR” member(X, msr) :- ms_hr says member(X, msr).

25 Making certificates programmable25 Example 3 in datalog (continued) #English statement datalog statement 6“MS HR can say who’s whose boss” boss(B, X) :- ms_hr says boss(B, X).

26 Making certificates programmable26 Example 3 in datalog (continued) #English statement datalog statement 7“Rick is in MSR” member(rick, msr). (at MS HR, before export) ms_hr says member(rick, msr). (at service, after import)

27 Making certificates programmable27 Example 3 in datalog (continued) #English statement datalog statement 8“Bill is Rick’s boss” boss(bill, rick). (at MS HR, before export) ms_hr says boss(bill, rick). (at service, after import)

28 Making certificates programmable28 Example 3 in datalog (continued) #English statement datalog statement 9“Rick can read R” can(rick, read, r). (at Bill, before export) bill says can(rick, read, r). (at service, after import)

29 Making certificates programmable29 Indirection It is a folk theorem that any problem in computing can be solved by adding another level of indirection We reify tables and views and services References to public keys need not be constant, but can themselves be drawn from tables and views. Allowing views in one service to refer to tables or views in another allows the PKI designer to use an arbitrary number of levels of indirection This will be a powerful technique, and it can make explicit and extend many security assumptions that would otherwise be wired into the system architecture

30 Making certificates programmable30 Trust Delegation and trust are the tools for the indirection of security decisions in traditional security systems We model delegation and trust using the controlled import of datalog statements and rules One service trusts another if its views depend on tables or views from that other service For example, chains of delegation are modeled as chainable import rules Because the database can hold the names of services (e.g., their public keys), we can organize services into groups or other more complex relations We can have a table or view of which services “trust” which others

31 Making certificates programmable31 Conclusions and future work Most security languages to date have been ad hoc and task-specific Certificates can be made more expressive and precise using program code written in an enhanced relational algebra or datalog The choice of a security language involves an engineering tradeoff between increasing generality and maintaining usability Indirection is a tool Open systems need open security languages Security statements should be expressible in English

32 Making certificates programmable32 

Download ppt "Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002."

Similar presentations

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
1. An Overview of Prolog.

1. An Overview of Prolog.
Functional Maths Skills Learner Issues Su Nicholson Principal Examiner for Functional Maths Edexcel Resources produced as part of LSIS funded project.

Functional Maths Skills Learner Issues Su Nicholson Principal Examiner for Functional Maths Edexcel Resources produced as part of LSIS funded project.
Binder: A logic-based security language John DeTreville, Microsoft What has this to do with building secure software? I think we need many collaborating.

Binder: A logic-based security language John DeTreville, Microsoft What has this to do with building secure software? I think we need many collaborating.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
CHAPTER 1: AN OVERVIEW OF COMPUTERS AND LOGIC. Objectives 2  Understand computer components and operations  Describe the steps involved in the programming.

CHAPTER 1: AN OVERVIEW OF COMPUTERS AND LOGIC. Objectives 2  Understand computer components and operations  Describe the steps involved in the programming.
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.

How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
8.2 Discretionary Access Control Models Weiling Li.

8.2 Discretionary Access Control Models Weiling Li.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
Ch1: File Systems and Databases Hachim Haddouti

Ch1: File Systems and Databases Hachim Haddouti
©Silberschatz, Korth and Sudarshan1.1Database System Concepts Chapter 1: Introduction Purpose of Database Systems View of Data Data Models Data Definition.

©Silberschatz, Korth and Sudarshan1.1Database System Concepts Chapter 1: Introduction Purpose of Database Systems View of Data Data Models Data Definition.
Chapter 4: Database Management. Databases Before the Use of Computers Data kept in books, ledgers, card files, folders, and file cabinets Long response.

Chapter 4: Database Management. Databases Before the Use of Computers Data kept in books, ledgers, card files, folders, and file cabinets Long response.
1 © Prentice Hall, 2002 The Client/Server Database Environment.

1 © Prentice Hall, 2002 The Client/Server Database Environment.
Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.

Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.
Chapter 1 Introduction to Databases

Chapter 1 Introduction to Databases
CSC 351 FUNDAMENTALS OF DATABASE SYSTEMS

CSC 351 FUNDAMENTALS OF DATABASE SYSTEMS
The Client/Server Database Environment

The Client/Server Database Environment
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Similar presentations

Ads by Google