S4 03Dwaine Clarke


Published on December 25, 2007

Author: Dixon

Source: authorstream.com

Content

Security Protocols in Automation

Dwaine Clarke
[email protected]
MIT Laboratory for Computer Science
January 8, 2002

With help from: Matt Burnside, Todd Mills, Andrew Maywah, Srinivas Devadas, Ronald Rivest

Overview

- Problem Description
- SPKI/SDSI Introduction
- Name Certificate
- Authorization Certificate
- Proxy-to-Proxy protocol
- Examples
- Status
- Questions

Problem: Proxy to Proxy Security

- All proxies talk to each other with the same protocol

SPKI/SDSI Introduction (Simple Public-Key Infrastructure/Simple Distributed Security Infrastructure)

- Build secure distributed computing systems
- Access control over the network
- Simple, flexible, trust policy model with specific authorizations
- Fine-grained access control
- Scalable infrastructure

SPKI/SDSI Introduction (Simple Public-Key Infrastructure/Simple Distributed Security Infrastructure)

- Designed by Ron Rivest, Butler Lampson and Carl Ellison
- Each public key is a CA
- Name certificate: defines a name in issuer’s name space
- Authorization certificate: grants a specific authorization from issuer to subject

SPKI/SDSI: Name Certificates

- Local name spaces
- Groups

SPKI/SDSI: Name Certificate

    (cert
      (issuer
        (name
          (public-key
            (rsa-pkcs1-md5
              (e #23#)
              (n |AMMgMuKpqK13pHMhC8kuxaSeCo+yt8TadcgnG8bEo+erdrSBveY3C
                  MBkkZqrM0St4KkmMuHMXhsp5FX71XBiVW1+JGCBLfI7hxWDZCxGTMg
                  bR4Fk+ctyUxIv3CQ93uYVkg9ca6awCxtS0EI7sLuEB+HKuOLjzTsH+
                  +Txw9NAHq4r|)))
          friends))
      (subject
        (public-key
          (rsa-pkcs1-md5
            (e #23#)
            (n |AKg3tOzoJ5PGQ5q9jzxzwxE8o6bIZ6/cE8gEL+1xJa23viE3bz68ru
                hpD5muqJ+uyDCNxgAZ0JVXJazmX1QjiGudj9kEmuni8gJRLZRu0T5E3
                K7OU2dodu0kdDg32kym7+ooZNe/F0zWGekfESeezyQ25kvNO3XQvMHX
                afWcYjRw|)))))

SPKI/SDSI: Authorization Model

- Simple trust policy model
- Authorizations specified in flexible, user-defined tags
- Authorizations can be defined as specific or as general as the user desires
- Delegation (specific)

SPKI/SDSI: Authorization Certificate

    (cert
      (issuer
        (public-key
          (rsa-pkcs1-md5
            (e #23#)
            (n |AMMgMuKpqK13pHMhC8kuxaSeCo+yt8TadcgnG8bEo+erdrSBveY3C
                MBkkZqrM0St4KkmMuHMXhsp5FX71XBiVW1+JGCBLfI7hxWDZCxGTMg
                bR4Fk+ctyUxIv3CQ93uYVkg9ca6awCxtS0EI7sLuEB+HKuOLjzTsH+
                +Txw9NAHq4r|))))
      (subject
        (public-key
          (rsa-pkcs1-md5
            (e #23#)
            (n |AKg3tOzoJ5PGQ5q9jzxzwxE8o6bIZ6/cE8gEL+1xJa23viE3bz68ru
                hpD5muqJ+uyDCNxgAZ0JVXJazmX1QjiGudj9kEmuni8gJRLZRu0T5E3
                K7OU2dodu0kdDg32kym7+ooZNe/F0zWGekfESeezyQ25kvNO3XQvMHX
                afWcYjRw|))))
      (tag (http (* set GET POST)
                 (* prefix http://ostrich.lcs.mit.edu/demo/)))
      (propagate))

SPKI/SDSI: Tag

    (tag (http (* set GET POST)
               (* prefix http://ostrich.lcs.mit.edu/demo/)))

Intuitively, a tag is a set of requests.

Proxy to Proxy

Alice (Client Proxy):
- Da (private key)
- Ea (public key)
- Alice’s client certs
- List of CA certs

Bob (Server Proxy):
- Db (private key)
- Eb (public key)
- ACL
- Server certs

Initialization: Set up SSL connection:
- Server auth
- Session key for privacy
- Freshness
- Protection from MIM

Proxy to Proxy
Case 1: user’s key is directly on the ACL

Alice (Client):
- Da (private key)
- Ea (public key)
- Alice’s client certs
- List of CA certs

Bob (Server):
- Db (private key)
- Eb (public key)
- ACL
- Server certs

Diagram labels:
- [tag]Da
- Response

ACL: {Ec, Eb, Ea}

Proxy to Proxy
Case 2: user’s key is “indirectly” on the ACL

- Client performs certificate chain discovery.
- Server verifies certificate chain.

ACL: {‘Eb friends’}

Certificate Chaining Example

- Bob’s ACL says only MIT faculty are allowed to access his server.
- Alice’s first request is simply signed with Alice’s key, and Bob rejects this request.
- Alice’s second request contains a chain consisting of the following certificates:
  - A certificate saying she is an LCS Professor
  - A second certificate saying LCS Professors are MIT faculty

Certificate Chain Discovery (Client Proxy)

Derive certificate chains

- Input: device’s ACL, requestor’s public key, requestor’s set of signed certificates, tag
- Output: a chain of certificates leading from an entry on the ACL to the requestor’s public key. (The certificate chain consists of signed certificates. It proves that the requestor is authorized to perform the tag’s operations on the device.)

* Recall, intuitively, a tag is a set of requests.

Certificate Chain Verification (Server Proxy)

Verify certificate chains

- Input: device’s ACL, requestor’s public key, requestor’s certificate chain, tag
- Output: 1 if certificate chain proves that the public key is authorized to perform the tag’s operations on the device; 0 otherwise.

Proxy to Proxy
Case 2 revisited: user’s key is “indirectly” on the ACL

Alice (Client Proxy):
- Da (private key)
- Ea (public key)
- Alice’s client certs
- List of CA certs

Bob (Server Proxy):
- Db (private key)
- Eb (public key)
- ACL
- Server certs

Diagram labels:
- [tag]Da
- Rejected:
- [tag]Da, certs
- ACL

- Signed request provides proof of authenticity of the request
- Certificate chain provides proof that the request is authorized

Example: Public resource

- Mary wants to turn on/off a public light switch.
- Light switch’s proxy may require requests to be signed for auditing purposes.

Example: user’s key directly on ACL

- Mary wants to log into an account on a dialup machine.

ACL: {Ec, Ef, Em}

Example: user’s key is indirectly on ACL

- Mary wants to play music on John’s speaker.

ACL: {‘Ej friends’}

Summary: Issues we are dealing with

- Specifying, granting, delegating and revoking authorizations
- Creating, maintaining and auditing groups
- Attribute searching
- Facilitating scalability
- Designing simple, user-friendly systems

Questions?
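The chain-linking step of the server proxy's certificate chain verification, worked through for the MIT faculty example above. This is an added example, not code from the slides or from the SPKI/SDSI project. Assumptions: the key names (`K_mit`, `K_lcs`, `K_alice`, `K_mallory`) are constructed placeholders, ACL entries carry a granted tag next to the subject, and the signatures on the request and on every certificate have already been checked.

```python
# Added example: toy SPKI/SDSI chain verification. Key names are constructed
# placeholders; certificate and request signatures are assumed already checked.
from typing import NamedTuple, Union

class Name(NamedTuple):        # local name "<key> <ident>", e.g. 'Eb friends'
    key: str
    ident: str

Subject = Union[str, Name]     # either a bare public key or a local name

class NameCert(NamedTuple):    # issuer defines <issuer> <ident> as subject
    issuer: str
    ident: str
    subject: Subject

def tag_covers(granted, request):
    """granted = (allowed methods, URL prefix); request = (method, URL)."""
    methods, prefix = granted
    method, url = request
    return method in methods and url.startswith(prefix)

def verify_chain(acl, requestor_key, chain, request):
    """Return 1 if the chain proves requestor_key may make request, else 0."""
    for subject, granted in acl:
        if not tag_covers(granted, request):
            continue
        current, ok = subject, True
        for cert in chain:
            # Each cert must define exactly the name currently being resolved.
            if not (isinstance(current, Name)
                    and (cert.issuer, cert.ident) == current):
                ok = False
                break
            current = cert.subject
        if ok and current == requestor_key:
            return 1
    return 0

# Constructed sample data: Bob's ACL admits 'K_mit faculty' for the demo tag.
PREFIX = "http://ostrich.lcs.mit.edu/demo/"
ACL = [(Name("K_mit", "faculty"), ({"GET", "POST"}, PREFIX))]
CHAIN = [NameCert("K_mit", "faculty", Name("K_lcs", "professor")),
         NameCert("K_lcs", "professor", "K_alice")]
REQ = ("GET", PREFIX + "index.html")

if __name__ == "__main__":
    print(verify_chain(ACL, "K_alice", [], REQ))     # bare signed request
    print(verify_chain(ACL, "K_alice", CHAIN, REQ))  # request plus chain
```

The prefix test here compares raw strings, so a real server proxy should canonicalize the requested URL before matching it against the tag.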
