Query Certificate Manager
Carl A. Gunter, Trevor Jim

Using Certificates (Digital or Otherwise)
- Example: Area 1 parking stickers in Philadelphia.
- Example: mortgage pre-approval.
[Figure: subscriber, issuers and relying party; certificates flow from the issuers, and the subscriber presents a query to the relying party.]

Basic Application-Independent Authorization Architecture
[Figure: architecture components: user, application, policy, retrieval, verification, remote data, public network.]

Domain Specific Languages for Authorization Policies
- 1996: PolicyMaker (M. Blaze, J. Feigenbaum, J. Lacy)
- 1997: Simple Distributed Security Infrastructure (SDSI) (B. Lampson, R. Rivest)
- 1997: Query Certificate Manager (QCM) (C. Gunter, T. Jim)
- 1998: Simple Public Key Infrastructure (SPKI) (C. M. Ellison, B. Frantz, B. Lampson, R. Rivest, B. M. Thomas, T. Ylonen)
- 1998: KeyNote (M. Blaze, J. Feigenbaum, J. Ioannidis, A. D. Keromytis)

Retrieval Challenge
- Describing authorization policy isn't the only problem. How do the subscriber and relying party obtain the certificates relevant to the policy?
- Examples: Entrust, Oscar (LDAP); PGP (key servers).
- Problem: retrieval is not integrated with verification.

Options for Retrieval
- General mirroring by the relying party. (Simple, but limited and inefficient.)
- Individual short-term certificates. (Pressure on the issuer's server.)
- Subscriber submits long-term certificates to the relying party. (Revocation challenge.)

Illustration: QCM Daemon for ABONE Access Control
- ABONE is the active network testbed.
- ACLs at ABONE nodes were initialized by ANETD installation and then managed manually. This was not convenient.
- Now QCMD automatically synchronizes the local ACL with the SRI ACL, which provides the access control policy for all nodes.
- ANETD: 1997, L. Ricciulli. QCMD: 1999, P. Kakkar, M. McDougall, C. A. Gunter, T. Jim.

Requirements Imposed on QCMD
- No changes to ANETD.
- No changes to keys: based on RSA Ref.
- Scalability to 1000 nodes.
- Simple implementation providing basic security.
- Upgrade path to support additional functionality.
QCMD Client Options
- Pull: the node periodically instigates an update by sending a hash of its current ACL. This is compared to the hash of the SRI ACL; an update occurs if they don't match.
- Push: the node registers with the SRI server. The server updates the node initially and whenever the server ACL changes. The server periodically clears the registry; clients periodically re-register.

Implementation and Deployment of QCMD
- Tests with mixed Penn clients and an Aerospace server show 500 nodes are not a problem.
- Deployed on Cairn and the ABONE.

Limitations of QCMD
- Limited integration with ANETD means limited capabilities.
- Individual certificates are not supported.
- Keys must be online.
- Little local autonomy for authorization or retrieval policy.

Query Certificate Manager (QCM)
- QCM is a superset of QCMD.
- Uses a domain-specific language and techniques from distributed databases.
- Integrates authorization policy and the three primary retrieval mechanisms.
- Key concepts: policy-directed certificate retrieval; dynamic channel discovery; chaining (transparent delegation).
- 1998, C. A. Gunter and T. Jim.

Policy-Directed Certificate Retrieval
[Figure: two applications, each with a policy, a verification component and a retrieval-and-distribution component, communicating over a public network.]

QCM Notation
- K$u, pronounced "K's u": K is a principal, u is a global name.
- {(x,y) | x ∈ v, y ∈ K$u}, set comprehension: "all pairs (x,y) such that x is in v and y is in K$u."
- A QCM policy is a list of bindings of global names to sets.

Illustration: Web Filtering in QCM
The browser's policy (ratings are fetched online):

    Browser {
      OK      = { p | (p,"G") <- Ratings };
      Ratings = { x | ("Alice",k) <- PKD, x <- k$Ratings };
      PKD     = Keyserver$PKD;
    }

Challenge of Long-Term Certificates
- Premise: most principals are authorized for a substantial period of time.
- Strategy: issue long-term certificates and revoke privileges for principals as necessary.
- Relying parties must check to see if a certificate has been revoked.
- A window of vulnerability is created.
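The following Python evaluator is an added example, not code from these slides or from the QCM implementation. It runs the web-filtering policy above against a constructed network of principals and records which K$u queries were actually issued, showing that retrieval follows the policy (Alice's key is discovered through Keyserver$PKD, and ratings signed by other keys are never fetched) and that an unanswered query yields the empty set, a lower approximation of the true answer. The principal names Keyserver, K_alice and K_mallory, the rating tuples and the URLs are constructed for the example.

```python
"""Added example: a toy evaluator for QCM-style policies.

A policy is a list of bindings of global names to sets; K$u is a query to
principal K for its name u. Retrieval is policy-directed: K$u is fetched only
when evaluation reaches it, and a certificate that cannot be obtained is
treated as the empty set, a lower approximation of the true answer (the
monotonicity invariant). The network of principals below is constructed."""

from typing import Callable, Dict, List, Optional, Set, Tuple

Binding = Callable[["Evaluator"], Set]
Policy = Dict[str, Binding]          # global name -> how to compute its set


class Evaluator:
    def __init__(self, network: Dict[str, Policy], me: str,
                 reachable: Optional[Set[str]] = None) -> None:
        self.network = network        # constructed: key -> that principal's policy
        self.me = me                  # the relying party running the policy
        self.reachable = reachable    # None: every principal answers queries
        self.queries: List[Tuple[str, str]] = []    # K$u queries actually issued
        self.cache: Dict[Tuple[str, str], Set] = {}

    def local(self, name: str) -> Set:
        """One of the relying party's own bindings."""
        return self._value(self.me, name)

    def remote(self, key: str, name: str) -> Set:
        """K$u: ask principal `key` for its binding of `name` (a certificate)."""
        self.queries.append((key, name))
        return self._value(key, name)

    def _value(self, key: str, name: str) -> Set:
        q = (key, name)
        if q in self.cache:
            return self.cache[q]
        policy = self.network.get(key)
        unreachable = (self.reachable is not None and key != self.me
                       and key not in self.reachable)
        if unreachable or policy is None or name not in policy:
            self.cache[q] = set()     # no certificate: answer with the lower bound, nothing
        else:
            self.cache[q] = set()     # provisional bound while evaluating (cycles stay sound)
            self.cache[q] = set(policy[name](self))
        return self.cache[q]


KEYSERVER, BROWSER, K_ALICE, K_MALLORY = "Keyserver", "Browser", "K_alice", "K_mallory"

# Constructed network. The browser's bindings transcribe the web-filtering policy:
#   OK      = { p | (p,"G") <- Ratings };
#   Ratings = { x | ("Alice",k) <- PKD, x <- k$Ratings };
#   PKD     = Keyserver$PKD;
NETWORK: Dict[str, Policy] = {
    BROWSER: {
        "OK": lambda ev: {p for (p, rating) in ev.local("Ratings") if rating == "G"},
        "Ratings": lambda ev: {x for (who, k) in ev.local("PKD") if who == "Alice"
                               for x in ev.remote(k, "Ratings")},
        "PKD": lambda ev: ev.remote(KEYSERVER, "PKD"),
    },
    # The key server's directory: Alice's key is discovered here, not hard-coded above.
    KEYSERVER: {"PKD": lambda ev: {("Alice", K_ALICE), ("Mallory", K_MALLORY)}},
    K_ALICE: {"Ratings": lambda ev: {("http://kids.example/", "G"),
                                     ("http://casino.example/", "R")}},
    # Never queried: the browser's policy only delegates ratings to Alice.
    K_MALLORY: {"Ratings": lambda ev: {("http://casino.example/", "G")}},
}


def allowed_pages(reachable: Optional[Set[str]] = None
                  ) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Evaluate Browser's OK and report which K$u queries were needed for it."""
    ev = Evaluator(NETWORK, BROWSER, reachable)
    return ev.local("OK"), ev.queries


if __name__ == "__main__":
    ok, queries = allowed_pages()
    print("OK =", ok)                       # {'http://kids.example/'}
    print("queries issued =", queries)      # [('Keyserver', 'PKD'), ('K_alice', 'Ratings')]
    partial, _ = allowed_pages(reachable={KEYSERVER})   # Alice's server is down
    print("OK without Alice =", partial)    # set(): a subset of the full answer, never a superset
```

The query log is the point: nothing is mirrored and nothing is fetched that the policy does not ask for. When Alice's server is unreachable the browser admits fewer pages, never more, which is what makes chaining over partial information safe to combine with push-style distribution.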
Revocation is Costly for Retrieval
A MITRE study to recommend a PKI for the U.S. Government noted:
"Certificate revocation list distribution is by far the biggest cost driver associated with the operation of the PKI. Requiring that every request to the directory service for a certificate be accompanied by a similar request for the CRL on which that certificate may appear places an extremely heavy burden on the directory communications system... Other ways of dealing with the CRL's must be considered."

CRL Retrieval Strategies
A variety of ways to optimize CRL distribution have been explored:
- Distribution points.
- Delta CRLs.
- Indirect CRLs.
- Unreliable (push) CRL distribution.

Revocation Also Introduces Semantic Challenges
Three certificates:
1. Q says P is the public key of Alice.
2. R says P is the public key of Alice.
3. Q says R is the public key of Bob.
Revoke certificate 1. There are three kinds of revocation, each with a different effect on certificates 2 and 3:
1. P is not the public key of Alice. (3 survives, 2 does not.)
2. Q no longer vouches for whether P is the public key of Alice. (2 and 3 survive.)
3. The key of Q has been compromised. (2 survives, 3 does not.)
(1998, Fox and LaMacchia)

Challenge of Integrating Revocation with Chaining
- Using "push" certificates entails working with partial information. This must be integrated with chaining, where information is retrieved by the relying party.
- QCM solves this problem with a monotonicity invariant: responses are assumed to provide a lower approximation of the right answer.
- Using long-term certificates entails working with revocation, which involves "negative information".

Inconsistencies
Consider the following definitions:

    School = Teachers ∪ Administrators ∪ Students
    Employees = School − Students

Suppose Alice is given a certificate "Alice ∈ Students", and later the school revokes this with a certificate "Alice ∉ Students". Alice uses the first to prove she is in the school and the second to prove she is an employee.

Generalized Certificate Revocation for QCM
- General theory of negative data, with a model using sets.
- Sound operational semantics. Soundness is enforced by typing rules assigning "polarities" to variables in an internal language.
- A general revocation policy is obtained through compilation from an external language.
- 1999, C. A. Gunter, T. Jim.

External Language, Online Signing
- Compromised keys are defined by the relying party.
- The compiler replaces each expression e$u by {x | e ∉ Compromised, x ∈ e$u}.
- Example:

    Read = {K1,K2} ∪ Write
    Write = {K3} ∪ (Alice$Write)
    Compromised = {K4} ∪ Bureau$Compromised

External Language, Offline Signing
- Offline certificates may be revoked by the issuing party.
- Only certificates that require checks for revocation are issued.
- A source policy is created. The compiler produces serial numbers and "revocable" certificates.

External Language, Offline Signing: Example
Source policy for principal K:

    OK = {K1,K2}

Target policy (two revocable certificates with serial numbers n1 and n2, each contributing a lower bound for OK):

    OK ⊇ {K1 | n1 ∉ K$OKRevoked}
    OK ⊇ {K2 | n2 ∉ K$OKRevoked}

K maintains OKRevoked. Relying parties whose QCM interpreters use these certificates will consult OKRevoked before making conclusions about membership in OK.

Security Model
- Positive variables are monotonic with respect to approximation.
- Negative variables are anti-monotonic with respect to approximation.
- Thus positive variables must be underestimated, while negative variables must be overestimated.
- These are the key theorems for the denotational semantics of the internal language. The operational semantics (implementation) is shown to conform with the denotational semantics.
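The following Python model is an added example, not code from these slides or from QCM; it serves both the Inconsistencies slide and the external-language and security-model slides above. Every set is approximated from below (lo, what is certainly a member) and from above (hi, what cannot be ruled out), union treats both operands positively, difference treats the subtrahend negatively, and a comprehension with a ∉ guard consults the guard set at the opposite polarity. Run on the School / Employees example it reproduces the inconsistency when the two conflicting certificates are taken at face value, and shows how a revocable certificate whose revocation set is a negative name removes it, including the case where the revocation set cannot be retrieved. The rosters (Bob, Carol), the serial number n1, the key name K_alice and the values of Alice$Write and Bureau$Compromised are constructed.

```python
"""Added example: polarity-aware approximate evaluation of QCM sets.

A set value carries two approximations: `lo`, the members known to belong
(positive uses must be underestimated), and `hi`, the members that cannot
be ruled out (negative uses must be overestimated; None stands for the whole
universe). A name that could not be retrieved gets the weakest approximation
of each kind, so evaluation fails closed instead of guessing."""

from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Approx:
    lo: FrozenSet[str]             # underestimate
    hi: Optional[FrozenSet[str]]   # overestimate; None = unbounded

    def known(self, x: str) -> bool:         # x is certainly a member
        return x in self.lo

    def may_contain(self, x: str) -> bool:   # x cannot be excluded
        return self.hi is None or x in self.hi

    def union(self, other: "Approx") -> "Approx":
        """A ∪ B: both operands are used positively."""
        hi = None if self.hi is None or other.hi is None else self.hi | other.hi
        return Approx(self.lo | other.lo, hi)

    def minus(self, other: "Approx") -> "Approx":
        """A − B: A is used positively, B negatively, so the lower bound of
        the result removes everything B *may* contain."""
        lo = frozenset(x for x in self.lo if not other.may_contain(x))
        hi = None if self.hi is None else self.hi - other.lo
        return Approx(lo, hi)


def exact(members: Iterable[str]) -> Approx:
    s = frozenset(members)
    return Approx(s, s)


UNKNOWN = Approx(frozenset(), None)   # not retrieved: nothing below, everything above


def guarded(body: Approx, elem: str, negset: Approx) -> Approx:
    """{ x | elem ∉ negset, x ∈ body }. The ∉ guard uses negset negatively: the
    lower bound may assume membership only when elem is outside negset's
    overestimate; the upper bound drops out only when elem is in its underestimate."""
    lo = body.lo if not negset.may_contain(elem) else frozenset()
    hi = body.hi if not negset.known(elem) else frozenset()
    return Approx(lo, hi)


# Constructed roster for the School / Employees policy on the Inconsistencies slide.
TEACHERS, ADMINS = exact({"Bob"}), exact({"Carol"})


def inconsistent_naive() -> Tuple[bool, bool]:
    """Taking the two conflicting certificates at face value: 'Alice ∈ Students'
    establishes School, then 'Alice ∉ Students' (read as: Students surely lacks
    Alice) makes School − Students count her as an employee."""
    school = TEACHERS.union(ADMINS).union(exact({"Alice"}))
    employees = school.minus(exact(set()))
    return school.known("Alice"), employees.known("Alice")


def with_revocable_cert(students_revoked: Approx) -> Tuple[bool, bool]:
    """Offline signing: K issues 'Students ⊇ {Alice | n1 ∉ K$StudentsRevoked}' and
    maintains StudentsRevoked (a negative name); both queries see the same Students."""
    students = guarded(exact({"Alice"}), "n1", students_revoked)
    school = TEACHERS.union(ADMINS).union(students)
    employees = school.minus(students)
    return school.known("Alice"), employees.known("Alice")


def read_set(bureau_compromised: Approx, alice_write: Approx) -> FrozenSet[str]:
    """Online signing example: Read = {K1,K2} ∪ Write, Write = {K3} ∪ Alice$Write,
    Compromised = {K4} ∪ Bureau$Compromised, with Alice$Write compiled to
    {x | K_alice ∉ Compromised, x ∈ Alice$Write}. Alice's key name and the
    remote values are constructed."""
    compromised = exact({"K4"}).union(bureau_compromised)
    write = exact({"K3"}).union(guarded(alice_write, "K_alice", compromised))
    return exact({"K1", "K2"}).union(write).lo


if __name__ == "__main__":
    print(inconsistent_naive())                      # (True, True): the inconsistency
    print(with_revocable_cert(exact(set())))         # (True, False): student, not employee
    print(with_revocable_cert(exact({"n1"})))        # (False, False): revoked
    print(with_revocable_cert(UNKNOWN))              # (False, False): revocation list unreachable
    print(sorted(read_set(UNKNOWN, exact({"K5"}))))  # ['K1', 'K2', 'K3']: Alice's grant withheld
```

The design choice worth noticing is UNKNOWN: an unreachable revocation list or compromised-key list is the universe on the negative side, so every ∉ guard that depends on it fails and the certificate it protects contributes nothing. A relying party that instead defaulted a missing negative set to empty would re-create the window of vulnerability the revocation was meant to close.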
Internal Language: Variables and Constants
- Keys K.
- Constants c: keys, numbers, strings, booleans.
- Comparables w ::= c | (w,…,w).
- Positive variables x+, negative variables x−; variables x.
- Positive names u+, negative names u−; names u.
- Polarities π ::= 0 | + | −.

Internal Language: Expressions

    e ::= x               variables
        | c               constants
        | e$u             qualified names
        | {e,…,e}         enumerated sets
        | (e,…,e)         tuples
        | Union(e)        set unions
        | {e | g,…,g}     comprehensions
        | e@e             remote evals
        | Compl{w,…,w}    co-finite sets

Internal Language: The Rest

    g ::= p ∈ e                  generators
        | e = e | e ∈ e | e ∉ e  guards
    p ::= x | (x,…,x)            patterns
    d ::= u = e                  definitions
    P ::= d,…,d                  programs

Sample Typing Rules

    e : 0
    ------  (subsumption: a 0-polarity expression has every polarity π)
    e : π

    {e1 | g1,…,gn} : +    x : +    e2 : +
    -------------------------------------  (positive comprehension, generator)
    {e1 | x ∈ e2, g1,…,gn} : +

    {e1 | g1,…,gn} : +    e3 : −
    ----------------------------  (positive comprehension, ∉ guard: the guard set is used negatively)
    {e1 | e2 ∉ e3, g1,…,gn} : +

Denotational Semantics
- Denotational semantics in terms of a universal domain derived from a recursive domain equation.
- Monotonicity Theorem: monotone in positive variables; anti-monotone in negative variables; related comparables are equal.

Operational Semantics
- Operational semantics in terms of local and global operational rules.
- Local Soundness Theorem: denotational meaning is preserved by the local operational rules.
- Soundness Theorem: global operational rules provide approximations with proper polarity.

Conclusions
- Policy-directed certificate retrieval is possible for long-term certificates with revocation.
- The compilation architecture aids convenience but decreases flexibility.
- A precise model of security is essential.
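As an added example (not from the slides or the QCM implementation), the following Python checker applies the subsumption and comprehension rules above to a fragment of the internal language: variables and names, constants, enumerated sets, unions, and comprehensions with ∈ generators and ∉ guards. It accepts the compiler outputs from the external-language slides and rejects two policies that would let a negative name leak into a positive position. The tuple encoding, the treatment of a qualified name such as K$OKRevoked as a single name carrying the polarity of its remote definition, and the use of the opposite polarity for a ∉ guard inside a non-positive comprehension are assumptions of this example; the slides state the comprehension rules for positive comprehensions only.

```python
"""Added example: a polarity checker for a fragment of the QCM internal language.

Expressions are Python tuples (an encoding chosen for this example):
  ('var', x)                 variable or global name (a qualified name K$u is
                             written as the single name 'K$u', an assumption here)
  ('const', c)               constant
  ('set', e1, ..., en)       enumerated set {e1, ..., en}
  ('union', e1, ..., en)     Union(e1, ..., en)
  ('compr', head, g1, ...)   {head | g1, ..., gn}
Generators and guards:
  ('in', x, e)               x ∈ e   (generator, binds x)
  ('notin', e2, e3)          e2 ∉ e3 (guard)
Polarities are '0', '+', '-'; `env` maps each variable or name to its polarity."""

from typing import Dict, Tuple

POS, NEG, ZERO = "+", "-", "0"
Env = Dict[str, str]
Expr = Tuple


def flip(pol: str) -> str:
    return {POS: NEG, NEG: POS, ZERO: ZERO}[pol]


def check(e: Expr, pol: str, env: Env) -> bool:
    """True iff `e : pol` is derivable under `env`."""
    tag = e[0]
    if tag == "var":
        declared = env.get(e[1])        # None: unbound, so no derivation
        # Subsumption: e : 0 gives e : π for every π.
        return declared == ZERO or declared == pol
    if tag == "const":
        return True                     # constants have every polarity
    if tag in ("set", "union"):
        return all(check(sub, pol, env) for sub in e[1:])
    if tag == "compr":
        return _check_compr(e[1], list(e[2:]), pol, env)
    raise ValueError(f"unknown expression form {tag!r}")


def _check_compr(head: Expr, guards: list, pol: str, env: Env) -> bool:
    if not guards:
        return check(head, pol, env)
    g, rest = guards[0], guards[1:]
    if g[0] == "in":        # {e1 | x ∈ e2, ...}: e2 at pol, and x is bound at pol
        _, x, e2 = g
        return check(e2, pol, env) and _check_compr(head, rest, pol, {**env, x: pol})
    if g[0] == "notin":     # {e1 | e2 ∉ e3, ...}: e3 at the opposite polarity
        _, _e2, e3 = g      # (the slide's rule constrains only e3)
        return check(e3, flip(pol), env) and _check_compr(head, rest, pol, env)
    raise ValueError(f"unknown guard form {g[0]!r}")


# Polarities a relying party would declare: revocation and compromise lists are
# negative (overestimated), granted sets positive (underestimated), and a locally
# defined, fully known set has polarity 0. Constructed for this example.
ENV: Env = {"K$OKRevoked": NEG, "Compromised": NEG, "Alice$Write": POS, "Local": ZERO}

# {K1 | n1 ∉ K$OKRevoked}: a revocable certificate from the offline-signing slide.
REVOCABLE_CERT = ("compr", ("const", "K1"),
                  ("notin", ("const", "n1"), ("var", "K$OKRevoked")))
# {x | K_alice ∉ Compromised, x ∈ Alice$Write}: the online-signing compiler output.
COMPILED_REMOTE = ("compr", ("var", "x"),
                   ("notin", ("const", "K_alice"), ("var", "Compromised")),
                   ("in", "x", ("var", "Alice$Write")))
# Union(K$OKRevoked, {K2}): a negative name used as if it were a grant.
LEAKED_NEGATIVE = ("union", ("var", "K$OKRevoked"), ("set", ("const", "K2")))
# {x | x ∈ Compromised}: generating members from a negative name.
GENERATE_FROM_NEGATIVE = ("compr", ("var", "x"), ("in", "x", ("var", "Compromised")))


def results() -> Dict[str, bool]:
    return {
        "revocable cert is a positive set": check(REVOCABLE_CERT, POS, ENV),
        "compiled remote lookup is positive": check(COMPILED_REMOTE, POS, ENV),
        "negative name in positive union": check(LEAKED_NEGATIVE, POS, ENV),
        "generating from a negative name": check(GENERATE_FROM_NEGATIVE, POS, ENV),
        "0-polarity name usable negatively": check(("var", "Local"), NEG, ENV),
    }


if __name__ == "__main__":
    for label, ok in results().items():
        print(f"{'accept' if ok else 'reject'}: {label}")
```

The two rejections are the static counterpart of the security model: a name that will be overestimated at run time (a revocation or compromise list) can appear only under a ∉ guard, never where its members would be granted something. A 0-polarity name is exact, so subsumption lets it appear on either side.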