End-to-end Authorization

Jon Howell and David Kotz
Presented by James Newell
Background
Barriers impede authorization in hop-by-hop approaches:
- Administrative domains
- Network scale
- Levels of abstraction
- Different protocols
Gateways are used to connect different systems across these boundaries, and they end up making authorization decisions on behalf of the end nodes.
Motivation
An end-to-end authorization approach spans all barriers.
Make applications more secure by:
- Reducing the number of programs that make access-control decisions
- Giving more information to the access-control mechanisms
- Providing more useful audit trails
Dynamic and scalable authorization
Implementation
Snowflake
Built upon Simple Public Key Infrastructure (SPKI)
Principals, statements, and proofs are the language of the system:
- A statement is any assertion
- A principal is any entity that can make a statement
- A proof of authority is a collection of statements that together convince the reader of the truth of the conclusion statement
Proofs
- Send a proof to show authority
- Transmitted in structured form
- Proofs have an expiration time
- The structure of the proof is preserved (a tree)

Example proof tree (A ⇒ B reads "A speaks for B"):
HD ⇒ KC·N            by Transitivity, from
  HD ⇒ KS            Signed-Certificate
  KS ⇒ KC·N          by Transitivity, from
    KS ⇒ HKC·N       Signed-Certificate
    HKC·N ⇒ KC·N     by Name-monotonicity
Prover
Tasks:
- Collects delegations into a graph
- Caches proofs
- Constructs new delegations
Graph:
- Nodes are principals and edges are proofs
- Traverse the graph breadth-first
- Caches are “short-cuts” in the graph
- Closures are used to represent controlled principals
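As an added example (not Snowflake's own code), the proof tree above and the prover's breadth-first graph search in Python: `check` plays the reader, accepting a proof tree only if its leaves are signed certificates and each rule is applied correctly, while `prove` plays the prover, searching the delegation graph (nodes are principals, edges are statements) breadth-first and joining the steps with Transitivity. Names are written KEY.N, and the certificate set and the hash-of-key axiom HKC ⇒ KC are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
# Added example, not Snowflake's code. A principal is a key or hash ("KC", "KS", "HD")
# or a name "KEY.N"; the pair (A, B) is the statement "A speaks for B" (A => B).
@dataclass(frozen=True)
class Proof:
    rule: str             # "Signed-Certificate", "Transitivity" or "Name-monotonicity"
    conclusion: tuple     # (A, B)
    premises: tuple = ()  # sub-proofs; the tree structure is kept, as on the slide

def check(proof, certs):
    """Reader side: every leaf must be a certificate in `certs` and every rule applied correctly."""
    a, b = proof.conclusion
    if proof.rule == "Signed-Certificate":
        return (a, b) in certs and proof.premises == ()
    if proof.rule == "Transitivity" and len(proof.premises) == 2:    # A => M, M => B give A => B
        p, q = proof.premises
        return (p.conclusion[0] == a and p.conclusion[1] == q.conclusion[0]
                and q.conclusion[1] == b and check(p, certs) and check(q, certs))
    if proof.rule == "Name-monotonicity" and len(proof.premises) == 1:  # A => B gives A.N => B.N
        pa, pb = proof.premises[0].conclusion
        return a.startswith(pa + ".") and b == pb + a[len(pa):] and check(proof.premises[0], certs)
    return False   # unknown rule or wrong number of premises: reject

def edges(cur, certs):
    """Delegation-graph edges out of `cur`: its certificates, plus the A.N => B.N edge name-monotonicity adds."""
    for a, b in certs:
        if a == cur:
            yield b, Proof("Signed-Certificate", (a, b))
        elif cur.startswith(a + "."):         # cur is the name a.N and a certificate says a => b
            n = cur[len(a):]
            yield b + n, Proof("Name-monotonicity", (cur, b + n), (Proof("Signed-Certificate", (a, b)),))

def prove(start, goal, certs):
    """Prover side: breadth-first search joining steps by Transitivity; proof of start => goal, or None."""
    frontier, seen = deque([(start, None)]), {start}
    while frontier:
        cur, sofar = frontier.popleft()
        if cur == goal:
            return sofar
        for nxt, step in edges(cur, certs):
            if nxt not in seen:
                seen.add(nxt)
                joined = step if sofar is None else Proof("Transitivity", (start, nxt), (sofar, step))
                frontier.append((nxt, joined))
    return None
# Constructed certificates for the slide's tree; "HKC => KC" (a hash speaks for the key it
# hashes) is an assumed axiom, the premise of the name-monotonicity step.
SLIDE_CERTS = {("HD", "KS"), ("KS", "HKC.N"), ("HKC", "KC")}
```

A forged leaf (a statement with no certificate behind it) or a misapplied rule makes `check` reject the whole tree, which is what makes the proof safe to hand to an untrusting server.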
Channels
Where authorization is propagated
Types:
- Secure network channel
- Locally trustworthy channel
- Signed request
Client and server are connected by a channel with secret key KCH.
Secure Channel
Implementation of SSH with Java Sockets
The channel is a principal.
Logic: M ⇒ KCH ⇒ K2 ⇒ PC (a chain of speaks-for statements from the received message M, through the channel key KCH, to the client principal PC)
Local Channels
Trustworthy enough:
- No SSH channel
- IPC pipes
- No encryption within the same JVM
Signed Requests
Modified version of HTTP Authorization
Server’s Authenticate message:
- Issuer that the client needs to speak for
- Minimum restriction set
Client’s Authorization message:
- Snowflake proof of the server’s message
- Hash of the request
Server authorization
Applications
Web file server
Relational email database
Quoting protocol gateway
Measurements
HTTP and RMI with Snowflake
HTTP and RMI with SSL
HTTP and RMI standard
Results
- Major overhead, on the order of many milliseconds, with both Snowflake and SSL
- Snowflake is sometimes more than twice as slow as SSL
- The poor performance may be due to slow libraries and a lack of optimization
Open Issues
Implementation issues (very abstract)
Performance is lacking
Does not address how logical assumptions are known to be true
How does administration work?