End-to-end Authorization
Jon Howell and David Kotz
Presented by James Newell

Background
  - Barriers impede authorization, pushing systems toward hop-by-hop approaches:
      administrative domains, network scale, levels of abstraction, different protocols
  - Gateways (systems that bridge boundaries, used to connect different versions)
    end up making authorization decisions on behalf of the end nodes

Motivation
  - An end-to-end authorization approach spans all of these barriers
  - Makes applications more secure by:
      reducing the number of programs that make access-control decisions
      giving more information to the access-control mechanisms
      providing more useful audit trails
  - Dynamic and scalable authorization

Implementation: Snowflake
  - Built upon the Simple Public Key Infrastructure (SPKI)
  - Principals, statements, and proofs are the language of the system
      A statement is any assertion
      A principal is any entity that can make a statement
      A proof of authority is a collection of statements that together convince
      the reader of the truth of the conclusion statement

Proofs
  - The proof class is sent to show authority
  - Transmitted in structured form; the structure of the proof (a tree) is preserved
  - Proofs have an expiration time
  - Example proof tree (each node: the rule applied, then the two principals of the statement it establishes):
      Transitivity: HD, KC·N
        Signed-Certificate: HD, KS
        Transitivity: KS, KC·N
          Signed-Certificate: KS, HKc·N
          Name-monotonicity: HKc·N, KC·N

Prover Tasks
  - Collects delegations in a graph
  - Caches proofs
  - Constructs new delegations

Graph
  - Nodes are principals and edges are proofs
  - Traversed breadth-first
  - Caches are "short-cuts" in the graph
  - Closures are used to represent controlled principals

Channels
  - Where authorization is propagated
  - Types: secure network channel, locally trustworthy channel, signed request
  - Client and server share a channel with secret key KCH

Secure Channel
  - Implementation of SSH with Java sockets
  - The channel is a principal
  - Logic: M  KCH  K2  PC

Local Channels
  - Trustworthy enough that no SSH channel is needed
  - IPC pipes
  - No encryption within the same JVM

Signed Requests
  - Modified version of HTTP Authorization
  - Server's Authenticate message carries:
      the issuer that the client needs to speak for
      the minimum restriction set
  - Client's Authorization message carries:
      a Snowflake proof of the server's message
      a hash of the request
  - The server then authorizes the request

Applications
  - Web file server
  - Relational email database
  - Quoting protocol gateway

Measurements
  - HTTP and RMI with Snowflake
  - HTTP and RMI with SSL
  - HTTP and RMI standard

Results
  - Major overhead, on the order of many milliseconds, with both Snowflake and SSL
  - Snowflake is sometimes over twice as slow as SSL
  - The lack of performance may be due to slow libraries and no optimization

Open Issues
  - Implementation issues (very abstract)
  - Performance is lacking
  - Does not address how logical assumptions are known to be true
  - How does administration work?
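The proof tree above, checked by a small verifier written for this page (an added example, not Snowflake's own code). It assumes each pair of principals in the tree is a "speaks for" statement, that hashed keys are written H(K), that names are written K.N, and that signatures are HMACs under constructed secrets standing in for SPKI public-key signatures; the rule names (signed certificate, transitivity, name-monotonicity) and the expiration check follow the slides.

```python
import hashlib
import hmac

# Principals are strings: keys ("KC"), names bound to a principal ("KC.N") and
# hashes of keys ("H(KC)"). A statement (a, b) reads "a speaks for b".
# Assumption: signatures are HMACs under constructed secrets the verifier
# holds, standing in for the SPKI public-key signatures Snowflake uses.
KEYS = {"KS": b"constructed-server-secret", "KC": b"constructed-client-secret"}

def owner(p):  # key controlling p: "KC" for KC, KC.N and H(KC).N alike
    base = p.split(".", 1)[0]
    return base[2:-1] if base.startswith("H(") and base.endswith(")") else base

def sign(key, a, b, expires):
    msg = f"{a}=>{b}|{expires}".encode()
    return hmac.new(KEYS[key], msg, hashlib.sha256).hexdigest()

def cert(key, a, b, expires):
    return {"rule": "signed-certificate", "a": a, "b": b, "expires": expires,
            "signer": key, "sig": sign(key, a, b, expires)}

def check(node, now):
    """Return the statement (a, b) a proof node establishes, else raise."""
    rule = node["rule"]
    if rule == "signed-certificate":
        a, b, exp, k = node["a"], node["b"], node["expires"], node["signer"]
        if owner(b) != k:  # only b's controlling key may delegate on its behalf
            raise ValueError(f"{k} cannot delegate for {b}")
        if now > exp:      # proofs carry an expiration time
            raise ValueError("certificate expired")
        if not hmac.compare_digest(node["sig"], sign(k, a, b, exp)):
            raise ValueError("bad signature")
        return a, b
    if rule == "hash":     # H(K) speaks for K by definition
        if node["a"] != f"H({node['b']})":
            raise ValueError("hash does not match principal")
        return node["a"], node["b"]
    if rule == "transitivity":  # a=>b and b=>c give a=>c
        (a, b1), (b2, c) = check(node["left"], now), check(node["right"], now)
        if b1 != b2:
            raise ValueError("transitivity premises do not chain")
        return a, c
    if rule == "name-monotonicity":  # a=>b gives a.N=>b.N
        a, b = check(node["premise"], now)
        return f"{a}.{node['name']}", f"{b}.{node['name']}"
    raise ValueError(f"unknown rule {rule}")

def example_proof(now):  # the page's tree: HD speaks for KC.N via KS and H(KC).N
    inner = {"rule": "name-monotonicity", "name": "N",
             "premise": {"rule": "hash", "a": "H(KC)", "b": "KC"}}
    right = {"rule": "transitivity", "left": cert("KC", "KS", "H(KC).N", now + 60), "right": inner}
    return {"rule": "transitivity", "left": cert("KS", "HD", "KS", now + 60), "right": right}
```

A verifier only needs to walk the tree it receives, so a cached sub-proof can be reused wherever its conclusion appears as a premise.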