Query Certificate Manager - PowerPoint PPT Presentation

Slides: 34
Provided by: dimacsR
Transcript and Presenter's Notes

1
Query Certificate Manager
  • Carl A. Gunter
  • Trevor Jim

2
Using Certificates (Digital or Otherwise)
  • Example: Area 1 parking stickers in Philadelphia.
  • Example: mortgage pre-approval.

[Diagram labels: Subscriber, Relying Party, Issuer (×4), query, cert (×4)]
3
Basic Application-Independent Authorization Architecture
[Diagram labels: User, Application, Policy, Retrieval, Verification, Remote Data (×2)]
4
Domain Specific Languages for Authorization Policies
  • PolicyMaker.
  • Simple Distributed Security Infrastructure (SDSI).
  • Query Certificate Manager (QCM).
  • Simple Public Key Infrastructure (SPKI).
  • Keynote.

1996 M Blaze, J Feigenbaum, J Lacy
1997 B Lampson, R Rivest
1997 C Gunter and T Jim
1998 CM Ellison, B Frantz, B Lampson, R Rivest, BM Thomas, T Ylonen
1998 M Blaze, J Feigenbaum, J Ioannidis, AD Keromytis
5
Retrieval Challenge
  • Describing authorization policy isn't the only
    problem.
  • How do the subscriber and relying party obtain
    the certificates relevant to the policy?
  • Examples:
      • Entrust, Oscar (LDAP)
      • PGP (Key servers)
  • Problem: retrieval is not integrated with
    verification.

6
Options for Retrieval
  • General mirroring by relying party. (Simple, but
    limited and inefficient.)
  • Individual short-term certificates. (Pressure on
    issuer's server.)
  • Subscriber submits long-term certificates to
    relying party. (Revocation challenge.)

7
Illustration: QCM Daemon for ABONE Access Control
  • ABONE is the active network testbed.
  • ACLs at ABONE nodes were initialized by ANETD
    installation and then managed manually.
  • This was not convenient.
  • Now QCMD automatically synchronizes local ACL
    with SRI ACL, which provides access control
    policy for all nodes.

ANETD: 1997 L Ricciulli
QCMD: 1999 P Kakkar, M McDougall, CA Gunter, T Jim
8
Requirements Imposed on QCMD
  • No changes to ANETD.
  • No changes to keys based on RSA Ref.
  • Scalability to 1000 nodes.
  • Simple implementation providing basic security.
  • Upgrade path to support additional functionality.

9
QCMD Client Options
  • Pull: node periodically instigates update by
    sending a hash of its current ACL. This is
    compared to the hash of the SRI ACL; an update
    occurs if they don't match.
  • Push: node registers with SRI server.
      • Server updates node initially and whenever the
        server ACL changes.
      • Server periodically clears registry; clients
        periodically re-register.
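
The two client options above, sketched in Python as an added example (not QCMD's code or anything from the presentation). The class and function names, SHA-256 and the sample ACL entries are assumptions, and message authentication is left out. The demo shows why a pushed node that stops re-registering goes stale while a pulling node catches up on its next hash comparison.

```python
import hashlib

def acl_digest(acl):
    """Order-independent digest; length prefixes keep entries unambiguous."""
    h = hashlib.sha256()  # assumption: the slides do not name the hash
    for entry in sorted(acl):
        raw = entry.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()

class Server:
    def __init__(self, acl):
        self.acl, self.registry = set(acl), {}

    def handle_pull(self, node_digest):  # None on a match, else current ACL
        return None if node_digest == acl_digest(self.acl) else set(self.acl)

    def register(self, node):
        """Push: remember the node and update it immediately."""
        self.registry[node.name] = node
        node.acl = set(self.acl)

    def set_acl(self, acl):  # a change is pushed to every registered node
        self.acl = set(acl)
        for node in self.registry.values():
            node.acl = set(self.acl)

    def clear_registry(self):  # periodic; nodes must re-register
        self.registry.clear()

class Node:
    def __init__(self, name):
        self.name, self.acl = name, set()
    def pull(self, server):
        """Send our digest; True means an update was transferred."""
        update = server.handle_pull(acl_digest(self.acl))
        if update is not None:
            self.acl = update
        return update is not None

def demo():
    server = Server({"alice", "bob"})        # constructed sample ACL
    puller, pushed = Node("n1"), Node("n2")
    pulls = [puller.pull(server), puller.pull(server)]  # transfer, then match
    server.register(pushed)
    server.set_acl({"alice"})                # pushed to n2 only
    server.clear_registry()
    server.set_acl({"alice", "carol"})       # n2 never re-registered
    return pulls, set(puller.acl), set(pushed.acl), puller.pull(server)
```
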

10
Implementation and Deployment of QCMD
  • Tests with mixed Penn clients and Aerospace
    server show 500 nodes are not a problem.
  • Deployed on Cairn and the ABONE.

11
Limitations of QCMD
  • Limited integration with ANETD means limited
    capabilities.
  • Individual certificates are not supported.
  • Keys must be online.
  • Little local autonomy for authorization or
    retrieval policy.

12
Query Certificate Manager (QCM)
  • QCM is a superset of QCMD.
  • Uses domain-specific language and techniques from
    distributed databases.
  • Integrates authorization policy and the three
    primary retrieval mechanisms.
  • Key concepts:
      • Policy-directed certificate retrieval.
      • Dynamic channel discovery.
      • Chaining (transparent delegation).

1998 CA Gunter and T Jim
13
Policy-Directed Certificate Retrieval
[Diagram labels: Application, Policy, Verification, Retrieval and Distribution (each ×2); Public Network]
14
QCM Notation
  • Ku --- pronounced K's u.
      • K is a principal
      • u is a global name
  • (x ,y) x ∈ v, y ∈ Ku --- set comprehension:
    all pairs (x,y) such that x is in v and y is in
    Ku.
  • A QCM policy is a list of bindings of global
    names to sets.

15
Illustration: Web Filtering in QCM
online Browser
OK p (p,"G") <- Ratings
Ratings x ("Alice",k) <- PKD, x <- kRatings
PKD KeyserverPKD
16
Challenge of Long-Term Certificates
  • Premise: most principals are authorized for a
    substantial period of time.
  • Strategy: issue long-term certificates and revoke
    privileges for principals as necessary.
  • Relying parties must check to see if a
    certificate has been revoked.
  • Window of vulnerability created.

17
Revocation is Costly for Retrieval
  • A MITRE study to recommend a PKI for the U.S.
    Government noted

Certificate revocation list distribution is by
far the biggest cost driver associated with the
operation of the PKI. Requiring that every
request to the directory service for a
certificate be accompanied by a similar request
for the CRL on which that certificate may appear
places an extremely heavy burden on the directory
communications system... Other ways of dealing
with the CRL's must be considered.
18
CRL Retrieval Strategies
  • A variety of ways to optimize CRL distribution
    have been explored.
  • Distribution points.
  • Delta CRLs.
  • Indirect CRLs.
  • Unreliable (push) CRL distribution.

19
Revocation Also Introduces Semantic Challenges
  • Three certificates.
      • Q says P is the public key of Alice.
      • R says P is the public key of Alice.
      • Q says R is the public key of Bob.
  • Three kinds of revocation.
      • P is not the public key of Alice. (3 not 2.)
      • Q no longer vouches for whether P is the public
        key of Alice. (2 and 3.)
      • The key of Q has been compromised. (2 not 3.)

Revoke
1998 Fox and LaMacchia
20
Challenge of Integrating Revocation with Chaining
  • Using push certificates entails working with
    partial information.
  • This must be integrated with chaining, where
    information is retrieved by the relying party.
  • QCM solves this problem with a monotonicity
    invariant. Responses are assumed to provide a
    lower approximation of the right answer.
  • Using long-term certificates entails working with
    revocation, which involves negative information.

21
Inconsistencies
  • Consider the following definitions:
      • School Teachers ∪ Administrators ∪ Students
      • Employees School Students
  • Suppose Alice is given a certificate Alice ∈
    Students
  • And later the school revokes this with a
    certificate Alice ∉ Students.
  • Alice uses the first to prove she is in the
    school and the second to prove she is an employee.

22
Generalized Certificate Revocation for QCM
  • General theory of negative data with model using
    sets.
  • Sound operational semantics.
  • Soundness enforced by typing rules assigning
    polarities to variables in an internal
    language.
  • General revocation policy obtained through
    compilation from an external language.

1999 CA Gunter, T Jim
23
External Language, Online Signing
  • Compromised keys are defined by the relying
    party.
  • The compiler replaces each expression eu by x
    e ∉ Compromised, x ∈ eu.
  • Example:
      • Read K1,K2 ∪ Write
      • Write K3 ∪ (AliceWrite)
      • Compromised K4 ∪ BureauCompromised

24
External Language, Offline Signing
  • Offline certificates may be revoked by the
    issuing party. Only certificates that require
    checks for revocation are issued.
  • A source policy is created. The compiler
    produces serial numbers and revocable
    certificates.

25
External Language, Offline Signing Example
  • Source policy for principal K
      • OK K1,K2
  • Target policy
      • OK ⊇ K1 n1 ∉ KOKRevoked
      • OK ⊇ K2 n2 ∉ KOKRevoked
  • K maintains OKRevoked. Relying parties whose QCM
    interpreters use these certificates will consult
    OKRevoked before making conclusions about
    membership in OK.

26
Security Model
  • Positive variables are monotonic with respect to
    approximation. Negative variables are
    anti-monotonic with respect to approximation.
  • Thus positive variables must be under-estimated,
    while negative variables must be over-estimated.
  • These are the key theorems for the denotational
    semantics of the internal language.
  • The operational semantics (implementation) is
    shown to conform with the denotational.
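
The rule on this slide, applied to the offline-signing target policy from slide 25, as an added Python example (not code from QCM or the presentation). The names, the sample serials and the choice to treat "no fresh list from the issuer" as "every serial may be revoked" are assumptions made for illustration.

```python
from itertools import combinations

class Compl:
    """Co-finite set: contains everything except `excluded`."""
    def __init__(self, excluded=()):
        self.excluded = frozenset(excluded)
    def __contains__(self, item):
        return item not in self.excluded

# Constructed sample in the shape of the target policy: (member, serial)
# means "member is in OK unless serial is in OKRevoked".
CERTS = [("K1", "n1"), ("K2", "n2")]

def revoked_upper_bound(fresh_list):
    """Negative information is over-estimated: with no fresh list from the
    issuer, every serial has to be treated as possibly revoked."""
    return Compl() if fresh_list is None else frozenset(fresh_list)

def ok_lower_bound(certs, fresh_list):
    """Positive information is under-estimated: a member is reported only
    when its serial is known to be absent from the revoked set."""
    revoked = revoked_upper_bound(fresh_list)
    return {member for member, serial in certs if serial not in revoked}

def ok_unsound(certs, stale_list):
    """Mistake to avoid: a stale list under-estimates OKRevoked, so using
    it negatively over-estimates OK."""
    return {member for member, serial in certs if serial not in stale_list}

def anti_monotone(certs, serials):
    """Exhaustive check: growing the revoked set can only shrink OK."""
    subsets = [frozenset(c) for r in range(len(serials) + 1)
               for c in combinations(serials, r)]
    return all(ok_lower_bound(certs, big) <= ok_lower_bound(certs, small)
               for small in subsets for big in subsets if small <= big)

def demo():
    truth = {"K2"}                  # n1 has been revoked at the issuer
    stale = set()                   # list cached before the revocation
    return (ok_lower_bound(CERTS, None) <= truth,     # fail closed: sound
            ok_lower_bound(CERTS, {"n1"}) == truth,   # fresh list: exact
            ok_unsound(CERTS, stale) <= truth)        # stale list: unsound
```
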

27
Internal Language: Variables and Constants
Keys K ∈ Key
Constants c ∈ Key ∪ Num ∪ String ∪ Bool
Comparables w c (w,,w)
Positive variables x
Negative variables x-
Variables x
Positive names u
Negative names u-
Names u
Polarities ? 0 -
28
Internal Language: Expressions
e
  Variables x
  Constants c
  Qualified Names eu
  Enumerated Sets e,,e
  Tuples (e,,e)
  Set Unions Union(e)
  Comprehensions e g,,g
  Remote Evals e @ e
  Co-finite Sets Complw,w
29
Internal Language: The Rest
g
  Generators p ? e
  Guards e e e ? e e ? e
p
  Patterns x (x,,x)
d
  Definitions u e
P
  Programs d,,d
30
Sample Typing Rules

e 0
----- Subsumption
e ?

e1 g1,,gn ? x ? e2 ?
------------------------------------
e1 x ? e2, g1, , gn ?
Polarity for positive comprehensions

e1 g1,, gn ? e3 -?
-----------------------------
e1 e2 ? e3, g1, , gn ?
Polarity for positive comprehensions
31
Denotational Semantics
  • Denotational semantics in terms of a universal
    domain derived from a recursive domain equation.
  • Monotonicity Theorem:
      • Monotone in positive variables.
      • Anti-monotone in negative variables.
      • Related comparables are equal.

32
Operational Semantics
  • Operational semantics in terms of local and
    global operational rules.
  • Local Soundness Theorem: Denotational meaning is
    preserved by the local operational rules.
  • Soundness Theorem: Global operational rules
    provide approximations with proper polarity.

33
Conclusions
  • Policy-directed certificate retrieval is possible
    for long-term certificates with revocation.
  • Compilation architecture aids convenience, but
    decreases flexibility.
  • Precise model of security essential.