Attribute Certificate for Group Access Control - PowerPoint PPT Presentation

Provided by: sconce
1
Attribute Certificate for Group Access Control
  • Jeong H. Yi
  • jhyi_at_ics.uci.edu

2
ASM Protocol
  • New User, Group Member i

Generates Join request M
Join Request (plus Public-key Cert)
Verifies new user Generates ri
Partial Commit plus Group Cert
Computes
Verifies group cert of the member i
Joint Commit
Computes
Computes
Partial Signature
Generates
Computes
Verify
Signature(X,Y)
3
Requirement for Group Certificate
  • Signed by list S (Multiple Issuer)
  • Group ID
  • Binding Info from X.509 certificate (Owner)
  • Validity
  • Signature
  • Joint commitment X
  • Joint signature Y

4
X.509 Public Key Certificate
V1 (88)
  • Certificate format version: version 3 (2)
  • Certificate serial number: 12345678
  • Signature algorithm id for CA: RSA with SHA-1
  • Issuer X.500 name: ou=ics, o=uci, c=us
  • Validity period: start=01/09/01, expiry=01/09/902
  • Subject X.500 name: cn=jhyi, ou=ics, o=uci, c=us
  • Subject public key info: RSA with SHA-1
V2 (93)
  • Issuer unique identifier: (not used)
  • Subject unique identifier: (not used)
V3 (96)
  • Extensions: three entries, each with Type, Criticality, Value
CA Signature
5
Difference between PKC and AC
  • PKC is passport and AC is visa

Attribute Certificate (AC)      Public Key Certificate (PKC)
Version                         Version
Serial Number                   Serial Number
Signature ID                    Signature ID
Holder                          Subject
Issuer                          Issuer
Validity Period                 Validity Period
Attributes                      Subject Public Key Info
Extensions                      Extensions
Signature                       Signature
  • Public Key: PKC binds a subject and a public key
  • No Public Key: AC binds a holder and attributes
6
Attribute Types
  • Group
  • Role
  • Clearance
  • Service authentication info
  • Access identity
  • Charging identity

7
Why Attribute Certificate?
  • Essential requirement is authorization not
    authentication
  • X.509 Public-Key Certificate provides
    authentication service based on PKI
  • More important to know what a user can do than
    who a user is
  • Difficult to manage privilege information in PKI
  • Complicated issuing process including user
    identification
  • In general validity of privilege is much shorter
  • Identity Certificate is passport and AC is visa
  • Need to integrate PKC with AC
  • AC is suitable for Local Domain

8
Binding PKC and AC
Attribute Certificate (AC)      Public Key Certificate (PKC)
Version                         Version
Serial Number                   Serial Number
Signature ID                    Signature ID
Holder                          Subject
Issuer                          Issuer
Validity Period                 Validity Period
Attributes                      Subject Public Key Info
Extensions                      Extensions
Signature                       Signature
9
Using AC for Group Certificate
Attribute Certificate (AC) field      Group certificate content
Version
Serial Number
Signature ID
Holder                                binding info from X.509 PKC
Issuer                                signer list S
Validity Period                       validity
Attributes                            group id
Extensions
Signature                             joint commitment X, joint signature Y
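The field mapping above and the PKC/AC binding from slide 8, as an added example that is not part of the original slides. It assumes the Holder binding is the (issuer, serial) pair of the member's PKC; the class and function names and the sample values are constructed, and verification of the joint signature (X, Y) is passed in as a flag rather than implemented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class PKC:                       # identity certificate (the "passport")
    issuer: str
    serial: int
    subject: str

@dataclass(frozen=True)
class GroupAC:                   # group certificate as an AC (the "visa")
    holder: tuple                # Holder: (issuer, serial) of the member's PKC
    signers: tuple               # Issuer: signer list S
    not_before: datetime         # Validity Period
    not_after: datetime
    group_id: str                # Attributes: group id

def check_group_access(ac, pkc, group_id, now, signature_ok):
    """Return (allowed, reason). signature_ok stands in for verifying the
    joint signature (X, Y) against signer list S, which is done elsewhere."""
    if not signature_ok:
        return False, "joint signature invalid"
    if ac.holder != (pkc.issuer, pkc.serial):
        return False, "AC is not bound to the presented PKC"
    if not ac.not_before <= now <= ac.not_after:
        return False, "AC outside its validity period"
    if ac.group_id != group_id:
        return False, "AC is for a different group"
    return True, "ok"

# Constructed sample data; the DN and serial reuse the values from slide 4.
T0 = datetime(2001, 9, 1, tzinfo=timezone.utc)
CA = "ou=ics, o=uci, c=us"
MEMBER = PKC(CA, 12345678, "cn=jhyi, ou=ics, o=uci, c=us")
OTHER = PKC(CA, 87654321, "cn=other, ou=ics, o=uci, c=us")
AC = GroupAC((CA, 12345678), ("m1", "m2", "m3"), T0, T0 + timedelta(hours=8), "group-A")

if __name__ == "__main__":
    for label, args in [
        ("holder, within validity", (AC, MEMBER, "group-A", T0 + timedelta(hours=1), True)),
        ("AC shown with another PKC", (AC, OTHER, "group-A", T0 + timedelta(hours=1), True)),
        ("after expiry", (AC, MEMBER, "group-A", T0 + timedelta(hours=9), True)),
    ]:
        print(label, "->", check_group_access(*args))
```

The expiry check is what stands in for revocation when the AC is short-lived, as in Case 1 of the discussion.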
10
Discussion
  • Case 1: Group cert = Group membership cert
  • PKC (per-user), AC (per-user)
  • AC is short-lived → No revocation possible
  • How to deliver PKC (i.e., gsi) for verifying group
    certificate
  • Push vs. Pull
  • Case 2: Group cert = Group PKC
  • PKC (per-user), PKC (per-group)
  • In general, PKC is long-lived
  • Complicated mechanism → Another PKI
  • update, revocation, and so on

11
Discussion
  • Case 3: Group cert = Organizational cert
  • PKC (per-user), PKC (per-organization)
  • Specially for common mod n of IBE
  • Same management overhead as standard PKC