The Role of Trust Management in Distributed Systems

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte Dept of Computer Science Kent State University


Page 1: The Role of Trust Management in Distributed Systems

The Role of Trust Management in Distributed Systems

Authors: Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis

Presented by: Akshay Gupte

Dept of Computer Science, Kent State University

Page 2: The Role of Trust Management in Distributed Systems

Design of a Distributed Operating System

• A distributed OS provides the essential services and functionality required of an OS, adding attributes and particular configurations to allow it to support increased scaling and availability.

• The kernel, known as a microkernel, supports a minimal set of functions, such as low-level address space management, thread management, and inter-process communication (IPC).

Page 3: The Role of Trust Management in Distributed Systems

Access Control Lists

• An ACL is a list of permissions attached to an object, i.e. it defines what kind of access is to be given to a specific operation.

• Used commonly in operating systems as a security mechanism.

• However, they are inadequate for distributed systems, even though they are used there.

Page 4: The Role of Trust Management in Distributed Systems

Authentication

• In a distributed system, some form of authentication has to be provided before access can be granted.

• Usernames and passwords help accomplish this.

• But this can be easily overcome, destroying the security and leaving the system vulnerable.

Page 5: The Role of Trust Management in Distributed Systems

Delegation

• Necessary for the scalability of a system.

• Helps in decentralizing administrative tasks.

• Security mechanisms usually delegate to a “certified entity”.

• Authorizations are specified only at the highest level, in the form of an ACL.

• But high-level administrative authorities cannot directly specify the overall security policy; they can only certify lower-level authorities, which leaves the system inconsistent.

Page 6: The Role of Trust Management in Distributed Systems

Expressibility and Extensibility

• A generic security mechanism must handle new and diverse conditions and restrictions.

• ACLs are inadequate and insufficient to do so.

• Thus these new security policies often have to be coded into applications.

• Thus renewing or changing security policies requires reconfiguring, rebuilding or even rewriting applications.

Page 7: The Role of Trust Management in Distributed Systems

Local Trust Policy

• There can be many administrative entities in a distributed system.

• These entities’ trust in different users and entities may differ.

• This implies that there must not be an implicit and uniform policy in a distributed system, which is not possible in the case of ACLs.

Page 8: The Role of Trust Management in Distributed Systems

Trust Management

• This model is the solution to all the previously mentioned problems existing in the security of distributed systems

• This model was introduced by Michael Blaze in 1996

• This is a unified approach to specifying and interpreting security policies and credentials that help in direct authorization of security-critical actions.

Page 9: The Role of Trust Management in Distributed Systems
Page 10: The Role of Trust Management in Distributed Systems

Components of a Trust Management System

• A language for describing ‘actions’, which are operations with security consequences that are to be controlled by the system.

• A mechanism for identifying ‘principals’, which are entities that can be authorized to perform actions.

• A language for specifying application ‘policies’, which govern the actions that principals are authorized to perform.

• A language for specifying ‘credentials’, which allow principals to delegate authorization to other principals.

• A ‘compliance checker’, which provides a service to applications for determining how an action requested by principals should be handled, given a policy and a set of credentials.

Page 11: The Role of Trust Management in Distributed Systems

Questions to answer when designing a Trust Management System

• How should “proof of compliance” be defined?

• Should policies and credentials be fully or partially programmable? In which language or notation should they be expressed?

• How should responsibility be divided between the trust management engine and the calling application?

Page 12: The Role of Trust Management in Distributed Systems

Example- Policy Maker

• Its credentials and policies (together known as assertions) are fully programmable.

• For the engine to make a decision, the input supplied to it by the calling application must contain one or more policy assertions.

• Credentials can be written in any programming language.

• The goal of Policy Maker is to make the Trust Management engine minimal and analyzable.

Page 13: The Role of Trust Management in Distributed Systems

Example- Policy Maker

• The “proof of compliance” is fully specified and analyzed.

• Its runtime system provides an environment in which the assertions fed to it by the calling application can co-operate to produce (or fail to produce) a proof that the request complies with the policy.

Page 14: The Role of Trust Management in Distributed Systems

Decisions

• Policy Maker must make the following decisions:

– In which order should the assertions be run

– How many times each assertion should be run

– When an assertion should be discarded because it is behaving in a non-co-operative manner
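
The three run-time decisions above (order, repeat count, discarding), sketched as an added example; this is not the Policy Maker algorithm from the paper and not code from the presentation. All names (`check_compliance`, `Assertion`, the `key_*` principals) are hypothetical, and the model is simplified so that each assertion returns only the set of principals it authorizes for the requested action.

```python
from typing import Callable, NamedTuple

POLICY = "POLICY"  # reserved source name for locally trusted policy assertions

class Assertion(NamedTuple):
    source: str                 # issuing principal (POLICY or a key name)
    run: Callable[[dict], set]  # action attributes -> principals it authorizes

def check_compliance(requester, action, assertions):
    """Return (authorized, discarded_indices) for `requester` asking for `action`."""
    authorized = {POLICY}  # principals whose authority traces back to policy
    discarded = set()      # assertions dropped as non-cooperative
    # Each pass can only add principals, so len(assertions) + 1 passes suffice;
    # the bound also caps how many times any single assertion is run.
    for _ in range(len(assertions) + 1):
        changed = False
        for i, a in enumerate(assertions):
            # Ordering rule: an assertion counts only once its source is authorized.
            if i in discarded or a.source not in authorized:
                continue
            try:
                result = a.run(dict(action))  # copy: assertions cannot alter the request
                if not isinstance(result, (set, frozenset)):
                    raise TypeError("assertion must return a set of principals")
                if not all(isinstance(p, str) for p in result):
                    raise TypeError("principals must be strings")
            except Exception:
                discarded.add(i)  # misbehaving assertion: never run again
                continue
            if not result <= authorized:
                authorized |= result
                changed = True
        if requester in authorized or not changed:
            break
    return requester != POLICY and requester in authorized, discarded

# Constructed sample assertions (key names are made up). Signature checks on
# credentials are assumed to have happened before they reach the checker.
ASSERTIONS = [
    # Credential: key_admin delegates read-only payroll access to key_alice.
    Assertion("key_admin", lambda a: {"key_alice"} if a.get("op") == "read" else set()),
    # Policy: key_admin may do anything in the payroll application.
    Assertion(POLICY, lambda a: {"key_admin"} if a.get("app") == "payroll" else set()),
    # Self-issued credential: ignored because key_mallory is never authorized.
    Assertion("key_mallory", lambda a: {"key_mallory"}),
    # Non-cooperative policy assertion: raises, so it is discarded.
    Assertion(POLICY, lambda a: {a["missing_attribute"]}),
]
```

The delegation credential is listed before the policy on purpose: the checker still reaches the same decision because it repeats passes until no new principal is authorized.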

Page 15: The Role of Trust Management in Distributed Systems

Pseudo code for the Compliance Checking Algorithm

Page 16: The Role of Trust Management in Distributed Systems

Example- Keynote

• Designed on the same principles as Policy Maker

• Gives more responsibility to the trust management engine than the calling application.

• Its credentials should be written in a specific assertion language that works smoothly with its compliance checker.

Page 17: The Role of Trust Management in Distributed Systems

Sample Keynote Assertion

Page 18: The Role of Trust Management in Distributed Systems

Applications of Trust Management Engines

1. Active Networks

– Trust Management Systems are used for the following:

• Authorize principals to load code on active routers

• Set resource limits

• Establish fine-grained control over what actions a switch may take on the active node

• Notify nodes behind the firewall that a particular piece of active code should or should not perform a specific action

Page 19: The Role of Trust Management in Distributed Systems

Applications of Trust Management Engines

2. Mobile Code Security

– Trust Management engines are used here for the following reasons:

• Express trust relations between code-certifying entities and the conditions under which their certification has meaning

• Credentials are used to describe the minimal set of capabilities the host environment must grant to enable the code to perform its tasks

Page 20: The Role of Trust Management in Distributed Systems

Applications of Trust Management Engines

3. Access Control Distribution

– Trust Management involves the distribution of traditional ACL databases

– Architectures based on a Trust Management system can be easily extended if it becomes necessary to base access decisions on more complex rules.

– A Trust Management system decouples the specification of access control policies from the mechanism used to distribute and implement them
