Results 1 - 10 of 17
Delegation Logic: A Logic-based Approach to Distributed Authorization
- ACM Transactions on Information and System Security, 2000
Cited by 176 (13 self)
We address the problem of authorization in large-scale, open...
A Secure Active Network Environment Architecture -- Realization in SwitchWare
- IEEE NETWORK
Cited by 55 (20 self)
Active Networks is a network infrastructure which is programmable on a per-user or even per-packet basis. Increasing the flexibility of such network infrastructures invites new security risks. Coping with these security risks represents the most fundamental contribution of Active Network research. The security concerns can be divided into those which affect the network as a whole and those which affect individual elements. It is clear that the element problems must be solved first, as the integrity of network-level solutions will be based on trust of the network elements. In this
Understanding SPKI/SDSI using first-order logic
- International Journal of Information Security, 2003
Cited by 27 (0 self)
SPKI/SDSI is a language for expressing distributed access control policy, derived from SPKI and SDSI. We provide a first-order logic (FOL) semantics for SDSI, and show that it has several advantages over previous semantics. For example, the FOL semantics is easily extended to additional policy concepts and gives meaning to a larger class of access control and other policy analysis queries. We prove that the FOL semantics is equivalent to the string rewriting semantics used by SDSI designers, for all queries associated with the rewriting semantics. We also provide a FOL semantics for SPKI/SDSI and use it to analyze the design of SPKI/SDSI. This reveals some problems. For example, the standard proof procedure in RFC 2693 is semantically incomplete. In addition, as noted before by other authors, authorization tags in SPKI/SDSI are algorithmically problematic, making a complete proof procedure unlikely. We compare SPKI/SDSI with $RT_1^C$, which is a language in the RT Role-based Trust-management framework that can be viewed as an extension of SDSI. The constraint feature of $RT_1^C$, based on Constraint Datalog, provides an alternative mechanism that is expressively similar to SPKI/SDSI tags, semantically natural, and algorithmically tractable.
Local Names In SPKI/SDSI
- 2000
Cited by 24 (5 self)
We analyze the notion of "local names" in SPKI/SDSI. By interpreting local names as distributed groups, we develop a simple logic program for SPKI/SDSI's linked local-name scheme and prove that it is equivalent to the name-resolution procedure in SDSI 1.1 and the 4-tuple-reduction mechanism in SPKI/SDSI 2.0. This logic program is itself a logic for understanding SDSI's linked local-name scheme and has several advantages over previous logics, e.g., those of Abadi [1] and Halpern and van der Meyden [13]. We then
Software license management with smart cards
- PROCEEDINGS OF THE USENIX WORKSHOP ON SMARTCARD TECHNOLOGY (SMARTCARD ’99), 1999
A Survey Of Public-Key Infrastructures
- 1997
Cited by 15 (0 self)
Public-key cryptography is fast becoming the foundation for online commerce and other applications that require security and authentication in an open network. The widespread use of public-key cryptography requires a public-key infrastructure to publish and manage public-key values. Without a functioning infrastructure, public-key cryptography is only marginally more useful than traditional, secret-key cryptography. This thesis presents a set of characteristics that are common to all public-key infrastructures. These criteria are intended to encapsulate the fundamental issues that arise when dealing with such systems. They can be used both as a "shopping list" for those who need to choose an infrastructure for a particular application, and as a guide for infrastructure developers, that they may be more aware of any compromises or tradeoffs they might make in their work. The characteristics are used to present a survey of current and some proposed infrastructure systems. The criteria...
Managing policy updates in security-typed languages
- In CSFW’06: the 19th IEEE Computer Security Foundations Workshop, 2006
Cited by 15 (6 self)
This paper presents RX, a new security-typed programming language with features intended to make the management of information-flow policies more practical. Security labels in RX, in contrast to prior approaches, are defined in terms of owned roles, as found in the RT role-based trust-management framework. Role-based security policies allow flexible delegation, and our language RX provides constructs through which programs can robustly update policies and react to policy updates dynamically. Our dynamic semantics use statically verified transactions to eliminate illegal information flows across updates, which we call transitive flows. Because policy updates can be observed through dynamic queries, policy updates can potentially reveal sensitive information. As such, RX considers policy statements themselves to be potentially confidential information and subject to information-flow metapolicies.
Greenpass: Decentralized, PKI-based Authorization for Wireless LANs
- In 3rd Annual PKI Research and Development Workshop, 2004
Cited by 13 (7 self)
In Dartmouth’s “Greenpass” project, we’re building an experimental system to explore two levels of authorization issues in the emerging information infrastructure. On a practical level, we want to enable only authorized users to access an internal wireless network, while also permitting appropriate users to delegate internal access to external guests, and doing this all with standard client software. On a deeper level, PKI needs to be part of this emerging information infrastructure, since sharing secrets is not workable. However, the traditional approach to PKI, with a centralized hierarchy based on global names and heavy-weight X.509 certificates, has often proved cumbersome. On this level, we want to explore alternative PKI structures that might overcome these barriers. By using SPKI/SDSI delegation on top of X.509 certificates within EAP-TLS authentication, we provide a flexible, decentralized solution to guest access that reflects real-world authorization flow, without requiring guests to download nonstandard client software. Within the “living laboratory” of Dartmouth’s wireless network, this project lets us solve a real problem with wireless networking, while also experimenting with trust flows and testing the limits of current tools.
Trust Management for Widely Distributed Systems
- Ph.D. thesis, 2003
Cited by 10 (0 self)
In recent years, we have witnessed the evolutionary development of a new breed of distributed systems. Systems of this type share a number of characteristics. They are highly decentralized, of Internet-grade scalability, and autonomous within their administrative domains. Most importantly, they are designed to operate collaboratively, regardless of whether they know each other or not. Among many applications, the prime examples of this type of distributed systems include peer-to-peer systems and web services. Traditionally, authorization...
A Hybrid PKI Model with an Application for Secure Mediation
- In 16th Annual IFIP WG 11.3 Working Conference on Data and Application Security, 2002
Cited by 9 (3 self)
For distributed computing systems, specification and enforcement of permissions can be based on a public key infrastructure which deals with public keys for asymmetric cryptography. We review previous approaches and classify them as based on trusted authorities with licencing and dealing with free properties (characterizing attributes including identities), e.g. X.509, or based on owners with delegation dealing with bound properties (including capabilities), e.g. SPKI/SDSI. These approaches are extended and integrated into a hybrid model which uses protocols to convert free properties into bound properties. Furthermore we unify licencing and delegation by introducing administrative properties. The hybrid model is suitable for a wide range of applications requiring security policies for confidentiality and integrity. In the latter case appropriate challenge-response protocols are needed. Secure mediation is taken as an example for such applications.

