Post on 05-Jan-2016
Principles of Policy in Secure Groups
Hugh Harney SPARTA, Inc.
Andrea Colegrove SPARTA, Inc.
Patrick McDaniel University of Michigan
Definitions
A secure group is the collection of cooperating entities operating under a shared security policy
Security policies combine elements of Identification and Authentication, Authorization, Access Control, Mechanism Choices, and mechanisms for verifying the Validity of each
Peer vs. Group
Different assumptions can be made for each:
– Peers -- can determine who they are communicating with, can participate in key exchange; mechanisms are negotiated according to local policy
– Groups -- the security association is greater and more abstract than its pair-wise counterpart
This difference affects what parts of policy must be explicitly determined and how that policy is enforced.
Explicit Policy Elements
Identification -- Explicitness principle, etc.
Access Control -- Who will you potentially communicate with?
Authorization -- Who can affect the security?
Security Mechanisms -- How is the data protected?
Verification -- Bootstrap
Principle 1
Enforcement of group policy must be consistent across a group
– Consistency: mechanism equivalence, synchronization
– Consequence: weakest-link concept
Example of Principle 1
GSAKMP enforces the use of equivalent mechanisms through policy token definition
It provides methods for key and policy synchronization:
– Joins
– Rekey
– Compromise recovery
– Policy token updates
Principle 2
Only authorized entities can affect the security posture of the group
– Policy creation, key dissemination, rekey initiation, and group destruction
– These actions affect the group security posture
– Limited to designated authorities
Authorization and authentication checks
Example of Principle 2
How GSAKMP limits security posture influence to authorized entities:
– Chain of trust: the policy token comes from an authorized source and is authenticated
– Known group owner, trusted third party, etc.
– Authorized entities are identified in the token
– Messages identified as affecting the security posture are verified to have come from an authorized entity
Principle 3
Group content must be protected
– Access control
– Secure key possession in accordance with access control policy + secure mechanisms
Example of Principle 3
How GSAKMP provides group content protection:
– Crypto mechanisms specified in token
– Access control policy specified in token and enforced through legitimate distribution
Principle 4
Groups must be capable of recovery from security-relevant failures to a secure state
– Compromise recovery
– Group deletion
– Secure (authenticated) transactions
Example of Principle 4
How GSAKMP provides recovery:
– Aborting failed join exchanges by either party (signatures, nonces, id fields, inadequate credentials)
– Detecting and rejecting counterfeited rekey (incorrect signatures, timestamps, authorization failures such as token mismatch)
– Detecting and rejecting fake deletion
– Access recovery via key trees such as LKH or OFC
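The checks a group member applies to an incoming rekey under Principles 2 and 4 (authorization against the token, authentication of the sender, token-version synchronization, freshness), as an added illustration that is not GSAKMP code or the authors' own. The token fields, the entity names and the use of HMAC in place of certificate-based signatures are assumptions made for this demo.

```python
import hmac
import hashlib
import json

# Constructed policy token: stands in for the GSAKMP policy token that names
# the entities allowed to affect the group's security posture (assumption).
POLICY_TOKEN = {
    "group_id": "demo-group",
    "token_version": 3,
    "authorized_rekey": ["group-owner"],
    "max_clock_skew": 60,  # seconds of acceptable timestamp drift
}

# Constructed per-entity credentials. HMAC keys stand in for the signing keys
# GSAKMP would authenticate via certificates; this is a demo assumption.
CREDENTIALS = {
    "group-owner": b"owner-secret",
    "member-7": b"member-secret",
}

def _mac(key, body):
    # Canonical JSON so sender and verifier authenticate identical bytes.
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def build_rekey(sender, token_version, new_key_id, ts):
    # Rekey message as issued by `sender`, signed with that sender's credential.
    body = {"type": "rekey", "group_id": POLICY_TOKEN["group_id"],
            "sender": sender, "token_version": token_version,
            "new_key_id": new_key_id, "ts": ts}
    return {"body": body, "sig": _mac(CREDENTIALS[sender], body)}

def verify_rekey(msg, token, now):
    # Returns (accepted, reason); order mirrors the slide: authorization,
    # signature, token synchronization, then freshness.
    body = msg["body"]
    sender = body.get("sender")
    if sender not in token["authorized_rekey"] or sender not in CREDENTIALS:
        return (False, "authorization failure: sender not designated in token")
    expected = _mac(CREDENTIALS[sender], body)
    if not hmac.compare_digest(expected, msg["sig"]):
        return (False, "incorrect signature")
    if body.get("token_version") != token["token_version"]:
        return (False, "token mismatch")
    if abs(now - body.get("ts", 0)) > token["max_clock_skew"]:
        return (False, "timestamp outside window")
    return (True, "accepted")
```

A rekey that fails any check is dropped rather than applied, so a counterfeit cannot desynchronize the member from the rest of the group.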
Conclusions
Principles illustrate necessary requirements
– Define and enforce policy
– Failure recovery
– How to ensure that good policy is defined?