Principles of Policy in Secure Groups


Transcript of Principles of Policy in Secure Groups

Page 1: Principles of Policy in Secure Groups

Principles of Policy in Secure Groups

Hugh Harney SPARTA, Inc.

Andrea Colegrove SPARTA, Inc.

Patrick McDaniel University of Michigan

Page 2: Principles of Policy in Secure Groups

Definitions

A secure group is the collection of cooperating entities operating under a shared security policy

Security policies combine elements of Identification and Authentication, Authorization, Access Control, Mechanism Choices, and mechanisms for verifying the Validity of each

Page 3: Principles of Policy in Secure Groups

Peer vs. Group

Different assumptions can be made for each:

– Peers -- can determine who they are communicating with, can participate in key exchange, and negotiate mechanisms according to local policy

– Groups -- the security association is larger and more abstract than its pair-wise counterpart

This difference affects which parts of policy must be explicitly determined and how that policy is enforced.

Page 4: Principles of Policy in Secure Groups

Explicit Policy Elements

Identification -- Explicitness principle, etc.

Access Control -- Who will you potentially communicate with?

Authorization -- Who can affect the security?

Security Mechanisms -- How is the data protected?

Verification -- Bootstrap

Page 5: Principles of Policy in Secure Groups

Principle 1

Enforcement of group policy must be consistent across a group

Consistency

– mechanism equivalence

– synchronization

Consequence: Weakest link concept

Page 6: Principles of Policy in Secure Groups

Example of Principle 1

GSAKMP enforces the use of equivalent mechanisms through policy token definition

It provides methods for key and policy synchronization

– Joins

– Rekey

– Compromise recovery

– Policy token updates

Page 7: Principles of Policy in Secure Groups

Principle 2

Only authorized entities can affect the security posture of the group

– Policy creation, key dissemination, rekey initiation, and group destruction

– These actions affect the group security posture

– Limited to designated authorities

Authorization and Authentication checks

Page 8: Principles of Policy in Secure Groups

Example of Principle 2

How GSAKMP limits security posture influence to authorized entities:

– Chain of trust

The policy token comes from an authorized source and is authenticated

– Known group owner, trusted third party, etc.

Authorized entities are identified in the token

Messages identified as affecting the security posture are verified to have come from an authorized entity
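Principle 1 (mechanism equivalence and synchronization) and Principle 2 (only token-named entities may change the posture) both reduce to checks a member runs against the policy token before acting on anything. The following is an added illustration, not GSAKMP code from the paper or the SPARTA implementation: the token layout, the field names, the sample group data and the HMAC authenticator (which stands in for the digital signature a real policy token carries, purely so the example runs on the Python standard library) are all assumptions of this example.

```python
"""Constructed example: a policy token drives a member's admission checks
(Principle 1) and its authorization checks (Principle 2). Not GSAKMP code;
token layout, field names and the HMAC-for-signature substitution are assumed."""
import hashlib
import hmac
import json


def canonical(body: dict) -> bytes:
    """Deterministic encoding so every party authenticates identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(body: dict, owner_key: bytes) -> dict:
    """Group owner authenticates the token body. A real token is signed with
    the owner's private key; HMAC is used only to keep this example stdlib-only."""
    auth = hmac.new(owner_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "auth": auth}


def accept_token(token: dict, trust_anchors: dict, local_mechanisms: dict,
                 current_version: int) -> list:
    """Member-side admission check. Returns the reasons to reject the token;
    an empty list means it may replace the member's current policy."""
    body, reasons = token["body"], []
    owner = body.get("owner")
    key = trust_anchors.get(owner)
    if key is None:
        # Chain of trust: nobody we trust vouches for this issuer.
        return [f"unknown owner {owner!r}"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["auth"]):
        # Do not reason about the contents of a token we cannot authenticate.
        return ["authenticator mismatch"]
    if body["version"] <= current_version:
        # Synchronization: an older or replayed token must not roll policy back.
        reasons.append(f"stale version {body['version']} <= {current_version}")
    for purpose, required in body["mechanisms"].items():
        if required not in local_mechanisms.get(purpose, ()):
            # Mechanism equivalence: a member that cannot run the token's
            # mechanism refuses to join rather than negotiating a weaker one,
            # otherwise it becomes the group's weakest link.
            reasons.append(f"cannot enforce {purpose}={required}")
    return reasons


def authorize_action(token: dict, action: str, sender: str) -> bool:
    """Principle 2: only entities the token names may perform a posture-changing
    action. The sender identity is assumed to be authenticated already."""
    return sender in token["body"]["authorized"].get(action, ())


# Constructed sample data for a stand-alone run (example values only).
OWNER_KEY = b"owner-1 trust anchor (example only)"
TRUST_ANCHORS = {"owner-1": OWNER_KEY}
TOKEN = issue_token({
    "group": "ops-telemetry",
    "owner": "owner-1",
    "version": 4,
    "mechanisms": {"data_cipher": "AES-256-GCM", "signature": "ECDSA-P256"},
    "authorized": {"rekey": ["gc-1"], "policy_update": ["owner-1"], "delete": ["owner-1"]},
}, OWNER_KEY)

CONFORMING = {"data_cipher": {"AES-256-GCM", "AES-128-GCM"}, "signature": {"ECDSA-P256"}}
WEAK_MEMBER = {"data_cipher": {"AES-128-CBC"}, "signature": {"ECDSA-P256"}}

if __name__ == "__main__":
    print(accept_token(TOKEN, TRUST_ANCHORS, CONFORMING, current_version=3))
    print(accept_token(TOKEN, TRUST_ANCHORS, WEAK_MEMBER, current_version=3))
    print(authorize_action(TOKEN, "rekey", "gc-1"), authorize_action(TOKEN, "rekey", "member-7"))
```

The ordering of the checks is the point: authenticity is decided first and nothing else in the token is consulted until it passes, version is compared strictly so a replayed token cannot undo an update, and a mechanism the member cannot run is a rejection rather than a downgrade. The same token is then the only source of truth for who may rekey or delete the group.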

Page 9: Principles of Policy in Secure Groups

Principle 3

Group content must be protected

– Access control

Secure key possession in accordance with access control policy + secure mechanisms

Page 10: Principles of Policy in Secure Groups

Example of Principle 3

How GSAKMP provides group content protection:

– Crypto mechanisms specified in token

– Access control policy specified in token and enforced through legitimate distribution

Page 11: Principles of Policy in Secure Groups

Principle 4

Groups must be capable of recovery from security relevant failures to a secure state

– Compromise recovery

– Group Deletion

– Secure (authenticated) transactions

Page 12: Principles of Policy in Secure Groups

Example of Principle 4

How GSAKMP provides recovery:

– Aborting failed join exchanges by either party

Signatures, nonces, id fields, inadequate credentials

– Detecting and rejecting counterfeited rekey

Incorrect signatures, timestamps, authorization failures (token mismatch)

– Detecting and rejecting fake deletion

– Access recovery via key trees such as LKH or OFC
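The key-tree recovery named on this slide is what makes Principle 3 (key possession tracks the access control policy) and Principle 4 (recovery to a secure state after a compromise) meet: a compromised member is cut out by replacing only the keys it held, and the legitimate members recover the new group key from O(log n) messages. The following Logical Key Hierarchy (LKH) walk-through is an added example, not GSAKMP or SPARTA code; the heap-style node numbering, the message layout and the toy keystream key wrap (standing in for the cipher a real policy token would name) are this example's own choices, and OFC is not covered.

```python
"""Constructed LKH (Logical Key Hierarchy) demo of compromise recovery.
Not GSAKMP code. toy_wrap stands in for the cipher a policy token would
name; the node numbering and message layout are this example's own."""
import hashlib
import hmac
import os


def toy_wrap(kek: bytes, payload: bytes) -> bytes:
    """XOR payload with an HMAC-SHA256 counter keystream derived from kek.
    Illustrative only; a deployment uses an authenticated key-wrap mode."""
    stream = b""
    counter = 0
    while len(stream) < len(payload):
        stream += hmac.new(kek, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(payload, stream))


toy_unwrap = toy_wrap  # keystream XOR: wrapping and unwrapping are the same op


class LKHTree:
    """Controller-side binary key tree, numbered as a heap: root is 1,
    children of node i are 2i and 2i+1, member m sits at leaf leaf_base + m."""

    def __init__(self, n_members: int, rng=os.urandom):
        depth = max(1, (n_members - 1).bit_length())
        self.leaf_base = 1 << depth
        self.rng = rng
        self.keys = {node: rng(32) for node in range(1, 2 * self.leaf_base)}

    def path(self, member: int) -> list:
        """Node ids from the member's leaf up to the root."""
        node, out = self.leaf_base + member, []
        while node >= 1:
            out.append(node)
            node //= 2
        return out

    def member_keys(self, member: int) -> dict:
        """What a member holds after a legitimate join: its leaf key and
        every ancestor key, the root key being the group data key."""
        return {n: self.keys[n] for n in self.path(member)}

    def group_key(self) -> bytes:
        return self.keys[1]

    def evict(self, member: int) -> list:
        """Compromise recovery. Discard the evicted leaf key, then replace each
        ancestor key bottom-up, wrapping the new key under every surviving
        child key. The evicted member holds none of those wrapping keys, so it
        is locked out; everyone else recovers from O(log n) messages.
        Returns (wrap_node, target_node, ciphertext) triples in send order."""
        msgs = []
        path = self.path(member)
        del self.keys[path[0]]
        for node in path[1:]:
            new_key = self.rng(32)
            self.keys[node] = new_key
            for child in (2 * node, 2 * node + 1):
                if child in self.keys:
                    msgs.append((child, node, toy_wrap(self.keys[child], new_key)))
        return msgs


def apply_rekey(held: dict, msgs: list) -> dict:
    """Member side: unwrap every message whose wrapping key we hold. Messages
    arrive bottom-up, so a key unwrapped at one level opens the next."""
    held = dict(held)
    for wrap_node, target_node, ct in msgs:
        if wrap_node in held:
            held[target_node] = toy_unwrap(held[wrap_node], ct)
    return held


def demo(n_members: int = 8, evicted: int = 3) -> tuple:
    """Evict one member; return (message count, members holding the new
    group key, whether the evicted member also recovered it)."""
    tree = LKHTree(n_members)
    held = {m: tree.member_keys(m) for m in range(n_members)}
    msgs = tree.evict(evicted)
    updated = {m: apply_rekey(held[m], msgs) for m in range(n_members)}
    recovered = [m for m in range(n_members)
                 if m != evicted and updated[m][1] == tree.group_key()]
    return len(msgs), recovered, updated[evicted].get(1) == tree.group_key()


if __name__ == "__main__":
    print(demo())
```

With eight members, evicting one costs five rekey messages (one for the evicted leaf's sibling, then two per level above it) instead of seven point-to-point deliveries, and the gap widens with group size. The evicted member still holds its old ancestor keys, but every new key is wrapped only under keys it never had or under keys that were just replaced, so unwrapping with stale material yields garbage rather than the group key. In a GSAKMP deployment the rekey messages would additionally be signed by the entity the token authorizes to rekey, which is the counterfeit-rekey check on the same slide.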

Page 13: Principles of Policy in Secure Groups

Conclusions

Principles illustrate necessary requirements

– Define and enforce policy

– Failure recovery

– How to ensure that good policy is defined?