SPKI analysis SPKI analysis in in

strand spacestrand space

Alex Vidergar, 1Lt, USAFAlex Vidergar, 1Lt, USAFAir Force Institute of TechnologyAir Force Institute of TechnologyGraduate School of Computer Science & EngineeringGraduate School of Computer Science & EngineeringThesis Advisor: Robert Graham, Maj, USAFThesis Advisor: Robert Graham, Maj, USAF

OverviewOverview SPKISPKI

• what it is and why we use itwhat it is and why we use it

Strand SpaceStrand Space• How this tool was used effectivelyHow this tool was used effectively

Example AnalysisExample Analysis• Transport Layer Security (TLS)Transport Layer Security (TLS)

Conclusions about new security propertiesConclusions about new security properties• AuthorizationsAuthorizations

Simple Public Key InfrastructureSimple Public Key Infrastructure

Championed by Ron Rivest (RSA) and Championed by Ron Rivest (RSA) and

Carl Ellison (Intel)Carl Ellison (Intel)

Simple Distributed Security Infrastructure (SDSI) Simple Distributed Security Infrastructure (SDSI) and SPKI merged in the 90sand SPKI merged in the 90s

Developed to overcome shortcoming in the Developed to overcome shortcoming in the currently deployed PKI (X.509)currently deployed PKI (X.509)

Two types of certificates Name & AuthorizationTwo types of certificates Name & Authorization

X.509 ShortcomingsX.509 Shortcomings Unrealistic GoalsUnrealistic Goals

• Global reach of the x.500 directoryGlobal reach of the x.500 directory• Single global standardSingle global standard• Unique names in one namespaceUnique names in one namespace

PrivacyPrivacy• Participation in the network may unwillingly Participation in the network may unwillingly

revealing details about organization revealing details about organization

Lack of FlexibilityLack of Flexibility• Updated information impossibleUpdated information impossible• Multiple keys unsupportedMultiple keys unsupported

SPKI SolutionsSPKI Solutions

Egalitarian DesignEgalitarian Design• Every Principal acts as Certificate Authority Every Principal acts as Certificate Authority

(CA)(CA)• Local NamesLocal Names

Humans tend to relate well to things they name Humans tend to relate well to things they name themselvesthemselves

Local name spaceLocal name space• Allows unique names to be applied as Allows unique names to be applied as

understood by the principals that will be using understood by the principals that will be using themthem

• Fully qualified names act globallyFully qualified names act globally Alice’s Bob’s Charlie ≠ Allison’s Bob’s CharlieAlice’s Bob’s Charlie ≠ Allison’s Bob’s Charlie

SPKI SolutionsSPKI Solutions

Delegation of AuthorityDelegation of Authority• Delegation bitDelegation bit• University ExampleUniversity Example

University EnrollmentUniversity Enrollment Course EnrollmentCourse Enrollment

• DepartmentDepartment School School

- student- student

SPKI: Authorization TagsSPKI: Authorization Tags

Customized to applicationsCustomized to applications• Once again not standardizedOnce again not standardized• FlexibilityFlexibility

Security through obscurity?Security through obscurity?• What is access of 10 mean?What is access of 10 mean?• More importantly, meaningful to the More importantly, meaningful to the

issuers of access to a resourceissuers of access to a resource

SPKI: Flexibility or Meager Design?SPKI: Flexibility or Meager Design?

Constant theme of FlexibilityConstant theme of Flexibility• Very Vague SpecificationVery Vague Specification

Highly customizableHighly customizable

• Requires diligence in implementationRequires diligence in implementation Easily integrated into a systemEasily integrated into a system Potential security issues may arisePotential security issues may arise

Solution: Strand space analysisSolution: Strand space analysis

Strand SpaceStrand Space

Existing Strand Space ModelExisting Strand Space Model• Public Key ProtocolPublic Key Protocol

Diffie-HellmanDiffie-Hellman Injective hash functionInjective hash function Signatures in addition to encryptionsSignatures in addition to encryptions

• Mixed Strand SpaceMixed Strand Space Disparate protocols operating in the same spaceDisparate protocols operating in the same space RespectRespect Disjoint EncryptionDisjoint Encryption

Strand Space : MergeStrand Space : Merge

Mixed PKI Strand SpaceMixed PKI Strand Space

• Amalgamation of needed features of Amalgamation of needed features of previous strand space modelsprevious strand space models

• Ideal environment for testing SPKI Ideal environment for testing SPKI protocols being integrated into other protocols being integrated into other systemssystems

TLS : AnalysisTLS : Analysis

Ideal analysis protocol: Ideal analysis protocol:

Transport Layer SecurityTransport Layer Security

Arguably the most widely used Internet Arguably the most widely used Internet protocol for secure transactionsprotocol for secure transactions

Intrinsic use of certificatesIntrinsic use of certificates• Uses x.509Uses x.509

Layered protocol executionLayered protocol execution• TLS > DH > ResumeTLS > DH > Resume

TLS : modificationsTLS : modifications

TLS uses x.509 certificatesTLS uses x.509 certificates• Mayweh implements SSL with SPKIMayweh implements SSL with SPKI

Substitute x.509 for SPKI name certsSubstitute x.509 for SPKI name certs Functionally identicalFunctionally identical Limited Network securityLimited Network security

• Assumed operating in secure environmentAssumed operating in secure environment

TLS : the sweet OnionTLS : the sweet Onion

TLS is a layer of protocolsTLS is a layer of protocols• TLS itself is a shellTLS itself is a shell

Arranges for other protocols to runArranges for other protocols to run

• Does not provide securityDoes not provide security Security provided by sub protocolsSecurity provided by sub protocols

• Diffie-HellmanDiffie-Hellman• RSA RSA

TLS : Primary ProtocolsTLS : Primary Protocols

ServerServer

AuthenticationAuthentication

ProtocolProtocol

Client unauthenticatedClient unauthenticated

TLS : Primary ProtocolsTLS : Primary Protocols

Server & ClientServer & Client

AuthenticationAuthentication

ProtocolProtocol

Both principalsBoth principals

authenticatedauthenticated

Mixed Strand Space : ResumeMixed Strand Space : Resume

Resume ProtocolResume Protocol

Inherently Inherently uninterestinguninteresting

Provides only a Provides only a recount of a recount of a previously executed previously executed sessionsession

Relies on message Relies on message digest for coordination digest for coordination and agreementand agreement

Mixed Strand Space : Mixed Strand Space : Certificate Chain DiscoveryCertificate Chain Discovery

Certificate Chain Discovery ProtocolCertificate Chain Discovery Protocol

Designed from the ground up with TLS in mindDesigned from the ground up with TLS in mind• establish authentication of CAestablish authentication of CA• validation of certificatevalidation of certificate• maintain security of primary protocolmaintain security of primary protocol

Mixed Strand Space : Mixed Strand Space : Certificate Chain DiscoveryCertificate Chain Discovery

Possible to assume Possible to assume disjoint set of keysdisjoint set of keys• therefore therefore

disjoint encryption is disjoint encryption is trivialtrivial

Message formats Message formats designed disjointlydesigned disjointly• once again simple once again simple

proof of respect if proof of respect if designed properlydesigned properly

AnalysisAnalysis

RespectRespect• Concept born in paper Concept born in paper Mixed Strand SpacesMixed Strand Spaces• Supplemented Supplemented

Method for defining respectMethod for defining respect• Characterize test componentsCharacterize test components• Identify sets of messagesIdentify sets of messages

Applied to Diffie-Hellman Applied to Diffie-Hellman

• Protocol design based on RespectProtocol design based on Respect SPKI Certificate Chain DiscoverySPKI Certificate Chain Discovery

• Disjoint EncryptionDisjoint Encryption• Respect of primary protocol’s test componentsRespect of primary protocol’s test components

• Necessary to Prove for each protocol as Necessary to Prove for each protocol as primary?primary?

AnalysisAnalysis

Disjoint Encryption Disjoint Encryption • Protocol Independence through Disjoint EncryptionProtocol Independence through Disjoint Encryption• Better Refined concept of respect Better Refined concept of respect → Independence→ Independence

Disjoint set of test componentsDisjoint set of test components Previous notion of Respect Previous notion of Respect

• covers naïve case of disjoint setscovers naïve case of disjoint sets Allows more complex secondary protocols to be designedAllows more complex secondary protocols to be designed

• In the CCD Protocol Design CaseIn the CCD Protocol Design Case CCD design from respect is indeed Disjoint EncryptionCCD design from respect is indeed Disjoint Encryption

• Disjoint Outbound Disjoint Outbound simple case: no shared termssimple case: no shared terms• Disjoint InboundDisjoint Inbound

• Visual representation of mixed strand spacesVisual representation of mixed strand spaces Problematic with entwined sub-protocolsProblematic with entwined sub-protocols

Simple and PowerfulSimple and Powerful Signed statements are certificationsSigned statements are certifications

An authority is an authority An authority is an authority • Certificate Authorities traditionally are simply Certificate Authorities traditionally are simply

name authoritiesname authorities Does not have to be limited to namesDoes not have to be limited to names

Authorizations are thus provided by an Authorizations are thus provided by an authorization principalauthorization principal• Already incorporated with authorization Already incorporated with authorization

certificates in SPKI standardcertificates in SPKI standard

Explicit Rely-Guarantee FunctionalityExplicit Rely-Guarantee Functionality

SummarySummary

SPKISPKI• Vague specification makes it flexibleVague specification makes it flexible

Requires diligence in implementationRequires diligence in implementation Strand SpaceStrand Space

• Mixed-PKI strand spaceMixed-PKI strand space TLSTLS

• Ideal testing ground for SPKI analysisIdeal testing ground for SPKI analysis AuthorizationAuthorization

• Intrinsic to SPKI standardIntrinsic to SPKI standard• CA are trusted to provideCA are trusted to provide

QuestionsQuestions