Antigone: Security Policy Management in Group Communication
Patrick McDaniel
EECS, University of Michigan
April 30, 2001
Outline
Problem Statement
Ismene Group Policy Management
Antigone Communication Infrastructure
Implementation and Applications
Scenario 1
(Diagram: a headquarters shares applications, a printer, a scanner and a fax with telecommuters, customers and consultants. Security needs: confidentiality, integrity, authenticity, authorization.)
Scenario 2
(Diagram: a contract negotiation among legal representatives, an arbitrator and satellite offices. Security needs: confidentiality, integrity, authenticity, authorization, commitment.)
Problem
How do we develop and enforce a group session security policy appropriate for the run-time environment and membership within a single framework?
Session requirements may be unique
Each entity may have unique abilities and constraints
The structure and needs of the group may change dramatically over time
(Our) definition of session policy
“... a statement of the entirety of security relevant parameters and facilities used to implement the group.”
(Diagram: group members connected through a network.)
Who are the entities allowed to participate, and in what capacity? (authorization and access control)
Which mechanisms will be used to achieve mission-critical goals? (provisioning)
Note: historically not restricted to electronically distributed
Related Work
Policy Management: IPsec SPS, Policy Working Group
Group/Coalition Policy Management: MSME, GSAKMP, DCCM, SMuG/MSEC
Authorization and Access Control: GAA-API, Extended ACLs, and many more
Trust Management: REFEREE, PolicyMaker, KeyNote, SPKI/SDSI, Strongman
Contributions
Investigation of Policy: Group Policy Design Space
Policy Determination (Ismene)
Policy Enforcement (Antigone)
Goals
Policy Determination
Flexibly express conditional session requirements
Support reconciliation of member policies
Allow assessment of session policy against local requirements
Efficiently derive/evaluate policy
Policy Enforcement
Provide efficient, secure (unreliable) group communication
Support a wide range of security services/policies
Easily integrate new services/policies
The Antigone/Ismene Approach
(Architecture diagram: the group policy and the local policies feed the Ismene policy compiler, which produces a policy instantiation such as Confidentiality/DES, Integrity/HMAC, Key Management/LKH; the Antigone policy engine then configures the security services and transport services beneath the group API used by the application.)
Secure Group Policy Dimensions
Session rekeying policy: how and when to rekey?
Data security policy: content guarantees
Membership policy: distribution/accuracy of membership
Process failure policy: which failures are detected/recovered from?
Authorization and access control
Example Policy: Confidentiality
Confidentiality Policy: All code reviews using the distributed editor must be confidential.
session: GroupType(codeReview), Application(DistEdit) :: config(datahandler(guar=conf));
The policy states the requirements appropriate for the application, data sensitivity, membership, and other aspects of the environment.
Example Policy: Group Participation
Group Participation Policy: Only members of the legal department can participate in contract negotiations.
join : GroupType(contractNegotiation), credential(&cert, $cert.issuer=$CA, $cert.type="X.509", $cert.ORG="LegalDept") :: accept;
Any number of possible services may be used for stating authorization and access control.
An Antigone Group
(Diagram: a policy issuer publishes the policy specification to a policy repository; the initiator (M0) and each member (M1, M2, M3, ..., Mn) combine that specification with their own local policy to obtain the instantiated policy.)
Ismene Policy Description Language (IPDL)
Clause: (policy) tag : (if) conditionals :: (then) consequences
Tags identify sub-policies that must be satisfied; conditionals test the environment (predicates); consequences apply policy.
E.g., "All contract negotiations must use a leave-sensitive LKH key management service. Other sessions should use KEK key management."
groupprot: GroupType(contractNegotiation) :: config(lkhkeymgmt(sens=leave));
groupprot: :: config(kekkeymgmt());
Consequences
Describe the results of a positive evaluation of the conditionals.
Tags
Configuration:
config(lkhkeymgmt());
config(lkhkeymgmt(keytime=10secs));
Pick statements:
pick(config(lkhkeymgmt(keytime=10secs)), config(kekkeymgmt(keytime=5secs)));
Provisioning Policy Evaluation
provision : :: keymgt, dhandler, fprot;
keymgt : GroupType(contractNegotiation) :: config(lkhkeymgt());
keymgt : :: config(kekkeymgt());
dhandler : GroupType(contractNegotiation) :: config(dhnd(crypt=aes));
dhandler : :: pick(config(dhnd(crypt=des)), config(dhnd(crypt=rc4)));
fprot : :: config(chainfp()), fpparms;
fpparms : groupsize(>100) :: config(chainfp(hbperiod=5));
fpparms : :: config(chainfp(hbperiod=3));
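A toy evaluator for the provisioning policy above, added here as an illustration; it is not Ismene's own compiler. It assumes first-match semantics (clauses sharing a tag are tried in order and the first whose conditionals all hold applies) and that config() statements for the same mechanism merge, which is how fpparms adds hbperiod to chainfp.

```python
from dataclasses import dataclass

@dataclass
class Clause:
    tag: str
    conds: list          # "if": predicates over the environment, all must hold
    consequences: list   # "then": sub-tags, config() and pick() statements

# Consequence constructors and conditionals mirroring the IPDL forms on the slide.
def sub(tag):               return ("tag", tag)
def config(mech, **params): return ("config", mech, params)
def pick(*alternatives):    return ("pick", list(alternatives))
def GroupType(kind):        return lambda env: env["GroupType"] == kind
def groupsize_over(n):      return lambda env: env["groupsize"] > n

def evaluate(policy, tag, env, result=None):
    """Resolve `tag` in environment `env` (assumed first-match semantics).
    Returns {"config": {mechanism: merged params}, "pick": [alternatives, ...]}."""
    result = result if result is not None else {"config": {}, "pick": []}
    for clause in (c for c in policy if c.tag == tag):
        if all(cond(env) for cond in clause.conds):
            for kind, *rest in clause.consequences:
                if kind == "tag":                      # recurse into a sub-policy
                    evaluate(policy, rest[0], env, result)
                elif kind == "config":                 # merge params per mechanism
                    result["config"].setdefault(rest[0], {}).update(rest[1])
                else:                                  # pick: defer to reconciliation
                    result["pick"].append(rest[0])
            return result
    raise ValueError(f"no clause for tag {tag!r} holds in this environment")

# The provisioning policy from the slide, transcribed clause by clause.
PROVISIONING = [
    Clause("provision", [], [sub("keymgt"), sub("dhandler"), sub("fprot")]),
    Clause("keymgt", [GroupType("contractNegotiation")], [config("lkhkeymgt")]),
    Clause("keymgt", [], [config("kekkeymgt")]),
    Clause("dhandler", [GroupType("contractNegotiation")], [config("dhnd", crypt="aes")]),
    Clause("dhandler", [], [pick(config("dhnd", crypt="des"), config("dhnd", crypt="rc4"))]),
    Clause("fprot", [], [config("chainfp"), sub("fpparms")]),
    Clause("fpparms", [groupsize_over(100)], [config("chainfp", hbperiod=5)]),
    Clause("fpparms", [], [config("chainfp", hbperiod=3)]),
]

if __name__ == "__main__":
    # A 150-member code review (constructed environment): KEK key management,
    # DES-or-RC4 left as a pick, chained failure detection with a 5s heartbeat.
    print(evaluate(PROVISIONING, "provision", {"GroupType": "codeReview", "groupsize": 150}))
```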
Authorization and Access Control
Credentials are modeled as sets of attributes
E.g., X.509 certificates consist of attributes for subject/common name, ...
Credential conditions test the existence of credentials with specific attributes
Authorization and Access Control Clauses
join : day(Monday), config(kekkeymgt()), credential(&tick, $tick.service=contractconference, $tick.server=bigco.com) :: accept;
IPDL represents a closed world
Integrating External Authorization and Access Control
The current approach is designed to express simple authorization and access control; some applications may require more sophistication.
Using an external policy infrastructure (e.g., KeyNote):
join : KeyNote($requestor, $attrset, $grppol, $creds) :: accept;
Policy Reconciliation
The group policy and each local policy are evaluated (result: config, pick, and authorization/access control statements)
Example: kekkeymgt(), chainfp(hbperiod=5), pick(config(dhnd(crypt=des)), config(dhnd(crypt=rc4)))
Reconciliation: given the evaluated group and local policies, how do we arrive at a single configuration?
Provisioning Reconciliation Strategies
Option 1: Prioritized local policies (implemented)
Option 2: Finding the largest satisfiable subgroup (NP-complete; reduction: MAX2SAT)
Group policy: a, b, pick(c,d), pick(e,f)
Local policy A: d, pick(e,f)
Local policy B: d, pick(e,g)
Policy instantiation: a, b, d, e
Authorization and Access Control Reconciliation Strategies
How do we reconcile the authorization and access control statements to arrive at a definition satisfying all local policies?
OR (if any policy would accept), AND (if all policies accept)
Group policy:
join : C1 :: accept;
join : C2 :: accept;
Local policy A:
join : C3 :: accept;
Local policy B:
join : C4 :: accept;
Policy instantiation:
join : ((C1 or C2) and C3 and C4) :: accept;
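The two reconciliation strategies from the preceding slides (prioritized provisioning reconciliation over a, b, pick(c,d), pick(e,f), and the OR/AND combination of join clauses), worked through in added example code that is not part of Ismene. The credential attribute tests behind C1..C4 are constructed for the example.

```python
from itertools import product

# Evaluated policies as requirement lists: a requirement is the tuple of
# mechanisms that would satisfy it (a plain config() is a single element, a
# pick() lists its alternatives in preference order).  Values mirror the slide.
GROUP = [("a",), ("b",), ("c", "d"), ("e", "f")]
LOCAL = [[("d",), ("e", "f")],          # local policy A (highest priority)
         [("d",), ("e", "g")]]          # local policy B

def satisfies(instantiation, policy):
    """Every requirement of `policy` has at least one of its options chosen."""
    return all(any(opt in instantiation for opt in req) for req in policy)

def reconcile(group, locals_by_priority):
    """Option 1, prioritized local policies: try every way of resolving the
    group's pick statements and keep the instantiation that satisfies the local
    policies best in priority order (ties go to the earlier-listed alternative).
    Exhaustive, so it suits a handful of picks only."""
    best, best_score = None, None
    for choice in product(*group):
        inst = tuple(dict.fromkeys(choice))       # drop duplicates, keep order
        score = tuple(satisfies(inst, lp) for lp in locals_by_priority)
        if best_score is None or score > best_score:
            best, best_score = inst, score
    unsatisfied = [i for i, ok in enumerate(best_score) if not ok]
    return best, unsatisfied                      # indices of local policies overridden

# Authorization and access control: join clauses as predicates over the join
# request.  C1..C4 label the slide's clauses; the attribute tests are constructed.
C1 = lambda r: r.get("cert_org") == "LegalDept"       # group policy
C2 = lambda r: r.get("ticket_server") == "bigco.com"  # group policy
C3 = lambda r: r.get("cert_issuer") == "ExampleCA"    # local policy A
C4 = lambda r: r.get("day") != "Sunday"               # local policy B

def reconcile_join(group_clauses, local_policies):
    """Accept if some group clause accepts (OR) and every local policy accepts
    through at least one of its own clauses (AND across policies)."""
    def accept(request):
        return (any(c(request) for c in group_clauses)
                and all(any(c(request) for c in lp) for lp in local_policies))
    return accept

if __name__ == "__main__":
    print(reconcile(GROUP, LOCAL))                 # (('a', 'b', 'd', 'e'), [])
    join = reconcile_join([C1, C2], [[C3], [C4]])
    print(join({"cert_org": "LegalDept", "cert_issuer": "ExampleCA", "day": "Monday"}))
```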
Compliance
)()(| ccc
Is the session policy instantiation consistent with my local policy?
Provisioning compliance (containment): simple search, P-time
Authorization and access control: for all actions/conditions, is the group policy more specific (less permissive) than the local policy?
The closely related problem of secure interoperability is NP [Gong and Qian, 1994]
Note: reconciled policies are trivially compliant
Ismene Summary
IPDL is a language for expressing group policy
Provisioning and access control flexibly specified
Policies sensitive to changing conditions
Algorithm efficiency
Other features: analysis, reconfig, ...

Participant | Reconciliation | Provisioning Compliance | A+ACtrl Compliance
Initiator / Reconciled Member | P | Known a priori | Known a priori
Unreconciled Member | None | P | P
Antigone
Group communication framework implementing policy through the flexible composition of security mechanisms
Composition directed by the security policy specification
Study of the requirements and enforcement of group policy
(Diagram: the application sits on the group interface; beneath it the policy engine drives a mechanisms layer (M1, M2, M3, ..., Mn) over a broadcast transport layer carrying multicast or point-to-point UDP/IP.)
Antigone Policy Enforcement Architecture
Given a group policy, coordinates the provisioning and enforcement of available services
A mechanism is a basic service used to implement the group, e.g., a data handler (MSEC, GSAKMP, ...)
Event-based architecture: security-relevant events are detected and distributed to interested mechanisms; policy directs the reaction to observed events
Antigone Architecture
(Diagram: as before, with an event bus connecting the group interface, the policy engine and the mechanisms: membership management, key management, data handler and fault detection, above the broadcast transport.)
Policy Enforcement
(Diagram: a buffer submitted for sending raises a send event (SE); the send is checked against policy (Send? Yes) before the mechanisms process the buffer in turn, yielding a message laid out as header, encrypted payload and HMAC.)
Features/Optimizations
Message construction/marshalling: implementing the many mechanism protocol variants is difficult (e.g., AH, ESP, MESP, ...); generalized message handling
Internal buffer handling: messages are frequently created/destroyed; internal heap of often used/resized buffer objects
Minimization of byte copying, key context switching
Throughput and Latency
(Plots: throughput in megabytes/second and round-trip time in msec against packet size in bytes (30 to 8192), Direct versus Antigone.)
Antigone Overhead
Constant overhead (50 usec/message)
(Pie chart: breakdown among marshalling, event processing, buffer management and queueing; shares of 46%, 40%, 10% and 4%.)
Antigone Summary
Framework for enforcing group policy
Supports a wide range of security services
Event-based architecture
Easy integration of new services and policies
Efficient implementation: low per-packet overhead (50 usec), high throughput
Implementation Status
Antigone API: six libraries implementing various security, group management, and transport-level services
Language grammar, apcc compiler
30,000 lines of C++ code
Supports a wide range of secure group communication mechanisms (e.g., OpenSSL)
Currently alpha: experimenting/optimizing/developing
Freely available: http://antigone.eecs.umich.edu
Applications
Simultaneous groups distribute files implementing policies appropriate for their content
Secure Group Messaging Service: group-based secure instant messaging (e.g., ICQ, MS-M)
Native Antigone "bump-in-the-stack": secure existing applications
AMirD: secure filesystem replication; filesystem state updated over a secure "control group"
Conclusions
Ismene: language and infrastructure for flexible and efficient policy determination
Flexible conditional statements of provisioning and authorization and access control
Efficient reconciliation and analysis (and compliance)
Antigone: framework for the flexible and efficient enforcement of group security policy
Unreliable group communication service
Easy integration of new services and policies
Low latency, high throughput group communication
Applications illustrate the Antigone policy approach
Contact Information
Comments and questions are welcome
Antigone/Ismene Website: http://antigone.eecs.umich.edu/