antigone: security policy management in group communication
Antigone: Security Policy Management in Group Communication
Patrick McDaniel
EECS, University of Michigan
April 30, 2001

Outline
  Problem Statement
  Ismene Group Policy Management
  Antigone Communication Infrastructure
  Implementation and Applications

Scenario 1
[Diagram labels: Headquarters; Application 1; Application 2; Printer; Scanner; Fax; Telecommuters; Customers; Consultants]
Confidentiality
Integrity
Authenticity
Authorization

Scenario 2
[Diagram labels: Contract Negotiation; Legal Representatives; Arbitrator; Satellite Offices]
Confidentiality
Integrity
Authenticity
Authorization
Commitment

Problem
How do we develop and enforce a group session security policy appropriate for the run-time environment and membership within a single framework?
  Session requirements may be unique
  Each entity may have unique abilities and constraints
  The structure and needs of the group may change dramatically over time

(Our) definition of session policy
“... a statement of the entirety of security relevant parameters and facilities used to implement the group.”
[Diagram labels: Member (x8); Network]
who are the entities allowed to participate and in what capacity (authorization and access control)
which mechanisms will be used to achieve mission critical goals (provisioning)
Note: historically not restricted to electronically distributed

Related Work
Policy Management
  IPsec SPS, Policy Working Group
Group/Coalition Policy Management
  MSME, GSAKMP, DCCM, SMuG/MSEC
Authorization and Access Control
  GAA-API, Extended ACLs, and many more
Trust management
  REFEREE, PolicyMaker, KeyNote, SPKI/SDSI, Strongman

Contributions
Investigation of Policy
  Group Policy Design Space
  Policy Determination (Ismene)
  Policy Enforcement (Antigone)

Goals
Policy Determination
  Flexibly express conditional session requirements
  Support reconciliation of member policies
  Allow assessment of session policy with local requirements
  Efficiently derive/evaluate policy
Policy Enforcement
  Provide efficient, secure (unreliable) group communication
  Support a wide range of security services/policies
  Easily integrate new services/policies

The Antigone/Ismene Approach
[Diagram labels: Application; Group API; Antigone; Policy Engine; Security Services; Transport Services; Ismene; Policy Compiler; Group Policy; Local Policies; Policy Instantiation; Confidentl/DES, Integrity/HMAC, KeyMgmt/LKH]

Secure Group Policy Dimensions
Session rekeying policy
  How and when to rekey?
Data security policy
  Content guarantees
Membership policy
  Distribution/accuracy of membership
Process failure policy
  Failures detected/recovered from?
Authorization and Access Control

Example Policy: Confidentiality
Confidentiality Policy : All code reviews using the distributed editor must be confidential.
session: GroupType(codeReview),
Application(DistEdit)
:: config(datahandler(guar=conf));
Policy states the requirements appropriate for application, data sensitivity, membership, and other aspects of the environment

Example Policy: Group Participation
Group Participation Policy: Only members of the legal department can participate in contract negotiations.
join : GroupType(contractNegotiation),
       credential(&cert, $cert.issuer=$CA, $cert.type="X.509", $cert.ORG="LegalDept")
    :: accept;
Any number of possible services may be used for stating authorization and access control

An Antigone Group
[Diagram labels: Policy Issuer; Policy Repository; Initiator (M0); Member (M1); Member (M2); Member (M3); ...; Member (Mn). Key: Local Policy; Instantiated Policy; Policy Specification]

Ismene Policy Description Language (IPDL)
Clause: (policy) tag : (if) conditionals :: (then) consequences
  Tags identify sub-policies that must be satisfied
  Conditionals test the environment (predicate)
  Consequences apply policy
E.g., “All Contract negotiations must use a leave-sensitive LKH key management service. Other sessions should use KEK key management.”
groupprot: GroupType(contractNegotiation) :: config(lkhkeymgmt(sens=leave));
groupprot: :: config(kekkeymgmt());

Consequences
Describes results of positive evaluation of conditionals
Tags
Configuration
  config(lkhkeymgmt());
  config(lkhkeymgmt(keytime=10secs));
Pick Statements
  pick(config(lkhkeymgmt(keytime=10secs)),
       config(kekkeymgmt(keytime=5secs)));

Provisioning Policy Evaluation
provision : :: keymgt, dhandler, fprot;
keymgt : GroupType(contractNegotiation) :: config(lkhkeymgt());
keymgt : :: config(kekkeymgt());
dhandler : GroupType(contractNegotiation) :: config(dhnd(crypt=aes));
dhandler : :: pick(config(dhnd(crypt=des)), config(dhnd(crypt=rc4)));
fprot : :: config(chainfp()), fpparms;
fpparms : groupsize(>100) :: config(chainfp(hbperiod=5));
fpparms : :: config(chainfp(hbperiod=3));
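
How the provisioning clauses above resolve for a given session can be traced with a small interpreter. The Python below is an added example, not Antigone/Ismene code. It assumes that the first clause of a tag whose conditionals all hold is the one applied and that `GroupType` and `groupsize` come from a hypothetical environment dictionary; the clauses are written with balanced `pick` parentheses and an explicit `::` in the default `fpparms` clause.

```python
import re

# The slide's clauses (pick parentheses balanced, explicit "::" everywhere).
POLICY = """
provision : :: keymgt, dhandler, fprot;
keymgt : GroupType(contractNegotiation) :: config(lkhkeymgt());
keymgt : :: config(kekkeymgt());
dhandler : GroupType(contractNegotiation) :: config(dhnd(crypt=aes));
dhandler : :: pick(config(dhnd(crypt=des)), config(dhnd(crypt=rc4)));
fprot : :: config(chainfp()), fpparms;
fpparms : groupsize(>100) :: config(chainfp(hbperiod=5));
fpparms : :: config(chainfp(hbperiod=3));
"""

def split_top(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return parts + ([cur.strip()] if cur.strip() else [])

def parse(policy):
    """Return the clauses in order as (tag, conditionals, consequences)."""
    clauses = []
    for stmt in filter(str.strip, policy.split(";")):
        head, conseq = stmt.split("::")
        tag, conds = head.split(":", 1)
        clauses.append((tag.strip(), split_top(conds), split_top(conseq)))
    return clauses

def holds(cond, env):
    """Test one conditional against the (hypothetical) environment dict."""
    name, arg = re.fullmatch(r"(\w+)\((.*)\)", cond).groups()
    if arg.startswith(">"):
        return env[name] > int(arg[1:])
    return str(env[name]) == arg

def evaluate(clauses, tag, env):
    """Assumed semantics: apply the first clause of `tag` whose conditionals hold."""
    for t, conds, conseqs in clauses:
        if t == tag and all(holds(c, env) for c in conds):
            out = []
            for c in conseqs:
                # config/pick statements are results; anything else is a sub-tag
                out += [c] if c.startswith(("config(", "pick(")) else evaluate(clauses, c, env)
            return out
    raise ValueError(f"policy unsatisfiable: no clause applies for {tag!r}")
```

Evaluating the `provision` tag for a large contract negotiation yields only `config` statements, while any other session keeps the unresolved `pick` for reconciliation to settle.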

Authorization and Access Control
Credentials are modeled as sets of attributes
E.g., X.509 Certificates consist of attributes for subject/common name, …
Credential conditions test the existence of credentials with specific attributes
Authorization and Access Control Clauses
join : day(Monday), config(kekkeymgt()), credential(&tick,$tick.service=contractconference,
$tick.server=bigco.com) :: accept;
IPDL represents a closed world

Integrating External Authorization and Access Control
Current approach designed to express simple authorization and access control
Some applications may require more sophistication
Using external policy infrastructure (e.g. KeyNote)
join : KeyNote($requestor, $attrset, $grppol, $creds)
:: accept;

Policy Reconciliation
The group policy and each local policy are evaluated (result: config, pick, Auth+A-Cntl statements)
  Example: kekkeymgt(), chainfp(hbperiod=5),
           pick(config(dhnd(crypt=des)), config(dhnd(crypt=rc4)))
Reconciliation: Given evaluated group and local policies, how do we arrive at a single configuration?
[Diagram labels: Group Policy; Local Policies; Ismene; Policy Compiler; Confidentl/DES, Integrity/HMAC, KeyMgmt/LKH]

Provisioning Reconciliation Strategies
Option 1: Prioritized local policies, implemented
Option 2: Finding largest satisfiable subgroup (NP-complete)
  Reduction: MAX2SAT
Group policy
a, b, pick(c,d), pick(e,f)
Local policy A
d, pick(e,f)
Local policy B
d, pick(e,g)
Policy Instantiation
a,b,d,e
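
The slide's example can be reproduced by resolving each group `pick` against the local policies. The Python below is an added example, not the Ismene algorithm itself: it assumes "prioritized" means local policies are admitted in priority order as long as some instantiation still satisfies every policy admitted so far, and that a local `pick` is satisfied when exactly one of its options is present. It enumerates all pick resolutions, which is only practical for a handful of picks.

```python
from itertools import product

# Constructed encoding of the slide's example: a policy is a list of
# requirements; a str is a config statement, a tuple is a pick.
GROUP = ["a", "b", ("c", "d"), ("e", "f")]
LOCALS = [("A", ["d", ("e", "f")]),   # listed in priority order (assumed)
          ("B", ["d", ("e", "g")])]

def candidates(group):
    """Every instantiation obtained by resolving each group pick to one option."""
    fixed = [r for r in group if isinstance(r, str)]
    picks = [r for r in group if isinstance(r, tuple)]
    for choice in product(*picks):
        yield fixed + list(choice)

def complies(inst, local):
    """Containment test: every local config is present and every local pick
    has exactly one of its options present."""
    for req in local:
        if isinstance(req, str):
            if req not in inst:
                return False
        elif sum(opt in inst for opt in req) != 1:
            return False
    return True

def reconcile(group, local_policies):
    """Admit local policies in priority order while an instantiation remains
    that satisfies everyone admitted so far; report who was left out."""
    live = list(candidates(group))
    admitted, excluded = [], []
    for name, local in local_policies:
        kept = [inst for inst in live if complies(inst, local)]
        if kept:
            live = kept
            admitted.append(name)
        else:
            excluded.append(name)
    return live[0], admitted, excluded
```

Reordering the priority list changes who is excluded: a constructed policy `C` requiring `c`, placed first, forces `c` and shuts out both A and B.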

Authorization and Access Control Reconciliation Strategies
How do we reconcile the authorization and access control statements to arrive at a definition satisfying all local policies?
  OR (if any policy would accept)
  AND (if all policies accept)
Group policy
join : C1 :: accept;
join : C2 :: accept;
Local policy A
join : C3 :: accept;
Local policy B
join : C4 :: accept;
Policy Instantiation
join : ((C1 or C2) and C3 and C4) :: accept;

Compliance
)()(| ccc
Is the session policy instantiation consistent with my local policy?
Provisioning compliance (containment)
  Simple search – P-time
Authorization and Access Control
  For all actions/conditions, is the group policy more specific (less permissive) than local policy
  Closely related problem of secure interoperability is NP [Gong and Qian, 1994]
Note: reconciled policies are trivially compliant
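
The AND-style reconciliation of `join` clauses from the previous slide, and the "less permissive than local policy" test, can both be checked by enumerating truth assignments over the conditions. The Python below is an added example, not Ismene code: it assumes each `join` clause is a conjunction of opaque conditions, and `C5` with its unreconciled policy is constructed for illustration. The enumeration is exponential in the number of conditions.

```python
from itertools import product

# Constructed encoding: a policy is a list of join clauses, each clause the
# set of conditions that must all hold; any satisfied clause accepts.
GROUP = [{"C1"}, {"C2"}]
LOCAL_A = [{"C3"}]
LOCAL_B = [{"C4"}]
LOCAL_C = [{"C5"}]          # a member whose policy was NOT reconciled

def accepts(policy, true_conds):
    """True when at least one clause has all of its conditions satisfied."""
    return any(clause <= true_conds for clause in policy)

def reconcile(group, local_policies):
    """AND strategy: accept only if the group and every local policy accept."""
    def instantiated(true_conds):
        return accepts(group, true_conds) and all(
            accepts(p, true_conds) for p in local_policies)
    return instantiated

def atoms(*policies):
    """Sorted names of every condition mentioned in the given policies."""
    return sorted(set().union(*(clause for p in policies for clause in p)))

def violation(instantiated, local, names):
    """Return None if the instantiation is at least as restrictive as `local`,
    otherwise the first assignment the session accepts but `local` rejects."""
    for bits in product([False, True], repeat=len(names)):
        true_conds = {n for n, b in zip(names, bits) if b}
        if instantiated(true_conds) and not accepts(local, true_conds):
            return true_conds
    return None
```

For the reconciled members A and B `violation` returns `None`, matching the slide's note that reconciled policies are trivially compliant; for the unreconciled policy it returns a concrete accepted join that the member's own policy would have refused.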

Ismene Summary
IPDL is a language for expressing group policy
  Provisioning and access control flexibly specified
  Policies sensitive to changing conditions
Algorithm Efficiency

| Participant | Reconciliation | Provisioning Compliance | A+ACtrl Compliance |
|---|---|---|---|
| Initiator / Reconciled Member | P | Known a priori | Known a priori |
| Unreconciled Member | None | P | P |

Other features
  Analysis, reconfig, …

Antigone
Group communication framework implementing policy through the flexible composition of security mechanisms
Composition directed by the security policy specification
Study of the requirements and enforcement of group policy
[Diagram labels: Application; Group Interface; Policy Engine; Mechanisms Layer (M1, M2, M3, ..., Mn); Broadcast Transport Layer; Multicast/Point to Point - UDP/IP]

Antigone Policy Enforcement Architecture
Given a group policy, coordinates the provisioning and enforcement of available services
Mechanism … is a basic service used to implement the group
  E.g., Data-handler (MSEC, GSAKMP, …)
Event-based architecture
  Security relevant events are detected and distributed to interested mechanisms
  Policy directs reaction to observed events

Antigone Architecture
[Diagram labels: Application; Group Interface; Policy Engine; Mechanisms Layer (M1, M2, M3, ..., Mn); Broadcast Transport Layer; Multicast/Point to Point - UDP/IP]

[Diagram labels: Event Bus; Membership Management; Key Management; Data Handler; Fault Detection; Group Interface; Policy Engine; Broadcast Transport; Policy Enforcement; buf; sent; SE; Send? / Yes; hdr, encr, hmac]

Features/Optimizations
Message construction/marshalling
  Implementing the many mechanism protocol variants difficult (e.g., AH, ESP, MESP, …)
  Generalized message handling
Internal buffer handling
  Messages are frequently created/destroyed
  Internal heap of often used/resized buffer objects
Minimization of byte copying, key context switching

Throughput and Latency
[Figure: Throughput, megabytes/second vs. packet size (512, 1024, 4096, 8192 bytes); series: Direct, Antigone]
[Figure: Latency, RTT (msec) vs. packet size (30, 512, 1024, 4096, 8192); series: Direct, Antigone]

Antigone Overhead
Constant overhead (50 usec/message)
[Pie chart: 46%, 40%, 10%, 4%; legend: Marshalling, Event Processing, Buffer Management, Queueing]

Antigone Summary
Framework for enforcing group policy
  Supports a wide range of security services
  Event based architecture
  Easy integration of new services and policies
Efficient implementation
  Low per packet overhead (50usec)
  High throughput

Implementation Status
Antigone API – six libraries, implementing various security, group management, and transport level services
Language grammar, apcc compiler
30,000 lines of C++ code
Supports a wide range of secure group communication mechanisms (e.g., OpenSSL)
Currently alpha
  Experimenting/optimizing/developing
Freely available
  http://antigone.eecs.umich.edu

Applications
Simultaneous groups distribute files implementing policies appropriate for their content
Secure Group Messaging Service
  Group based secure instant messaging (i.e., ICQ, MS-M)
Native Antigone - “Bump-in-the stack”
  Secure existing applications
AMirD – secure filesystem replication
  Filesystem state updated over secure “control group”

Conclusions
Ismene: language and infrastructure for flexible and efficient policy determination
  Flexible conditional statements of provisioning and authorization and access control
  Efficient reconciliation and analysis (and compliance)
Antigone: framework for the flexible and efficient enforcement of group security policy
  Unreliable group communication service
  Easy integration of new services and policies
  Low latency, high throughput group communication
Applications illustrate the Antigone policy approach

Contact Information
Comments, questions are welcomed
Antigone/Ismene Website
  http://antigone.eecs.umich.edu/