Certificate-based Access Control for Widely Distributed Resources

Mary Thompson, William Johnston, Srilekha Mudumbai, Gary Hoo, Keith Jackson, Abdelilah Essiari
Lawrence Berkeley National Laboratory
UsenixSec 08/26/99

Outline
- Motivation
- Goals
- Approach
- Architecture and Implementation
- Vulnerabilities
- Performance
- Related Work
- Future Directions
- Conclusion

Motivation
- Distributed computing environments, collaborative research environments
- Resources, stakeholders and users are all distributed
- Spanning organizational as well as geographical boundaries, e.g., DOE Collaboratories
- Requires a flexible but secure way to identify users
- Requires a flexible and secure way for stakeholders to remotely specify access control for their resources

Goals
- Access based on policy statements made by stakeholders
- Handle multiple independent stakeholders for a single resource
- Use Public Key Infrastructure standards to identify users and create digitally signed certificates
- Emphasize usability

Approach
- Public Key Infrastructure (PKI)
- Architecture
- Usability features

Public Key Infrastructure
- Provides a uniform way for organizations to identify people or other entities through X.509 identity certificates containing public keys.
- These certificates and keys can be used through secured connections (SSL) and possession of a private key to establish the identity of the entities on the connection.
- The keys can be used to provide digital signatures on documents. The authors and contents of signed documents can be verified at the time of use.
- Public Key Infrastructure is beginning to be widely deployed in terms of organizations running Certificate Authorities.

Akenti Access Control
- Minimal local Policy Files (authorization files). Who to trust, where to look for certificates.
- Based on the following digitally signed certificates:
  › X.509 certificates for user authentication
  › UseCondition certificates containing stakeholder policy
  › Attribute certificates in which a trusted party attests that a user possesses some attribute, e.g. training, group membership
- Can be called from any application that has an authenticated user's identity certificate and a unique resource name, to return that user's privileges with respect to the resource.

Required Infrastructure
- Certificate Authority to issue identity certificates (required)
  › SSLeay provides simple CA for testing
  › Netscape CA - moderate cost and effort
  › Enterprise solutions - Entrust, Verisign, …
- Method to check for revocation of identity certificates (required)
  › LDAP server - free from Univ. of Mich., or comes with Netscape CA
  › Certificate Revocation Lists - supported by most CAs
- Network-accessible ways for stakeholders to store their certificates (optional)
  › Web servers
  › MSQL web-accessible databases

Akenti Architecture
[Figure: Akenti architecture diagram. Labels: Client, Resource Server, Akenti, Cache Manager, Fetch Certificate, Log Server, Internet, Certificate Servers (LDAP, Database Server, Web Server, File Servers); flows labelled "DN", "Identity (X509) certificate on behalf of the user", "Use condition or attribute certificates", "Identity certificates".]

Akenti Certificate Management
[Figure: Akenti certificate management diagram. Labels: Stakeholders S1, S2, S3, S4; Certificate Generator; certificates C1(S1), C2(S2), C3(S3), C4(S4); Hash Generator; Certificate Servers; Akenti; "Search based on resource name, user DN, and attribute".]

Emphasis on usability
- Akenti certificate generators provide a user-friendly interface for stakeholders to specify the use constraints for their resources.
- User or stakeholder can see a static view of the policy that controls the use of a resource.
- Akenti Monitor applet provides a Web interface for a user to check his access to a resource to see why it succeeded or failed.

Akenti certificate generator (1)
- Building a Use Condition expression

Akenti certificate generator (2)
- Review Certificate conditions

Monitor Applet
- Enables user to check his access to a resource

Vulnerabilities
- Distributed certificates might not be available when needed.
- Independent stakeholders may create a policy that is inconsistent with what they intend. Easy to deny all access.

Performance Measurements
- Server - Apache/SSL/Akenti Web server
- Client - Java app using IAIK's SSL library
- Measured fetching 1K and 1M files
- Two access domains
  › Minimum constraints: 1 use condition certificate, 2 identity certificates
  › Average constraints: 2 UseConditions, 1 attribute certificate and 4 identity certificates
- Client, server and certificate servers all on 100MB LAN

Performance (cont.)
- Total time the client program saw to fetch a file
- Time logged in the Akenti policy engine code
- Difference - attributable to network time and SSL overhead.
  › Mutual authentication protocol
  › Encryption (optional)

Performance

No caching
                Min Acc          Ave Acc
                1K      1M       1K      1M
  Akenti        0.86    0.90     2.26    2.24
  SSL Network   0.65    1.75     0.73    1.96
  Total         1.51    2.65     2.96    4.00

Caching
                Min Acc          Ave Acc
                1K      1M       1K      1M
  Akenti        0.20    0.22     0.12    0.19
  SSL Network   0.65    2.02     0.65    1.77
  Total         0.85    2.34     0.76    1.96

All times are in seconds. Min access required 3 certificates. Ave. access required 7 certificates.

                1K      1M
  With Akenti   0.76    1.96
  No Akenti     0.02    0.75

Performance Details
- 80% of the time in the Akenti policy engine is spent fetching certificates
- 8 - 9% spent verifying signatures
- If a capability certificate is found for the user and the resource, the time is about 0.1 seconds (to find and verify the certificate)
- Searching and failing to find certificates takes longer than finding one.

Related Work
- Ellison, et al.: SPKI - authorization certificates
- Nikander & Partanen (HUT): SPKI style certificates for access permissions on Java code. To replace per-machine Java policy files.
- Blaze, Feigenbaum: PolicyMaker and KeyNote, based on authorization certificates written in a specified executable language.
- Foster, Kesselman: Globus. Use of X.509 identity certificates to authenticate users.

Status
- Akenti enabled Apache Web servers deployed at LBNL and Sandia.
  › Controlling Akenti code distribution, secure data/image repository, ORNL electronic notebooks
- We have given code to CONDOR, Univ. of Wisc., WebFlow at Syracuse Univ., NIST, and ISI/USC
- Servers run on Solaris, but client code runs on Linux as well
- Java interface to Akenti policy engine exists and is used by the Anchor agent code.

Future Directions
- Implement Akenti as a standalone server
- Expand Use Conditions to include dynamic variables such as time-of-day, originating IP address, state variables.
- Change syntax of certificates, probably to XML. We already have a Matchmaker want-ad style in addition to our original key-word/value syntax.
- Add delegation - probably in the form of authorization certificates
- Integrate with additional applications
  › Network bandwidth Quality of service,
  › Secure Mobile agents,
  › Group key agreement protocol.

Conclusions
- As enterprises deploy PKI, identifying users by their identity certificates will become natural and transparent.
  › Currently there are several competing standards
    › browsers, Netscape and Explorer
    › Entrust - own client interface
- Akenti/SSL overhead acceptable for medium grained access checking, e.g., starting an operation, making an authenticated connection.
- Ease of use for stakeholders must be emphasized.

Further Information
- http://www-itg.lbl.gov/Akenti/
- pkidev@lbl.gov
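
Added example (not from the original slides and not Akenti's own code): a minimal Python model of the access decision described on the "Akenti Access Control" slide, showing the two failure modes from the "Vulnerabilities" slide (a stakeholder's certificate being unavailable, and independent policies that deny all access). It assumes signatures and revocation have already been checked, that every listed stakeholder must contribute a satisfied use condition, and that the result is the intersection of the stakeholders' grants; all DNs, resource names, attributes and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UseCondition:            # stakeholder policy for one resource
    issuer: str                # stakeholder DN
    resource: str
    required: frozenset        # {(attribute, value, trusted attribute issuer)}
    rights: frozenset          # granted when every requirement is met

@dataclass(frozen=True)
class AttributeCert:           # a trusted party attests a user attribute
    issuer: str
    subject: str               # user DN
    attribute: tuple           # (name, value)

def allowed_rights(user_dn, resource, stakeholders, use_conds, attr_certs):
    """Return (rights, reasons). Assumed semantics: every listed stakeholder
    must contribute a satisfied use condition; the result is the intersection."""
    if not stakeholders:
        return frozenset(), ["no stakeholders listed for resource"]
    held = {(*a.attribute, a.issuer) for a in attr_certs if a.subject == user_dn}
    rights = None
    for s in stakeholders:
        mine = [u for u in use_conds if u.issuer == s and u.resource == resource]
        if not mine:           # certificate server unreachable or nothing issued
            return frozenset(), [f"no use condition available from {s}"]
        granted = frozenset().union(*(u.rights for u in mine if u.required <= held))
        if not granted:
            return frozenset(), [f"user satisfies no use condition from {s}"]
        rights = granted if rights is None else rights & granted
    if not rights:             # independent policies that never overlap
        return frozenset(), ["stakeholder grants do not overlap"]
    return rights, []

# Constructed sample data (hypothetical DNs, resource and attribute names).
S1, S2 = "CN=Stakeholder One,O=LabA", "CN=Stakeholder Two,O=LabB"
USER, RES = "CN=Alice,O=LabA", "instrument-42"
USE_CONDS = [
    UseCondition(S1, RES, frozenset({("group", "microscopy", S1)}),
                 frozenset({"read", "write"})),
    UseCondition(S2, RES, frozenset({("training", "safety", S2)}),
                 frozenset({"read"})),
]
ATTRS = [AttributeCert(S1, USER, ("group", "microscopy")),
         AttributeCert(S2, USER, ("training", "safety"))]

if __name__ == "__main__":
    print(allowed_rights(USER, RES, [S1, S2], USE_CONDS, ATTRS))      # both certs found
    print(allowed_rights(USER, RES, [S1, S2], USE_CONDS[:1], ATTRS))  # S2's cert missing
```

The returned reasons play the role the slides give to the Monitor applet: they tell the user or stakeholder why a check failed.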
