Fri, 17 Aug - Department of Computer Science

Computer Science 725 – Software Security Presentation
“Decentralized Trust Management”
M. Blaze, J. Feigenbaum, J. Lacy,
IEEE Symposium on Security and Privacy, pp. 164-173, 1996.
http://ieeexplore.ieee.org/iel3/3742/10940/00502679.pdf
Summary

• Identify Trust Management as a distinct and important component in network security
• Review of 2 existing systems
• Present a new comprehensive approach to this problem
• Describe a prototype (PolicyMaker) which implements this new approach
What is Trust Management?

[Diagram: three public keys]

• Policy (a banking system requires at least k officers to approve a loan of $10,000)
• Credentials (enable an employee to prove he can be counted as 1 out of k approvers)
• Trust (enable the bank to specify who may issue such credentials)
Principles of our approach

Unified mechanism
• A common language is provided for policies, credentials, and relationships

Flexibility
• The system is rich enough to support potentially complex relationships in large networks

Locality of control
• Each party in the network can independently decide whether to accept the credentials presented

Separation of mechanism from policy
• The mechanisms for verification do not depend on the credentials themselves
Review of Existing Systems

[Diagram: B is handed copies of a public key signed by C, signed by D, etc. ("specify trust"); B accepts the public key if its trust value is high enough]

What are some potential issues with this system?

• PGP framework uses “key certificates” in which trusted third parties (C, D) sign copies of a public key to be distributed
• X.509 framework uses a similar system, but also postulates that public keys are only obtained from official “certifying authorities” (C, D)
PolicyMaker Approach

1. Obtain certificates, verify signatures on certificates and on application request, determine public key of original signer(s)
2. Verify that certificates are unrevoked
3. Find “trust path” from trusted certifier to certificate of public key in question
4. Extract names from certificates
5. Lookup names in database that maps names to the actions that they are trusted to perform
6. Determine whether requested action is legal, based on the names extracted from certificates and whether the certification authorities are permitted to authorize such actions according to local policy.
7. Proceed if everything appears valid

PolicyMaker: Submit request, certificates, and description of local policy to local “trust management engine”
The PolicyMaker System

What are some potential issues with this system?

• An independent trust management engine to be used either as a linked library (within systems) or daemon (background application)
• Called using action query strings
• Extendable to allow for external verification of signatures
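The loan-approval example from the “What is Trust Management?” slide, run through a toy trust management engine of the kind the PolicyMaker slides describe. This is an added illustration, not code from the paper or from the PolicyMaker prototype; it follows the paper's assertion/query shape only loosely, all key names plus the `is_loan` filter and `required_k` threshold are constructed, and signature verification is assumed to have already happened outside the engine, as the slide notes.

```python
# Toy trust-management engine modelled loosely on PolicyMaker's
# "Source ASSERTS Authority WHERE Filter" assertions. Signature checking is
# assumed external (per the slides), so every Assertion here is pre-verified.
from dataclasses import dataclass
from typing import Callable, Iterable

Action = dict  # e.g. {"type": "approve-loan", "amount": 10000}

@dataclass(frozen=True)
class Assertion:
    source: str                       # "POLICY" (local policy) or an issuer key id
    authorizes: frozenset             # key ids this assertion grants authority to
    filter: Callable[[Action], bool]  # which actions the grant covers

def has_trust_path(key: str, action: Action, assertions, seen=frozenset()) -> bool:
    """True if a chain POLICY -> ... -> key exists whose every link accepts action."""
    if key in seen:                   # guard against cyclic delegation
        return False
    for a in assertions:
        if key in a.authorizes and a.filter(action):
            if a.source == "POLICY" or has_trust_path(
                    a.source, action, assertions, seen | {key}):
                return True
    return False

def evaluate(requesters: Iterable[str], action: Action, assertions,
             required: Callable[[Action], int]):
    """Answer 'k1,k2,... REQUESTS action': keep requesters with a trust path,
    then compare their number with the k that local policy demands."""
    approvers = sorted(k for k in requesters if has_trust_path(k, action, assertions))
    return len(approvers) >= required(action), approvers

# --- constructed scenario (all key names are made up) -----------------------
is_loan = lambda act: act.get("type") == "approve-loan"
ASSERTIONS = [
    # Local policy: the bank trusts HR's key to say who counts as a loan officer.
    Assertion("POLICY", frozenset({"hr_key"}), is_loan),
    # Credentials HR issued to two employees.
    Assertion("hr_key", frozenset({"alice_key", "bob_key"}), is_loan),
    # A credential from a key no policy trusts: it should carry no weight.
    Assertion("rogue_key", frozenset({"mallory_key"}), is_loan),
]
# Local policy: a $10,000 loan needs two officers; smaller loans need one.
required_k = lambda act: 2 if act.get("amount", 0) >= 10_000 else 1

if __name__ == "__main__":
    big = {"type": "approve-loan", "amount": 10_000}
    print(evaluate(["alice_key", "bob_key"], big, ASSERTIONS, required_k))
    print(evaluate(["alice_key", "mallory_key"], big, ASSERTIONS, required_k))
```

Mallory's credential is rejected not because its signature is bad but because no assertion chain from the local policy reaches `rogue_key`; that is the "locality of control" point from the principles slide.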
Comments

The idea behind this paper is good
• Encapsulation of trust management
• Better security provided by consolidated system

The idea presented is more difficult to implement
• Dedicated trust management engine and parser is more difficult to implement than certificate based system
• Only applicable to large commercial applications

Prototype is already made.
Questions?