Antigone: Implementing Policy in Secure Group Communication

Provided by: danielem

1
Antigone: Implementing Policy in Secure Group
Communication
  • Daniele Mazzocchi

2
What is Antigone
  • Antigone is a framework for the definition and
    implementation of security policies in group
    communication systems
  • Flexible Security Policy
  • Flexible Threat Model
  • Security Infrastructure Independence
  • Transport Layer Independence
  • Performance

3
Taxonomy of group security policies
  • session rekeying policy: defines the set of events that lead to a rekey
  • data security policy: security services offered to application messages
  • membership awareness policy: availability and accuracy of membership
    information
  • process failure policy: types of failure detected and how to recover
  • access control policy: the rights of the group members

4
Session rekeying policy
  • what is necessary to achieve:
  • session key independence
  • membership forward secrecy
  • membership backward secrecy
  • limited lifetime
  • close relation between session rekeying and group
    membership
  • a policy is sensitive to an event if the session
    key changes after the event has occurred

5
rekeying policies
  • time-sensitive policy
  • protection against DoS (aimed at forcing continued use of
    the same key) during a rekeying
  • leave-sensitive policy
  • join-sensitive policy
  • membership-sensitive

6
Data security policy
  • the following services: integrity (1),
    confidentiality (2), group authenticity and
    sender authenticity
  • group authenticity: a message was actually
    transmitted by a group member
  • proof of knowledge of the session key through (1)
    and (2)
  • sender authenticity: strong authentication
    (e.g., non-repudiation)

7
Membership policy
  • best-effort membership: no guarantees about timeliness or accuracy
  • positive membership: all the members in the view are participating in
    the group
  • negative membership: every member who has access to the key is listed
    in the view
  • perfect membership: both positive and negative membership guaranteed

8
Other policies
  • process failure policy: which failures are detected, and the security
    of the failure detection process
  • access control policy: classical rights management, strictly related
    to the authentication process

9
Antigone Architecture

10
Supported policies
  • members are assumed to be trusted
  • active attackers
  • rekeying is session key independent
  • only one simple access control right: the ability
    to gain access to the group. Group access is stored
    in an ACL at the group leader
  • arbitrated group, no support for peer groups

11
Principals in Antigone
[Figure: principals: session leader, TTP, member1, member2, ..., membern; LAN/WAN]

12
Terminology
  • G: group identifier (8-byte string)
  • g: view identifier (concatenation of G with a
    random value)
  • {...}K denotes encryption under key K
  • SA is the sequence number of A (reset following a
    rekey)
  • Pug and Prg are an asymmetric key pair

13
Authenticate
  • A → SL: A, G, I0
  • SL → TTP: SL, A, I1
  • TTP → SL: {[?SL,A = {A}Ksl ⊕ {SL}Ka], I1}Ksl
  • SL → A: SL, A, {g, A, I0, I2, [policy block], Pug}?sl,a
  • (reject) SL → A: SL, A, G, I0, H(SL,A,G,I0) ?sl,a
  • ?sl,a = {SL}Ka: this value need not be
    transmitted; A can compute it herself
  • based on Leighton-Micali protocol
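
The Leighton-Micali key agreement behind the Authenticate slide, as an added Python example that is not from the presentation or from the Antigone code base. It assumes HMAC-SHA256 as a stand-in for the slide's encryption of an identity under a long-term key; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def keyed(key: bytes, identity: str) -> bytes:
    """Stand-in for {identity}K; HMAC-SHA256 replaces encryption (assumption)."""
    return hmac.new(key, identity.encode(), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ttp_pair_key(k_sl: bytes, k_a: bytes, sl: str, a: str) -> bytes:
    """TTP side: pair key = {A}Ksl XOR {SL}Ka. It masks the shared key."""
    return xor(keyed(k_sl, a), keyed(k_a, sl))

def leader_shared_key(k_sl: bytes, pair: bytes, a: str) -> bytes:
    """SL side: remove its own half {A}Ksl from the pair key, leaving {SL}Ka."""
    return xor(pair, keyed(k_sl, a))

def member_shared_key(k_a: bytes, sl: str) -> bytes:
    """A side: compute {SL}Ka directly; nothing is transmitted to A for this."""
    return keyed(k_a, sl)

def demo() -> dict:
    # Long-term keys each principal shares with the TTP (constructed values).
    k_sl, k_a = secrets.token_bytes(32), secrets.token_bytes(32)
    pair = ttp_pair_key(k_sl, k_a, "SL", "A")
    at_leader = leader_shared_key(k_sl, pair, "A")
    at_member = member_shared_key(k_a, "SL")
    # A party that sees the pair key but holds a different long-term key
    # derives an unrelated value.
    at_outsider = leader_shared_key(secrets.token_bytes(32), pair, "A")
    return {
        "agree": hmac.compare_digest(at_leader, at_member),
        "outsider_agrees": hmac.compare_digest(at_outsider, at_member),
        "pair_is_not_key": pair != at_member,
    }

if __name__ == "__main__":
    print(demo())
```

The example covers only the key derivation; the nonces I0, I1, I2 and the encryption of the TTP reply under Ksl are left out.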

14
Join
  • A → SL: A, A,I2 ?sl,a

Leave
  • A → SL: A,g,A,SA,g,B SKg ?sl,a

15
Rekey/Group Membership
  • SL → A: g,SSL,(A,g,SKg ?sl,a), H(g,SSL,(A,g,SKg
    ?sl,a)SKg
  • SL → A: g,SSL,(A,g,SKg ?sl,a),B,C,D,...
    H(g,SSL,(A,g,SKg ?sl,a),B,C,D,...SKg
  • SL → group: g1,SSL,(A,g1,SKg1 ?sl,a),
    (B,g1,SKg1 ?sl,b),H(g,SSL,...SKg1

16
Failure Detection
  • A → SL: SAi, ?k-i, g,A, SA0, ?k,
    H(g, A, SA0, ?k) ?sl,a (member heartbeat)
  • SL → group: SSLi, ?k-i, g,SL, SSL0, ?k, H(g, A,
    SSL0, ?k)Prg (SL heartbeat)
  • A → SL: g,A
  • based on hash chain ?0 = x, ?1 = f(x), ?2 = f^2(x), ...,
    ?k = f^k(x)
  • SAi SA0 i
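
The hash-chain check behind these heartbeats, as an added Python example that is not from the presentation or from the Antigone code base. It assumes SHA-256 as the one-way function f and that the chain's final value f^k(x) has already reached the receiver in an authenticated message; class and function names are hypothetical.

```python
import hashlib
import secrets

def f(value: bytes) -> bytes:
    """One-way function for the chain; SHA-256 is this example's choice."""
    return hashlib.sha256(value).digest()

def build_chain(seed: bytes, k: int) -> list:
    """Return [x, f(x), f^2(x), ..., f^k(x)]; the last element is the anchor."""
    chain = [seed]
    for _ in range(k):
        chain.append(f(chain[-1]))
    return chain

class HeartbeatVerifier:
    """Receiver state: the authenticated anchor f^k(x) and last accepted index."""
    def __init__(self, anchor: bytes, k: int):
        self.anchor, self.k, self.last_i = anchor, k, 0

    def accept(self, i: int, value: bytes) -> bool:
        # Heartbeat i reveals f^(k-i)(x); hashing it i times must hit the anchor.
        if not (self.last_i < i <= self.k):
            return False            # replayed, out of order, or chain exhausted
        probe = value
        for _ in range(i):
            probe = f(probe)
        if probe != self.anchor:
            return False            # not a preimage on this sender's chain
        self.last_i = i
        return True

def demo() -> list:
    k = 8
    chain = build_chain(secrets.token_bytes(32), k)  # kept secret by the sender
    rx = HeartbeatVerifier(chain[k], k)              # anchor arrived authenticated
    return [
        rx.accept(1, chain[k - 1]),             # first heartbeat
        rx.accept(2, chain[k - 2]),             # second heartbeat
        rx.accept(2, chain[k - 2]),             # replay of an old heartbeat
        rx.accept(3, secrets.token_bytes(32)),  # forged value
        rx.accept(5, chain[k - 5]),             # 3 and 4 lost, 5 still verifies
    ]

if __name__ == "__main__":
    print(demo())
```

Each heartbeat costs the sender no signature or MAC after the anchor is delivered, and a lost heartbeat does not break verification of later ones.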

17
Characteristics
  • a policy block is distributed to each member at
    authentication time
  • no negotiation
  • no enforcement of policy dependencies (e.g.,
    without failure detection, membership-sensitive
    policies can run into problems)
  • views are presented and guaranteed only at
    session key distribution and rekeying

18
Principles of policy in secure group

19
Some generalities
  • Group Owner (GO): the policy issuer, considered
    trusted by the members
  • Group Controller (GC): in charge of key
    dissemination, enforces group access control
  • Subordinate Group Controller (SGC): no session
    key creation
  • Member (M)

20
Security relevant group actions
  • policy creation - create/assert policy
  • policy modification
  • grant rights - granted to external entities
  • key creation
  • group destruction
  • key dissemination
  • rekey action initiation - used to eject a member
  • authorize member
  • admit member
  • audit group
  • key access

21
What is necessary to define
  • Identification: must be unambiguous
  • Authorization: the policy must identify the
    entities allowed to perform protected actions
  • Access Control: mapping between authorized
    parties and actions in the group
  • Mechanism: how security requirements for the
    group are to be addressed
  • Verification: every policy must present evidence
    of its validity. Origin, integrity and freshness
    are asserted

22
1. Enforcement of group policy must be consistent
across a group
  • the view of the policy must be the same during
    the life of the group
  • two concepts
  • mechanism equivalence
  • synchronization (e.g., must reach consensus about
    the use of a new key after rekeying)

23
2. Only authorized entities can affect the
security posture of the group
  • for example, a new member must not be permitted to
    admit further members unless explicitly
    authorized by the policy
  • the actions must be associated only with members
    allowed to perform them
  • policy creation, key dissemination, initiate
    rekey, group destruction

24
3. Group content must be protected
  • carefully enforce access control (e.g., the
    session key must be accessible only to authorized
    members)
  • example: access only with a valid certificate

25
4. Group must be capable of recovery from
security relevant failures to a secure state
  • policy must specify how compromises are detected
    and the mechanism for the recovery
  • e.g., use sophisticated rekeying approaches
    (compromised members are excluded after rekey)
  • also try to recover from external problems (e.g.,
    network partition)

26
GSAKMP
  • Group Secure Association Key Management Protocol
  • Analysis of the full compliance of GSAKMP to the
    principles expressed before