Access control, security, and trust : a logical approach PDF

348 Pages·2011·2.694 MB·English

Preview Access control, security, and trust : a logical approach

Access Control, Security, and Trust: A Logical Approach

Shiu-Kai Chin
Syracuse University
Syracuse, New York, USA

Susan Older
Syracuse University
Syracuse, New York, USA

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY
Series Editor: Douglas R. Stinson

Published Titles
Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Antoine Joux, Algorithmic Cryptanalysis
M. Jason Hinek, Cryptanalysis of RSA and Its Variants
Burton Rosenberg, Handbook of Financial Cryptography and Security
Shiu-Kai Chin and Susan Older, Access Control, Security, and Trust: A Logical Approach

Forthcoming Titles
Maria Isabel Vasco, Spyros Magliveras, and Rainer Steinwandt, Group Theoretic Cryptography

About the cover: The cover image of a mother loon carrying her chick across the water depicts the interdependent nature of this book’s main themes: access-control, security, and trust. Loons are fiercely protective of their offspring. In turn, the chicks often ride on their parents’ backs, trusting them to provide both warmth and protection from predators.

Chapman & Hall/CRC
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2011 by Taylor and Francis Group, LLC
Chapman & Hall/CRC is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1

International Standard Book Number-13: 978-1-58488-863-5 (Ebook-PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com

To Linda, Benjamin, Emily, and my mom for their love and support

To Garth, for his patience; and to Ryan, who couldn’t wait for this book to be completed

Contents

List of Tables
List of Figures
Preface

1 Access Control, Security, Trust, and Logic
  1.1 Deconstructing Access-Control Decisions
  1.2 A Logical Approach to Access Control

I Preliminaries

2 A Language for Access Control
  2.1 Sets and Relations
    2.1.1 Notation
    2.1.2 Approaches for Mathematical Proofs
  2.2 Syntax
    2.2.1 Principal Expressions
    2.2.2 Access-Control Statements
    2.2.3 Well-Formed Formulas
  2.3 Semantics
    2.3.1 Kripke Structures
    2.3.2 Semantics of the Logic
  2.4 Summary
  2.5 Further Reading

3 Reasoning about Access Control
  3.1 Logical Rules
    3.1.1 The Taut Rule
    3.1.2 The Modus Ponens Rule
    3.1.3 The Says Rule
    3.1.4 The MP Says Rule
    3.1.5 The Speaks For Rule
    3.1.6 The & Says and Quoting Rules
    3.1.7 Properties of ⇒
    3.1.8 The Equivalence Rule
    3.1.9 The Controls Definition
  3.2 Formal Proofs and Theorems
  3.3 Soundness of Logical Rules
  3.4 Summary
  3.5 Further Reading

4 Basic Concepts
  4.1 Reference Monitors
  4.2 Access-Control Mechanisms: Tickets and Lists
    4.2.1 Tickets
    4.2.2 Lists
    4.2.3 Logical and Pragmatic Implications
  4.3 Authentication
    4.3.1 Two-Factor Authentication
    4.3.2 Using Credentials from Other Authorities
    4.3.3 Groups
  4.4 Summary
  4.5 Further Reading

5 Security Policies
  5.1 Confidentiality, Integrity, and Availability
  5.2 Discretionary Security Policies
  5.3 Mandatory Security Policies
  5.4 Military Security Policies
    5.4.1 Extending the Logic with Security Levels
    5.4.2 Expressing Military Security Policies
    5.4.3 Military Security Policies: An Extended Example
  5.5 Commercial Policies
    5.5.1 Extending the Logic with Integrity Levels
    5.5.2 Protecting Integrity
    5.5.3 Strict Integrity
    5.5.4 An Extended Example of a Strict Integrity Policy
  5.6 Summary
  5.7 Further Reading

II Distributed Access Control

6 Digital Authentication
  6.1 Public-Key Cryptography
  6.2 Efficiency Mechanisms
    6.2.1 Cryptographic Hash Functions
    6.2.2 Data-Encryption Keys
    6.2.3 Digital Signatures
  6.3 Reasoning about Cryptographic Communications
  6.4 Certificates, Certificate Authorities, and Trust
  6.5 Symmetric-Key Cryptography
  6.6 Summary
  6.7 Further Reading

7 Delegation
  7.1 Simple Delegations
  7.2 Delegation and Its Properties
  7.3 A Delegation Example: Simple Checking
    7.3.1 Formal Definitions of Checks
    7.3.2 Bank Policies on Checks
    7.3.3 Operating Rules for Checks
  7.4 Summary
  7.5 Further Reading

8 Networks: Case Studies
  8.1 SSL and TLS: Authentication across the Web
    8.1.1 Handshake Protocol
    8.1.2 Record Protocol
  8.2 Kerberos: Authentication for Distributed Systems
    8.2.1 Initial Authentication Requests
    8.2.2 Requests for Service-Specific Tickets
    8.2.3 Requests for Services
    8.2.4 Proxiable Tickets
  8.3 Financial Networks
    8.3.1 Electronic Clearinghouses
    8.3.2 Bank Authorities, Jurisdiction, and Policies
    8.3.3 Bank Operating Rules
  8.4 Summary
  8.5 Further Reading

III Isolation and Sharing

9 A Primer on Computer Hardware
  9.1 Ones and Zeros
  9.2 Synchronous Design
    9.2.1 Synchronous Registers
    9.2.2 Registers with Load Control
    9.2.3 Registers with Tri-State Outputs
    9.2.4 Combinational Logic and Functions
    9.2.5 Arithmetic Logic Units
  9.3 Microcode
    9.3.1 Data Paths and Control Paths
    9.3.2 Microprogramming
