The Role of Trust Management in Distributed Systems Security

Existing authorization mechanisms fail to provide powerful and robust tools for handling security at the scale necessary for today's Internet. These mechanisms are coming under increasing strain from the development and deployment of systems that increase the programmability of the Internet. Moreover, this "increased flexibility through programmability" trend seems to be accelerating with the advent of proposals such as Active Networking and Mobile Agents. The trust-management approach to distributed-system security was developed as an answer to the inadequacy of traditional authorization mechanisms. Trust-management engines avoid the need to resolve "identities" in an authorization decision. Instead, they express privileges and restrictions in a programming language. This allows for increased flexibility and expressibility, as well as standardization of modern, scalable security mechanisms. Further advantages of the trust-management approach include proofs that requested transactions comply with local policies, and system architectures that encourage developers and administrators to consider an application's security policy carefully and specify it explicitly. In this paper, we examine existing authorization mechanisms and their inadequacies. We introduce the concept of trust management, explain its basic principles, and describe some existing trust-management engines, including PolicyMaker and KeyNote. We also report on our experience using trust-management engines in several distributed-system applications.
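The compliance check described above, as an added illustration that is not code from the paper or from the PolicyMaker/KeyNote implementations: a simplified Python model of a KeyNote-style engine in which assertions delegate authority from the local POLICY or from a key to other keys under conditions, and a request is authorized only when a chain of assertions, each satisfied by the requested action, links POLICY to the requester's key. The key names, the firewall attributes and the two assertions are constructed for the example, conditions are Python predicates rather than KeyNote's expression syntax, and signature verification on credentials is assumed to have happened before they reach the engine.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Action = Dict[str, str]  # attribute set describing the requested action


@dataclass
class Assertion:
    """One KeyNote-style assertion: a policy (authorizer "POLICY") or a
    signed credential (authorizer = the signing key). Conditions are a
    Python predicate here; real KeyNote uses its own expression syntax."""
    authorizer: str                       # "POLICY" or a key identifier
    licensees: List[str]                  # keys receiving the delegated authority
    conditions: Callable[[Action], bool]  # when the delegation applies


# Constructed sample assertions (hypothetical keys). Signature checks on
# credentials are assumed to have been done before they reach the engine.
ASSERTIONS = [
    # Local policy: the admin key may govern anything in the firewall domain.
    Assertion("POLICY", ["ADMIN_KEY"],
              lambda a: a.get("app_domain") == "firewall"),
    # Credential signed by ADMIN_KEY: the user key may only open tcp/80 or tcp/443.
    Assertion("ADMIN_KEY", ["USER_KEY"],
              lambda a: a.get("protocol") == "tcp" and a.get("port") in ("80", "443")),
]


def compliant(assertions: List[Assertion], requester: str, action: Action) -> bool:
    """Return True if a chain of assertions, each satisfied by the action,
    links POLICY to the requester's key (simplified KeyNote compliance check).
    Authority is computed as a fixpoint, so a credential signed by a key that is
    itself not authorized for this action contributes nothing."""
    authorized: Set[str] = {"POLICY"}
    changed = True
    while changed:
        changed = False
        for a in assertions:
            if a.authorizer in authorized and a.conditions(action):
                for key in a.licensees:
                    if key not in authorized:
                        authorized.add(key)
                        changed = True
    return requester in authorized


if __name__ == "__main__":
    web = {"app_domain": "firewall", "protocol": "tcp", "port": "80"}
    dns = {"app_domain": "firewall", "protocol": "udp", "port": "53"}
    print(compliant(ASSERTIONS, "USER_KEY", web))   # True
    print(compliant(ASSERTIONS, "USER_KEY", dns))   # False: the user's credential is narrower
    print(compliant(ASSERTIONS, "ADMIN_KEY", dns))  # True
```

Note that no identity is resolved anywhere: the decision depends only on which keys signed which assertions and on the action's attributes, which is the point the abstract makes about trust-management engines.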
