
Re: key management



> From: Ran Atkinson <atkinson@sundance.itd.nrl.navy.mil>
> Message-Id: <9412131512.ZM11826@sundance.itd.nrl.navy.mil>
> Date: Tue, 13 Dec 1994 15:12:10 -0500
> In-Reply-To: "Paul A. Karger" <pak0@gte.com>
>         "Re: key management" (Dec 13, 14:12)
> Reply-To: atkinson@itd.nrl.navy.mil
> To: pkarger@gte.com, Avi Rubin <rubin@faline.bellcore.com>
> Subject: Re: key management
> Cc: ipsec@ans.net
> 
> On Dec 13, 14:12, Paul A. Karger wrote:
> } Subject: Re: key management
> 
> % Mutually suspicious users can only share the same host if you
> % have a trusted operating system of some kind to separate them.
> 
> It isn't clear to me what you mean by "trusted operating system".
> 
> If you mean an OS with Mandatory Access Controls (e.g. B1 or better
> per Orange Book), then I disagree.  A C2 operating system with
> Discretionary Access Controls permits user A to configure permissions
> such that user B does not have access to user A's data and resources.
> If user A is on such a system and does not trust user B, then user A
> can configure its permissions accordingly.  MAC is needed when one is
> trying to enforce some kind of multi-level security policy, not merely
> to separate mutually suspicious users.
> 

I did not mean to imply any particular Orange Book level.  The question
was how can mutually suspicious users share the same host, and my answer
was intended to be very simple - they can only share the same host if
there is a trusted operating system running on that host to mediate access
between them.  Cryptography alone cannot solve this problem.  The
operating system must mediate, if only to protect keys.

How much sharing and how much trust and how suspicious are all issues
that will determine what kind of operating system you need.  Orange Book
ratings will be a factor, as will underlying operating system features
that the Orange Book does not discuss.  To really support full mutual
suspicion, you need non-hierarchic protection domains as discussed in
Mike Schroeder's PhD thesis from MIT back in 1973 and then another
20-odd years of research since then.  

The point is that mutual suspicion on a single host is an operating system
issue - not a cryptographic protocol issue.

Paul
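The thread above argues that separating mutually suspicious users on one host is the operating system's job, and that at a minimum the OS must mediate access to key material. The following is an added example, not code from either correspondent or from any IPsec implementation: it shows the DAC side of that argument on a POSIX system, creating a private-key file with owner-only permissions from the moment it exists and refusing to use a key file whose mode or ownership would let another local user read it (the check is modelled on what `ssh` does for `~/.ssh/id_*`). File names, the demo function and the key bytes are constructed for illustration; the key material is not a real key.

```python
import os
import stat
import tempfile


def key_file_is_protected(path: str) -> bool:
    """Return True only if `path` is a regular file, owned by the calling user,
    with no group or other permission bits set.  These are the discretionary
    access controls a C2-style OS gives user A to keep user B out of A's key."""
    st = os.lstat(path)                      # lstat: do not follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        return False                         # directory, device or symlink: refuse
    if st.st_uid != os.getuid():
        return False                         # someone else's file is not under our control
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False                         # any group/other bit lets another user read it
    return True


def write_private_key(path: str, key_bytes: bytes) -> None:
    """Create the key file with mode 0600 atomically.  Creating with the default
    umask and chmod'ing afterwards leaves a window in which the key is readable
    by everyone on the host; O_EXCL also refuses to overwrite a pre-existing
    file that another user may have planted."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_bytes)


def demo() -> dict:
    """Constructed demonstration: the same key material stored two ways.
    Returns {'good': True, 'bad': False} on a POSIX system."""
    # Constructed placeholder, not real key material.
    key = b"-----BEGIN CONSTRUCTED TEST KEY-----\n0123456789abcdef\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:       # mkdtemp gives a 0700 directory
        good = os.path.join(d, "id_good")
        bad = os.path.join(d, "id_bad")

        write_private_key(good, key)
        results["good"] = key_file_is_protected(good)

        write_private_key(bad, key)
        os.chmod(bad, 0o644)   # what a careless copy or a permissive umask produces
        results["bad"] = key_file_is_protected(bad)
    return results


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the kernel enforcing it, which is exactly the point of the message: the permission bits mean nothing unless the OS mediates every open(2), and nothing here stops root or a compromised kernel from reading the key. Cryptography cannot substitute for that mediation, since whatever key decrypts the file has to live somewhere on the same host.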

