Description
In times of frequent security breaches, the need to decentralize trust has become more evident than ever. As a result, decentralized trust management systems are an increasingly frequent topic in today's research. The main responsibility of a trust management system is the definition and subsequent evaluation of authorization policies. Attribute-Based Delegation (ABD) provides a scheme to establish decentralized trust. In 2003, a theoretical approach to defining and resolving trust chains in the decentralized ABD system was proposed. Recently, a practical implementation based on a secure naming system was presented in line with this approach. The ABD prototype resulting from this work meets today's security requirements and forms the basis for this thesis.

We evaluate the feasibility of the attribute-based approach and extend the practical name-system-based implementation by introducing more flexible algorithms. The proposed theoretical algorithms for chain recognition must be carefully evaluated and adapted to the requirements of the real world. We extend the prototype implementation of the backward resolution algorithm to achieve the same versatility as the theoretical approach while reducing its constraints. The central point of trust chain resolution is the strategy of the resolution algorithm. We replace the one-sided backward search algorithm with an improved bidirectional search.

The practice of numerous popular technologies has shown that technologies that are easier to use and better accessible are more likely to be used. We propose a set of constraints to support delegation authorities during credential enrollment. The derived rule set can be used to prevent errors and the revocations they would otherwise cause. In addition, we have improved access to the algorithm by enhancing the command-line interface and laying the foundation for a common user interface.
As a result of this thesis, we present an improved bidirectional search algorithm for trust chains that takes advantage of storage location and two-way discovery. Additionally, the defined credential enrollment constraints provide a theoretical basis for further practical implementation and guarantee coherent trust chains. Finally, we propose possibilities for further work and present a current implementation that would benefit from the introduction of trust establishment and attribute verification via attribute-based delegation.
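The following Python toy is an added illustration of the two search strategies contrasted above; it is not code from the thesis or from the ABD prototype it describes. It assumes a simplified RT0-style model in which a credential reads `target <- source` (a role "Issuer.attribute" receives either another role or an entity), delegation records are stored in the issuer's namespace and membership records are held by the subject. Under that storage rule a one-sided backward search from the verifier's role can only follow issuer-stored records, so it never reaches a subject-held membership, whereas the bidirectional search expands from both ends and joins the two partial chains where they meet. The credential set, entity names and the storage rule are constructed for this example; linked roles and intersections are omitted.

```python
"""Toy credential chain discovery: one-sided backward search vs bidirectional search.

Model (an assumption for this example, not the thesis' data model):
  - a credential is `target <- source`, target is a role "Issuer.attr",
    source is another role or an entity name;
  - stored_at == "issuer": the record is found by looking up the target role
    (issuer namespace), stored_at == "subject": it is found by looking up the
    source (the subject presents it).
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Credential:
    target: str      # role that is granted, e.g. "EOrg.preferred"
    source: str      # role or entity that receives it
    stored_at: str   # "issuer" or "subject" (constructed storage rule)


# Constructed sample credential set; names are placeholders, not real parties.
SAMPLE_STORE = [
    Credential("EPapers.access", "EOrg.preferred", "issuer"),
    Credential("EOrg.preferred", "StateU.student", "issuer"),
    Credential("EOrg.preferred", "ACM.member", "issuer"),
    Credential("StateU.student", "RegistrarB.student", "issuer"),
    Credential("RegistrarB.student", "Alice", "subject"),   # held by Alice
    Credential("ACM.member", "Bob", "subject"),             # held by Bob
    Credential("EOrg.preferred", "Carol", "issuer"),        # issuer-published
]


def issuer_lookup(store: List[Credential], role: str) -> List[Credential]:
    """Records resolvable from the issuer side: everything granted to `role`."""
    return [c for c in store if c.target == role and c.stored_at == "issuer"]


def subject_lookup(store: List[Credential], node: str) -> List[Credential]:
    """Records the subject side can present: everything `node` holds."""
    return [c for c in store if c.source == node and c.stored_at == "subject"]


def _path_to_root(parent: Dict[str, Optional[str]], node: str) -> List[str]:
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path  # node ... root


def _join(back_parent, fwd_parent, meet: str) -> List[str]:
    """Stitch the backward tree (rooted at target) and forward tree (rooted at
    subject) at `meet` into an ordered chain of `target <- source` edges."""
    nodes = list(reversed(_path_to_root(back_parent, meet)))  # target ... meet
    nodes += _path_to_root(fwd_parent, meet)[1:]               # ... subject
    return [f"{a} <- {b}" for a, b in zip(nodes, nodes[1:])]


def backward_search(store, target: str, subject: str) -> Optional[List[str]]:
    """One-sided search from the target role using issuer-stored records only."""
    parent: Dict[str, Optional[str]] = {target: None}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        if node == subject:
            return _join(parent, {subject: None}, subject)
        for c in issuer_lookup(store, node):
            if c.source not in parent:       # visited set also breaks cycles
                parent[c.source] = node
                queue.append(c.source)
    return None


def bidirectional_search(store, target: str, subject: str) -> Optional[List[str]]:
    """Expand backward from the target (issuer records) and forward from the
    subject (subject-held records) in alternation; stop where the frontiers meet."""
    back_parent: Dict[str, Optional[str]] = {target: None}
    fwd_parent: Dict[str, Optional[str]] = {subject: None}
    bq, fq = deque([target]), deque([subject])
    while bq or fq:
        if bq:
            node = bq.popleft()
            if node in fwd_parent:
                return _join(back_parent, fwd_parent, node)
            for c in issuer_lookup(store, node):
                if c.source not in back_parent:
                    back_parent[c.source] = node
                    bq.append(c.source)
        if fq:
            node = fq.popleft()
            if node in back_parent:
                return _join(back_parent, fwd_parent, node)
            for c in subject_lookup(store, node):
                if c.target not in fwd_parent:
                    fwd_parent[c.target] = node
                    fq.append(c.target)
    return None


if __name__ == "__main__":
    for who in ("Alice", "Bob", "Carol", "Mallory"):
        print(who, "backward:", backward_search(SAMPLE_STORE, "EPapers.access", who))
        print(who, "bidirectional:", bidirectional_search(SAMPLE_STORE, "EPapers.access", who))
```

Running the block shows the storage-location effect: backward search alone proves Carol's membership (her record is issuer-published) but returns nothing for Alice and Bob, whose memberships only exist on the subject side, while the bidirectional search finds complete chains for all three and still rejects an entity without credentials.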