Today's study group was given by Bin on the paper "Enforcing Confinement in Distributed Storage and a Cryptographic Model for Access Control" by Halevi et al. It deals with the T10 OSD protocol, which provides access control in a network storage setting. The contributions of the paper are twofold. First, the authors propose binding access credentials to clients, which prevents clients from passing on credentials to other clients of the system. Second, they formalize access control in the model of universal composability and prove the security of the amended protocol therein.
The protocol involves four parties: a client, a security manager, a policy manager, and a storage server. It is required that the storage server and the security manager share a secret key. If the client wants to access an object on the storage server, it sends a request to the security manager, which in turn requests a capability from the policy manager. If the request is accepted, the latter returns a capability, which is then included in the credential sent from the security manager to the client. The client then uses the credential to access the desired object on the storage server. Finally, the security manager can also revoke credentials by communicating directly with the storage server.
There are four security modes requiring increasing levels of checks from the storage server: NoSec, CAPKEY, CMDRSP, ALLDATA. The talk was only concerned with CAPKEY. In this mode, the storage server checks the expiry time included in the capability as well as the so-called VTag. This is a MAC on a security token (a random number for every client-server pair) using a key that is derived by a PRF on the capability using the secret key shared by the security manager and the storage server. This authenticates the credential. However, this does not bind the credential to a particular client. The authors therefore suggest including a tag derived by a PRF on the client ID using the same secret key.
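The CAPKEY check and the proposed client binding, as an added sketch that is not code from the paper or the talk. It assumes HMAC-SHA256 for both the PRF and the MAC, a storage server that learns the sender's identity from an authenticated channel, and a client tag placed inside the capability so that the key derivation covers it; all names, field layouts and sample values are constructed for illustration.

```python
import hashlib, hmac, json

def prf(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for both the PRF and the MAC.
    return hmac.new(key, msg, hashlib.sha256).digest()

def encode(cap: dict) -> bytes:
    return json.dumps(cap, sort_keys=True).encode()  # canonical encoding

def issue(shared_key, obj, expiry, client_id=None):
    """Security manager: build the capability and derive its key."""
    cap = {"object": obj, "expiry": expiry}
    if client_id is not None:
        # Amended scheme: tag = PRF(shared key, client ID).
        cap["client_tag"] = prf(shared_key, b"id|" + client_id.encode()).hex()
    return {"cap": cap, "cap_key": prf(shared_key, b"cap|" + encode(cap))}

def vtag(cred, token: bytes) -> bytes:
    """Client: MAC the per-pair security token with the capability key."""
    return prf(cred["cap_key"], token)

def server_check(shared_key, cap, tag, token, sender_id, now, bound):
    """Storage server, CAPKEY mode: expiry, VTag, then optional binding."""
    if now >= cap["expiry"]:
        return False
    cap_key = prf(shared_key, b"cap|" + encode(cap))
    if not hmac.compare_digest(tag, prf(cap_key, token)):
        return False
    if bound:
        # sender_id is assumed to come from the authenticated channel.
        want = prf(shared_key, b"id|" + sender_id.encode()).hex()
        return hmac.compare_digest(cap.get("client_tag", ""), want)
    return True

def demo():
    K = b"constructed-shared-key"            # constructed sample values
    tok_a, tok_b = b"token-alice", b"token-bob"
    plain = issue(K, "obj-17", 2000)
    bound = issue(K, "obj-17", 2000, client_id="alice")
    def use(cred, tok, who, is_bound, now=1000):
        return server_check(K, cred["cap"], vtag(cred, tok), tok, who, now, is_bound)
    return {
        "plain_owner": use(plain, tok_a, "alice", False),
        "plain_passed_on": use(plain, tok_b, "bob", False),   # accepted
        "bound_owner": use(bound, tok_a, "alice", True),
        "bound_passed_on": use(bound, tok_b, "bob", True),    # rejected
        "expired": use(bound, tok_a, "alice", True, now=3000),
    }
```

Swapping in a different client tag changes the capability, so the server derives a different key and the VTag check fails before the binding check is reached.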
To prove the security of the resulting protocol, the authors propose an ideal functionality that keeps track of all credentials issued and revoked, and they provide a simulator in the hybrid model assuming secure channels and a common reference string.