[cap-talk] Forgeable capabilities
David Wagner
daw at cs.berkeley.edu
Sat Jul 7 13:34:52 EDT 2007
Pierre writes:
>I was wondering how forgeable capabilities are modeled in
>object-capabilities frameworks.
If it's forgeable, it's not a capability.
For the rest of the message I'm going to assume you wrote
"authentication tokens" instead of "forgeable capabilities".
>For example, if I have an object S that has a grantAuthority(credential)
>method, where credential is a couple (login, password), this couple
>constitutes [an authentication token]. If a call to grantAuthority
>with the adequate credential returns a capability to an object T, is it
>possible to model authority to S in another way than considering that
>authority to call S->grantAuthority is equivalent to authority to call
>T? That is, to model authority to S less conservatively.
Reasoning about this requires reasoning about both behavior and
knowledge. You have to reason about (a) the behavior of
grantAuthority() (i.e., under what conditions will it return the
cap to T?), and (b) the knowledge available to all parties in the
system (i.e., under what circumstances can they come to know or
guess the authentication token?). In general, reasoning about
knowledge is very difficult, and my experience is that object
capabilities don't help much with that task.
You could look at information flow systems for some attempts to
reason about knowledge, though in my opinion I'd call them closer
to failed attempts rather than successful attempts.
For this reason, my advice is to try to avoid structuring your system in
a way that demonstrating its security requires doing a lot of reasoning
about knowledge. Firewall or segregate off the knowledge-based stuff
(e.g., crypto, password checking, etc.) into its own little island so
that it is as encapsulated as possible and so that you can reason about
as much as possible of the rest of your application without needing to
reason about knowledge. That will maximize the effectiveness of the
object capability approach to reasoning about security.
Finally, I'll point out that cleartext passwords have many known problems
and one should think carefully about using them in new systems for
authentication, especially if it is a distributed system.
More information about the cap-talk
mailing list