Donkey Project: Introduction and ideas around
February 21, 2003
Yuri Demchenko

©February 21, 2003. Amsterdam. Donkey Project

Outlines
- Problems in traditional PKI and Identity Management
- Donkey goals
- Donkey Functionality
- Design issues
- Timetable
- Next steps
- Discussion:
  - Where the Donkey can be of use for RIPE NCC

Problems in PKI and Identity Management
- X.509 PKI is a heavy-weight solution and usually enterprise oriented:
  - Requires Certificate Authority (CA) to create and trust a certificate (PKC)
  - Certificate creation/revocation mechanism is complex, slow and expensive
  - LDAP as a standard mechanism to publish X.509 Certs is not easily extensible and (generically) not globally scaled
- Distributed applications and mobile users require secure remote access to electronic credentials and identity information
- P2P networks normally (based on DHT) require non-hierarchical (non-PKI) security infrastructure
- Advent of XML/SOAP based standards for SSO/Identity management creates technological alternative for traditional PKI and PMI

Donkey and DNSSEC
- DNSSEC can be a source of public keys for zones/nodes but it's not intended to provide this service for other applications:
  - Intended for host names, not arbitrary names
  - Updates are slow (propagation through caches, administrative overhead)
  - Requires DNSSEC protocol for public key access/request (standard request for KEY and SIG RRs)
- Donkey can provide (shadow/alternative) key distribution infrastructure using application specific protocols to off-load DNSSEC

Donkey Goal(s)
- Open extendable system for public key and Identity management
- Initial stage
  - Open global distributed system for publishing and retrieving named, signed public keys
- Intended development
  - Identity management for federated cross-domain AuthN and AuthZ
- Donkey website: http://www.nlnetlabs.nl/donkey/

What is Donkey: Donkey functionality
- Donkey allows anyone to publish a named key, together with optional data (Donkey package)
  - Multiple parties are allowed to publish a key with the same name. Applications must select the correct key when multiple keys match
  - Donkey is NOT a permanent storage: key must be republished to remain available
  - Donkey does NOT define a policy for key/payload usage
    - This is an application specific function
- Donkey allows anyone to query for a published key, based on the key's name (required) and signers (optional)
- Donkey allows anyone to sign a published key

Design issues: Package structure
- (Proprietary) Internal format (Python data object) but XML based exchange format
- Package ID
- Content
  - Header
    - Flags
    - Names
  - Owner Public Key - must be unique
  - Body
    - Payload
      - Application dependent content and format
      - Intended for AA and Identity management
      - May include specific format definition (e.g., embedded XML Schema)
- Signatures

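An added example, not code from the Donkey project: a minimal in-memory model of the publish, sign and query operations and of the package fields listed above, showing why a query by name alone is not enough when several parties publish the same name. The field names, the signing scope, the TTL and the constructed textbook-RSA keys (insecure, for illustration only) are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by all demo keys

def make_key(p, q):
    # Constructed textbook-RSA key from two Mersenne primes: insecure, demo only.
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def make_package(names, owner, payload=""):
    return {"names": list(names), "owner_key": owner["n"],
            "payload": payload, "signatures": []}

def digest(pkg, n):
    # Assumed signing scope: names + owner public key + payload, not signatures.
    data = repr((sorted(pkg["names"]), pkg["owner_key"], pkg["payload"]))
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n

def sign(pkg, key):
    pkg["signatures"].append((key["n"], pow(digest(pkg, key["n"]), key["d"], key["n"])))

def verified_signers(pkg):
    # Only signatures that verify count; a bare claim of a signer is ignored.
    return {n for n, s in pkg["signatures"] if pow(s, E, n) == digest(pkg, n)}

class Store:
    def __init__(self, ttl):
        self.ttl, self.items = ttl, []

    def publish(self, pkg, now):
        self.items.append((now + self.ttl, pkg))  # not permanent storage

    def query(self, name, signers=(), now=0):
        return [p for exp, p in self.items
                if exp > now and name in p["names"]
                and set(signers) <= verified_signers(p)]

def demo():
    owner = make_key(2**89 - 1, 2**107 - 1)
    impostor = make_key(2**127 - 1, 2**521 - 1)
    introducer = make_key(2**607 - 1, 2**1279 - 1)
    store, name = Store(ttl=60), "mail.example.org"  # constructed name
    good, bad = make_package([name], owner), make_package([name], impostor)
    sign(good, introducer)
    bad["signatures"].append((introducer["n"], 1))  # forged signer claim
    store.publish(good, now=0)
    store.publish(bad, now=0)
    by_name = store.query(name, now=1)
    trusted = store.query(name, [introducer["n"]], now=1)
    expired = store.query(name, now=61)
    return len(by_name), [p["owner_key"] == owner["n"] for p in trusted], expired
```

A name-only query returns both packages; requiring a verified signer the application already trusts narrows the result to the owner's key, and nothing is returned once the TTL has passed without republication.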
Design considerations
- Build upon existing solutions and standards
  - But still capable of a low start
- Gradual development
  - Build upon key storage/management engine
- XML for package extensibility and exchange
  - Including prospective use of the XML Protocol

Existing OpenSource solutions for AA and PMI
Donkey will be built upon existing PKI and AA applications:
- PGP Key Server
- Internet2 PubCookie/WebISO and Shibboleth/AA
- PAPI (AuthZ and Web SSO)
- A-Select (AuthZ and Web SSO)
- PERMIS (PrivilEge and Role Management Infrastructure Standards Validation Project)
- Akenti (cross-domain AA for Grid applications)

Standards for security assertions
- PGP
- X.509 Public Key Certificate (PKC)
- X.509 Attribute Certificate (AC) for Privilege Management
- SAML (Security Assertion Mark-up Language)
- Liberty Alliance Network Identity (XML and SAML based)
- Web Services Security (SOAP Extensions)

PKC vs AC: Purposes
- X.509 PKC binds an identity and a public key
- AC is a component of X.509 Role-based PMI
  - AC contains no public key
  - AC may contain attributes that specify group membership, role, security clearance, or other authorisation information associated with the AC holder
  - Analogy: PKC is like passport, and AC is like entry visa
- PKC is used for Authentication and AC is used for Authorisation
  - AC may be included into Authentication message
- PKC relies on Certification Authority and AC requires Attribute Authority (AA)

X.509 PKC Fields and Extensions - check with RFC 3280

X.509 PKC Fields
- Serial Number
- Subject
- Subject Public Key
- Issuer Unique ID
- Subject Unique ID

X.509 PKC Extensions
- Standard Extensions
  - Authority Key Identifier
  - Subject Key Identifier
  - Key Usage
  - Extended Key Usage
  - CRL Distribution List
  - Private Key Usage Period
  - Certificate Policies
  - Policy Mappings
  - Subject Alternative Name
  - Issuer Alternative Name
  - Subject Directory Attributes
  - Basic Constraints
  - Name Constraints
- Private Extensions
  - Authority Information Access
  - Subject Information Access
- Custom Extensions

X.509 PKC Extensions format
Identifier: Key Usage: - 18.104.22.168
Critical: yes
Key Usage: Digital Signature, Key CertSign, Crl Sign

AC vs PKC: Certificates structure

X.509 PKC
- Version
- Serial number
- Signature
- Issuer
- Validity
- Subject
- Subject Public key info
- Issuer unique identifier
- Extensions

AC
- Version
- Holder
- Issuer
- Signature
- Serial number
- Validity
- Attributes
- Issuer unique ID
- Extensions

AC Attribute Types and AC Extensions

AC Attribute Types
- Service Authentication Information
- Access Identity
- Charging Identity
- Group
- Role
- Clearance
- Profile of AC

AC Extensions
- Audit Identity
  - To protect privacy and provide anonymity
  - May be traceable via AC issuer
- AC Targeting
- Authority Key Identifier
- Authority Information Access
- CRL Distribution Points

Donkey Project milestones
- Overview and inventory/planning - current stage
  - Selected basic technologies and development environment
  - Overview document
- March-April: Prospective applications area overview
  - Requirements (common and specific for applications)
  - Draft Package and Protocol description/definition
- April-May: API(s) definition and Donkey prototyping
  - API requirements
- June-August: Development and pilot implementation for 1-2 applications

Donkey current status
Just started work on Donkey prototype
- Key generation (DSA or RSA keys)
- Creating a new Donkey package
- Add and verify signature to/of an existing Donkey package
- Data model and XML DTD/Schema for Donkey packages
Goal: Create a base for experiments with application specific payloads

Some specific next tasks
- Overview of existing solutions for AA and Identity management
- Analysis of applications specific requirements
- Scalability analysis
- Trust analysis
- Threats analysis