1. Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005

2. 2 What is NAAS? Network Authentication and Authorization Services (NAAS) are shared and centrally managed security services NAAS are designed to meet all node security requirements NAAS cover authentication, authorization, and identity management NAAS are easy to use and available to all network nodes NAAS are Web services with Web service description language (WSDL) files

3. 3 Why NAAS? Simplify implementation Enhanced security Cost effective Highly extensible Supports single sign-on (SSO) Security monitoring

4. 4 NAAS Major Services NAAS Web Service Interface: Simple Object Access Protocol (SOAP) service that exposes user authentication and authorization functions to all state nodes. It is the entry point for all service requests Network Authentication Service: This is a subsystem for verifying subject (user or machine) identity Network Authorization Service: This component is for entitlement management. Authorization is typically role- or policy-based. It must be flexible so that a variety of factors can be part of the decision to grant or deny access to specific resources User Identity Management: This component is responsible for registering users, removing users, and modifying user profiles Policy Management: The component allows administrators to create or modify rules or policies for resource access Vulnerability Management: This component tracks instances of security breaches and generates reports that contain specific information about vulnerability and actions taken. A good vulnerability management system helps to prevent security problems from recurring Network Certificate Authority: This component issues and manages certificates used for secure socket layer (SSL), encryption, and signature Public Key Management: This component allows users to locate and validate public keys

5. 5 Network Security Infrastructure

6. 6 Delegated Authentication Nodes delegate authentication task to NAAS Security Token is validated through NAAS

7. 7 Direct Authentication Users authenticate at NAAS and obtain Security Token Users use the Security Token to access a node Node validates the Security Token at NAAS

8. 8 Direct and Delegated Authentication Comparison Delegated Authentication Convenient to users. Operation and authentication at a single place Nodes have control over how users can be authenticated There is a small performance overhead in delegation Direct Authentication No performance penalty Best for accessing multiple nodes Recommended for machine-to- machine interactions Node local authentication may not be possible A network node must accept security tokens issued by NAAS in order to participate in the network-wide exchanges.

9. 9 Local authentication can be performed on node own domain users Locally authenticated users can not access other nodes and the Central Data Exchange (CDX) Nodes must perform access control over locally authenticated users Node can perform additional access control after NAAS authorization decisions for network users Local Authentication versus Network Authentication

10. 10 Digest: Use the hash value of the password to authenticate users HMAC Signature: Sign the authentication message using the password to prove identity XKMS: Sign the authentication message using a key stored in the key management service Certificate: Sign the authentication message using a certificate issued by a trusted party Advance Authentication Methods

11. 11 Password digest is a fingerprint of a password Digest algorithm is one-way. It is difficult to calculate a password given its digest Users send password digest to the server and the server calculates the password digest and compares it with the one received Sha-1 should be used to calculate the password digest Digest authentication has better protection of user passwords but has many of the same problems as password authentication Digest Authentication

12. 12 Users sign the authentication message using password before sending to NAAS NAAS uses the user’s password as the key to verify the signature. The user is authenticated if the signature is valid Much safer than digest, and the message integrity is protected Still need passwords – known to both client and server Hashed Message Authentication Code (HMAC) Signature

13. 13 XKMS is the XML Key Management Service (2.0 specification is coming out) Users generate public / private key pair and register the public key at XKMS Users sign the Authenticate message using the private key before sending to NAAS NAAS looks up the user’s public key in XKMS and verifies the signature using the public key User is authenticated if the signature is valid (proof of possession of private key that could not possibly be owned by anyone else) XKMS Authentication

14. 14 Users obtain certificate from a trusted authority Users sign the Authenticate message using the private key and insert the certificate in the signature NAAS validate the certificate through a certificate validation service, possibly the Federal Bridge Certification Authority (FBCA) NAAS verify the signature in the message The user is authenticated if both the certificate and the signature are valid Certificate Authentication

15. 15 All advanced authentications using the same Authenticate method defined in the node functional specification – they have no impact to the existing nodes and clients The authenticationMethod parameter can now be digest, XKMS, HMAC, and certificate. New node clients and Software Development Kit (SDK) will be provided to support and simplify deployment of strong authentication methods Technical document – Network authentication mechanisms will be released to promote the new methods We are moving to must stronger authentication using keys, and moving away from password authentications. Using Advance Authentication

16. 16 Questions?