ABFAB for Internet-of-Things
Rhys Smith, Janet
Sam Hartman & Margaret Wasserman, Painless Security


Agenda
– ABFAB Overview
– ABFAB for IoT
– Q&A

ABFAB OVERVIEW

What is ABFAB?
– Federated Identity for AuthN/AuthZ for any application/service
– Designed to take the best of breed of existing technologies, giving:
  – Security
  – Flexibility / wide scope
  – Ease of integration
  – Scaling

Fundamentals of ABFAB
ABFAB builds on AAA technologies:
– EAP (RFC 3748): strong & extensible mutual authentication
– RADIUS (RFC 2865) / RadSec (RFC 6614): federation between domains
To this, ABFAB adds:
– SAML (OASIS standard), for rich authorisation semantics
– Integration using operating system security APIs:
  – SSPI: Windows
  – GSS-API (RFC 2078): other operating systems
  – SASL (RFC 4422): Windows and other operating systems

EAP
Extensible Authentication Protocol
– Authentication framework
– Decouples the actual authn method from your protocol
– Protocol negotiates a particular authn method
– Many exist (54 values currently registered), e.g.:
  – EAP-PSK: pre-shared key
  – EAP-TLS: X.509
  – EAP-SIM: SIM card authn (GSM uses this)
  – EAP-TTLS: X.509 to create a tunnel, then further authn within the tunnel (e.g. PAP / MSCHAP)

RADIUS / RadSec
– RADIUS: AAA protocol over UDP
– RadSec: RADIUS over TCP & TLS
– Can encapsulate EAP
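To make the "RADIUS can encapsulate EAP" point concrete, here is an added example (not from the slides or from Moonshot) that wraps one EAP packet in a RADIUS Access-Request and parses it back out; the shared secret, Request Authenticator and identity are constructed sample values.

```python
# Added example (not from the slides): an EAP packet carried in a RADIUS Access-Request.
# The EAP payload is split across EAP-Message attributes (type 79, at most 253 bytes each)
# and the packet is protected by a Message-Authenticator (type 80, HMAC-MD5 keyed with
# the shared secret), both per RFC 3579; header and attribute layout per RFC 2865.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253  # one-byte attribute length, minus the 2-byte type/length header


def build_access_request(eap, secret, identifier, authenticator):
    """Wrap one EAP packet; authenticator is the 16-byte random Request Authenticator."""
    attrs = b""
    for off in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[off:off + MAX_ATTR_VALUE]
        attrs += struct.pack("!BB", EAP_MESSAGE, len(chunk) + 2) + chunk
    # Message-Authenticator is mandatory whenever EAP-Message is present; it is
    # HMAC-MD5 over the whole packet with its own 16-byte value zeroed.
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_access_request(pkt, secret):
    """Verify the Message-Authenticator and reassemble the EAP payload; None if invalid."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    eap, mac_off, off = b"", None, 20
    while off < len(pkt):
        if off + 2 > len(pkt) or pkt[off + 1] < 2 or off + pkt[off + 1] > len(pkt):
            return None  # truncated or malformed attribute
        atype, alen = pkt[off], pkt[off + 1]
        if atype == EAP_MESSAGE:
            eap += pkt[off + 2:off + alen]
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac_off = off + 2
        off += alen
    if mac_off is None:  # EAP-Message without Message-Authenticator must be discarded
        return None
    zeroed = pkt[:mac_off] + bytes(16) + pkt[mac_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_off:mac_off + 16]):
        return None
    return eap
```

A RadSec transport changes only the outer carrier (TCP/TLS instead of UDP); the EAP-Message framing and Message-Authenticator rule are the same.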

AuthZ over AAA
– EAP is an authn protocol; what about authz?
– RADIUS / RadSec enables authz to be separate from authn
  – Directly, but may be limited (RADIUS attrs)
– ABFAB also defines SAML over AAA for finer-grained, flexible authz information

GSS-API / SSPI / SASL
How to integrate applications?
– GSS-API / SSPI / SASL are ways to abstract security from applications
– GS2 (RFC 5801) bridges SASL and GSS-API
– ABFAB defines a GSS-API EAP mechanism (GSS-EAP)

Actors in ABFAB
– Client: application/device attempting to access an RP
– Relying Party (RP): service that is ABFAB enabled
– Identity Provider (IdP): authenticates users on behalf of their organisation
N.B. trust relationship between IdP and RP.

Protocol Overview
Parties: Client App, Relying Party (RP), Identity Provider (IdP)
(1) Client configuration
(2) Mechanism selection
(3) Client App -> RP: NAI transmitted to RP
(4) Discovery
(5) RP -> IdP: access request from RP to IdP
(6) IdP -> Client App (via RP): EAP method to Client
(7) EAP exchange to authenticate Client
(8 & 9) Local policy check
(10) IdP -> RP: IdP assertion to RP
(11) RP processes results
(12) RP -> Client App: results to client app
Legend (from the original diagram): "-----" = between Client App and RP; "=====" = between RP and IdP; "- - -" = between Client App and IdP (via RP)

Discovery
– Most EAP methods have inner and outer tunnels
  – Stuff in the outer tunnel is readable by the bits in the middle
  – Stuff in the inner tunnel is only readable by the endpoints
– The outer tunnel contains the realm only; this indicates which IdP to use
– The inner tunnel contains the credentials (e.g. username & password)

Discovery
– The RP and IdP need to know where each other are, and have keys for each other
– Options:
  – Statically configured bilateral trust: RADIUS
  – Statically configured hierarchical trust: RADIUS (e.g. eduroam)
  – Dynamically created trust: Trust Router
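The two Discovery slides above describe the only information an RP has to work with (the realm in the outer identity) and the three ways it can find the IdP. The following is an added example (not from the slides or from Moonshot) of that decision; the realm tables and hostnames are constructed placeholders, and the trust-router step is modelled as a decision only, not as the Trust Router protocol itself.

```python
# Added example (not from the slides): how an RP or proxy decides where to send an
# EAP Access-Request using only the realm from the outer identity, following the
# three options on the slide: static bilateral, static hierarchical (eduroam-style
# parent realms), and dynamic discovery via a Trust Router. Realm parsing follows
# RFC 7542 (the realm is everything after the last "@", compared case-insensitively).

# Constructed sample configuration; all targets are placeholder hostnames.
BILATERAL = {"partner.example": "radsec://idp.partner.example"}
HIERARCHICAL = {"edu.example": "radsec://national-proxy.example"}  # serves *.edu.example


def realm_of(nai):
    """Lower-cased realm of an NAI, or None when the NAI carries no realm."""
    if "@" not in nai:
        return None
    realm = nai.rsplit("@", 1)[1].strip().lower()
    return realm or None


def outer_identity(inner_nai):
    """Privacy-preserving outer identity: realm only, username omitted (RFC 7542 s2.4).
    This is all the RP and the proxies in the middle get to see."""
    realm = realm_of(inner_nai)
    return None if realm is None else "@" + realm


def route(nai, trust_router_available=True):
    """Next hop for a request, as (method, target). Static routes win over dynamic
    discovery, and a request without a realm cannot be routed at all."""
    realm = realm_of(nai)
    if realm is None:
        return ("reject", "no realm in identity")
    if realm in BILATERAL:
        return ("bilateral", BILATERAL[realm])
    # Hierarchical: the realm itself, then each parent suffix (a.b.c -> b.c -> c).
    labels = realm.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in HIERARCHICAL:
            return ("hierarchical", HIERARCHICAL[suffix])
    if trust_router_available:
        return ("trust-router", "resolve " + realm + " via trust router")
    return ("reject", "no route for realm " + realm)
```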

Flow with pre-configured keys (diagram)
– Entities: Client, Service (Relying Party), RP Proxy, IdP Proxy
– Client <-> Service: GSS, carrying EAP
– Service <-> RP Proxy <-> IdP Proxy: RadSec, carrying EAP end to end to the IdP
– Access-Accept returned from IdP Proxy to RP Proxy, then to the Service
– Session established between Client and Service

Flow with Trust Router (diagram)
– Entities: Client, Service (Relying Party), RP Proxy, Trust Router, IdP Proxy
– Client <-> Service: GSS, carrying EAP
– RP Proxy <-> Trust Router: TPQ, yielding a Temporary Identity (T.I.)
– RP Proxy <-> IdP Proxy: RadSec using the Temporary Identity, carrying EAP end to end to the IdP
– Access-Accept returned from IdP Proxy to RP Proxy, then to the Service
– Session established between Client and Service

Requirements
– Client: ABFAB libraries, identity selection mechanism
– Service: ABFAB libraries, RadSec
– RP: ABFAB libraries, RadSec server
– IdP: ABFAB libraries, RadSec server, SAML server (optional)

ABFAB libraries?
– Moonshot: major implementation of ABFAB, from Janet
  – Largely open source
  – Builds on Kerberos & Shibboleth SP code
  – GSS-API implementation (GSS-EAP)

ABFAB AND INTERNET-OF-THINGS

Overview
– An ABFAB-style mechanism seems appropriate
  – Decoupled AuthN/AuthZ from the core protocol, in a way that is flexible and extensible
– Could use GSS-EAP directly, but that's built for our application/service-layer use cases
– Or could use a custom ABFAB mechanism that better fits IoT requirements, i.e. GSS-less ABFAB (e.g. EAP for authn, DTLS)

ABFAB++
– EAP's decoupling of credential types and trust establishment from the rest of the system
– ABFAB-style architecture: separates out AuthN from AuthZ
– Flexibility about client and AuthZ server
– Programmatic way of approaching AuthZ (AAA attributes)

ABFAB--
– Multiple round trips in EAP: power requirements of this!
  – Need to optimise EAP
  – & use an appropriate EAP method

Making ABFAB better for ACE
– An EAP method that works well with DICE/DTLS
– Optimising EAP: removing unnecessary EAP round trips
– RADIUS over DTLS with DICE constraints (for an authz server on a constrained device)
– Compression / better encoding of authz info
– New instantiation of the ABFAB architecture: DTLS based

Q&A?