SEVA: Securing Extranets Yves ROUDIER, Refik MOLVA Institut Eurécom

Extranets: Deployment Issues client (browser) server (web) firewall HTTP request User Application Access Control User Management "server" intranet "client" intranet User ? Network Access Control ? ?

SEVA: Overview Automated management of access control –configuration and collaboration of security devices –delegation + role based access control Transparent mechanism –retrofitting clients / servers without modification –using a remote network like a local one Strong security –cryptographic mechanisms –fine grained authorizations and resource scoping

SEVA: Overall Architecture client (browser) server (web) "server" intranet "client" intranet Initial Agreement (Role-Based Delegation) groups of resources Roles Access Control rules - fine grained - application-level Defines Transparent and automated enforcement

Role Based Delegation Handle 1 Admin handle 1 "server" intranet "client" intranet group of resources (Handle = uniform naming) SPKI User or Role URL 2 SPKI authorization certificate User handle 1 URL 1 Authorization certificate

Handle 1 Role Based Delegation Admin Handle 1 "server" intranet "client" intranet Handle 1 Access control User Handle 1 Authorization certificate Handle 1 URL 2 URL 1 Authorization certificate

Scoping of Authorizations Handle 1 Handle 2 Handle 3 Admin Handle 3 "server" intranet "client" intranet Handle 3. Handle 1 Missing in SPKI ! user rights(handle 1)  rights(handle 3)

Defining Rights Based on SPKI (Simple Public Key Infrastructure) –access-, not identification-centric: key = principal –role-based: group certificates –delegation: access control, key management New in SEVA –agent-based automated issuance –one resolution  several accesses (cert (issuer (public-key (rsa-pkcs1 (e #11#) (n |AKfUCx8fOMNPYBHBJDF8GRSEP2+Egg9f3EZ/ry3SN7tyah7+VOMqSHgb hDV8Bl1C0lhDvC2KdEWlJ7iGj5l5cl+4+h4KMXOIiZ//3R2QObuYq7pMM 2aOjDPuPFmeBZZX3w5g0hOFZv4CouGdVO5G3x5OJGxJuIts73rPyHei+h8x|)))) (subject (name SEVA)) (tag (read

Defining Resources Based on CNRI’s handle system (draft IETF) –naming layer: uniform without modifying servers –naming authority responsible for its resources New in SEVA –integrated with SPKI authorizations –navigation protocol modified to verify access rights –Extranet  Handle System / jan2001-hs-overview Naming Authority [prefix] Item Identifier [suffix] : 1 : URL : : {Relative: 24 hours} : public-read, authorized-write : : {empty}

User Interface client (browser) server (web) firewall KSKS "server" intranet "client" intranet Smartcard Update access rights Transparent protection -unmodified client / server software -operation similar to local server yet strong security -materialized by smartcard -enforced through traffic tagging Traffic tagging layer

Traffic Tagging client (browser) server (web) firewall Traffic tagging Tag verification (access control) "server" intranet "client" intranet Network-Level Access Control -stream authentication Application-Level Access Control: -fine granularity (resource + operation) -application level HTTP request Lightweight Tagging -one-way function

SEVA: Current Status Working Prototype –Traffic tagging –Application-level verification mechanism –Role management and delegation –Resource management and scoping Embedded technologies –SPKI –Handle System –Java Card –cryptography: Cryptix (Java), Cryptlib (C), GemXpresso

Summary: Classical vs. SEVA Extranets Access Control Management –identity / delegation+role –coarse / fine-grained Access Control Location –definition: network+application / application only –enforcement: network+application / network only Access Control Enforcement –configuration: manual / automated –user authentication: explicit / transparent