Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

2 AAI?
- Authentication & Authorization Infrastructure: several possibilities; we focused on PKI + PMI
- Development background:
  - PKI: Cert'eM (online PKI) and more …; X509 ITU-T
  - PMI: extending Cert'eM (online PMI); X509 ITU-T

3 Online AAI? = CRL problem
- (figure: timeline from the CRL issue at T0 to the next CRL issue at T1: key compromised, revocation request, revocation time; between the compromise and the next CRL issue the key is open to dishonest use)
- CRL = a problem in PKI, and exacerbated in PMI, therefore an AAI issue to take into account
- Online AAI as a possible solution

4 What is Cert'eM?
- An online PKI, designed and implemented in '98, trying to solve the CRL problems (the OCSP service had not been developed yet)
- Based on X509: usually linked to an X500 name, but the X509 proposal also allows linking to an RFC 822 (e-mail) address
- Uses an architecture of CAs that satisfies the needs of near-certification

5 Cert’eM: Hierarchical Nodes

6 Cert'eM: Certificate Request Information Flow (figure: two KSU trees, c / b.c / a.b.c for alice and t / s.t / r.s.t for bob, each node with its CA; the request travels between the KSUs)

7 Cert'eM: KSU Elements (figure: the KSU for lcc.uma.es is made of a Certification Authority, a Certification Server and a Certification Kernel; the CA holds the private key, user data and X509 certificates, read and written by the kernel; the server handles certificate requests as pending, ongoing and closed, with a principal process and processes 1 … N; certificates are kept as local certificates and cache certificates)

8 Cert'eM: Protocol …
- Connection Phase
  C: HELLO [ ]
  S: +OK {the client has permission}
  S: -ERR1 {the client host is not allowed}
  S: -ERR2 {the client is not allowed}
- Transaction Phase
  C: GETCERT
  S: CERT
  S: CERT
  S: +OK or
  S: -NSC {no such certificate}

9 … Cert'eM: Protocol
- Transaction Phase
  S: CERT
  S: CERT
  The search can be local or external: local = database search; external = use of the cache mechanism and communication between KSUs
- Termination Phase
  C: EXIT
  S: +Ok
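The two protocol phases above, together with the local/external search and the CRL-free revocation the presentation claims, as an added Python model (not Cert'eM's own code). The certificate strings, the host and client allow-lists, the shared KSU registry used for the inter-KSU search and the rule that HELLO must precede GETCERT are constructed assumptions.

```python
class KSU:
    """Cert'eM Key Service Unit model: local certificate database plus a cache."""
    def __init__(self, domain, local_certs, allowed_hosts, allowed_clients, registry):
        self.domain, self.local, self.cache = domain, dict(local_certs), {}
        self.allowed_hosts = set(allowed_hosts)      # hosts allowed to connect
        self.allowed_clients = set(allowed_clients)  # users allowed to query
        self.registry = registry                     # domain -> KSU, shared (assumption)
        registry[domain] = self
    def lookup(self, address):
        """Local search (database) first, then external search: the cache, then
        the KSU responsible for the address's domain; external hits are cached."""
        if address in self.local:
            return self.local[address]
        if address not in self.cache:
            peer = self.registry.get(address.rpartition("@")[2])
            if peer is None or address not in peer.local:
                return None
            self.cache[address] = peer.local[address]
        return self.cache[address]
    def revoke(self, address):
        """Real-time revocation, no CRL: the certificate leaves the database and
        every KSU's cache, so the very next GETCERT for it is answered -NSC."""
        self.local.pop(address, None)
        for ksu in self.registry.values():
            ksu.cache.pop(address, None)
    def serve(self, host, commands):
        """Answer one client session (a list of command lines); returns the replies."""
        replies, greeted = [], False
        for line in commands:
            verb, _, arg = line.partition(" ")
            if verb == "HELLO":                          # Connection phase
                if host not in self.allowed_hosts:
                    return replies + ["-ERR1 the client host is not allowed"]
                if arg not in self.allowed_clients:
                    return replies + ["-ERR2 the client is not allowed"]
                greeted = True
                replies.append("+OK")
            elif not greeted:                            # assumption: HELLO comes first
                return replies + ["-ERR2 the client is not allowed"]
            elif verb == "GETCERT":                      # Transaction phase
                cert = self.lookup(arg)
                replies += (["-NSC no such certificate"] if cert is None
                            else ["CERT " + part for part in cert] + ["+OK"])
            elif verb == "EXIT":                         # Termination phase
                replies.append("+Ok")
                break
        return replies
```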

10 Cert'eM: Locating KSUs (figure: names involved in locating the KSU of the lcc.uma.es domain: lcc.uma.es, correo.lcc.uma.es, certem-tcp.lcc.uma.es)

11 Cert'eM Conclusion
- guarantees that CAs will only certify those users close to them;
- provides real-time revocation of keys (without the need for CRLs);
- close to S/MIME;
- can provide quality service to GRIDs;
- lightweight inter-KSU and user-KSU protocol;
- has provided services to several projects we have been involved in (not only a theoretical solution)

12 X509 ITU-T PKI
- Developed for a Spanish banking entity (BANESTO) in 2001
- Using only GPL libraries: OpenSSL, GTK, OpenLDAP

13 X509 ITU-T PMI (I)
- The ITU-T proposal defines four PMI models:
  - General
  - Control
  - Role (PERMIS Project)
  - Delegation (our proposal)
- We have extended the OpenSSL library with attribute certificate management and authorization capabilities, because:
  - this library is widely deployed;
  - there was no previous experience with introducing attribute certificates in OpenSSL;
  - we wanted to approach privilege delegation procedures (still in progress);
  - and … we had already developed a PKI using OpenSSL

14 X509 ITU-T PMI (II)

15 Extending Cert'eM
- Cert'eM technology applied to authorization, plus OpenSSL attribute certificates (ACSUs)
- The main elements are the Attribute Certificate Service Units (ACSUs), which integrate attribute certification and management functions:
  - managed by an Attribute Authority
  - contain a database to store the attribute certificates of "local" users
  - handle updating and revocation of certificates and local operations

16 AAI scenario (I)
(figure: Alice, Bob and the AAI; Bob asks "Who is the user? & What can he do?"; the AAI holds Alice's AC and PKC and answers with the token's AC + PKC)
1. A -> B: Token Request
2. B -> AAI: Request AC + PKC
3. AAI -> B: AC + PKC

17 AAI scenario (II) How link identity and attribute certificates?
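The three-step exchange of the scenario above, as an added Python model (not the project's own code): Bob turns the token into a request to the AAI, receives AC + PKC, and links the two before answering "who is the user and what can he do?". It assumes the AC names its holder by the issuer and serial number of the PKC, models signature verification as a key identifier match, and uses constructed certificate values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PKC:                  # public-key (identity) certificate; fields are constructed
    issuer: str
    serial: int
    subject: str
    key_id: str             # identifier of the subject's public key

@dataclass(frozen=True)
class AC:                   # attribute certificate issued by an Attribute Authority
    holder_issuer: str      # holder = issuer + serial of the PKC it is bound to
    holder_serial: int
    privileges: frozenset   # operations the holder may perform
    not_after: int          # validity end (constructed time units)

class AAI:
    """Online AAI answering step 2 (request AC + PKC) with step 3 (AC + PKC).
    Revocation is immediate: a revoked PKC is simply no longer served (assumption)."""
    def __init__(self):
        self.pkcs, self.acs = {}, {}            # subject -> PKC, subject -> [AC]
    def issue_pkc(self, pkc):
        self.pkcs[pkc.subject] = pkc
    def issue_ac(self, subject, ac):
        self.acs.setdefault(subject, []).append(ac)
    def revoke_pkc(self, subject):
        self.pkcs.pop(subject, None)
    def request(self, subject):
        return self.acs.get(subject, []), self.pkcs.get(subject)

def authorize(token, aai, now):
    """Bob's side: who is the user and what can he do? token = (subject, key_id,
    operation); signature verification is modelled as a key_id match (assumption)."""
    subject, key_id, operation = token
    acs, pkc = aai.request(subject)
    if pkc is None or pkc.key_id != key_id:
        return False, "identity not established"
    # Link identity and attributes: keep only ACs whose holder is *this* PKC, so an
    # AC bound to an older (reissued) PKC serial is ignored.
    linked = [ac for ac in acs
              if (ac.holder_issuer, ac.holder_serial) == (pkc.issuer, pkc.serial)]
    valid = [ac for ac in linked if now <= ac.not_after]
    if not valid:
        return False, "no valid attribute certificate linked to the PKC"
    if any(operation in ac.privileges for ac in valid):
        return True, "allowed"
    return False, "privilege not granted"
```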

18 Future Work
- Currently working on the delegation model
- Delegation statements establish directed graphs; directed graphs offer a global view of the delegation system
- The theoretical model applies to PMI, and it works!

19 Thank you. Any question? José A. Montenegro, GISUM Group, Security Information Section, University of Malaga, Malaga (Spain). Web:

20 AAI: Relation to TACAR … (figure: TACAR above the two trees, c / b.c / a.b.c for alice and t / s.t / r.s.t for bob, each node with its CA, KSU and ACSU)

21 … AAI: Relation to TACAR
- Remember that the CA belongs to the upper level: domains c and t are stored in TACAR
- TACAR is the common root of the "a.b.c" and "r.s.t" trees
- How to locate TACAR? The same way as any other KSU/ACSU node. Add and certificates to TACAR