Client Registration Open Issues Update, 5/27/2011, Denis Pochuev (original proposal by Alan Frindell)

Presentation transcript:


List of the open issues

- Username vs. Entity Name
- Implicit Registration response
- "Locate self": parameter or attribute?
- Which Locate operations should be allowed on Entities?
- Device Credential
- Proxy Registration/Authentication
- CSR Credential

Username vs. Entity Name

Message flow (KMIP Client -> KMIP Server):
1. Auth Request + Create Entity
   Authentication header:
     Credential
       Credential Type: Username and Password
       Credential Value: Username: "user1", Password: "password"
   Register request:
     Object Type = Entity
     Template-Attribute
       Attribute Name: "Credential"
       Attribute Value:
         Credential Type: Username and Password
         Credential Value: Username: "user1", Password: "password"
   Server: Register Entity; response: Entity UUID
2. Create Object
   Server: Create Object; response: Obj UUID

Resulting Entity on the server:
  Entity UUID: ABCD-1234
  Attribute Name: "Credential", Attribute Value: …
  Attribute Name: "Name", Attribute Value: user1

Implicit Registration Response

Message flow (KMIP Client -> KMIP Server):
1. Auth Request + Create Entity + Create Object
   Authentication header:
     Credential
       Credential Type: Transport Certificate
       Credential Value: (certificate)
   Server: Create Object; response: Entity UUID + Obj UUID
2. Create Object
   Server: Create Object; response: Obj UUID

- Implicit self-registration with cert (+2 object creations)
- What if we did not return the Entity UUID?
  - No Error => both Entity and Object were created
  - Use "Locate self" to get the Entity UUID

Locate Self: parameter or attribute?

- Alternative 1: part of Locate
  Entity Identifier (see A): an enumeration object used by the client to locate Entities with special properties
    Locate
      Entity Identifier = Self
- Alternative 2: new attribute
    Locate
      Attribute
        Attribute Name = Entity Identifier
        Attribute Value = Self

What Locate operations should be allowed on Entities?

- Find all Entities with Transport Certificate Credentials:
    Locate
      Credential
        Credential Type: Transport Certificate
- Find an Entity by its transport certificate:
    Locate
      Credential
        Credential Type: Transport Certificate
        Credential Value: Certificate: (certificate)
- Find yourself:
    Locate
      Entity Identifier = Self
- Find all objects owned by a given Entity:
    Locate
      Owner = (that Entity's UUID)

Device Credential

Credential/Subject Type (Value):
- Username and Password (KMIP v1): Username
- Device: World Wide Name
- Distinguished Name
- SAML Subject
- Open ID

Authentication Information Type (Value):
- Password
- X.509 Certificate
- Kerberos Ticket
- Extensions: 8XXXXXXX

- Part of an earlier proposal
- Needs a "secret" part to protect against entity impersonation

Proxy Registration/Authentication

- Important use case for KMIP participants:
  - A single proxy is responsible for establishing and running the TLS tunnel
  - Multiple lightweight KMIP clients are connected through the proxy to the server
- Should it be a part of the current proposal?
- Support for devices that cannot save their own UUIDs

Optional Entity in Authentication Header

- Current assumption: 1-to-1 mapping between Credential and Entity (only one Entity corresponds to a given Credential)
- Adding attributes to Entity registration and sending the Entity UUID in the Authentication header addresses that issue

Message flow (KMIP Client -> KMIP Server):
1. Auth Request + Create Entity
   Authentication header:
     Credential
       Credential Type: Transport Certificate
       Credential Value: (certificate)
     Entity UUID = 0x172b45a435890cde
   Register request:
     Object Type = Entity
     Template-Attribute
       Attribute Name: "Credential"
       Attribute Value:
         Credential Type: Transport Certificate
         Credential Value: Certificate
           Certificate Type: X.509
           Certificate Value: (certificate)
       Attribute id = 0xb34a32b23a43093d
       Attribute ip-addr = (address)
       Attribute mac-addr = 02:ba:d0:ca:fe:99
   Server: Register Entity; response: Entity UUID
2. Create Object
   Server: Create Object; response: Obj UUID
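The following is an added example and is not text from the slides, from the KMIP specification, or from any vendor's implementation. It models, in a toy in-memory server, the points raised by the Locate, Device Credential, Proxy and Authentication-header slides: registering an Entity whose Credential attribute must carry a secret part (an identifier-only Device credential is refused), the "Locate self" and credential-type Locate variants, and resolving the Authentication header when several lightweight clients share one proxy's Transport Certificate, where the Entity UUID in the header is required and must be bound to the presented credential. The class names, the store layout and all sample credentials are constructed assumptions.

```python
# Added example: toy model of the client-registration flow, not KMIP code.
import hashlib
import uuid

# Credential types named on the slides. Only types that carry a secret part
# (password, certificate, ticket) may authenticate; a bare identifier such as
# a Device World Wide Name cannot stop impersonation (Device Credential slide).
SECRET_BEARING = {"Username and Password", "Transport Certificate", "Kerberos Ticket"}
IDENTIFIER_ONLY = {"Device", "Distinguished Name"}


class KmipError(Exception):
    """Stand-in for a KMIP operation failure."""


class ToyKmipServer:
    def __init__(self):
        self.entities = {}       # Entity UUID -> attribute dict
        self.by_credential = {}  # credential fingerprint -> set of Entity UUIDs
        self.objects = {}        # Obj UUID -> owning Entity UUID

    @staticmethod
    def fingerprint(cred):
        """Lookup key for a credential; the secret itself is never stored."""
        if cred["type"] == "Username and Password":
            material = cred["username"] + "\0" + cred["password"]
        else:
            material = cred["value"]  # certificate or ticket, as text
        return hashlib.sha256(material.encode()).hexdigest()

    def register_entity(self, credential, **attributes):
        """Register Object Type=Entity with a Credential attribute."""
        ctype = credential["type"]
        if ctype in IDENTIFIER_ONLY:
            raise KmipError(f"credential type {ctype!r} has no secret part")
        if ctype not in SECRET_BEARING:
            raise KmipError(f"unsupported credential type {ctype!r}")
        entity_uuid = str(uuid.uuid4())
        self.entities[entity_uuid] = {"Credential Type": ctype, **attributes}
        self.by_credential.setdefault(self.fingerprint(credential), set()).add(entity_uuid)
        return entity_uuid

    def authenticate(self, credential, entity_uuid=None):
        """Resolve an Authentication header to exactly one Entity.
        A credential shared by several Entities (clients behind one proxy) must be
        accompanied by an Entity UUID, and that UUID must be bound to the credential."""
        candidates = self.by_credential.get(self.fingerprint(credential), set())
        if not candidates:
            raise KmipError("unknown credential")
        if entity_uuid is None:
            if len(candidates) > 1:
                raise KmipError("credential maps to several Entities; Entity UUID required")
            return next(iter(candidates))
        if entity_uuid not in candidates:
            raise KmipError("Entity UUID is not bound to this credential")
        return entity_uuid

    def create_object(self, entity_uuid):
        obj_uuid = str(uuid.uuid4())
        self.objects[obj_uuid] = entity_uuid
        return obj_uuid

    def locate(self, caller, entity_identifier=None, credential_type=None, owner=None):
        """The Locate variants listed on the slides, over the in-memory store."""
        if entity_identifier == "Self":
            return [caller]
        if credential_type is not None:
            return sorted(u for u, a in self.entities.items()
                          if a["Credential Type"] == credential_type)
        if owner is not None:
            return sorted(o for o, e in self.objects.items() if e == owner)
        raise KmipError("no supported Locate filter given")


def demo():
    """Run the flows from the slides with constructed credentials."""
    srv = ToyKmipServer()
    user_cred = {"type": "Username and Password", "username": "user1", "password": "password"}
    proxy_cred = {"type": "Transport Certificate", "value": "CONSTRUCTED-PROXY-CERT-PEM"}
    results = {}
    # Username vs. Entity Name slide: register user1, authenticate, create an object.
    results["user"] = user = srv.register_entity(user_cred, Name="user1")
    srv.create_object(srv.authenticate(user_cred))
    # Proxy slide: two lightweight devices registered over one TLS credential.
    dev1 = srv.register_entity(proxy_cred, id="0xb34a32b23a43093d", mac_addr="02:ba:d0:ca:fe:99")
    srv.register_entity(proxy_cred, id="constructed-device-2")
    results["self"] = srv.locate(user, entity_identifier="Self")
    results["owned"] = srv.locate(user, owner=user)
    results["cert_entities"] = srv.locate(user, credential_type="Transport Certificate")
    rejected = {  # each of these must fail with KmipError
        "proxy_needs_uuid": lambda: srv.authenticate(proxy_cred),
        "foreign_uuid_rejected": lambda: srv.authenticate(user_cred, entity_uuid=dev1),
        "device_id_alone_rejected": lambda: srv.register_entity({"type": "Device", "value": "constructed-wwn"}),
    }
    for name, call in rejected.items():
        try:
            call()
            results[name] = False
        except KmipError:
            results[name] = True
    results["proxy_with_uuid"] = srv.authenticate(proxy_cred, entity_uuid=dev1) == dev1
    return results
```

Calling `demo()` returns a dictionary in which every `*_rejected` / `proxy_needs_uuid` entry is `True`, `proxy_with_uuid` is `True`, `cert_entities` lists the two proxied devices, and `self` contains only the caller's own Entity UUID. The design point is that the server, not the client, decides which Entity a request acts as: the client may name an Entity UUID, but it is honoured only if that Entity was registered under the credential actually presented.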

CSR (Certificate Server Request) Credential

- Client wants to register an entity and receive a signed Transport Certificate

Message flow (KMIP Client -> KMIP Server):
1. Auth Request + Create Entity
   Register request:
     Object Type = Entity
     Template-Attribute
       Attribute Name: "Credential"
       Attribute Value:
         Credential Type: Certificate Request
         Credential Value: Certificate
           Certificate Type: X.509
           Certificate Value: CSR
   Server: Register Entity; response: Entity UUID
2. Get Certificate
   Response: Obj UUID
3. Create Object (KMIP Client using the new certificate)
   Authentication header:
     Credential
       Credential Type: Transport Certificate
       Credential Value: (certificate)
   Server: Create Object; response: Obj UUID