Insert Your Name Insert Your Title Insert Date Client Registration Examples Alan Frindell Denis Pochuev 4/27/2011.

Slides:



Advertisements
Similar presentations
Suchin Rengan Principal Technical Architect Salesforce.com
Advertisements

April 23, XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
MyProxy: A Multi-Purpose Grid Authentication Service
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Report on Attribute Certificates By Ganesh Godavari.
Modifying Managed Objects Alan Frindell 3/29/2011.
KMIP Vendor Extension Management KMIP supports ‘extensions’ but provides no mechanism for coordination of values between clients and servers or between.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Overview What are the provisioning methods used in the Australian registry system? How are these provisioning systems secured?
Chapter 10: Authentication Guide to Computer Network Security.
Sanzi-1 CSE5 810 CSE5810: Intro to Biomedical Informatics Dynamically Generated Adaptive Credentials for Health Information Exchange Eugene Sanzi.
1 DoD Cardholder Self Registration November 21, 2008.
© 2010 IBM Corporation 23 September 2015 KMIP Server-to-server: use-cases and status Marko Vukolic Robert Haas
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.
Project Moonshot update ABFAB, IETF 80. About Moonshot Moonshot is implementing ABFAB Developer meeting, 24 March 2011 Testing event, 25 March 2011 A.
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
Insert Your Name Insert Your Title Insert Date Client Registration Open Issues Update 5/27/2011 Denis Pochuev (original proposal by Alan Frindell)
Instructor User Student User Course Registration Form (#8) Grade report (#14)Class list (#13) Grade Entry Form (#10)
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 herbert van de sompel CS 502 Computing Methods for Digital Libraries Cornell University – Computer Science Herbert Van de Sompel
The FIDO Approach to Privacy Hannes Tschofenig, ARM Limited 1.
Data Acquisition in a PACS Weina Ma Sep 24 th, 2013.
VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Services Security A. Casajus R. Graciani. 12/12/ Overview DIRAC Security Infrastructure HSGE Transport Authentication Authorization DIRAC Authorization.
Constraints Lesson 8. Skills Matrix Constraints Domain Integrity: A domain refers to a column in a table. Domain integrity includes data types, rules,
Adxstudio Portals Training
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Get Random Proposal John Leiseboer 11 October 2012.
Security Solutions Rachana Ananthakrishnan University of Chicago.
Advance Caching Techniques Keen Haynes MKAD SCCFUG Winter 2002 Conference.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 23 September, 2010 Encoding Options for Key Wrap.
©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 26 October, 2010 Encoding Options for Key Wrap of.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E MyAPNIC Project Features & Facilities Prototype Demo.
© SafeNet Confidential and Proprietary KMIP Entity Object and Client Registration Alan Frindell Contributors: Robert Haas, Indra Fitzgerald SafeNet, Inc.
KMIP PKCS#12 February 2014 Tim Hudson – 1.
Insert Your Name Insert Your Title Insert Date Client Registration Examples Alan Frindell 2/18/2011.
Insert Your Name Insert Your Title Insert Date Client Registration Examples Alan Frindell Denis Pochuev 4/26/2011.
Server to Server Group Requirements Simplifying key management between multiple vendor implementations.
AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework pdf.
Insert Your Name Insert Your Title Insert Date Client Registration Examples Alan Frindell Denis Pochuev 4/26/2011.
OGF 43, Washington 26 March FELIX background information Authorization NSI Proposed solution Summary.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Schritt 1: Wahl der Methode LDAP oder Database:
Microsoft Passport and Windows Hello Developer’s Guide to Windows 10 Build SDK Update Andy Wigley
OGF PGI – EDGI Security Use Case and Requirements
WMarket For Developers API && Authorization.
Cryptography and Network Security
KMIP Client Registration Ideas for Discussion
Login & administration page
Security in ebXML Messaging
KMIP Entity Object and Client Registration
JavaScript Form Validation
How do I register and log in to the WBT?
CORBA Programming B.Ramamurthy Chapter 3 5/2/2019.
WSP-ATR Submission Process 2019.
WSP-ATR Submission Process 2019.
National Trust Platform
Presentation transcript:

Insert Your Name Insert Your Title Insert Date Client Registration Examples Alan Frindell Denis Pochuev 4/27/2011

Summary of updates since Feb F2F  Complex structures scrapped for simpler ones with better v1.0 compatibility  More discretion left to server implementers  Credential is now a “first class” Attribute in addition to a base object Facilitates Credential updates with minimal spec angst  Minor updates based on F2F feedback 2

Certificate Entity: Implicit self-registration  Server implicitly creates Entity record as a side effect of another KMIP request  No special TTLV required – KMIP server extracts needed values from TLS certificate  Client MAY already have a cert signed by a CA trusted by KMIP server  Resulting Object: Entity UUID: ABCD-1234 Attribute Attribute Name: “Credential” Attribute Value: Credential Type: Transport Certificate Credential Value: Certificate Certificate Type: X.509 Certificate Value: 3

Certificate Entity: Explicit self-registration Register Object Type=Entity Template-Attribute Attribute Attribute Name: “Credential” Attribute Value: Credential Type: Transport Certificate Credential Value:  Certificate fields extracted from TLS 4

Certificate Entity: Registration Register Object Type=Entity Template-Attribute Attribute Attribute Name: “Credential” Attribute Value: Credential Type: Transport Certificate Credential Value: Certificate Certificate Type: X.509 Certificate Value:  Assumption: Registering Entity has privilege to register Entities 5

Certificate Entity: Authentication and Access Control Authentication Credential Credential Type: Transport Certificate Credential Value:  Server looks up Entity based on TLS certificate information Server policy: may be dynamic mapping or exact match  For access control, server checks authenticated Entity UUID against request object Owner attribute 6

Username/Password User: Registration Register Object Type=Entity Template-Attribute Attribute Attribute Name: “Credential” Attribute Value: Credential Type: Username and Password Credential Value: Username: “user1” Password: “password”  Resulting Object: Entity UUID: ABCD-1234 Attribute Attribute Name: “Credential” Attribute Value: Credential Type: Username and Password Credential Value: Username: “user1” Password: “password” 7

Username/Password User: Authentication and Access Control  Same as v1.0 Authentication Credential Credential Type: Username and Password Credential Value: Username: “user1” Password: “password”  Server looks up Entity based on Credential (username)  For access control, server checks authenticated Entity UUID against request object Owner attribute 8

Multi-factor Entity: Registration Register Object Type=Entity Template-Attribute Attribute Attribute Name: “Credential” Attribute Value: Credential Type: Transport Certificate Credential Value: Certificate Certificate Type: X.509 Certificate Value: Attribute Attribute Name: “Credential” Attribute Value: Credential Type: Username and Password Credential Value: Username: “user1” Password: “password” 9

Multi-factor Entity: Authentication Authentication Credential Credential Type: Transport Certificate Credential Value: Credential Credential Type: Username and Password Credential Value: Username: “user1” Password: “password”  Server looks up Entity based on each Credential – all must resolve to the same Entity  For access control, server checks authenticated Entity UUID against request object Owner attribute 10

Locate Entity and Objects by Entity  Find all Entities with Transport Certificate Credentials: Locate Credential Credential Type: Transport Certificate  Find an Entity by its transport certificate: Locate Credential Credential Type: Transport Certificate Credential Value: Certificate:  Find yourself: Locate Entity Identifier = Self  Find all objects owned by : Locate Owner = 11

Credential Refresh Modify Attribute Attribute: “Credential” Attribute Index: N Attribute Value: Credential Type: Transport Certificate Credential Value: Certificate: Modify Attribute Attribute: “Credential” Attribute Index: N Attribute Value: Credential Type: Username and Password Credential Value: Username: “user1” Password: “new-password” 12

Other operations  Get Entity Info Locate Entity Identifier = Self Get Attributes Attribute Name: “Credential”  Server is not allowed to return Password values in Username and Password structure  Destroy Entity Destroy UUID: “ABCD-1234” 13

Future work  Define error handling behavior and update respective chapter in the specification  Update Usage Guide and Use-Case documents  Define another Credential Type for explicit two-factor authentication (if needed and if the proof of possession issue is resolved) 14

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.