Presentation is loading. Please wait.

Presentation is loading. Please wait.

ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.

Published byRylee Sturman Modified over 10 years ago

Similar presentations

Presentation on theme: "ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security."— Presentation transcript:

1 ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security

2 Agenda ABFAB Overview ABFAB for IoT Q&A

3 ABFAB OVERVIEW

4 What is ABFAB? Federated Identity for AuthN/AuthZ for any application/service Designed to take the best of breed of existing technologies, giving: – Security – Flexibility / wide scope – Ease of integration – Scaling

5 Fundamentals of ABFAB ABFAB builds on AAA technologies – EAP (RFC 3748): strong & extensible mutual authentication – RADIUS (RFC 2865) / RadSec (RFC 6614): federation between domains To this, ABFAB adds – SAML (OASIS standard), for rich authorisation semantics – Integration using operating system security APIs SSPI: Windows GSS-API (RFC 2078): Other operating systems SASL (RFC 4422): Windows and other operating systems

6 EAP Extensible Authentication Protocol – Authentication Framework – Decouples actual authn method from your protocol. – Protocol negotiates particular authn method – Many exist (54 values currently registered) e.g. EAP-PSK – Pre-shared key EAP-TLS – X509 EAP-SIM – SIM card authn (GSM uses this) EAP-TTLS – X509 to create tunnel, then further authn within tunnel (e.g. PAP / MSCHAP)

7 RADIUS / RadSec RADIUS - AAA protocol over UDP RadSec – RADIUS over TCP & TLS Can encapsulate EAP

8 AuthZ over AAA EAP is an authn protocol What about authz? RADIUS /RadSec enables authz to be separate from authn – Directly, but may be limited (RADIUS attrs) ABFAB also defines SAML over AAA for finer- grained, flexible, authz information

9 GSS-API / SSPI / SASL How to integrate applications? – GSS-API / SSPI / SASL are ways to abstract security from applications – GS2 (RFC 5801) bridges SASL and GSS-API ABFAB defines a GSS-API EAP mechanism (GSS-EAP)

10 Actors in ABFAB Client – Application/device attempting to access RP Relying Party (RP) – Service that is ABFAB enabled Identity Provider (IdP) – Authenticates users on behalf of that organisation N.B. – Trust relationship between IdP and RP.

11 Protocol Overview Relying Client Identity Party App Provider | (1) | Client Configuration | | | | | | Mechanism Selection | | | |<-----(3)-----<| | NAI transmitted to RP | | | | | Discovery | | | |>=====(5)====================>| Access request from RP to IdP | | | | |< - - (6) - -<| EAP method to Client | | | | | | EAP Exchange to authenticate | | | Client | | | | | (8 & 9) Local Policy Check | | | |<====(10)====================<| IdP Assertion to RP | | | (11) | | RP processes results | | | |>----(12)----->| | Results to client app. ----- = Between Client App and RP ===== = Between RP and IdP - - - = Between Client App and IdP (via RP)

12 Discovery Most EAP methods have inner and outer tunnels – Stuff in outer tunnel is readable by bits in the middle – Stuff in inner tunnel only readable by the endpoints – Outer tunnel contains realm only ( e.g. @mit.edu) This indicates IdP to use. – Inner tunnel contains credentials (e.g. someuser@mit.edu & password)

13 Discovery The RP and IdP need to know where each other are, and have keys for each other – Options: Statically configured bi-lateral trust – RADIUS Statically configured hierarchical trust = RADIUS (e.g. eduroam) Dynamically created trust = Trust Router

14 RadSecRadSec RadSecRadSec GSSGSS EAPEAP EAPEAP Service (Relying Party) Client RP Proxy IdP Proxy Access-AcceptAccess-Accept Access-AcceptAccess-Accept SessionSession Flow with pre-configured keys

15 RadSecRadSec Trust Router RadSecRadSec TPQTPQ Temporary Identity GSSGSS EAPEAP EAPEAP Client Trust Router Trust Router RP Proxy IdP Proxy T.I.T.I. Access-AcceptAccess-Accept Access-AcceptAccess-Accept SessionSession Service (Relying Party) Flow with Trust Router

16 Requirements Client – ABFAB libraries, Identity Selection Mechanism Service – ABFAB libraries, RADSEC RP – ABFAB libraries, RADSEC server IdP – ABFAB libraries, RADSEC server, SAML server (opt)

17 ABFAB libraries? Moonshot – major implementation of ABFAB, from Janet. – Largely open source – Builds on Kerberos & Shibboleth SP code – GSS-API implementation (GSS-EAP)

18 ABFAB AND INTERNET-OF-THINGS

19 Overview An ABFAB-style mechanism seems appropriate – Decoupled AuthN/AuthZ from core protocol In a way that is flexible and extensible – Could use GSS-EAP directly – but thats built for our application/service layer use cases – Or could use a custom ABFAB mechanism that better fits IoT requirements i.e. GSS-less ABFAB E.g. EAP for authn, DTLS

20 ABFAB++ EAPs decoupling of credential types and trust establishment from rest of system ABFAB-style architecture – Separate out AuthN from AuthZ Flexibility about client and AuthZ server. Programmatic way of approaching AuthZ (AAA attributes)

21 ABFAB-- Multiple round trips in EAP – power reqs of this! – Need to optimise EAP – & use appropriate EAP method

22 Making ABFAB better for ACE An EAP method that works well with DICE/DTLS Optimising EAP – Removing unnecessary EAP round trips RADIUS over DTLS with DICE constraints (for authz server on constrained device) Compression/better encoding of authz info New instantiation of ABFAB arch – DTLS based

23 Q&A?

Download ppt "ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security."

Similar presentations

Authentication.

Authentication.
draft-urien-tls-psk-emv-00

draft-urien-tls-psk-emv-00
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
Project Moonshot February 2012. Background Project Moonshot 2.

Project Moonshot February Background Project Moonshot 2.
Trust Router. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any.

Trust Router. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any.
Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman

Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.

Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.
Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.

Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.
© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.

© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

Similar presentations

Ads by Google