Presentation is loading. Please wait.

Presentation is loading. Please wait.

SEVA: Securing Extranets Yves ROUDIER, Refik MOLVA Institut Eurécom

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SEVA: Securing Extranets Yves ROUDIER, Refik MOLVA Institut Eurécom"— Presentation transcript:

1 SEVA: Securing Extranets Yves ROUDIER, Refik MOLVA Institut Eurécom http://www.eurecom.fr/~nsteam/SEVA/

2 Extranets: Deployment Issues client (browser) server (web) firewall HTTP request User Application Access Control User Management "server" intranet "client" intranet User ? Network Access Control ? ?

3 SEVA: Overview Automated management of access control –configuration and collaboration of security devices –delegation + role based access control Transparent mechanism –retrofitting clients / servers without modification –using a remote network like a local one Strong security –cryptographic mechanisms –fine grained authorizations and resource scoping

4 SEVA: Overall Architecture client (browser) server (web) "server" intranet "client" intranet Initial Agreement (Role-Based Delegation) groups of resources Roles Access Control rules - fine grained - application-level Defines Transparent and automated enforcement

5 Role Based Delegation Handle 1 Admin handle 1 "server" intranet "client" intranet group of resources (Handle = uniform naming) SPKI User or Role URL 2 Server@ SPKI authorization certificate User handle 1 URL 1 Authorization certificate

6 Handle 1 Role Based Delegation Admin Handle 1 "server" intranet "client" intranet Handle 1 Access control User Handle 1 Authorization certificate Handle 1 URL 2 Server@ URL 1 Authorization certificate

7 Scoping of Authorizations Handle 1 Handle 2 Handle 3 Admin Handle 3 "server" intranet "client" intranet Handle 3. Handle 1 Missing in SPKI ! user rights(handle 1)  rights(handle 3)

8 Defining Rights Based on SPKI (Simple Public Key Infrastructure) –access-, not identification-centric: key = principal –role-based: group certificates –delegation: access control, key management New in SEVA –agent-based automated issuance –one resolution  several accesses (cert (issuer (public-key (rsa-pkcs1 (e #11#) (n |AKfUCx8fOMNPYBHBJDF8GRSEP2+Egg9f3EZ/ry3SN7tyah7+VOMqSHgb hDV8Bl1C0lhDvC2KdEWlJ7iGj5l5cl+4+h4KMXOIiZ//3R2QObuYq7pMM 2aOjDPuPFmeBZZX3w5g0hOFZv4CouGdVO5G3x5OJGxJuIts73rPyHei+h8x|)))) (subject (name SEVA)) (tag (read http://www.eurecom.fr/~nsteam/SEVA/)))

9 Defining Resources Based on CNRI’s handle system (draft IETF) –naming layer: uniform without modifying servers –naming authority responsible for its resources New in SEVA –integrated with SPKI authorizations –navigation protocol modified to verify access rights –Extranet  Handle System 10.3245 / jan2001-hs-overview Naming Authority [prefix] Item Identifier [suffix] : 1 : URL : http://www.seva.org/slides/seva.html : {Relative: 24 hours} : public-read, authorized-write : 927314334000 : {empty}

10 User Interface client (browser) server (web) firewall KSKS "server" intranet "client" intranet Smartcard Update access rights Transparent protection -unmodified client / server software -operation similar to local server yet strong security -materialized by smartcard -enforced through traffic tagging Traffic tagging layer

11 Traffic Tagging client (browser) server (web) firewall Traffic tagging Tag verification (access control) "server" intranet "client" intranet Network-Level Access Control -stream authentication Application-Level Access Control: -fine granularity (resource + operation) -application level HTTP request Lightweight Tagging -one-way function

12 SEVA: Current Status Working Prototype –Traffic tagging –Application-level verification mechanism –Role management and delegation –Resource management and scoping Embedded technologies –SPKI –Handle System –Java Card –cryptography: Cryptix (Java), Cryptlib (C), GemXpresso

13 Summary: Classical vs. SEVA Extranets Access Control Management –identity / delegation+role –coarse / fine-grained Access Control Location –definition: network+application / application only –enforcement: network+application / network only Access Control Enforcement –configuration: manual / automated –user authentication: explicit / transparent

Download ppt "SEVA: Securing Extranets Yves ROUDIER, Refik MOLVA Institut Eurécom"

Similar presentations

New Security Services Based on PKI

New Security Services Based on PKI
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.

Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.
PKI Implementation in the Real World

PKI Implementation in the Real World
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
10/20/2011Pomcor 1 Deployment and Usability of Cryptographic Credentials Francisco Corella Karen Lewison Pomcor.

10/20/2011Pomcor 1 Deployment and Usability of Cryptographic Credentials Francisco Corella Karen Lewison Pomcor.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Abdelilah Essiari Gary Hoo Keith Jackson William Johnston Srilekha Mudumbai Mary Thompson Akenti - Certificate-based Access Control for Widely Distributed.

Abdelilah Essiari Gary Hoo Keith Jackson William Johnston Srilekha Mudumbai Mary Thompson Akenti - Certificate-based Access Control for Widely Distributed.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Data Security in Local Networks using Distributed Firewalls

Data Security in Local Networks using Distributed Firewalls

Similar presentations

Ads by Google