The EC PERMIS Project David Chadwick


1 The EC PERMIS Project David Chadwick d.w.chadwick@salford.ac.uk

2 Traditional Applications
- Authentication and Authorisation are Internal to the Application
- UserName/Password Lists
- Access Control Lists
- Multiple passwords
- Multiple usernames
- Confusion!!
- Multiple Administrators
- High cost of administration
- No overall Security Policy

3 Enter PKI
- Authentication is External to the Application
- Access Control Lists
- One password or pin to access private key
- Happy Users!
- Multiple Administrators
- High cost of administration
- No overall Security Policy
[Diagram labels: Digital Signature, Public Key Infrastructure, Application Gateway]

4 Enter PMI
- Authentication and Authorisation are External to the Application
- One password or pin to access private key
- Happy Users!
- Fewer Administrators
- Lower cost of admin
- Overall Security Policy
[Diagram labels: Digital Signature, Public Key Infrastructure, Application Gateway, Privilege Management Infrastructure]

5 What PERMIS is not
- It is not an AAA system
- It does not help in authenticating users, or accounting
- It does not try to replace PKI, Shibboleth or other institution or inter-realm based authentication mechanisms
- It is not a protocol for carrying authentication/authorisation tokens e.g. SAML, PAPI, HTTP

6 What PERMIS is
- It is a policy based authorisation system, a PMI, that uses X.509 attribute certificates to hold roles/attributes
- It can work with any and every authentication system (Shibboleth, PAPI, Kerberos, PKI, username/PW, etc.)
- Given a username, a target and an action, it says whether the user is granted or denied access based on the policy for the target
- The policy is role/attribute based i.e. users are given roles/attributes. Roles/attributes are given permissions to access targets
- The policy is written in XML, is similar to XACML, but simpler and produced earlier
- It can work in push or pull mode (attributes are sent to PERMIS, or PERMIS fetches them itself)

7 X.812|ISO 10181-3 Access Control Framework
- ADF = application independent Access control Decision Function
- AEF = application dependent Access control Enforcement Function
[Diagram labels: Compliance checker/Policy Enforcement Point, Initiator, Target, AEF, ADF, Submit Access Request, Present Access Request, Decision Request, Decision, Internet, User's Site, Target Site]

8 PERMIS API System Structure
[Diagram labels: Initiator, Target, AEF, ADF, The PERMIS PMI API, PERMIS API Implementation, Authentication Service, PKI, LDAP Directories, Submit Access Request, Present Access Request, Decision Request, Decision, Retrieve Policy and Role ACs (pull), Retrieve Role ACs (push)]

9 Integration with the GRID
[Diagram labels: User, Target, GRID Appln gateway, ADF, The PERMIS PMI API, PERMIS API Implementation, PKI, LDAP Directories, TLS Access Request, Check Signature, Present Access Request, Pass DN + Access Request, Grant/Deny, Retrieve Policy and Role ACs (pull)]

10 Integration with the CAS
[Diagram labels: User, Target, GRID Appln gateway, CAS Server, CAS Policy DB, ADF, The PERMIS PMI API, PERMIS API Implementation, PKI, LDAP Directory, CAS request, Capability containing attributes/roles, Access Request with Capability, Check signature on Capability, Present Access Request, Decision Request + attributes/roles, Grant/Deny, Retrieve Policy]

11 Integration with Shibboleth
1. User request
2. Re-direct to WAYF
3. Re-direct to HS
4. Handle
5. Handle
6. AQM
7. ARM with attributes or ACs
8. Att or AC
9. Grant/Deny
[Diagram labels: User, Target, Resource Gateway, SHIRE, SHAR, WAYF, Handle Server, AA Server, LDAP, Policy, ADF, The PERMIS PMI API, PERMIS API Implementation]

12 Integration with PAPI
[Diagram labels: User, Authentication Server, Keys, Hcook-Lcook, GPoA, PoA, 302 + Hcook, 302 + data, UserDN from cookie + access request, Granted/denied, ADF, The PERMIS PMI API, PERMIS API Implementation, PKI, LDAP Directories, Retrieve Policy and Role ACs (pull)]

13 Integration with A-Select
1. Submit Access Request
2. Re-direct user to AS
3. Re-direct user to Auth server
4. Authenticate
5. Provide ticket
6. DN + Request
[Diagram labels: Initiator, Target, AEF, A-Select Agent, Local A-Select Server, UDB, Local Authentication Service Providers, Remote Authentication Service Providers, ADF, The PERMIS PMI API, PERMIS API Implementation, PKI, LDAP Directories, Present Access Request, Grant/Deny, Retrieve Policy and Role ACs (pull)]

14 Integration with Username/PW over SSL
[Diagram labels: User, Application gateway with SSL server cert, UN/PW/DN DB, Target, ADF, The PERMIS PMI API, PERMIS API Implementation, PKI, LDAP Directories, Username/PW Over SSL, DN + Action, User's Roles/Attributes, Grant/Deny, Retrieve Policy and Role ACs (pull)]

15 Distributed Management Entities Involved
[Diagram labels: Target SOA, Site based SOAs, Application Gateway, ADF, The PERMIS PMI API, PERMIS API Implementation, LDAP Directory (three instances), Policy, Attribute Certificates, Push Mode, Pull Mode]

16 PERMIS Trust Model
- The Target/Resource is the root of trust (Source Of Authority, SOA) for access to itself
- The Target is configured with its SOA name at start up
- The Policy is signed by the SOA (PERMIS checks this)
- The SOA says in the policy which remote SOAs it trusts to allocate roles
- The SOA says what roles they can allocate
- The SOA says what access rights are given to each role
- The remote SOAs authenticate the users and allocate roles to them

17 PERMIS Policy Components
- Subject Policy
  – Specifies subject domains based on LDAP subtrees
- Role Hierarchy Policy
  – Specifies hierarchy of role values
- SOA Policy
  – Specifies who is trusted to issue ACs
- Role Assignment Policy
  – Says which roles can be given to which subjects by which SOAs, with which validity times and whether delegation is allowed

18 PERMIS Policy Components (cont)
- Target Policy
  – Specifies the target domains covered by this policy, using LDAP subtrees
- Action Policy
  – Specifies the actions (operations) supported by the targets, along with their allowed operands
- Target Access Policy
  – Specifies which roles are needed to access which targets for which actions, and under what conditions
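
An added example, not part of the presentation and not PERMIS code, its API or its XML policy format: a minimal decision function that applies the policy components of slides 17 and 18 and the trust model of slide 16 to a (subject DN, target DN, action) request. All DNs, role names and function names are constructed; AC signature checking, delegation and access conditions are left out, and the rule that a superior role inherits its junior roles is an assumption.

```python
from collections import namedtuple
from datetime import datetime

# Stand-in for a role attribute certificate; signature checking is omitted.
RoleAC = namedtuple("RoleAC", "holder issuer role not_before not_after")

HR = "cn=hr,o=example,c=gb"  # constructed name of a remote SOA
POLICY = {  # constructed policy, one entry per component on slides 17 and 18
    "subject_domains": {"staff": "ou=staff,o=example,c=gb"},
    "role_hierarchy": {"manager": {"clerk"}},  # assumed: superior role inherits juniors
    "trusted_soas": {HR},
    "role_assignment": [(HR, "staff", {"manager", "clerk"})],
    "target_domains": {"tenders": "ou=tenders,o=example,c=gb"},
    "actions": {"read", "submit"},
    "target_access": [("clerk", "tenders", "read"), ("manager", "tenders", "submit")],
}
ALICE = "cn=alice,ou=staff,o=example,c=gb"  # constructed subject and in-date AC
ACS = [RoleAC(ALICE, HR, "manager", datetime(2024, 1, 1), datetime(2025, 1, 1))]

def in_subtree(dn, base):
    # Naive LDAP subtree test on DN strings; real DN matching needs normalisation.
    dn = dn.lower()
    return dn == base or dn.endswith("," + base)

def valid_roles(policy, subject, acs, now):
    roles = set()
    for ac in acs:  # keep only roles the policy lets this issuer give this subject
        if (ac.holder != subject or ac.issuer not in policy["trusted_soas"]
                or not ac.not_before <= now <= ac.not_after):
            continue
        for soa, domain, allowed in policy["role_assignment"]:
            if (soa == ac.issuer and ac.role in allowed
                    and in_subtree(subject, policy["subject_domains"][domain])):
                roles.add(ac.role)
    pending = list(roles)
    while pending:  # add every role junior to one already held
        for junior in policy["role_hierarchy"].get(pending.pop(), ()):
            if junior not in roles:
                roles.add(junior)
                pending.append(junior)
    return roles

def decide(policy, subject, target, action, acs, now):
    roles = valid_roles(policy, subject, acs, now)
    ok = action in policy["actions"] and any(
        r in roles and a == action and in_subtree(target, policy["target_domains"][d])
        for r, d, a in policy["target_access"])
    return "grant" if ok else "deny"
```

An AC from an issuer outside "trusted_soas", an AC outside its validity period, or a subject outside the assigned subject domain contributes no roles, so the request is denied.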

19 Current Applications
- E-tendering at Salford City Council
- E-planning at Bologna Comune
- Access to car parking fines database at Barcelona City
- Electronic Transfer of Prescriptions at University of Salford

20 What PERMIS is not
- It is not an AAA system
- It does not help in authenticating users, or accounting
- It does not try to replace PKI, Shibboleth or other institution or inter-realm based authentication mechanisms
- It is not a protocol for carrying authentication/authorisation tokens e.g. SAML, PAPI, HTTP

21 What PERMIS is
- It is an authorisation system, that uses X.509 attribute certificates to hold roles/attributes
- It can work with any and every authentication system (Shibboleth, PAPI, Kerberos, PKI etc.)
- Given a username (DN), a target and an action, it says whether the user is granted or denied access based on the policy for the target
- The policy is role/attribute based i.e. users are given roles/attributes. Roles/attributes are given permissions to access targets
- The policy is written in XML, is similar to XACML, but simpler and produced earlier
- It can work in push or pull mode (attributes are sent to PERMIS, or PERMIS fetches them itself)

