Presentation is loading. Please wait.

Presentation is loading. Please wait.

14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Published byRebecca Rice Modified over 8 years ago

Similar presentations

Presentation on theme: "14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD."— Presentation transcript:

1 14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD

2 14 May 2002© 2000-02 TrueTrust Ltd2 X.509 Evolution X.509 (1988) - V1 PKCertificates and CRLs X.509 (1993) - V2 PKCertificates and revised V1 CRLs X.509 (1997) - V3 PKCertificates, V2 CRLs and V1 Attribute Certificates X.509 (2000] - V3 PKCertificates and V2 CRLs with additional extensions, plus V2 Attribute Certificates and PMI

3 14 May 2002© 2000-02 TrueTrust Ltd3 Assigning and Delegating Privileges Resource Owner “I authorise this Privilege Holder to use this resource in the following ways” signed The Resource Owner Privilege Holder “I delegate authority to this End User to use this resource in this limited way” signed The Privilege Holder End User (Privilege Holder) Assigns privilege Delegates privilege

4 14 May 2002© 2000-02 TrueTrust Ltd4 Privilege Checking “Please purchase this product from company X” signed the End User End User (Privilege Holder) Privilege Verifier Q. “Is this user authorised to purchase these goods?” Issues a command (Asserts Privilege)

5 14 May 2002© 2000-02 TrueTrust Ltd5 Traditional Applications Authentication and Authorisation are Internal to the Application UserName/ Password Lists Access Control Lists Multiple passwords Multiple usernames Confusion!! Multiple Administrators High cost of administration No overall Security Policy

6 14 May 2002© 2000-02 TrueTrust Ltd6 Enter PKI Authentication is External to the Application Access Control Lists One password or pin to access private key Happy Users! Multiple Administrators High cost of administration No overall Security Policy Digital Signature Public Key Infrastructure Application Gateway

7 14 May 2002© 2000-02 TrueTrust Ltd7 Enter PMI Authentication and Authorisation are External to the Application One password or pin to access private key Happy Users! Fewer Administrators Lower cost of admin Overall Security Policy Digital Signature Public Key Infrastructure Application Gateway Privilege Management Infrastructure

8 14 May 2002© 2000-02 TrueTrust Ltd8 X.509 PMI Entities Source of Authority Attribute Authority Privilege Holder Privilege Verifier Assigns privilege Delegate privilege Trusts Asserts privilege

9 14 May 2002© 2000-02 TrueTrust Ltd9 Traditional Implementation Discretionary Access Controls –Users may optionally be given access to resources by the resource holder –The privileges are usually held in Access Control Lists in the Resource –Either user first or privilege first User1 r, w, e, d User2 r, e User3,4 r r User3,4 r, e User2 r, w, e, d User1

10 14 May 2002© 2000-02 TrueTrust Ltd10 DAC with X.509 Attribute Certificates The user (holder) is given an Attribute Certificate which strongly binds his/her name to the privileges being given to him/her The AC is signed by the Attribute Authority (Resource Owner or his delegate) Similar to X.509v3 certificate, only holds a sequence of attributes rather than a public key An attribute certificate can be stored anywhere since it is secure and self contained

11 14 May 2002© 2000-02 TrueTrust Ltd11 Similarities of PKIs and PMIs Privilege Management Infrastructure (PMI) Source of Authority Attribute Authority Attribute Certificate Att Cert Rev List Att Authority Rev List Public Key Infrastructure (PKI) Root CA/Trust Anchor Certification Authority Public Key Certificate Cert Revocation List Authority Rev List

12 14 May 2002© 2000-02 TrueTrust Ltd12 X.509 attributeCertificateAttribute Attribute Type Comprises SIGNED SEQUENCE of: –version number of this AC (v1) –the holder (see next slide) –the General Name of the AA issuing this AC, plus optional unique id and pk certificate serial number –the identifier of the algorithm used to sign this AC –the unique serial number of this AC –the validity period of this AC –the sequence of attributes being bound to the holder –any optional extensions

13 14 May 2002© 2000-02 TrueTrust Ltd13 Attribute Certificate Holder Either GeneralName of the holder, or The holder of a private signing key, pointed to via the corresponding public key (X.509) certificate: –the General Name of the CA issuing the PK certificate –Certificate Serial Number

14 14 May 2002© 2000-02 TrueTrust Ltd14 General Names otherName - any name of any form rfc822Name - e-mail address as per RFC 822 dNSName - Internet domain name as per RFC 1035 x400Address - O/R address as per X.411 directoryName - directory name as per X.501 ediPartyName - format agreed between EDI partners, consists of name of EDI naming authority and name of edi party uniformResourceIdentifier - for the WWW as per RFC 1630 iPAddress - Internet Protocol address as per RFC 791 registeredID - any OID registered as per X.660|ISO 9834-1

15 14 May 2002© 2000-02 TrueTrust Ltd15 Version 2 Attribute Certificates The holder and/or the issuer can be identified by a hash value –of their public key certificate, or –if the holder or issuer is a software object e.g. applet, of the object itself The relying party will directly re-calculate the hash in order to authenticate the holder and/or the issuer

16 14 May 2002© 2000-02 TrueTrust Ltd16 Role based Privilege Management Can simplify the management of privileges People are given a role, and they inherit the privileges assigned to the role Many people can hold the same role e.g. member of project team A Implemented as Role Based Access Controls

17 14 May 2002© 2000-02 TrueTrust Ltd17 Assigning Privileges to Roles in X.509 Have a Role Specification Attribute Certificate that assigns privileges to a role (the holder is a role name) Then assign roles to people, using the role attribute, either –Add a role to the PK certificate of the subject, in the subjectDirectoryAttributes extension, or –Give the person a Role Assignment Certificate (assigns a role to a AC holder) The role membership and role privileges can be separately administered if wanted

18 14 May 2002© 2000-02 TrueTrust Ltd18 Extensions to Attribute Certificates Basic privilege management - information about the privilege being asserted Privilege revocation - location of revocation information Roles - location of role specification certificates Source of Authority - information about the SOA Delegation - place constraints on the delegation of the privileges

19 14 May 2002© 2000-02 TrueTrust Ltd19 Privilege Revocation Extensions CRL distribution points extension points to where ACRL(s) for this AC will be found –different ACs can be posted to different lists, or –ACs can be posted to different lists according to the reasons for their revocation No revocation extension – for short lived privilege that will not be revoked during their validity. Can only be present in privilege holder certificates, and not AA certificates

20 14 May 2002© 2000-02 TrueTrust Ltd20 Privilege Verifier Resource being protected (object) Environmental variables Privilege policy Privilege Asserter Service Request (object method) Privilege Control Model Directory Certificates and CRLs

21 14 May 2002© 2000-02 TrueTrust Ltd21 Bootstrapping the Privilege Verifier The resource (privilege verifier) must have available to it –the root of trust of the PKI (public key of root CA) –the root of trust of the PMI (public key of Source of Authority or a valid PK certificate) –privilege policy (rules for handling privileges) –local variables e.g. time of day, account balances –access to revocation information and certificate chains

22 14 May 2002© 2000-02 TrueTrust Ltd22 Verifying Claimed Privilege Privilege Verifier Bill Alice Bob SOA AA Holder Root CA Signs Alice’s Public Key Bill’s Public Key Bob’s Public Key Issues AC to Issues AC to Issues Command to Checks delegation of privileges Checks all signatures Checks privilege is sufficient

23 14 May 2002© 2000-02 TrueTrust Ltd23 Further Standardisation Work of SG 17 Q.9 Friends attributes in X.501, X.511 Distributed page results service in X.518 Related Entries in X.501, X.511, X.518 Alignment with IETF LDAP standards Defect reports in entire X.500-series

Download ppt "14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD."

Similar presentations

4 June 2002© 2001-2 TrueTrust Ltd1 PMI Components Oleksandr Otenko Research Student ISSRG, University of Salford

4 June 2002© TrueTrust Ltd1 PMI Components Oleksandr Otenko Research Student ISSRG, University of Salford
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Essentials Chapter 4

Network Security Essentials Chapter 4
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Similar presentations

Ads by Google