Presentation is loading. Please wait.

Presentation is loading. Please wait.

Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

Published byGarry Merritt Modified over 8 years ago

Similar presentations

Presentation on theme: "Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:"— Presentation transcript:

1 Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte

2 2 AAI?  Authentication & Authorization Infrastructure Several possibilities We focused on PKI + PMI  Development Background PKI  Cert’eM - Online PKI and more …  X509 ITU-T PMI  Extending Cert’eM – Online PMI  X509 ITU-T

3 3 Online AAI? = CRL problem CRL Issue Key compromised Revocation Request Revocation time T 10 T0T0 Time CRL Issue Dishonest Use CRL = Problem in PKI and exacerbate in PMI, therefore an AAI issue to take into account Online AAI as possible solution

4 4 What is Cert’eM?  PKI online Designed & Implemented in ’98. Try to solve CRLs problems  OCSP service did not develop yet.  Email based on X509 usually linked to X500 name X509 proposal lets links to Email address (Rfc 822)  Use an architecture of CAs that satisfy the needs of near-certification;

5 5 Cert’eM: Hierarchical Email Nodes

6 6 Cert’eM: Certificate Request Information Flow alice@a.b.c? C alice@a.b.c alice@a.b.c? C alice@a.b.c ca@a.b.c? C ca@a.b.c ca@a.b.c? C ca@a.b.c a.b.cr.s.t c b.c t s.t KSU bob alice

7 7 Cert’eM: KSU Elements Certification Authority (KSU lcc.uma.es) Certification Server (lcc.uma.es) Certification Kernel (lcc.uma.es) Private Key CA User Data X509 Certificate read write Certificate Request 6 5 4 3 2 11 close request pending request 654 ongoing request user6@lcc.uma.es user5@lcc.uma.es user4@lcc.uma.es user3@lcc.uma.es user2@lcc.uma.es user1@lcc.uma.es process 1 process N principal Cache CertificatesLocal Certificates

8 8 Cert’eM: Protocol …  Connection Phase  C : HELLO [ ]  S : +OK {the client has permission}  S : -ERR1 { the client host is not allowed  S : -ERR2 { the client is not allowed}  Transaction Phase  C: GETCERT  S : CERT  S : CERT  S : +OK or  S : -NSC {no such certificate}

9 9 … Cert’eM: Protocol  Transaction Phase S : CERT S : CERT  Can be local or external search Local = Database search External = Use of Cache mechanism and communication between KSU  Termination Phase  C: EXIT  S : +Ok

10 10 Cert’eM: Locating KSUs lcc.uma.es 111.111.222.222 lcc.uma.es correo.lcc.uma.es 111.111.222.222 lcc.uma.es certem-tcp.lcc.uma.es 111.111.222.222 monte@lcc.uma.es

11 11 Cert’eM Conclusion  guarantees that CAs will only certify those users close to them;  provides real-time revocation of keys (without the need of CRLs);  close to S/MIME  Can provide quality service to GRIDs  slight protocol inter-KSU and user-KSU  provided services to several projects we have been implicated (not only theoretic solution)

12 12 X509 ITU-T PKI  Developed to Spanish Banking Entity (BANESTO) in 2001  Using only GPL libraries: OpenSSL GTK OpenLDAP

13 13 X509 ITU-T PMI (I)  ITU-T proposal defines four PMI models:  General,  Control  Role (PERMIS Project)  Delegation (Our proposal)  We have extended OpenSSL library with attribute certificates management and authorization capabilities, because:  This library is widely deployed  There was no previous experience with the introduction of attribute certificates in OpenSSL  We wanted to approach privilege delegation procedures (we are still in the way)  and … we had already developed a PKI using OpenSSL

14 14 X509 ITU-T PMI (II)

15 15 Extending Cert’eMz  Cert’eM technology applies to Authorization + Openssl Attribute certificates (ACSUs)  The main elements are the Attribute Certificate Service Units (ACSUs), that integrate attributes certification and management functions: -managed by an Attribute Authority -contains a database to store the attribute certificates of “local” users -updating and revocation of certificates and local operations

16 16 AAI scenario (I) [Alice@a.b.c, operation] S Alice Alice Bob AAI Who is the user ? & What can he do ? AC PKC PKC Token 1 A  B : Token Request 2 B  AAI: Request AC + PKC 3 AAI  B: AC + PKC Token 1 A  B : Token Request 2 B  AAI: Request AC + PKC 3 AAI  B: AC + PKC Request

17 17 AAI scenario (II) How link identity and attribute certificates?

18 18 Future Work  Actually working in delegation model  Delegation statements establish a Directed graphs D. G. offer a global vision of delegation system  Theoretical model apply to PMI, and it work!!!

19 19 Thank you Any Q u e s t i o n ? José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte

20 20 AAI: Relation to TACAR … c TACAR (ca@tacar.org) ACSU a.b.c b.c KSU alice ACSU t r.s.t s.t KSU bob ACSU ca@c? C ca@c ca@c? C ca@c ca@t? C ca@t ca@t? C ca@t

21 21 … AAI: Relation to TACAR  Remember CA belongs to upper level. Domain c and t is stored in TACAR  TACAR is common root to “a.b.c” and “r.s.t” tree  How to localize TACAR? Same way as whichever KSU/ACSU node. Add ca.c@tacar.org and ca.t@tacar.org certificates to TACAR

Download ppt "Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:"

Similar presentations

PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf,

PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf,
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.

1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Polytechnic University of Tirana Faculty of Information Technology Computer Engineering Department Identification of on-line users and Digital Signature.

Polytechnic University of Tirana Faculty of Information Technology Computer Engineering Department Identification of on-line users and Digital Signature.
SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project.

SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project.
Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.

Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Similar presentations

Ads by Google