Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Published byLionel Simon Modified over 8 years ago

Similar presentations

Presentation on theme: "Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00."— Presentation transcript:

1 Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00 Göran Selander IETF 89 ACE BOF March 5, 2014

2 Goal: Protected access for authorized client C to resources on RS allowing explicit and dynamic access policies But constrained devices may be unable to handle management and decisions with generic access control polices Client Resource access Architecture sketch Resource Server

3 Authorization Server Client Resource Server Separate authorization decision from enforcement Introduce less constrained node called AS Decision Enforcement Architecture sketch Resource Owner (out of scope)

4 Authorization Server Client Key establishment (out of scope) Information flow: authorization info Resource Server AuthZ info The RS must authenticate the authorization info and that it comes from a trusted AS

5 Authorization Server Client AuthZ info Information flow: resource access Resource Server The RS enforces access control based on authZ info Multiple resource requests as long as authZ info is valid Established keys Resource access

6 Authorization Server Client AuthZ info Resource access Information flow: Keys for protecting resource access Resource Server AuthN info about C AuthN info about RS The RS must be able to verify that a requesting Client is encompassed by the authorization information AS may support key management between C and RS Established keys

7 Authorization Server Client AuthZ info Resource access Alternative information flow Resource Server AuthN Info about C RS and AS may not be connected at the time of the request Established keys AuthN info about RS

8 Authorization Server Client Cross domain Resource Server Resource access AuthN info Established keys AuthN info AuthZ info AuthN info Authorization Server Alternative information flows are possible

9 Design considerations Need multi-party security protocol – Profile existing security protocol? Which protocol? – Consider tradeoffs e.g. between messaging and crypto relevant for constrained environments Session security or object security or hybrid? – E.g. securing transfer of authorization information Symmetric or asymmetric keys – for verifying authorization information? – for establishing security between the parties Is revocation required or is authZ info with short time validity sufficient? – Access to revocation information?

10 Thank you! Questions/comments?

Download ppt "Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00."

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
© 2006 Open Grid Forum Security Area OGF19 Standard All Hands.

© 2006 Open Grid Forum Security Area OGF19 Standard All Hands.
Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.

11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23, 2014 1.

ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,
Chapter 8 Web Security.

Chapter 8 Web Security.
Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.

Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Web Service Description KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) Web Service Description KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.
Web services security I

Web services security I

Similar presentations

Ads by Google