1 / 19

Make Secure Information Sharing (SIS) Easy and an Reality

Make Secure Information Sharing (SIS) Easy and an Reality. C. Edward Chow, PI Osama Khaleel Bill Kretschmer. Sponsored by TTO Proof of Concept grant. Agenda. Status of the SIS “porting” project SIS 0.2 Software Architecture. Technologies and Tools/Modules SIS 0.2 prototype

Download Presentation

Make Secure Information Sharing (SIS) Easy and an Reality

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Make Secure Information Sharing (SIS)Easy and an Reality C. Edward Chow, PIOsama Khaleel Bill Kretschmer Sponsored by TTO Proof of Concept grant

  2. Agenda • Status of the SIS “porting” project • SIS 0.2 Software Architecture. • Technologies and Tools/Modules • SIS 0.2 prototype • Demo of SIS 0.2 prototype • Discussion on what to do next. SIS0.2

  3. What We Have Achieved • Develop SIS on Windows Platform. • Add new capability on policy management • Follow XACML access control standard. • Specify/Enforce policies for accessing secure web sites based on role info in attribute certificate • For certificates management, develop tools for • Create digital and attribute certificates • Update/revoke roles by updating certificates in Active Directory • Integrate these software modules and demonstrate features on a prototype. SIS0.2

  4. SIS Software Architecture • Access to important resources (e.g. secure are secured by checking the identity (in digital certificate PKC presented by user) against related role(attribute certificate) on a set of policies. SecureWeb Sites ActiveDirectory SecureWeb Sites SecureWeb Sites PKCAC Resource UserPKCWebBrowser IIS Web Server ASP.NET PolicyEnforcementPoint PolicyDecisionPoint Policies XACML SIS0.2

  5. Secure Access Step 1:Identity Authentication • User installs digital certificate (PKC) in their web browser. • Issue request to IIS web server • IIS present server certificate and ask user to present client certificate (mutual authentication) IIS Web Server 1. https request UserPKCWebBrowser 2. Server Certificate 3. Client Certificate SIS0.2

  6. Secure Access Step 2:Forward ID/URI to PEP • ASP.NET intercepts the request and forwards the subject field (containing the identity info) of PKC to Policy Enforcement Point (PEP) ASP.NET PolicyEnforcementPoint 4. User ID (email/OU)Time/IPhttps request info IIS Web Server UserPKCWebBrowser SIS0.2

  7. Secure Access Step 3:Query Active Directory for Role Info. • PEP use ID info (Canonical Name) to query AD for role info contains in the attribute certificate. ActiveDirectory PKCAC 5. User ID (CN=chow) 6.AC of Userwith roles (CFO/mgr) UserPKCWebBrowser IIS Web Server ASP.NET PolicyEnforcementPoint SIS0.2

  8. Secure Access Step 4:Consult PDP for Policy Decision • PEP then consult Policy Decision Point (PDP) to decide whether the policies the user with such role(s) to access the resource. 7. User ID RoleTime/IPrequest info PolicyDecisionPoint PolicyEnforcementPoint UserPKCWebBrowser IIS Web Server ASP.NET 8.grant/reject Policies XACML SIS0.2

  9. Secure Access Step 5:Access Secure Resource • Based on PDP decision, PEP informs ASP.NET to grant access or redirect with error web pages. SecureWeb Sites SecureWeb Sites SecureWeb Sites Resource UserPKCWebBrowser 10.access 11.Return web page PolicyEnforcementPoint 9.access/redirect IIS Web Server ASP.NET SIS0.2

  10. Internet SIS Network Topology And IP assignments Main switch 128.198.162.51 128.198.162.52 128.198.162.53 NIC1 128.198.162.50 FC4 NIC2 10.0.0.1 Local switch Domain-controller 10.0.0.10 IIS 10.0.0.11 Win-XP 10.0.0.12 SIS0.2

  11. The Testbed • A 4-machine testbed has been built. • It contains the following: • Windows server 2003 with AD (The Domain Controller). • Windows server 2003 with IIS 6.0 (The web server). • Windows XP (a client). • Fedora Core 4 with IPtables-based firewall (A Gateway). SIS0.2

  12. The SIS Admin Tool • An admin tool is being developed to provide an easy-to-use GUI for setting up the SIS environment. • C# (C# Express 2005 IDE) has been used. • The main three components that we have so far are: • Public Key Infrastructure (PKI) setup. • Privilege Management Infrastructure (PMI) setup. • Certificates Management. SIS0.2

  13. Features: Creating new Certificate Authorities (CAs). Loading an existing CAs. Issuing a single digital cert (DC) and storing it in the AD, based on a GUI form. Issuing a bunch of DCs and storing them in the AD, based on a simple text file. Features: Creating new Attribute Authorities (AAs). Loading an existing AA. Issuing a single attribute cert (AC) and storing it in the AD, based on a GUI form. Issuing a bunch of ACs and storing them in the AD, based on a simple text file. PKI PMI SIS0.2

  14. SIS0.2

  15. Certificates Management • Check & validate a digital certificate. • Revoke a digital certificate. • Check & validate an attribute certificate. • Revoke an attribute certificate. SIS0.2

  16. SIS0.2

  17. Packages & techniques • OpenSSL [http://www.stunnel.org/download/binaries.html]: A wrapper compiled in binaries (exe file) has been used to implement the PKI part. • JCE-IAIK[http://jce.iaik.tugraz.at/]: A set of java APIs and implementations of cryptographic functionality that has been used to implement the PMI part. • IKVM.NET [http://www.ikvm.net]: an implementation of Java for the Microsoft .NET Framework that has been used to allow us using the IAIK java-based package in the .NET. • CryptLib [http://www.cs.auckland.ac.nz/~pgut001/cryptlib/] or [http://www.cryptlib.com]: a security toolkit that allows adding encryption and authentication services. * (We faced problems with it [files format & AC errors], therefore, we replaced it with the OpenSSL solution). • XACML Open Source from Sun [http://sunxacml.sourceforge.net]: Sun’s open source implementation of the OASISXACML standard, written in the JavaTM programming language. SIS0.2

  18. Demo • Secure web access based on role in attribute certificate • Update AC when a person gets promoted • Revoke AC when a person leaves the company • PKC/AC management tool SIS0.2

  19. Discussion • What are our next steps? SIS0.2

More Related