NAAS is a shared and centrally managed security service that covers authentication, authorization, and identity management. It simplifies implementation, enhances security, and is cost-effective. It supports single sign-on and provides various services like vulnerability management, policy management, and user identity management.
Environmental Council of States
Network Authentication and Authorization Services
The Shared Security Component
February 28, 2005
What is NAAS?
• Network Authentication and Authorization Services (NAAS) are shared and centrally managed security services
• NAAS are designed to meet all node security requirements
• NAAS cover authentication, authorization, and identity management
• NAAS are easy to use and available to all network nodes
• NAAS are Web services described by Web Services Description Language (WSDL) files
Why NAAS?
• Simplified implementation
• Enhanced security
• Cost effective
• Highly extensible
• Supports single sign-on (SSO)
• Security monitoring
NAAS Major Services
• NAAS Web Service Interface: Simple Object Access Protocol (SOAP) service that exposes user authentication and authorization functions to all state nodes. It is the entry point for all service requests
• Network Authentication Service: This is a subsystem for verifying subject (user or machine) identity
• Network Authorization Service: This component is for entitlement management. Authorization is typically role- or policy-based. It must be flexible so that a variety of factors can be part of the decision to grant or deny access to specific resources
• User Identity Management: This component is responsible for registering users, removing users, and modifying user profiles
• Policy Management: This component allows administrators to create or modify rules or policies for resource access
• Vulnerability Management: This component tracks instances of security breaches and generates reports that contain specific information about the vulnerability and the actions taken. A good vulnerability management system helps to prevent security problems from recurring
• Network Certificate Authority: This component issues and manages certificates used for Secure Sockets Layer (SSL), encryption, and signatures
• Public Key Management: This component allows users to locate and validate public keys
Delegated Authentication
• Nodes delegate the authentication task to NAAS
• The Security Token is validated through NAAS
Direct Authentication
• Users authenticate at NAAS and obtain a Security Token
• Users use the Security Token to access a node
• The node validates the Security Token at NAAS
Direct and Delegated Authentication Comparison
Delegated Authentication
• Convenient to users: operation and authentication at a single place
• Nodes have control over how users can be authenticated
• There is a small performance overhead in delegation
Direct Authentication
• No performance penalty
• Best for accessing multiple nodes
• Recommended for machine-to-machine interactions
• Node local authentication may not be possible
A network node must accept security tokens issued by NAAS in order to participate in the network-wide exchanges.
Local Authentication versus Network Authentication
• Local authentication can be performed on a node's own domain users
• Locally authenticated users cannot access other nodes or the Central Data Exchange (CDX)
• Nodes must perform access control over locally authenticated users
• A node can perform additional access control after NAAS authorization decisions for network users
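The three token flows above (direct, delegated, and local) as an added example, not code from the NAAS project. The token layout ("user|expiry|tag", HMAC-signed with an issuer-private key) and the credential store are assumptions; the page does not describe the real NAAS token format.

```python
import hashlib
import hmac
import secrets
import time

class TokenIssuer:
    """Issues and validates 'user|expiry|tag' tokens signed with an issuer-private
    key (assumed layout; the page does not describe the real NAAS token format)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def issue(self, user, ttl=600):
        body = f"{user}|{int(time.time()) + ttl}"
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"
    def validate(self, token):
        # Returns the subject or None. Only this issuer's key verifies the tag, so a
        # token from another issuer (a node's local login) is rejected here.
        try:
            user, exp, tag = token.split("|")
            expires = int(exp)
        except ValueError:
            return None
        expected = hmac.new(self._key, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag) or expires <= time.time():
            return None
        return user

NAAS = TokenIssuer()
NAAS_USERS = {"alice": "constructed-password"}   # constructed network user

def naas_authenticate(user, password):
    # Called at NAAS by the user (direct) or by a node on the user's behalf (delegated).
    if user in NAAS_USERS and hmac.compare_digest(NAAS_USERS[user].encode(), password.encode()):
        return NAAS.issue(user)
    return None

class Node:
    def __init__(self):
        self.local = TokenIssuer()   # node-local authentication for its own domain users
    def delegated_login(self, user, password):
        return naas_authenticate(user, password)   # delegate the authentication task to NAAS
    def access(self, token):
        return NAAS.validate(token)   # validate the presented security token at NAAS

def demo():
    node_a, node_b = Node(), Node()
    direct = naas_authenticate("alice", "constructed-password")          # direct flow
    delegated = node_a.delegated_login("alice", "constructed-password")  # delegated flow
    local = node_a.local.issue("bob")                                    # locally authenticated user
    return (node_a.access(direct), node_b.access(direct), node_b.access(delegated),
            node_a.local.validate(local), node_b.access(local))
```

The last element of demo() is None: a locally issued token is accepted by its own node but not by any other node, which is the local-versus-network distinction the slide makes.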
Advanced Authentication Methods
• Digest: Use the hash value of the password to authenticate users
• HMAC Signature: Sign the authentication message using the password to prove identity
• XKMS: Sign the authentication message using a key stored in the key management service
• Certificate: Sign the authentication message using a certificate issued by a trusted party
Digest Authentication
• A password digest is a fingerprint of a password
• The digest algorithm is one-way: it is difficult to calculate a password given its digest
• Users send the password digest to the server; the server calculates the password digest itself and compares it with the one received
• SHA-1 should be used to calculate the password digest
• Digest authentication gives better protection of user passwords but has many of the same problems as password authentication
Hashed Message Authentication Code (HMAC) Signature
• Users sign the authentication message using the password before sending it to NAAS
• NAAS uses the user’s password as the key to verify the signature. The user is authenticated if the signature is valid
• Much safer than digest, and the message integrity is protected
• Still needs passwords – known to both client and server
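Server-side verification for the digest and HMAC signature methods described on the two slides above, as an added example (not NAAS code). The credential store and the Authenticate message are constructed; SHA-256 inside the HMAC is an assumption, since the page only names SHA-1 for the password digest.

```python
import hashlib
import hmac

# Constructed credential store; both schemes on this page need the server to
# hold the user's password (the HMAC key) or something it can compute from it.
PASSWORDS = {"alice": b"correct horse battery staple"}   # constructed sample

def password_digest(password: bytes) -> str:
    # Digest authentication: the client sends SHA-1(password) instead of the
    # password itself, as the slide specifies.
    return hashlib.sha1(password).hexdigest()

def verify_digest(user: str, received_digest: str) -> bool:
    # Server recomputes the digest from the stored password and compares it;
    # compare_digest avoids a timing side channel in the comparison.
    password = PASSWORDS.get(user)
    if password is None:
        return False
    return hmac.compare_digest(password_digest(password), received_digest)

def sign_message(password: bytes, message: bytes) -> str:
    # HMAC signature authentication: the password is the key and the whole
    # Authenticate message is the signed data. HMAC-SHA256 is an assumption;
    # the page does not name the hash used inside the HMAC.
    return hmac.new(password, message, hashlib.sha256).hexdigest()

def verify_signature(user: str, message: bytes, received_sig: str) -> bool:
    # Server signs the received message with the stored password and compares.
    password = PASSWORDS.get(user)
    if password is None:
        return False
    return hmac.compare_digest(sign_message(password, message), received_sig)

def demo():
    # Constructed Authenticate message and a copy altered in transit.
    msg = b"Authenticate userId=alice domain=default method=hmac"
    tampered = msg.replace(b"domain=default", b"domain=other")
    digest = password_digest(PASSWORDS["alice"])
    sig = sign_message(PASSWORDS["alice"], msg)
    return {
        "digest_ok": verify_digest("alice", digest),
        "digest_unknown_user": verify_digest("bob", digest),
        "hmac_ok": verify_signature("alice", msg, sig),
        # the same signature fails on a modified message: integrity is protected,
        # which the message-independent digest cannot offer
        "hmac_tampered": verify_signature("alice", tampered, sig),
    }

if __name__ == "__main__":
    print(demo())
```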
XKMS Authentication
• XKMS is the XML Key Management Service (the 2.0 specification is coming out)
• Users generate a public / private key pair and register the public key at XKMS
• Users sign the Authenticate message using the private key before sending it to NAAS
• NAAS looks up the user’s public key in XKMS and verifies the signature using the public key
• The user is authenticated if the signature is valid (proof of possession of a private key that could not possibly be owned by anyone else)
Certificate Authentication
• Users obtain a certificate from a trusted authority
• Users sign the Authenticate message using the private key and insert the certificate in the signature
• NAAS validates the certificate through a certificate validation service, possibly the Federal Bridge Certification Authority (FBCA)
• NAAS verifies the signature in the message
• The user is authenticated if both the certificate and the signature are valid
Using Advanced Authentication
• All advanced authentication methods use the same Authenticate method defined in the node functional specification – they have no impact on the existing nodes and clients
• The authenticationMethod parameter can now be digest, XKMS, HMAC, or certificate
• New node clients and a Software Development Kit (SDK) will be provided to support and simplify deployment of strong authentication methods
• A technical document, Network Authentication Mechanisms, will be released to promote the new methods
• We are moving to much stronger authentication using keys, and moving away from password authentication