1 / 21

Online AAI

Online AAI. José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain). Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte. AAI?. Authentication & Authorization Infrastructure Several possibilities We focused on PKI + PMI Development Background

nedrap
Download Presentation

Online AAI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte

  2. AAI? • Authentication & Authorization Infrastructure • Several possibilities • We focused on PKI + PMI • Development Background • PKI • Cert’eM - Online PKI and more … • X509 ITU-T • PMI • Extending Cert’eM – Online PMI • X509 ITU-T

  3. Key compromised Revocation time CRL Issue CRL Issue Revocation Request Dishonest Use Online AAI? = CRL problem T0 T10 Time CRL = Problem in PKI and exacerbate in PMI, therefore an AAI issue to take into account Online AAI as possible solution

  4. What is Cert’eM? • PKI online • Designed & Implemented in ’98. • Try to solve CRLs problems • OCSP service did not develop yet. • Email based on • X509 usually linked to X500 name • X509 proposal lets links to Email address (Rfc 822) • Use an architecture of CAs that satisfy the needs of near-certification;

  5. Cert’eM: Hierarchical Email Nodes

  6. c t KSU KSU b.c s.t KSU KSU a.b.c r.s.t KSU KSU alice@a.b.c? alice@a.b.c? ca@a.b.c? ca@a.b.c? alice bob Cca@a.b.c Cca@a.b.c Calice@a.b.c Calice@a.b.c Cert’eM: Certificate Request Information Flow

  7. Certification Authority (KSU lcc.uma.es) Certificate Request Certification Server (lcc.uma.es) Certification Kernel (lcc.uma.es) ongoing request 6 user6@lcc.uma.es Private Key CA 6 5 4 User Data 5 user5@lcc.uma.es principal process 1 4 user4@lcc.uma.es 3 user3@lcc.uma.es pending request 2 user2@lcc.uma.es process N 1 1 user1@lcc.uma.es X509 Certificate close request write write read read Cache Certificates Local Certificates Cert’eM: KSU Elements

  8. Cert’eM: Protocol … • Connection Phase • C : HELLO [<clientID>] • S : +OK {the client has permission} • S : -ERR1 { the client host is not allowed • S : -ERR2 { the client <clientID> is not allowed} • Transaction Phase • C: GETCERT <userID> • S : CERT <cert> <vs> • S : +OK or • S : -NSC {no such certificate}

  9. … Cert’eM: Protocol • Transaction Phase • S : CERT <cert> <vs> • Can be local or external search • Local = Database search • External = Use of Cache mechanism and communication between KSU • Termination Phase • C: EXIT • S : +Ok

  10. Cert’eM: Locating KSUs lcc.uma.es 111.111.222.222 <1> lcc.uma.es correo.lcc.uma.es 111.111.222.222 <2> monte@lcc.uma.es <3> lcc.uma.es certem-tcp.lcc.uma.es 111.111.222.222

  11. Cert’eM Conclusion • guarantees that CAs will only certify those users close to them; • provides real-time revocation of keys (without the need of CRLs); • close to S/MIME • Can provide quality service to GRIDs • slight protocol inter-KSU and user-KSU • provided services to several projects we have been implicated • (not only theoretic solution)

  12. X509 ITU-T PKI • Developed to Spanish Banking Entity (BANESTO) in 2001 • Using only GPL libraries: • OpenSSL • GTK • OpenLDAP

  13. X509 ITU-T PMI (I) • ITU-T proposal defines four PMI models: • General, • Control • Role (PERMIS Project) • Delegation (Our proposal) • We have extended OpenSSL library with attribute certificates management and authorization capabilities, because: • This library is widely deployed • There was no previous experience with the introduction of attribute certificates in OpenSSL • We wanted to approach privilege delegation procedures (we are still in the way) • and … we had already developed a PKI using OpenSSL

  14. X509 ITU-T PMI (II)

  15. Extending Cert’eMz • Cert’eM technology applies to Authorization • + Openssl Attribute certificates • The main elements are the Attribute Certificate Service Units(ACSUs), that integrate attributes certification and management functions: • managed by an Attribute Authority • contains a database to store the attribute certificates of “local” users • updating and revocation of certificates and local operations

  16. PKC AC Request Alice Bob AAI AAI scenario (I) [Alice@a.b.c, operation] SAlice Who is the user ? & What can he do ? 1 AB: Token 2 BAAI:Request 3 AAI B:AC + PKC

  17. AAI scenario (II) How link identity and attribute certificates?

  18. Future Work • Actually working in delegation model • Delegation statements establish a Directed graphs • D. G. offer a global vision of delegation system • Theoretical model apply to PMI, and it work!!!

  19. Thank you Any Question? José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte

  20. bob alice ca@t? ca@c? ca@c? ca@t? Cca@t Cca@t Cca@c Cca@c AAI: Relation to TACAR … TACAR (ca@tacar.org) t c KSU KSU ACSU ACSU b.c s.t KSU KSU ACSU ACSU a.b.c r.s.t KSU ACSU KSU ACSU

  21. … AAI: Relation to TACAR • Remember CA belongs to upper level. • Domain c and t is stored in TACAR • TACAR is common root to “a.b.c” and “r.s.t” tree • How to localize TACAR? • Same way as whichever KSU/ACSU node. • Add ca.c@tacar.org and ca.t@tacar.org certificates to TACAR

More Related