210 likes | 222 Views
Online AAI. José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain). Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte. AAI?. Authentication & Authorization Infrastructure Several possibilities We focused on PKI + PMI Development Background
E N D
Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte
AAI? • Authentication & Authorization Infrastructure • Several possibilities • We focused on PKI + PMI • Development Background • PKI • Cert’eM - Online PKI and more … • X509 ITU-T • PMI • Extending Cert’eM – Online PMI • X509 ITU-T
Key compromised Revocation time CRL Issue CRL Issue Revocation Request Dishonest Use Online AAI? = CRL problem T0 T10 Time CRL = Problem in PKI and exacerbate in PMI, therefore an AAI issue to take into account Online AAI as possible solution
What is Cert’eM? • PKI online • Designed & Implemented in ’98. • Try to solve CRLs problems • OCSP service did not develop yet. • Email based on • X509 usually linked to X500 name • X509 proposal lets links to Email address (Rfc 822) • Use an architecture of CAs that satisfy the needs of near-certification;
c t KSU KSU b.c s.t KSU KSU a.b.c r.s.t KSU KSU alice@a.b.c? alice@a.b.c? ca@a.b.c? ca@a.b.c? alice bob Cca@a.b.c Cca@a.b.c Calice@a.b.c Calice@a.b.c Cert’eM: Certificate Request Information Flow
Certification Authority (KSU lcc.uma.es) Certificate Request Certification Server (lcc.uma.es) Certification Kernel (lcc.uma.es) ongoing request 6 user6@lcc.uma.es Private Key CA 6 5 4 User Data 5 user5@lcc.uma.es principal process 1 4 user4@lcc.uma.es 3 user3@lcc.uma.es pending request 2 user2@lcc.uma.es process N 1 1 user1@lcc.uma.es X509 Certificate close request write write read read Cache Certificates Local Certificates Cert’eM: KSU Elements
Cert’eM: Protocol … • Connection Phase • C : HELLO [<clientID>] • S : +OK {the client has permission} • S : -ERR1 { the client host is not allowed • S : -ERR2 { the client <clientID> is not allowed} • Transaction Phase • C: GETCERT <userID> • S : CERT <cert> <vs> • S : +OK or • S : -NSC {no such certificate}
… Cert’eM: Protocol • Transaction Phase • S : CERT <cert> <vs> • Can be local or external search • Local = Database search • External = Use of Cache mechanism and communication between KSU • Termination Phase • C: EXIT • S : +Ok
Cert’eM: Locating KSUs lcc.uma.es 111.111.222.222 <1> lcc.uma.es correo.lcc.uma.es 111.111.222.222 <2> monte@lcc.uma.es <3> lcc.uma.es certem-tcp.lcc.uma.es 111.111.222.222
Cert’eM Conclusion • guarantees that CAs will only certify those users close to them; • provides real-time revocation of keys (without the need of CRLs); • close to S/MIME • Can provide quality service to GRIDs • slight protocol inter-KSU and user-KSU • provided services to several projects we have been implicated • (not only theoretic solution)
X509 ITU-T PKI • Developed to Spanish Banking Entity (BANESTO) in 2001 • Using only GPL libraries: • OpenSSL • GTK • OpenLDAP
X509 ITU-T PMI (I) • ITU-T proposal defines four PMI models: • General, • Control • Role (PERMIS Project) • Delegation (Our proposal) • We have extended OpenSSL library with attribute certificates management and authorization capabilities, because: • This library is widely deployed • There was no previous experience with the introduction of attribute certificates in OpenSSL • We wanted to approach privilege delegation procedures (we are still in the way) • and … we had already developed a PKI using OpenSSL
Extending Cert’eMz • Cert’eM technology applies to Authorization • + Openssl Attribute certificates • The main elements are the Attribute Certificate Service Units(ACSUs), that integrate attributes certification and management functions: • managed by an Attribute Authority • contains a database to store the attribute certificates of “local” users • updating and revocation of certificates and local operations
PKC AC Request Alice Bob AAI AAI scenario (I) [Alice@a.b.c, operation] SAlice Who is the user ? & What can he do ? 1 AB: Token 2 BAAI:Request 3 AAI B:AC + PKC
AAI scenario (II) How link identity and attribute certificates?
Future Work • Actually working in delegation model • Delegation statements establish a Directed graphs • D. G. offer a global vision of delegation system • Theoretical model apply to PMI, and it work!!!
Thank you Any Question? José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Email: monte@lcc.uma.es Web: www.lcc.uma.es/~monte
bob alice ca@t? ca@c? ca@c? ca@t? Cca@t Cca@t Cca@c Cca@c AAI: Relation to TACAR … TACAR (ca@tacar.org) t c KSU KSU ACSU ACSU b.c s.t KSU KSU ACSU ACSU a.b.c r.s.t KSU ACSU KSU ACSU
… AAI: Relation to TACAR • Remember CA belongs to upper level. • Domain c and t is stored in TACAR • TACAR is common root to “a.b.c” and “r.s.t” tree • How to localize TACAR? • Same way as whichever KSU/ACSU node. • Add ca.c@tacar.org and ca.t@tacar.org certificates to TACAR