SlideShare uma empresa Scribd logo

Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai Abdelilah Essiari Willie Chin

Transferir como PPT, PDF
Information Security Awareness Group
Information Security Awareness Group

Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai Abdelilah Essiari Willie Chin

Educação
1 de 22
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai Abdelilah Essiari Willie Chin Lawrence Berkeley National Laboratory NIST PKI workshop
Distributed Environments Widely distributed computing environments, collaborative research environments Resources, stakeholders and users are all distributed Spanning organizational as well as geographical boundaries, e.g., DOE Collaboratories, Grids, Portals Requires a flexible and secure way for stakeholders to remotely specify access control for their resources Requires a flexible but secure way to identify users and their attributes NIST PKI workshop
Public Key Infrastructure Provides a uniform way for different organizations to identify people or other entities through X.509 identity certificates containing public keys. These certificates and keys can be used though secured connections (SSL) to positively establish the identity of the entities on the connection. The keys can be used to provide digital signatures on documents. The authors and contents of signed documents can be verified at the time of use. Mature Certificate Authority software packages are available and widely deployed. Entrust, Verisign, iPlanet RSA Keon and OpenSSL. NIST PKI workshop
Goals for an Authorization system Use Public Key Infrastructure standards to identify users and create digitally signed certificates Use existing SSL protocol to authenticate users Access based on policy statements made by stakeholders Handle multiple independent stakeholders for a single resource Emphasize usability NIST PKI workshop
Authorization Models Access Control User is authenticated by some means The resource gatekeeper checks the user against a policy to determine access Application needs to pass only an identity token to resource Capability User goes to a policy manager and gets an unforgeable token (capability) that grants the holder rights to some resource The resource gatekeeper verifies the capability and allows the actions specified in the capability Application must get the capability token (short-lived) Application must pass identity token and capability token to the resource Facilitates delegation of rights NIST PKI workshop
Akenti Authorization Minimal local Policy certificates (self-signed) Who to trust, where to look for certificates. Based on the following digitally signed certificates: X.509 certificates for user identity and authentication UseCondition certificates containing stakeholder policy Attribute certificates in which a trusted party attests that a user possesses some attribute, e.g. training, group membership Can be called from any application that has an authenticated user’s identity certificate and a unique resource name, to return that user’s privileges with respect to the resource. NIST PKI workshop
Emphasis on usability Usability is critical: Policy and attributes must be easy for stakeholders to generate and read Minimal change to applications seeking use of resources Simple API for resource gateway to check access Akenti certificate generators provide a user friendly interface for stakeholders to specify the use constraints for their resources. User or stakeholder can see a static view of the policy that controls the use of a resource. Akenti Monitor applet provides a Web interface for a user to check his access to a resource to see why it succeeded or failed. NIST PKI workshop
Certificate Management Users need to generate signed certificates and store them in Web accessible places or be able to upload them securely to the resource gateway. Akenti needs to know where to search for certificates Once a certificate is found, Akenti will cache it for a a time not to exceed that specified by the stakeholder. When an access decision is made, a capability certificate containing the rights is cached and returned to the requester. NIST PKI workshop
Akenti Server Architecture Cache Manager DN Client Fetch Certificate Resource Server Akenti Identity (X509) certificate on behalf of the user. DN DN Internet Log Server Use condition or attribute certificates DN Identity certificates LDAP Database Server Web Server Certificate Servers File Servers
Akenti Certificate Management Stakeholders S1 S2 S3 S4 Certificate Generator C4(S4) C1(S1) C2(S2) C3(S3) Certificate Servers Akenti Search based on resource name, user DN, and attribute Hash Generator
Required Infrastructure Certificate Authority to issue identity certificates (required) OpenSSL provides simple CA for testing iPlanet CA - moderate cost and effort Enterprise solutions - Entrust, Verisign, … Method to check for revocation of identity certificates (required) LDAP server - free from Univ. of Mich.. Or comes with iPlanet CA Certificate Revocation lists - supported by most CA’s OCSP - not yet widely implemented Network accessible ways for stakeholders to store their certificates (optional) Web servers LDAP servers NIST PKI workshop
Using Akenti for Authorization C++ library that resource gatekeeper can link with Insecure server using TCP and returning rights as strings Use with thin client interface on the same machine Secure server using SSL and returning signed capability certificates containing the rights As an authorization module with the SSLenabled Apache Web server NIST PKI workshop
Mod-Akenti The SSL-enabled Apache Web server can be configured to require Client-side X.509 certificates. Replaces mod-authorization Calls out to Akenti with the user’s identity Uses Akenti policy certificates to make the access decision – allows policy to be set remotely Allows the same access policy to be used for Web accessed resources as other resources NIST PKI workshop
Vulnerabilities Primarily denial of service. Distributed certificates might not be available when needed. Independent stakeholders may create a policy that is inconsistent with what they intend. Easy to deny all access. NIST PKI workshop
Attribute Certificates IETF PKIX Attribute Certificates ASN.1 certificate – holder, attributes, issuer Attribute – type-value pair Some standard types: group, access identity, role, clearance, audit identity, charging identity X.509 identities identified by CA and serial number Optional targeting information SAML (Security Assertion Markup Language) OASIS XML signed certificate asserting that a principal has certain attributes One of a set of XML certificates containing assertions, authentication, authorization decision <Audience Restriction Condition> NIST PKI workshop
KeyNote Trust Management Common language for policies and credentials (ASCII Keyword-value) Uses opaque strings or cryptographic identities – separates secure naming from authorization. Policy assertions are defined for a resource. Can be signed and thus set remotely Requestor provides an identity and credential(s) Compliance checker checks the access M Blaze, J. Feigenbaum, J. Ioannidis, A. Keromytis NIST PKI workshop
Shibboleth Internet2 Project Users have a credential that is a handle back to their home institutions Resource providers ask the home institution for the user’s attributes. E.g. student, facility Need inter-domain trust and common vocabulary Users can get access to resources while remaining anonymous to the resource provider. NIST PKI workshop
CAS Community Authorization Server Globus Project Resources grant bulk access rights to communities of users A CAS controls fine-grained access for community members CAS issues a short-lived delegated credential containing the users rights (X.509 certificate) Users connect to the resource with the CAS delegated credential via GSI/SSL. More scalable than current Globus grid-map-file NIST PKI workshop
Experience Akenti enabled Apache Web Server has been used at LBNL and Sandia for the Diesel Combustion Collaboratory. Controlling Akenti code distribution, secure data/image repository, ORNL electronic notebooks, PRE accessed remote job executions Used with CORBA applications Used by the National Fusion Collaboratory Access to remote code execution started by the Globus job-manager Easy to for applications to use if connections are made over SSL Runs on Solaris and RedHat Linux NIST PKI workshop
Trust Models Resource domain establishes one on one trust with all it users Difficult for users, doesn’t scale Different domains establish mutual trust to allow users of one domain to access resources in another Cross-realm Kerberos trust Shibboleth Delegated trust – Resource trusts a few entities but allows them to delegate their rights to others CAS model Resource domain would like to limit degree of trust Limit actions Audit actions Revoke trust in a timely fasion NIST PKI workshop
Future Directions Further development of Use Conditions that use dynamic variables such as time-of-day, originating IP address, state variables. Recognize restricted delegation credentials Possibly use delegation credentials restricted by the delegator to a specified role Use the XML signature implementation to sign Akenti certificates – XMLSec Library, Aleksey Sanin Implement Akenti as a Web service acting as a trusted third party. Use signed SOAP messages or SOAP over SSL? Consider using new SAML, WS-security standards NIST PKI workshop
Conclusions Leverages off the increasing use of X.509 identity certificates. Akenti/SSL overhead acceptable for medium grained access checking. E.g , starting an operation, making a authenticated connection. Ease of use for stakeholders must be emphasized. Transparency for users and applications is important NIST PKI workshop

Recomendados

317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2dP2PSystem
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesSahithi Naraparaju
 
Authentication services
Authentication servicesAuthentication services
Authentication servicesGreater Noida Institute Of Technology
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Editor IJARCET
 

Recomendados

317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2dP2PSystem
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesSahithi Naraparaju
 
Authentication services
Authentication servicesAuthentication services
Authentication servicesGreater Noida Institute Of Technology
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Editor IJARCET
 
x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication ServiceSwathy T
 
Certification Authority - Sergio Lietti
Certification Authority - Sergio LiettiCertification Authority - Sergio Lietti
Certification Authority - Sergio LiettiNúcleo de Computação Científica
 
Ch14
Ch14Ch14
Ch14Joe Christensen
 
iaetsd Robots in oil and gas refineries
iaetsd Robots in oil and gas refineriesiaetsd Robots in oil and gas refineries
iaetsd Robots in oil and gas refineriesIaetsd Iaetsd
 
10. grid security
10. grid security10. grid security
10. grid securityDr Sandeep Kumar Poonia
 
Attribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityAttribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityMphasis
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIParnashreeSaha
 
A model for privacy-enhance federated identity management
A model for privacy-enhance federated identity managementA model for privacy-enhance federated identity management
A model for privacy-enhance federated identity managementrhoerbe1
 
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical OverviewShawn Wells
 
PPT FOR IDBSDDS SCHEMES
PPT FOR IDBSDDS SCHEMESPPT FOR IDBSDDS SCHEMES
PPT FOR IDBSDDS SCHEMESSahithi Naraparaju
 
Architecture authorization-constrained
Architecture authorization-constrainedArchitecture authorization-constrained
Architecture authorization-constrainedAhmed Sabeeh
 
Attributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryptionAttributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryptionKaashivInfoTech Company
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02MikeLeszcz
 
www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.comIJERD Editor
 
Attribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryptionAttribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryptionIEEEFINALYEARPROJECTS
 
Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningMike Reams
 
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...Shumon Huque
 
ISE_Pub
ISE_PubISE_Pub
ISE_PubWill Hatcher
 
Cisco Trustsec & Security Group Tagging
Cisco Trustsec & Security Group TaggingCisco Trustsec & Security Group Tagging
Cisco Trustsec & Security Group TaggingCisco Canada
 
chaitraresume
chaitraresumechaitraresume
chaitraresumeChaitra Shankar
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 

Mais conteúdo relacionado

Mais procurados

x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication ServiceSwathy T
 
iaetsd Robots in oil and gas refineries
iaetsd Robots in oil and gas refineriesiaetsd Robots in oil and gas refineries
iaetsd Robots in oil and gas refineriesIaetsd Iaetsd
 
Attribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityAttribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityMphasis
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIParnashreeSaha
 
A model for privacy-enhance federated identity management
A model for privacy-enhance federated identity managementA model for privacy-enhance federated identity management
A model for privacy-enhance federated identity managementrhoerbe1
 
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical OverviewShawn Wells
 
Architecture authorization-constrained
Architecture authorization-constrainedArchitecture authorization-constrained
Architecture authorization-constrainedAhmed Sabeeh
 
Attributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryptionAttributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryptionKaashivInfoTech Company
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02MikeLeszcz
 
Attribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryptionAttribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryptionIEEEFINALYEARPROJECTS
 
Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningMike Reams
 
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...Shumon Huque
 
Cisco Trustsec & Security Group Tagging
Cisco Trustsec & Security Group TaggingCisco Trustsec & Security Group Tagging
Cisco Trustsec & Security Group TaggingCisco Canada
 

Mais procurados (20)

x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication Service
 
Certification Authority - Sergio Lietti
Certification Authority - Sergio LiettiCertification Authority - Sergio Lietti
Certification Authority - Sergio Lietti
 
Ch14
Ch14Ch14
Ch14
 
iaetsd Robots in oil and gas refineries
iaetsd Robots in oil and gas refineriesiaetsd Robots in oil and gas refineries
iaetsd Robots in oil and gas refineries
 
10. grid security
10. grid security10. grid security
10. grid security
 
Attribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityAttribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud Security
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKI
 
A model for privacy-enhance federated identity management
A model for privacy-enhance federated identity managementA model for privacy-enhance federated identity management
A model for privacy-enhance federated identity management
 
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
 
PPT FOR IDBSDDS SCHEMES
PPT FOR IDBSDDS SCHEMESPPT FOR IDBSDDS SCHEMES
PPT FOR IDBSDDS SCHEMES
 
Architecture authorization-constrained
Architecture authorization-constrainedArchitecture authorization-constrained
Architecture authorization-constrained
 
Attributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryptionAttributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryption
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02
 
www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.com
 
Attribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryptionAttribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryption
 
Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity Provisioning
 
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
 
ISE_Pub
ISE_PubISE_Pub
ISE_Pub
 
Cisco Trustsec & Security Group Tagging
Cisco Trustsec & Security Group TaggingCisco Trustsec & Security Group Tagging
Cisco Trustsec & Security Group Tagging
 
chaitraresume
chaitraresumechaitraresume
chaitraresume
 

Semelhante a Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai Abdelilah Essiari Willie Chin

Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Editor IJARCET
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfJUSTSTYLISH3B2MOHALI
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsLibbySchulze
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
 
Define PKI (Public Key Infrastructure) and list and discuss the type.pdf
Define PKI (Public Key Infrastructure) and list and discuss the type.pdfDefine PKI (Public Key Infrastructure) and list and discuss the type.pdf
Define PKI (Public Key Infrastructure) and list and discuss the type.pdfxlynettalampleyxc
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsIRJET Journal
 
Blockchain PoC For Education
Blockchain PoC For EducationBlockchain PoC For Education
Blockchain PoC For EducationSanjeev Raman
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStackSteve Martinelli
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymondMeng-Ru (Raymond) Tsai
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...DATA SECURITY SOLUTIONS
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsSandeep Patil
 

Semelhante a Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai Abdelilah Essiari Willie Chin (20)

Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Shifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environmentsShifting security left simplifying security for k8s open shift environments
Shifting security left simplifying security for k8s open shift environments
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
Define PKI (Public Key Infrastructure) and list and discuss the type.pdf
Define PKI (Public Key Infrastructure) and list and discuss the type.pdfDefine PKI (Public Key Infrastructure) and list and discuss the type.pdf
Define PKI (Public Key Infrastructure) and list and discuss the type.pdf
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
Alpha Education
Alpha EducationAlpha Education
Alpha Education
 
Blockchain PoC For Education
Blockchain PoC For EducationBlockchain PoC For Education
Blockchain PoC For Education
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond
 
Ch08 Authentication
Ch08 AuthenticationCh08 Authentication
Ch08 Authentication
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined Perimeter
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?
 
presentation_finals
presentation_finalspresentation_finals
presentation_finals
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
 

Mais de Information Security Awareness Group

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Information Security Awareness Group
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Information Security Awareness Group
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Information Security Awareness Group
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceInformation Security Awareness Group
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Information Security Awareness Group
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...Information Security Awareness Group
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Information Security Awareness Group
 

Mais de Information Security Awareness Group (20)

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
 
Big data analysis concepts and references
Big data analysis concepts and referencesBig data analysis concepts and references
Big data analysis concepts and references
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim Polk
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene Itkis
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
 
THE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth PordesTHE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth Pordes
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
 
Security Open Science Grid Doug Olson
Security Open Science Grid Doug OlsonSecurity Open Science Grid Doug Olson
Security Open Science Grid Doug Olson
 
Open Science Group Security Kevin Hill
Open Science Group Security Kevin HillOpen Science Group Security Kevin Hill
Open Science Group Security Kevin Hill
 
Xrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew HanushevskyXrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew Hanushevsky
 
Privilege Project Vikram Andem
Privilege Project Vikram AndemPrivilege Project Vikram Andem
Privilege Project Vikram Andem
 
DES Block Cipher Hao Qi
DES Block Cipher Hao QiDES Block Cipher Hao Qi
DES Block Cipher Hao Qi
 

Último

Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 

Último (20)

Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 

Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai Abdelilah Essiari Willie Chin

  • 1. Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai Abdelilah Essiari Willie Chin Lawrence Berkeley National Laboratory NIST PKI workshop
  • 2. Distributed Environments Widely distributed computing environments, collaborative research environments Resources, stakeholders and users are all distributed Spanning organizational as well as geographical boundaries, e.g., DOE Collaboratories, Grids, Portals Requires a flexible and secure way for stakeholders to remotely specify access control for their resources Requires a flexible but secure way to identify users and their attributes NIST PKI workshop
  • 3. Public Key Infrastructure Provides a uniform way for different organizations to identify people or other entities through X.509 identity certificates containing public keys. These certificates and keys can be used though secured connections (SSL) to positively establish the identity of the entities on the connection. The keys can be used to provide digital signatures on documents. The authors and contents of signed documents can be verified at the time of use. Mature Certificate Authority software packages are available and widely deployed. Entrust, Verisign, iPlanet RSA Keon and OpenSSL. NIST PKI workshop
  • 4. Goals for an Authorization system Use Public Key Infrastructure standards to identify users and create digitally signed certificates Use existing SSL protocol to authenticate users Access based on policy statements made by stakeholders Handle multiple independent stakeholders for a single resource Emphasize usability NIST PKI workshop
  • 5. Authorization Models Access Control User is authenticated by some means The resource gatekeeper checks the user against a policy to determine access Application needs to pass only an identity token to resource Capability User goes to a policy manager and gets an unforgeable token (capability) that grants the holder rights to some resource The resource gatekeeper verifies the capability and allows the actions specified in the capability Application must get the capability token (short-lived) Application must pass identity token and capability token to the resource Facilitates delegation of rights NIST PKI workshop
  • 6. Akenti Authorization Minimal local Policy certificates (self-signed) Who to trust, where to look for certificates. Based on the following digitally signed certificates: X.509 certificates for user identity and authentication UseCondition certificates containing stakeholder policy Attribute certificates in which a trusted party attests that a user possesses some attribute, e.g. training, group membership Can be called from any application that has an authenticated user’s identity certificate and a unique resource name, to return that user’s privileges with respect to the resource. NIST PKI workshop
  • 7. Emphasis on usability Usability is critical: Policy and attributes must be easy for stakeholders to generate and read Minimal change to applications seeking use of resources Simple API for resource gateway to check access Akenti certificate generators provide a user friendly interface for stakeholders to specify the use constraints for their resources. User or stakeholder can see a static view of the policy that controls the use of a resource. Akenti Monitor applet provides a Web interface for a user to check his access to a resource to see why it succeeded or failed. NIST PKI workshop
  • 8. Certificate Management Users need to generate signed certificates and store them in Web accessible places or be able to upload them securely to the resource gateway. Akenti needs to know where to search for certificates Once a certificate is found, Akenti will cache it for a a time not to exceed that specified by the stakeholder. When an access decision is made, a capability certificate containing the rights is cached and returned to the requester. NIST PKI workshop
  • 9. Akenti Server Architecture Cache Manager DN Client Fetch Certificate Resource Server Akenti Identity (X509) certificate on behalf of the user. DN DN Internet Log Server Use condition or attribute certificates DN Identity certificates LDAP Database Server Web Server Certificate Servers File Servers
  • 10. Akenti Certificate Management Stakeholders S1 S2 S3 S4 Certificate Generator C4(S4) C1(S1) C2(S2) C3(S3) Certificate Servers Akenti Search based on resource name, user DN, and attribute Hash Generator
  • 11. Required Infrastructure Certificate Authority to issue identity certificates (required) OpenSSL provides simple CA for testing iPlanet CA - moderate cost and effort Enterprise solutions - Entrust, Verisign, … Method to check for revocation of identity certificates (required) LDAP server - free from Univ. of Mich.. Or comes with iPlanet CA Certificate Revocation lists - supported by most CA’s OCSP - not yet widely implemented Network accessible ways for stakeholders to store their certificates (optional) Web servers LDAP servers NIST PKI workshop
  • 12. Using Akenti for Authorization C++ library that resource gatekeeper can link with Insecure server using TCP and returning rights as strings Use with thin client interface on the same machine Secure server using SSL and returning signed capability certificates containing the rights As an authorization module with the SSLenabled Apache Web server NIST PKI workshop
  • 13. Mod-Akenti The SSL-enabled Apache Web server can be configured to require Client-side X.509 certificates. Replaces mod-authorization Calls out to Akenti with the user’s identity Uses Akenti policy certificates to make the access decision – allows policy to be set remotely Allows the same access policy to be used for Web accessed resources as other resources NIST PKI workshop
  • 14. Vulnerabilities Primarily denial of service. Distributed certificates might not be available when needed. Independent stakeholders may create a policy that is inconsistent with what they intend. Easy to deny all access. NIST PKI workshop
  • 15. Attribute Certificates IETF PKIX Attribute Certificates ASN.1 certificate – holder, attributes, issuer Attribute – type-value pair Some standard types: group, access identity, role, clearance, audit identity, charging identity X.509 identities identified by CA and serial number Optional targeting information SAML (Security Assertion Markup Language) OASIS XML signed certificate asserting that a principal has certain attributes One of a set of XML certificates containing assertions, authentication, authorization decision <Audience Restriction Condition> NIST PKI workshop
  • 16. KeyNote Trust Management Common language for policies and credentials (ASCII Keyword-value) Uses opaque strings or cryptographic identities – separates secure naming from authorization. Policy assertions are defined for a resource. Can be signed and thus set remotely Requestor provides an identity and credential(s) Compliance checker checks the access M Blaze, J. Feigenbaum, J. Ioannidis, A. Keromytis NIST PKI workshop
  • 17. Shibboleth Internet2 Project Users have a credential that is a handle back to their home institutions Resource providers ask the home institution for the user’s attributes. E.g. student, facility Need inter-domain trust and common vocabulary Users can get access to resources while remaining anonymous to the resource provider. NIST PKI workshop
  • 18. CAS Community Authorization Server Globus Project Resources grant bulk access rights to communities of users A CAS controls fine-grained access for community members CAS issues a short-lived delegated credential containing the users rights (X.509 certificate) Users connect to the resource with the CAS delegated credential via GSI/SSL. More scalable than current Globus grid-map-file NIST PKI workshop
  • 19. Experience Akenti enabled Apache Web Server has been used at LBNL and Sandia for the Diesel Combustion Collaboratory. Controlling Akenti code distribution, secure data/image repository, ORNL electronic notebooks, PRE accessed remote job executions Used with CORBA applications Used by the National Fusion Collaboratory Access to remote code execution started by the Globus job-manager Easy to for applications to use if connections are made over SSL Runs on Solaris and RedHat Linux NIST PKI workshop
  • 20. Trust Models Resource domain establishes one on one trust with all it users Difficult for users, doesn’t scale Different domains establish mutual trust to allow users of one domain to access resources in another Cross-realm Kerberos trust Shibboleth Delegated trust – Resource trusts a few entities but allows them to delegate their rights to others CAS model Resource domain would like to limit degree of trust Limit actions Audit actions Revoke trust in a timely fasion NIST PKI workshop
  • 21. Future Directions Further development of Use Conditions that use dynamic variables such as time-of-day, originating IP address, state variables. Recognize restricted delegation credentials Possibly use delegation credentials restricted by the delegator to a specified role Use the XML signature implementation to sign Akenti certificates – XMLSec Library, Aleksey Sanin Implement Akenti as a Web service acting as a trusted third party. Use signed SOAP messages or SOAP over SSL? Consider using new SAML, WS-security standards NIST PKI workshop
  • 22. Conclusions Leverages off the increasing use of X.509 identity certificates. Akenti/SSL overhead acceptable for medium grained access checking. E.g , starting an operation, making a authenticated connection. Ease of use for stakeholders must be emphasized. Transparency for users and applications is important NIST PKI workshop