TNC 2004 – Rhodes (Greece) On a Taxonomy of Authentication and Authorization Solutions (Exploring open problems) José A. Montenegro Javier López Rolf Oppliger.

Presentation transcript:

TNC 2004 – Rhodes (Greece) 1 On a Taxonomy of Authentication and Authorization Solutions (Exploring open problems). Authors: José A. Montenegro, Javier López, Rolf Oppliger, Guenther Pernul.

TNC 2004 – Rhodes (Greece) 2 Outline
 Traditional Problem – Authentication (Is it resolved?)
 Actual Problem – Authorization (How to resolve it?)
 Why a Taxonomy now?
 Taxonomy: Common Elements, Topics, Division
 General Scope Solutions
 Web Scope Solutions
 Framework Solutions
 Auth Languages and Protocols
 How to deal with Privilege Delegation
 Privilege Delegation (PMI Implementation)
 AAI – BAAI as an alternative

TNC 2004 – Rhodes (Greece) 3 Traditional Problem – Authentication (Is it resolved?) Cartoon: The New Yorker. Book: Authentication – From Passwords to Public Keys.

TNC 2004 – Rhodes (Greece) 4 Actual Problem – Authorization (How to resolve it?) Assumption: everybody knows you are a dog, but what is a dog allowed to do?

TNC 2004 – Rhodes (Greece) 5 Why a Taxonomy now? Current solutions continuously reuse the traditional ideas in different scenarios.
 Kerberos: born in 1988; Microsoft “adopted” it in 2000, 12 years later!
 The PAC used in SESAME (1996) is similar to the X.509 Attribute Certificate (2004), 8 years later!
Are we reinventing the wheel? Maybe we should analyze previous solutions before developing a new one (reusing a previous one is a possibility).

TNC 2004 – Rhodes (Greece) 6 Taxonomy – Common Elements. The solutions that have been analyzed provide common technologies such as:
 Mechanism to establish Sign-on
 Mechanism to disable Sign-on (Sign-out)
 Trust Relations
 Structures to store and transport credentials
 Protocols to carry credentials
 Asymmetric cryptography
Actors that are present in the solutions analyzed:
 Client
 Resources
 Resource Provider (Stakeholder)
 Authentication System
 Authorization System

TNC 2004 – Rhodes (Greece) 7 Taxonomy – Topics. The taxonomy aims to capture the key issues of each proposal:
 Goal of the proposal
 Role of the actors involved
 Elements used to store/carry the Auth information
 Scheme operation
 Advantages, drawbacks or well-known flaws
 Other features such as difficulty of use, source code, running environment, etc.

TNC 2004 – Rhodes (Greece) 8 Taxonomy – Division. Initially, we establish four categories:
 General Scope
 Web Scope
 Framework-based
 Auth Languages and Protocols

TNC 2004 – Rhodes (Greece) 9 Taxonomy – General Scope Solutions. This category includes the solutions that can be used in any auth network scenario.
 Kerberos: de facto standard. Symmetric cryptography.
 PERMIS: based on the ITU-T proposal; included in this category because it implements a specific model of the ITU-T proposal, namely the role model.
 Akenti: use-condition, identity and attribute certificates (see the comparison with PERMIS).
 SESAME: uses PACs, similar to current X.509 ACs. It deals with delegation and makes use of Role-Based Authorization!

TNC 2004 – Rhodes (Greece) 10 Taxonomy – Web Scope Solutions. Web Scope Solutions enable single sign-on for access to multiple sites. Applications are built on top of present-day Internet technology. Although some security issues remain, the protocols exacerbate well-known Internet flaws, including:
 Weak Passwords: poorly chosen passwords can be particularly problematic in a single sign-on environment.
 Internet Deployment: public site + browser crash + failed sign-out = hijacked session.
 Weak Cryptography: parts of the protocols are based on the use of SSL/TLS. Cryptographic export problems: browsers that have weak 40-bit cryptography enabled.

TNC 2004 – Rhodes (Greece) 11 Taxonomy – Web Scope Solutions (cont.). Web Scope Solutions:
 PAPI: well known in TNC
 Shibboleth: well known in TNC
 Microsoft .NET Passport: the most widely used solution
 Liberty: no implementation yet
 Web Services Federation Language (WS-Federation): direct competitor of Liberty (Microsoft and IBM consortium)

TNC 2004 – Rhodes (Greece) 12 Taxonomy – Framework Solutions. Framework-based solutions:
 X.509 v3 Auth, PMI and PKI: PERMIS, ETSI (report)
 SPKI/SDSI: S-expressions and a new point of view about certificates
 AAAARCH (Authentication, Authorization and Accounting Architecture): project stopped

TNC 2004 – Rhodes (Greece) 13 Taxonomy – Auth Languages and Protocols. Auth languages and protocols:
 XML based: Security Assertion Markup Language (SAML); XML Access Control Language (XACL); XML Access Control Language (XACML); XML Key Management System (XKMS); XML Trust Assertion Service Specification (XTASS)
 SPOCP: well known in TNC
 SOAP
Too many solutions???

TNC 2004 – Rhodes (Greece) 14 Taxonomy – Conclusions
 Different solutions provide either Authentication or Authorization services (or both).
 Sometimes it is necessary to merge two different solutions to provide an Authentication-and-Authorization Infrastructure (AAI).
 The best solutions are not the most used (Kerberos), and widely used solutions are not the best (Passport).
 Complex problems must be resolved, such as delegation …

TNC 2004 – Rhodes (Greece) 15 Actual Problem – How to treat privilege delegation. Analogy: Father → User; Assistant → Delegated User; Toy → Token; Child → Authz Engine. Authorization decision: NO.

TNC 2004 – Rhodes (Greece) 16 Privilege Delegation (PMI Implementation). There are numerous theoretical solutions, but none has been implemented. The analysis of solutions gives us the input to develop a new AAI infrastructure:
 Previous work: PKI prototype.
 Work extension: we have designed and developed a PMI prototype. It focuses on the PMI Delegation Model, though it supports the other models (Role-based model and Access Control model).
 The implementation uses open source libraries such as OpenSSL, GTK and OpenLDAP.
 Main issue: adding Attribute Certificate support to OpenSSL.

TNC 2004 – Rhodes (Greece) 17 Privilege Delegation (PMI Implementation) cont.

TNC 2004 – Rhodes (Greece) 18 Alternative AAI – BAAI. Basics for development: PKI, Kerberos. Possibilities for AAIs based on PKI:
 PKI + PMI
 PKI + identity certificate extensions
 PKI + database system (DBMS)
Our PMI implementation is the support for another proposal: Biometrics + PMI (BAAI).

TNC 2004 – Rhodes (Greece) 19 BAAI details – How to make a VAC, X.509 v3. Visual Attribute Certificate (VAC) – Basic Item in a BAAI.
[Figure: three stacked attribute-certificate layouts, each with the fields Version Number, SerialNumber, Signature Algorithm, Issuer, Validity Period, Holder, Attributes, Issuer Unique Identifier, AASignature, Extensions; the Holder field is expanded as follows.]
Holder ::= SEQUENCE {
  baseCertificateID [0] IssuerSerial OPTIONAL,
  entityName [1] GeneralNames OPTIONAL,
  objectDigestInfo [2] ObjectDigestInfo OPTIONAL }
ObjectDigestInfo ::= SEQUENCE {
  digestedObjectType ENUMERATED { publicKey (0), publicKeyCert (1), otherObjectTypes (2) },
  otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
  digestAlgorithm AlgorithmIdentifier,
  objectDigest BIT STRING }

TNC 2004 – Rhodes (Greece) 20 BAAI details – How to make a VAC, Creation Process. Visual Attribute Certificate (VAC) – Basic Item in a BAAI.
[Figure: creation process. Certificate Holder: entityName = cn=user,dn=uma,dn=es; objectDigest = hash(MSB(image)). Steps: Identity certificate (A), Authorization certificate (B) → Identity and Authorization VAC → Steganography.]

TNC 2004 – Rhodes (Greece) 21 BAAI details – How to make a VAC, Verification Process. Visual Attribute Certificate (VAC) – Basic Item in a BAAI.
[Figure: verification process in three steps (1, 2, 3) involving Biometric, Certificate, Steganography and CCTV, ending in the comparison “= ?”.]
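The following is an added example, not code from the slides or from the authors' PMI prototype (which was built in C on OpenSSL, GTK and OpenLDAP). It models the VAC creation and verification flow of slides 19 to 21 under stated assumptions: the holder's objectDigest is hash(MSB(image)) as slide 20 says, and "steganography" is read as embedding the certificate bytes in the image's least significant bits (an assumption about the slides' figure). The image is a constructed array of 8-bit grey pixels, the certificate is JSON rather than a DER-encoded X.509 attribute certificate, and an HMAC under a placeholder key stands in for the AA signature. The field names (holder, entityName, objectDigestInfo, digestedObjectType, digestAlgorithm, objectDigest) follow the Holder and ObjectDigestInfo SEQUENCEs on slide 19.

```python
"""Toy Visual Attribute Certificate (VAC): bind a certificate to an image's
most significant bits, hide the certificate in the least significant bits,
and verify both the AA signature and the MSB binding on the way back.
Added illustration; every value below is constructed for the example."""
import hashlib
import hmac
import json
import random

MSB_MASK = 0xFE  # keep bits 7..1 of each pixel, drop bit 0 (the stego bit)

# Constructed 128x128 8-bit grey "image" and a placeholder AA key (not a real secret).
SAMPLE_IMAGE = bytes(random.Random(7).randrange(256) for _ in range(128 * 128))
AA_KEY = b"placeholder-demo-aa-key"


def msb_digest(pixels: bytes) -> bytes:
    """hash(MSB(image)): SHA-256 over the pixels with the LSB cleared, so the
    digest survives LSB steganography but not edits to the visible content."""
    return hashlib.sha256(bytes(p & MSB_MASK for p in pixels)).digest()


def make_vac(pixels: bytes, holder_name: str, attributes: dict, aa_key: bytes) -> bytes:
    """Build the toy attribute certificate whose holder is the image (objectDigestInfo)."""
    body = {
        "version": 2,
        "holder": {
            "entityName": holder_name,
            "objectDigestInfo": {
                "digestedObjectType": "otherObjectTypes",
                "digestAlgorithm": "sha256",
                "objectDigest": msb_digest(pixels).hex(),
            },
        },
        "attributes": attributes,
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(aa_key, encoded, hashlib.sha256).hexdigest()  # stand-in for AASignature
    return json.dumps({"body": body, "aaSignature": sig}, sort_keys=True).encode()


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Steganography step: write a 4-byte big-endian length plus the payload
    into the pixel LSBs, one bit per pixel."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & MSB_MASK) | bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover the embedded payload (length prefix first) from the pixel LSBs."""
    def read(n_bytes: int, offset: int) -> bytes:
        val = bytearray()
        for b in range(n_bytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset + b * 8 + i] & 1)
            val.append(byte)
        return bytes(val)
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def verify_vac(stego_pixels: bytes, aa_key: bytes):
    """Verification step: extract the VAC, check the AA signature, recompute
    hash(MSB(image)) and compare it with holder.objectDigest. Returns (ok, detail)."""
    try:
        cert = json.loads(extract_lsb(stego_pixels))
        body = cert["body"]
        encoded = json.dumps(body, sort_keys=True).encode()
        expected_sig = hmac.new(aa_key, encoded, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, cert["aaSignature"]):
            return False, "AA signature mismatch"
        digest = body["holder"]["objectDigestInfo"]["objectDigest"]
        if not hmac.compare_digest(digest, msb_digest(stego_pixels).hex()):
            return False, "image MSBs do not match objectDigest"
        return True, body["holder"]["entityName"]
    except (ValueError, IndexError, KeyError, TypeError):
        return False, "no certificate recovered"


def demo():
    """Issue a VAC for the sample image, embed it, verify it, then show that
    editing the visible picture (an MSB) breaks the binding."""
    vac = make_vac(SAMPLE_IMAGE, "cn=user,dn=uma,dn=es", {"role": "staff"}, AA_KEY)
    stego = embed_lsb(SAMPLE_IMAGE, vac)
    ok, holder = verify_vac(stego, AA_KEY)
    tampered = bytearray(stego)
    tampered[5000] ^= 0x80  # flip a most-significant bit: visible content changed
    bad, reason = verify_vac(bytes(tampered), AA_KEY)
    return ok, holder, bad, reason


if __name__ == "__main__":
    print(demo())
```

Because only the MSBs are digested, embedding the certificate in the LSBs does not invalidate the holder binding, while any edit to the visible pixels does; a verifier that also checked the LSBs would reject every legitimately stego-carried VAC. A real deployment would replace the HMAC with the AA's signature over a DER-encoded certificate and would still have to decide, as slide 21's "= ?" step shows, how the recovered image is matched against the live biometric or CCTV capture.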

TNC 2004 – Rhodes (Greece) 22 Questions? Thanks for your attention. José Antonio Montenegro. Web: