Make Secure Information Sharing (SIS) Easy and a Reality. C. Edward Chow, PI; Osama Khaleel; Bill Kretschmer.


Slide 1 (6/26/2006, SIS 0.2): Make Secure Information Sharing (SIS) Easy and a Reality
C. Edward Chow, PI; Osama Khaleel; Bill Kretschmer
Sponsored by TTO Proof of Concept grant

Slide 2: Agenda
- Status of the SIS "porting" project
- SIS 0.2 software architecture
- Technologies and tools/modules
- SIS 0.2 prototype
- Demo of the SIS 0.2 prototype
- Discussion on what to do next

Slide 3: What We Have Achieved
- Developed SIS on the Windows platform.
- Added new capability for policy management:
  - Follows the XACML access control standard.
  - Specifies and enforces policies for accessing secure web sites based on the role information in the user's attribute certificate.
- For certificate management, developed tools to:
  - Create digital (public key) certificates and attribute certificates.
  - Update or revoke roles by updating the certificates stored in Active Directory.
- Integrated these software modules and demonstrated the features on a prototype.

Slide 4: SIS Software Architecture
Access to important resources (e.g. secure web sites) is secured by checking the identity (in the digital certificate, PKC, presented by the user) and the related role (in the user's attribute certificate, AC) against a set of policies.
[Architecture diagram components: User with Web Browser and PKC; IIS Web Server; ASP.NET; Policy Enforcement Point; Policy Decision Point with XACML policies; Active Directory holding PKC and AC; Secure Web Sites (resource)]

Slide 5: Secure Access Step 1: Identity Authentication
- The user installs their digital certificate (PKC) in their web browser.
- The browser issues a request to the IIS web server.
- IIS presents its server certificate and asks the user to present a client certificate (mutual authentication).
[Diagram: User (Web Browser, PKC) <-> IIS Web Server; 1. https request; 2. Server Certificate; 3. Client Certificate]

Slide 6: Secure Access Step 2: Forward ID/URI to PEP
ASP.NET intercepts the request and forwards the subject field of the PKC (containing the identity information) to the Policy Enforcement Point (PEP).
[Diagram: User (Web Browser, PKC) -> IIS Web Server -> ASP.NET -> Policy Enforcement Point; 4. User ID ( /OU), time/IP, https request info]

Slide 7: Secure Access Step 3: Query Active Directory for Role Info
The PEP uses the ID information (the Canonical Name, CN) to query AD for the role information contained in the user's attribute certificate.
[Diagram: Policy Enforcement Point <-> Active Directory (PKC, AC); 5. User ID (CN=chow); 6. AC of user with roles (CFO/mgr)]

Slide 8: Secure Access Step 4: Consult PDP for Policy Decision
The PEP then consults the Policy Decision Point (PDP) to decide whether the policies allow a user with such role(s) to access the resource.
[Diagram: Policy Enforcement Point <-> Policy Decision Point (XACML policies); 7. User ID, role, time/IP, request info; 8. grant/reject]

Slide 9: Secure Access Step 5: Access Secure Resource
Based on the PDP decision, the PEP informs ASP.NET to grant access or to redirect to an error web page.
[Diagram: Policy Enforcement Point -> ASP.NET -> Secure Web Sites (resource) -> User; 9. access/redirect; 10. access; 11. return web page]
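As an added illustration of steps 2 to 5 (not the project's C#/.NET code or its Sun XACML PDP), the following Python models the PEP and PDP working from a constructed subject DN, a constructed stand-in for the attribute certificates held in Active Directory, and a simplified XACML-style policy whose small element set is an assumption here, not the OASIS XACML schema. The sis.example URLs, the "contractor" role and the khaleel/wise AC entries are constructed; the CN=chow subject and the CFO/mgr roles come from the slides.

```python
import xml.etree.ElementTree as ET
# Constructed, simplified XACML-style policy (not the OASIS XACML schema): each Rule
# has a Target (role + resource prefix) and an optional office-hours Condition.
POLICY_XML = """<Policy PolicyId="sis-demo" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="cfo-finance" Effect="Permit">
    <Target role="CFO" resource="https://sis.example/finance/"/>
    <Condition after="08:00" before="18:00"/>
  </Rule>
  <Rule RuleId="mgr-reports" Effect="Permit">
    <Target role="mgr" resource="https://sis.example/reports/"/>
  </Rule>
  <Rule RuleId="contractor-finance" Effect="Deny">
    <Target role="contractor" resource="https://sis.example/finance/"/>
  </Rule>
</Policy>"""

# Constructed stand-in for the attribute certificates (ACs) held in Active Directory.
AD_ATTRIBUTE_CERTS = {
    "chow": {"roles": ["CFO", "mgr"], "revoked": False},
    "khaleel": {"roles": ["mgr", "contractor"], "revoked": False},
    "wise": {"roles": ["CFO"], "revoked": True},  # AC revoked: person left the company
}

def subject_cn(subject_dn):
    """Step 2: pull the CN out of the PKC subject DN that ASP.NET forwards to the PEP."""
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    raise ValueError("subject DN has no CN")
def roles_from_ad(cn):
    """Step 3: roles from the user's AC; a revoked or missing AC yields no roles."""
    ac = AD_ATTRIBUTE_CERTS.get(cn)
    return [] if ac is None or ac["revoked"] else ac["roles"]
def pdp_decide(roles, resource, now, policy_xml=POLICY_XML):
    """Step 4: deny-overrides; `now` is "HH:MM"; no applicable rule means Deny."""
    effects = set()
    for rule in ET.fromstring(policy_xml).findall("Rule"):
        t, c = rule.find("Target"), rule.find("Condition")
        if t.get("role") not in roles or not resource.startswith(t.get("resource")):
            continue  # target does not match this subject/resource
        if c is not None and not (c.get("after") <= now <= c.get("before")):
            continue  # outside the rule's office-hours window
        effects.add(rule.get("Effect"))
    return "Deny" if "Deny" in effects or "Permit" not in effects else "Permit"
def pep_handle(subject_dn, resource, now):
    """Steps 2-5 end to end: the action the PEP tells ASP.NET to take."""
    decision = pdp_decide(roles_from_ad(subject_cn(subject_dn)), resource, now)
    return "access" if decision == "Permit" else "redirect"
```

The PEP fails closed: a revoked AC or a request no rule covers ends in a redirect, which is the behaviour slide 9 describes for a rejected decision.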

Slide 10: SIS Network Topology and IP Assignments
[Diagram: Internet - Main switch - FC4 gateway (two NICs) - Local switch - Win-XP client, IIS web server, Domain controller]

Slide 11: The Testbed
A 4-machine testbed has been built. It contains the following:
- Windows Server 2003 with AD (the domain controller).
- Windows Server 2003 with IIS 6.0 (the web server).
- Windows XP (a client).
- Fedora Core 4 with an iptables-based firewall (a gateway).

Slide 12: The SIS Admin Tool
An admin tool is being developed to provide an easy-to-use GUI for setting up the SIS environment. It is written in C# (C# Express 2005 IDE). The three main components so far are:
- Public Key Infrastructure (PKI) setup.
- Privilege Management Infrastructure (PMI) setup.
- Certificates management.

Slide 13: PKI and PMI
PKI features:
- Creating new Certificate Authorities (CAs).
- Loading an existing CA.
- Issuing a single digital certificate (DC) and storing it in the AD, based on a GUI form.
- Issuing a batch of DCs and storing them in the AD, based on a simple text file.
PMI features:
- Creating new Attribute Authorities (AAs).
- Loading an existing AA.
- Issuing a single attribute certificate (AC) and storing it in the AD, based on a GUI form.
- Issuing a batch of ACs and storing them in the AD, based on a simple text file.

Slide 15: Certificates Management
- Check and validate a digital certificate.
- Revoke a digital certificate.
- Check and validate an attribute certificate.
- Revoke an attribute certificate.

Slide 17: Packages and Techniques
- OpenSSL: a wrapper compiled into binaries (exe file) has been used to implement the PKI part.
- JCE-IAIK: a set of Java APIs and implementations of cryptographic functionality, used to implement the PMI part.
- IKVM.NET: an implementation of Java for the Microsoft .NET Framework, used to allow the IAIK Java-based package to be used from .NET.
- CryptLib: a security toolkit that allows adding encryption and authentication services. (We faced problems with it [file format and AC errors], so we replaced it with the OpenSSL solution.)
- XACML open source from Sun: Sun's open-source implementation of the OASIS XACML standard, written in the Java programming language.

Slide 18: Demo
- Secure web access based on the role in the attribute certificate.
- Update the AC when a person gets promoted.
- Revoke the AC when a person leaves the company.
- PKC/AC management tool.

Slide 19: Discussion
What are our next steps?