Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer Sponsored by TTO Proof of Concept grant
6/26/2006SIS0.22 AgendaAgenda Status of the SIS “porting” project SIS 0.2 Software Architecture. Technologies and Tools/Modules SIS 0.2 prototype Demo of SIS 0.2 prototype Discussion on what to do next. Status of the SIS “porting” project SIS 0.2 Software Architecture. Technologies and Tools/Modules SIS 0.2 prototype Demo of SIS 0.2 prototype Discussion on what to do next.
6/26/2006SIS0.23 What We Have Achieved Develop SIS on Windows Platform. Add new capability on policy management Follow XACML access control standard. Specify/Enforce policies for accessing secure web sites based on role info in attribute certificate For certificates management, develop tools for Create digital and attribute certificates Update/revoke roles by updating certificates in Active Directory Integrate these software modules and demonstrate features on a prototype. Develop SIS on Windows Platform. Add new capability on policy management Follow XACML access control standard. Specify/Enforce policies for accessing secure web sites based on role info in attribute certificate For certificates management, develop tools for Create digital and attribute certificates Update/revoke roles by updating certificates in Active Directory Integrate these software modules and demonstrate features on a prototype.
6/26/2006SIS0.24 SIS Software Architecture Access to important resources (e.g. secure are secured by checking the identity (in digital certificate PKC presented by user) against related role (attribute certificate) on a set of policies. IISWebServer ASP.NET Policy Enforcement Point Policy Decision Point Active Directory User PKC Web Browser PKC AC Secure Web Sites Resource Policies XACML
6/26/2006SIS0.25 Secure Access Step 1: Identity Authentication User installs digital certificate (PKC) in their web browser. Issue request to IIS web server IIS present server certificate and ask user to present client certificate (mutual authentication) User installs digital certificate (PKC) in their web browser. Issue request to IIS web server IIS present server certificate and ask user to present client certificate (mutual authentication) IISWebServer User PKC Web Browser 1. https request 2. Server Certificate 3. Client Certificate
6/26/2006SIS0.26 Secure Access Step 2: Forward ID/URI to PEP ASP.NET intercepts the request and forwards the subject field (containing the identity info) of PKC to Policy Enforcement Point (PEP) User PKC Web Browser ASP.NET IISWebServer Policy Enforcement Point 4. User ID ( /OU) Time/IP https request info
6/26/2006SIS0.27 Secure Access Step 3: Query Active Directory for Role Info. PEP use ID info (Canonical Name) to query AD for role info contains in the attribute certificate. IISWebServer ASP.NET Policy Enforcement Point Active Directory User PKC Web Browser PKC AC 5. User ID (CN=chow) 6. AC of User with roles (CFO/mgr)
6/26/2006SIS0.28 Secure Access Step 4: Consult PDP for Policy Decision PEP then consult Policy Decision Point (PDP) to decide whether the policies the user with such role(s) to access the resource. IISWebServer ASP.NET Policy Enforcement Point Policy Decision Point User PKC Web Browser Policies XACML 7. User ID Role Time/IP request info 8. grant/ reject
6/26/2006SIS0.29 Secure Access Step 5: Access Secure Resource Based on PDP decision, PEP informs ASP.NET to grant access or redirect with error web pages. IISWebServer ASP.NET Policy Enforcement Point User PKC Web Browser Secure Web Sites Resource 9. access/ redirect 10. access 11. Return web page
6/26/2006SIS0.210 Local switch NIC FC4 NIC Main switch Win-XP IIS Domain-controller Internet SIS Network Topology And IP assignments
6/26/2006SIS0.211 The Testbed A 4-machine testbed has been built. It contains the following: Windows server 2003 with AD (The Domain Controller). Windows server 2003 with IIS 6.0 (The web server). Windows XP (a client). Fedora Core 4 with IPtables-based firewall (A Gateway). A 4-machine testbed has been built. It contains the following: Windows server 2003 with AD (The Domain Controller). Windows server 2003 with IIS 6.0 (The web server). Windows XP (a client). Fedora Core 4 with IPtables-based firewall (A Gateway).
6/26/2006SIS0.212 The SIS Admin Tool An admin tool is being developed to provide an easy-to-use GUI for setting up the SIS environment. C# (C# Express 2005 IDE) has been used. The main three components that we have so far are: Public Key Infrastructure (PKI) setup. Privilege Management Infrastructure (PMI) setup. Certificates Management. An admin tool is being developed to provide an easy-to-use GUI for setting up the SIS environment. C# (C# Express 2005 IDE) has been used. The main three components that we have so far are: Public Key Infrastructure (PKI) setup. Privilege Management Infrastructure (PMI) setup. Certificates Management.
6/26/2006SIS0.213 PKI PMI PKI PMI Features: Creating new Certificate Authorities (CAs). Loading an existing CAs. Issuing a single digital cert (DC) and storing it in the AD, based on a GUI form. Issuing a bunch of DCs and storing them in the AD, based on a simple text file. Features: Creating new Certificate Authorities (CAs). Loading an existing CAs. Issuing a single digital cert (DC) and storing it in the AD, based on a GUI form. Issuing a bunch of DCs and storing them in the AD, based on a simple text file. Features: Creating new Attribute Authorities (AAs). Loading an existing AA. Issuing a single attribute cert (AC) and storing it in the AD, based on a GUI form. Issuing a bunch of ACs and storing them in the AD, based on a simple text file.
6/26/2006SIS0.214
6/26/2006SIS0.215 Certificates Management Check & validate a digital certificate. Revoke a digital certificate. Check & validate an attribute certificate. Revoke an attribute certificate. Check & validate a digital certificate. Revoke a digital certificate. Check & validate an attribute certificate. Revoke an attribute certificate.
6/26/2006SIS0.216
6/26/2006SIS0.217 Packages & techniques OpenSSL [ A wrapper compiled in binaries (exe file) has been used to implement the PKI part. JCE-IAIK [ A set of java APIs and implementations of cryptographic functionality that has been used to implement the PMI part. IKVM.NET [ an implementation of Java for the Microsoft.NET Framework that has been used to allow us using the IAIK java- based package in the.NET. CryptLib [ or [ a security toolkit that allows adding encryption and authentication services. * (We faced problems with it [files format & AC errors], therefore, we replaced it with the OpenSSL solution). XACML Open Source from Sun [ Sun’s open source implementation of the OASIS XACML standard, written in the JavaTM programming language. OpenSSL [ A wrapper compiled in binaries (exe file) has been used to implement the PKI part. JCE-IAIK [ A set of java APIs and implementations of cryptographic functionality that has been used to implement the PMI part. IKVM.NET [ an implementation of Java for the Microsoft.NET Framework that has been used to allow us using the IAIK java- based package in the.NET. CryptLib [ or [ a security toolkit that allows adding encryption and authentication services. * (We faced problems with it [files format & AC errors], therefore, we replaced it with the OpenSSL solution). XACML Open Source from Sun [ Sun’s open source implementation of the OASIS XACML standard, written in the JavaTM programming language.
6/26/2006SIS0.218 DemoDemo Secure web access based on role in attribute certificate Update AC when a person gets promoted Revoke AC when a person leaves the company PKC/AC management tool Secure web access based on role in attribute certificate Update AC when a person gets promoted Revoke AC when a person leaves the company PKC/AC management tool
6/26/2006SIS0.219 DiscussionDiscussion What are our next steps?