The EC PERMIS Project
David Chadwick


Traditional Applications
Authentication and Authorisation are internal to the application
- Username/password lists and access control lists are kept inside each application
- Multiple passwords and multiple usernames: confusion!!
- Multiple administrators, high cost of administration
- No overall security policy

Enter PKI
Authentication is external to the application: the user's digital signature is checked by the application gateway against the Public Key Infrastructure
- Access control lists are still kept inside the application
- One password or PIN (to access the private key): happy users!
- Still multiple administrators and a high cost of administration
- Still no overall security policy

Enter PMI
Authentication and authorisation are both external to the application: the application gateway checks the digital signature against the Public Key Infrastructure and asks the Privilege Management Infrastructure for the access decision
- One password or PIN (to access the private key): happy users!
- Fewer administrators, lower cost of administration
- An overall security policy

What PERMIS is not
- It is not an AAA system: it does not help in authenticating users, or in accounting
- It does not try to replace PKI, Shibboleth or other institution-based or inter-realm authentication mechanisms
- It is not a protocol for carrying authentication/authorisation tokens, e.g. SAML, PAPI, HTTP

What PERMIS is
- It is a policy-based authorisation system, a PMI, that uses X.509 attribute certificates to hold roles/attributes
- It can work with any and every authentication system (Shibboleth, PAPI, Kerberos, PKI, username/password, etc.)
- Given a username (a DN), a target and an action, it says whether the user is granted or denied access, based on the policy for the target
- The policy is role/attribute based, i.e. users are given roles/attributes, and roles/attributes are given permissions to access targets
- The policy is written in XML; it is similar to XACML, but simpler and produced earlier
- It can work in push or pull mode (attributes are sent to PERMIS, or PERMIS fetches them itself)

Compliance Checker / Policy Enforcement Point: the X.812 | ISO Access Control Framework
- The Initiator (at the user's site) submits an access request across the Internet to the AEF (at the target site)
- The AEF sends a decision request to the ADF and receives a decision back
- If the decision is grant, the AEF presents the access request to the Target
- AEF = application-dependent Access control Enforcement Function
- ADF = application-independent Access control Decision Function

PERMIS API System Structure
- The Initiator submits an access request to the AEF, which authenticates the initiator via an Authentication Service (PKI)
- The AEF sends a decision request through the PERMIS PMI API to the ADF (the PERMIS API implementation) and receives the decision; if granted, it presents the access request to the Target
- Pull mode: the ADF itself retrieves the policy and the role ACs from LDAP directories
- Push mode: the AEF retrieves the role ACs and passes them to the ADF with the decision request

Integration with the GRID
- The user sends the access request to the GRID application gateway over TLS; the gateway checks the signature against the PKI
- The gateway passes the user's DN plus the access request to the ADF (the PERMIS API implementation, via the PERMIS PMI API)
- The ADF retrieves the policy and the role ACs from LDAP directories (pull mode) and returns grant/deny; the gateway then presents the access request to the Target

Integration with the CAS
- The user sends a CAS request to the CAS Server, which consults its CAS policy DB and returns a capability containing the user's attributes/roles
- The user sends the access request, with the capability, to the GRID application gateway; the gateway checks the signature on the capability against the PKI
- The gateway sends a decision request plus the attributes/roles to the ADF (push mode); the ADF retrieves only the policy from the LDAP directory
- The ADF returns grant/deny and the gateway presents the access request to the Target

Integration with Shibboleth
1. The user sends the request to the Resource Gateway (SHIRE/SHAR)
2. The SHIRE redirects the user to the WAYF
3. The WAYF redirects the user to the Handle Server (HS) at the user's home site
4. The HS returns a handle to the user
5. The user presents the handle to the SHIRE
6. The SHAR sends an AQM (attribute query message) with the handle to the AA Server at the home site, which holds the user's attributes in LDAP
7. The AA Server replies with an ARM (attribute response message) carrying attributes or ACs
8. The Resource Gateway passes the attributes or ACs to the ADF (the PERMIS API implementation), which evaluates them against the Target's policy
9. The ADF returns grant/deny

Integration with PAPI
- The user authenticates to the PAPI Authentication Server, which holds the signing keys and issues the Hcook and Lcook cookies
- The user presents the cookies to the GPoA, which passes the Hcook data on to the PoA with a 302 redirect
- The PoA extracts the user's DN from the cookie and sends it, with the access request, to the ADF (the PERMIS API implementation, via the PERMIS PMI API)
- The ADF retrieves the policy and the role ACs from LDAP directories (pull mode) and returns granted/denied

Integration with A-Select
1. The Initiator submits the access request to the AEF (the A-Select Agent)
2. The Agent redirects the user to the local A-Select Server (AS)
3. The A-Select Server redirects the user to the chosen authentication server (a local or a remote Authentication Service Provider)
4. The user authenticates
5. The A-Select Server, using its user database (UDB), provides a ticket
6. The Agent sends the user's DN plus the request to the ADF (the PERMIS API implementation), which retrieves the policy and the role ACs from LDAP directories (pull mode) and returns grant/deny; if granted, the AEF presents the access request to the Target

Integration with Username/Password over SSL
- The user sends username/password over SSL to the application gateway, which holds an SSL server certificate
- The gateway looks the username/password up in its UN/PW/DN DB to obtain the user's DN
- The gateway sends the DN plus the action to the ADF (the PERMIS API implementation, via the PERMIS PMI API)
- The ADF retrieves the policy and the user's roles/attributes (role ACs) from LDAP directories (pull mode) and returns grant/deny; the gateway then presents the request to the Target

Distributed Management: Entities Involved
- The Target SOA writes the policy and stores it in an LDAP directory
- Site-based SOAs issue attribute certificates to their users and store them in their own LDAP directories
- The application gateway calls the ADF (the PERMIS API implementation, via the PERMIS PMI API)
- Pull mode: the ADF fetches the ACs from the sites' LDAP directories; push mode: the application gateway supplies them with the decision request

PERMIS Trust Model
- The Target/Resource is the root of trust (the Source Of Authority, SOA) for access to itself
- The Target is configured with its SOA's name at start-up
- The policy is signed by the SOA (PERMIS checks this)
- The SOA says in the policy which remote SOAs it trusts to allocate roles, what roles they can allocate, and what access rights are given to each role
- The remote SOAs authenticate the users and allocate roles to them

PERMIS Policy Components
- Subject Policy: specifies subject domains based on LDAP subtrees
- Role Hierarchy Policy: specifies the hierarchy of role values
- SOA Policy: specifies who is trusted to issue ACs
- Role Assignment Policy: says which roles can be given to which subjects by which SOAs, with which validity times and whether delegation is allowed

PERMIS Policy Components (cont)
- Target Policy: specifies the target domains covered by this policy, using LDAP subtrees
- Action Policy: specifies the actions (operations) supported by the targets, along with their allowed operands
- Target Access Policy: specifies which roles are needed to access which targets for which actions, and under what conditions
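As an added example (not code from the PERMIS project, whose policy is XML and whose ADF is a Java API), the following Python models the ADF described under "PERMIS API System Structure" together with the trust model and the policy components listed above. A plain dict stands in for the XML policy, role ACs are reduced to the fields the decision needs, and the decision function enforces the trust model (only ACs from SOAs the target's policy trusts count, and only for roles that SOA may assign in the holder's subject subtree), walks the role hierarchy, and applies the target, action/operand and condition checks, in both push and pull mode. Every DN, role, target, AC and directory entry is constructed for the example; signature checks on the policy and on the ACs are assumed to have been done by the PKI layer before the ADF is called.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


# --- LDAP subtree test used by the Subject, Target and Role Assignment policies ---
def _rdns(dn):
    """Split a DN into lower-cased RDNs, most specific first."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def in_subtree(dn, base):
    """True if dn is base itself or lies beneath base in the directory tree."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


@dataclass(frozen=True)
class RoleAC:
    """An X.509 role attribute certificate reduced to the fields the ADF uses.
    Constructed data; the signature is assumed to have been verified already."""
    holder: str
    issuer: str
    role: str
    not_before: datetime
    not_after: datetime


# Constructed policy dict standing in for the PERMIS XML policy; all names are hypothetical.
POLICY = {
    # Subject Policy: who is covered at all
    "subject_domains": ["ou=staff,o=salford,c=gb", "o=kent,c=gb"],
    # Role Hierarchy Policy: a role inherits every role it maps to
    "role_hierarchy": {"manager": ["employee"], "employee": []},
    # SOA Policy: issuers whose ACs are trusted at all
    "trusted_soas": ["cn=hr,o=salford,c=gb", "cn=soa,o=kent,c=gb"],
    # Role Assignment Policy: issuer -> (subject subtree, roles it may assign there)
    "role_assignment": {
        "cn=hr,o=salford,c=gb": [("ou=staff,o=salford,c=gb", {"manager", "employee"})],
        "cn=soa,o=kent,c=gb": [("o=kent,c=gb", {"employee"})],
    },
    # Target Policy
    "target_domains": ["cn=tenders,o=salford,c=gb"],
    # Action Policy: action -> allowed operands
    "actions": {"read": set(), "submit": {"amount"}},
    # Target Access Policy: roles -> targets/actions, optionally under a condition
    "target_access": [
        {"roles": {"employee"}, "targets": ["cn=tenders,o=salford,c=gb"], "actions": {"read"}},
        {"roles": {"manager"}, "targets": ["cn=tenders,o=salford,c=gb"], "actions": {"submit"},
         "condition": lambda args: args["amount"] <= 10000},
    ],
}


def valid_roles(user_dn, acs, policy, now):
    """Keep only roles from ACs the trust model accepts: held by this user, issued by a
    trusted SOA, within that SOA's assignment rights for the user's subtree, and in date."""
    if not any(in_subtree(user_dn, s) for s in policy["subject_domains"]):
        return set()
    roles = set()
    for ac in acs:
        if ac.holder.lower() != user_dn.lower() or ac.issuer not in policy["trusted_soas"]:
            continue
        if not ac.not_before <= now <= ac.not_after:
            continue
        for subtree, allowed in policy["role_assignment"].get(ac.issuer, []):
            if in_subtree(user_dn, subtree) and ac.role in allowed:
                roles.add(ac.role)
    return roles


def expand_roles(roles, hierarchy):
    """Transitive closure over the role hierarchy (manager -> employee -> ...)."""
    seen, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(hierarchy.get(r, ()))
    return seen


def decide(user_dn, target_dn, action, args, acs, policy=POLICY, now=None):
    """The ADF in push mode: the caller (AEF) supplies the ACs. Returns True for grant."""
    now = now or datetime.now(timezone.utc)
    if not any(in_subtree(target_dn, t) for t in policy["target_domains"]):
        return False  # target not covered by this policy
    if action not in policy["actions"] or set(args) - policy["actions"][action]:
        return False  # unknown action, or an operand the Action Policy does not allow
    roles = expand_roles(valid_roles(user_dn, acs, policy, now), policy["role_hierarchy"])
    for rule in policy["target_access"]:
        if (action in rule["actions"] and roles & rule["roles"]
                and any(in_subtree(target_dn, t) for t in rule["targets"])):
            cond = rule.get("condition")
            if cond is None or cond(args):
                return True
    return False


def decide_pull(user_dn, target_dn, action, args, directory, policy=POLICY, now=None):
    """The ADF in pull mode: it fetches the holder's ACs itself. `directory` stands in
    for the LDAP directories (a dict of DN -> list of RoleAC)."""
    return decide(user_dn, target_dn, action, args, directory.get(user_dn.lower(), []), policy, now)


# Constructed ACs and a constructed directory for the usage below
NOW = datetime(2003, 6, 1, tzinfo=timezone.utc)
Y2003, Y2004 = datetime(2003, 1, 1, tzinfo=timezone.utc), datetime(2004, 1, 1, tzinfo=timezone.utc)
ALICE, BOB, MALLORY = "cn=alice,ou=staff,o=salford,c=gb", "cn=bob,o=kent,c=gb", "cn=mallory,o=kent,c=gb"
TENDERS = "cn=tenders,o=salford,c=gb"
DIRECTORY = {
    ALICE: [RoleAC(ALICE, "cn=hr,o=salford,c=gb", "manager", Y2003, Y2004)],
    BOB: [RoleAC(BOB, "cn=soa,o=kent,c=gb", "employee", Y2003, Y2004)],
    # Kent's SOA is not trusted to assign "manager", so this AC must be ignored
    MALLORY: [RoleAC(MALLORY, "cn=soa,o=kent,c=gb", "manager", Y2003, Y2004)],
}

if __name__ == "__main__":
    print(decide_pull(ALICE, TENDERS, "submit", {"amount": 5000}, DIRECTORY, now=NOW))  # True
    print(decide_pull(MALLORY, TENDERS, "read", {}, DIRECTORY, now=NOW))  # False
```

The point of the Mallory case is the one the trust model makes: an AC from a trusted SOA is still worthless if that SOA is not permitted by the Role Assignment Policy to hand out that role to that subject subtree, so a compromised or over-generous remote SOA cannot escalate beyond what the target's own SOA wrote into its policy.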

Current Applications
- E-tendering at Salford City Council
- E-planning at Bologna Comune
- Access to the car-parking fines database at Barcelona City
- Electronic Transfer of Prescriptions at the University of Salford