Validity Management in SPKI 24 April 2002 (author) (presentation)

Slides:



Advertisements
Similar presentations
DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.
Advertisements

Introduction of Grid Security
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
TeSSA 2 Template © 1999 Juho Heikkilä A Revocation, Validation and Authentication Protocol for SPKI Based Delegation Systems Yki.Kortesniemi, Tero.Hasu.
Access control for IP multicast T Petri Jokela
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Security Protocols in Automation Dwaine Clarke MIT Laboratory for Computer Science January 8, 2002 With help from: Matt Burnside, Todd.
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, October 2002 Marco Casassa Mont Richard.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Certificate revocation list
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
Module 9: Fundamentals of Securing Network Communication.
Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.
1 Vigil : Enforcing Security in Ubiquitous Environments Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin Presented by : Amit Choudhri.
15.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Key Management.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Security (and privacy) Larry Rudolph With help from Srini Devedas, Dwaine Clark.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Creating and Managing Digital Certificates Chapter Eleven.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Adding Distributed Trust Management to Shibboleth Srinivasan Iyer Sai Chaitanya.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
CAISO Public Key Infrastructure: Supporting Secure ICCP Leslie DeAnda Senior Information Security Analyst, Information Security, CAISO EMS Users Group.
Public Key Infrastructure. A PKI: 1. binds public keys to entities 2. enables other entities to verify public key bindings 3. provides services for management.
Key management issues in PGP
Grid Security.
Cryptography and Network Security
Authentication Applications
Adding Distributed Trust Management to Shibboleth
کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)
Grid School Module 4: Grid Security
Digital Certificates and X.509
PKI (Public Key Infrastructure)
National Trust Platform
Presentation transcript:

Validity Management in SPKI 24 April 2002 (author) (presentation)

2 Overview Access control Types of certificates (and how the type affects validation and revocation) Validation and revocation methods in SPKI SPKI validity management protocol

3 Phases of access control 3. Changing or revoking the decision 1. Expressing the decision (just once) 2. Enforcing the decision (repeatedly) 0. Making the decision

4 Access control w/certificates 3. Changing or revoking the decision 1. Expressing the decision (just once) 2. Enforcing the decision (repeatedly) 0. Making the decision Validating certificate(s) Modifying external information Writing and issuing certificate(s)

5 Types of certificates KeyAuthorization Name Authorization certificate e.g. SPKI Name or identity certificate e.g. X.509 ACL or attribute certificate Subject (person / computer / software agent) has uses

6 Identity certificates Key - Name - Authorization binding proved during validation –no anonymity Unique name required for each identity across the system –otherwise namesakes share rights –management burden Grouping of rights –revoke just one certificate

7 Authorization certificates Key - Authorization binding proved during validation –more straightforward –performance Anonymity is possible –benefits privacy of users –identity established if required (when acquiring the public key)

8 Identity certificate issuers Capable of establishing identity Considered trustworthy Typically have plenty of resources Small number of issuers (in a system) Small number of CRLs –may be practical to distribute to access control points

9 Authorization certificate issuers Anyone can be an issuer Large number of issuers Large number of CRLs –impractical to distribute in advance –obtain relevant CRLs online when required Verifier can also be the issuer –issuer arranges revocation mechanisms –verifier normally owns protected resource –control revocation to balance risk

10 Validity control in SPKI Has to be considered when issuing a certificate Validity period Online checks –CRL –reval –one-time –limit –renew

11 Lifecycle model suspendedexpired available 9. Renew – a new certificate is issued 2. Validity period OK and usage not denied by crl or reval 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used if not denied by one-time or limit 4. Usage denied by crl or reval 5. Revoked by crl or reval 6. Revoked by crl or reval

12 Validity period suspendedexpired available 2. Validity period OK 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used

13 CRL, Reval, Renew suspendedexpired available 2. Validity period OK and usage not denied by crl or reval 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used 4. Usage denied by crl or reval 5. Revoked by crl or reval 6. Revoked by crl or reval 9. Renew – a new certificate is issued

14 One-time, Limit suspendedexpired available 2. Validity period OK 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used if not denied by one-time or limit

15 Summary of methods MethodTypical use Processing overhead Revocation speed LimitQuotaHighImmediate One-time Limit usage on non-user specific factors ModerateImmediate RevalRevocationLow After current reval validity period CRLRevocationLow After current crl validity period RenewRevocationLow After current certificate expires

16 Management protocol requirements Configuration of SPKI validation server –can be done remotely All SPKI online checks supported Certificate issuer can issue commands –others need to prove permission Status information available –use of limited resource can be followed –there may be multiple entities with revocation ability

17 Management protocol design Two messages: –command –reply Command message –e.g. revoke, re-enable, change quota –static and dynamic rules Defined in XML –signed messages –requires secure transport protocol

18 Command and reply server_update cert, chain?, online_test_hash, delete_request*, test_definition*, status_query*, signature server_reply cert_hash, online_test_hash, delete_reply*, test_definition_reply*, status_reply*,service_status, signature

19 The end Questions? –(hope not)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.