Privilege Management in X.509 (2000)
David W Chadwick BSc PhD, TrueTrust Ltd
14 May 2002. © 2000-02 TrueTrust Ltd
Slide 2: X.509 Evolution
- X.509 (1988): v1 public-key certificates and CRLs
- X.509 (1993): v2 public-key certificates and revised v1 CRLs
- X.509 (1997): v3 public-key certificates, v2 CRLs and v1 attribute certificates
- X.509 (2000): v3 public-key certificates and v2 CRLs with additional extensions, plus v2 attribute certificates and the Privilege Management Infrastructure (PMI)

Slide 3: Assigning and Delegating Privileges
- The Resource Owner assigns a privilege to a Privilege Holder: "I authorise this Privilege Holder to use this resource in the following ways", signed by the Resource Owner.
- The Privilege Holder delegates a narrower privilege to an End User: "I delegate authority to this End User to use this resource in this limited way", signed by the Privilege Holder.
- The End User is then itself a Privilege Holder.

Slide 4: Privilege Checking
- The End User (a Privilege Holder) issues a command, i.e. asserts a privilege: "Please purchase this product from company X", signed by the End User.
- The Privilege Verifier has to answer: "Is this user authorised to purchase these goods?"

Slide 5: Traditional Applications
Authentication and authorisation are internal to the application, held in username/password lists and access control lists. Consequences:
- multiple usernames and multiple passwords for each user: confusion
- multiple administrators and a high cost of administration
- no overall security policy

Slide 6: Enter PKI
Authentication is external to the application: the user signs digitally, and the Public Key Infrastructure and an application gateway verify the signature. Authorisation stays inside the application, in access control lists.
- one password or PIN to access the private key: happy users
- but still multiple administrators, a high cost of administration and no overall security policy

Slide 7: Enter PMI
Authentication and authorisation are both external to the application: digital signature, Public Key Infrastructure, application gateway and a Privilege Management Infrastructure.
- one password or PIN to access the private key: happy users
- fewer administrators and a lower cost of administration
- an overall security policy

Slide 8: X.509 PMI Entities
- The Source of Authority (SOA) assigns privileges to an Attribute Authority (AA).
- The AA delegates privileges to a Privilege Holder.
- The Privilege Holder asserts a privilege to the Privilege Verifier.
- The Privilege Verifier trusts the SOA.

Slide 9: Traditional Implementation
Discretionary Access Controls:
- users may optionally be given access to resources by the resource holder
- the privileges are usually held in Access Control Lists in the resource
- the ACL can be organised either user first or privilege first
User first:
  User1: r, w, e, d
  User2: r, e
  User3, User4: r
Privilege first:
  r: User3, User4
  r, e: User2
  r, w, e, d: User1

Slide 10: DAC with X.509 Attribute Certificates
- The user (holder) is given an Attribute Certificate (AC) that strongly binds his or her name to the privileges being granted.
- The AC is signed by the Attribute Authority (the resource owner or its delegate).
- It is similar in structure to an X.509 v3 public-key certificate, but carries a sequence of attributes rather than a public key.
- Because the AC is signed and self-contained, it can be stored anywhere (for example in a directory) without relying on the store to protect its integrity.

Slide 11: Similarities of PKIs and PMIs
  Privilege Management Infrastructure (PMI)    Public Key Infrastructure (PKI)
  Source of Authority                          Root CA / Trust Anchor
  Attribute Authority                          Certification Authority
  Attribute Certificate                        Public Key Certificate
  Attribute Certificate Revocation List        Certificate Revocation List
  Attribute Authority Revocation List          Authority Revocation List

Slide 12: X.509 attributeCertificateAttribute
The attributeCertificateAttribute attribute type holds AttributeCertificate values. Each one is a SIGNED SEQUENCE of:
- the version number of this AC (v1 in X.509 (1997); v2 in X.509 (2000))
- the holder (see next slide)
- the General Name of the AA issuing this AC, plus an optional unique id and public-key certificate serial number
- the identifier of the algorithm used to sign this AC
- the serial number of this AC, unique for this issuer
- the validity period of this AC
- the sequence of attributes being bound to the holder
- any optional extensions

Slide 13: Attribute Certificate Holder
Either:
- the General Name of the holder, or
- the holder of a private signing key, pointed to via the corresponding X.509 public-key certificate, identified by:
  - the General Name of the CA that issued the public-key certificate, and
  - the certificate serial number

Slide 14: General Names
- otherName: any name of any form
- rfc822Name: e-mail address as per RFC 822
- dNSName: Internet domain name as per RFC 1035
- x400Address: O/R address as per X.411
- directoryName: directory name as per X.501
- ediPartyName: format agreed between EDI partners; consists of the name of the EDI naming authority and the name of the EDI party
- uniformResourceIdentifier: for the WWW, as per RFC 1630
- iPAddress: Internet Protocol address as per RFC 791
- registeredID: any object identifier registered as per X.660 | ISO

Slide 15: Version 2 Attribute Certificates
- The holder and/or the issuer can be identified by a hash value:
  - of their public-key certificate (or of the public key itself), or
  - if the holder or issuer is a software object, e.g. an applet, of the object itself.
- The relying party authenticates the holder and/or the issuer directly: it recalculates the hash over the certificate or object it has been presented with and compares the result with the value in the AC.

Slide 16: Role Based Privilege Management
- Can simplify the management of privileges.
- People are given a role, and they inherit the privileges assigned to the role.
- Many people can hold the same role, e.g. member of project team A.
- Implemented as Role Based Access Controls.

Slide 17: Assigning Privileges to Roles in X.509
- Have a Role Specification Attribute Certificate that assigns privileges to a role (the holder is a role name).
- Then assign roles to people, using the role attribute, either:
  - add a role to the public-key certificate of the subject, in the subjectDirectoryAttributes extension, or
  - give the person a Role Assignment Certificate (an AC that assigns a role to its holder).
- Role membership and role privileges can then be administered separately if wanted.

Slide 18: Extensions to Attribute Certificates
- Basic privilege management: information about the privilege being asserted
- Privilege revocation: location of revocation information
- Roles: location of role specification certificates
- Source of Authority: information about the SOA
- Delegation: constraints on the delegation of the privileges

Slide 19: Privilege Revocation Extensions
- The CRL distribution points extension points to where the ACRL(s) for this AC will be found:
  - different ACs can be posted to different lists, or
  - ACs can be posted to different lists according to the reason for their revocation.
- The no revocation extension is for short-lived privileges that will not be revoked during their validity period. It can only be present in privilege holder certificates, not in AA certificates.

Slide 20: Privilege Control Model
The Privilege Asserter sends a service request (an object method) to the Privilege Verifier. The Privilege Verifier decides using the privilege policy, environmental variables, the resource being protected (the object), and the certificates and CRLs it retrieves from the directory.

Slide 21: Bootstrapping the Privilege Verifier
The resource (privilege verifier) must have available to it:
- the root of trust of the PKI (the public key of the root CA)
- the root of trust of the PMI (the public key of the Source of Authority, or a valid public-key certificate for it)
- the privilege policy (the rules for handling privileges)
- local variables, e.g. time of day, account balances
- access to revocation information and certificate chains

Slide 22: Verifying Claimed Privilege
- The Root CA signs the public-key certificates of Alice, Bill and Bob, who play the roles of SOA, AA and privilege holder.
- The SOA issues an AC to the AA; the AA issues an AC to the holder; the holder issues a signed command to the Privilege Verifier.
- The Privilege Verifier checks all the signatures, checks the delegation of privileges down the chain, and checks that the asserted privilege is sufficient for the command.

Slide 23: Further Standardisation Work of SG 17 Q.9
- Friends attributes in X.501 and X.511
- Distributed paged results service in X.518
- Related entries in X.501, X.511 and X.518
- Alignment with the IETF LDAP standards
- Defect reports across the entire X.500 series