International Telecommunication Union, Geneva, 9(pm)-10 February 2009: Identification Services as provided by directories (X.500 incl. X.509), Erik Andersen
International Telecommunication Union
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
Geneva, 9(pm)-10 February 2009

Identification Services as provided by directories (X.500 incl. X.509)
Erik Andersen, Consultant, Andersen's L-Service, Q.11/17 Rapporteur

Why listen to this presentation?
- How identification services relate to security
- How directories relate to identification services
- Why X.500 (and LDAP) is an obvious answer to identification services

About the X.500 directory specification
- First edition in 1988
- Under continuous expansion since then to meet new requirements
- Developed in collaboration with ISO/IEC JTC1/SC6
- Within ISO/IEC known as the ISO/IEC 9594 multipart standard
- Many highly skilled people have participated over the years

About the X.500 directory specification (cont.)
- Six editions so far; the seventh edition is on its way
- Consists of 10 parts (incl. X.509)
- Defines a naming structure that allows unique naming of all entities
- Support for distribution and replication
- Lightweight Directory Access Protocol (LDAP) is a dear child of X.500 (it uses the X.500 model)

Identity and security
IT security comprises many things:
- Physical attacks
- Hacker attacks
- Spam
- Denial of service
- Fraud by employees
- Identity-related security issues

Identity-related security issues
Related to:
- Information about people and other entities
- Access to systems and services
- Accounts
- Authorisation
- Software code

Identity Management (IdM)
- Identity Management (IdM) includes identification services
- It is much in focus within ITU-T Study Group 17 and other committees
- Considered an important aspect of Next Generation Networks (NGN)
- Not a new issue

X.500 is (part of) IdM
- We have been in the Identity Management (IdM) business since 1984
- We got a head start!

Butler Group report
- X.500/LDAP is the basis for most current IdM implementations
- In the industry this is often called Identity and Access Management (IAM)

Butler Group list
- Aladdin, BMC, Bull Evidian, CA, Entrust, IBM, Microsoft, Novell, Oracle, RSA, Sun
- They all use LDAP as a major component in their IdM solutions
- X.509 also plays a major role for authentication

Other vendors
- Isode, Siemens, eB2Bcom, Critical Path, etc.

The requirement for authentication
- Before giving access to services and information, the identity of the accessing entity must be established
- There are different levels of authentication
- The required level depends on:
  - The sensitivity of the service or information
  - Whether the access is an interrogation or an update

Scope of X.500 identity services
- Storage of identity information
- Protection of the information in the directory
- Use of X.509 capabilities outside directories (e.g. required by SSL, used by SAML2, etc.)

Storing identity information in the Directory Information Tree
[Figure: a Directory Information Tree. Below Root are c=DK and c=GB; below c=DK are o=Fallit A/S (with ou=Salg and ou=Udvikling) and o=ALS; below c=GB is o=Broke Ltd. Leaf entries shown include cn=Ole Jensen and cn=Per Yde; each entry represents an object. The name of the entry for Ole Jensen under ou=Salg is the chain of relative names from the entry up to the root:]
Name = { cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK }

Protecting Directory Identity Information

Levels of authentication
X.500 allows the following means of authentication:
- None
- Directory name
- Directory name and password
- Simple Authentication and Security Layer (SASL) (also used by LDAP)
- SPKM (Simple Public-Key Mechanism)
- Strong authentication (use of X.509)

Use of passwords
- Passwords are widely used for identity authentication
- If transmitted over an encrypted connection (e.g. SSL) and stored encrypted in the directory, a password gives reasonable protection in many situations
- Work on password management and policy is in progress within X.500, to be ported to LDAP as well

Strong authentication
- Based on electronic signatures
- Requires the presence of a Public Key Infrastructure (PKI)
- ITU-T X.509 is the key specification here

Access control for directory information
- Who may do what, or not do what, based on the level of authentication
- Who:
  - Owner of the information
  - Specific user
  - User group
  - All users
  - Subtree (specific name structure)
- What:
  - All information about an entity
  - Fragments
- LDAP has no access control
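The two slides above (the Directory Information Tree and access control by authentication level) as one added example; this is illustration code written for this transcript, not anything from the presentation or from an X.500 product. It parses the slide's distinguished names into RDNs, decides subtree membership by suffix matching from the root end, and evaluates a small closed access-control policy whose "who" is a user subtree (or all users), whose "what" is a whole entry or a set of attributes, and which only applies at or above a minimum authentication level. The rule shapes, the authentication-level ordering and the lower-casing of RDNs are simplifications assumed here.

```go
package main

import "strings"

// ParseDN splits "cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK" into lower-cased RDNs, leaf first.
func ParseDN(dn string) []string {
	var rdns []string
	for _, part := range strings.Split(dn, ",") {
		if p := strings.TrimSpace(part); p != "" {
			rdns = append(rdns, strings.ToLower(p))
		}
	}
	return rdns
}

// InSubtree: entry is at or below base when base's RDNs (root end) are a suffix of entry's ("" = root).
func InSubtree(entry, base string) bool {
	e, b := ParseDN(entry), ParseDN(base)
	if len(b) > len(e) {
		return false
	}
	return strings.Join(e[len(e)-len(b):], ",") == strings.Join(b, ",")
}

// AuthLevel orders the "Levels of authentication" slide from weakest to strongest (assumed ordering).
type AuthLevel int
const (
	AuthNone AuthLevel = iota
	AuthName
	AuthPassword
	AuthStrong // X.509 strong authentication
)
// Rule grants Op ("read" or "modify") on Attrs (nil = the whole entry) of entries
// under Scope to users under UserBase ("" = all users) at level MinAuth or above.
type Rule struct {
	UserBase, Scope, Op string
	Attrs               map[string]bool
	MinAuth             AuthLevel
}
// Permit is a closed policy: an operation is allowed only when some rule grants it.
func Permit(rules []Rule, user string, auth AuthLevel, op, entry, attr string) bool {
	for _, r := range rules {
		userOK := r.UserBase == "" || InSubtree(user, r.UserBase)
		attrOK := r.Attrs == nil || r.Attrs[attr]
		if auth >= r.MinAuth && op == r.Op && InSubtree(entry, r.Scope) && userOK && attrOK {
			return true
		}
	}
	return false
}
```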

Levels of protection
- Anything goes
- Protection of individual entries based on right-to-know (traditional access control)
- Protection of individual entries based on right-to-know and need-to-know (service view)
- Protection against information trawling
- Protection against devious searches

Protection by X.509

Basic X.509 concepts
- Public-key concept
- Public-Key Infrastructure (PKI)
- Privilege Management Infrastructure (PMI)
- Certificates:
  - Public-key certificates (part of PKI)
  - Attribute certificates (part of PMI)
- Digital signatures

Public-key concept
[Figure: two parties, A and B, each holding a key pair. One direction: encryption using A's private key, decryption using A's public key. The other direction: encryption using B's public key, decryption using B's private key.]

Digital signature
- Verifies the sender
- Ensures the integrity of the message
- Signing of: messages, software code, documents, etc.
[Figure: DATA passes through the signature algorithms (hashing plus encryption with the private key) to produce the signature.]
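The hash-then-sign step of the slide, as an added example that is not from the presentation: the document is hashed with SHA-256 and the digest is signed with the sender's private key; the receiver recomputes the digest and checks it against the claimed sender's public key. ECDSA over P-256 is assumed as the signature algorithm, and the document text and party names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Sign hashes the document and signs the digest with the sender's private key.
func Sign(priv *ecdsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest and checks the signature against the claimed
// sender's public key; a changed document or a different signer both fail.
func Verify(pub *ecdsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo reports whether the genuine message verifies, whether a modified
// message still verifies (integrity), and whether another party's signature
// passes as the sender's (sender verification). Keys are generated fresh.
func Demo() (genuine, tampered, impostor bool) {
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	mallory, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte("Transfer 100 DKK to Ole Jensen") // constructed sample document
	sig, err := Sign(alice, doc)
	if err != nil {
		return false, true, true
	}
	forged, _ := Sign(mallory, doc)
	genuine = Verify(&alice.PublicKey, doc, sig)
	tampered = Verify(&alice.PublicKey, []byte("Transfer 900 DKK to Ole Jensen"), sig)
	impostor = Verify(&alice.PublicKey, doc, forged)
	return genuine, tampered, impostor
}
```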

Certifying the identity using public-key certificates
[Figure: Certification Authority]

Checking the credentials
- A passport is a type of certificate binding a picture to an ID
- It has to be issued by a trustworthy authority
- A passport may be false
- It is checked by the "service provider", also called the relying party
- A certificate is issued by a Certification Authority (CA)

X.509 at work - 1

X.509 at work - 2

Establishing the infrastructure
- To validate a certificate, a Public-Key Infrastructure (PKI) is required:
  - To establish a trust anchor
  - To establish a repository for revoked certificates
- X.509 provides a framework for PKI
- Supplementary specifications are required
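The relying-party check from the two slides above (credentials checked against a trustworthy issuer; a trust anchor plus a revocation repository), as an added example that is not from the presentation: a self-signed CA acts as the trust anchor, it issues a certificate for the naming slide's Ole Jensen, and the relying party accepts the certificate only if its serial is not revoked and the chain ends at the configured anchor. The CA name "Fallit CA", the serial numbers, the P-256 keys and the map standing in for the revocation repository are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue is the CA's issuing step: sign tmpl with signer (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildPKI creates a self-signed CA (the trust anchor) and a certificate for Ole Jensen signed by it.
func BuildPKI() (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject:      pkix.Name{Country: []string{"DK"}, Organization: []string{"Fallit A/S"}, CommonName: "Fallit CA"},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject:      pkix.Name{Country: []string{"DK"}, Organization: []string{"Fallit A/S"}, OrganizationalUnit: []string{"Salg"}, CommonName: "Ole Jensen"},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return ca, issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
}

// RelyingPartyCheck: serial not in the revocation repository, and chain ends at the trust anchor.
func RelyingPartyCheck(cert, anchor *x509.Certificate, revoked map[string]bool) bool {
	if revoked[cert.SerialNumber.String()] {
		return false
	}
	roots := x509.NewCertPool() // empty pool: only the anchor added here is trusted
	roots.AddCert(anchor)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```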

PKI forums and peer groups
- Electronic Signatures and Infrastructures (ESI) by ETSI
- Certification Authority/Browser Forum
- Public-Key Infrastructure (X.509) (PKIX) within IETF

Privilege management
- Attribute certificates are used for assigning privileges to the holder of the certificate
- The holder is identified, e.g., by a pointer to a public-key certificate
- An attribute certificate is issued by an Attribute Authority (AA)
- A special Privilege Management Infrastructure (PMI) may be established
- Recent work allows privileges established in one domain to be applied in other domains

The challenges
- Extending X.500 support to meet new identity management requirements
- Making the community aware of the X.500 capabilities
- Getting new blood into the process
- At times up against the NIH syndrome (NIH: Not Invented Here)

Where to go
- The central source for information on the X.500 Directory Standard.
- Identity Management
- X.500