Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authorization via TLS Welcome! Simon Josefsson – Security advisor to PDC/KTH Middleware Security Group Meeting Stockholm,

Published byReginald Flowers Modified over 8 years ago

Similar presentations

Presentation on theme: "Authorization via TLS Welcome! Simon Josefsson – Security advisor to PDC/KTH Middleware Security Group Meeting Stockholm,"— Presentation transcript:

1 Authorization via TLS Welcome! Simon Josefsson simon@josefsson.org – Security advisor to OMIIEurope @ PDC/KTH Middleware Security Group Meeting Stockholm, 11 June 2007

2 Authorization via TLS ● Agenda – Authentication? Authorization? – Authorization Mechanisms ● X.509 Attribute Certificates ● SAML Assertions – The TLS-AUTHZ protocol ● Protocol idea that may be applicable – Implementation in GnuTLS – Update on patent situation

3 Authentication? Authorization? ● Authentication – Prove who you are. – Typically by proving something related to a digital identity. ● Authorization – Prove that you have access to some service. – Typically depends on that you have already proven who 'you' are (i.e., authentication). ● Implementation confusion – Often both steps are implemented by the same module. Generally not a good design, leads to confusion of the two concepts.

4 Authorization Mechanisms 1/2 ● X.509 Attribute Certificates (“X.509AC”) – IETF RFC 3281. – Typically used together when X.509 Certificates are used for authentication. – May contain group membership, role, or other authorization information associated with the indicated AC holder. – Useless unless you know you are talking, over a secure channel, to the AC holder!

5 Authorization Mechanisms 2/2 ● SAML Assertions (“SAMLAssert”) – OASIS – XML-based markup language

6 ● Discussion: Are these authorization mechanisms sufficient?

7 The TLS-AUTHZ Protocol ● Flexible authorization framework for TLS. ● Client and server negotiate the framework and the authorization method(s) to use – Allows X.509AC and SAMLAssert today, extensible typed-hole to add other authorization mechanisms for the future. – Supports BOTH X.509AC and SAMLAssert. ● Allows you to use X.509AC for authorization against one client, and SAMLAssert against another. – Allows simple transition between one technology to another.

8 The TLS-AUTHZ Protocol ● Why? – Removes the need to specify a protocol on top of TLS to implement authorization services. – Standard method, supports any authorization framework. – Clearly separates authentication from authorization conceptually.

9 The TLS Protocol ClientHello (w/ extensions) --------> ServerHello (w/ extensions) Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data Application Data

10 The TLS-AUTHZ Protocol ClientHello (w/ extensions) --------> client_authz: x509ac, samlassert,... server_authz: x509ac, samlassert,... ServerHello (w/ extensions) client_authz: x509ac, samlassert,... server_authz: x509ac, samlassert,... SupplementalData* x509ac data samlassert data Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone SupplementalData* x509ac data samlassert data Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data Application Data

11 Implementation in GnuTLS /* Authorization extensions, RFC xxxx. */ typedef enum { GNUTLS_AUTHZ_X509_ATTR_CERT = 1, GNUTLS_AUTHZ_SAML_ASSERTION = 2, GNUTLS_AUTHZ_X509_ATTR_CERT_URL = 3, GNUTLS_AUTHZ_SAML_ASSERTION_URL = 4 } gnutls_authz_data_format_type_t; typedef int (*gnutls_authz_recv_callback_func) (gnutls_session_t session, const int *authz_formats, gnutls_datum_t *infos, const int *hashtypes, gnutls_datum_t *hash); typedef int (*gnutls_authz_send_callback_func) (gnutls_session_t session, const int *client_formats, const int *server_formats); void gnutls_authz_enable (gnutls_session_t session, const int *client_formats, const int *server_formats, gnutls_authz_recv_callback_func recv_callback, gnutls_authz_send_callback_func send_callback); int gnutls_authz_send_x509_attr_cert (gnutls_session_t session, const char *data, size_t len); int gnutls_authz_send_saml_assertion (gnutls_session_t session, const char *data, size_t len);

12 Legal trouble ● Unfortunately, there is a patent application that covers these authorization ideas. ● Hopefully the application will not be approved. ● The owner has a 'patent license' on file with the IETF that gives you some rights if you abandon other rights. – Double and triple check with a lawyer before signing anything!

13 Standardization trouble ● The draft may not get published via the IETF due to the legal troubles. ●..however, there is prior art: Stephen Farrell proposed draft- ietf-tls-attr-cert in 1998.

14 Way forward ● Discussion: Do you think the protocol is useful? We can propose a new document based on Stephen Farrel's older protocol.

15 The End ● Thank you for listening! ● Comments or questions: – Simon Josefsson simon@josefsson.org

Download ppt "Authorization via TLS Welcome! Simon Josefsson – Security advisor to PDC/KTH Middleware Security Group Meeting Stockholm,"

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
A Survey of WAP Security Architecture Neil Daswani

A Survey of WAP Security Architecture Neil Daswani
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Secure password-based cipher suite for TLS: The importance of end-to-end security Marie L.S. Dumont CS 265.

Secure password-based cipher suite for TLS: The importance of end-to-end security Marie L.S. Dumont CS 265.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
11 Secure Sockets Layer (SSL) Protocol (SSL) Protocol Saturday, 08.05. 2010 University of Palestine Applied and Urban Engineering College Information Security.

11 Secure Sockets Layer (SSL) Protocol (SSL) Protocol Saturday, University of Palestine Applied and Urban Engineering College Information Security.
Masud Hasan 03-60-475 SecueEmail VS Hushmail Project 2.

Masud Hasan Secue VS Hushmail Project 2.
Secure Socket Layer (SSL)

Secure Socket Layer (SSL)
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
KAIS T Security architecture in a multi-hop mesh network Conference in France, 2006 2006. 9. 26. Presented by JooBeom Yun.

KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
Proposed Transport Layer Security (TLS) Evidence Extensions Russ Housley IETF 67 – TLS WG Session.

Proposed Transport Layer Security (TLS) Evidence Extensions Russ Housley IETF 67 – TLS WG Session.
1 /10 Pascal URIEN, IETF 66 h, Wednesday July 12 th,Montreal, Canada draft-urien-badra-eap-tls-identity-protection-00.txt

1 /10 Pascal URIEN, IETF 66 h, Wednesday July 12 th,Montreal, Canada draft-urien-badra-eap-tls-identity-protection-00.txt
Emergency Contacts (ECON) draft-hardie-ecrit-iris-03 Andrew Newton, VeriSign Ted Hardie, Qualcomm Hannes Tschofenig, Siemens Andrew Newton IETF ECRIT Working.

Emergency Contacts (ECON) draft-hardie-ecrit-iris-03 Andrew Newton, VeriSign Ted Hardie, Qualcomm Hannes Tschofenig, Siemens Andrew Newton IETF ECRIT Working.

Similar presentations

Ads by Google