DataPower Security Details: Crypto Objects and AAA


1 DataPower Security Details: Crypto Objects and AAA
DataPower Appliances Business Unit, AIM/SWG
Jonathan Wenocur
Confidential | June 20, 2006

2 Crypto Objects
The main objects:
- Crypto Key (“key”)
- Crypto Certificate (“cert”)
- Crypto Identification Credentials (“identcred”, “idcred”)
- Crypto Validation Credentials (“valcred”)
- Crypto Profile
- SSL Proxy Profile
Less used objects:
- Crypto Shared Secret Key (“sskey”)
- Crypto Firewall Credentials (“fwcred”)

3 Crypto Objects: Crypto Key
- A private key
- Configured from a file on the flash:
  - PEM: password possible
  - DER
  - PKCS#8: for private keys; password possible
  - PKCS#12: key and cert; contains PKCS#7 and PKCS#8; password possible
- Located in cert:, sharedcert: (protected directories: writable, not readable)
- HSM key: located on the HSM; virtual location “hsm:”
- Password-map: CLI only
- keygen: generates a key on the appliance (CLI)

4 Crypto Objects: Crypto Certificate
- A public key (an X.509 certificate)
- Configured from a file:
  - PEM
  - DER
  - PKCS#7
  - PKCS#12: password possible (contains keys and certs)
- Located in cert:, sharedcert: (protected directories: writable, not readable); the file may contain private keys too, which is why these directories are protected
- pubcert: publicly available CA certificates
- Ignore Expiration dates: useful with large valcreds, so the valcred object stays “up” even when one of its certificates has expired

5 Crypto Objects: Crypto Identification Credentials
- Matching keypair: key + cert == private key + public key
- Verified at configuration time (a key that does not belong to the cert is rejected)
- SSL “identity” sent to the peer
- CA list: intermediate CA certificates sent along with the identity
- Starting to be used for other crypto operations (sign, encrypt)

6 Crypto Objects: Crypto Validation Credentials
- Set of certificates for validating another certificate
- Validation modes:
  - “Match exact or immediate issuer”: the received cert must be in the valcred or be directly signed by a valcred cert
  - “Full certificate chain checking (PKIX)”: SSL only
- Use a Certificate Revocation List (CRL) or not
- Used anywhere a certificate is received and trust must be checked:
  - SSL
  - Digital signature verification
  - AAA
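The two checks described on slides 5 and 6, as an added example in Go (this is not DataPower code): the idcred keypair match performed at configuration time, and the two valcred validation modes. The chain (root, issuing CA, leaf), the names and the keys are constructed in memory and are hypothetical; "Match exact or immediate issuer" is modelled as an exact match or a direct signature check, and PKIX mode as path building from the peer certificate through the intermediates it sent to a valcred trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Valcred is a set of trusted certificates, i.e. a validation credential.
type Valcred []*x509.Certificate

func check(err error) { if err != nil { panic(err) } }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// tmpl builds a minimal template; CAs also get the certSign usage an issuer needs.
func tmpl(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs template with parentKey; a nil parent makes it self-signed.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// buildPKI constructs root -> issuing CA -> leaf in memory plus an unrelated key (hypothetical names).
func buildPKI() (root, inter, leaf *x509.Certificate, leafKey, otherKey *ecdsa.PrivateKey) {
	rootKey, interKey := newKey(), newKey()
	leafKey, otherKey = newKey(), newKey()
	root = issue(tmpl(1, "Example Root CA", true), nil, &rootKey.PublicKey, rootKey)
	inter = issue(tmpl(2, "Example Issuing CA", true), root, &interKey.PublicKey, rootKey)
	leaf = issue(tmpl(3, "gateway.example", false), inter, &leafKey.PublicKey, interKey)
	return
}

// IdcredMatches is the configuration-time check on an identification
// credential: the private key must belong to the certificate's public key.
func IdcredMatches(key *ecdsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// ExactOrImmediateIssuer models "Match exact or immediate issuer": the peer cert
// passes only if it is in the valcred or was signed directly by a valcred cert.
func ExactOrImmediateIssuer(peer *x509.Certificate, vc Valcred) bool {
	for _, t := range vc {
		if peer.Equal(t) || peer.CheckSignatureFrom(t) == nil {
			return true
		}
	}
	return false
}

// FullChainPKIX models "Full certificate chain checking (PKIX)": the valcred holds
// trust anchors; intermediates the peer sent are used to build a path to one of them.
func FullChainPKIX(peer *x509.Certificate, vc Valcred, sent ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, t := range vc {
		opts.Roots.AddCert(t)
	}
	for _, c := range sent {
		opts.Intermediates.AddCert(c)
	}
	_, err := peer.Verify(opts)
	return err
}

func main() {
	root, inter, leaf, leafKey, otherKey := buildPKI()
	fmt.Println("idcred: leaf key + leaf cert", IdcredMatches(leafKey, leaf), "| other key + leaf cert", IdcredMatches(otherKey, leaf))
	fmt.Println("exact/immediate: valcred={root}", ExactOrImmediateIssuer(leaf, Valcred{root}), "| valcred={issuing CA}", ExactOrImmediateIssuer(leaf, Valcred{inter}))
	fmt.Println("PKIX: valcred={root}, issuing CA sent:", FullChainPKIX(leaf, Valcred{root}, inter))
	fmt.Println("PKIX: valcred={root}, nothing sent:", FullChainPKIX(leaf, Valcred{root}))
}
```

The point of the last four lines: with only the root in the valcred, exact/immediate mode rejects the leaf (the root did not sign it directly), while PKIX mode accepts it as long as the peer supplies the issuing CA in the handshake; leave the intermediate out and PKIX fails too.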

7 Crypto Objects: Crypto Profile
- Describes the SSL configuration for one side of the connection (server or client)
- Identity to use (idcred)
- valcred for validating the peer's identity
- Ciphersuite
- Send Client CA list: the list of acceptable CAs sent to the peer, used for mutual authentication
- Other options, such as SSL version
- Reusable (though no one seems to do this)

8 Crypto Objects: SSL Proxy Profile
- “Top-level” crypto object
- Describes the overall SSL connection:
  - Reverse: the appliance is the SSL server
  - Forward: the appliance is the SSL client
  - Two-way: client and server
- SSL session caching controls:
  - The server side is a pool
  - The client side only needs on/off, since it is 1:1 with destinations

9 Crypto Objects: Basic Object Hierarchy

10 Crypto Objects: Crypto Shared Secret Key
- Symmetric crypto key
- Configured from a file on the flash containing the key as a string: 0xABCD1234… or Justabunchoftext…
- Located in cert:, sharedcert: (protected directories: writable, not readable)
- Not used much

11 Crypto Objects: Crypto Firewall Credentials
- Limits which keys, certs, and sskeys an XML firewall may use:
  - List of keys
  - List of certs
  - List of sskeys
- Less important now that there are configuration domains

12 Crypto Objects: Where Objects are Used
- SSL, obviously
- Sign: key used for signature generation; cert placed in the message so the receiver can verify the signature
- Verify: cert used if no cert is carried in the message; valcred validates the signer's certificate
- Encrypt: cert used to encrypt the ephemeral key, and placed in the message
- Decrypt: key used to decrypt the ephemeral key; found either by matching the cert in the message to the cert in an idcred and using the corresponding key, or by specifying the key directly
- AAA: validating signers' certs, signing SAML assertions, etc.

13 AAA: The 7 Stages
- Extract Identity (EI)
- Authenticate (AU), with an AU cache
- Map Credentials (MC)
- Extract Resource (ER)
- Map Resource (MR)
- Authorize (AZ), with an AZ cache
- Audit/Post-Processing (PP)
The identity stages (EI, AU, MC) and the resource stages (ER, MR) both feed AZ, which is followed by PP.

14 AAA: Data Passed Between Stages
- Input and output XML nodesets
- XML API for each stage
- Allows custom processing stylesheets (see Custom-AAA-Processing.pdf)
- Viewable in the Probe
Example EI output from the Probe:

    <identity>
      <entry type="http-basic-auth">
        <username>fred</username>
        <password sanitize="true">fred</password>
        <configured-realm>login</configured-realm>
      </entry>
    </identity>

15 AAA: Writing Custom Stylesheets
- Use the “API” of the input and output nodesets
Example custom EI stylesheet (it emits a username/password identity only when the input carries a fred/flintstone element):

    <?xml version="1.0"?>
    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <xsl:output method="text"/>
      <xsl:template match="/">
        <xsl:if test="count(//fred/flintstone) > 0">
          <username>fred</username>
          <password>flintstone</password>
        </xsl:if>
      </xsl:template>
    </xsl:stylesheet>

16 AAA: Extension Functions
Some DataPower XSLT extensions which may be useful when writing custom stylesheets:
- dp:auth-info()
- dp:get-cert-details()
- dp:get-cert-issuer()
- dp:get-cert-serial()
- dp:get-cert-subject()
- dp:ldap-authen()
And many more!

17 AAA: AU and AZ caching
- By default AU and AZ results are cached
- The cache key is derived from the entire AAA policy plus the data relevant to the stage (the extracted identity for AU; the credential and resource for AZ)
- False hits (a cached result reused for a request that should have been evaluated afresh) are sometimes tricky to avoid
- Same underlying caching mechanism as the document cache

18 AAA: Benchmarking
- Currently have no benchmarks
- Goal: answer the question “What is the pure overhead of running AAA?”
- Compare 2 scenarios:
  1) unprocessed tiny message in loopback using persistent connections; should get 20,000 transactions/sec
  2) preprocessed tiny message with minimal AAA
- Other interesting scenarios:
  - On-box (local AAAInfo file) vs off-box (LDAP, TAM, etc.)
  - AU and AZ caching on/off

19 AAA: Examples
Token translation: BasicAuth -> UsernameToken
- EI: BasicAuth
- AU: AAAInfo file
- MC: none
- ER: URL
- MR: none
- AZ: anyauthenticated
- PP: generate UsernameToken
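The token translation above, run end to end, as an added example in Go (not DataPower's implementation); it also produces the EI nodeset shown on slide 14 and demonstrates the cache-key caveat from slide 17. The AAAInfo user table, the realm "login", the policy name, the Authorization header and the URL are constructed for the example, and the AU cache key derivation is an illustration of the principle, not the appliance's actual scheme.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// Identity mirrors the EI nodeset shown in the Probe (identity/entry/username,
// password[@sanitize], configured-realm); sanitize tells the Probe to mask the value.
type Identity struct {
	XMLName xml.Name `xml:"identity"`
	Entries []Entry  `xml:"entry"`
}
type Entry struct {
	Type     string   `xml:"type,attr"`
	Username string   `xml:"username"`
	Password Password `xml:"password"`
	Realm    string   `xml:"configured-realm"`
}
type Password struct {
	Sanitize bool   `xml:"sanitize,attr"`
	Value    string `xml:",chardata"`
}

// XML renders the nodeset the way the Probe displays it.
func (id Identity) XML() string { out, _ := xml.Marshal(id); return string(out) }

// ExtractIdentity is the EI stage for HTTP Basic authentication.
func ExtractIdentity(authz, realm string) (Identity, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(authz, "Basic "))
	parts := strings.SplitN(string(raw), ":", 2)
	if err != nil || !strings.HasPrefix(authz, "Basic ") || len(parts) != 2 {
		return Identity{}, fmt.Errorf("EI: no usable Basic credentials")
	}
	return Identity{Entries: []Entry{{Type: "http-basic-auth", Username: parts[0],
		Password: Password{Sanitize: true, Value: parts[1]}, Realm: realm}}}, nil
}

// aaaInfo stands in for an on-box AAAInfo file (constructed sample users).
var aaaInfo = map[string]string{"fred": "fred", "wilma": "pebbles"}

// Authenticate is the AU stage against the local file; it returns the
// credential name that MC and AZ work with.
func Authenticate(id Identity) (string, error) {
	for _, e := range id.Entries {
		want, ok := aaaInfo[e.Username]
		if ok && subtle.ConstantTimeCompare([]byte(want), []byte(e.Password.Value)) == 1 {
			return e.Username, nil
		}
	}
	return "", fmt.Errorf("AU: authentication failed")
}

// AUCacheKey derives an AU cache key from the policy name plus every field the
// decision depends on. Leaving the password out (includePassword=false) is the
// false hit the slides warn about: a wrong password would reuse a cached success.
func AUCacheKey(policy string, e Entry, includePassword bool) [32]byte {
	fields := []string{policy, e.Type, e.Realm, e.Username}
	if includePassword {
		fields = append(fields, e.Password.Value)
	}
	return sha256.Sum256([]byte(strings.Join(fields, "\x00")))
}

// Authorize is the AZ stage in "anyauthenticated" mode.
func Authorize(credential, resource string) bool { return credential != "" && resource != "" }

// UsernameToken is the PP output, a WS-Security UsernameToken for the
// authenticated user; the password is deliberately not forwarded.
type UsernameToken struct {
	XMLName  xml.Name `xml:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd UsernameToken"`
	Username string   `xml:"Username"`
}

// Translate runs EI -> AU -> (MC: none) -> ER: the URL -> (MR: none) -> AZ -> PP.
func Translate(authz, url string) (string, error) {
	id, err := ExtractIdentity(authz, "login") // "login" is the constructed realm
	if err != nil {
		return "", err
	}
	cred, err := Authenticate(id)
	if err != nil {
		return "", err
	}
	if !Authorize(cred, url) {
		return "", fmt.Errorf("AZ: denied")
	}
	out, err := xml.Marshal(UsernameToken{Username: cred})
	return string(out), err
}

func main() {
	id, _ := ExtractIdentity("Basic ZnJlZDpmcmVk", "login") // "fred:fred", constructed
	fmt.Println("EI:", id.XML())
	tok, err := Translate("Basic ZnJlZDpmcmVk", "/service")
	fmt.Println("PP:", tok, err)
}
```

Two details worth noting: the password comparison in AU is constant-time, and the UsernameToken carries only the username, so a downstream service that trusts the appliance never sees the Basic password. The cache-key function is the thing to reason about when tuning the AU cache: anything that can change the AU verdict must be part of the key.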

