Make Secure Information Sharing (SIS) Easy and a Reality
C. Edward Chow, PI; Osama Khaleel; Bill Kretschmer


1 Make Secure Information Sharing (SIS) Easy and a Reality
C. Edward Chow, PI; Osama Khaleel; Bill Kretschmer
Sponsored by TTO Proof of Concept grant

2 Agenda (6/26/2006, SIS 0.2)
- Status of the SIS “porting” project
- SIS 0.2 Software Architecture
- Technologies and Tools/Modules
- SIS 0.2 prototype
- Demo of SIS 0.2 prototype
- Discussion on what to do next

3 What We Have Achieved
- Develop SIS on Windows Platform.
- Add new capability on policy management:
  - Follow XACML access control standard.
  - Specify/enforce policies for accessing secure web sites based on role info in the attribute certificate.
- For certificate management, develop tools to:
  - Create digital and attribute certificates.
  - Update/revoke roles by updating certificates in Active Directory.
- Integrate these software modules and demonstrate features on a prototype.

4 SIS Software Architecture
Access to important resources (e.g. secure web sites) is secured by checking the identity (in the digital certificate, PKC, presented by the user) against the related role (attribute certificate) on a set of policies.
[Diagram: User's web browser (PKC), IIS web server, ASP.NET, Policy Enforcement Point, Policy Decision Point, Active Directory (PKC, AC), XACML policies, secure web site resources]

5 Secure Access Step 1: Identity Authentication
- User installs digital certificate (PKC) in their web browser.
- User issues a request to the IIS web server.
- IIS presents its server certificate and asks the user to present a client certificate (mutual authentication).
[Diagram: User's web browser (PKC) and IIS web server. 1. https request; 2. Server Certificate; 3. Client Certificate]

6 Secure Access Step 2: Forward ID/URI to PEP
ASP.NET intercepts the request and forwards the subject field (containing the identity info) of the PKC to the Policy Enforcement Point (PEP).
[Diagram: User's web browser (PKC), IIS web server, ASP.NET, Policy Enforcement Point. 4. User ID (email/OU), Time/IP, https request info]

7 Secure Access Step 3: Query Active Directory for Role Info
PEP uses the ID info (Canonical Name) to query AD for the role info contained in the attribute certificate.
[Diagram: User's web browser (PKC), IIS web server, ASP.NET, Policy Enforcement Point, Active Directory (PKC, AC). 5. User ID (CN=chow); 6. AC of User with roles (CFO/mgr)]

8 Secure Access Step 4: Consult PDP for Policy Decision
PEP then consults the Policy Decision Point (PDP) to decide whether the policies allow a user with such role(s) to access the resource.
[Diagram: User's web browser (PKC), IIS web server, ASP.NET, Policy Enforcement Point, Policy Decision Point, XACML policies. 7. User ID, Role, Time/IP, request info; 8. grant/reject]

9 Secure Access Step 5: Access Secure Resource
Based on the PDP decision, PEP informs ASP.NET to grant access or redirect with error web pages.
[Diagram: User's web browser (PKC), IIS web server, ASP.NET, Policy Enforcement Point, secure web site resources. 9. access/redirect; 10. access; 11. Return web page]
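
The five-step flow above as a simplified Python model, added here as an example and not the SIS project's code. The directory dict, rule fields, URIs and the user `alice` are constructed, and the rules are plain Python objects rather than XACML; the point is that the PEP fails closed when the AC is missing or revoked and the PDP denies by default.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed stand-in for Active Directory: CN -> attribute certificate record.
DIRECTORY = {
    "chow":  {"roles": {"CFO", "mgr"}, "revoked": False},
    "alice": {"roles": {"mgr"}, "revoked": True},   # AC revoked (user left)
}

@dataclass(frozen=True)
class Rule:
    resource_prefix: str      # URI prefix the rule protects
    roles: frozenset          # roles the rule permits
    network: str              # client network the rule permits
    start: time               # start of permitted time window
    end: time                 # end of permitted time window

# Constructed policy set; a real deployment would express these in XACML.
POLICIES = [
    Rule("/finance/", frozenset({"CFO"}), "10.0.0.0/24", time(8), time(18)),
    Rule("/reports/", frozenset({"CFO", "mgr"}), "10.0.0.0/24", time(0), time(23, 59)),
]

def lookup_roles(cn):
    """Steps 5-6: PEP queries the directory for the roles in the user's AC."""
    entry = DIRECTORY.get(cn)
    if entry is None or entry["revoked"]:
        return set()          # no valid AC means no roles
    return entry["roles"]

def pdp_decide(roles, uri, client_ip, now):
    """Steps 7-8: grant only if one rule matches role, resource, IP and time."""
    for rule in POLICIES:
        if (uri.startswith(rule.resource_prefix)
                and roles & rule.roles
                and ip_address(client_ip) in ip_network(rule.network)
                and rule.start <= now <= rule.end):
            return "grant"
    return "reject"           # deny by default when no rule applies

def pep_handle(subject_cn, uri, client_ip, now):
    """Steps 4 and 9: PEP gathers attributes, asks the PDP, enforces the result."""
    try:
        decision = pdp_decide(lookup_roles(subject_cn), uri, client_ip, now)
    except ValueError:        # malformed client address: fail closed
        decision = "reject"
    return "access" if decision == "grant" else "redirect"
```
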

10 SIS Network Topology and IP Assignments
[Diagram: Internet, main switch, FC4 gateway (NIC1 128.198.162.50, NIC2 10.0.0.1), local switch, Win-XP 10.0.0.12, IIS 10.0.0.11, Domain-controller 10.0.0.10; additional addresses shown: 128.198.162.51, 128.198.162.52, 128.198.162.53]

11 The Testbed
A 4-machine testbed has been built. It contains the following:
- Windows Server 2003 with AD (the domain controller).
- Windows Server 2003 with IIS 6.0 (the web server).
- Windows XP (a client).
- Fedora Core 4 with IPtables-based firewall (a gateway).

12 The SIS Admin Tool
An admin tool is being developed to provide an easy-to-use GUI for setting up the SIS environment. C# (C# Express 2005 IDE) has been used. The three main components that we have so far are:
- Public Key Infrastructure (PKI) setup.
- Privilege Management Infrastructure (PMI) setup.
- Certificates Management.

13 PKI and PMI
PKI features:
- Creating new Certificate Authorities (CAs).
- Loading an existing CA.
- Issuing a single digital cert (DC) and storing it in the AD, based on a GUI form.
- Issuing a batch of DCs and storing them in the AD, based on a simple text file.
PMI features:
- Creating new Attribute Authorities (AAs).
- Loading an existing AA.
- Issuing a single attribute cert (AC) and storing it in the AD, based on a GUI form.
- Issuing a batch of ACs and storing them in the AD, based on a simple text file.


15 Certificates Management
- Check & validate a digital certificate.
- Revoke a digital certificate.
- Check & validate an attribute certificate.
- Revoke an attribute certificate.


17 Packages & techniques
- OpenSSL [http://www.stunnel.org/download/binaries.html]: a wrapper compiled into binaries (exe file) has been used to implement the PKI part.
- JCE-IAIK [http://jce.iaik.tugraz.at/]: a set of Java APIs and implementations of cryptographic functionality that has been used to implement the PMI part.
- IKVM.NET [http://www.ikvm.net]: an implementation of Java for the Microsoft .NET Framework that has been used to allow us to use the IAIK Java-based package in .NET.
- CryptLib [http://www.cs.auckland.ac.nz/~pgut001/cryptlib/] or [http://www.cryptlib.com]: a security toolkit that allows adding encryption and authentication services. (We faced problems with it [file format & AC errors]; therefore, we replaced it with the OpenSSL solution.)
- XACML Open Source from Sun [http://sunxacml.sourceforge.net]: Sun’s open source implementation of the OASIS XACML standard, written in the Java™ programming language.

18 Demo
- Secure web access based on role in attribute certificate
- Update AC when a person gets promoted
- Revoke AC when a person leaves the company
- PKC/AC management tool

19 Discussion
What are our next steps?

