1
SEVA: Securing Extranets
Yves ROUDIER, Refik MOLVA
Institut Eurécom
http://www.eurecom.fr/~nsteam/SEVA/
2
Extranets: Deployment Issues
[Diagram: a client (browser) in the "client" intranet sends an HTTP request through a firewall to a server (web) in the "server" intranet. Open questions marked on the diagram: user application access control, user management, network access control.]
3
SEVA: Overview
Automated management of access control
–configuration and collaboration of security devices
–delegation + role based access control
Transparent mechanism
–retrofitting clients / servers without modification
–using a remote network like a local one
Strong security
–cryptographic mechanisms
–fine grained authorizations and resource scoping
4
SEVA: Overall Architecture
[Diagram: client (browser) in the "client" intranet, server (web) in the "server" intranet. An initial agreement (role-based delegation) defines roles and groups of resources; access control rules are fine grained and application-level; enforcement is transparent and automated.]
5
Role Based Delegation
[Diagram: the admin of the "server" intranet holds Handle 1, a group of resources (a handle is a uniform name); an SPKI authorization certificate grants Handle 1 to a user or role in the "client" intranet. Handle 1 resolves to URL 1 and URL 2 on the server (Server@), and the user's SPKI authorization certificate for Handle 1 covers them.]
6
Role Based Delegation (continued)
[Diagram: the admin's authorization certificate for Handle 1 is delegated to the user in the "client" intranet; access control on the "server" intranet side checks the user's authorization certificate for Handle 1 against URL 1 and URL 2 (Server@).]
7
Scoping of Authorizations
[Diagram: the admin holds Handle 3, shown alongside Handle 1 and Handle 2; the user in the "client" intranet is granted Handle 1 only, so rights(handle 1) are scoped within rights(handle 3). This scoping of a delegated authorization to part of a resource group is missing in SPKI.]
8
Defining Rights
Based on SPKI (Simple Public Key Infrastructure)
–access-, not identification-centric: key = principal
–role-based: group certificates
–delegation: access control, key management
New in SEVA
–agent-based automated issuance
–one resolution, several accesses
Example certificate:
  (cert
    (issuer (public-key (rsa-pkcs1 (e #11#)
      (n |AKfUCx8fOMNPYBHBJDF8GRSEP2+Egg9f3EZ/ry3SN7tyah7+VOMqSHgb
          hDV8Bl1C0lhDvC2KdEWlJ7iGj5l5cl+4+h4KMXOIiZ//3R2QObuYq7pMM
          2aOjDPuPFmeBZZX3w5g0hOFZv4CouGdVO5G3x5OJGxJuIts73rPyHei+h8x|))))
    (subject (name SEVA))
    (tag (read http://www.eurecom.fr/~nsteam/SEVA/)))
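Added example (my code, not SEVA's): the delegation chain of slides 5 to 8 modelled in Python. Certificates are plain records (signatures omitted), tags are (operation, handle) pairs, and a chain reduction in the style of SPKI tuple reduction narrows rights at each hop so a delegate never holds more than the delegator. The principal names `server-NA`, `role:admin`, `key:user` and the handle names under the `10.3245` prefix are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """One SPKI-style authorization certificate (signature checking omitted)."""
    issuer: str          # key or role granting the rights, e.g. "role:admin" (constructed)
    subject: str         # key or role receiving them
    tags: frozenset      # set of (operation, handle_pattern) pairs
    propagate: bool      # may the subject delegate further?

def covers(pattern, handle):
    """'10.3245/*' covers every handle under that naming authority; else exact match."""
    if pattern.endswith("*"):
        return handle.startswith(pattern[:-1])
    return pattern == handle

def narrower(a, b):
    """Intersection of two handle patterns: the narrower one when nested, else None."""
    if covers(a, b):
        return b
    if covers(b, a):
        return a
    return None

def reduce_chain(chain, root):
    """Walk root -> ... -> final subject and return the effective (op, handle) set.
    Each hop may only narrow rights (the resource scoping SEVA adds on top of SPKI);
    a requested tag survives only where the delegator already holds a covering one."""
    effective, holder = None, root
    for i, cert in enumerate(chain):
        if cert.issuer != holder:
            raise ValueError(f"hop {i}: issued by {cert.issuer}, expected {holder}")
        if i > 0 and not chain[i - 1].propagate:
            raise ValueError(f"hop {i}: {holder} holds a non-delegable right")
        if effective is None:
            effective = set(cert.tags)
        else:
            effective = {(op, narrower(gres, res)) for op, res in cert.tags
                         for gop, gres in effective
                         if op == gop and narrower(gres, res) is not None}
        holder = cert.subject
    return effective

def authorized(chain, root, op, handle):
    """Per-request check: is `op` on `handle` within the chain's effective rights?"""
    return any(o == op and covers(pat, handle) for o, pat in reduce_chain(chain, root))

# Constructed: the naming authority grants role "admin" all of 10.3245/* with the
# right to delegate; the admin scopes a user down to read access on 10.3245/1.
NA_TO_ADMIN = Cert("server-NA", "role:admin", frozenset({("read", "10.3245/*"), ("write", "10.3245/*")}), True)
ADMIN_TO_USER = Cert("role:admin", "key:user", frozenset({("read", "10.3245/1")}), False)
CHAIN = [NA_TO_ADMIN, ADMIN_TO_USER]
```

A server-side verifier would call `authorized(CHAIN, "server-NA", "read", "10.3245/1")` for the user's request and refuse both `10.3245/2` and any write, since neither survives the reduction.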
9
Defining Resources
Based on CNRI's handle system (draft IETF)
–naming layer: uniform without modifying servers
–naming authority responsible for its resources
New in SEVA
–integrated with SPKI authorizations
–navigation protocol modified to verify access rights
–Extranet Handle System
Example handle: 10.3245 / jan2001-hs-overview, i.e. Naming Authority [prefix] / Item Identifier [suffix]
Handle value record: index 1 : type URL : data http://www.seva.org/slides/seva.html : TTL {Relative: 24 hours} : permissions public-read, authorized-write : timestamp 927314334000 : references {empty}
10
User Interface
[Diagram: client (browser) with a smartcard behind a firewall in the "client" intranet; server (web) in the "server" intranet; a traffic tagging layer sits between them; access rights are updated on the smartcard.]
Transparent protection
-unmodified client / server software
-operation similar to local server, yet strong security
-materialized by smartcard
-enforced through traffic tagging
11
Traffic Tagging
[Diagram: the client (browser) in the "client" intranet emits an HTTP request; the traffic tagging layer tags it; the firewall in front of the server (web) in the "server" intranet performs tag verification (access control).]
Network-Level Access Control
-stream authentication
Application-Level Access Control
-fine granularity (resource + operation)
-application level
Lightweight Tagging
-one-way function
12
SEVA: Current Status
Working Prototype
–Traffic tagging
–Application-level verification mechanism
–Role management and delegation
–Resource management and scoping
Embedded technologies
–SPKI
–Handle System
–Java Card
–cryptography: Cryptix (Java), Cryptlib (C), GemXpresso
13
Summary: Classical vs. SEVA Extranets (classical / SEVA)
Access Control Management
–identity / delegation+role
–coarse / fine-grained
Access Control Location
–definition: network+application / application only
–enforcement: network+application / network only
Access Control Enforcement
–configuration: manual / automated
–user authentication: explicit / transparent