Download presentation
Presentation is loading. Please wait.
1
The EC PERMIS Project David Chadwick d.w.chadwick@salford.ac.uk
2
Traditional Applications Authentication and Authorisation are Internal to the Application UserName/ Password Lists Access Control Lists Multiple passwords Multiple usernames Confusion!! Multiple Administrators High cost of administration No overall Security Policy
3
Enter PKI Authentication is External to the Application Access Control Lists One password or pin to access private key Happy Users! Multiple Administrators High cost of administration No overall Security Policy Digital Signature Public Key Infrastructure Application Gateway
4
Enter PMI Authentication and Authorisation are External to the Application One password or pin to access private key Happy Users! Fewer Administrators Lower cost of admin Overall Security Policy Digital Signature Public Key Infrastructure Application Gateway Privilege Management Infrastructure
5
What PERMIS is not It is not an AAA system It does not help in authenticating users, or accounting It does not try to replace PKI, Shibboleth or other institution or inter-realm based authentication mechanisms It is not a protocol for carrying authentication/authorisation tokens e.g. SAML, PAPI, HTTP
6
What PERMIS is It is a policy based authorisation system, a PMI, that uses X.509 attribute certificates to hold roles/attributes It can work with any and every authentication system (Shibboleth, PAPI, Kerberos, PKI, username/PW, etc.) Given a username, a target and an action, it says whether the user is granted or denied access based on the policy for the target The policy is role/attribute based i.e. users are given roles/attributes. Roles/attributes are given permissions to access targets The policy is written in XML, is similar to XACML, but simpler and produced earlier It can work in push or pull mode (attributes are sent to PERMIS, or PERMIS fetches them itself)
7
Compliance checker/Policy Enforcement Point X.812|ISO 10181-3 Access Control Framework ADF Initiator Target Submit Access Request Present Access Request Decision Request Decision AEF ADF= application independent Access control Decision Function Internet Target SiteUser’s Site AEF= application dependent Access control Enforcement Function
8
PERMIS API System Structure Initiator Target Submit Access Request Present Access Request Decision Request Decision AEF Authentication Service LDAP Directories Retrieve Policy and Role ACs (pull) PKI ADF The PERMIS PMI API PERMIS API Implementation Retrieve Role ACs (push)
9
Integration with the GRID PKI ADF The PERMIS PMI API User Target TLS Access Request Present Access Request Pass DN + Access Request Grant/ Deny LDAP Directories Retrieve Policy and Role ACs (pull) GRID Appln gateway Check Signature PERMIS API Implementation PKI
10
Integration with the CAS ADF The PERMIS PMI API User Target Access Request with Capability Present Access Request Decision Request + attributes/roles Grant/ Deny LDAP Directory Retrieve Policy Check signature on Capability PERMIS API Implementation PKI CAS Server Capability containing attributes/roles CAS request GRID Appln gateway CAS Policy DB
11
Integration with Shibboleth User LDAP Target 1. User request Handle Server Policy SHAR SHIRE WAYF 2.Re-direct to WAYF 3.Re-direct to HS 4. Handle 5.Handle AA Server 6. AQM 7. ARM with attributes or ACs Resource Gateway ADF The PERMIS PMI API PERMIS API Implementation 9.Grant/Deny 8. Att or AC
12
Integration with PAPI User Authentication Server Keys Hcook- Lcook GPoA GPoAPoA Hcook- Lcook PoA 302+ Hcook 302 + data LDAP Directories Retrieve Policy and Role ACs (pull) PKI ADF The PERMIS PMI API PERMIS API Implementation UserDN from cookie + access request Granted/ denied
13
Integration with A-Select ADF The PERMIS PMI API Initiator Target 1.Submit Access Request Present Access Request 6.DN + Request Grant/Deny LDAP Directories Retrieve Policy and Role ACs (pull) AEF A-Select Agent PERMIS API Implementation PKI Remote Authentication Service Providers Local Authentication Service Providers Local A-Select Server UDB 2.Re-direct user to AS 4.Authenticate 3.Re-direct user to Auth server 5. Provide ticket
14
Integration with Username/PW over SSL LDAP Directories Retrieve Policy and Role ACs (pull) PKI ADF The PERMIS PMI API PERMIS API Implementation User Application gateway with SSL server cert Username/PW Over SSL UN/PW/DN DB DN+ Action Grant/ Deny Target User’s Roles/ Attributes
15
Distributed Management Entities Involved LDAP Directory Policy ADF The PERMIS PMI API PERMIS API Implementation LDAP Directory LDAP Directory Attribute Certificates Target SOA Site based SOAs Push Mode Pull Mode Application Gateway
16
PERMIS Trust Model The Target/Resource is the root of trust (Source Of Authority SOA) for access to itself The Target is configured with its SOA name at start up The Policy is signed by the SOA (Permis checks this) The SOA says in the policy which remote SoAs it trusts to allocate roles The SOA says what roles they can allocate The SOA says what access rights are given to each role The remote SoAs authenticate the users and allocate roles to them
17
PERMIS Policy Components Subject Policy –Specifies subject domains based on LDAP subtrees Role Hierarchy Policy –Specifies hierarchy of role values SOA Policy –Specifies who is trusted to issue ACs Role Assignment Policy –Says which roles can be given to which subjects by which SOAs, with which validity times and whether delegation is allowed
18
PERMIS Policy Components (cont) Target Policy –Specifies the target domains covered by this policy, using LDAP subtrees Action Policy –Specifies the actions (operations) supported by the targets, along with their allowed operands Target Access Policy –Specifies which roles are needed to access which targets for which actions, and under what conditions
19
Current Applications E-tendering at Salford City Council E-planning at Bologna Comune Access to car parking fines database at Barcelona City Electronic Transfer of Prescriptions at University of Salford
20
What PERMIS is not It is not an AAA system It does not help in authenticating users, or accounting It does not try to replace PKI, Shibboleth or other institution or inter-realm based authentication mechanisms It is not a protocol for carrying authentication/authorisation tokens e.g. SAML, PAPI, HTTP
21
What PERMIS is It is an authorisation system, that uses X.509 attribute certificates to hold roles/attributes It can work with any and every authentication system (Shibboleth, PAPI, Kerberos, PKI etc.) Given a username(DN), a target and an action, it says whether the user is granted or denied access based on the policy for the target The policy is role/attribute based i.e. users are given roles/attributes. Roles/attributes are given permissions to access targets The policy is written in XML, is similar to XACML, but simpler and produced earlier It can work in push or pull mode (attributes are sent to PERMIS, or PERMIS fetches them itself)
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.