Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project."— Presentation transcript:

1 SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project

2 5/1/2006Okhaleel SIS2 Introduction  The Internet is the most dominant place for data exchange and information sharing.  Thus, providing a reliable, secure, and easy-to-use system to access critical information is a crucial thing.  Given that the password based access does not meet with high-level security requirements, we need a stronger approach for access control.

3 5/1/2006Okhaleel SIS3 Goals:  Porting the previous SIS project (Linux/LDAP/Mod_LDAP/Apache) to Windows system with the necessary improvements.  Providing secure access control based on digital and attribute certificates.  Implementing a flexible and scalable Role Based Access Control (RBAC) model.  Building an Access Control Engine (ACE) for IIS to Enforce our RBAC policy. Investigate the framework so that we can build ACE for Instant Messaging, and other network services.  Providing an easy-to use GUI for creating and managing –Public Key Infrastructure (PKI), –Privilege Management Infrastructure (PMI), and –RBAC.

4 5/1/2006Okhaleel SIS4 The Transformation:  Basically, the working environment will be Windows instead of Linux.  Active Directory (AD) is used instead of LDAP server.  Microsoft IIS 6.0 replaces Apache web server  Improving the RBAC policy enforcement from static If-Else checking to a dynamic XML based solution.

5 5/1/2006Okhaleel SIS5 Testbed Configuration  A testbed has been built to test SIS system.  It consists of four machines: –Windows server 2003 with AD (acts as the Domain Controller). –Windows server 2003 with IIS 6.0 (acts as a web server. –Windows XP as a client. –A Gateway running Fedora Core 4 and an IPtables based firewall.

6 5/1/2006Okhaleel SIS6 Local switch NIC1 128.198.162.50 FC4 NIC2 10.0.0.1 Main switch Win-XP 10.0.0.12 IIS 10.0.0.11 Domain-controller 10.0.0.10 128.198.162.51 128.198.162.52 128.198.162.53 Internet SIS Network Topology And IP assignments

7 5/1/2006Okhaleel SIS7 Main SIS Components:  X.509 Digital Certificate: –A Public Key Certificate (PKC) is used as a strong means to prove identities. It binds a public key with the holder subject field (Country, State, City, Organization, e-mail, Common-name, …). –It is signed by the private key of a Certificate Authority (CA), so it can be verified using the known CA’s public key.

8 5/1/2006Okhaleel SIS8 Main SIS Components:  Certificate Authority (CA): –A CA is a trusted entity that is responsible of issuing digital certificates for use by other parties. –A PKC issued by a CA states that “the CA attests that the public key contained in the certificate belongs to the entity noted in that certificate”.

9 5/1/2006Okhaleel SIS9 Main SIS Components:  Attribute Certificate (AC): –It is a new Internet standard RFC3281 that strongly binds a public key with a set of attributes that can specify the holder’s membership, Role, security clearance, or other authorization information. –In our case, we use ACs to store the role information for the holder.

10 5/1/2006Okhaleel SIS10 Main SIS Components:  Active Directory (AD): –A hierarchical framework of objects used as a directory service to store information about the network resources across a domain. –It’s the Microsoft’s implementation of LDAP directory services for use in Windows environment. –It provides central control for three types of objects; Resources (e.g. printers), Services (e.g. e-mail), and Users (accounts and groups). –AD is used to maintain users accounts and store Digital and Attribute certificates.

11 5/1/2006Okhaleel SIS11 Main SIS Components:  Internet Information Services (IIS 6.0): –A Web server that provides a reliable, manageable, and scalable Web application infrastructure for Windows Servers. –SSL mutual authentication based on the client’s digital certificate is used to authenticate users. –An enhanced HTTP module is used to authorize users based on the Role stored in the corresponding Attribute Certificate.

12 5/1/2006Okhaleel SIS12 In details:  We will provide an Admin Tool that has four primary functions; –AD management. –SIS setup. –RBAC setup and management. –Certificates management.  We assume that Windows server 2003, Active Directory, and IIS 6.0 are already installed.

13 5/1/2006Okhaleel SIS13 Active Directory Management  Initialize the active directory.  Create users accounts based on a text file that contains the needed information –first name, last name, country, state, organization, e-mail, and –their role in the organization.  Add, remove, and edit users accounts as needed.

14 5/1/2006Okhaleel SIS14 SIS Setup  Create a root CA that will be used to sign issued certificates.  Issue a server certificate for the IIS web server.  Issue digital and attribute certificates for users, and storing them in the active directory.  OpenSSL and CryptLib packages have been used in this task.

15 5/1/2006Okhaleel SIS15 RBAC Setup & Management  Idea  A flexible way to enforce the role based access policy. namely, to dynamically check whether a certain ROLE has the required permissions to perform certain OPERATIONS on some RESOURCES.  We have come up with a solution that uses two XML files; Resources and Roles.

16 5/1/2006Okhaleel SIS16 RBAC XML files:  Resources.xml: 1 http://domain/path1 description 1 2 http://domain/path2 description 2.  Roles.xml * Sun,Tues,Wed 11:00 am – 5:00 pm

17 5/1/2006Okhaleel SIS17 Certificates Management Manage issued certificates:  Update users digital and attribute certificates.  Revoke Certificates.  Check certificates validity dates.

18 5/1/2006Okhaleel SIS18 The Big Image: Client request IIS SIS Module SSL Authenticated Get request info, and the certificate subject field NO reject Active Directory Query AD to get the corresponding AC This Role has Permissions to Perform the Operation on the requested resource NO reject Grant Access YES

19 5/1/2006Okhaleel SIS19 Conclusion  A secure information sharing system for Windows environment is being developed with an admin tool to setup and manage AD, PKI, and RBAC.  Clients are authenticated by the PKCs issued to them, and Authorized by the ACs stored in the AD using the RBAC model.  The system can be used as a secure information infrastructure for an emergent taskforce due to the quickness in system setup, and the easy-to-use Admin Tool.

20 5/1/2006Okhaleel SIS20 Some learnt lessons:  In terms of the programming language, I have used C# with Visual C# Express 2005 IDE. Since we are porting to windows system, C# is one of the most powerful languages supported in the.NET framework.  At the beginning I used the CryptLib package to deal with certificates. This package generates two kinds of files; (.CER) that contains the certificate, and (.P15) that has the private key in PKCS#15 structure. But after I had tried to test those certificates, it turned out that MS IE and IIS need (.P12) kind of file. Thus I switched to OpenSSL package instead.

21 5/1/2006Okhaleel SIS21 Some learnt lessons:  Now, the good thing in CryptLib is that it supports attribute certificates, so I will be using it to deal with ACs.  For RBAC XML based solution, I found out that the use of simple C# XMLReader and XMLWriter is slow especially for a large file. So, I will use Xpath technique for this task.  As we learned in the certificate assignment, we can specify the certificates we want to allow in the Apache password file by putting the whole subject field in it. So, now I am searching for an equivalent feature in IIS.

22 5/1/2006Okhaleel SIS22 Future Work:  Integrating more services in the ACE such as Instant Messaging, E-mail, Wireless access, VOIP …  Enhancing the system to work in a multiple agency environment.  Expanding the system usability to other operating systems.

23 5/1/2006Okhaleel SIS23 References:  OpenSSL; a wrapper compiled in binaries (.exe file) from http://www.stunnel.org/download/binaries.html has been used, 2006. http://www.stunnel.org/download/binaries.html  CryptLib package that supports attribute certificates, http://www.cryptlib.com, 2006 http://www.cryptlib.com  Network Security with OpenSSL by John Viega, Matt Messier, and Pravir Chandra. O’Reilly–First Edition, 2002.  http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html, 2006. http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html  Linux based SIS, by Ganesh Godavari and Edward Chow, http://cs.uccs.edu/~infoshare/doc/smc05/PaperFormatOrg.pdf, 2005. http://cs.uccs.edu/~infoshare/doc/smc05/PaperFormatOrg.pdf

24 5/1/2006Okhaleel SIS24 ?

Download ppt "SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project."

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Secure Information Sharing Using Attribute Certificates and Role Based Access Control Ganesh Godavari, C. Edward Chow 06/22/2005 University of Colorado.

Secure Information Sharing Using Attribute Certificates and Role Based Access Control Ganesh Godavari, C. Edward Chow 06/22/2005 University of Colorado.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.

Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Understanding Active Directory

Understanding Active Directory
Abdelilah Essiari Gary Hoo Keith Jackson William Johnston Srilekha Mudumbai Mary Thompson Akenti - Certificate-based Access Control for Widely Distributed.

Abdelilah Essiari Gary Hoo Keith Jackson William Johnston Srilekha Mudumbai Mary Thompson Akenti - Certificate-based Access Control for Widely Distributed.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Local switch NIC1 128.198.162.50 FC4 NIC2 10.0.0.1 Main switch Win-XP 10.0.0.12 IIS 10.0.0.11 Domain-controller 10.0.0.10 128.198.162.51 128.198.162.52.

Local switch NIC FC4 NIC Main switch Win-XP IIS Domain-controller
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Similar presentations

Ads by Google