Presentation is loading. Please wait.

Presentation is loading. Please wait.

Validity Management in SPKI 24 April 2002 (author) (presentation)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Validity Management in SPKI 24 April 2002 (author) (presentation)"— Presentation transcript:

1 Validity Management in SPKI 24 April 2002 Yki.Kortesniemi@hut.fi (author) Tero.Hasu@hut.fi (presentation)

2 2 Overview Access control Types of certificates (and how the type affects validation and revocation) Validation and revocation methods in SPKI SPKI validity management protocol

3 3 Phases of access control 3. Changing or revoking the decision 1. Expressing the decision (just once) 2. Enforcing the decision (repeatedly) 0. Making the decision

4 4 Access control w/certificates 3. Changing or revoking the decision 1. Expressing the decision (just once) 2. Enforcing the decision (repeatedly) 0. Making the decision Validating certificate(s) Modifying external information Writing and issuing certificate(s)

5 5 Types of certificates KeyAuthorization Name Authorization certificate e.g. SPKI Name or identity certificate e.g. X.509 ACL or attribute certificate Subject (person / computer / software agent) has uses

6 6 Identity certificates Key - Name - Authorization binding proved during validation –no anonymity Unique name required for each identity across the system –otherwise namesakes share rights –management burden Grouping of rights –revoke just one certificate

7 7 Authorization certificates Key - Authorization binding proved during validation –more straightforward –performance Anonymity is possible –benefits privacy of users –identity established if required (when acquiring the public key)

8 8 Identity certificate issuers Capable of establishing identity Considered trustworthy Typically have plenty of resources Small number of issuers (in a system) Small number of CRLs –may be practical to distribute to access control points

9 9 Authorization certificate issuers Anyone can be an issuer Large number of issuers Large number of CRLs –impractical to distribute in advance –obtain relevant CRLs online when required Verifier can also be the issuer –issuer arranges revocation mechanisms –verifier normally owns protected resource –control revocation to balance risk

10 10 Validity control in SPKI Has to be considered when issuing a certificate Validity period Online checks –CRL –reval –one-time –limit –renew

11 11 Lifecycle model suspendedexpired available 9. Renew – a new certificate is issued 2. Validity period OK and usage not denied by crl or reval 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used if not denied by one-time or limit 4. Usage denied by crl or reval 5. Revoked by crl or reval 6. Revoked by crl or reval

12 12 Validity period suspendedexpired available 2. Validity period OK 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used

13 13 CRL, Reval, Renew suspendedexpired available 2. Validity period OK and usage not denied by crl or reval 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used 4. Usage denied by crl or reval 5. Revoked by crl or reval 6. Revoked by crl or reval 9. Renew – a new certificate is issued

14 14 One-time, Limit suspendedexpired available 2. Validity period OK 7. Expired by time constraint 8. Expired by time constraint 1. Granted 3. Used if not denied by one-time or limit

15 15 Summary of methods MethodTypical use Processing overhead Revocation speed LimitQuotaHighImmediate One-time Limit usage on non-user specific factors ModerateImmediate RevalRevocationLow After current reval validity period CRLRevocationLow After current crl validity period RenewRevocationLow After current certificate expires

16 16 Management protocol requirements Configuration of SPKI validation server –can be done remotely All SPKI online checks supported Certificate issuer can issue commands –others need to prove permission Status information available –use of limited resource can be followed –there may be multiple entities with revocation ability

17 17 Management protocol design Two messages: –command –reply Command message –e.g. revoke, re-enable, change quota –static and dynamic rules Defined in XML –signed messages –requires secure transport protocol

18 18 Command and reply server_update cert, chain?, online_test_hash, delete_request*, test_definition*, status_query*, signature server_reply cert_hash, online_test_hash, delete_reply*, test_definition_reply*, status_reply*,service_status, signature

19 19 The end Questions? –(hope not)

Download ppt "Validity Management in SPKI 24 April 2002 (author) (presentation)"

Similar presentations

DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.

DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.
Introduction of Grid Security

Introduction of Grid Security
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.

1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
TeSSA 2 Template © 1999 Juho Heikkilä A Revocation, Validation and Authentication Protocol for SPKI Based Delegation Systems Yki.Kortesniemi, Tero.Hasu.

TeSSA 2 Template © 1999 Juho Heikkilä A Revocation, Validation and Authentication Protocol for SPKI Based Delegation Systems Yki.Kortesniemi, Tero.Hasu.
Access control for IP multicast T-110.557 Petri Jokela

Access control for IP multicast T Petri Jokela
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Similar presentations

Ads by Google