
Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:


Slide 1: Online AAI
José A. Montenegro, GISUM Group, Security Information Section, University of Malaga, Malaga (Spain). Email: monte@lcc.uma.es. Web: www.lcc.uma.es/~monte

Slide 2: AAI?
- Authentication & Authorization Infrastructure. There are several possible designs; we focused on PKI + PMI.
- Development background:
  - PKI: Cert'eM (an online PKI, and more); X.509 ITU-T.
  - PMI: extending Cert'eM (online PMI); X.509 ITU-T.

Slide 3: Online AAI? The CRL problem
- Timeline (diagram): a key is compromised at time T0, a revocation request is made, the revocation takes effect, but the revocation only becomes visible at the next CRL issue at T1. Between T0 and T1 the compromised key can be used dishonestly.
- CRLs are a problem in PKI and the problem is exacerbated in PMI, so it is an AAI issue to take into account. An online AAI is a possible solution.

Slide 4: What is Cert'eM?
- An online PKI, designed and implemented in '98, that tries to solve the CRL problems; the OCSP service had not been developed yet.
- X.509 certificates are usually linked to an X.500 name; the X.509 proposal also allows linking a certificate to an email address (RFC 822).
- Uses an architecture of CAs that satisfies the needs of near-certification.

Slide 5: Cert'eM: Hierarchical Email Nodes (diagram only)

Slide 6: Cert'eM: Certificate Request Information Flow (diagram)
Diagram residue: the hierarchical email nodes c, b.c and a.b.c (Alice's side) and t, s.t and r.s.t (Bob's side), each with its KSU. Queries of the form "alice@a.b.c?" are answered with the certificate C alice@a.b.c, and queries "ca@a.b.c?" with the CA certificate C ca@a.b.c, as the request travels between Bob's KSU and Alice's KSU.

Slide 7: Cert'eM: KSU Elements (diagram)
Diagram residue: the KSU for lcc.uma.es is made up of the Certification Authority (KSU lcc.uma.es), the Certification Server (lcc.uma.es) and the Certification Kernel (lcc.uma.es). The kernel holds the CA private key and the user data, reads and writes X.509 certificates, and services certificate requests (user1@lcc.uma.es ... user6@lcc.uma.es) through a queue of pending, ongoing and closed requests handled by processes 1 to N under a principal process. Certificates are kept as local certificates and cached certificates.

Slide 8: Cert'eM: Protocol ...
- Connection Phase
  C: HELLO [ ]
  S: +OK {the client has permission}
  S: -ERR1 {the client host is not allowed}
  S: -ERR2 {the client is not allowed}
- Transaction Phase
  C: GETCERT
  S: CERT
  S: CERT
  S: +OK, or
  S: -NSC {no such certificate}

Slide 9: ... Cert'eM: Protocol
- Transaction Phase
  S: CERT
  S: CERT
  The search can be local or external. Local = database search. External = use of the cache mechanism and communication between KSUs.
- Termination Phase
  C: EXIT
  S: +OK
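The three protocol phases of slides 8 and 9 (HELLO with +OK/-ERR1/-ERR2, GETCERT answered by CERT lines and +OK or -NSC, EXIT) as an added in-memory simulation; this is example code, not the Cert'eM implementation. Local searches go to the KSU's own database, external ones through a cache and a query to the other KSU; the domains, hosts, client ids and certificate contents are constructed sample data, and rejecting unknown commands with -ERR2 is an assumption the slides do not state.

```python
class KSU:
    def __init__(self, domain, local_certs, allowed_hosts, allowed_clients, remote=None):
        self.domain = domain                         # email domain this KSU serves
        self.local = dict(local_certs)               # database: address -> certificate lines
        self.allowed_hosts = set(allowed_hosts)      # hosts allowed to connect (else -ERR1)
        self.allowed_clients = set(allowed_clients)  # clients allowed to connect (else -ERR2)
        self.cache = {}                              # results of external searches
        self.remote = remote                         # inter-KSU query: address -> lines or None
        self.state = "connect"
    def lookup(self, address):
        """Local search = database; external search = cache, then the other KSU."""
        if address.partition("@")[2] == self.domain:
            return self.local.get(address)
        if address not in self.cache and self.remote is not None:
            cert = self.remote(address)
            if cert is not None:
                self.cache[address] = cert
        return self.cache.get(address)
    def handle(self, client_host, client_id, line):
        """Process one client line and return the server's reply lines."""
        cmd, _, arg = line.strip().partition(" ")
        if self.state == "connect":                  # connection phase
            if client_host not in self.allowed_hosts:
                return ["-ERR1 {the client host is not allowed}"]
            if cmd != "HELLO" or client_id not in self.allowed_clients:
                return ["-ERR2 {the client is not allowed}"]
            self.state = "transaction"
            return ["+OK {the client has permission}"]
        if cmd == "EXIT":                            # termination phase
            self.state = "closed"
            return ["+OK"]
        if cmd == "GETCERT":                         # transaction phase
            cert = self.lookup(arg)
            return [f"CERT {p}" for p in cert] + ["+OK"] if cert else ["-NSC {no such certificate}"]
        return ["-ERR2 {the client is not allowed}"]  # assumed: unknown commands are rejected

def session(ksu, client_host, client_id, commands):
    """Run a client session; return the transcript as (side, line) pairs."""
    transcript = []
    for cmd in commands:
        transcript.append(("C", cmd))
        transcript.extend(("S", r) for r in ksu.handle(client_host, client_id, cmd))
        if ksu.state == "closed":
            break
    return transcript

# Constructed sample: Alice's KSU serves a.b.c; Bob's KSU serves r.s.t and queries it.
KSU_C = KSU("a.b.c", {"alice@a.b.c": ["CONSTRUCTED-ALICE-1", "CONSTRUCTED-ALICE-2"]}, ["ksu.r.s.t"], ["ksu-t"])
KSU_T = KSU("r.s.t", {"bob@r.s.t": ["CONSTRUCTED-BOB-1"]}, ["mail.r.s.t"], ["bob"], remote=KSU_C.lookup)
```

Running `session(KSU_T, "mail.r.s.t", "bob", ["HELLO", "GETCERT alice@a.b.c", "EXIT"])` shows Bob's KSU fetching Alice's certificate from the a.b.c KSU and caching it, so a second request for the same address is served from the cache without another inter-KSU query.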

Slide 10: Cert'eM: Locating KSUs (diagram)
Diagram residue: starting from the address monte@lcc.uma.es, the domain lcc.uma.es is resolved through the names correo.lcc.uma.es and certem-tcp.lcc.uma.es to the KSU address 111.111.222.222.

Slide 11: Cert'eM Conclusion
- guarantees that CAs will only certify those users close to them;
- provides real-time revocation of keys (without the need for CRLs);
- close to S/MIME;
- can provide a quality service to GRIDs;
- lightweight inter-KSU and user-KSU protocol;
- has provided services to several projects we have been involved in (not only a theoretical solution).

Slide 12: X.509 ITU-T PKI
- Developed for a Spanish banking entity (BANESTO) in 2001.
- Using only GPL libraries: OpenSSL, GTK, OpenLDAP.

Slide 13: X.509 ITU-T PMI (I)
- The ITU-T proposal defines four PMI models: General, Control, Role (PERMIS project) and Delegation (our proposal).
- We have extended the OpenSSL library with attribute certificate management and authorization capabilities, because:
  - this library is widely deployed;
  - there was no previous experience with the introduction of attribute certificates in OpenSSL;
  - we wanted to approach privilege delegation procedures (still work in progress);
  - and ... we had already developed a PKI using OpenSSL.

Slide 14: X.509 ITU-T PMI (II) (diagram only)

Slide 15: Extending Cert'eM
- Cert'eM technology applied to authorization + OpenSSL attribute certificates.
- The main elements are the Attribute Certificate Service Units (ACSUs), which integrate attribute certification and management functions:
  - managed by an Attribute Authority;
  - contain a database that stores the attribute certificates of "local" users;
  - handle updating and revocation of certificates and local operations.

Slide 16: AAI scenario (I) (diagram)
Diagram residue: Alice sends Bob the request [Alice@a.b.c, operation]; Bob asks the AAI "Who is the user? & What can he do?" and receives her attribute certificate (AC) and public key certificate (PKC). Message flow:
  1. A -> B: Token Request
  2. B -> AAI: Request AC + PKC
  3. AAI -> B: AC + PKC

Slide 17: AAI scenario (II)
How to link identity and attribute certificates? (diagram only)

Slide 18: Future Work
- Currently working on the delegation model.
- Delegation statements form a directed graph; the directed graph offers a global view of the delegation system.
- The theoretical model applies to PMI, and it works!!!
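The directed-graph view of delegation statements mentioned on slide 18, as an added example that is not the authors' model or code: each delegation statement is an edge from issuer to holder labelled with the privilege and the number of further delegation steps it allows, every valid chain must lead back to the Source of Authority (SOA), and revoked statements break the chain. The principals, privilege name and depth limits are constructed sample data.

```python
from collections import defaultdict

class DelegationGraph:
    """Delegation statements as a directed graph: edge issuer -> holder,
    labelled with the delegated privilege and the further depth it allows."""

    def __init__(self, soa):
        self.soa = soa                      # Source of Authority, root of every valid chain
        self.incoming = defaultdict(list)   # holder -> [(issuer, privilege, depth_left)]
        self.revoked = set()                # revoked statements (issuer, holder, privilege)

    def delegate(self, issuer, holder, privilege, depth_left):
        """Record 'issuer delegates privilege to holder'; depth_left = how many
        further delegation steps the holder may make (0 = end entity only)."""
        self.incoming[holder].append((issuer, privilege, depth_left))

    def revoke(self, issuer, holder, privilege):
        self.revoked.add((issuer, holder, privilege))

    def chain(self, holder, privilege):
        """Return the path SOA -> ... -> holder that justifies the privilege, or None.
        Walk backwards: every statement must be unrevoked, for the same privilege,
        and must allow at least as many steps below its holder as actually exist."""
        def walk(node, steps_below, seen):
            if node == self.soa:
                return [node]
            if node in seen:                # cycle guard
                return None
            for issuer, priv, depth_left in self.incoming[node]:
                if priv != privilege or (issuer, node, priv) in self.revoked:
                    continue
                if steps_below > depth_left:
                    continue
                path = walk(issuer, steps_below + 1, seen | {node})
                if path is not None:
                    return path + [node]
            return None
        return walk(holder, 0, frozenset())

    def holders(self, privilege):
        """Global view of the graph: every principal that currently holds the privilege."""
        return sorted(h for h in self.incoming if self.chain(h, privilege) is not None)

# Constructed sample: the SOA lets an AA delegate 'sign-orders' one further step.
G = DelegationGraph("SOA")
G.delegate("SOA", "AA", "sign-orders", 1)
G.delegate("AA", "alice@a.b.c", "sign-orders", 0)
G.delegate("alice@a.b.c", "bob@r.s.t", "sign-orders", 0)  # alice was not allowed to delegate
```

`G.chain("bob@r.s.t", "sign-orders")` is None because alice's statement had no delegation depth left, while `G.holders("sign-orders")` lists exactly the principals with a valid chain back to the SOA.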

Slide 19: Thank you. Any questions?
José A. Montenegro, GISUM Group, Security Information Section, University of Malaga, Malaga (Spain). Email: monte@lcc.uma.es. Web: www.lcc.uma.es/~monte

Slide 20: AAI: Relation to TACAR ... (diagram)
Diagram residue: TACAR (ca@tacar.org) sits above the two trees: on one side the nodes c, b.c and a.b.c with Alice's KSU and ACSU, on the other the nodes t, s.t and r.s.t with Bob's KSU and ACSU. Queries "ca@c?" are answered with the certificate C ca@c and queries "ca@t?" with C ca@t.

Slide 21: ... AAI: Relation to TACAR
- Remember that a CA belongs to the upper level: the certificates of domains c and t are stored in TACAR.
- TACAR is the common root of the "a.b.c" and "r.s.t" trees.
- How to locate TACAR? The same way as any KSU/ACSU node. Add the ca.c@tacar.org and ca.t@tacar.org certificates to TACAR.

