Slide 1: Identification Services as provided by directories (X.500 incl. X.509)
Erik Andersen, Consultant, Andersen's L-Service, Q.11/17 Rapporteur
era@x500.eu, www.x500.eu
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
International Telecommunication Union, Geneva, 9(pm)-10 February 2009
Slide 2: Why listen to this presentation?
- How identification services relate to security
- How directories relate to identification services
- Why X.500 (and LDAP) is an obvious answer to identification services
Slide 3: About the X.500 directory specification
- First edition in 1988
- Has been under continuous expansion since, to meet new requirements
- Developed in collaboration with ISO/IEC JTC1/SC6
- Within ISO/IEC known as the ISO/IEC 9594 multipart standard
- Many highly skilled people have participated over the years
Slide 4: About the X.500 directory specification (cont.)
- Six editions so far; the seventh edition is on its way
- Consists of 10 parts (incl. X.509)
- Defines a naming structure that allows unique naming of all entities
- Support for distribution and replication
- Lightweight Directory Access Protocol (LDAP) is a dear child of X.500 (uses the X.500 model)
Slide 5: Identity and security
IT security comprises many things:
- Physical attacks
- Hacker attacks
- Spam
- Denial of service
- Fraud by employees
- ...
- Identity related security issues
Slide 6: Identity Related Security Issues
Related to:
- Information about people and other entities
- Access to systems and services
- Accounts
- Authorisation
- Software code
Slide 7: Identity Management (IdM)
- Identity Management (IdM) includes Identification Services
- It is much in focus within ITU-T Study Group 17 and other committees
- Considered an important aspect of Next Generation Network (NGN)
- Not a new issue
Slide 8: X.500 is (part of) IdM
- We have been in the Identity Management (IdM) business since 1984
- We got a head start!
Slide 9: Butler Group report
- X.500/LDAP is the basis for most current IdM implementations
- In the industry often called Identity and Access Management (IAM)
Slide 10: Butler Group list
Aladdin, BMC, Bull Evidian, CA, Entrust, IBM, Microsoft, Novell, Oracle, RSA, Sun
- They all use LDAP as a major component in their IdM solutions
- X.509 also plays a major role for authentication
Slide 11: Other vendors
Isode, Siemens, eB2Bcom, Critical Path, etc.
Slide 12: The requirement for authentication
- Before giving access to services and information, the identity of the accessing entity must be established
- Different levels of authentication
- The required level depends on:
  - Sensitivity of the service or information
  - Whether the access is an interrogation or an update
Slide 13: Scope of X.500 identity services
- Storage of identity information
- Protection of the information in the directory
- Use of X.509 capabilities outside directories (e.g. required by SSL, used by SAML2, etc.)
Slide 14: Storing identity information in the Directory Information Tree
[Figure: a Directory Information Tree (DIT) with a Root node, country entries c=DK and c=GB, organisation entries o=Fallit A/S, o=ALS and o=Broke Ltd, organisational units ou=Salg and ou=Udvikling, and person entries cn=Ole Jensen and cn=Per Yde. Each entry represents an object; the name of one entry is shown as Name = { cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK }.]
Slide 15: Protecting Directory Identity Information
Slide 16: Levels of authentication
X.500 allows the following means of authentication:
- None
- Directory Name
- Directory Name and Password
- Simple Authentication and Security Layer (SASL) (also used by LDAP)
- SPKM - Simple Public-Key Mechanism
- Strong authentication (use of X.509)
Slide 17: Use of Password
- Passwords are widely used for identity authentication
- If transmitted over an encrypted connection (e.g. SSL) and stored encrypted in the directory, a password gives reasonable protection in many situations
- Work on password management and policy is in progress within X.500, to be also ported to LDAP
Slide 18: Strong authentication
- Based on electronic signatures
- Requires the presence of a Public Key Infrastructure (PKI)
- ITU-T X.509 is the key specification here
Slide 19: Access Control for Directory information
- Who may do what, or may not do what, based on the level of authentication
- Who:
  - Owner of the information
  - Specific user
  - User group
  - All users
  - Subtree (specific name structure)
- What:
  - All information about an entity
  - Fragments
- LDAP has no access control
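As an added illustration of slides 14 and 19 (not code from the presentation or from any X.500 or LDAP product): a toy Directory Information Tree where each entry is reached by walking its distinguished name down from the root, plus a simplified read check combining who (owner, user group, all users), a subtree scope, which attributes, and the authentication level of slide 16. The rules, the hr group, the salary attribute and the second Ole Jensen entry under c=GB are constructed for the example.

```python
# Added example, not from the presentation: a toy Directory Information Tree
# (slide 14) with a simplified access-control check (slide 19); names constructed.
def parse_dn(dn):
    # 'cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK' -> root-first list of RDNs
    rdns = [part.strip().split("=", 1) for part in dn.split(",")]
    return [(t.strip().lower(), v.strip()) for t, v in reversed(rdns)]

ROOT = {"attrs": {}, "children": {}}   # the DIT root; entries hang off it by RDN

def add_entry(dn, attrs):
    # Create (or update) the entry at dn, creating missing parent entries.
    node = ROOT
    for rdn in parse_dn(dn):
        node = node["children"].setdefault(rdn, {"attrs": {}, "children": {}})
    node["attrs"].update(attrs)
    return node

def find_entry(dn):
    # A DN is unique: walking it down from the root reaches at most one entry.
    node = ROOT
    for rdn in parse_dn(dn):
        node = node["children"].get(rdn)
        if node is None:
            return None
    return node

def in_subtree(dn, base):
    # True if dn is base itself or lies below it (base is a name prefix).
    d, b = parse_dn(dn), parse_dn(base)
    return d[:len(b)] == b

# Authentication levels of slide 16, weakest to strongest.
LEVELS = {"none": 0, "name": 1, "password": 2, "strong": 3}
# Constructed rules: (who, protected subtree, readable attributes, minimum level).
RULES = [
    ("*", "c=DK", {"cn", "ou"}, "none"),                         # all users
    ("group:hr", "o=Fallit A/S, c=DK", {"salary"}, "password"),  # a user group
    ("owner", "c=DK", "*", "strong"),                            # entry owner
]

def may_read(user_dn, groups, level, target_dn, attr):
    # Grant only if some rule covers target, attribute, requester and auth level.
    for who, base, attrs, min_level in RULES:
        if (not in_subtree(target_dn, base) or (attrs != "*" and attr not in attrs)
                or LEVELS[level] < LEVELS[min_level]):
            continue
        owner = who == "owner" and parse_dn(user_dn) == parse_dn(target_dn)
        if who == "*" or who in groups or owner:
            return True
    return False
```

Note that the two "cn=Ole Jensen" entries never collide, because the full name includes the path from the root, and that a weaker authentication level denies access that the same rule would grant at a stronger level.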
Slide 20: Levels of protection
- Anything goes
- Protection of individual entries based on right-to-know (traditional access control)
- Protection of individual entries based on right-to-know and need-to-know (service view)
- Protection against information trawling
- Protection against devious searches
Slide 21: Protection by X.509
Slide 22: Basic X.509 Concepts
- Public-key concept
- Public-Key Infrastructure (PKI)
- Privilege Management Infrastructure (PMI)
- Certificates:
  - Public-key certificates (part of PKI)
  - Attribute certificates (part of PMI)
- Digital signatures
Slide 23: Public Key concept
[Figure: two parties A and B. Encryption using A's private key, decryption using A's public key; encryption using B's public key, decryption using B's private key.]
Slide 24: Digital signature
- Verifies the sender
- Ensures the integrity of the message
- Signing of: messages, software code, documents, etc.
- Signature algorithms: hashing plus encryption with the private key
[Figure: DATA is passed through the signature algorithm to produce the Signature.]
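An added toy illustration of slides 23 and 24 (not code from the presentation): textbook RSA, with the primes and exponent chosen here as assumptions, showing encryption with B's public key that only B's private key undoes, and a signature built exactly as the slide says, hashing the data and then "encrypting" the hash with A's private key so that A's public key verifies it.

```python
# Added example, not from the presentation: textbook RSA showing the public-key
# concept (slide 23) and "hash, then encrypt the hash with the private key"
# (slide 24). Toy scheme: no padding, fixed keys; real PKI uses PKCS#1/PSS or ECDSA.
import hashlib

def make_key(p, q, e=65537):
    # Public key (e, n); private key (d, n) with d the inverse of e mod phi(n).
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # pow(e, -1, m) needs Python 3.8+

# Fixed Mersenne primes so the example is deterministic (constructed keys).
PUB_A, PRIV_A = make_key(2**61 - 1, 2**89 - 1)
PUB_B, PRIV_B = make_key(2**107 - 1, 2**127 - 1)

def rsa_apply(x, key):
    # The single RSA operation: x^k mod n with the public or the private exponent.
    k, n = key
    return pow(x, k, n)

def encrypt_for(msg, pub):
    # Confidentiality: encrypt with B's public key, only B's private key decrypts.
    m = int.from_bytes(msg, "big")
    if not msg or msg[0] == 0 or m >= pub[1]:
        raise ValueError("toy scheme: message must be short with no leading zero byte")
    return rsa_apply(m, pub)

def decrypt_with(ciphertext, priv):
    m = rsa_apply(ciphertext, priv)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest_int(msg, n):
    # SHA-256 of the data, reduced so it fits the toy modulus (no padding!).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    # Authenticity: hash the data, then 'encrypt' the hash with the signer's
    # private key; anyone holding the matching public key can check it.
    return rsa_apply(digest_int(msg, priv[1]), priv)

def verify(msg, sig, pub):
    # 'Decrypt' the signature with the public key and compare with a fresh hash:
    # a changed message, a changed signature or the wrong key all fail.
    return rsa_apply(sig, pub) == digest_int(msg, pub[1])
```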
Slide 25: Certifying the identity using public-key certificates
[Figure: Certification Authority]
Slide 26: Checking the credentials
- A passport is a type of certificate binding a picture to an ID
- It has to be issued by a trustworthy authority
- A passport may be false
- It is checked by the "service provider", also called the relying party
- A certificate is issued by a Certification Authority (CA)
Slide 27: X.509 at work - 1
[Figure]
Slide 28: X.509 at work - 2
[Figure]
Slide 29: Establishing the infrastructure
- To validate a certificate, a Public-Key Infrastructure (PKI) is required:
  - To establish a trust anchor
  - To establish a repository for revoked certificates
- X.509 provides a framework for PKI
- Supplementary specifications are required
Slide 30: PKI forums and peer groups
- Electronic Signatures and Infrastructures (ESI) by ETSI
- Certification Authority/Browser Forum
- Public-Key Infrastructure (X.509) (PKIX) within IETF
Slide 31: Privilege Management
- Attribute certificates are used for assigning privileges to the holder of the certificate
- The holder is identified, e.g., by a pointer to a public-key certificate
- An attribute certificate is issued by an Attribute Authority (AA)
- A special Privilege Management Infrastructure (PMI) may be established
- Recent work allows privileges established in one domain to be applied in other domains
Slide 32: The challenges
- Extending X.500 support to meet new identity management requirements
- Making the community aware of the X.500 capabilities
- Getting new blood into the process
- At times up against the NIH syndrome (NIH: Not Invented Here)
Slide 33: Where to go
- The central source for information on the X.500 Directory Standard: www.x500standard.com
- Identity Management X.500