Presentation is loading. Please wait.

Presentation is loading. Please wait.

Providing secure mobile access to information servers with temporary certificates Diego R. López

Published byRussell Shields Modified over 9 years ago

Similar presentations

Presentation on theme: "Providing secure mobile access to information servers with temporary certificates Diego R. López"— Presentation transcript:

1 Providing secure mobile access to information servers with temporary certificates Diego R. López drlopez@cica.es

2 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Introduction Objectives of the system Secure access standards and mobility requirements Temporary (short-lived) certificates Characteristics Loading and issuing System implementation Components Authentication protocol The user’s view Conclusions

3 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es User mobility and secure access l User mobility (not just computer mobility) w Minimal HW/SW requirements w Simplicity of use l Secure access to servers w User authentication w Short-lived “connections”

4 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Secure access standards l Based on SSL/TLS l Server and client exchange X.509 certificates l X.509 certificates are assumed to be w Static Ô Associated with an entity’s identity w Valid in the long term Ô Identity is not often subject to change w Permanently stored by browsers and other information clients

5 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Mobility requirements l A token is used w Removable w Protected by a secret known to the user l Current standard: PKCS#11 w Used by most common clients w Requires specific software and/or hardware

6 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Temporary (short-lived) certificates l Are issued for a short period w Typical validity is a few hours w Time “removes” them l Simplify key generation procedures w Weaker algorithms or shorter key lengths can be employed l Simplify key management procedures w CA key changes only affect servers, not clients

7 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Loading temporary certificates l A loading program authenticates the user w The token contains both Ô The loading program Ô The authentication data l Minimal hardware and software requirements w An (almost) universal token: a diskette w An (almost) universal language: Java

8 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Issuing temporary certificates l An on-line Certification Authority (CA) has to issue the certificate w Validate the authentication data w Analyze user request Ô Server(s) to be accessed Ô Validity period w Issue the certificate

9 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es System components (client side) l An Information Reader (IR): w Any information client able to use X.509 certificates w In the current implementation, Netscape 4.xx l A Temporary Certificate Client (TCC): w Negotiates with the service the session parameters w Starts the IR and initiates key generation procedures w The client JAR file is about 700K

10 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es System components (authentication data) l A PKCS#12 object encrypted with a passphrase w Contains one of the keys (the private key) from a keypair assigned to the user w Included with other configuration data in a text file stored in the token: TCSERVER erika.cica.es:4433:4434 TCS1-CICA URL https://tbidata.cica.es TBI-IDBS TIME 30 USER C=es, O=cica, CN=p4 -----BEGIN CICAP12----- MIIC3AIBAzCABgkqhkiG9w0BBwGggCSABIICvjCCArowggK2Bgsqhki AqCCAqUwggKhMBsGCiqGSIb3DQEMAQYwDQQIrGHBS1QCRGkCAQEEggK XqyG5goN4YYGtiv8/NoLxnRhZG6Jdleybh90uMUmhyaivCxnLFoIKlf XTMohqpPdnl6CS5eF1u8V2dSv9+zAd3jh2E2He1hyWQBeSV7UpHWefb...

11 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es System components (server side) l A Temporary Certificate Sever (TCS) w Acts as a (set of) on-line CA(s) l A directory that holds data pertaining to users w The other key (the public key) from the keypair assigned to the user w Acceptable session parameters w CAs the user can request certificates from

12 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Authentication protocol 5.- Kc2,CA ? 6.- Kc2, CA TCC token 1.- Passphrase 2.-Connect to TCS 3.- Rs 4. Ekc1(Rs,Rc),Kt2 7.-Skca (Kt2) 8.- Acces to information servers Others WWW News E-mail Databases TCSDirectoryIR

13 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es The user’s view

14 Providing secure mobile access to information servers using temporary certificates Diego R. López - drlopez@cica.es Conclusions l Thin-client based approach to information servers access control w Eases user mobility: Ô Practically any host with Internet access can be employed w Simplifies access control management l Open issues w Generalization of the procedures for other IRs w Finer granularity in access control w Token-less authentication protocol (applet)

Download ppt "Providing secure mobile access to information servers with temporary certificates Diego R. López"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.

Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System interfaces Updated: November 2014.

Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System interfaces Updated: November 2014.

Similar presentations

Ads by Google