Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.

Published byBrian Cross Modified over 9 years ago

Similar presentations

Presentation on theme: "Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle."— Presentation transcript:

1 Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle

2 Agenda Security and privacy for the Smart Grid Key management standards for the Smart Grid Authentication and authorization standards for the Smart Grid

3 OASIS Standards to be Described SAML: Security Assertion Markup Language – A framework for the exchange of security-related information between trusting parties – The key standard for federated identity systems – Widely used today for cross-domain single sign-on XACML: eXtensible Access Control Markup Language – Language for expressing Access Control Policies – Also defines Network Req/Resp Protocol for Access decisions – Technology and domain-specific profiles SAML 2.0 & XACML 2.0 are also ITU-T Recommendations

4 SAML assertions Assertions are declarations of fact, according to a trusted party XML Format SAML defines assertions about: – Authentication – Attribute – Authorization decision SAML can be extended to express other types of facts Assertions can be digitally signed and/or encrypted All SAML assertions have the same header info

5 SAML Architectural Entities Identity- relying entities Identity- wielding entities Identity- attesting entities Identity data Identity Provider (IdP) User Service Provider (SP)

6 SAML components and how they relate to each other Profiles Combinations of assertions, protocols, and bindings to support a defined use case (also attribute profiles) Bindings Mappings of SAML protocols onto standard messaging and communication protocols Protocols Requests and responses for obtaining assertions and doing identity management Assertions Authentication, attribute, and entitlement information Metadata Configuration data for identity and service providers Authentication Context Detailed data on types and strengths of authentication

7 SAML protocol for getting assertions

8 SAML Features Multiple Web SSO Profiles Robust identity federation and management Identity provider discovery Basic session management and global logout Fine-grained description of authentication mechanisms Standard Attribute Profiles Metadata for simplified configuration Federation with Privacy protections Name Identifier Update Protocol

9 SAML in Web Services Security (WSS) Provides protection of SOAP messages SOAP header element Digital signatures and encryption Greater flexibility than SSL/TLS Supports multiple Security Token types – Username/password – Binary: X.509 and Kerberos – XML: SAML with or without keys

10 Additional SAML Profiles - 1 Metadata Profiles Third-Party Requests Protocol Requesting Authentication Context Shared Credentials Challenge/Response Authentication X.500/LDAP/X.509 Profiles Simplified Digital SIgnatures

11 Additional SAML Profiles - 2 Identity Provider Discovery Service Protocol Kerberos Profiles XSPA (Healthcare) Profile Delegation Restriction SSL/TLS Profiles Identity Assurance

12 What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Superset of Permissions, ACLs, RBAC, etc Ability to use any available information Scales from PDA to Internet Federated policy administration

13 Powerful Policy Expression “Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM” “Salespeople can create orders, but if the total cost is greater that $1M, a supervisor must approve” “Anyone view their own 401K information, but nobody else’s” “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute” “The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.”

14 XACML Benefits Standard Policy Language – Investment protection – Skills reuse Leverage XML tools Policy not in application code – Reduce cost of changes – Consistent application – Enable audit

15 XACML Architecture PDP Decision Application Administration Policy Repository PEP Enforcement Client Authorities Attribute Repositories PDP

16 XACML Current Status XACML 2.0 OASIS Standard – Feb 2005 XACML 3.0 In progress – Core & base profiles currently in 2nd Public Review Administration/delegation {New} Hierarchical resource {Enhanced} Multiple resource {Enhanced} SAML {Enhanced} Digital Signature Privacy RBAC – Additional profiles under development XSPA, Obligation families, Export Compliance, Policy Distribution, Metadata, WS-XACML OGC GeoXACML Standard Profiles and Extends XACML

17 OpenAZ Open Source Project AzAPI – API for requesting access decisions – Not specified by XACML Standard – Multiple languages (Java & C++ so far) – Enable full power of XACML Attribute Manifest Format (AMF) – Specifies attributes needed for access decision – Additional attribute type information for tools Goal is to provide ready to use code examples

18 Authorization API Benefits Needed for call to local PDP – Local PDP required for low latency calls – Inefficient to serialize data to and from XML – XML form not required by the standard Also useful to have standard API for remote requests – Common code to build message API can be used over legacy authorization schemes – JAAC, proprietary, etc. – Facilitates deployment: Application 1 st or Infrastructure 1st

19 The Input Attributes Problem XACML Policies operate on data provided Only PDP sees/evaluates policies What attributes should be provided? Where can attributes be obtained from? How can the proper instance value be obtained?

20 Attribute Manifest File File in XML format identifies attributes to be added to Request Context Name of Attribute, Issuer, datatype, location, access method, other attribute to use as key Not all fields may be present Three usecases: – PDP advertizes required attributes – PIPs are configured to add attributes to Request Context – Policy authoring tools use attribute name & format

21 For More Information OASIS Security Services Technical Committee – http://www.oasis-open.org/committees/security OASIS XACML Technical Committee – http://www.oasis-open.org/committees/xacml OpenAZ Open Source Project – http://www.openliberty.org/wiki/index.php/Main_P age#OpenAz

22 Questions? Jamie.Clark@oasis-open.org Robert.Griffin@rsa.com Hal Lockhart@oracle.com

Download ppt "Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle."

Similar presentations

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
XML Security Standards — Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

XML Security Standards — Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
CS 522 WebServices -Sujeeth Narayan -Ankur Patwa.

CS 522 WebServices -Sujeeth Narayan -Ankur Patwa.
Web services security I

Web services security I
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.

XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Similar presentations

Ads by Google