Online AAI
José A. Montenegro
GISUM Group, Security Information Section
University of Malaga, Malaga (Spain)
Email: [email protected]
Web: www.lcc.uma.es/~monte
AAI?
Authentication & Authorization Infrastructure. Several possibilities exist; we focused on PKI + PMI.
Development background:
PKI: Cert'eM (online PKI) and more ...; X.509 ITU-T
PMI: extending Cert'eM (online PMI); X.509 ITU-T
Online AAI? = the CRL problem
Timeline of a CRL-based revocation: the key is compromised at T0, a revocation request is made, the certificate is revoked at the revocation time, and the CRL announcing it is issued at T1. Until relying parties obtain that CRL the compromised key is still accepted, so the window between T0 and T1 is open to dishonest use.
CRLs are a problem in PKI and the problem is exacerbated in PMI, therefore an AAI issue to take into account.
Online AAI as a possible solution.
What is Cert'eM?
An online PKI, designed and implemented in '98 to solve the problems of CRLs; the OCSP service had not been developed yet.
Email based: X.509 certificates are usually linked to an X.500 name, but the X.509 proposal also allows linking them to an email address (RFC 822).
Uses an architecture of CAs that satisfies the needs of near-certification.
Cert'eM: Hierarchical Email Nodes
Figure: a tree of KSUs that mirrors the email domain hierarchy (e.g. es -> uma.es -> lcc.uma.es), one KSU per node, with end users hanging from the leaf domains.
Cert'eM: Certificate Request Information Flow
Figure: alice (domain a.b.c) requests bob's certificate (domain r.s.t). The request is routed between the KSUs of the two domain chains, c / b.c on alice's side and t / s.t / r.s.t on bob's side.
Cert'eM: KSU Elements
Figure: the Certification Authority of a KSU (KSU lcc.uma.es) consists of a Certification Server (lcc.uma.es) and a Certification Kernel (lcc.uma.es). The Kernel holds the CA private key and has read/write access to the user data and the X.509 certificates. A certificate request passes through the states pending request -> ongoing -> close request (numbered steps 1 to 6 in the figure). The Server runs processes 1 .. N on behalf of principals and answers from two stores: local certificates and cached certificates.
Cert'eM: Protocol ...
Connection phase
C: HELLO [<clientID>]
S: +OK {the client has permission}
S: -ERR1 {the client host is not allowed}
S: -ERR2 {the client <clientID> is not allowed}
Transaction phase
C: GETCERT <userID>
S: CERT <cert> <vs>
S: +OK
or
S: -NSC {no such certificate}
... Cert'eM: Protocol
Transaction phase: S: CERT <cert> <vs>
The search can be local or external. Local = database search. External = use of the cache mechanism and communication between KSUs.
Termination phase
C: EXIT
S: +OK
Cert'eM: Locating KSUs
Figure: DNS lookups (steps <1> and <2>) for the domain lcc.uma.es. The domain itself, its mail host correo.lcc.uma.es and the KSU service name certem-tcp.lcc.uma.es all resolve to the example address 111.111.222.222.
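The pieces from the preceding slides (the CRL problem, the hierarchical nodes, the KSU stores, the three protocol phases and locating a KSU through DNS) fit together in one small model. The following is an added example written for this page, not Cert'eM's own code. It assumes things the slides do not state: a KSU is reached under the DNS name certem-tcp.<domain>, resolved here from a constructed in-memory table instead of real DNS; a certificate is a plain dict; the <vs> field is filled with a hypothetical serial number; the reply to a command sent before HELLO and to an unknown command are made up; and the external search caches only the location of a user's home KSU, never the certificate itself. The users alice@a.b.c and bob@r.s.t and the host ACLs are constructed sample data.

```python
"""Toy Cert'eM-style KSU network: hierarchy, locating a KSU, HELLO/GETCERT/EXIT,
and CRL-free revocation.  Added example, not Cert'eM's code.  Assumptions (not
from the slides): service name certem-tcp.<domain> resolved from a constructed
table, dict certificates, <vs> = hypothetical serial, location-only cache."""
from __future__ import annotations

DNS: dict[str, "KSU"] = {}   # constructed stand-in for DNS: service name -> KSU


def domain_chain(email: str) -> list[str]:
    """'bob@r.s.t' -> ['r.s.t', 's.t', 't']: domains whose KSU may hold the user."""
    labels = email.split("@", 1)[1].split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def locate_ksu(domain: str) -> KSU | None:
    """Locating KSUs: resolve the fixed service name of the domain."""
    return DNS.get("certem-tcp." + domain)


class KSU:
    """One node of the hierarchy: certifies its own users, answers for the rest."""

    def __init__(self, domain: str, allowed_hosts: set[str], allowed_clients: set[str]):
        self.domain = domain
        self.local: dict[str, dict] = {}       # "Local Certificates" store
        self.home_cache: dict[str, str] = {}   # user -> domain of its home KSU
        self.allowed_hosts = allowed_hosts     # constructed ACLs behind -ERR1 / -ERR2
        self.allowed_clients = allowed_clients
        DNS["certem-tcp." + domain] = self

    def issue(self, user: str, pubkey: str, serial: int) -> None:
        # Near-certification: a KSU only certifies users of its own domain.
        if user.split("@", 1)[1] != self.domain:
            raise ValueError(f"{user} is not local to {self.domain}")
        self.local[user] = {"user": user, "pubkey": pubkey, "serial": serial}

    def revoke(self, user: str) -> None:
        # Real-time revocation: the authoritative store is the only source, so the
        # next GETCERT from any KSU answers -NSC; no CRL is issued or fetched.
        self.local.pop(user, None)

    def lookup(self, user: str) -> dict | None:
        if user in self.local:                     # local = database search
            return self.local[user]
        if user in self.home_cache:                # external, location already known
            home = locate_ksu(self.home_cache[user])
            return home.local.get(user) if home else None
        for dom in domain_chain(user):             # external, climb the user's chain
            ksu = locate_ksu(dom)
            if ksu is not None and user in ksu.local:
                self.home_cache[user] = dom        # cache where it lives, not what it is
                return ksu.local[user]
        return None


class Session:
    """Server side of the protocol for one client connection."""

    def __init__(self, ksu: KSU, client_host: str):
        self.ksu, self.host, self.greeted, self.closed = ksu, client_host, False, False

    def handle(self, line: str) -> list[str]:
        parts = line.split()
        cmd = parts[0].upper() if parts else ""
        if cmd == "HELLO":                         # connection phase
            if self.host not in self.ksu.allowed_hosts:
                return ["-ERR1 the client host is not allowed"]
            if len(parts) > 1 and parts[1] not in self.ksu.allowed_clients:
                return [f"-ERR2 the client {parts[1]} is not allowed"]
            self.greeted = True
            return ["+OK"]
        if not self.greeted:                       # assumption: nothing before a good HELLO
            return ["-ERR1 the client host is not allowed"]
        if cmd == "GETCERT" and len(parts) == 2:   # transaction phase
            cert = self.ksu.lookup(parts[1])
            if cert is None:
                return ["-NSC no such certificate"]
            return [f"CERT {cert['pubkey']} {cert['serial']}", "+OK"]
        if cmd == "EXIT":                          # termination phase
            self.closed = True
            return ["+OK"]
        return ["-ERR unknown command"]            # assumption: not in the slides


def getcert(ksu: KSU, client_host: str, client_id: str, user: str) -> dict | None:
    """Client side of the exchange; returns the certificate or None."""
    s = Session(ksu, client_host)
    if s.handle(f"HELLO {client_id}") != ["+OK"]:
        return None
    reply = s.handle(f"GETCERT {user}")
    s.handle("EXIT")
    if reply[-1] != "+OK":
        return None
    _, pubkey, serial = reply[0].split()
    return {"user": user, "pubkey": pubkey, "serial": int(serial)}


def build_network() -> dict[str, KSU]:
    """Constructed sample: the two trees of the figures, a.b.c/b.c/c and r.s.t/s.t/t."""
    DNS.clear()
    net = {d: KSU(d, {"host." + d}, {"alice", "bob"})
           for d in ("c", "b.c", "a.b.c", "t", "s.t", "r.s.t")}
    net["a.b.c"].issue("alice@a.b.c", "PK_alice", 1)
    net["r.s.t"].issue("bob@r.s.t", "PK_bob", 7)
    return net


if __name__ == "__main__":
    net = build_network()
    print(getcert(net["a.b.c"], "host.a.b.c", "alice", "bob@r.s.t"))   # bob's certificate
    net["r.s.t"].revoke("bob@r.s.t")
    print(getcert(net["a.b.c"], "host.a.b.c", "alice", "bob@r.s.t"))   # None: revoked at once
```

The cache decision is the security-relevant one. Caching the certificate itself at alice's KSU would recreate the CRL window from the timeline above, because bob's revocation would not be seen until the cached copy expired; caching only the home KSU's location keeps every answer authoritative while still saving the walk through the hierarchy. The slides do not say what Cert'eM caches or for how long, so this choice is the example's, not the system's.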
Cert'eM Conclusion
Guarantees that CAs will only certify those users close to them;
provides real-time revocation of keys (without the need of CRLs);
close to S/MIME;
can provide quality service to GRIDs;
lightweight protocol, both inter-KSU and user-KSU;
has provided services to several projects we have been involved in (not only a theoretical solution).
X509 ITU-T PKI
Developed for a Spanish banking entity (BANESTO) in 2001.
Built using only open-source libraries: OpenSSL, GTK, OpenLDAP.
X509 ITU-T PMI (I)
The ITU-T proposal defines four PMI models: General, Control, Role (PERMIS project) and Delegation (our proposal).
We have extended the OpenSSL library with attribute certificate management and authorization capabilities, because:
- this library is widely deployed;
- there was no previous experience with the introduction of attribute certificates in OpenSSL;
- we wanted to approach privilege delegation procedures (we are still on the way); and
- we had already developed a PKI using OpenSSL.
X509 ITU-T PMI (II)
Extending Cert'eM
Cert'eM technology applied to authorization + OpenSSL attribute certificates.
The main elements are the Attribute Certificate Service Units (ACSUs), which integrate attribute certification and management functions:
- managed by an Attribute Authority;
- contain a database to store the attribute certificates of "local" users;
- handle updating and revocation of certificates and local operations.
AAI scenario (I)
Figure: Alice sends Bob a token [[email protected], operation] signed by Alice (S_Alice). Bob asks the AAI: who is the user, and what can he do?
1 A -> B: Token
2 B -> AAI: Request
3 AAI -> B: AC + PKC
AAI scenario (II)
How to link identity and attribute certificates?
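The standard answer, which the slides leave open, is the X.509 one (also RFC 5755): the attribute certificate's holder field names the public-key certificate by its issuer and serial number, so the AC is bound to one key rather than to a name that a second PKC could also carry. The following added example (not the project's code) works through the three-step scenario of the previous slide with that linkage and shows the checks Bob performs before answering "who is the user" and "what can he do". It assumes certificates are dicts with a signed "tbs" part, a constructed CA ca@c, AA aa@c, user alice@a.b.c, policy, nonce and validity times, and it stands in for a real signature scheme with a textbook RSA toy on fixed Mersenne primes and no padding, which is not secure and only exists so the example runs without third-party libraries (Python 3.8+ for the modular inverse).

```python
"""AAI scenario: token from Alice, AC + PKC from the AAI, decision by Bob.
Added example, not the project's code.  AC -> PKC link per X.509 / RFC 5755
(holder = PKC issuer + serial).  Signatures are an INSECURE textbook RSA toy;
CA, AA, user, policy, nonce and validity values are constructed."""
import hashlib
import json

E = 65537
POLICY = {"read": "operator", "shutdown": "admin"}   # constructed: operation -> role needed


def toy_keypair(p: int, q: int):
    """Textbook RSA toy (no padding, fixed primes): returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _digest(obj) -> int:
    return int.from_bytes(hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest(), "big")


def toy_sign(priv, obj) -> int:
    n, d = priv
    return pow(_digest(obj) % n, d, n)


def toy_verify(pub, obj, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(obj) % n


def authorize(token, sig, pkc, ac, trust, policy, now):
    """Bob's decision.  Returns (allowed, reason); the reason names the failing check."""
    # Who is the user?  A trusted CA vouches for the key and the token is signed with it.
    ca = trust["ca"].get(pkc["tbs"]["issuer"])
    if ca is None or not toy_verify(ca, pkc["tbs"], pkc["sig"]):
        return False, "PKC signature"
    if pkc["tbs"]["subject"] != token["user"]:
        return False, "PKC subject mismatch"
    if not toy_verify(tuple(pkc["tbs"]["pubkey"]), token, sig):
        return False, "token signature"
    # What can he do?  A trusted AA vouches for the attributes, and the AC's holder
    # must name exactly this PKC; otherwise the AC was issued to someone else's key.
    aa = trust["aa"].get(ac["tbs"]["issuer"])
    if aa is None or not toy_verify(aa, ac["tbs"], ac["sig"]):
        return False, "AC signature"
    if ac["tbs"]["holder"] != {"issuer": pkc["tbs"]["issuer"], "serial": pkc["tbs"]["serial"]}:
        return False, "AC holder does not name this PKC"
    not_before, not_after = ac["tbs"]["validity"]
    if not not_before <= now <= not_after:
        return False, "AC outside validity"
    needed = policy.get(token["operation"])
    if needed is None or needed not in ac["tbs"]["attributes"].get("role", []):
        return False, "attribute does not grant operation"
    return True, "ok"


def build_scenario():
    """Constructed CA, AA and user keys, Alice's PKC and AC, Bob's trust anchors."""
    ca_pub, ca_priv = toy_keypair(2**127 - 1, 2**107 - 1)
    aa_pub, aa_priv = toy_keypair(2**89 - 1, 2**61 - 1)
    alice_pub, alice_priv = toy_keypair(2**521 - 1, 2**31 - 1)
    pkc_tbs = {"issuer": "ca@c", "serial": 17, "subject": "alice@a.b.c",
               "pubkey": list(alice_pub)}
    ac_tbs = {"issuer": "aa@c", "serial": 3, "holder": {"issuer": "ca@c", "serial": 17},
              "attributes": {"role": ["operator"]}, "validity": [1000, 2000]}
    return {
        "ca_priv": ca_priv, "alice_priv": alice_priv,
        "pkc": {"tbs": pkc_tbs, "sig": toy_sign(ca_priv, pkc_tbs)},
        "ac": {"tbs": ac_tbs, "sig": toy_sign(aa_priv, ac_tbs)},
        "trust": {"ca": {"ca@c": ca_pub}, "aa": {"aa@c": aa_pub}},
    }


def run_scenario(operation: str, now: int = 1500):
    """1 A -> B: token.  2 B -> AAI: request.  3 AAI -> B: AC + PKC.  Then Bob decides."""
    s = build_scenario()
    token = {"user": "alice@a.b.c", "operation": operation, "nonce": 42}
    sig = toy_sign(s["alice_priv"], token)
    aai = {"alice@a.b.c": (s["ac"], s["pkc"])}          # constructed AAI store
    ac, pkc = aai[token["user"]]
    return authorize(token, sig, pkc, ac, s["trust"], POLICY, now)


if __name__ == "__main__":
    print(run_scenario("read"))        # (True, 'ok')
    print(run_scenario("shutdown"))    # (False, 'attribute does not grant operation')
```

The order of checks matters: the PKC is validated before the token signature so that an attacker cannot make Bob do signature work under an untrusted key, and the holder comparison comes after the AA signature check because the holder field is part of what the AA signed, so it cannot be edited to point at a different PKC without the AC signature failing first.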
Future Work
Currently working on the delegation model.
Delegation statements establish a directed graph; directed graphs offer a global vision of the delegation system.
The theoretical model applies to PMI, and it works!
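What the "global vision" of a directed graph buys you can be shown with a small model. The following is an added example, not the delegation model the slide refers to. Each delegation statement is an edge from issuer to holder carrying one attribute and a flag saying whether the holder may delegate it further; an entity effectively holds the attribute only if a chain of such edges leads back to the Source of Authority (SOA) and every intermediate entity on the chain was allowed to delegate. Evaluating at query time instead of at insertion time is what makes revocation impact computable. The SOA aa@c, the attribute "operator" and the entities alice@a.b.c, bob@r.s.t, carol@t and dave@c are constructed.

```python
"""Delegation statements as a directed graph.  Added example, not the project's
model.  Edge = (issuer -> holder, attribute, may_delegate).  Effective holders
are computed from the SOA at query time.  All names below are constructed."""
from __future__ import annotations
from collections import defaultdict, deque


class DelegationGraph:
    def __init__(self, soa: str):
        self.soa = soa
        self.edges: dict[str, list[tuple[str, str, bool]]] = defaultdict(list)

    def delegate(self, issuer: str, holder: str, attr: str, may_delegate: bool = False) -> None:
        # Statements are recorded as made; whether they are effective is decided at
        # query time, since the issuer's own authority may be revoked later.
        self.edges[issuer].append((holder, attr, may_delegate))

    def revoke(self, issuer: str, holder: str, attr: str) -> None:
        self.edges[issuer] = [e for e in self.edges[issuer] if (e[0], e[1]) != (holder, attr)]

    def holders(self, attr: str, without: tuple[str, str] | None = None):
        """BFS from the SOA.  Returns holder -> (may delegate further, chain from SOA).
        without=(issuer, holder) evaluates the graph as if that edge were revoked."""
        best = {self.soa: (True, [self.soa])}
        frontier = deque([self.soa])
        while frontier:
            node = frontier.popleft()
            for holder, a, may in self.edges[node]:
                # the SOA's authority never derives from a delegate (cycles back are ignored)
                if a != attr or holder == self.soa or (node, holder) == without:
                    continue
                prev = best.get(holder)
                if prev is None or (may and not prev[0]):
                    best[holder] = (may, best[node][1] + [holder])
                    if may:            # only entities allowed to delegate are expanded
                        frontier.append(holder)
        return best

    def holds(self, entity: str, attr: str) -> bool:
        return entity in self.holders(attr)

    def chain(self, entity: str, attr: str) -> list[str] | None:
        return self.holders(attr).get(entity, (False, None))[1]

    def revocation_impact(self, issuer: str, holder: str, attr: str) -> set[str]:
        """Who would lose attr if issuer revoked its statement to holder."""
        return set(self.holders(attr)) - set(self.holders(attr, without=(issuer, holder)))


def build_sample() -> DelegationGraph:
    """Constructed PMI: aa@c is the SOA for the 'operator' attribute."""
    g = DelegationGraph("aa@c")
    g.delegate("aa@c", "alice@a.b.c", "operator", may_delegate=True)
    g.delegate("aa@c", "dave@c", "operator")                           # direct, not delegable
    g.delegate("alice@a.b.c", "bob@r.s.t", "operator")                 # bob may not pass it on
    g.delegate("alice@a.b.c", "dave@c", "operator", may_delegate=True) # second path to dave
    g.delegate("bob@r.s.t", "carol@t", "operator", may_delegate=True)  # ineffective: bob cannot delegate
    g.delegate("dave@c", "aa@c", "operator", may_delegate=True)        # cycle back to the SOA
    return g


if __name__ == "__main__":
    g = build_sample()
    print(g.chain("bob@r.s.t", "operator"))                     # ['aa@c', 'alice@a.b.c', 'bob@r.s.t']
    print(g.revocation_impact("aa@c", "alice@a.b.c", "operator"))  # {'alice@a.b.c', 'bob@r.s.t'}
```

Two things fall out of the graph view that a per-certificate check cannot give: a statement made by someone who was never entitled to delegate (bob to carol) is simply ineffective rather than an error to be hunted down later, and revoking one statement reports exactly who loses the privilege while entities with an alternative chain (dave, who is also certified directly by the SOA) keep it, though possibly with reduced rights to delegate.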
Thank you
Any question?
José A. Montenegro, GISUM Group, Security Information Section, University of Malaga, Malaga (Spain)
Email: [email protected]
Web: www.lcc.uma.es/~monte
AAI: Relation to TACAR (TERENA Academic CA Repository) ...
Figure: two trees, a.b.c / b.c / c (alice) and r.s.t / s.t / t (bob), each node carrying a KSU and an ACSU, with TACAR ([email protected]) as the common node above the roots c and t. The queries ca@c? and ca@t? are answered with the CA certificates C_ca@c and C_ca@t.
... AAI: Relation to TACAR
Remember that a CA belongs to the upper level: the CAs of domains c and t are stored in TACAR.
TACAR is the common root of the "a.b.c" and "r.s.t" trees.
How to locate TACAR? The same way as any other KSU/ACSU node: add the [email protected] and [email protected] certificates to TACAR.