
International Telecommunication Union
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
Geneva, 9(pm)-10 February 2009

Identification Services as provided by directories (X.500 incl. X.509)

Erik Andersen, Consultant, Andersen's L-Service
Q.11/17 Rapporteur
[email protected], www.x500.eu


Why listen to this presentation?

- How identification services relate to security
- How directories relate to identification services
- Why X.500 (and LDAP) is an obvious answer to identification services


About the X.500 directory specification

- First edition in 1988
- Been under continuous expansion since to meet new requirements
- Developed in collaboration with ISO/IEC JTC1/SC6
- Within ISO/IEC known as the ISO/IEC 9594 multipart standard
- Many highly skilled people have participated during the years


About the X.500 directory specification (cont.)

- Six editions so far – the seventh edition on its way
- Consists of 10 parts (incl. X.509)
- Defines a naming structure that allows unique naming of all entities
- Support for distribution and replication
- Lightweight Directory Access Protocol (LDAP) is a dear child of X.500 (uses the X.500 model)


Identity and security

IT Security comprises many things:
- Physical attacks
- Hacker attacks
- Spam
- Denial of service
- Fraud by employees
- ...
- Identity related security issues


Identity Related Security Issues

Related to:
- Information about people and other entities
- Access to systems and services
- Accounts
- Authorisation
- Software code


Identity Management (IdM)

- Identity Management (IdM) includes Identification Services
- It is much in focus within ITU-T Study Group 17 and other committees
- Considered an important aspect of Next Generation Network (NGN)
- Not a new issue


X.500 is (part of) IdM

We have been in the Identity Management (IdM) business since 1984.

We got a head start!


Butler Group report

X.500/LDAP is the basis for most current IdM implementations
- In the industry often called Identity and Access Management (IAM)


Butler Group list

Aladdin, BMC, Bull Evidian, CA, Entrust, IBM, Microsoft, Novell, Oracle, RSA, Sun

- They all use LDAP as a major component in their IdM solutions
- X.509 also plays a major role for authentication


Other vendors

- Isode
- Siemens
- eB2Bcom
- Critical Path
- Etc.


The requirement for authentication

- Before giving access to services and information, the identity of the accessing entity must be established
- Different levels of authentication
- The required level depends on
  - Sensitivity of service or information
  - Whether interrogation or update


Scope of X.500 identity services

- Storage of identity information
- Protection of the information in the directory
- Use of X.509 capabilities outside directories (e.g. required by SSL, used by SAML2, etc.)


Storing identity information in the Directory Information Tree

[Diagram: a Directory Information Tree with Root at the top; country entries c=DK and c=GB; organisations o=Fallit A/S, o=ALS and o=Broke Ltd; organisational units ou=Salg and ou=Udvikling; and leaf entries cn=Ole Jensen and cn=Per Yde. Each entry represents an object.]

Example name, read from the leaf entry up to the root:
Name = { cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK }


Protecting Directory Identity Information


Levels of authentication

X.500 allows the following means of authentication:
- None
- Directory Name
- Directory Name and Password
- Simple Authentication and Security Layer (SASL) (also used by LDAP)
- SPKM - Simple Public-Key Mechanism
- Strong authentication (use of X.509)


Use of Password

- Password is widely used for identity authentication
- If transmitted over an encrypted connection (e.g. SSL) and stored encrypted in the directory, it gives a reasonable protection in many situations
- Work on password management and policy is in progress within X.500, to be also ported to LDAP
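The two conditions on the slide, an encrypted transport and no cleartext password at rest, in working form. This is an added example, not code from the presentation or from any X.500/LDAP product: the {SSHA} layout follows the RFC 2307 convention that LDAP servers accept for userPassword, while the {X-PBKDF2-SHA256} layout and its scheme name are constructed for this example; a value with no recognised scheme prefix is treated as cleartext and refused.

```python
"""Added example: storing and checking a directory userPassword value."""
import base64
import hashlib
import hmac
import os
import ssl
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Legacy LDAP {SSHA}: base64(SHA-1(password || salt) || salt).
    Kept for interoperability; a slow salted KDF is the better choice today."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pbkdf2_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Constructed layout {X-PBKDF2-SHA256}iterations$salt$hash (salt and hash base64)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "{X-PBKDF2-SHA256}%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a bind password against the stored userPassword value.

    A value without a known scheme prefix is treated as cleartext and rejected,
    so a misconfigured entry fails closed. Comparisons are constant-time."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{X-PBKDF2-SHA256}"):
        iterations, salt_b64, dk_b64 = stored[len("{X-PBKDF2-SHA256}"):].split("$")
        expected = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
        )
        return hmac.compare_digest(base64.b64decode(dk_b64), expected)
    return False  # cleartext or unknown scheme: never accept


def ldap_client_tls_context() -> ssl.SSLContext:
    """TLS settings for the client side of an LDAPS or StartTLS session:
    server certificate and host name verification on, TLS 1.2 as the floor,
    so the password in the bind request never travels in the clear."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

The verifier dispatches on the scheme prefix, which is what lets a directory migrate entries from {SSHA} to a stronger scheme one bind at a time: when a user's {SSHA} value verifies, the server can immediately re-encode the freshly presented password with pbkdf2_encode and store that instead.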


Strong authentication

- Based on electronic signatures
- Requires the presence of a Public Key Infrastructure (PKI)
- ITU-T X.509 is here the key specification


Access Control for Directory information

Who may do what or not do what based on the level of authenticationWho:

Owner of informationSpecific useruser groupall usersSubtree (specific name structure)

What:All information about an entityFragments

LDAP has no access control
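How the naming structure from the DIT slide, the authentication levels and the "who / what" access control above fit together, as an added example that is not part of the presentation and does not reproduce any directory product's access control syntax. It parses string distinguished names in the RFC 4514 form, tests subtree membership, and evaluates deny-by-default rules whose minimum authentication level is taken from the "Levels of authentication" slide; the entry, the HR group and the rules are constructed sample data, and the modify rule shows the "interrogation or update" distinction from the authentication requirement slide.

```python
"""Added example: distinguished names, subtree tests and access control decisions."""

# Authentication levels from the "Levels of authentication" slide, weakest first.
AUTH_LEVELS = ["none", "name", "name+password", "sasl", "spkm", "strong"]


def parse_dn(dn):
    """Split 'cn=Ole Jensen,ou=Salg,o=Fallit A/S,c=DK' into [(type, value), ...], leaf first.
    Backslash escapes are honoured; multi-valued RDNs (a+b=...) are not supported here."""
    if dn == "":
        return []  # the root has the empty name
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def normalise(rdns):
    # Naming attribute values compare case-insensitively (caseIgnoreMatch).
    return [(t, v.casefold()) for t, v in rdns]


def dn_equal(a, b):
    return normalise(parse_dn(a)) == normalise(parse_dn(b))


def is_within_subtree(entry_dn, base_dn):
    """True when entry_dn is base_dn itself or lies beneath it in the DIT."""
    entry, base = normalise(parse_dn(entry_dn)), normalise(parse_dn(base_dn))
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


# Constructed sample data: one group and rules covering each "who" and "what" on the slide.
GROUPS = {"cn=HR,o=Fallit A/S,c=DK": ["cn=Per Yde,ou=Salg,o=Fallit A/S,c=DK"]}
ENTRY_ATTRS = {"cn", "telephoneNumber", "mail", "salary"}  # "*" below means all of these
ACL = [
    # (who, argument),                                  operation, attributes, minimum level
    (("all", None),                                     "read",   {"cn", "telephoneNumber"}, "none"),
    (("subtree", "ou=Salg,o=Fallit A/S,c=DK"),          "read",   {"mail"},                  "name+password"),
    (("owner", None),                                   "modify", {"telephoneNumber", "mail"}, "name+password"),
    (("group", "cn=HR,o=Fallit A/S,c=DK"),              "read",   "*",                       "strong"),
    (("user", "cn=Ole Jensen,ou=Salg,o=Fallit A/S,c=DK"), "read", "*",                       "name+password"),
]


def who_matches(who, requester_dn, target_dn):
    kind, arg = who
    if kind == "all":
        return True
    if requester_dn is None:  # anonymous: only "all users" rules can apply
        return False
    if kind == "owner":
        return dn_equal(requester_dn, target_dn)
    if kind == "user":
        return dn_equal(requester_dn, arg)
    if kind == "group":
        return any(dn_equal(requester_dn, member) for member in GROUPS.get(arg, []))
    if kind == "subtree":
        return is_within_subtree(requester_dn, arg)
    raise ValueError("unknown subject kind %r" % kind)


def permitted_attributes(requester_dn, auth_level, operation, target_dn):
    """Attributes of target_dn the requester may access for the operation; deny by default.
    A rule applies only if the requester authenticated at least at the rule's minimum level,
    so a bare directory name ('name') never unlocks what needs a password or a signature."""
    granted = set()
    for who, op, attrs, min_level in ACL:
        if op != operation or AUTH_LEVELS.index(auth_level) < AUTH_LEVELS.index(min_level):
            continue
        if who_matches(who, requester_dn, target_dn):
            granted |= ENTRY_ATTRS if attrs == "*" else set(attrs)
    return sorted(granted)
```

Because decisions are a union of matching grants over an empty default, adding a rule can only widen access, never narrow it; the place to tighten is the minimum level on each rule, which is exactly the knob the slides describe.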


Levels of protection

- Anything goes
- Protection of individual entries based on right-to-know (traditional access control)
- Protection of individual entries based on right-to-know and need-to-know (service view)
- Protection against information trawling
- Protection against devious searches


Protection by X.509


Basic X.509 Concepts

- Public-key concept
- Public-Key Infrastructure (PKI)
- Privilege Management Infrastructure (PMI)
- Certificates
  - Public-key certificates (part of PKI)
  - Attribute certificates (part of PMI)
- Digital Signatures


Public Key concept

[Diagram: two parties, A and B, each holding a key pair.]
- Encryption using private key A, decryption using public key A
- Encryption using public key B, decryption using private key B


Digital signature

Verifies senderEnsures integrity of messageSigning of

MessagesSoftware codeDocumentsEtc

DATA SignatureAlgo-rithms

Hashingplus

encryptionwith private key


Certifying the identity using public-key certificates

[Diagram: Certification Authority]


Checking the credentials

- A passport is a type of certificate binding a picture to an ID
- Has to be issued by a trustworthy authority
- A passport may be false
- It is checked by the "service provider", also called the relying party
- A certificate is issued by a Certification Authority (CA)


X.509 at work - 1


X.509 at work - 2


Establishing the infrastructure

To validate a certificate a Public-Key Infrastructure (PKI) is required:
- To establish a trust anchor
- To establish a repository for revoked certificates

- X.509 provides a framework for PKI
- Supplementary specifications required


PKI forums and peer groups

- Electronic Signatures and Infrastructures (ESI) by ETSI
- Certification Authority/Browser Forum
- Public-Key Infrastructure (X.509) (PKIX) within IETF


Privilege Management

- Attribute certificates are used for assigning privileges to the holder of the certificate
- The holder is identified, e.g., by a pointer to a public-key certificate
- An attribute certificate is issued by an Attribute Authority (AA)
- A special Privilege Management Infrastructure (PMI) may be established
- Recent work allows privileges established in one domain to be applied in other domains


The challenges

- Extending X.500 support to meet new identity management requirements
- Make the community aware of the X.500 capabilities
- Get new blood into the process
- At times up against the NIH syndrome (NIH – Not Invented Here)


Where to go

The central source for information on the X.500 Directory Standard:
www.x500standard.com

[Logo: Identity Management / X.500]