
Page 1

Online AAI

José A. Montenegro
GISUM Group, Security Information Section
University of Malaga
Malaga (Spain)
Email: monte@lcc.uma.es
Web: www.lcc.uma.es/~monte

Page 2

AAI?

Authentication & Authorization Infrastructure. There are several possibilities; we focused on PKI + PMI.

Development background:
- PKI: Cert'eM (online PKI, and more ...); X.509 ITU-T PKI
- PMI: extending Cert'eM (online PMI); X.509 ITU-T PMI

Page 3

Online AAI? = the CRL problem

[Figure: timeline from T0 to T1. At T0 the key is compromised; the revocation request follows; the revocation only becomes visible to relying parties when the next CRL is issued, at T1. The whole interval from the compromise to the CRL issue is a window of dishonest use: anyone still holding the previous CRL keeps accepting the certificate.]

CRLs are a problem in PKI and the problem is exacerbated in PMI, so it is an AAI issue to take into account.

Online AAI as a possible solution.
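The window in the figure can be made concrete with a small simulation. The following Python is an added example, not code from the original slides or from Cert'eM: a CA that processes revocation requests as they arrive but publishes a CRL only every `crl_period` time units, one relying party that trusts its current CRL, and one that asks the CA online at validation time. The time units, the period and the serial numbers are constructed for the example.

```python
"""CRL latency versus online status: the dishonest-use window of Page 3 (added example)."""
from dataclasses import dataclass, field


@dataclass
class CertificationAuthority:
    """Authoritative revocation state. Revocation requests are processed as they arrive,
    but a CRL is only published at multiples of `crl_period` (constructed time units)."""
    crl_period: int
    revoked: dict = field(default_factory=dict)   # serial -> time the revocation was processed

    def revoke(self, serial, at):
        self.revoked[serial] = at

    def crl_at(self, t):
        """The CRL a relying party holds at time t: the last one issued at or before t,
        listing only the revocations processed by that issue time."""
        issue_time = (t // self.crl_period) * self.crl_period
        return {s for s, rt in self.revoked.items() if rt <= issue_time}

    def is_revoked_online(self, serial, t):
        """What an online status query (OCSP, or a Cert'eM GETCERT) sees at time t."""
        return serial in self.revoked and self.revoked[serial] <= t


def crl_accepts(ca, serial, t):
    """Relying party that validates only against the CRL it currently holds."""
    return serial not in ca.crl_at(t)


def online_accepts(ca, serial, t):
    """Relying party that asks the CA at validation time."""
    return not ca.is_revoked_online(serial, t)


def next_crl_issue(ca, t):
    """First CRL issue time at or after t (ceiling to the period)."""
    return -(-t // ca.crl_period) * ca.crl_period


def exposure(ca, serial, compromised_at):
    """Windows during which each kind of relying party still accepts a compromised
    certificate: from the compromise (T0 on the slide) until the verifier learns of it.
    Returns {'online': (start, end), 'crl': (start, end)}; end is exclusive."""
    requested_at = ca.revoked[serial]
    return {
        "online": (compromised_at, requested_at),                  # closes when the request is processed
        "crl": (compromised_at, next_crl_issue(ca, requested_at)),  # closes at the next CRL issue (T1)
    }


if __name__ == "__main__":
    ca = CertificationAuthority(crl_period=10)
    ca.revoke("0x1001", at=13)        # key compromised at t=8, the owner reports it at t=13
    for t in (8, 13, 19, 20):
        print(t, "crl:", crl_accepts(ca, "0x1001", t), "online:", online_accepts(ca, "0x1001", t))
    print(exposure(ca, "0x1001", compromised_at=8))
```

With a period of 10 and a revocation processed at 13, the CRL-only verifier keeps accepting the certificate up to time 19 and only rejects it at the issue at 20, while the online verifier rejects it from 13; shortening the CRL period narrows the window but never closes it, which is the case for an online service the slides make.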

Page 4

What is Cert'eM?

- An online PKI, designed and implemented in '98, that tries to solve the CRL problems. OCSP had not been developed yet.
- Email-based: X.509 certificates are usually linked to an X.500 name, but the X.509 proposal also allows linking them to an email address (RFC 822).
- Uses an architecture of CAs that satisfies the needs of near-certification (each CA certifies only the users close to it).

Page 5

Cert'eM: Hierarchical Email Nodes

[Figure: a tree of KSUs, one per email domain, following the domain hierarchy: es at the top, uma.es below it, lcc.uma.es below that, and the end users as the leaves of the tree.]

Page 6

Cert'eM: Certificate Request Information Flow

[Figure: alice, whose KSU serves domain a.b.c, requests the certificate of bob, whose KSU serves domain r.s.t. The query ("bob's certificate?") climbs alice's branch (a.b.c, b.c, c), crosses to bob's branch and descends it (t, s.t, r.s.t); the certificate travels back along the same chain of KSUs.]

Page 7

Cert'eM: KSU Elements

[Figure: the Certification Authority of KSU lcc.uma.es is made of two parts.

Certification Server (lcc.uma.es): a principal process and worker processes 1..N handle the certificate requests, keeping queues of pending, ongoing and closed requests, each entry keyed by the requesting user's address; it holds the cache certificates and the local certificates.

Certification Kernel (lcc.uma.es): holds the CA private key, the user data and the X.509 certificates, with read/write access to them.

Numbered arrows 1 to 6 trace the path of one certificate request between server and kernel, from reception to the closed queue.]

Page 8

Cert'eM: Protocol ...

Connection phase
  C: HELLO [<clientID>]
  S: +OK      {the client has permission}
  S: -ERR1    {the client host is not allowed}
  S: -ERR2    {the client <clientID> is not allowed}

Transaction phase
  C: GETCERT <userID>
  S: CERT <cert> <vs>
  S: +OK
  or
  S: -NSC     {no such certificate}

Page 9

... Cert'eM: Protocol

Transaction phase
  S: CERT <cert> <vs>

The search can be local or external. Local = database search. External = use of the cache mechanism and communication between KSUs.

Termination phase
  C: EXIT
  S: +OK
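The three phases above, as an added Python example (not code from the original slides or from the Cert'eM implementation): a KSU server handling one client session over an already-established connection, with a local database, a cache and a forwarding hook that stands for the communication between KSUs, plus the client side of the same protocol, which is what one KSU uses to query another. The host and client allowlists, the certificate strings, and the reading of `<vs>` as a validity-status field are assumptions; so are the replies to commands sent before HELLO and to unknown verbs, which the slides do not specify.

```python
"""Cert'eM KSU text protocol (HELLO / GETCERT / EXIT) as an in-memory server (added example)."""


class KSUServer:
    """Answers one client session. The transport (TCP, locating the KSU) is assumed to exist;
    `session` receives the peer host and the client's command lines."""

    def __init__(self, allowed_hosts, allowed_clients, local_certs, cache=None, forward=None):
        self.allowed_hosts = set(allowed_hosts)      # hosts permitted to connect (-ERR1 otherwise)
        self.allowed_clients = set(allowed_clients)  # client IDs permitted to connect (-ERR2 otherwise)
        self.local_certs = dict(local_certs)         # userID -> (cert, vs): the local database
        self.cache = dict(cache or {})               # userID -> (cert, vs): certificates fetched earlier
        self.forward = forward                       # callable(userID) -> (cert, vs) or None: inter-KSU query

    def lookup(self, user_id):
        """Local search first, then the cache, then an external search through other KSUs."""
        if user_id in self.local_certs:
            return self.local_certs[user_id]
        if user_id in self.cache:
            return self.cache[user_id]
        if self.forward is not None:
            found = self.forward(user_id)
            if found is not None:
                self.cache[user_id] = found          # remember externally obtained certificates
                return found
        return None

    def session(self, client_host, commands):
        """Run the connection, transaction and termination phases; return the server's replies."""
        replies, connected = [], False
        for line in commands:
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            if verb == "HELLO":
                # Connection phase: host check first, then the optional <clientID>
                if client_host not in self.allowed_hosts:
                    replies.append("-ERR1 the client host is not allowed")
                    break
                if arg and arg not in self.allowed_clients:
                    replies.append("-ERR2 the client %s is not allowed" % arg)
                    break
                connected = True
                replies.append("+OK")
            elif not connected:
                replies.append("-ERR HELLO required")    # assumption: not defined on the slides
                break
            elif verb == "GETCERT":
                # Transaction phase: CERT <cert> <vs> followed by +OK, or -NSC
                found = self.lookup(arg)
                if found is None:
                    replies.append("-NSC no such certificate")
                else:
                    cert, vs = found
                    replies.append("CERT %s %s" % (cert, vs))
                    replies.append("+OK")
            elif verb == "EXIT":
                replies.append("+OK")                    # Termination phase
                break
            else:
                replies.append("-ERR unknown command")   # assumption: not defined on the slides
        return replies


def getcert_via(server, own_host, user_id):
    """Client side of the protocol, used here for the inter-KSU query: run a full session
    against `server` and parse the CERT line. Returns (cert, vs) or None."""
    for reply in server.session(own_host, ["HELLO", "GETCERT " + user_id, "EXIT"]):
        if reply.startswith("CERT "):
            _, cert, vs = reply.split(" ", 2)
            return cert, vs
    return None


def demo():
    """Two KSUs: lcc.uma.es answers bob from its database and fetches carol from uma.es."""
    upstream = KSUServer(["ksu.lcc.uma.es"], [], {"carol@uma.es": ("cert(carol@uma.es)", "VALID")})
    local = KSUServer(
        allowed_hosts=["pc.lcc.uma.es"],
        allowed_clients=["alice@lcc.uma.es"],
        local_certs={"bob@lcc.uma.es": ("cert(bob@lcc.uma.es)", "VALID")},
        forward=lambda uid: getcert_via(upstream, "ksu.lcc.uma.es", uid),
    )
    return local.session("pc.lcc.uma.es", [
        "HELLO alice@lcc.uma.es", "GETCERT bob@lcc.uma.es", "GETCERT carol@uma.es",
        "GETCERT dave@nowhere", "EXIT"])


if __name__ == "__main__":
    for reply in demo():
        print("S:", reply)
```

Because the host check precedes the client check, a connection from a host outside the allowlist is refused with -ERR1 before any client identifier is examined, and a refused HELLO ends the session: no transaction-phase command is processed on an unauthorised connection.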

Page 10

Cert'eM: Locating KSUs

[Figure: the KSU serving alice@lcc.uma.es is located from the domain part of her address, through the name service, in three steps: (1) lcc.uma.es -> 111.111.222.222; (2) correo.lcc.uma.es, the domain's mail host -> 111.111.222.222; (3) certem-tcp.lcc.uma.es, the Cert'eM service name -> 111.111.222.222. The email address alone is enough to find the KSU.]

Page 11

Cert'eM Conclusion

- guarantees that CAs will only certify those users close to them;
- provides real-time revocation of keys (without the need for CRLs);
- close to S/MIME;
- can provide quality service to GRIDs;
- lightweight protocol, both inter-KSU and user-KSU;
- has provided services to several projects we have been involved in (not only a theoretical solution).

Page 12

X.509 ITU-T PKI

Developed for a Spanish banking entity (BANESTO) in 2001, using only open-source libraries: OpenSSL, GTK, OpenLDAP.

Page 13

X.509 ITU-T PMI (I)

The ITU-T proposal defines four PMI models: General, Control, Role (used by the PERMIS project) and Delegation (our proposal).

We have extended the OpenSSL library with attribute certificate management and authorization capabilities, because:
- this library is widely deployed;
- there was no previous experience with the introduction of attribute certificates in OpenSSL;
- we wanted to approach privilege delegation procedures (still in progress); and
- we had already developed a PKI using OpenSSL.

Page 14

X.509 ITU-T PMI (II)

Page 15

Extending Cert'eM

Cert'eM technology applied to authorization + OpenSSL attribute certificates.

The main elements are the Attribute Certificate Service Units (ACSUs), which integrate attribute certification and management functions:
- managed by an Attribute Authority;
- contain a database storing the attribute certificates of "local" users;
- perform updating and revocation of certificates and local operations.

Page 16

AAI scenario (I)

[Figure: Alice, Bob and the AAI. Alice sends Bob a token [Alice's address, operation] signed by Alice (S_Alice). Bob asks the AAI "Who is the user? & What can he do?" and receives Alice's attribute certificate (AC) and public-key certificate (PKC).]

1. A -> B: Token
2. B -> AAI: Request
3. AAI -> B: AC + PKC

Page 17

AAI scenario (II)

How are identity and attribute certificates linked?

Page 18

Future Work

Currently working on the delegation model.

Delegation statements form a directed graph; directed graphs offer a global view of the delegation system.

The theoretical model applies to PMI, and it works!

Page 19

Thank you

Any questions?

José A. Montenegro
GISUM Group, Security Information Section
University of Malaga, Malaga (Spain)
Email: monte@lcc.uma.es
Web: www.lcc.uma.es/~monte

Page 20

AAI: Relation to TACAR ...

[Figure: TACAR sits above two otherwise independent trees. On the left, domain c, then b.c, then a.b.c, where alice is an end user; on the right, domain t, then s.t, then r.s.t, where bob is an end user. Every domain node has a KSU (identity certificates) paired with an ACSU (attribute certificates). The queries "ca@c?" and "ca@t?" are answered by TACAR with the certificates C_ca@c and C_ca@t.]

Page 21

... AAI: Relation to TACAR

Remember that a CA's certificate belongs to the upper level: the certificates of domains c and t are stored in TACAR.

TACAR is the common root of the "a.b.c" and "r.s.t" trees.

How to locate TACAR? The same way as any other KSU/ACSU node.

Add the ca@c and ca@t certificates to TACAR.
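The request flow of Page 6 and the TACAR root of Pages 20 and 21 together, as an added Python example (not code from the slides or from Cert'eM): a tree of KSUs named after their domains with TACAR as the root, where each node answers from its local database, then from its cache, and otherwise forwards the request up towards the common root and down into the branch that contains the target. CA certificates are stored one level up from the domain they certify, as Page 21 states, so a request for ca@t is routed to TACAR. The domain names follow the slides; the certificate strings, the rule that only the requesting KSU caches the answer, and the remark that ACSUs would be routed identically are assumptions.

```python
"""Routing a Cert'eM certificate request through the KSU hierarchy rooted at TACAR (added example)."""

ROOT = "TACAR"


class KSU:
    """One node of the hierarchy: the KSU of one e-mail domain, or the TACAR root.
    (An ACSU holding attribute certificates would be routed exactly the same way.)"""

    def __init__(self, domain, parent=None):
        self.domain = domain
        self.parent = parent
        self.children = {}
        self.local_certs = {}   # userID -> certificate; strings stand in for X.509 objects
        self.cache = {}         # certificates obtained from other KSUs
        if parent is not None:
            parent.children[domain] = self

    def serves(self, domain):
        """True if `domain` lies in this node's subtree; the root serves every domain."""
        return self.parent is None or domain == self.domain or domain.endswith("." + self.domain)


def parent_domain(domain):
    """Domain one level up; top-level labels such as 'c' or 't' hang off TACAR."""
    return domain.split(".", 1)[1] if "." in domain else ROOT


def target_domain(user_id):
    """Which KSU holds the certificate for `user_id`. End users are certified by their own
    domain's KSU; a CA's certificate (local part 'ca') is kept one level up (Page 21)."""
    local, domain = user_id.split("@", 1)
    return parent_domain(domain) if local == "ca" else domain


def ca_chain(user_id):
    """CA certificates needed to validate `user_id`, from its issuer up to a CA held by TACAR."""
    domain = user_id.split("@", 1)[1]
    chain = []
    while domain != ROOT:
        chain.append("ca@" + domain)
        domain = parent_domain(domain)
    return chain


def resolve(start, user_id):
    """GETCERT issued at `start`. Local database, then cache, then forwarding: up to the parent
    while the target lies outside this subtree, then down the child whose domain covers it.
    Returns (certificate or None, list of KSU domains visited)."""
    target = target_domain(user_id)
    path, node, cert = [], start, None
    while node is not None:
        path.append(node.domain)
        if user_id in node.local_certs:
            cert = node.local_certs[user_id]
            break
        if user_id in node.cache:
            cert = node.cache[user_id]
            break
        if node.domain == target:
            break                                   # responsible KSU reached: no such certificate
        if not node.serves(target):
            node = node.parent                      # climb towards the common root
            continue
        node = next((c for c in node.children.values() if c.serves(target)), None)
    if cert is not None and len(path) > 1:
        start.cache[user_id] = cert                 # assumption: the requesting KSU caches the answer
    return cert, path


def build_demo_tree():
    """The two trees of Page 20 under the TACAR root, with alice in a.b.c and bob in r.s.t."""
    root = KSU(ROOT)
    c, t = KSU("c", root), KSU("t", root)
    bc, st = KSU("b.c", c), KSU("s.t", t)
    abc, rst = KSU("a.b.c", bc), KSU("r.s.t", st)
    nodes = {n.domain: n for n in (root, c, t, bc, st, abc, rst)}
    for ca_domain in ("c", "t", "b.c", "s.t", "a.b.c", "r.s.t"):
        # each CA certificate is stored at the parent KSU; ca@c and ca@t end up in TACAR
        nodes[parent_domain(ca_domain)].local_certs["ca@" + ca_domain] = "cert(ca@%s)" % ca_domain
    abc.local_certs["alice@a.b.c"] = "cert(alice@a.b.c)"
    rst.local_certs["bob@r.s.t"] = "cert(bob@r.s.t)"
    return nodes


if __name__ == "__main__":
    tree = build_demo_tree()
    print(resolve(tree["a.b.c"], "bob@r.s.t"))      # travels a.b.c, b.c, c, TACAR, t, s.t, r.s.t
    print(resolve(tree["a.b.c"], "bob@r.s.t"))      # second time answered from a.b.c's cache
    for ca_id in ca_chain("bob@r.s.t"):
        print(ca_id, resolve(tree["a.b.c"], ca_id))
```

A request that crosses from alice's tree to bob's always passes through TACAR, which is why the two trees need no direct trust relationship: validating bob's certificate from a.b.c means fetching ca@r.s.t from s.t, ca@s.t from t and finally ca@t from TACAR, the same place a.b.c's own chain terminates.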