SIS: Secure Information Sharing for Windows Systems Osama Khaleel CS526 Semester Project

Post on 19-Dec-2015

SIS: Secure Information Sharing for Windows Systems

Osama Khaleel

CS526 Semester Project

5/1/2006 Okhaleel SIS 2

Introduction

The Internet is the most dominant place for data exchange and information sharing.

Thus, providing a reliable, secure, and easy-to-use system to access critical information is crucial.

Given that password-based access does not meet high-level security requirements, we need a stronger approach to access control.

Goals:

Porting the previous SIS project (Linux/LDAP/Mod_LDAP/Apache) to a Windows system with the necessary improvements.

Providing secure access control based on digital and attribute certificates.

Implementing a flexible and scalable Role Based Access Control (RBAC) model.

Building an Access Control Engine (ACE) for IIS to enforce our RBAC policy. Investigating the framework so that we can build ACEs for Instant Messaging and other network services.

Providing an easy-to-use GUI for creating and managing:
– Public Key Infrastructure (PKI),
– Privilege Management Infrastructure (PMI), and
– RBAC.

The Transformation:

Basically, the working environment will be Windows instead of Linux.

Active Directory (AD) is used instead of an LDAP server.

Microsoft IIS 6.0 replaces the Apache web server.

Improving the RBAC policy enforcement from static If-Else checking to a dynamic XML-based solution.

Testbed Configuration

A testbed has been built to test the SIS system. It consists of four machines:

– Windows Server 2003 with AD (acts as the Domain Controller).
– Windows Server 2003 with IIS 6.0 (acts as a web server).
– Windows XP as a client.
– A gateway running Fedora Core 4 and an iptables-based firewall.

[Figure: SIS Network Topology and IP assignments. Labels in the diagram: Internet; Main switch; Local switch; FC4 gateway with NIC1 128.198.162.50 and NIC2 10.0.0.1; Domain-controller 10.0.0.10; IIS 10.0.0.11; Win-XP 10.0.0.12; 128.198.162.51, 128.198.162.52, 128.198.162.53.]

Main SIS Components:

X.509 Digital Certificate:

– A Public Key Certificate (PKC) is used as a strong means to prove identities. It binds a public key with the holder subject field (Country, State, City, Organization, e-mail, Common-name, …).

– It is signed by the private key of a Certificate Authority (CA), so it can be verified using the known CA’s public key.

Main SIS Components:

Certificate Authority (CA):

– A CA is a trusted entity that is responsible for issuing digital certificates for use by other parties.

– A PKC issued by a CA states that “the CA attests that the public key contained in the certificate belongs to the entity noted in that certificate”.

Main SIS Components:

Attribute Certificate (AC):

– It is a new Internet standard (RFC 3281) that strongly binds a public key with a set of attributes that can specify the holder’s membership, Role, security clearance, or other authorization information.

– In our case, we use ACs to store the role information for the holder.

Main SIS Components:

Active Directory (AD):

– A hierarchical framework of objects used as a directory service to store information about the network resources across a domain.

– It is Microsoft’s implementation of LDAP directory services for use in Windows environments.

– It provides central control for three types of objects: Resources (e.g. printers), Services (e.g. e-mail), and Users (accounts and groups).

– AD is used to maintain user accounts and store Digital and Attribute certificates.

Main SIS Components:

Internet Information Services (IIS 6.0):

– A Web server that provides a reliable, manageable, and scalable Web application infrastructure for Windows Servers.

– SSL mutual authentication based on the client’s digital certificate is used to authenticate users.

– An enhanced HTTP module is used to authorize users based on the Role stored in the corresponding Attribute Certificate.

In detail:

We will provide an Admin Tool that has four primary functions:
– AD management.
– SIS setup.
– RBAC setup and management.
– Certificates management.

We assume that Windows server 2003, Active Directory, and IIS 6.0 are already installed.

Active Directory Management

Initialize the Active Directory.

Create user accounts based on a text file that contains the needed information:
– first name, last name, country, state, organization, e-mail, and
– their role in the organization.

Add, remove, and edit user accounts as needed.

SIS Setup

Create a root CA that will be used to sign issued certificates.

Issue a server certificate for the IIS web server.

Issue digital and attribute certificates for users, and store them in the Active Directory.

The OpenSSL and CryptLib packages have been used in this task.

RBAC Setup & Management

Idea: a flexible way to enforce the role-based access policy, namely, to dynamically check whether a certain ROLE has the required permissions to perform certain OPERATIONS on some RESOURCES.

We have come up with a solution that uses two XML files: Resources and Roles.

RBAC XML files:

Resources.xml:

<Resource>
  <ID> 1 </ID>
  <URI> http://domain/path1 </URI>
  <DESC> description 1 </DESC>
</Resource>

<Resource>
  <ID> 2 </ID>
  <URI> http://domain/path2 </URI>
  <DESC> description 2 </DESC>
</Resource>
...

Roles.xml:

<Role id="manager">
  <operation list="GET, POST"> </operation>
  <Resource list="1,3,4,5,7,8,9"> </Resource>
  <Validity>
    <Days> * </Days>
    <Time> * </Time>
  </Validity>
</Role>

<Role id="TeamLeader">
  <operation list="GET"> </operation>
  <Resource list="1,3,5"> </Resource>
  <Validity>
    <Days> Sun,Tues,Wed </Days>
    <Time> 11:00 am – 5:00 pm </Time>
  </Validity>
</Role>

Certificates Management

Manage issued certificates:
– Update users' digital and attribute certificates.
– Revoke certificates.
– Check certificates' validity dates.

The Big Picture:

[Flowchart: request handling in the IIS SIS Module]

1. A client request arrives at the IIS SIS Module.
2. SSL authenticated? NO: reject.
3. Get the request info and the certificate subject field.
4. Query Active Directory to get the corresponding AC.
5. Does this Role have permissions to perform the operation on the requested resource? NO: reject. YES: grant access.
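The last decision in the flow above (does this Role have permission to perform the operation on the requested resource?), evaluated against the Roles.xml and Resources.xml layout from the RBAC slide. This is an added example in Python, not the project's C# module; the <Roles>/<Resources> root elements, the path3 entry, the hyphen in the time window and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy in the slides' layout. The <Resources>/<Roles>
# root elements are an assumption, added so each file is well-formed XML.
RESOURCES_XML = """<Resources>
 <Resource><ID> 1 </ID><URI> http://domain/path1 </URI><DESC> description 1 </DESC></Resource>
 <Resource><ID> 2 </ID><URI> http://domain/path2 </URI><DESC> description 2 </DESC></Resource>
 <Resource><ID> 3 </ID><URI> http://domain/path3 </URI><DESC> description 3 </DESC></Resource>
</Resources>"""
ROLES_XML = """<Roles>
 <Role id="manager"><operation list="GET, POST"> </operation><Resource list="1,3,4,5,7,8,9"> </Resource>
  <Validity><Days> * </Days><Time> * </Time></Validity></Role>
 <Role id="TeamLeader"><operation list="GET"> </operation><Resource list="1,3,5"> </Resource>
  <Validity><Days> Sun,Tues,Wed </Days><Time> 11:00 am - 5:00 pm </Time></Validity></Role>
</Roles>"""
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order
CLOCK = re.compile(r"(\d{1,2}):(\d{2})\s*(am|pm)", re.I)

def items(text):
    return {t.strip() for t in (text or "").split(",") if t.strip()}

def minutes(text):
    """'5:00 pm' -> minutes since midnight, or None if unparseable."""
    m = CLOCK.fullmatch(text.strip())
    return None if not m else (int(m[1]) % 12 + (12 if m[3].lower() == "pm" else 0)) * 60 + int(m[2])

def in_validity(role, when):
    """Check the role's <Validity> days and time window against datetime `when`."""
    days = (role.findtext("Validity/Days") or "").strip()
    if days != "*" and DAYS[when.weekday()] not in {d[:3].lower() for d in items(days)}:
        return False
    window = (role.findtext("Validity/Time") or "").strip()
    if window == "*":
        return True
    bounds = [minutes(p) for p in re.split(r"\s*[-\u2013]\s*", window)]  # hyphen or en dash
    if len(bounds) != 2 or None in bounds:
        return False  # missing or malformed window: fail closed
    return bounds[0] <= when.hour * 60 + when.minute <= bounds[1]

def authorize(role_id, method, uri, when, roles_xml=ROLES_XML, resources_xml=RESOURCES_XML):
    """Default deny: True only if role_id may perform method on uri at datetime `when`."""
    res_id = next((r.findtext("ID", "").strip() for r in ET.fromstring(resources_xml).iter("Resource")
                   if r.findtext("URI", "").strip() == uri), None)
    role = next((r for r in ET.fromstring(roles_xml).iter("Role") if r.get("id") == role_id), None)
    if res_id is None or role is None:
        return False  # resource not registered, or role unknown
    ops, res = role.find("operation"), role.find("Resource")
    return (ops is not None and res is not None
            and method.upper() in {o.upper() for o in items(ops.get("list"))}
            and res_id in items(res.get("list")) and in_validity(role, when))
```

The URI lookup is an exact string comparison, so the value passed in should be the request URI after the server has canonicalized it; every unknown role, unregistered resource or malformed validity window ends in a reject.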

Conclusion

A secure information sharing system for the Windows environment is being developed, with an admin tool to set up and manage AD, PKI, and RBAC.

Clients are authenticated by the PKCs issued to them, and authorized by the ACs stored in the AD using the RBAC model.

The system can be used as a secure information infrastructure for an emergent taskforce due to the quickness in system setup, and the easy-to-use Admin Tool.

Some learnt lessons:

In terms of the programming language, I have used C# with the Visual C# Express 2005 IDE. Since we are porting to a Windows system, C# is one of the most powerful languages supported in the .NET framework.

At the beginning I used the CryptLib package to deal with certificates. This package generates two kinds of files: (.CER), which contains the certificate, and (.P15), which has the private key in a PKCS#15 structure. But after I had tried to test those certificates, it turned out that MS IE and IIS need a (.P12) kind of file. Thus I switched to the OpenSSL package instead.

Some learnt lessons:

Now, the good thing in CryptLib is that it supports attribute certificates, so I will be using it to deal with ACs.

For the RBAC XML-based solution, I found out that the use of the simple C# XMLReader and XMLWriter is slow, especially for a large file. So, I will use the XPath technique for this task.

As we learned in the certificate assignment, we can specify the certificates we want to allow in the Apache password file by putting the whole subject field in it. So, now I am searching for an equivalent feature in IIS.

Future Work:

Integrating more services in the ACE such as Instant Messaging, E-mail, Wireless access, VOIP …

Enhancing the system to work in a multiple agency environment.

Expanding the system usability to other operating systems.

References:

OpenSSL; a wrapper compiled in binaries (.exe file) from http://www.stunnel.org/download/binaries.html has been used, 2006.

CryptLib package that supports attribute certificates, http://www.cryptlib.com, 2006.

Network Security with OpenSSL by John Viega, Matt Messier, and Pravir Chandra. O’Reilly, First Edition, 2002.

http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html, 2006.

Linux based SIS, by Ganesh Godavari and Edward Chow, http://cs.uccs.edu/~infoshare/doc/smc05/PaperFormatOrg.pdf, 2005.

?