Online AAI - PowerPoint PPT Presentation

Provided by: bic93
Learn more at: http://www.terena.org

Transcript and Presenter's Notes

1
Online AAI
  • José A. Montenegro
  • GISUM Group
  • Security Information Section
  • University of Malaga
  • Malaga (Spain)

Email: monte@lcc.uma.es   Web: www.lcc.uma.es/monte
2
AAI?
  • Authentication and Authorization Infrastructure
  • Several possibilities exist
  • We focused on PKI and PMI
  • Development background:
    • PKI: CerteM (online PKI and more); X.509 ITU-T
    • PMI: extending CerteM (online PMI); X.509 ITU-T

3
Online AAI? CRL problem
[Figure: timeline along a "Time" axis, with ticks T0 and T10, showing the delay between a revocation and its appearance in a CRL]
The CRL problem exists in PKI and is exacerbated in PMI, so it is an AAI issue to take into account; an online AAI is a possible solution.
4
What is CerteM?
  • Online PKI
  • Designed and implemented in 1998
  • Tries to solve the problems of CRLs
  • The OCSP service had not been developed yet
  • Email based
  • X.509 is usually linked to an X.500 name
  • The X.509 proposal allows linking to an email address (RFC
    822)
  • Uses an architecture of CAs that satisfies the needs
    of near-certification

5
CerteM Hierarchical Email Nodes
6
CerteM Certificate Request Information Flow
7
CerteM KSU Elements
8
CerteM Protocol
  • Connection Phase
  • C: HELLO <clientID>
  • S: OK {the client has permission}
  • S: -ERR1 {the client host is not allowed}
  • S: -ERR2 {the client <clientID> is not allowed}
  • Transaction Phase
  • C: GETCERT <userID>
  • S: CERT <cert> <vs>
  • S: OK
  • or
  • S: -NSC {no such certificate}

9
CerteM Protocol
  • Transaction Phase
  • S: CERT <cert> <vs>
  • The search can be local or external
  • Local: database search
  • External: use of a cache mechanism and
    communication between KSUs
  • Termination Phase
  • C: EXIT
  • S: OK

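The three phases above, as an added example that is not part of the original slides or of the CerteM code: a KSU-side responder in Python. The host and client allow-lists and the certificates are constructed sample data, and reading the <vs> field as the certificate's validity status is an assumption.

```python
# Added example (not the CerteM project's code): a KSU-side responder for the
# CerteM exchange on slides 8 and 9. Hosts, client IDs and certificates are
# constructed sample data; reading <vs> as a validity status is an assumption.

ALLOWED_HOSTS = {"111.111.222.222"}          # constructed allow-list of client hosts
ALLOWED_CLIENTS = {"ksu-lcc", "mua-monte"}   # constructed allow-list of client IDs
LOCAL_DB = {"monte@lcc.uma.es": ("CERT-MONTE", "valid"),
            "bob@lcc.uma.es": ("CERT-BOB", "revoked")}   # userID -> (cert, vs)


def external_search(user_id):
    # Constructed stand-in for querying the KSU of another domain.
    return {"alice@a.b.c": ("CERT-ALICE", "valid")}.get(user_id)


class KSUSession:
    """One client session: connection -> transaction -> termination phase."""

    def __init__(self, client_host):
        self.client_host = client_host
        self.cache = {}            # answers already fetched from other KSUs (slide 9)
        self.phase = "connection"

    def lookup(self, user_id):
        # Local database first, then the cache, then an external KSU search (cached).
        entry = LOCAL_DB.get(user_id) or self.cache.get(user_id)
        if entry is None:
            entry = external_search(user_id)
            if entry is not None:
                self.cache[user_id] = entry
        return entry

    def handle(self, line):
        """Return the server's reply lines for one client line."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if self.phase == "connection":
            if cmd != "HELLO":
                return ["-ERR expected HELLO"]            # assumption, not on the slides
            if self.client_host not in ALLOWED_HOSTS:
                return ["-ERR1 the client host is not allowed"]
            if arg not in ALLOWED_CLIENTS:
                return ["-ERR2 the client %s is not allowed" % arg]
            self.phase = "transaction"
            return ["OK the client has permission"]
        if cmd == "EXIT":
            self.phase = "terminated"
            return ["OK"]
        if cmd == "GETCERT":
            entry = self.lookup(arg)
            if entry is None:
                return ["-NSC no such certificate"]
            return ["CERT %s %s" % entry, "OK"]       # revocation answered in real time, no CRL
        return ["-ERR unknown command"]                  # assumption, not on the slides
```

A revoked key is reported in the <vs> field of the CERT reply at lookup time, which is the real-time revocation property the conclusion slide claims.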
10
CerteM Locating KSUs
[Figure: locating the KSU responsible for monte@lcc.uma.es. Three lookups are shown, labelled <1>, <2> and <3>: lcc.uma.es → 111.111.222.222; lcc.uma.es → correo.lcc.uma.es → 111.111.222.222; lcc.uma.es → certem-tcp.lcc.uma.es → 111.111.222.222]
11
CerteM Conclusion
  • Guarantees that CAs will only certify those users
    close to them
  • Provides real-time revocation of keys (without
    the need for CRLs)
  • Close to S/MIME
  • Can provide a quality service to GRIDs
  • Lightweight protocol, both inter-KSU and user-KSU
  • Has provided services to several projects we have
    been involved in
  • (not only a theoretical solution)

12
X509 ITU-T PKI
  • Developed for a Spanish banking entity (BANESTO) in
    2001
  • Using only GPL libraries
  • OpenSSL
  • GTK
  • OpenLDAP

13
X509 ITU-T PMI (I)
  • The ITU-T proposal defines four PMI models:
  • General
  • Control
  • Role (PERMIS Project)
  • Delegation (our proposal)
  • We have extended the OpenSSL library with attribute
    certificate management and authorization
    capabilities, because:
  • This library is widely deployed
  • There was no previous experience with the
    introduction of attribute certificates in OpenSSL
  • We wanted to approach privilege delegation
    procedures (we are still on the way)
  • and we had already developed a PKI using OpenSSL

14
X509 ITU-T PMI (II)
15
Extending CerteM
  • CerteM technology applied to authorization
  • OpenSSL attribute certificates
  • The main elements are the Attribute Certificate
    Service Units (ACSUs), which integrate attribute
    certification and management functions
  • Managed by an Attribute Authority
  • Contain a database to store the attribute
    certificates of local users
  • Updating and revocation of certificates are local
    operations

16
AAI scenario (I)
[Figure: Alice@a.b.c requests operation SAlice. Who is the user? What can he do?
1: A → B: Token; 2: B → AAI: Request; 3: AAI → B: AC, PKC]
17
AAI scenario (II)
How link identity and attribute certificates?
18
Future Work
  • Currently working on the delegation model
  • Delegation statements establish directed graphs
  • Directed graphs offer a global view of the delegation system
  • The theoretical model applies to PMI, and it works!

19
Thank you
Any Question?
José A. Montenegro, GISUM Group, Security Information Section, University of Malaga, Malaga (Spain)
Email: monte@lcc.uma.es   Web: www.lcc.uma.es/monte
20
AAI Relation to TACAR
[Figure: two domain trees with TACAR (ca@tacar.org) as their common root. Below TACAR sit domains c and t, then b.c and s.t, then a.b.c and r.s.t; each node has its own KSU and ACSU]
21
AAI Relation to TACAR
  • Remember that the CA belongs to the upper level.
  • Domains c and t are stored in TACAR
  • TACAR is the common root of the a.b.c and r.s.t trees
  • How to locate TACAR?
  • The same way as any other KSU/ACSU node.
  • Add the ca.c@tacar.org and ca.t@tacar.org
    certificates to TACAR