An Introduction to Public Key Infrastructure PKI

1

Distributed Security Architectures
Lawrence Berkeley National Laboratory PI Mary
Thompson Senior Researchers Srilekha Mudumbai,
Abdelilah Essiari
2
Motivation

• Widely distributed computing environments,
  collaborative research environments
• Resources, stakeholders and users are all
  distributed
• Spanning organizational as well as geographical
  boundaries, e.g., DOE Collaboratories, Grids
• Requires a flexible and secure way for
  stakeholders to remotely specify access control
  for their resources
• Requires a flexible but secure way to identify
  users and their attributes

3
Goals

• Access based on policy statements made by
  stakeholders
• Handle multiple independent stakeholders for a
  single resource
• Use Public Key Infrastructure standards to
  identify users and create digitally signed
  certificates
• Leverage off of GSI or SSL authenticated
  connections and use X.509 certificates to
  securely identify users.
• Emphasize usability

4
Approach

• Emphasize usability features
• Public Key Infrastructure (PKI) facilitates
• digitally signed documents for user Identity
  (X.509)
• digitally signed documents for policy
  (UseConditions)
• digitally signed documents for user attributes
• Flexible Architecture

5
Major Challenge is usability

• Usability is critical
• Policy and attributes must be easy for
  stakeholders to generate
• Authorized users must gain access easily
• Non-authorized users must be strongly rejected.
• Designing a authorization system with distributed
  stakeholders and heterogeneous users that is
  simple to use is a major challenge
• Provide a variety of mechanisms to set and review
  policy

6
Public Key Infrastructure State of the Art

• Provides a uniform way for different
  organizations to identify people or other
  entities through X.509 identity certificates
  containing public keys.
• These certificates and keys can be used though
  secured connections (SSL) to positively
  establish the identity of the entities on the
  connection.
• The keys can be used to provide digital
  signatures on documents. The authors and
  contents of signed documents can be verified at
  the time of use.
• Public Key Infrastructure is beginning to be
  widely deployed in terms of organizations running
  Certificate Authorities.

7
Akenti Authorization

• Minimal local Policy Files (authorization files)
  Who to trust, where to look for certificates.
• Based on the following digitally signed
  certificates
• X.509 certificates for user identity and
  authentication
• UseCondition certificates containing stakeholder
  policy
• Attribute certificates in which a trusted party
  attests that a user possesses some attribute,
  e.g. training, group membership
• Can be called from any application that has an
  authenticated users identity certificate and a
  unique resource name, to return that users
  privileges with respect to the resource.

8
Certificate Management

• Users need to generate signed certificates and
  store them in Web accessible places
• Akenti needs to know where to search for
  certificates
• Once a certificate is found, Akenti will cache it
  for a a time not to exceed that specified by the
  stakeholder.

9
Akenti Server Architecture
Cache Manager
Fetch Certificate
DN
Resource Server
Client
Akenti
DN
DN
Identity (X509) certificate on behalf of the user.
Log Server
Internet
Use condition or attribute certificates
LDAP
File Servers
Database Server
Web Server
DN
Identity certificates
Certificate Servers
10

Akenti Certificate Management
Stakeholders
S3
S4
S1
S2
Certificate Generator
C4(S4)
C1(S1)
C2(S2)
C3(S3)
Certificate Servers
Akenti
Hash Generator
Search based on resource name, user DN, and
attribute
11
Required Infrastructure

• Certificate Authority to issue identity
  certificates (required)
• SSLeay provides simple CA for testing
• Netscape CA - moderate cost and effort
• Enterprise solutions - Entrust, Verisign,
• Method to check for revocation of identity
  certificates (required)
• LDAP server - free from Univ. of Mich.. Or comes
  with Netscape CA
• Certificate Revocation lists - supported by most
  CAs
• Network accessible ways for stakeholders to store
  their certificates (optional)
• Web servers
• MSQL web accessible data bases

12
Vulnerabilities

• Primarily denial of service.
• Distributed certificates might not be available
  when needed.
• Independent stakeholders may create a policy that
  is inconsistent with what they intend. Easy to
  deny all access.

13
Collaborations

• Was used by the Diesel Combustion Collaboratory
  to control remote job execution, electronic
  notebooks, and Web based data archive.
• Currently working with the Fusion Collaboratory
  to provide authorization policy for remote job
  access and data access.
• Plan to provide an Akenti authorization server as
  part of the DOE Science Grid infrastructure, for
  applications to experiment with.

14
Significant Results

• Deploy Akenti as a standalone server acting as a
  trusted third party on the DOE Science Grid.
  YR-1
• Expand Use Conditions to include dynamic
  variables such as time-of-day, originating IP
  address, state variables. YR-2
• Integration with GSI YR 1 2
• recognize delegated certificates
• integrate without callouts to Akenti
  authorization
• Add restricted delegation - probably in the form
  of authorization (capability) certificates