RELARN2003 19 ????, 2003

About This Presentation

Title:

RELARN2003 19 ????, 2003

Description:

Title: HTTP CGI Last modified by: Ted Lindgreen Created Date: 6/10/1995 5:31:50 PM Document presentation format: A4 Paper (210x297 mm) Other titles – PowerPoint PPT presentation

Number of Views:51

Avg rating:3.0/5.0

Slides: 27

Provided by: uazoneOrg

Learn more at: http://uazone.org

Category:

more less

Transcript and Presenter's Notes

Title: RELARN2003 19 ????, 2003

1
??????????? ???????? ?????????????? ? ???????????
? ??????? ????????????? ? ????????

RELARN2003 19 ????, 2003
Yuri Demchenko, NLnet Labs
ltdemch_at_NLnetLabs.nlgt

2
??????????

?????? ?????????????? (AuthN) ? ???????????
(AuthZ) ? ??????? ? ??????????????? ?????
??????????? ???????????? ?? ?????? XML
?????????? ???????? ?? ?????? ????? (RBAC)
??????? ????????????? ? Liberty Alliance Project
??????? ?????? ?????????????? ?????????????? ?
???????????
??????? ???? ???? ? ????????????
?????????? ??????????

3
AuthN/AuthZ ? ??????? ? ??????????????? ?????

?????? ? ????????????? ???/???????? ????????
??????????????? cookie (SSO)
?????????????????? ??????? ? ?????? ? ???????
???????? ??? ?????????????? ??????? ??? ???????
?????????????
?????????????? ??????????????? ??????? ?
????????????? ????????
????-?????? ? ????-??????????
????????? ???????????????? ?????? ? ??????
????????????
??????????????? (????????????) ??????
???????????? ???????
??????? ?????????????? ????????????? ???????
(IIDS Interactive Intelligent Disctributed
Systems)

4
??????????? ??????????? ???????? AuthN ? AuthZ

????????
????????? ???????/??????? ?? ?????? ??????/????
??????????? ????? ??????? ???????????? ???
????????? ???????????? ???????? ??????
????????? ????????? ???????????? ?????????
??????????
?????????? ? ??????????? ??????????? AuthN/Z
?????????? ???????? ?????????????? (AuthN) ?
??????????? (AuthZ)
?????????????? ? ???????? ???????????
??????????? ????????
??????????????????, ??????????? ? ???????????
?????????? ???????? ?? ?????? ????? ? ????????
???????????? (RBAC)
????????????? ?????????????? ??????????
???????????? (PMI)

5
????? ????????? ???????????? ??????????

???????????? ?????????? ?? ?????? XML ?
???????????? ?????? ??????? ???????????
???????????? ?????? ???????????? (ISO7498-2)
Host-to-host ??? point-to-point security
??????????????? ?? ??????????? Client/server
?????????? ?? ?????????? (connection-oriented) ?
??? (connectionless)
? ????? ?????? ?????? ????????????? ????? (??
?????? PKI)
???????????? ?????????? ?????? XML
???????????? ????? ????????? ??????? ??????????
(End-to-end)
??????????????? ?? ???????? (??? ?????????????
??????)
??????? ? ??????? ???????????? ????? ????
????????????? ? ?????????? ??? ?????????? ??? ??
??????
???????????? ???????? ????? ????????
????????????????? ? ????????????
????????? ????????? ???????????? ? ???????????
??????????

6
?????????? ???????????? XML - ??????????

XML Signature
XML Encryption
?????????? ???????????? (Security Assertions)
SAML (Security Assertion Mark-up Language)
XrML (XML Right Mark-up Language)
XACML (XML Access Control Mark-up Language)
XKMS (XML Key Management Specification)
????????????? ??????????
Web Services Security (WS-Security)
OGSA Security

7
???????? ????? XML-???????

??????????????? ????? ??????????? ???????????
????????? ????? ????????? ??? ?? ??? ? ?????
????????.
XML-???????? ????? ????? ??????? ???????, ???
???? ????????? ????? ?????????? ????? ???????????
? ???????????? ?????????? ?????????? ? ?
????????? ?????
????????? ???????/???????? ????? ????? ??????????
??????????? ?????? ????????? ????? ?????????
????????? ????????? ??????????? ????? ??????
????????? ? ????? ??????????? ???????? ??????
????? ?????????
????????? ???????????? ???????/???????
???????????? ? ????????? ? ??????? ??
????????????? ??????????? ??????????
??????/??????
XML-??????? ???????????? ??????? ???????????? ???
?????????, ?????????? ?? XML
? ????? ?????? ??? ????????? ?????????? ?
?????????

8
????????? XML-???????

ltSignature ID?gt
ltSignedInfogt ltCanonicalizationMethod/gt
ltSignatureMethod/gt (ltReference URI?
gt (ltTransformsgt)? ltDigestMethodgt ltDigestV
aluegt lt/Referencegt) lt/SignedInfogt
ltSignatureValuegt (ltKeyInfogt)? (ltObject ID?gt)
lt/Signaturegt

9
?????????? ??????????? XML-????????????

WS-Security (Web Services Security)
?????????? ? ??????? ????????? SOAP (Simple
Object Access Protocol)
??????????? ????????? ??? ?????????????? ?
???????????, ??????, ?????????? ????????????,
???????????
?????? ??????????????? ?????????/????????? ?
??????? X.509 PKC, SAML, XrML, XCBF
???????? ???????, ??????????
????????? ??? ??????????? ? ???????????? ??????
??????????? ? ??????????? ???????????
????????????? ???-????????
OGSA Security (Open Grid Services Architecture)
????????? ?? ?????? WS-Security
???????????????? ??? ???????? ???????????
??????????? (??)
????????????? ?????????? (credentials) ?
????????? ??????????????? ????????
???????????/???????????, ?????????? ???
?????????? ????????
????????? ???????????? ????????? ? ?????????
??????????? (transitional stateful processes)

10
?????????? ???????? ?? ?????? ?????

RBAC Role Based Access Control
???? ????????? ???????
????? ?????????? ?????? ? ??????? ? ????????????
??????
???????????? RBAC
????? ????????? ? ??????????????
?????????? ?????????? ????-???????????? ?
????-??????????
????????????????
???????????? ??????? ?????????? ???????????
??????????
???????????? ? ????????????? ??????????/????
??????????? ?????????????

11
?????????????? ?????????? ????????????

PMI Privilege Management Infrastructure
???????? ?? ?????? ???????????? ????????? (AC
Attribute Certificate)
?? ????????? ? ??? ?????????? ?????????? X.509
version 4
??? ???????????? ??? ??????????????, ??
???????????? ??? ???????????
PMI ??? ?????? ??? ?????????? RBAC
?? ????????? ??????? ????????????? ???????????? ?
?????? ? ???? ? ????????????
???????????? ????????????? ??????? RBAC,
???????????? ??????????? ??????????? ???? ?
?????????????? ??????????
???????????? ??????? ?????????????
???????? PMI
???????????? ??? ???????? ??????? ? ???????? ??
?????? ?????
??????? ??????????? ????? ??? ????????????? ?
?????????? ??? ?????????????
?????????? ???????? ??? ????????, SOA, ????????
?????, ?????????????, ??.

12
Liberty Alliance ? ??????? ?????????????

Liberty Alliance Project (LAP)
LAP ?????? ??????? ?????????? ?????????????
(identity provider) ? ????? ??????? (trust
circle)
LAP ???????????? ?????? ???????? ?? ?????
??????????????? ? ????????????/???????????,
??????? ????? ??????????? ????????????
????????????? ?? ????????? ????????????????
???????? ????????????
LAP ?????????? SAML ? ????????? ??? ??????
?????????? ? ???????????
LAP ?????????? ??? ?????? ???????, ?????????? ??
PKI ??? ??????-?????????? ????????, ?????
??????????-??????? ? ????? ??????????
???????? ??????? LAP ????????? ?????????????
????????????? ?????????? ?????????????
?????????????? ????????????? ??????????? ?
????????? ??????????? ?????????? ????? ??
???????

13
O??????? ??????? ??? AuthN/AuthZ

??????????? ? ?????? ???????? Internet2, FP5 ?
???????????? ??????? ?????
PERMIS (PrivilEge and Role Management
Infrastructure Standards validation) -
http//www.permis.org/
Shibboleth - http//shibboleth.internet2.edu/
A-Select - http//a-select.surfnet.nl/
FEIDE (Federated Identity for Education) -
http//www.feide.no/
PAPI - http//www.rediris.es/app/papi/index.en.htm
l
SPOCP - http//www.spocp.org/

14
??????? ???? ???? ? ????????????

LJG, EGEE and RDIG
Technologies for GRID promotion, experience
exchange, implementaion
Virtual Organisations reality vs virtuality
Security technologies for modern networking
infrastrcuture and applications
Terminology on GRID and Security
GLORIAD Project http//www.gloriad.org/
Mailing lists Gloriad_at_gloriad.org -
closedDiscussion_at_gloriad.org - open

15
?????????? ??????????

XML Web Services
WS-Security
OGSA basics
OGSA Security

16
??????????? ?? ?????? XML Web Service

???????? ?? ?????? WSDL (Web Services Description
Language)
????? ??????????? ? ??????? SOAP ??? ??????
?????????? HTTP, SMTP, TCP, etc.
?????????? ? ????? ??????????? UDDI

???-?????? ??????????? ???????,
???????????????? URI, ????????? ???????? ???????
??????? and bindings ??????????? ??? ?????? XML.
?????? ??????????? ??????? ????? ???????????? ?
????????????????? ? ???-????????? ? ????????????
? ?? ????????? ?? ?????? ?????????????
XML-????????? ??????????? ?????????? ????????.
17
?????? ???????????? Web Services

Security token types
Username/password
X.509 PKC
SAML
XrML
XCBF

WS-Security describes how to attach signature
and encryption headers to SOAP messages. In
addition, it describes how to attach security
tokens, including binary security tokens such as
X.509 certificates, SAML, Kerberos tickets and
others, to messages. Core Specification - Web
Services Security SOAP Message
Security http//www.oasis-open.org/committees/down
load.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf
18
WS-Security ?????????? ? ??????? SOAP

URI http//schemas.xmlsoap.org/ws/2002/04/secext
???????????? ????, ???????????? ? WS-Security
SOAP S http//www.w3.org/2001/12/soap-envelo
pe
XML Digital Sign ds http//www.w3.org/2000/0
9/xmldsig
XML Encryption xenc http//www.w3.org/2001/04/xmle
nc
XML/SOAP Routing m http//schemas.xmlsoap.org
/rp
WSSL wsse
http//schemas.xmlsoap.org/ws/2002/04/secext

???????? ????????????
????????? ?????????? ????????? ??????????/????????
???
??????????? ????????????? ?????????/??????????
????? ?????????

19
Open Grid Services Architecture (OGSA)

WSDL extensions to describe specifics of Grid
Services
Defines new portType - GridService
Provides mechanism to create Virtual Organisation
Provides mechanism to create transient services -
Factories
Provides soft-state registration of GSH -
Registry
Grid services can maintain internal state for the
lifetime of the service. The existence of state
distinguishes one instance of a service from
another that provides the same interface.
OGSA services can be created and destroyed
dynamically
Grid Service is assigned globally (persistent)
unique name, the Grid service handle (GSH)
Grid services may be upgraded during their
lifetime and referenced by Grid (dynamic) service
reference (GSR)

20
??????????? ???????????? OGSA Security

????????? ?? ?????? WS-Security

21
Proxy Certificate Profile

Impersonation used for Single-Sign-On and
Delegation
Unrestricted Impersonation
Restricted Impersonation defined by policy
Proxy with Unique Name
Allows using in conjunction with Attribute Cert
Used when proxy identity is referenced to 3rd
party, or interact with VO policy
Limited validity time approx. 24 hours
Proxy Certificate (PC) properties
It is signed by either an X.509 End Entity
Certificate (EEC), or by another PC. This EEC or
PC is referred to as the Proxy Issuer (PI).
It can sign only another PC. It cannot sign an
EEC.
It has its own public and private key pair,
distinct from any other EEC or PC.
It has an identity derived from the identity of
the EEC that signed the PC.
Although its identity is derived from the EEC's
identity, it is also unique.
It contains a new X.509 extension to identify it
as a PC and to place policies on the use of the
PC. This new extension, along with other X.509
fields and extensions, are used to enable proper
path validation and use of the PC.

22
Reference PKI Basics

PKI (Public Key Infrastructure) ??????????????
???????? ?????? (???)
????????? ????????????? (??? ???????????,
distinguished name) ???????? ? ??? ????????
??????
?????? ??? ?????????? ????????? ????? (???, PKC
- Public Key Certificate)
CRL Certificate Revocation List
?????????? ???
Identification Service (IS)
Registration Authority (RA)
Certification Authority (CA)
Certificate Repository (CR), normally built on
LDAP

23
Reference PKC vs AC Purposes

X.509 PKC binds an identity and a public key
AC is a component of X.509 Role-based PMI
AC contains no public key
AC may contain attributes that specify group
membership, role, security clearance, or other
authorisation information associated with the AC
holder
Analogy PKC is like passport, and AC is like
entry visa
PKC is used for Authentication and AC is used for
Authorisation
AC may be included into Authentication message
PKC relies on Certification Authority and AC
requires Attribute Authority (AA)

24
PKC vs AC Certificates structure