RELARN2004 3 ????, 2004

About This Presentation

Title:

RELARN2004 3 ????, 2004

Description:

Title: HTTP CGI Last modified by: Yuri Demchenko Created Date: 6/10/1995 5:31:50 PM Document presentation format: A4 Paper (210x297 mm) Other titles – PowerPoint PPT presentation

Number of Views:64

Avg rating:3.0/5.0

Slides: 45

Provided by: uazoneOrg

Learn more at: http://www.uazone.org

Category:

more less

Transcript and Presenter's Notes

Title: RELARN2004 3 ????, 2004

1
?????????? ? ???????? ??????????????????
?????????????? ? ???????????

RELARN2004 3 ????, 2004
Yuri Demchenko, University of Amsterdam
ltdemch_at_science.uva.nlgt

2
??????????

??????????? ?????????????? (AuthN) ? ???????????
(AuthZ) ? ??????? ? ??????????????? ?????
???????? ??????????
??????????? ???????? AuthN/AuthZ ? Grid
???????????? ??????? ??????????????
?????????????? ? ???????????
?????????????? ?????????????? ??????????????
A-Select
??????? ???????? (Collaboratory.nl, EGEE)
?????????? ??????????
??????????? ???????????? ?? ?????? XML

3
AuthN/AuthZ ? ??????? ? ??????????????? ?????

?????? ? ????????????? ???/???????? ????????
??????????????? cookie (SSO)
?????????????????? ??????? ? ?????? ? ???????
???????? ??? ?????????????? ??????? ??? ???????
?????????????
????????, ???????????? ???????? ??? ??????? ??
?????????????? ??????????????? ??????? ?
????????????? ????????
????-?????? ? ????-??????????
????? ??????????????/????????
????????? ???????????????? ?????? ? ??????
????????????
?????? ?????? (SSO Single Sign On) ? ?????????
???????
?????????? ?????????????/?????????????? ?
?????????? ????????

4
??????????? AuthN/AuthZ ? Grid

??????????? ???????????
????????? ???????????????? ?????? ? ??????
????????????
?????? ????? ???? ???????????????, ?????????? ?
?????????
?????????? ? ?????????????, ??????????? ? ???????
???????????? ???????
????????????? ??????-?????????????
(proxy-credentials) ? ?????????????
??????????? ??????????? (??)
??????? ???????????? ??? ? ? ????????
???????????? (??), ?? ??????????? ???????????
?? ??? ??????????? ????-??????
??????????? ??????????? ? ?????????????
?????? ????? ????? ???????? ?? ?????? ??
??????????????? ???????? ???????????? ????? ?? ?
??

5
??????????? ??????????? ???????? AuthN ? AuthZ

?????????? ? ??????????? ??????????? AuthN/Z
?????????? ???????? ?????????????? (AuthN) ?
??????????? (AuthZ)
?????????????? ? ????????/?????? ???????????
??????????? ????????
??????????????????, ??????????? ? ???????????
?????????? ???????? ?? ?????? ????? (RBAC Role
Based Access Control) ? ????????????? ????????
????????????
????????
????????? ???????/??????? ?? ?????? ??????/????
??????????? ????? ??????? ???????????? ???
????????? ???????????? ???????? ??????
????????? ????????? ???????????? ?????????
??????????
??????? ??????????
LDAP ?????????? ? ?????????????? ??? ??????????
?????? ? ?????????????
??????????? ??????? ???????????

6
????????????? LDAP ? ???????? AuthN/AuthZ

????????? ???????????? ?????? ? LDAP
Person (RFC2256), organisationalPerson (RFC2256),
InetOrgPerson (RFC2798)
EduPerson ?????????? ??? ??????????????
???????????

?????????????? ???????? EduPerson (????? 43)
eduPersonAffiliation
eduPersonNickname
eduPersonOrgDN
eduPersonOrgUnitDN
eduPersonPrimaryAffiliation
eduPersonPrincipalName
eduPersonEntitlement
eduPersonPrimaryOrgUnitDN

???????? ???????? Person objectClass

sn/surName
cn/commonName
givenName
uid, displayName
userPassword
x500uniqueIdentifier
userCertificate
userSMIMECertificate
userPKCS12

postalAddress
o/organizationName
ou/organizationalUnitName
st/stateOrProvinceName
l/localityName
c/country
title,employeeType
mail
photo

7
???????????? ?????????? ?? ?????? XML ?
???????????? ?????? ??????? ???????????

???????????? ?????? ??????? ????????????
(ISO7498-2)
Host-to-host ??? point-to-point ????????????
??????????????? ?? ??????????? ??????/??????
??????????????? ?? ?????????? (connection-oriented
) ? ??? ?????????? (connectionless)
? ????? ?????? ?????? ????????????? ????? (??
?????? PKI)
???????????? ?????????? ?? ?????? XML
???????????? ????? ????????? ??????? ???
???????????? (end-to-end)
??????????????? ?? ???????? (??? ?????????????
??????)
??????? ? ??????? ???????????? ????? ????
????????????? ? ?????????? ??? ?????????? ??? ??
??????
???????????? ?????????? WS-Security ????????????
???????????? ????? ??????? ?????????????????
???????? ? ???????? ????????????
????????? ????????? ???????????? ? ???????????
?????????? ????????????

8
?????????? ???????? ?? ?????? ?????

RBAC Role Based Access Control
???? ????????? ??????? ? ??????????
?????/??????????
????? ?????????? ?????? ? ??????? ? ????????????
??????
???????????? RBAC
????? ????????? ? ??????????????
?????????? ?????????? ????-???????????? ?
????-??????????
???????????????? ? ????????
???????????? ??????? ?????????? ???????????
??????????
???????????? ? ????????????? ??????????/????
????? ???? ????? ???????? ?????????? ???
???????????? ????? ? ?? ???????
???????? ????????? ?????????????

9
?????????????? ?????????? ????????????

PMI Privilege Management Infrastructure
(ISO/IEC 10181-3)
???????? ?? ?????? ???????????? ????????? (AC
Attribute Certificate)
?? ????????? ? ??? ?????????? ?????????? X.509
version 4
??? ???????????? ??? ??????????????, ??
???????????? ??? ???????????
PMI ??? ?????? ??? ?????????? RBAC
?? ????????? ??????? ????????????? ???????????? ?
?????? ? ???? ? ????????????
???????????? ????????????? ??????? RBAC,
???????????? ??????????? ??????????? ???? ?
?????????????? ??????????
???????????? ??????? ?????????????
???????? PMI
???????????? ??? ???????? ??????? ? ???????? ??
?????? ?????
??????? ??????????? ????? ??? ????????????? ?
?????????? ??? ?????
?????????? ???????? ??? ????????, ???????? ?????,
?????????????, ??.

10
???????? ????????? ? ?????? ?????????? ? PMI
PEP (Policy Enforcement Point)/AEF
(authorisation enforcement function) PDP (Policy
Decision Point)/ADF (authorisation decision
function) PIP (Policy Information Point)/AA
(Attribute Authority) PA Policy Authority
11
???????? ???????????????? ???????? ??? AuthN/AuthZ

??????????? ? ?????? ???????? Internet2, FP5 ?
???????????? ??????? ?????
A-Select - http//a-select.surfnet.nl/
Shibboleth - http//shibboleth.internet2.edu/
PAPI - http//www.rediris.es/app/papi/index.en.htm
l
PERMIS (PrivilEge and Role Management
Infrastructure Standards validation) -
http//www.permis.org/
SPOCP - http//www.spocp.org/
??? GRID-??????????
VOMS Virtual Organisation Management System
GAAA Toolkit http//www.aaaarch.org/

12
A-Select (1)

A-Select ???????????? ????? ??????????????
??????? ???-??????? (weblogin) ? ??????????????
cookie
?????????????? ?????? ??????????????
IP address
User/password ????? RADIUS
?????????? ???????? (? ??????? Internet banking
SMS/TAN, Challenge generator)
SMS (mobile phone)
LDAP
PKI (? ???????????)

13
?????????? A-Select
User
Application
Filter
A-Select Agent
Local A-Select Server
Remote A-Select Server
Remote Authentication Service Providers
UDB
14
A-Select (2)

A-Select ?????????? ??????/?????????, ???????
???????? ???????????????? ???????/?????????????.
???? ??? ???? ?????????
?????????, ????????????? ????????? ("ticket
granting ticket"), ?????????? ????? ????????
????????????? ASP, and
????????? ??????????? ("application ticket"),
??????? ???????? ???????????, ????????????
A-Select.
?????? ?????? (Single-Sign-on) ?????????????? ??
???? ?????????? ????? ??????????? ??????? ?????
??? ?????????, ????????????? ?????????
????????? A-Select ??????????? ??? ??-??????????
(non-persistent) cookie, ??????? ??????????? ?
???????? ???????????? ? ?????? ?????? ???
???????? ??????? ??? ???????

15
PAPI ?????????? ??????? ??????? ???-???????

PAPI ?????????????? ??????? ??????? ? ????????
????????
????? ?????????????? ??? ??? ??????? ??????
?????? ??? ????? ????????
?????????? HTTP/cookie ? PKI

PAPI AuthN
tokens
AuthN
GPoA
Browser
Hcook- Lcook GPoA
Hcook- Lcook PoA
PoA
16
PERMIS (PrivilEge and Role Management
Infrastructure Standards)

PERMIS ???????????? ??????????? ?? ??????
???????? ? ?????????????? ???????????? ?????????
X.509 ??? ???????? ?????????/????? ????????????
????? ???????? ? ????? ???????? AuthN (????????,
username/pswd, PKI,Kerberos, etc.), ???????
???????????? AuthN ? ?????????? ????????
????????????
?? ?????? ?????????????? ???????????? (????????),
??????? ??????? (????), ???????? ??????????
??????? ? ??????? ?? ?????? ???????? ????????
???????????? ??? ?????? ????
???????? ? ???????? ???????????? ????? ????
????????? ????????????? ?? ?? ???????? ?
????????? ?????????
???????? ???????? ?? RBAC ? ??????????? ? ?????
XML ???????? XACML
PERMIS ????? ???????? ? ?????? push ??? pull
(?.?., ???????? ?????????? ? PERMIS, ??? PERMIS
??????????? ???????? ?? ????????? ?????????)

17
SPOCP (Simple Policy Control Protocol)

?????????? S-????????? ??? ??????????
????????????? ??????? ?????? ??????? ??? ?????
????????? ???????????? ????????? ????? ? ????????
??????
???????? (role UmU admin finance) lt (role UmU
admin)
?????? SPOCP ?? ????????? SMTP ???????(spocp
(resource mailrelay)(action mail)(subject
(smtpauth roland)))
SPOCP ???????????? ?????????? ????????? ??????
??????? ? ???????, ? ????? ?????????? ??????
????????? ?? ????????? ?? ?????????? ??????
?????????? XACML ? SAML

18
??????? ??????????? AAA

Policy based Authorization decision
Req AuthNtoken, ResourceCtx, Attr/Roles,
PolicyTypeId
RBE (ReqCtx Policy) gt gt Decision
ResponseAAA, ActionExt
ActionExt ReqAAAExt, ASMcontrol
ResponseAAA AckAAA/RejectAAA, ReqAttr,
ReqAuthN, BindAAA (Resource, Id/Attr)

Translate logDecision gt Action
Translate State gt LogCondition

Defined by Resource owner

19
GAAA Toolkit (1) ?????? ????????

if
( AuthN TrustDomain )
then (
if
( ResourceState RequestResourceContext)
then (
if ((Action action1))
then (
if ((Role role1))
then (
ReplyAnswer.Message "Permit" )
else ( ReplyAnswer.Message "Deny, Role
is not valid" ) )
else ( ReplyAnswer.Message "Deny, Action
is not valid" ) )
else ( ReplyAnswer.Message "Deny, Resource
is not ready" )
else ( ReplyAnswer.Message "Deny, Subject is
not authenticated" )

20
GAAA Toolkit (2)

RBE ??????????? ?? J2EE (????????? Tomcat 4.5/5)
?????? ????????
?????????? GAAA
????? - XACML
?????????????? ????????? ???????? ?? ??????
??????? ???????
?????? ????????? ??????/????? - XACML

21
??????? ???????? - Collaboratory.nl (CNL)

?????????? DSM, Corus, Philips, FEI, TI, UvA
???????? ?????????? ????? ??? ??????????????
?????????? ??????? ?????????????
?????/?????????????
??????? ????????????? XML Security, Web Services,
Grid-??????????
??????????? ???????????? ?? ?????? ??????????????
???????? ??????/??????
?????????????? ?????????????? ???????
?????????? ?????????????? ????????????? (Identity
Management) ?? ?????? ??????????? ???????????
(??)
????????????? A-Select
?????????? ???????? ?? ?????? ????? ? ????????
???????
??????????? AAA ? ???? ??? ?????????? ????????
XACML

22
?????????? ???????????? CNL
?????? ????? ???????????? 1 - ???????/???????????
???????? ??????? ???????????? ???????? ?????? 2
???????????? ????????? ????????????
???????????? ???????? XML-????????? 3 ????????
???????????????????????? ?????????? ????????
???????????? ???????? ??? ?????????? ???
?????????? ????? ???????????? 4 ????????????
??????? ???????????? ???????? ???????/????????
??????? ????????????, ??????? AuthN, AuthZ, ?? ???
?????? ???????????? ???? ?????????? ??????? PKI,
?????????? ??????????????, ?????????? ?????????
????????????, ??????????? ????????? ? ???? ?
???????????? ?? ????????? ????????????
23
CNL ?????????? ???????????? ?? ?????? ????????
??????

???????? ?????? JobDescr ???????? ?????????????
????????, ???????????? ???????? ??????,
?????o?????? ? ???????? ????????????
??????? ?????????? ???????????? XML, ???????????
?????? ?????????????? ???????
????????????? ????? ????????????
??????-??????????? (BA - Business Agreement) ???
??????????? ? ??????? (TA - Trust Agreement)
??????????? ???/PKI

24
CNL ???????? AuthN/AuthZ

PEP/AuthZ ????????? ?????? ?? ??????? ???
???????????? ? ? ??????????? ????? ???????? ???
PDP/PBE PDP/PBE ????????? ??????? ? ??????? ??
?????? ??????? (???????, ??????, ????????) ?
???????? UserDB ?????? ?????????? ?
???????????? ??? AuthN (??????, ???) ?
????????/???? ???????????? ??? AuthZ PolicyDB
?? ???????? ???????????? ??? ?????????
???????? RBAC/PMI AdminIF ????????????????
????????? ??? ?????????? ???????? ?????????????
25
?????????? ????? ? XML-??????????
??????. ???? (pubK B)
?????? ???????????? B ????? ????????? FileA ???
?????? privK B
FileA/Doc
FileA/DocA
??????.?privK B
????.?/??? pubK B
User B
???????????? A(????? pubK B)
???????????? B ????? ?????????? ???? Doc1 ?
??????????? ?????? ????? B
Doc1
???????privK B
XMLDoc1
????????????????. ????? ??? ???????.
??????????
??????.???????. ?????
B
???????????? C ????? ?????????? ???? Doc1 ?
??????????? ?????? ????? C
Doc1
???????privK C
C
D
???????????? A(????? pubK B,C, D)

??? ?????-????????????????? ?????????? Document
????? ????????? ???? ??? ?????????? (????????????
??? ?????????????), ????????????? ??? ?????? ??
???? ??????? ???????????

26
?????????? ????????? ? ?????????? ??? ??????
XMLSig
Signed selected parts
Signed selected parts
Signed selected parts
Signed selected parts
XMLDoc1/JobDescr
SigB
SigB
SigB
SigB
SigC
SigC
SigC
XMLSigA
SigD
SigD
????????????/??????? A??????? XML Doc1 ?
??????????? ??? ? SigA
XMLSigA
XMLSigA
XMLSigA
XMLSigA

???????????? B, C, D ??????????? ????????????
????? ????????? ?????? ?????????? ??????? privK
B, C, D
????? ?????????? ????? ???? ????????? ? ????????
???????? ? ?????
??????? ????? ????? ???????? ?????? ???????

?????????? ????????? ??????????? XML Doc1
??????????? ???????? ???????? ????????

XML Signature ????????? ??????????? ?????????
????? ?????????
?????? ??? ???????????? ? ??????????? (Integrity
and Authenticity)
?????????? ????????? ???????????? ? ???? ?
?????????? ??? ??? ???????

27
??????? ???????? EGEE

JRA3 Security Architecture and Services
??????
??????????? ?????????? ? ?????? ????????
?????????
???????????
???????? ????????????? ?????? ? ?????? ?????????
SOAP over HTTPS ??? SOAP-XML Security over HTTP
?????????????
WSDL PortType
???????? ????????????
?????????? ? ????-????????? ?? ?????? ????????
WSDL
?????????????? ??????? ???????? ? ???????????
???????????
????????? ?????????????? ????????

28
??????? ???????? ???????????? ? EGEE
processspace
Trustanchors
Trustanchors
GRAM LCMAPS
Credstore
VOMS
VOpolicy
Revo- cation
Revo- cation
EDG CRLscripts
Policybased authZ
Accesscontrol
Accesscontrol
SAMLXACML
service
Proxycert
Sitepolicy
Sitepolicy
EDG LCAS
gSoap
delegation
Audit
Audit
HTTPG
Provisioning
Intrusion
???
29
?????????? ??????????

?????????? XML Security
XML Web Services
WS-Security
OGSA Security

30
?????????? ???????????? XML - ??????????

XML Signature
XML Encryption
?????????? ???????????? (Security Assertions)
SAML (Security Assertion Mark-up Language)
XrML (XML Right Mark-up Language)
XACML (XML Access Control Mark-up Language)
XKMS (XML Key Management Specification)
????????????? ??????????
Web Services Security (WS-Security)
OGSA Security

31
???????? ????? XML-???????

??????????????? ????? ??????????? ???????????
????????? ????? ????????? ??? ?? ??? ? ?????
????????.
XML-???????? ????? ????? ??????? ???????, ???
???? ????????? ????? ?????????? ????? ???????????
? ???????????? ?????????? ?????????? ? ?
????????? ?????
????????? ???????/???????? ????? ????? ??????????
??????????? ?????? ????????? ????? ?????????
????????? ????????? ??????????? ????? ??????
????????? ? ????? ??????????? ???????? ??????
????? ?????????
????????? ???????????? ???????/???????
???????????? ? ????????? ? ??????? ??
????????????? ??????????? ??????????
??????/??????
XML-??????? ???????????? ??????? ???????????? ???
?????????, ?????????? ?? XML
? ????? ?????? ??? ????????? ?????????? ?
?????????

32
????????? XML-???????

ltSignature ID?gt
ltSignedInfogt ltCanonicalizationMethod/gt
ltSignatureMethod/gt (ltReference URI?
gt (ltTransformsgt)? ltDigestMethodgt ltDigestV
aluegt lt/Referencegt) lt/SignedInfogt
ltSignatureValuegt (ltKeyInfogt)? (ltObject ID?gt)
lt/Signaturegt

33
?????????? ??????????? XML-????????????

WS-Security (Web Services Security)
?????????? ? ??????? ????????? SOAP (Simple
Object Access Protocol)
??????????? ????????? ??? ?????????????? ?
???????????, ??????, ?????????? ????????????,
???????????
?????? ??????????????? ?????????/????????? ?
??????? X.509 PKC, SAML, XrML, XCBF
???????? ???????, ??????????
????????? ??? ??????????? ? ???????????? ??????
??????????? ? ??????????? ???????????
????????????? ???-????????
OGSA Security (Open Grid Services Architecture)
????????? ?? ?????? WS-Security
???????????????? ??? ???????? ???????????
??????????? (??)
????????????? ?????????? (credentials) ?
????????? ??????????????? ????????
???????????/???????????, ?????????? ???
?????????? ????????
????????? ???????????? ????????? ? ?????????
??????????? (transitional stateful processes)

34
Liberty Alliance ? ??????? ?????????????

Liberty Alliance Project (LAP)
LAP ?????? ??????? ?????????? ?????????????
(identity provider) ? ????? ??????? (trust
circle)
LAP ???????????? ?????? ???????? ?? ?????
??????????????? ? ????????????/???????????,
??????? ????? ??????????? ????????????
????????????? ?? ????????? ????????????????
???????? ????????????
LAP ?????????? SAML ? ????????? ??? ??????
?????????? ? ???????????
LAP ?????????? ??? ?????? ???????, ?????????? ??
PKI ??? ??????-?????????? ????????, ?????
??????????-??????? ? ????? ??????????
???????? ??????? LAP ????????? ?????????????
????????????? ?????????? ?????????????
?????????????? ????????????? ??????????? ?
????????? ??????????? ?????????? ????? ??
???????

35
??????????? ?? ?????? XML Web Service

???????? ?? ?????? WSDL (Web Services Description
Language)
????? ??????????? ? ??????? SOAP ??? ??????
?????????? HTTP, SMTP, TCP, etc.
?????????? ? ????? ??????????? UDDI

???-?????? ??????????? ???????,
???????????????? URI, ????????? ???????? ???????
??????? and bindings ??????????? ??? ?????? XML.
?????? ??????????? ??????? ????? ???????????? ?
????????????????? ? ???-????????? ? ????????????
? ?? ????????? ?? ?????? ?????????????
XML-????????? ??????????? ?????????? ????????.
36
?????? ???????????? Web Services

Security token types
Username/password
X.509 PKC
SAML
XrML
XCBF

WS-Security describes how to attach signature
and encryption headers to SOAP messages. In
addition, it describes how to attach security
tokens, including binary security tokens such as
X.509 certificates, SAML, Kerberos tickets and
others, to messages. Core Specification - Web
Services Security SOAP Message
Security http//www.oasis-open.org/committees/down
load.php/1043/WSS-SOAPMessageSecurity-11-0303.pdf
37
WS-Security ?????????? ? ??????? SOAP

URI http//schemas.xmlsoap.org/ws/2002/04/secext
???????????? ????, ???????????? ? WS-Security
SOAP S http//www.w3.org/2001/12/soap-envelo
pe
XML Digital Sign ds http//www.w3.org/2000/0
9/xmldsig
XML Encryption xenc http//www.w3.org/2001/04/xmle
nc
XML/SOAP Routing m http//schemas.xmlsoap.org
/rp
WSSL wsse
http//schemas.xmlsoap.org/ws/2002/04/secext

???????? ????????????
????????? ?????????? ????????? ??????????/????????
???
??????????? ????????????? ?????????/??????????
????? ?????????

38
??????????? ???????????? OGSA Security

????????? ?? ?????? WS-Security

39
Proxy Certificate Profile

Impersonation used for Single-Sign-On and
Delegation
Unrestricted Impersonation
Restricted Impersonation defined by policy
Proxy with Unique Name
Allows using in conjunction with Attribute Cert
Used when proxy identity is referenced to 3rd
party, or interact with VO policy
Limited validity time approx. 24 hours
Proxy Certificate (PC) properties
It is signed by either an X.509 End Entity
Certificate (EEC), or by another PC. This EEC or
PC is referred to as the Proxy Issuer (PI).
It can sign only another PC. It cannot sign an
EEC.
It has its own public and private key pair,
distinct from any other EEC or PC.
It has an identity derived from the identity of
the EEC that signed the PC.
Although its identity is derived from the EEC's
identity, it is also unique.
It contains a new X.509 extension to identify it
as a PC and to place policies on the use of the
PC. This new extension, along with other X.509
fields and extensions, are used to enable proper
path validation and use of the PC.

40
Reference PKI Basics

PKI (Public Key Infrastructure) ??????????????
???????? ?????? (???)
????????? ????????????? (??? ???????????,
distinguished name) ???????? ? ??? ????????
??????
?????? ??? ?????????? ????????? ????? (???, PKC
- Public Key Certificate)
CRL Certificate Revocation List
?????????? ???
Identification Service (IS)
Registration Authority (RA)
Certification Authority (CA)
Certificate Repository (CR), normally built on
LDAP

41
Reference PKC vs AC Purposes

X.509 PKC binds an identity and a public key
AC is a component of X.509 Role-based PMI
AC contains no public key
AC may contain attributes that specify group
membership, role, security clearance, or other
authorisation information associated with the AC
holder
Analogy PKC is like passport, and AC is like
entry visa
PKC is used for Authentication and AC is used for
Authorisation
AC may be included into Authentication message
PKC relies on Certification Authority and AC
requires Attribute Authority (AA)

42
PKC vs AC Certificates structure