Silk Security Workshop 2004 21-24 ????, 2004 - PowerPoint PPT Presentation

1 / 42
About This Presentation
Title:

Silk Security Workshop 2004 21-24 ????, 2004

Description:

... AC X.509 Role-based PMI AC ... Role Based Access Control - http://csrc.nist.gov/rbac ... (OSI) Reference Model ... – PowerPoint PPT presentation

Number of Views:198
Avg rating:3.0/5.0
Slides: 43
Provided by: uazoneOrg
Learn more at: http://uazone.org
Category:

less

Transcript and Presenter's Notes

Title: Silk Security Workshop 2004 21-24 ????, 2004


1
????????? ? ??????? ???????????? ?????????????? ?
????????????????????? ??????
  • Silk Security Workshop 2004 21-24 ????, 2004
  • Yuri Demchenko, University of Amsterdam
  • ltdemch_at_science.uva.nlgt

2
??????????
  • ??????????? ??????????????
  • ?????? ?????????????? ???????? ??????
  • ??????????? ???????????? ???????? ?????? (ISO
    7498-2)
  • ????????? ???????????? ?????? ?????? ?????? IEEE
    802
  • ????????? ? ????????? ???????????? ????????
  • ????????? ? ??????? ???????????? ?? ????????????
    ????????? ????????????
  • ?????????????? ???????? ?????? PKI
  • ?????????? ???????????? ?? ?????? XML
  • ??????????? ?????????? ?????????????? ?
    ???????????

3
??????????? ??????????????
  • ISO/IEC, IEEE ?????/????????????? ???????
    ????????????
  • ????????? ISO/IEC, IEEE
  • ITU (International Telecommunication Union)
    ????????? ???????????? ????????????????????
    ??????
  • ????????? X, V, T, H, etc.
  • IETF (Internet Engineering Task Force) ?????????
    ???????????? ???????? (RFC)
  • OASIS (Organization for the Advancement of
    Structured Information Standards) ?????????
    ???????????? ?? ?????? XML (???
    ??????-??????????)
  • NIST, CEN, ETSI ???????????? ? ????????????
    ????????? ????????????
  • ?????? ?????????????????? ??????????? ? ??????
  • GGF (Global Grid Forum) - ????????? ???
    ????-??????????
  • Liberty Alliance Project ????????????? ?
    ????????????? ? ????????

4
????????? ? ??????????? ?????????????? IETF
  • ??????? ?????? IETF ?? ???????? ????????????
    (2004) - http//www.ietf.org/html.charters/wg-dir.
    html
  • enroll, idwg, inch, ipsec, ipseckey, ipsp, kink,
    krbwg, ltans, mobike, msec, openpgp, pki4ipsec,
    pkix, sacred, sasl, secsh, smime, stime, syslog,
    tls, aaa

5
?????? ?????????????? ???????? ?????? (???)Open
System Interconnection (OSI) Reference Model
ISO 7894-1984/ITU X.200
?????? ???
??????????? ???????
?????????? Application
??????? ?????????? ?????, ??? ???????? ?????? ?
???????? ??????????
???????????????? Presentation
?????????????? ?????? ? ???????????
????????? Session
???????????? ? ??????????? ?????? ?????
???????????? Transport
??????????? ???????? ????? ????????? ???????
??????? Network
???????? ??????? ??????????, ??????? ?????????????
?????? Data Link
???????? ??????, ???????????? ???????, ????????
??????
?????????? Physical
???????? ???????? ?????? ????? ?????
6
?????? ?????????? TCP/IP (1)
7
?????? ?????????? TCP/IP (2)
8
???????? ??????????? ???????? ?????
???????? ???????
???????? ???????
?????????? ??????????
???? - Gateway
7
7
6
6
5
5
4
4
????????????? - Router
??? ?????????? ???
3
3
2
2
????- Bridge
?????????? ???
??????????? Repeater
1
1
???
???
?????????? ?????
?????????? ?????
9
??????? ?????? ? ???
  • ?????????????? ??????? ? ????????????????
    ??????????
  • ?????????????? ???????
  • ???????????????????? ???????
  • ??????? ?????????? ????? ? ??????? ?????????
  • ??????????? ?????????? ????????? ????????,
    ????????, DNS, PKI, LDAP
  • ?????????????? ???????
  • ???????????????? ?????????????
  • ???????????????? ??????????
  • ?????? ??????????, ????????, ? ????????, ???????
  • ?????????? ? ??????? ?????, ????????, ? ?????????
    ??? ?????? ??????-??????????

10
???????????? ? ???????????? ?? ?????????
????????????
  • (???????????) ???????????? ???????????? ?????
    ???????? ??????????? ??????? ? ???, ????????????
    ?? ??????????? ?????????? ?????? ??????? ???
    ??????????? ?????????? ???????????? ??????/??????
    ? ???????? ?????????????? ??????? ???????? ?
    ??????????? ??? ??????????, ??? ? ????????????
  • ? ????????, ???????????? ????? ????????????????/??
    ????????? ????
  • ??? ? ?? ????? ???? ??????????? ????????????
  • ???????????? ????? ?????, ? ???? ???????????
    ???????????? ?????????? ??????
  • ???????????? ?? ????????? ???????????? ????????
    ?????? ??????????? ??????????? ????????????, ????
    ???????? ?????????? ????????
  • ???????? ????? ? ????? ????????????
  • ????????????? ?????????
  • ?????????????? ??????

11
????????????? ????????? ???????????? ISO 7498-2
  • ?????????? ? ????????
  • ??????????? ???????? ? ?????????? ????????????
  • ?????? ??????????? ???????, ???????????????
    ???????? ? ?????????? ? ???????
  • ????????? ?????????? ???? ??? ?????????? ?????
  • ????????? ?????? ?????????? ????? ????????????
  • ??????????? ????? ???????????? ? ????????? ??????
  • ??????????? ?????????? ???????????? ? ???????
  • ???????? ?????????? ????????? ?????? ????????????
  • ????? ?????????????? ???????? ???????????
    ???????????? ?????? ???? ??????????????
  • ?????? ???????????? ????? ???????? ????? ??? ??
    ????? ??????
  • ??????? ???????????? ?? ?????? ???????????
    ???????????? ??????????? ??????? ???????, ?
    ????????, ???????????? ??
  • ?????????? ?????????? ???????????? ?? ??????
    ???????? ???????????? ???????
  • ?????????? ????????????????/????????????? ???????
    ?????? ???? ??????????????
  • ?????? ???????????? ?????? ???? ?????????? ???,
    ????? ????????? ????????? ?????????? ? ????????
    ???????? (plugability)

12
??????? ??????? ???????????? ISO 7498-2
  • ?????????????????? Confidentiality
  • ?????????????? Authentication
  • ??????????? Integrity
  • ???????? ??????? Access control
  • ???????????? (????????????????)
    Non-repudiation
  • ??????????? - Availability

13
????? ????????? ???????????? ISO 7498-2
  • ?????????? Encryption
  • ???????? ??????? Digital signature
  • ??????????? ??????????? (???????) ?????? Data
    (stream) integrity
  • ?????????? ??????? Traffic padding
  • ?????????????? Authentication
  • ???????? ??????? Access control
  • ??????????? - Notarisation

14
????????? ??????c????? TCP/IP (IETF-1)
  • One-Time Passwords - ??????????? ??????
  • HMAC (Keyed-Hashing for Message Authentication) -
    RFC2104
  • ???????? ?????????????? ????????? ?? ??????
    ????????? ??????
  • IPSec - RFC2401, RFC2402, RFC2406, RFC2407,
    RFC2411
  • ??????? ??????? ?????????? ? ??????????????
    IP-??????. ??????????? ??? ?????? ????????????
    host-to-host, host-to-gateway, gateway-to-gateway.
    ???????? ??????? ??? VPN (Virtual Private
    Network)
  • TLS (Transport Layer Security) - RFC2246
  • ???????????? ?????????????, ?????????????????
    ?????, ??????? ???????? ?????? TCP. ?????????
    ????? ?????? ????????????????? ??? ??????
    ??????????? ????????? ????? (???), ?????? ?????
    ????? ????? ?????????? ? ???????????? ????????
    ??????????????.
  • SASL (Simple Authentication and Security Layer)
    RFC 2222
  • ???????????? ??????? ???????????? ??? ??????????
    ?? ?????? ??????????, ? ?????????, BEEP, IMAP,
    LDAP, POP, SMTP
  • GSS-API (Generic Security Service Application
    Program Interface) - RFC2744
  • ??????????? ????????? ??? ??????????? ??????????
    ???????? ??????????????, ?????????????, ??????
    ????????? ? ???????? ????????? ? ??????????????
    ??????? ? ?????????????? ???????????

15
????????? ??????c????? TCP/IP (2)
  • DNSSEC - RFC2535
  • ????????? ??????????? DNS-??????, ????????????
    ??????????? ??????? ??????? DNS ?? ?????
    ??????????. ???????????? ????? ?????????????? ???
    ??????????????? ???
  • Security/Multipart (S/MIME) RFC1847
  • ?????????? ? ???????? ??????? ?????-????????????
    ????????? ??????????? ????? ?? ?????? PKI
  • Digital Signatures - ???????? ???????
  • OpenPGP RFC2440, RFC3156
  • ?????????? ? ???????? ??????? ?????????
    ??????????? ?????
  • Firewalls - ??????? ?????? ??? ??????????????
    ???????? ??????
  • Kerberos RFC1510
  • ???????? ???????? ?????????????? ? ??????
    ?????????? ???????
  • SSH ?????????? ??????????? ?????????? ?????
    ???????? ? ????????

16
??????????????? ???????????? ?????????
  • ????????? ?????? - Plaintext Passwords
  • ?????????????? ?? ?????? IP-?????? -
    Address-Based Authentication
  • ?????????????? ?? ?????? ????????? ????? -
    Name-Based Authentication

17
????????? ???????????? ?????? ?????? ?????? IEEE
802
  • IEEE 802.10 ????????? ??????????? ????????????
    ISO 7498-2 ? ????? ?????????? ????????
    ???????????? ??????????????, ???????? ??????? ?
    ??????????? ?????? ? ??????? ?????? ? ????????
  • IEEE 802.1X ?????????? ????????? ??????????????
    ? ?????????????? ??????? ??????, ??????????
    ???????????? ????????????? ????????? ?????? ???
    WEP-??????????. ?????????? EAP ??? ?????????????
    ? ?????? ?????????? ?????? RADIUS.
  • IEEE 802.11i ??????? ???????? ????????????,
    ??????? ?????????? ???????? ?????????????? 802.1X
    ? ????????? ???????? ?????????? AES.
  • WPA (Wi-Fi Protected Access) ????????
    ??????????, ??????? ????????? ?????????? WEP. WPA
    ????? ?????????? ????????? ?????????????? 802.1X.
  • EAP (Extensible authentication protocol)
    ???????? ?????-?????, ??????? ????????????
    ????????????? ????????? ??????????????. ?????
    ?????????? ??? ????????? ??.
  • TKIP (Temporal key integrity protocol)
    ???????????? ? ?????????? 802.1X ? WPA ???
    ??????????????. ????????? ???????? WEP.
  • WEP (Wired equivalent privacy) ????????
    ???????????? 802.11 ??? ???????????? ?????.

18
Remote Access Dialin User Service (RADIUS)
  • RADIUS ?????? ???????????? ??? ???????? ???????
    ????????? ?????????????, ??????? ??????????????,
    ??????????? ? ???? (AAA - authentication,
    authorization, accounting).
  • RFC 2865, RFC 2869
  • RADIUS ?????????? ??????????? ????????
    ?????????????? ? ?????? ???????????, ? ?????
    ??????????? ?????????????????? ????????????
    ??????? ??????????. 
  • ?????? RADIUS ???????????? ??? ??????????? ??????
    ??????????????, ??????? ?????? ??? ????? ?????? ?
    ???? ?????? ?????????????
  • ?????? ??????? ??????????? ??????
    ???????????????? ???????????? (????., ???,
    ??????) ? ????????? ?????? ? ??????? RADIUS
  • RADIUS ????????? ??????? ??????? ??? ???????????
    ???????????? (??? ???????, ??? ? ?????? ) ?
    ?????? ????????????? ? ????????????? ???????
  • ????? ??????????? ?????? ??????? RADIUS
  • ????????? ????? ??????? ????? ??????? ??????
    ???????????? ? ????????

19
Authentication, Authorisation, Accounting (AAA)
  • ?????? ??????????, ???????????? ??????????? ?
    ?????????????? ?????????????? ????????
    ??????????????, ??????????? ? ?????
  • RFC 2903 - Generic AAA Architecture
  • RFC 2904 - AAA Authorization Framework
  • RFC 2905 - AAA Authorization Application Examples
  • RFC 2906 - AAA Authorization Requirements
  • RFC 3334 - Policy based accounting
  • ??????? ??????????? ????? ????????? ? ???????????
    ??? ????????? ??????? ??????????
  • ?????????? ???????? ? ??????????? ??????????? ?
    ???????? ??????? ?? ?????? ????????

20
????????? ? ??????? ???????????? ?? ????????????
????????? ???????????? (1)
  • RFC 2196 - Site Security Handbook (?? ??????
    RFC1244)
  • ??????????? ?? ??????????? ???????? ????????????
    ? ?????????????? ??????? ??? ??????, ????????????
    ? ????????
  • RFC 2350 - Expectation for Security Incident
    Response Teams
  • ?????????, ??? ???????????? ???????? ??????
    ??????? ?? ????? ???????????? ?? ????????????
    ????????? ????????????. ????????????? ????????
    ??? ???????????? ????? ???????????? ??
    ???????????? ????????? ???????????? (CSIRT -
    Computer Security Incident Response Team) ?
    ??????? ????????? ???????? ????????????,
    ???????? ???????????? ?? ????????? ????????????,
    ? ??????
  • RFC2505 - Users' Security Handbook
  • ??????????? ????????????? ?? ???????????
    ???????????? ??????????, ??????, ?
    ????????????????
  • RFC3013 - Recommended Internet Service Provider
    Security Services and Procedures
  • ????????? ? ????? ?????????????, ??? ????????????
    ???????? ????? ??????? (? ?????????) ?? ????????
    ??????- ???????????
  • RFC3227 - Guidelines for Evidence Collection and
    Archiving
  • ???????????? ?? ????? ? ???????? ???? ? ??????
    ??????????, ????????? ? ????????????? ???????????
    ????????????

21
????????? ? ??????? ???????????? ?? ????????????
????????? ???????????? (2)
  • ??????? ??? ???????? ? ?????? ??????????? ?
    ???????????? ?????????? ????????????
  • IDMEF Intrusion Detection Message Exchange
    Format
  • IODEF Incident Object Description and Exchange
    Format
  • RFC3067 - Incident Object Description and
    Exchange Format (IODEF) Requirements
  • ????? RID Real-time Internetwork Defense
    (?????????????? US AFC)
  • ?????????? ???????? ????? ? ?????????? ???
    ????????? ??????? ?????
  • RFC 2828 - Internet Security Glossary
  • ???????? ??????????? ?????? ???????? ??
    ???????????? ??? ?? ??????? ???????????? ?
    ???????????? ?? ???????????? ?????????
    ????????????, ??? ? ?? ??????? ??????????
    ???????????? ?????? ? ??????????

22
ISO/IEC 17799-1 Code of Practice for
Information Security Management
  • ISO17799 ????????? ????????, ???????????
    ????????????? ???? ? ?????? ???????????
    ???????????? ? ????? ???????? ???????
  • 1. Business Continuity Planning
  • 2. System Access Control
  • 3. System Development and Maintenance
  • 4. Physical and Environmental Security
  • 5. Compliance
  • 6. Personnel Security
  • 7. Security Organisation
  • 8. Computer Network Management
  • 9. Asset Classification and Control
  • 10. Security Policy
  • ISO17799 ?????????? ?????? ??? ?????? ???????
    ?????? ? ??????? ?????? ???????????? ??????.

23
?????? PKI
  • PKI (Public Key Infrastructure) ??????????????
    ???????? ?????? (???)
  • RFC 2459, RFC 2560, RFC 3280, RFC 3647,
  • ?????? ??? ?????????? ????????? ????? (???, PKC
    - Public Key Certificate) ?? ????????? X.509
    (ITU-T)
  • ?????? ?????????? CP Certificate Policy, ? CRL
    Certificate Revocation List
  • ????????? ????????????? (??? ???????????,
    distinguished name) ???????? ? ??? ????????
    ??????
  • PKC ????????????? ???????? ???????? ??????
    ????????????? (CA - Certification Authority)
  • ?????????? ???
  • Identification Service (IS)
  • Registration Authority (RA)
  • Certification Authority (CA)
  • Certificate Repository (CR), normally built on
    LDAP

24
PKC vs AC ????
  • X.509 PKC ????????? ????????????? ???????? ? ???
    ???????? ????
  • PKC ????????????? ???????? ???????? ??????
    ????????????? (CA - Certification Authority)
  • ?????????? ????????? (AC Attribute Certificate)
    ????????? ????????????? ???????? ? ??? ??????????
  • AC ????????????? ???????? ???????? ??????
    ????????????? ????????? (AA - Attribute
    Authority)
  • AC ???????? ??????????? X.509 Role-based PMI
  • AC ?? ???????? ????????? ?????
  • AC ????? ????????? ????????, ???????
    ????????????? ?????????????? ???????? ?
    ???????????? ??????, ??? ????, ??????? ???????
    (security clearance), ??? ?????? ?????????? ???
    ???????????
  • PKC ???????????? ??? ??????????????, ? AC ???
    ???????????
  • AC ????? ??????????? ? ?????? ???????
    ??????????????
  • ???????? PKC - ??? ???????, ? AC ??? ????

25
PKC vs AC Certificates structure
  • X.509 PKC
  • Version
  • Serial number
  • Signature
  • Issuer
  • Validity
  • Subject
  • Subject Public key info
  • Issuer unique identifier
  • Extensions
  • X.509 AC
  • Version
  • Holder
  • Issuer
  • Signature
  • Serial number
  • Validity
  • Attributes
  • Issuer unique ID
  • Extensions

26
X.509 PKC Fields and Extensions RFC 3280
  • X.509 PKC Fields
  • Serial Number
  • Subject
  • Subject Public Key
  • Issuer Unique ID
  • Subject Unique ID
  • X.509 PKC Extensions
  • Standard Extensions
  • Authority Key Identifier
  • Subject Key Identifier
  • Key Usage
  • Extended Key Usage
  • CRL Distribution List
  • Private Key Usage Period
  • Certificate Policies
  • Policy Mappings
  • Subject Alternative Name
  • Issuer Alternative Name
  • Subject Directory Attributes
  • Basic Constraints
  • Name Constraints
  • X.509 PKC Fields
  • Private Extensions
  • Authority Information Access
  • Subject Information Access
  • Custom Extensions

27
AC Attribute Types and AC Extensions
  • AC Attribute Types
  • Service Authentication Information
  • Access Identity
  • Charging Identity
  • Group
  • Role
  • Clearance
  • Profile of AC
  • AC Extensions
  • Audit Identity
  • To protect privacy and provide anonymity
  • May be traceable via AC issuer
  • AC Targeting
  • Authority Key Identifier
  • Authority Information Access
  • CRL Distribution Points

28
???????????? ?????????? ?? ?????? XML ?
???????????? ?????? ??????? ????????????
  • ???????????? ?????? ??????? ????????????
    (ISO7498-2)
  • Host-to-host ??? point-to-point ????????????
  • ??????????????? ?? ??????????? ??????/??????
  • ??????????????? ?? ???????????? ? ???????????
    (connection-oriented) ??? ??? ??????????
    (connectionless)
  • ? ????? ?????? ?????? ????????????? ????? (??
    ?????? PKI)
  • ???????????? ?????????? ?? ?????? XML
  • ???????????? ????? ????????? ??????? ???
    ???????????? (end-to-end)
  • ?????????????? ?? ???????? (??? ?????????????
    ??????)
  • ??????? ? ??????? ???????????? ????? ????
    ????????????? ? ?????????? ??? ?????????? ??? ??
    ??????
  • ???????????? ?????????? WS-Security ????????????
    ???????????? ????? ??????? ?????????????????
    ???????? ? ???????? ????????????
  • ????????? ????????? ???????????? ? ???????????
    ?????????? ????????????

29
?????????? ???????????? XML - ??????????
  • XML Signature
  • XML Encryption
  • ?????????? ???????????? (Security Assertions)
  • SAML (Security Assertion Mark-up Language)
  • XACML (XML Access Control Mark-up Language)
  • XKMS (XML Key Management Specification)
  • ????????????? ??????????
  • Web Services Security (WS-Security)
  • OGSA Security

30
???????? ????? XML-???????
  • ??????????????? ????? ??????????? ???????????
    ????????? ????? ????????? ??? ?? ??? ? ?????
    ????????.
  • XML-???????? ????? ????? ??????? ???????, ???
    ???? ????????? ????? ????????? ????? ???????????
    ? ???????????? ?????????? ?????????? ? ?
    ????????? ?????
  • ????????? ???????/???????? ????? ????? ??????????
    ??????????? ?????? ????????? ????? ?????????
  • ????????? ????????? ??????????? ????? ??????
    ????????? ? ????? ??????????? ???????? ??????
    ????? ?????????
  • ????????? ???????????? ???????/???????
    ???????????? ? ????????? ? ??????? ??
    ????????????? ??????????? ??????????
    ??????/??????
  • XML-??????? ???????????? ??????? ???????????? ???
    ??????????, ?????????? ?? XML
  • ? ????? ?????? ??? ????????? ?????????? ?
    ?????????, ????????? ????????????, ???????
    (???????? ???????)

31
?????????? ????? ? XML-??????????
??????. ???? (pubK B)
?????? ???????????? B ????? ????????? FileA ???
?????? privK B
FileA/Doc
FileA/DocA
??????.?privK B
????.?/??? pubK B
User B
???????????? A(????? pubK B)
???????????? B ????? ?????????? ???? Doc1 ?
??????????? ?????? ????? B
Doc1
???????privK B
XMLDoc1
????????????????. ????? ??? ???????.
??????????
??????.???????. ?????
B
???????????? C ????? ????????? ???? Doc1 ?
??????????? ?????? ????? C
Doc1
???????privK C
C
D
???????????? A(????? pubK B,C, D)
  • ??? ?????-????????????????? ?????????? Document
    ????? ????????? ???? ??? ?????????? (????????????
    ??? ?????????????), ????????????? ??? ?????? ??
    ???? ??????? ???????????

32
?????????? ????????? ? ?????????? ??? ??????
XMLSig
Signed selected parts
Signed selected parts
Signed selected parts
Signed selected parts
XMLDoc1/JobDescr
SigB
SigB
SigB
SigB
SigC
SigC
SigC
XMLSigA
SigD
SigD
????????????/??????? A??????? XML Doc1 ?
??????????? ??? ? SigA
XMLSigA
XMLSigA
XMLSigA
XMLSigA
  • ???????????? B, C, D ??????????? ????????????
    ????? ????????? ?????? ?????????? ??????? privK
    B, C, D
  • ????? ?????????? ????? ???? ????????? ? ????????
    ???????? ? ?????
  • ??????? ????? ????? ???????? ?????? ???????

?????????? ????????? ??????????? XML Doc1
??????????? ???????? ???????? ????????
  • XML Signature ????????? ??????????? ?????????
    ????? ?????????
  • ?????? ??? ???????????? ? ??????????? (Integrity
    and Authenticity)
  • ?????????? ????????? ???????????? ? ???? ?
    ?????????? ??? ??? ???????

33
??????????? ??????????? ???????? AuthN ? AuthZ
  • ?????????? ? ??????????? ??????????? AuthN/Z
  • ?????????? ???????? ?????????????? (AuthN) ?
    ??????????? (AuthZ)
  • ?????????????? ? ????????/?????? ???????????
  • ??????????? ?????????????? ????????
  • ??????????????????, ??????????? ? ???????????
  • ?????????? ???????? ?? ?????? ????? (RBAC Role
    Based Access Control) ? ????????????? ????????
    ???????
  • ????????
  • ????????? ???????/??????? ?? ?????? ??????/????
  • ??????????? ????? ??????? ???????????? ???
    ????????? ???????????? ???????? ??????
  • ????????? ????????? ???????????? ?????????
    ??????????
  • ??????? ??????????
  • LDAP ?????????? ? ?????????????? ??? ????????
    ?????? ? ?????????????
  • ??????????? ??????? ???????????

34
???????????? AuthN/AuthZ ? ??????? ?
??????????????? ?????
  • ?????? ? ????????????? ???/???????? ????????
  • ??????????????? cookie (SSO)
  • ?????????????????? ??????? ? ?????? ? ???????
    ???????? ??? ?????????????? ??????? ??? ???????
    ?????????????
  • ????????, ???????????? ???????? ??? ??????? ??
  • ?????????????? ??????????????? ??????? ?
    ????????????? ????????
  • ????-?????? ? ????-??????????
  • ????? ??????????????/????????
  • ????????? ???????????????? ?????? ? ??????
    ????????????
  • ?????? ?????? (SSO Single Sign On) ? ?????????
    ???????
  • ?????????? ?????????????/?????????????? ?
    ?????????? ????????

35
????????????? LDAP ? ???????? AuthN/AuthZ
  • ????????? ???????????? ?????? ? LDAP
  • Person (RFC2256), organisationalPerson (RFC2256),
    InetOrgPerson (RFC2798)
  • EduPerson ?????????? ??? ???????????????
    ???????????
  • ?????????????? ???????? EduPerson (????? 43)
  • eduPersonAffiliation
  • eduPersonNickname
  • eduPersonOrgDN
  • eduPersonOrgUnitDN
  • eduPersonPrimaryAffiliation
  • eduPersonPrincipalName
  • eduPersonEntitlement
  • eduPersonPrimaryOrgUnitDN

???????? ???????? Person objectClass
  • sn/surName
  • cn/commonName
  • givenName
  • uid, displayName
  • userPassword
  • x500uniqueIdentifier
  • userCertificate
  • userSMIMECertificate
  • userPKCS12
  • postalAddress
  • o/organizationName
  • ou/organizationalUnitName
  • st/stateOrProvinceName
  • l/localityName
  • c/country
  • title,employeeType
  • mail
  • photo

36
?????????? ???????? ?? ?????? ?????
  • RBAC Role Based Access Control -
    http//csrc.nist.gov/rbac/
  • ???? ????????? ??????? ? ??????????
    ?????/??????????
  • ????? ?????????? ?????? ? ??????? ? ????????????
    ??????
  • ???????????? RBAC
  • ????? ????????? ? ??????????????
  • ?????????? ?????????? ????-???????????? ?
    ????-??????????
  • ???????????????? ? ????????
  • ???????????? ??????? ?????????? ???????????
    ??????????
  • ???????????? ? ????????????? ??????????/????
  • ????? ???? ????? ???????? ?????????? ???
    ???????????? ????? ? ?? ???????
  • ???????? ????????? ?????????????

37
?????????????? ?????????? ????????????
  • PMI Privilege Management Infrastructure
    (ISO/IEC 10181-3)
  • ???????? ?? ?????? ???????????? ????????? (AC
    Attribute Certificate)
  • ?? ????????? ? ??? ?????????? ?????????? X.509
    version 4
  • ??? ???????????? ??? ??????????????, ??
    ???????????? ??? ???????????
  • PMI ??? ?????? ??? ?????????? RBAC
  • ?? ????????? ??????? ????????????? ???????????? ?
    ?????? ? ???? ? ????????????
  • ???????????? ????????????? ??????? RBAC,
    ???????????? ??????????? ??????????? ???? ?
    ?????????????? ??????????
  • ???????????? ??????? ?????????????
  • ???????? PMI
  • ???????????? ??? ???????? ??????? ? ???????? ??
    ?????? ?????
  • ??????? ??????????? ????? ??? ????????????? ?
    ?????????? ??? ?????
  • ?????????? ???????? ??? ????????, ???????? ?????,
    ?????????????, ??.

38
???????? ????????? ? ?????? ?????????? ? PMI
PEP (Policy Enforcement Point)/AEF
(authorisation enforcement function) PDP (Policy
Decision Point)/ADF (authorisation decision
function) PIP (Policy Information Point)/AA
(Attribute Authority) PA Policy Authority
39
???????? ???????????????? ???????? ??? AuthN/AuthZ
  • ??????????? ? ?????? ???????? Internet2, FP5 ?
    ???????????? ??????? ?????
  • A-Select - http//a-select.surfnet.nl/
  • Shibboleth - http//shibboleth.internet2.edu/
  • PAPI - http//www.rediris.es/app/papi/index.en.htm
    l
  • PERMIS (PrivilEge and Role Management
    Infrastructure Standards validation) -
    http//www.permis.org/
  • SPOCP - http//www.spocp.org/
  • ??? GRID-??????????
  • VOMS Virtual Organisation Management System
  • GAAA Toolkit http//www.aaaarch.org/

40
A-Select - http//a-select.surfnet.nl/
  • A-Select ???????????? ????? ??????????????
    ??????? ???-??????? (weblogin) ? ??????????????
    cookie
  • ?????????????? ?????? ??????????????
  • IP address
  • User/password ????? RADIUS
  • ?????????? ???????? (? ??????? Internet banking
    SMS/TAN, Challenge generator)
  • SMS (mobile phone)
  • LDAP
  • PKI (? ???????????)
  • A-Select ?????????? ?????????, ??????? ????????
    ???????????????? ???????/??????????????. ??? ????
    ?????????
  • ?????????, ????????????? ????????? ("ticket
    granting ticket"), ?????????? ????? ????????
    ????????????? ASP, and
  • ????????? ??????????? ("application ticket"),
    ??????? ???????? ???????????, ????????????
    A-Select.
  • ?????? ?????? (Single-Sign-on) ?????????????? ??
    ???? ?????????? ????? ??????????? ??????? ?????
    ??? ?????????, ????????????? ?????????
  • ????????? A-Select ??????????? ??? ??-??????????
    (non-persistent) cookie, ??????? ??????????? ?
    ???????? ???????????? ? ?????? ?????? ???
    ???????? ??????? ??? ???????
  • ?????????? SURFnet - http//www.surfnet.nl/

41
?????????? A-Select
User
Impl. Platform Java Apache Tomcat 4.5/5
Application
Filter
A-Select Agent
Local A-Select Server
Remote A-Select Server
Remote Authentication Service Providers
UDB
42
  • ??????? ? ????????????
Write a Comment
User Comments (0)
About PowerShow.com