Privilege Management Infrastructure PMI - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Privilege Management Infrastructure PMI


1
Privilege Management Infrastructure (PMI)
  • Joe Oldford
  • EE 579
  • 02 Mar 06

2
Mary Queen of Scots
3
Overview
  • PKI vs PMI
  • Attribute Certificates
  • Delegation
  • Types of Attribute Certificates
  • Extending X.509 Role Models
  • Summary

4
PKI Review
  • With a high degree of assurance (warm fuzzy
    feelings) PKI offers:
      • Identification
      • Authentication
      • Confidentiality
      • Non-repudiation
  • But what about managing approval or privilege to
    perform a task?

5
What is a Privilege Management Infrastructure?
  • A privilege management infrastructure is a
    mechanism that can be used to support business
    authority structures (Role Based)
  • PMI is an aspect of PKI and requires underlying
    services for the management of public key
    certificates
  • A PMI should support an organization's authority
    structure

6
When to use a PMI
  • X.509 PKCs have some support for privilege
    management through subject attributes, but this
    support breaks down when:
      • The CA is not responsible for assigning
        privileges
      • There are a number of privileges to be assigned
        by different CAs
      • PKC and privilege validity periods differ

7
PKI vs PMI
8
Attribute Certificates
  • ACs are digital certificates that serve
    primarily to enable verifiers to establish
    attributes other than identity
  • ACs do not provide authentication, so they must
    be used in conjunction with an existing PKI
  • ACs are presented to a privilege verifier who
    acts like a reference monitor before access to
    the object is granted

9
Types of Attribute Certificates
  • Role Specification Certificates (RSC)
      • Specific privileges that are associated with a
        particular role
  • Role Assignment Certificates (RAC)
      • Entities are assigned to the role specified in
        the RSC through the use of RACs

10
Delegation
  • Delegation is the conveyance of a privilege from
    a subject who holds a privilege to a subject who
    doesn't

11
How this all works.
12
Extending the X.509 Roles Model
  • X.509 offers no support for complex roles,
    however, recent research proposes a way to
    accomplish such roles.
  • Allow super roles by having role attributes
    within a role specification certificate pointing
    to another role specification certificate

13
What??..
14
Advantages
  • Convenience: super roles can be easily built by
    combining elementary roles
  • Allows businesses to tailor their PMI to their
    authority structure
  • Reuse: elementary roles can be reused by several
    super roles
  • Automatic updating: any changes made to
    elementary roles would automatically percolate
    upwards

15
Disadvantages
  • Roles have to be defined with care to ensure the
    super role does not inherit a privilege that the
    role is not entitled to
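
The super-role resolution from slides 12 to 15, sketched as an added example that is not part of the original presentation. Plain dictionaries stand in for role specification and role assignment certificates; every role, privilege and function name is constructed for illustration, and signature and validity checks are assumed to have happened already.

```python
# Constructed, simplified stand-ins for attribute certificates. Real ACs are
# signed ASN.1 structures; signature and validity checking is omitted here.
ROLE_SPECS = {  # role specification certificates (RSC): role -> contents
    "clerk":   {"privileges": {"read_ledger"}, "roles": set()},
    "auditor": {"privileges": {"read_ledger", "read_audit_log"}, "roles": set()},
    # Super role: its role attributes point to other RSCs.
    "manager": {"privileges": {"approve_leave"}, "roles": {"clerk", "auditor"}},
}
ROLE_ASSIGNMENTS = {"alice": {"manager"}, "bob": {"clerk"}}  # RACs: holder -> roles


def resolve_role(role, specs, _path=()):
    """Return every privilege a role carries, following pointers to other RSCs."""
    if role in _path:  # a role that (indirectly) includes itself never terminates
        raise ValueError("role cycle: " + " -> ".join(_path + (role,)))
    if role not in specs:
        raise KeyError(f"no role specification certificate for {role!r}")
    privileges = set(specs[role]["privileges"])
    for sub_role in specs[role]["roles"]:
        privileges |= resolve_role(sub_role, specs, _path + (role,))
    return privileges


def verify(holder, privilege, assignments=ROLE_ASSIGNMENTS, specs=ROLE_SPECS):
    """Privilege verifier decision: does any role assigned to holder grant it?"""
    roles = assignments.get(holder, ())
    return any(privilege in resolve_role(r, specs) for r in roles)


def unintended(role, entitled, specs=ROLE_SPECS):
    """Privileges the role inherits beyond the set it is meant to be entitled to."""
    return resolve_role(role, specs) - set(entitled)


if __name__ == "__main__":
    print(verify("alice", "read_audit_log"), verify("bob", "read_audit_log"))
    # The role owner expected 'manager' to carry only these two privileges:
    print(unintended("manager", {"approve_leave", "read_ledger"}))
```

Running `unintended` against each super role whenever an elementary role changes catches the inheritance problem named under Disadvantages before the verifier starts granting the extra privilege.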

16
Conclusion
  • A PMI is to authorization what a PKI is to
    authentication
  • PMI and PKI together form a system that offers a
    high degree of assurance for both IA and access
    control
  • The roles model in the current X.509 standard is
    compatible with the concept of Role Based Access
    control
  • The extended interpretation allows for greater
    flexibility and hence usability of the X.509
    standard

17
References
  • Knight and Grandy, Scalability Issues in PMI
    Delegation, 1st Annual PKI Research Workshop
    Proceedings, Apr 2002
  • D. Chadwick, The X.509 Privilege Management
    System, The European Journal for the
    Informatics Professional, Vol IV, Issue 4, Aug 2005

18
Questions?