Jumpstart webinar - Jumpstart Infrastructure Services, PKI - STS


Page 1: Jumpstart webinar - Jumpstart Infrastructure Services, PKI ......–ECRYPT II, FIPS, NIST, ... –PCI-DSS, ... •Need for trust and compatibility of policies 5 . 2. Security: Identity

30 September 2015

09.00-10.00 CET 17.00-18.00 CET

JUMPSTART INFRASTRUCTURE SERVICES PKI - STS

Page 2

1. Security: wider interoperability context #1

• Interoperability frameworks:

– Security is everywhere:

• Horizontal

• Vertical

• Transversal

• Cross-cutting

– Many layers/aspects: from technology to legal

• Data:

• In motion

• Being processed

• At rest

Page 3

1. Security: wider interoperability context #2

• Competing requirements:

– Security strength

– Performance

– Scalability

– Cost

– Complexity

– ...

– Safety

Page 4

1. Security: wider interoperability context #3

• Many technologies, often overlapping functionality

• Lifecycle: hype/mainstream/obsolescence

– Maturity

– Changing threat levels

– Increasing awareness of cybersecurity

– SIEM

– Flaws/bugs

Page 5

1. Security: wider interoperability context #4

• Many regulations/standards/frameworks/best practices

– International treaties, regional and national laws, regulations

– ITU, IEC, ISO, ETSI, ...

– ISO 270xx, Cobit 5, ITIL v3, ...

– ECRYPT II, FIPS, NIST, ...

– PCI-DSS, ...

• Need for trust and compatibility of policies

Page 6

2. Security: Identity Management #1

• Security needs:

– related to the identities that exchange information: authenticity, authorisation, integrity, confidentiality, non-repudiation

– various classifications

• such as CIA triad, Parkerian Hexad, Microsoft STRIDE, ...

• ontology disputes/mapping. Example:

– authenticity could be seen as integrity of origin

– authenticity and authorisation could be seen as access control

• Identity Management standards and ontology:

– ITU-T X.1250 – X.1279

– ISO/IEC 24760

• Scope:

– interoperability and security at the level of the Technical Infrastructure for data in motion

– some of the described mechanisms could be (re)used in other scopes, but this is not part of this Webinar

Page 7

2. Security: Identity Management #2

• Challenges:

– participants speaking the same protocols is one thing

– participants managing all elements of the identities involved in those protocols is another:

• at very small scale, all actors can manage all elements of involved identities,

• but at larger scale this becomes increasingly unmanageable

• hence interest for shared/shareable infrastructure:

– that helps to avoid multiplication of effort

– whereby the deployment can be organised in a wide variety of forms

Page 8

3. Security: securing the data in motion #1

• Layered model:

– Network, transport and message level

– Solutions for security needs can be provided at different layers and possibly combined

Page 9

3. Security: securing the data in motion #2

Examples of security technology, by layer. The slide is a matrix with the columns Authentication, Authorisation, Integrity, Confidentiality and Non-repudiation; the extraction lost the column positions, so each technology is listed with the number of property columns it is marked in (out of five).

Message (end-to-end):

– WS-Security 1.1(.1) (2006/2 - 2012/5): 5 columns

– SAML 2.0 (2005/3 ->): 2 columns

– XML Signature 1.1 (2013/4 ->): 2 columns

– XML Encryption 1.1 (2013/4): 1 column

– OAuth2 (2012/10): 1 column

– OpenID Connect 1.0 (2014/11 ->): 5 columns

– JOSE (<- 2015/5 ->): 5 columns

– HTTP/1.1 Basic Authentication (1999/6): 1 column

– XACML 3.0 (2013/1 ->): 1 column

Transport (point-to-point):

– TLS 1.2 (2008/8 ->): 3 columns

– SSH 2.0 (2006/1 ->): 3 columns

– HTTP/1.1 Basic Authentication (1999/6): 1 column

Network (net-to-net, net-to-host, host-to-host):

– IPsec (2005/12 ->): 4 columns

Page 10

3. Security: securing the data in motion #3

• One size does not fit all:

– Many functionalities

– Many technologies

– Many combinations

– Many changes

– ...

– Many opinions

Page 11

3. Security: securing the data in motion #4

• 2 technology families are selected for SESAR SWIM TI to support identity:

– Private/public key based concept:

• Can be used autonomously and provide sufficient protection

• Is used in many other security technologies as an (almost) unavoidable complement.

• Machine to machine communication

– STS based concept:

• Support for claims

• Concept supported by many security technologies

• Suitable for any type of client

• Can mediate and abstract the pace of change

Page 12

3. Security: securing the data in motion #5

• Within each family a specific and limited set of mandated technologies:

– PKI, X.509v3 based

– STS, WS-Trust based, Username/SAML/Certificate token profiles

• Within both families capabilities for federation between distinct security domains:

– BCA

– WS-Federation

Page 13

4. Security: Jumpstart Infrastructure Services #1

• Discovery and Demonstration SWIM:

– Not for operational use!

• Low threshold access to Infrastructure Services:

– Autonomous self-paced discovery

– Support your own demonstrations

– Reusable by multiple service consumers and service providers

Page 14

4. Security: Jumpstart Infrastructure Services #2

• Jumpstart Infrastructure Service, Identity Management solution:

– PKI supporting X.509v3 certificates, based on tooling included in Windows Server 2012 R2, including:

• GUI request interface

• secured management interface (issuing, revocation, etc.)

• AIA and CDP

• OCSP responder

– STS based on Open Source tooling provided by Thinktecture, IdentityServer v2 (latest v2.5), including:

• support for WS-Trust and WS-Federation

• secured management interface

• SAML tokens

• token signing

• extensible claims management
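What a relying party checks against a PKI built this way: an added example, not from the webinar or the Windows Server tooling, that builds the chain for a certificate file, forces online revocation checking across the whole chain through the CDP and OCSP endpoints the certificates advertise, and lists each chain element's AIA and CDP URLs. The certificate path is a placeholder; the 'URL=' pattern assumes the Windows rendering of X509Extension.Format().

```powershell
# Added example (not from the webinar): relying-party view of the PKI.
# Builds the chain, requires online revocation (CRL via CDP / OCSP via AIA)
# for every element, and prints the endpoints each certificate publishes.
param([string]$CertPath = 'C:\placeholder\service.cer')   # assumption: path to a DER/PEM cert

$Oids = @{ '1.3.6.1.5.5.7.1.1' = 'AIA'; '2.5.29.31' = 'CDP' }   # Authority Info Access, CRL Distribution Points

$Cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$Chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# NoFlag: do not tolerate unknown revocation status or unreachable CDP/OCSP endpoints
$Chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$Chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$Ok = $Chain.Build($Cert)

foreach ($Element in $Chain.ChainElements) {
    $C = $Element.Certificate
    "{0}`n  Subject: {1}`n  Issuer:  {2}`n  Expires: {3:u}" -f ('-' * 60), $C.Subject, $C.Issuer, $C.NotAfter
    foreach ($Ext in $C.Extensions) {
        if ($Oids.ContainsKey($Ext.Oid.Value)) {
            # Format() renders the extension as text; pull out the URLs the PKI publishes
            $Urls = [regex]::Matches($Ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
            "  {0}: {1}" -f $Oids[$Ext.Oid.Value], ($Urls -join ', ')
        }
    }
    # Per-element problems (expired, revoked, revocation status unknown, untrusted root, ...)
    foreach ($S in $Element.ChainElementStatus) { "  STATUS: {0} {1}" -f $S.Status, $S.StatusInformation.Trim() }
}

if ($Ok) { 'Chain valid; revocation status obtained for every element.' }
else     { 'Chain NOT trusted: ' + (($Chain.ChainStatus | ForEach-Object Status) -join ', ') }
```

A RevocationStatusUnknown or OfflineRevocation status on an element means the CDP or OCSP responder could not be consulted; with the flags above that is a failure, not a pass.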

Page 15

4. Security: Jumpstart Infrastructure Services #3

• Based on existing tooling: “Jumpstart” added value?

– A-Z guided and integrated installation documentation/scripts that can be replayed even with very low prior knowledge

– Infrastructure that is effectively used in Jumpstart Services:

• Aligned with Yellow Profile

• Services with small code footprint illustrating use of AIXM, FIXM and IWXXM

• Secured using the Identity Management Infrastructure described in this Webinar

• On cloud infrastructure

• Subject of another Webinar

– The choice of the configuration is targeted to be extendable. E.g.:

• Multiple CAs, cross-certification

• Multiple OCSP responders, on behalf of multiple CAs

• Multiple STS, federation

• Additional Token types
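The STS side in practice: an added example, not part of the webinar or of the Thinktecture project, showing a WS-Trust 1.3 RequestSecurityToken that uses the Username token profile to ask the STS for a SAML 2.0 bearer token for one relying party, and the checks a client performs on the returned RSTR before using the token. The STS endpoint, the relying-party address and the account are placeholders.

```powershell
# Added example (not from the webinar): WS-Trust 1.3 Issue request with the
# Username token profile, asking for a SAML 2.0 bearer assertion.
$Sts       = 'https://sts.example.invalid/issue/wstrust/mixed/username'   # assumption: STS endpoint (must be HTTPS)
$AppliesTo = 'https://service.example.invalid/'                           # assumption: relying party the token is scoped to
$Cred      = Get-Credential -Message 'STS account (placeholder)'
$Pwd       = $Cred.GetNetworkCredential().Password

$Rst = @"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:To s:mustUnderstand="1">$Sts</a:To>
    <o:Security s:mustUnderstand="1">
      <o:UsernameToken>
        <o:Username>$([System.Security.SecurityElement]::Escape($Cred.UserName))</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">$([System.Security.SecurityElement]::Escape($Pwd))</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken>
      <wsp:AppliesTo><a:EndpointReference><a:Address>$AppliesTo</a:Address></a:EndpointReference></wsp:AppliesTo>
      <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
      <t:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
"@

$Resp = Invoke-WebRequest -Uri $Sts -Method Post -Body $Rst -ContentType 'application/soap+xml; charset=utf-8' -UseBasicParsing
[xml]$Rstr = $Resp.Content

# Locate the issued assertion inside the RequestSecurityTokenResponse and check it is signed
$Ns = New-Object System.Xml.XmlNamespaceManager($Rstr.NameTable)
$Ns.AddNamespace('t',    'http://docs.oasis-open.org/ws-sx/ws-trust/200512')
$Ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
$Ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
$Assertion = $Rstr.SelectSingleNode('//t:RequestedSecurityToken/saml:Assertion', $Ns)
if (-not $Assertion) { throw 'RSTR carries no SAML 2.0 assertion' }
if (-not $Assertion.SelectSingleNode('ds:Signature', $Ns)) { throw 'Assertion is not signed' }
"Issuer:   $($Assertion.SelectSingleNode('saml:Issuer', $Ns).InnerText)"
"Audience: $($Assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $Ns).InnerText)"
"Validity: $($Assertion.Conditions.NotBefore) .. $($Assertion.Conditions.NotOnOrAfter)"
```

The presence of ds:Signature is only a precondition: the relying party must still verify that signature against the STS signing certificate (for example with System.Security.Cryptography.Xml.SignedXml) and check Audience and the validity window before trusting any claim in the assertion.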

Page 16

4. Security: Jumpstart Infrastructure Services #4

• Low threshold:

– Low upfront experience requirements

– Low financial cost: all-in cloud solution from as little as 12 EUR per month

– Low time investment: first time run through in about 4 hours, restart from scratch will go (much) faster

– Low maintenance: we have run this configuration quasi unattended for about 1.5 years, with almost no downtime

• Other solutions?

– The chosen solutions are not the only solutions available

– Equivalent functionality can be provided on other platforms and by other tools
