Make Secure Information Sharing (SIS) Easy and a Reality
C. Edward Chow, PI
Osama Khaleel
Bill Kretschmer
Sponsored by TTO Proof of Concept grant
6/26/2006 SIS0.2 2
Agenda
Status of the SIS “porting” project
SIS 0.2 Software Architecture
Technologies and Tools/Modules
SIS 0.2 prototype
Demo of SIS 0.2 prototype
Discussion on what to do next
What We Have Achieved
Develop SIS on Windows Platform.
Add new capability on policy management:
  Follow XACML access control standard.
  Specify/enforce policies for accessing secure web sites based on role info in the attribute certificate.
For certificate management, develop tools to:
  Create digital and attribute certificates.
  Update/revoke roles by updating certificates in Active Directory.
Integrate these software modules and demonstrate features on a prototype.
SIS Software Architecture
Access to important resources (e.g. secure web sites) is secured by checking the identity (in the digital certificate, PKC, presented by the user) against the related role (attribute certificate) on a set of policies.
[Diagram: User web browser (PKC); IIS web server; ASP.NET; Policy Enforcement Point; Policy Decision Point; Active Directory (PKC, AC); Policies (XACML); Secure Web Sites (Resource)]
Secure Access Step 1: Identity Authentication
User installs digital certificate (PKC) in their web browser.
User issues a request to the IIS web server.
IIS presents its server certificate and asks the user to present a client certificate (mutual authentication).
[Diagram: User web browser (PKC) and IIS web server. 1. https request; 2. Server Certificate; 3. Client Certificate]
Secure Access Step 2: Forward ID/URI to PEP
ASP.NET intercepts the request and forwards the subject field (containing the identity info) of the PKC to the Policy Enforcement Point (PEP).
[Diagram: User web browser (PKC); IIS web server; ASP.NET; Policy Enforcement Point. 4. User ID (email/OU), Time/IP, https request info]
Secure Access Step 3: Query Active Directory for Role Info
PEP uses ID info (Canonical Name) to query AD for role info contained in the attribute certificate.
[Diagram: User web browser (PKC); IIS web server; ASP.NET; Policy Enforcement Point; Active Directory (PKC, AC). 5. User ID (CN=chow); 6. AC of User with roles (CFO/mgr)]
Secure Access Step 4: Consult PDP for Policy Decision
PEP then consults the Policy Decision Point (PDP) to decide whether the policies allow the user with such role(s) to access the resource.
[Diagram: User web browser (PKC); IIS web server; ASP.NET; Policy Enforcement Point; Policy Decision Point; Policies (XACML). 7. User ID, Role, Time/IP, request info; 8. grant/reject]
Secure Access Step 5: Access Secure Resource
Based on the PDP decision, PEP informs ASP.NET to grant access or redirect with error web pages.
[Diagram: User web browser (PKC); IIS web server; ASP.NET; Policy Enforcement Point; Secure Web Sites (Resource). 9. access/redirect; 10. access; 11. Return web page]
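The five access steps above, modelled end to end as an added example (not code from the SIS project, whose prototype is built on C#/ASP.NET and Sun's Java XACML engine). The directory contents, the prefix-based policy table standing in for XACML, the deny-by-default behaviour and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AttributeCert:  # simplified stand-in for an X.509 attribute certificate (AC)
    holder_cn: str
    roles: frozenset
    not_after: datetime
    revoked: bool = False

EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)      # constructed validity end
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed request time
# Constructed directory contents, standing in for Active Directory (steps 5-6).
DIRECTORY = {
    "chow": AttributeCert("chow", frozenset({"CFO", "mgr"}), EXPIRY),
    "former": AttributeCert("former", frozenset({"mgr"}), EXPIRY, revoked=True),
}
# Constructed policy table, standing in for XACML: URI prefix -> roles permitted.
POLICIES = [("/finance/", {"CFO"}), ("/reports/", {"CFO", "mgr"})]

def subject_cn(subject_dn):
    """Step 4: extract CN from the PKC subject field, e.g. 'CN=chow,OU=CS'.
    Naive comma split; a real PEP would use the DN parsed by the TLS layer."""
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    return None

def pdp_decide(roles, uri):
    """Steps 7-8: grant only if a policy covers the URI and shares a role."""
    for prefix, allowed in POLICIES:
        if uri.startswith(prefix):
            return "grant" if roles & allowed else "reject"
    return "reject"  # no applicable policy: deny by default (assumption)

def pep_handle(subject_dn, uri, now):
    """Steps 4-9: return 'access' or 'redirect' for the ASP.NET layer."""
    cn = subject_cn(subject_dn)
    ac = DIRECTORY.get(cn) if cn else None
    if ac is None or ac.revoked or now > ac.not_after:
        return "redirect"  # missing, revoked or expired AC: fail closed
    return "access" if pdp_decide(ac.roles, uri) == "grant" else "redirect"
```

The revoked entry shows why the role lookup happens on every request: once the AC is revoked in the directory, the same valid PKC no longer yields access.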
SIS Network Topology and IP Assignments
[Diagram: Internet; main switch; FC4 gateway (NIC1 128.198.162.50, NIC2 10.0.0.1); local switch; Win-XP 10.0.0.12; IIS 10.0.0.11; Domain-controller 10.0.0.10; addresses 128.198.162.51, 128.198.162.52, 128.198.162.53]
The Testbed
A 4-machine testbed has been built.
It contains the following:
Windows Server 2003 with AD (the domain controller).
Windows Server 2003 with IIS 6.0 (the web server).
Windows XP (a client).
Fedora Core 4 with iptables-based firewall (a gateway).
The SIS Admin Tool
An admin tool is being developed to provide an easy-to-use GUI for setting up the SIS environment.
C# (C# Express 2005 IDE) has been used.
The three main components that we have so far are:
Public Key Infrastructure (PKI) setup.
Privilege Management Infrastructure (PMI) setup.
Certificates Management.
PKI
Features:
Creating new Certificate Authorities (CAs).
Loading an existing CA.
Issuing a single digital cert (DC) and storing it in the AD, based on a GUI form.
Issuing a bunch of DCs and storing them in the AD, based on a simple text file.
PMI
Features:
Creating new Attribute Authorities (AAs).
Loading an existing AA.
Issuing a single attribute cert (AC) and storing it in the AD, based on a GUI form.
Issuing a bunch of ACs and storing them in the AD, based on a simple text file.
Certificates Management
Check & validate a digital certificate.
Revoke a digital certificate.
Check & validate an attribute certificate.
Revoke an attribute certificate.
Packages & techniques
OpenSSL [http://www.stunnel.org/download/binaries.html]: A wrapper compiled in binaries (exe file) has been used to implement the PKI part.
JCE-IAIK [http://jce.iaik.tugraz.at/]: A set of Java APIs and implementations of cryptographic functionality that has been used to implement the PMI part.
IKVM.NET [http://www.ikvm.net]: An implementation of Java for the Microsoft .NET Framework that has been used to allow us to use the IAIK Java-based package in .NET.
CryptLib [http://www.cs.auckland.ac.nz/~pgut001/cryptlib/] or [http://www.cryptlib.com]: A security toolkit that allows adding encryption and authentication services. (We faced problems with it [file format & AC errors]; therefore, we replaced it with the OpenSSL solution.)
XACML Open Source from Sun [http://sunxacml.sourceforge.net]: Sun’s open source implementation of the OASIS XACML standard, written in the Java programming language.
Demo
Secure web access based on role in attribute certificate
Update AC when a person gets promoted
Revoke AC when a person leaves the company
PKC/AC management tool
Discussion
What are our next steps?