Privilege Management Infrastructure PMI

1
Privilege Management Infrastructure (PMI)

• A. A. Elliott
• October 22nd, 2007

2
Presentation Summary

• Introduction
• extend our PKI analogy to motivate PMI
• put PMI in context and introduce its terminology
• summary and rhetoric
• PMI in Practice
• PMI issues
• PMI Reloaded
• PKI FYIs
• some interesting facts (or not?)
• Questions

3
Introduction (1 of 11) 1

• Public Key Certificates (PKCs)
• ubiquitous for secure web communications
• mandatory for establishing SSL (Secure Sockets
  Layer, https//) connections with web servers
• Public Key Infrastructures (PKIs)
• PKCs are used to strongly authenticate
  communicating parties in a PKI

4
Introduction (2 of 11)
To continue with our analogy we have an
infrastructure (PKI) because we have toasters
5
Introduction (3 of 11)
Or do we have appliances ( applications)
6
Introduction (4 of 11)
Are we going to let everyone we know use our
toaster? Our refrigerator?
7
Introduction (5 of 11)
Although we trust someone are they allowed or
qualified to make our toast?
8
Introduction (6 of 11) 1

• Where did PMI come from?
• PMI is an extension of PKI (which is described in
  X.509)
• X.509
• 1988 first standardized,
• 1993 revision 1,
• 1997 revision 2 and
• 2001 revision 3

9
Introduction (7 of 11)

• Privilege Management Infrastructure (PMI)
• X.509 (2001) revision 3
• who do we trust to make our toast?

10
Introduction (8 of 11) 1

• Primary data structure in a PMI is an X.509
  Attribute Certificate (AC)
• strongly binds a set of attributes to its holder
• attributes are used to describe the various
  privileges of the holder bestowed on it by the
  issuer
• Issuer is termed an Attribute Authority (AA),
  since it is the authoritative provider of the
  attributes given to the holder
• Examples of attributes and issuers
• a degree awarded by a university
• the role of supervisor issued by a manager
• file access permissions issued by a files owner
• The root of trust of a PMI is called the Source
  of Authority (SOA).

11
Introduction (9 of 11) 1

• ACs, AAs and SOAs oh my!
• Attribute Certificates (ACs)
• Attribute Authorities (AAs)
• Source of Authority (SOA).

12
Introduction (10 of 11) 1
Table 1. A Comparison of PKIs and PMIs 1.
13
Introduction (11 of 11) 1

• In essence the public key of a PKC has been
  replaced by a set of attributes in an AC.
• PMI is to authorization what a PKI is to
  authentication
• Rhetorical questions
• Why do we want (need) PMI?
• Is PMI practical?

14
PMI in Practice (1 of 5) 1

• SOAs may have subordinate AAs to which they
  delegate their powers of authorization
• In an organization, the Finance Director might be
  the SOA for allocating the privilege of spending
  corporate money
• He might delegate this privilege to departmental
  managers (subordinate AAs) who can then allocate
  specific spending privileges (ACs) to project
  leaders

15
PMI in Practice (2 of 5)

• John, the project leader, has been delegated
  spending privileges (AC)

16
PMI in Practice (3 of 5)

• When John commits money using a PMI enabled
  application his AC needs to be validated!

17
PMI in Practice (4 of 5)

• Alice, the Departmental Manager (and subordinate
  AA), trusts John to spend money
• Check mark 1

18
PMI in Practice (5 of 5)

• Bob, the Finance Director (and SOA) trusts Alice
• Any friend of Alice is a friend of mine!
• Check mark 2

19
PMI issues(1 of 3) 1

• LDAP standards have generally not supported X.509
  ACs and PKCs very well.
• LDAP?
• PMI implementers must be prepared to design any
  missing features themselves
• Organizations have difficulty agreeing on a
  standard set of attributes (as was and still is
  the case with LDAP)
• There is no standard way of recognizing the
  authority of remote PMI domains

20
PMI issues(2 of 3) 2

• Do you see a potential problem here?

Figure 2. Chaining Attribute Certificates 2.
21
PMI issues(3 of 3) 1

• Knight and Grandy 2
• report that in a reasonable organization with
• 5 levels of delegation and
• only 3 roles
• the number of certificates that need to be
  validated for an access control decision rises to
  110 gt extremely poor performance
• a PMI must have an efficient way of handling the
  delegation of authority

22
PMI Reloaded (1 of 1) 1

• New Features in X.509 (2005)
• additional functionality to improve the
  delegation of authority
• "no assertion" feature (i.e. grant but cant
  e.g. airline manager)
• Delegation Issuing Service (DIS)
• AAs request DIS to issue ACs on their behalf
• full audit database
• simplifies AC chain validation
• additional attributes to support PMIs
• Including XML Support

23
PKI FYIs (1 of 3)

• GoC buy in for PKI?
• http//www.tbs-sct.gc.ca/pki-icp/index_e.asp
• Policy for Public Key Infrastructure Management
  in the Government of Canada
• http//www.tbs-sct.gc.ca/pubs_pol/ciopubs/PKI/pki1
  _e.asp
• Report on the Privilege Management Infrastructure
  (PMI) Proof-of-Concept (POC) Demonstration
• Author Alan Magar (January 2003)
• Defence Research and Development Canada (DRDC)
  project
• RMC attended this demonstration?

24
PKI FYIs (2 of 3)

• Recognized Certification Authorities
• http//www.tbs-sct.gc.ca/pki-icp/sesrca-sesac/sesr
  -sesa_e.asp
• Public Works and Government Services Canada
• CA Name Government Shared Services (GSS) CA
• CA DN ou1CA-AC1, ouGSS-SPG, oGC, cCA
• Contact gc.pki.kmc_at_pwgsc.gc.ca
• Certificate Type Medium Assurance Digital
  Signature
• Certificate Policy OID 2.16.124.101.8.5.1.2.3.4
• Expiry of recognition (2010-03-31)
• Canada Revenue Agency
• CA Name CRA Internal Services CA
• CA DN cn1CA-AC1, ouCCRA-ADRC, oGC, cCA
• Contact PKIAdminICP_at_cra-arc.gc.ca
• Certificate Type CRA Internal Medium Assurance
  Digital Signature
• Certificate Policy OID 2.16.124.101.1.272.3.1.0.1
  .2
• Expiry of recognition (2010-03-31)

25
PKI FYIs (3 of 3)

• PMI Researchers / Vendors
• PERMIS http//www.permis.org/
• OASIS http//www.oasis-open.org/committees/tc_hom
  e.php?wg_abbrevsecurity
• Shibboleth (implements OASIS specification)
  http//shibboleth.internet2.edu/

26
Primary References

• 1 Chadwick, D. The X.509 Privilege Management
  Standard, The European Journal for the
  Informatics Professional, VI(4)41-46, August
  2005.
• 2 S. Knight, C. Grandy. "Scalability Issues in
  PMI Delegation". Pre-Proceedings of the First
  Annual PKI Workshop, Gaithersburg, USA, April
  2002, pp67-77.

27
Questions?

• Why PMI?
• Hint Where PMI
• Thank you!!