NREN AAA Needs - PowerPoint PPT Presentation


1
NREN AAA Needs
  • Miroslav Milinovic
  • University Computing Centre SRCE, University of
    Zagreb, Zagreb, Croatia
  • miro_at_srce.hr
  • 9th CEENet Workshop on Network Technology,
    Budapest, Hungary, August 2004

2
Contents
  • Needs & challenges
  • Middleware scope and activities
  • Directories
  • AAA process (problem)
  • AA(A) Infrastructure
  • PKI

3
Needs
  • Network application access
  • simple
  • reliable
  • allow resource owner to
  • define who and under what conditions can access
  • monitor users / audit activities
  • Use combination of remote resources to fulfill a
    task
  • computation
  • data handling
  • information retrieval
  • visualization
  • collaboration support
  • multimedia distribution
  • experimentation

4
Challenges
  • Different perspectives
  • providers (service and/or content)
  • intermediaries
  • users (individual and/or organisations)
  • Different problems
  • technical (programming could be difficult)
  • non-technical (laws, policies, organisational
    and social aspects)

5
What is Middleware?
  • history
  • RFC 1862 (November 1995): "Replication and caching
    schemes could form a sort of network 'middleware'
    to fulfill a common need of distributed
    services."
  • RFC 2768 (February 2000): Network Policy and
    Services: A Report of a Workshop on Middleware
  • broad definition
  • glue between the network infrastructure and
    user applications
  • commonly used word (buzzword?) with unclear scope

6
What is Middleware?
  • specialized networked services that are shared by
    applications and users
  • a set of core software components that permit
    scaling of applications and networks
  • tools that take the complexity out of application
    integration
  • a second layer of the IT infrastructure, sitting
    above the network
  • the intersection of the stuff that network
    engineers don't want to do with the stuff that
    application developers don't want to do
  • (Ken Klingenstein)

7
What is Middleware?
  • "glue, a layer of software between the network
    and the applications. This software provides
    services such as identification, authentication,
    authorization, directories, and security.
  • In today's Internet, applications usually have to
    provide these services themselves, which leads to
    competing and incompatible standards. By
    promoting standardization and interoperability,
    middleware will make advanced network
    applications much easier to use."
  • (http://middleware.internet2.edu/)

8
Scope
  • Core middleware
  • Identifiers
  • Directories
  • Authentication, Authorisation, Accounting (AAA)
  • Certificates and PKI
  • Upper middleware (Upperware)
  • services that applications would like to have
    provided for them, rather than having to perform
    these functions themselves
  • computing, data repositories, resource discovery,
    multimedia ...

9
Core Middleware Scope
  • Identifiers: namespaces, identifier mappings,
    ...
  • Directories: directory services architectures
    and tools, standard object classes, interrealm
    and registry services, ...
  • Authentication: technologies and policies,
    interrealm interoperability via PKI, Kerberos,
    ...
  • Authorisation: permissions and access controls,
    delegation, privacy management, ...
  • Certificates and PKI: technologies (X.509) and
    policies
  • Integration activities: common management tools,
    use of virtual, federated and hierarchical
    organisations

10
The OSI Reference Model
11
Middleware Model
  • (layer diagram) Application layer: app and
    platform specific
  • Middleware: lots of different stuff (protocols,
    ...)
  • Transport layer: well defined
12
Activities
  • many players & projects
  • Internet 2 (http://middleware.internet2.edu/)
  • Terena (http://www.terena.nl/tech/index_middleware.html)
  • A&R community
  • industry
  • standardisation bodies
  • special focus
  • grid community (http://www.globalgridforum.org/)

13
Directories
14
Directories
  • specialised databases designed for storing and
    retrieving information about individuals,
    organisations, services, resources, ...
  • designed for storing and retrieving information
  • fast reading, writing is slower
  • static view on the data
  • simple updates without transactions
  • network protocol for access (X.500, LDAP, ...)
  • history: used for White pages services

15
Directories Middleware
  • essential for almost all middleware services
  • move from White pages to Directory Enabled
    Networks
  • currently LDAP based directories are considered
    as the best practice
  • activities in
  • IETF
  • TERENA
  • Internet 2 Middleware

16
Authentication, Authorisation and Accounting (AAA)
17
AAA
  • Authentication (AuthN)
  • Authorisation (AuthZ)
  • Accounting (Auditing)

18
Authentication
  • process of establishing whether or not a
    real-world subject is who or what its identifier
    says it is
  • identity can be proven by
  • something you know, like a password
  • something you have, like a smart card or a
    public-key certificate
  • something you are, as with positive photo
    identification, fingerprints, and biometrics
  • should be secure, efficient and effective

19
Authorisation
  • assume the user is known (successfully
    authenticated)
  • the user has attributes determining what he/she
    is allowed to do
  • the resource has use conditions set by the
    resource owner
  • the authorisation process makes the access decision
  • requires mapping the user's attributes against the
    resource's use conditions

20
Steps in AA Process
21
AA Problem
  • (diagram) resource1, resource2 and resource3 each
    keep their own separate info about the user
22
Traditional Applications
  • (diagram) userid / password lists, access control
    lists
  • multiple admins, no common policy
  • multiple userids/passwords (confused user)
  • Authentication and authorisation are internal to
    the application

23
Ultimate Goal
  • (diagram) application, app. gateway, digital
    signature
  • manage keys and privileges
  • one userid/password or PIN to access the private
    key (happy user)
  • fewer admins, common policy
  • Authentication and authorisation are external to
    the application

24
Inter-institutional AA
  • disclosing credentials beyond your administrative
    domain
  • mobility
  • virtual organisations
  • publishers, distance education, grids, ...
  • increased flexibility
  • better than IP address-based authentication
  • increased security
  • weak userid/passwd replaced by certificate

25
Authentication & Authorisation Infrastructure
26
AA Infrastructure
  • solution for (inter-institutional) AA problem
  • 3 key elements
  • user, home organisation, resource owner
  • 3 basic actions
  • user AuthN performed by the user's home organisation
  • delivery of the user's authorisation attributes from
    the home organisation to the resource (owner); the
    set of attributes has to be configurable to meet the
    needs of both parties (strong privacy)
  • the resource owner decides about the access (AuthZ)

27
AAI Model
  • (diagram) elements: home organisation (AuthN
    system, authorisation attributes directory) and
    resource owner (access control, access rights,
    resource)
  • flows: access request from the user, AuthN,
    delivery of authorisation attributes, access
    decision
28
AAI Challenges
  • AAI phases
  • AuthN, AuthZ, (Control of Session, proxy
    frontend element)
  • description
  • architecture review
  • elements involved
  • centralised vs. distributed infrastructure

29
Authentication Phase
  • many solutions
  • most common: user/password, in combination with
    different elements (LDAP, ...)
  • other: one-time password, digital certificates
    (key cards, tokens), biometrics, face picture
    recognition, ...
  • not difficult to adapt a new AuthZ

30
Authorisation Phase
  • based on rules that implement access control
    policies
  • uses the origin address of the request, the client's
    identity, the client's attributes, time ranges, ...
  • possible use of an external authorisation server or
    authorisation engine
  • in a distributed AAI it is (sometimes) necessary to
    have an identification manager to know "who are
    you, where may I ask about you"
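The three basic actions of the AA infrastructure slide (home-organisation AuthN, configurable attribute delivery, resource-owner AuthZ) and the rule inputs of the authorisation phase slide (attributes, origin address, time range), run end to end as an added example. This is Python written for this page, not code from the presentation or from any of the projects it cites. It assumes a shared secret between the home organisation and the resource owner as the trust mechanism; every user, password, policy, address and key below is constructed.

```python
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed shared secret between home organisation and resource owner
# (the slides list shared secrets / cross keys among the trust mechanisms).
HOME_ORG_KEY = b"constructed-shared-secret"
SALT = b"constructed-salt"


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Home organisation: constructed user store and per-resource release policy.
USERS = {
    "alice": {"pw": pw_hash("correct horse"),
              "attributes": {"affiliation": "student", "department": "physics",
                             "birth_date": "1985-01-01"}},
}
RELEASE_POLICY = {            # only the listed attributes leave the home organisation
    "journal-archive": ["affiliation"],
    "physics-cluster": ["affiliation", "department"],
}


def home_org_assert(username, password, resource):
    """Actions 1 and 2: authenticate, then deliver only the releasable attributes."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], pw_hash(password)):
        return None                                    # AuthN failed: nothing is released
    released = {k: v for k, v in user["attributes"].items()
                if k in RELEASE_POLICY.get(resource, [])}
    body = json.dumps({"issuer": "home.example", "subject": username,
                       "audience": resource, "issued_at": int(time.time()),
                       "attributes": released}, sort_keys=True).encode()
    tag = hmac.new(HOME_ORG_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": body, "tag": tag}


def released_attributes(assertion):
    """What the resource owner actually receives about the user."""
    return json.loads(assertion["payload"])["attributes"]


# Resource owner: constructed use conditions, one rule set per resource.
USE_CONDITIONS = {
    "journal-archive": {"attributes": {"affiliation": {"student", "staff"}},
                        "origin": "10.0.0.0/8", "hours": (0, 24)},
    "physics-cluster": {"attributes": {"affiliation": {"student"},
                                       "department": {"physics"}},
                        "origin": "10.1.0.0/16", "hours": (8, 20)},
}


def resource_owner_decide(assertion, resource, origin_ip, hour, max_age=300):
    """Action 3: check the assertion's origin and integrity, then apply use conditions."""
    if assertion is None:
        return False
    expected = hmac.new(HOME_ORG_KEY, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return False                                   # forged or altered in transit
    body = json.loads(assertion["payload"])
    if body["audience"] != resource or time.time() - body["issued_at"] > max_age:
        return False                                   # issued for another resource, or stale
    rules = USE_CONDITIONS.get(resource)
    if rules is None:
        return False                                   # unknown resource: deny by default
    attrs = body["attributes"]
    if any(attrs.get(k) not in allowed for k, allowed in rules["attributes"].items()):
        return False
    if ipaddress.ip_address(origin_ip) not in ipaddress.ip_network(rules["origin"]):
        return False
    start, end = rules["hours"]
    return start <= hour < end
```

The release policy is keyed by resource, so the same user is described differently to different resource owners; the resource owner never sees an attribute the home organisation chose not to release, which is the configurable-attribute-set point of the slide.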

31
Control of Session
  • allows identifying the client of the request
  • improves the performance of an AAI
  • allows the AAI not to repeat a heavy AuthZ process
    on each request
  • problems
  • very dependent on apps and protocols
  • security problems
  • Web browser (HTTP)
  • Cookies
  • Reference parameter
  • Codes into URLs
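One way to implement the session control described above, as an added example in Python (not code from the presentation): a server-side session store in which the result of one heavy AuthN/AuthZ round is cached under an opaque random id. The browser cookie carries only that id, so nothing in the cookie can be edited to change the decision, and an absolute lifetime plus an idle timeout bound how long a cached decision is reused. The lifetimes and the injectable clock are constructed for the example.

```python
import secrets
import time

SESSION_LIFETIME = 600   # seconds: redo AuthN/AuthZ after this, however active the client
IDLE_TIMEOUT = 120       # seconds without a request before the session is dropped


class SessionStore:
    """In-memory session table; the clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, subject, resource, decision):
        """Cache the outcome of one full AuthZ process under a fresh random id."""
        sid = secrets.token_urlsafe(32)            # 256 random bits: not guessable
        now = self._clock()
        self._sessions[sid] = {"subject": subject, "resource": resource,
                               "decision": decision, "created": now, "last_seen": now}
        return sid

    def check(self, sid, resource):
        """Return the cached decision, or None when the client must re-authenticate."""
        entry = self._sessions.get(sid)
        if entry is None or entry["resource"] != resource:
            return None                             # unknown id, or id issued for another resource
        now = self._clock()
        if (now - entry["created"] > SESSION_LIFETIME
                or now - entry["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[sid]                 # expired: force a fresh AuthN/AuthZ round
            return None
        entry["last_seen"] = now
        return entry["decision"]

    def revoke(self, sid):
        """Logout or administrative revocation: the id stops working at once."""
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)


def session_cookie(sid):
    """Cookie attributes keep the id off cleartext HTTP and away from page scripts."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

Keeping the decision server-side is what makes the cookie safe to hand to a browser: the id is a reference, not the decision itself, and revoking it is a single dictionary deletion rather than waiting for a signed token to expire.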

32
Access Control Proxy Element
  • helps to integrate the new technology with old
    services
  • for the home organization
  • controls the access of home users to external
    organisations' resources
  • useful for content providers
  • for the resource owner
  • firewall for services
  • centralises the access control policies for all
    the resources of the organisation
  • helps in the integration between different
    solutions

33
Centralised Solutions
  • common servers or services for all the
    organizations involved
  • advantages
  • no inter-organisation trust problem
  • no client (or home site) identification problem
  • disadvantages
  • scalability
  • difficult management
  • flexibility (?)

34
Distributed Solutions
  • elements may stay in different organisations,
    even at trusted third parties
  • advantages
  • flexibility
  • scalability
  • disadvantages
  • inter-organisation trust
  • client (or home site) identification
  • common attribute schemas

35
AAI for Network Access
36
AAI ? PKI
37
PKI - Concept
  • enhanced security
  • Public keys / certificates replace weak
    user/password based AA
  • Public Key Infrastructure (PKI) is a combination
    of
  • software,
  • protocols,
  • legal agreements
  • that are necessary to effectively use
    certificates.
  • X.509 standard for certificates is used

38
Asymmetric Encryption
  • (diagram) cleartext → asymmetric encryption with
    the public key → ciphertext → asymmetric decryption
    with the private key → cleartext
39
Digital Signature
  • (diagram) information to be signed → hash function
    → hash value → asymmetric encryption with the
    private key → digital signature
40
Verification of a Digital Signature
  • (diagram) digital signature → asymmetric encryption
    with the public key → decrypted signature
  • signed information → hash function → hash value
  • compare the decrypted signature with the hash value
41
PKI Components
  • Certificate Authority (CA), that manages and
    signs certificates for an institution
  • Registration Authorities (RA), operating under
    the auspices of the CA, that validate users as
    having been issued certificates
  • PKI management tools, including software to
    manage revocations, validations and renewals
  • Directories to store certificates, public keys,
    and certificate management information
  • Databases and key-management software to store
    escrowed and archived keys
  • Applications that can make use of certificates
    and can seek validation of others' certificates
  • Trust models that extend the realm of secure
    communications beyond the original CA
  • Policies that identify how an institution manages
    certificates, including legal liabilities and
    limitations, standards on contents of
    certificates, and actual campus practices

42
PKI Components
  • (diagram) components split between the
    infrastructure system and the end-user system
43
PKI in Real Life
  • European directives
  • Digital Signatures Directive
  • European Signature Standardization Initiative
  • Qualified Certificates (not for NRENs?)
  • National differences
  • Deployment started; not all issues well
    understood
  • Start bottom up
  • Client cert for SSL (http, imap, ipsec, ...)
  • Integration with directories (LDAP / X.509)
  • Bottom line is trust

44
Inter-organization Trust Problem
  • Federation
  • PKI: based on public key technology
  • vertical trust: based on delegation
  • horizontal trust: common root or cross keys
    (certificates)
  • Server hierarchy: relations based on virtual
    parent-child and sibling connections (usually
    cross keys or a shared secret)
  • Mix
  • vertical trust based on the server hierarchy
  • horizontal trust based on cross keys or PKI
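The hash-then-sign and verification flows of the digital signature slides, and the two trust directions of this slide (vertical trust by delegation from a root CA to an institutional CA to an end entity, horizontal trust by a cross certificate between two roots), carried through as one added example. This is Python written for this page, not code from the presentation; it uses textbook RSA on Mersenne-prime moduli purely so that it runs offline with the standard library. The certificate format, names and keys are constructed, and unpadded RSA with keys of this size is not a secure signature scheme; a real deployment uses X.509 certificates and a vetted library.

```python
import hashlib

# Mersenne primes 2^k - 1 for these k; none has 65537 | (p - 1), so e = 65537
# is a valid public exponent for every pair below (constructed toy keys).
M = {k: (1 << k) - 1 for k in (61, 89, 107, 127, 521, 607, 1279, 2203)}


def toy_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def hash_mod_n(data, n):
    # Hash-function step of the signature slide: digest reduced into the modulus range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    # Signature slide: the hash value transformed with the private key is the signature.
    n, d = private_key
    return pow(hash_mod_n(data, n), d, n)


def verify(public_key, data, signature):
    # Verification slide: recover the hash with the public key, compare with own hash.
    n, e = public_key
    return pow(signature, e, n) == hash_mod_n(data, n)


def cert_bytes(subject, issuer, public_key):
    """The to-be-signed part of a toy certificate (constructed format)."""
    n, e = public_key
    return f"{subject}|{issuer}|{n}|{e}".encode()


def make_cert(subject, subject_pub, issuer, issuer_priv):
    tbs = cert_bytes(subject, issuer, subject_pub)
    return {"subject": subject, "issuer": issuer, "public_key": subject_pub,
            "signature": sign(issuer_priv, tbs)}


def verify_chain(chain, trusted_roots):
    """chain runs from the end entity up to a root: each certificate must be
    signed by the next one, and the last must be a configured trust anchor."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False                               # broken link in the chain
        tbs = cert_bytes(cert["subject"], cert["issuer"], cert["public_key"])
        if not verify(issuer_cert["public_key"], tbs, cert["signature"]):
            return False                               # signature does not check out
    root = chain[-1]
    return trusted_roots.get(root["subject"]) == root["public_key"]


def build_demo():
    """Two institutions A and B, each with its own root; B's root is cross-signed by A."""
    root_a_pub, root_a_priv = toy_keypair(M[127], M[107])
    ca_a_pub, ca_a_priv = toy_keypair(M[89], M[61])
    user_a_pub, user_a_priv = toy_keypair(M[521], M[607])
    root_b_pub, root_b_priv = toy_keypair(M[1279], M[2203])
    return {
        "root_a_pub": root_a_pub, "ca_a_pub": ca_a_pub,
        "user_a_pub": user_a_pub, "user_a_priv": user_a_priv,
        "root_a": make_cert("root-a", root_a_pub, "root-a", root_a_priv),      # self-signed
        "ca_a": make_cert("ca-a", ca_a_pub, "root-a", root_a_priv),            # vertical: delegation
        "user_a": make_cert("alice@a", user_a_pub, "ca-a", ca_a_priv),
        "root_b": make_cert("root-b", root_b_pub, "root-b", root_b_priv),      # self-signed, untrusted by A
        "root_b_cross": make_cert("root-b", root_b_pub, "root-a", root_a_priv),  # horizontal: cross cert
    }


if __name__ == "__main__":
    d = build_demo()
    anchors = {"root-a": d["root_a_pub"]}
    print("A's user via A's hierarchy:", verify_chain([d["user_a"], d["ca_a"], d["root_a"]], anchors))
    print("B's root alone:", verify_chain([d["root_b"]], anchors))
    print("B's root via cross cert:", verify_chain([d["root_b_cross"], d["root_a"]], anchors))
```

With only root A configured as a trust anchor, B's self-signed root is rejected, while the cross certificate that A issued for B's key lets the same key validate through A; that is the difference between sharing a common root and exchanging cross keys.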

45
More Info...
  • TERENA (http://www.terena.nl/tech/)
  • Internet 2 (http://middleware.internet2.edu/)
  • A-select (http://a-select.surfnet.nl)
  • GSI (http://www.globus.org/security/)
  • PAPI (http://www.rediris.es/app/papi/index.en.html)
  • Shibboleth (http://shibboleth.internet2.edu/)
  • Permis (http://www.permis.org/)
  • Athens (http://www.athensams.net/)
  • ...

Do not forget the problem!
46
Contents
  • Needs & challenges
  • Middleware scope and activities
  • Directories
  • AAA process (problem)
  • AA(A) Infrastructure
  • PKI