Title: Silk Security Workshop 2004 21-24 ????, 2004
1????????? ? ??????? ???????????? ?????????????? ?
????????????????????? ??????
- Silk Security Workshop 2004 21-24 ????, 2004
- Yuri Demchenko, University of Amsterdam
- <demch_at_science.uva.nl>
2??????????
- ??????????? ??????????????
- ?????? ?????????????? ???????? ??????
- ??????????? ???????????? ???????? ?????? (ISO
7498-2) - ????????? ???????????? ?????? ?????? ?????? IEEE
802 - ????????? ? ????????? ???????????? ????????
- ????????? ? ??????? ???????????? ?? ????????????
????????? ???????????? - ?????????????? ???????? ?????? PKI
- ?????????? ???????????? ?? ?????? XML
- ??????????? ?????????? ?????????????? ?
???????????
3??????????? ??????????????
- ISO/IEC, IEEE ?????/????????????? ???????
???????????? - ????????? ISO/IEC, IEEE
- ITU (International Telecommunication Union)
????????? ???????????? ????????????????????
?????? - ????????? X, V, T, H, etc.
- IETF (Internet Engineering Task Force) ?????????
???????????? ???????? (RFC) - OASIS (Organization for the Advancement of
Structured Information Standards) ?????????
???????????? ?? ?????? XML (???
??????-??????????) - NIST, CEN, ETSI ???????????? ? ????????????
????????? ???????????? - ?????? ?????????????????? ??????????? ? ??????
- GGF (Global Grid Forum) - ????????? ???
????-?????????? - Liberty Alliance Project ????????????? ?
????????????? ? ????????
4????????? ? ??????????? ?????????????? IETF
- ??????? ?????? IETF ?? ???????? ???????????? (2004)
- http://www.ietf.org/html.charters/wg-dir.html
- enroll, idwg, inch, ipsec, ipseckey, ipsp, kink, krbwg, ltans, mobike, msec, openpgp, pki4ipsec, pkix, sacred, sasl, secsh, smime, stime, syslog, tls, aaa
5?????? ?????????????? ???????? ?????? (???) Open System Interconnection (OSI) Reference Model
ISO 7894-1984/ITU X.200
?????? ???
??????????? ???????
?????????? Application
??????? ?????????? ?????, ??? ???????? ?????? ?
???????? ??????????
???????????????? Presentation
?????????????? ?????? ? ???????????
????????? Session
???????????? ? ??????????? ?????? ?????
???????????? Transport
??????????? ???????? ????? ????????? ???????
??????? Network
???????? ??????? ??????????, ??????? ?????????????
?????? Data Link
???????? ??????, ???????????? ???????, ????????
??????
?????????? Physical
???????? ???????? ?????? ????? ?????
6?????? ?????????? TCP/IP (1)
7?????? ?????????? TCP/IP (2)
8???????? ??????????? ???????? ?????
[Figure: interconnection of systems at the OSI layers. Two protocol stacks (layers 7 down to 1) are joined by interconnection devices labelled by the layer at which they operate: Gateway (layer 7), Router (layer 3), Bridge (layer 2), Repeater (layer 1).]
9??????? ?????? ? ???
- ?????????????? ??????? ? ????????????????
?????????? - ?????????????? ???????
- ???????????????????? ???????
- ??????? ?????????? ????? ? ??????? ?????????
- ??????????? ?????????? ????????? ????????,
????????, DNS, PKI, LDAP - ?????????????? ???????
- ???????????????? ?????????????
- ???????????????? ??????????
- ?????? ??????????, ????????, ? ????????, ???????
- ?????????? ? ??????? ?????, ????????, ? ?????????
??? ?????? ??????-??????????
10???????????? ? ???????????? ?? ?????????
????????????
- (???????????) ???????????? ???????????? ?????
???????? ??????????? ??????? ? ???, ????????????
?? ??????????? ?????????? ?????? ??????? ???
??????????? ?????????? ???????????? ??????/??????
? ???????? ?????????????? ??????? ???????? ?
??????????? ??? ??????????, ??? ? ???????????? - ? ????????, ???????????? ????? ????????????????/??
????????? ???? - ??? ? ?? ????? ???? ??????????? ????????????
- ???????????? ????? ?????, ? ???? ???????????
???????????? ?????????? ?????? - ???????????? ?? ????????? ???????????? ????????
?????? ??????????? ??????????? ????????????, ????
???????? ?????????? ???????? - ???????? ????? ? ????? ????????????
- ????????????? ?????????
- ?????????????? ??????
11????????????? ????????? ???????????? ISO 7498-2
- ?????????? ? ????????
- ??????????? ???????? ? ?????????? ????????????
- ?????? ??????????? ???????, ???????????????
???????? ? ?????????? ? ??????? - ????????? ?????????? ???? ??? ?????????? ?????
- ????????? ?????? ?????????? ????? ????????????
- ??????????? ????? ???????????? ? ????????? ??????
- ??????????? ?????????? ???????????? ? ???????
- ???????? ?????????? ????????? ?????? ????????????
- ????? ?????????????? ???????? ???????????
???????????? ?????? ???? ?????????????? - ?????? ???????????? ????? ???????? ????? ??? ??
????? ?????? - ??????? ???????????? ?? ?????? ???????????
???????????? ??????????? ??????? ???????, ?
????????, ???????????? ?? - ?????????? ?????????? ???????????? ?? ??????
???????? ???????????? ??????? - ?????????? ????????????????/????????????? ???????
?????? ???? ?????????????? - ?????? ???????????? ?????? ???? ?????????? ???,
????? ????????? ????????? ?????????? ? ????????
???????? (plugability)
12??????? ??????? ???????????? ISO 7498-2
- ?????????????????? Confidentiality
- ?????????????? Authentication
- ??????????? Integrity
- ???????? ??????? Access control
- ???????????? (????????????????) Non-repudiation
- ??????????? Availability
13????? ????????? ???????????? ISO 7498-2
- ?????????? Encryption
- ???????? ??????? Digital signature
- ??????????? ??????????? (???????) ?????? Data (stream) integrity
- ?????????? ??????? Traffic padding
- ?????????????? Authentication
- ???????? ??????? Access control
- ??????????? - Notarisation
14????????? ??????c????? TCP/IP (IETF-1)
- One-Time Passwords - ??????????? ??????
- HMAC (Keyed-Hashing for Message Authentication) - RFC2104
- ???????? ?????????????? ????????? ?? ?????? ????????? ??????
- IPSec - RFC2401, RFC2402, RFC2406, RFC2407, RFC2411
- ??????? ??????? ?????????? ? ?????????????? IP-??????. ??????????? ??? ?????? ???????????? host-to-host, host-to-gateway, gateway-to-gateway. ???????? ??????? ??? VPN (Virtual Private Network)
- TLS (Transport Layer Security) - RFC2246
- ???????????? ?????????????, ????????????????? ?????, ??????? ???????? ?????? TCP. ????????? ????? ?????? ????????????????? ??? ?????? ??????????? ????????? ????? (???), ?????? ????? ????? ????? ?????????? ? ???????????? ???????? ??????????????.
- SASL (Simple Authentication and Security Layer) RFC 2222
- ???????????? ??????? ???????????? ??? ?????????? ?? ?????? ??????????, ? ?????????, BEEP, IMAP, LDAP, POP, SMTP
- GSS-API (Generic Security Service Application Program Interface) - RFC2744
- ??????????? ????????? ??? ??????????? ?????????? ???????? ??????????????, ?????????????, ?????? ????????? ? ???????? ????????? ? ?????????????? ??????? ? ?????????????? ???????????
15????????? ??????c????? TCP/IP (2)
- DNSSEC - RFC2535
- ????????? ??????????? DNS-??????, ???????????? ??????????? ??????? ??????? DNS ?? ????? ??????????. ???????????? ????? ?????????????? ??? ??????????????? ???
- Security/Multipart (S/MIME) RFC1847
- ?????????? ? ???????? ??????? ?????-???????????? ????????? ??????????? ????? ?? ?????? PKI
- Digital Signatures - ???????? ???????
- OpenPGP RFC2440, RFC3156
- ?????????? ? ???????? ??????? ????????? ??????????? ?????
- Firewalls - ??????? ?????? ??? ?????????????? ???????? ??????
- Kerberos RFC1510
- ???????? ???????? ?????????????? ? ?????? ?????????? ???????
- SSH ?????????? ??????????? ?????????? ????? ???????? ? ????????
16??????????????? ???????????? ?????????
- ????????? ?????? - Plaintext Passwords
- ?????????????? ?? ?????? IP-?????? - Address-Based Authentication
- ?????????????? ?? ?????? ????????? ????? - Name-Based Authentication
17????????? ???????????? ?????? ?????? ?????? IEEE
802
- IEEE 802.10 ????????? ??????????? ???????????? ISO 7498-2 ? ????? ?????????? ???????? ???????????? ??????????????, ???????? ??????? ? ??????????? ?????? ? ??????? ?????? ? ????????
- IEEE 802.1X ?????????? ????????? ?????????????? ? ?????????????? ??????? ??????, ?????????? ???????????? ????????????? ????????? ?????? ??? WEP-??????????. ?????????? EAP ??? ????????????? ? ?????? ?????????? ?????? RADIUS.
- IEEE 802.11i ??????? ???????? ????????????, ??????? ?????????? ???????? ?????????????? 802.1X ? ????????? ???????? ?????????? AES.
- WPA (Wi-Fi Protected Access) ???????? ??????????, ??????? ????????? ?????????? WEP. WPA ????? ?????????? ????????? ?????????????? 802.1X.
- EAP (Extensible authentication protocol) ???????? ?????-?????, ??????? ???????????? ????????????? ????????? ??????????????. ????? ?????????? ??? ????????? ??.
- TKIP (Temporal key integrity protocol) ???????????? ? ?????????? 802.1X ? WPA ??? ??????????????. ????????? ???????? WEP.
- WEP (Wired equivalent privacy) ???????? ???????????? 802.11 ??? ???????????? ?????.
18Remote Access Dialin User Service (RADIUS)
- RADIUS ?????? ???????????? ??? ???????? ??????? ????????? ?????????????, ??????? ??????????????, ??????????? ? ???? (AAA - authentication, authorization, accounting).
- RFC 2865, RFC 2869
- RADIUS ?????????? ??????????? ???????? ?????????????? ? ?????? ???????????, ? ????? ??????????? ?????????????????? ???????????? ??????? ??????????.
- ?????? RADIUS ???????????? ??? ??????????? ?????? ??????????????, ??????? ?????? ??? ????? ?????? ? ???? ?????? ?????????????
- ?????? ??????? ??????????? ?????? ???????????????? ???????????? (????., ???, ??????) ? ????????? ?????? ? ??????? RADIUS
- RADIUS ????????? ??????? ??????? ??? ??????????? ???????????? (??? ???????, ??? ? ??????) ? ?????? ????????????? ? ????????????? ???????
- ????? ??????????? ?????? ??????? RADIUS
- ????????? ????? ??????? ????? ??????? ?????? ???????????? ? ????????
19Authentication, Authorisation, Accounting (AAA)
- ?????? ??????????, ???????????? ??????????? ? ?????????????? ?????????????? ???????? ??????????????, ??????????? ? ?????
- RFC 2903 - Generic AAA Architecture
- RFC 2904 - AAA Authorization Framework
- RFC 2905 - AAA Authorization Application Examples
- RFC 2906 - AAA Authorization Requirements
- RFC 3334 - Policy based accounting
- ??????? ??????????? ????? ????????? ? ??????????? ??? ????????? ??????? ??????????
- ?????????? ???????? ? ??????????? ??????????? ? ???????? ??????? ?? ?????? ????????
20????????? ? ??????? ???????????? ?? ????????????
????????? ???????????? (1)
- RFC 2196 - Site Security Handbook (?? ?????? RFC1244)
- ??????????? ?? ??????????? ???????? ???????????? ? ?????????????? ??????? ??? ??????, ???????????? ? ????????
- RFC 2350 - Expectation for Security Incident Response Teams
- ?????????, ??? ???????????? ???????? ?????? ??????? ?? ????? ???????????? ?? ???????????? ????????? ????????????. ????????????? ???????? ??? ???????????? ????? ???????????? ?? ???????????? ????????? ???????????? (CSIRT - Computer Security Incident Response Team) ? ??????? ????????? ???????? ????????????, ???????? ???????????? ?? ????????? ????????????, ? ??????
- RFC2505 - Users' Security Handbook
- ??????????? ????????????? ?? ??????????? ???????????? ??????????, ??????, ? ????????????????
- RFC3013 - Recommended Internet Service Provider Security Services and Procedures
- ????????? ? ????? ?????????????, ??? ???????????? ???????? ????? ??????? (? ?????????) ?? ???????? ??????-???????????
- RFC3227 - Guidelines for Evidence Collection and Archiving
- ???????????? ?? ????? ? ???????? ???? ? ?????? ??????????, ????????? ? ????????????? ??????????? ????????????
21????????? ? ??????? ???????????? ?? ????????????
????????? ???????????? (2)
- ??????? ??? ???????? ? ?????? ??????????? ? ???????????? ?????????? ????????????
- IDMEF Intrusion Detection Message Exchange Format
- IODEF Incident Object Description and Exchange Format
- RFC3067 - Incident Object Description and Exchange Format (IODEF) Requirements
- ????? RID Real-time Internetwork Defense (?????????????? US AFC)
- ?????????? ???????? ????? ? ?????????? ??? ????????? ??????? ?????
- RFC 2828 - Internet Security Glossary
- ???????? ??????????? ?????? ???????? ?? ???????????? ??? ?? ??????? ???????????? ? ???????????? ?? ???????????? ????????? ????????????, ??? ? ?? ??????? ?????????? ???????????? ?????? ? ??????????
22ISO/IEC 17799-1 Code of Practice for
Information Security Management
- ISO17799 ????????? ????????, ??????????? ????????????? ???? ? ?????? ??????????? ???????????? ? ????? ???????? ???????
- 1. Business Continuity Planning
- 2. System Access Control
- 3. System Development and Maintenance
- 4. Physical and Environmental Security
- 5. Compliance
- 6. Personnel Security
- 7. Security Organisation
- 8. Computer Network Management
- 9. Asset Classification and Control
- 10. Security Policy
- ISO17799 ?????????? ?????? ??? ?????? ???????
?????? ? ??????? ?????? ???????????? ??????.
23?????? PKI
- PKI (Public Key Infrastructure) ?????????????? ???????? ?????? (???)
- RFC 2459, RFC 2560, RFC 3280, RFC 3647
- ?????? ??? ?????????? ????????? ????? (???, PKC - Public Key Certificate) ?? ????????? X.509 (ITU-T)
- ?????? ?????????? CP Certificate Policy, ? CRL Certificate Revocation List
- ????????? ????????????? (??? ???????????, distinguished name) ???????? ? ??? ???????? ??????
- PKC ????????????? ???????? ???????? ?????? ????????????? (CA - Certification Authority)
- ?????????? ???
- Identification Service (IS)
- Registration Authority (RA)
- Certification Authority (CA)
- Certificate Repository (CR), normally built on LDAP
24PKC vs AC ????
- X.509 PKC ????????? ????????????? ???????? ? ??? ???????? ????
- PKC ????????????? ???????? ???????? ?????? ????????????? (CA - Certification Authority)
- ?????????? ????????? (AC Attribute Certificate) ????????? ????????????? ???????? ? ??? ??????????
- AC ????????????? ???????? ???????? ?????? ????????????? ????????? (AA - Attribute Authority)
- AC ???????? ??????????? X.509 Role-based PMI
- AC ?? ???????? ????????? ?????
- AC ????? ????????? ????????, ??????? ????????????? ?????????????? ???????? ? ???????????? ??????, ??? ????, ??????? ??????? (security clearance), ??? ?????? ?????????? ??? ???????????
- PKC ???????????? ??? ??????????????, ? AC ??? ???????????
- AC ????? ??????????? ? ?????? ??????? ??????????????
- ???????? PKC - ??? ???????, ? AC ??? ????
25PKC vs AC Certificates structure
- X.509 PKC
- Version
- Serial number
- Signature
- Issuer
- Validity
- Subject
- Subject Public key info
- Issuer unique identifier
- Extensions
- X.509 AC
- Version
- Holder
- Issuer
- Signature
- Serial number
- Validity
- Attributes
- Issuer unique ID
- Extensions
26X.509 PKC Fields and Extensions RFC 3280
- X.509 PKC Fields
- Serial Number
- Subject
- Subject Public Key
- Issuer Unique ID
- Subject Unique ID
- X.509 PKC Extensions
- Standard Extensions
- Authority Key Identifier
- Subject Key Identifier
- Key Usage
- Extended Key Usage
- CRL Distribution List
- Private Key Usage Period
- Certificate Policies
- Policy Mappings
- Subject Alternative Name
- Issuer Alternative Name
- Subject Directory Attributes
- Basic Constraints
- Name Constraints
- X.509 PKC Fields
- Private Extensions
- Authority Information Access
- Subject Information Access
- Custom Extensions
27AC Attribute Types and AC Extensions
- AC Attribute Types
- Service Authentication Information
- Access Identity
- Charging Identity
- Group
- Role
- Clearance
- Profile of AC
- AC Extensions
- Audit Identity
- To protect privacy and provide anonymity
- May be traceable via AC issuer
- AC Targeting
- Authority Key Identifier
- Authority Information Access
- CRL Distribution Points
28???????????? ?????????? ?? ?????? XML ?
???????????? ?????? ??????? ????????????
- ???????????? ?????? ??????? ???????????? (ISO7498-2)
- Host-to-host ??? point-to-point ????????????
- ??????????????? ?? ??????????? ??????/??????
- ??????????????? ?? ???????????? ? ??????????? (connection-oriented) ??? ??? ?????????? (connectionless)
- ? ????? ?????? ?????? ????????????? ????? (?? ?????? PKI)
- ???????????? ?????????? ?? ?????? XML
- ???????????? ????? ????????? ??????? ??? ???????????? (end-to-end)
- ?????????????? ?? ???????? (??? ????????????? ??????)
- ??????? ? ??????? ???????????? ????? ???? ????????????? ? ?????????? ??? ?????????? ??? ?? ??????
- ???????????? ?????????? WS-Security ???????????? ???????????? ????? ??????? ????????????????? ???????? ? ???????? ????????????
- ????????? ????????? ???????????? ? ??????????? ?????????? ????????????
29?????????? ???????????? XML - ??????????
- XML Signature
- XML Encryption
- ?????????? ???????????? (Security Assertions)
- SAML (Security Assertion Mark-up Language)
- XACML (XML Access Control Mark-up Language)
- XKMS (XML Key Management Specification)
- ????????????? ??????????
- Web Services Security (WS-Security)
- OGSA Security
30???????? ????? XML-???????
- ??????????????? ????? ??????????? ???????????
????????? ????? ????????? ??? ?? ??? ? ?????
????????. - XML-???????? ????? ????? ??????? ???????, ???
???? ????????? ????? ????????? ????? ???????????
? ???????????? ?????????? ?????????? ? ?
????????? ????? - ????????? ???????/???????? ????? ????? ??????????
??????????? ?????? ????????? ????? ????????? - ????????? ????????? ??????????? ????? ??????
????????? ? ????? ??????????? ???????? ??????
????? ????????? - ????????? ???????????? ???????/???????
???????????? ? ????????? ? ??????? ??
????????????? ??????????? ??????????
??????/?????? - XML-??????? ???????????? ??????? ???????????? ???
??????????, ?????????? ?? XML - ? ????? ?????? ??? ????????? ?????????? ?
?????????, ????????? ????????????, ???????
(???????? ???????)
31?????????? ????? ? XML-??????????
[Figure: encryption and signing with XML documents. Labels: pubK B, privK B, privK C; FileA/Doc, FileA/DocA, Doc1, XMLDoc1; User B; users A (holding pubK B, C, D), B, C, D.]
?????? ???????????? B ????? ????????? FileA ??? ?????? privK B
???????????? B ????? ?????????? ???? Doc1 ? ??????????? ?????? ????? B
???????????? C ????? ????????? ???? Doc1 ? ??????????? ?????? ????? C
- ??? ?????-????????????????? ?????????? Document
????? ????????? ???? ??? ?????????? (????????????
??? ?????????????), ????????????? ??? ?????? ??
???? ??????? ???????????
32?????????? ????????? ? ?????????? ??? ??????
[Figure: XMLSig over XMLDoc1/JobDescr: selected parts are signed separately by B (SigB), C (SigC) and D (SigD); A signs the whole XML Doc1 as XMLSigA.]
????????????/??????? A ??????? XML Doc1 ? ??????????? ??? ? SigA
- ???????????? B, C, D ??????????? ???????????? ????? ????????? ?????? ?????????? ??????? privK B, C, D
- ????? ?????????? ????? ???? ????????? ? ???????? ???????? ? ?????
- ??????? ????? ????? ???????? ?????? ??????? ?????????? ????????? ??????????? XML Doc1 ??????????? ???????? ???????? ????????
- XML Signature ????????? ??????????? ????????? ????? ?????????
- ?????? ??? ???????????? ? ??????????? (Integrity and Authenticity)
- ?????????? ????????? ???????????? ? ???? ? ?????????? ??? ??? ???????
33??????????? ??????????? ???????? AuthN ? AuthZ
- ?????????? ? ??????????? ??????????? AuthN/Z
- ?????????? ???????? ?????????????? (AuthN) ? ??????????? (AuthZ)
- ?????????????? ? ????????/?????? ???????????
- ??????????? ?????????????? ????????
- ??????????????????, ??????????? ? ???????????
- ?????????? ???????? ?? ?????? ????? (RBAC Role Based Access Control) ? ????????????? ???????? ???????
- ????????
- ????????? ???????/??????? ?? ?????? ??????/????
- ??????????? ????? ??????? ???????????? ??? ????????? ???????????? ???????? ??????
- ????????? ????????? ???????????? ????????? ??????????
- ??????? ??????????
- LDAP ?????????? ? ?????????????? ??? ???????? ?????? ? ?????????????
- ??????????? ??????? ???????????
34???????????? AuthN/AuthZ ? ??????? ?
??????????????? ?????
- ?????? ? ????????????? ???/???????? ????????
- ??????????????? cookie (SSO)
- ?????????????????? ??????? ? ?????? ? ??????? ???????? ??? ?????????????? ??????? ??? ??????? ?????????????
- ????????, ???????????? ???????? ??? ??????? ??
- ?????????????? ??????????????? ??????? ? ????????????? ????????
- ????-?????? ? ????-??????????
- ????? ??????????????/????????
- ????????? ???????????????? ?????? ? ?????? ????????????
- ?????? ?????? (SSO Single Sign On) ? ????????? ???????
- ?????????? ?????????????/?????????????? ? ?????????? ????????
35????????????? LDAP ? ???????? AuthN/AuthZ
- ????????? ???????????? ?????? ? LDAP
- Person (RFC2256), organisationalPerson (RFC2256), InetOrgPerson (RFC2798)
- EduPerson ?????????? ??? ??????????????? ???????????
- ?????????????? ???????? EduPerson (????? 43)
- eduPersonAffiliation
- eduPersonNickname
- eduPersonOrgDN
- eduPersonOrgUnitDN
- eduPersonPrimaryAffiliation
- eduPersonPrincipalName
- eduPersonEntitlement
- eduPersonPrimaryOrgUnitDN
???????? ???????? Person objectClass
- sn/surName
- cn/commonName
- givenName
- uid, displayName
- userPassword
- x500uniqueIdentifier
- userCertificate
- userSMIMECertificate
- userPKCS12
- postalAddress
- o/organizationName
- ou/organizationalUnitName
- st/stateOrProvinceName
- l/localityName
- c/country
- title,employeeType
- mail
- photo
36?????????? ???????? ?? ?????? ?????
- RBAC Role Based Access Control - http://csrc.nist.gov/rbac/
- ???? ????????? ??????? ? ?????????? ?????/??????????
- ????? ?????????? ?????? ? ??????? ? ???????????? ??????
- ???????????? RBAC
- ????? ????????? ? ??????????????
- ?????????? ?????????? ????-???????????? ? ????-??????????
- ???????????????? ? ????????
- ???????????? ??????? ?????????? ??????????? ??????????
- ???????????? ? ????????????? ??????????/????
- ????? ???? ????? ???????? ?????????? ??? ???????????? ????? ? ?? ???????
- ???????? ????????? ?????????????
37?????????????? ?????????? ????????????
- PMI Privilege Management Infrastructure (ISO/IEC 10181-3)
- ???????? ?? ?????? ???????????? ????????? (AC Attribute Certificate)
- ?? ????????? ? ??? ?????????? ?????????? X.509 version 4
- ??? ???????????? ??? ??????????????, ?? ???????????? ??? ???????????
- PMI ??? ?????? ??? ?????????? RBAC
- ?? ????????? ??????? ????????????? ???????????? ? ?????? ? ???? ? ????????????
- ???????????? ????????????? ??????? RBAC, ???????????? ??????????? ??????????? ???? ? ?????????????? ??????????
- ???????????? ??????? ?????????????
- ???????? PMI
- ???????????? ??? ???????? ??????? ? ???????? ?? ?????? ?????
- ??????? ??????????? ????? ??? ????????????? ? ?????????? ??? ?????
- ?????????? ???????? ??? ????????, ???????? ?????, ?????????????, ??.
38???????? ????????? ? ?????? ?????????? ? PMI
- PEP (Policy Enforcement Point)/AEF (authorisation enforcement function)
- PDP (Policy Decision Point)/ADF (authorisation decision function)
- PIP (Policy Information Point)/AA (Attribute Authority)
- PA Policy Authority
39???????? ???????????????? ???????? ??? AuthN/AuthZ
- ??????????? ? ?????? ???????? Internet2, FP5 ? ???????????? ??????? ?????
- A-Select - http://a-select.surfnet.nl/
- Shibboleth - http://shibboleth.internet2.edu/
- PAPI - http://www.rediris.es/app/papi/index.en.html
- PERMIS (PrivilEge and Role Management Infrastructure Standards validation) - http://www.permis.org/
- SPOCP - http://www.spocp.org/
- ??? GRID-??????????
- VOMS Virtual Organisation Management System
- GAAA Toolkit http://www.aaaarch.org/
40A-Select - http://a-select.surfnet.nl/
- A-Select ???????????? ????? ?????????????? ??????? ???-??????? (weblogin) ? ?????????????? cookie
- ?????????????? ?????? ??????????????
- IP address
- User/password ????? RADIUS
- ?????????? ???????? (? ??????? Internet banking SMS/TAN, Challenge generator)
- SMS (mobile phone)
- LDAP
- PKI (? ???????????)
- A-Select ?????????? ?????????, ??????? ???????? ???????????????? ???????/??????????????. ??? ???? ?????????
- ?????????, ????????????? ????????? ("ticket granting ticket"), ?????????? ????? ???????? ????????????? ASP, and
- ????????? ??????????? ("application ticket"), ??????? ???????? ???????????, ???????????? A-Select.
- ?????? ?????? (Single-Sign-on) ?????????????? ?? ???? ?????????? ????? ??????????? ??????? ????? ??? ?????????, ????????????? ?????????
- ????????? A-Select ??????????? ??? ??-?????????? (non-persistent) cookie, ??????? ??????????? ? ???????? ???????????? ? ?????? ?????? ??? ???????? ??????? ??? ???????
- ?????????? SURFnet - http://www.surfnet.nl/
41?????????? A-Select
[Figure: A-Select architecture. Components: User, Application, Filter, A-Select Agent, Local A-Select Server, Remote A-Select Server, Remote Authentication Service Providers, UDB. Implementation platform: Java, Apache Tomcat 4.5/5.]