TRANSCRIPT
Geneva, 9(pm)-10 February 2009
International Telecommunication Union
Identification Services as provided by directories
(X.500 incl. X.509)
Erik Andersen, Consultant, Andersen’s L-Service
Q.11/17 [email protected], www.x500.eu
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
Geneva, 9(pm)-10 February 2009 International Telecommunication Union 2
Why listen to this presentation?
How identification services relate to security
How directories relate to identification services
Why X.500 (and LDAP) is an obvious answer to identification services
About the X.500 directory specification
First edition in 1988
Been under continuous expansion since, to meet new requirements
Developed in collaboration with ISO/IEC JTC1/SC6
Within ISO/IEC known as the ISO/IEC 9594 multipart standard
Many highly skilled people have participated during the years
About the X.500 directory specification (cont.)
Six editions so far – the seventh edition on its way
Consists of 10 parts (incl. X.509)
Defines a naming structure that allows unique naming of all entities
Support for distribution and replication
Lightweight Directory Access Protocol (LDAP) is a dear child of X.500 (uses the X.500 model)
Identity and security
IT Security comprises many things:
Physical attacks
Hacker attacks
Spam
Denial of service
Fraud by employees
- - -
Identity related security issues
Identity Related Security Issues
Related to:
Information about people and other entities
Access to systems and services
Accounts
Authorisation
Software code
Identity Management (IdM)
Identity Management (IdM) includes Identification Services
It is much in focus within ITU-T Study Group 17 and other committees
Considered an important aspect of Next Generation Network (NGN)
Not a new issue
X.500 is (part of) IdM
We have been in the Identity Management (IdM) Business
since 1984
We got a head start!
Butler Group report
X.500/LDAP basis for most current IdM implementations
- In the industry often called Identity and Access Management (IAM)
Butler Group list
Aladdin
BMC
Bull Evidian
CA
Entrust
IBM
Microsoft
Novell
Oracle
RSA
Sun
They all use LDAP as a major component in their IdM solutions
X.509 also plays a major role for authentication
Other vendors
Isode
Siemens
eB2Bcom
Critical Path
Etc.
The requirement for authentication
Before giving access to services and information, the identity of the accessing entity must be established
Different levels of authentication
The required level depends on:
Sensitivity of service or information
Whether interrogation or update
Scope of X.500 identity services
Storage of identity information
Protection of the information in the directory
Use of X.509 capabilities outside directories (e.g. required by SSL, used by SAML2, etc.)
Storing identity information in the Directory Information Tree
[Figure: Directory Information Tree. Root; countries c=DK and c=GB; organisations o=Fallit A/S, o=ALS and o=Broke Ltd; organisational units ou=Salg and ou=Udvikling; leaf entries cn=Ole Jensen and cn=Per Yde. Each entry represents an object.]
Name = { cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK }
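The name in the slide, { cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK }, is written leaf-first, and the LDAP string form of the same distinguished name (RFC 4514) keeps that order: "cn=Ole Jensen,ou=Salg,o=Fallit A/S,c=DK". The parser and escaper below are an added example written for this page, not code from the presentation or from any directory product; the injection string and the ou=Admin name are constructed for the demonstration. The security point is the escaping: a user-supplied value containing ',' or '=' must not be able to add or alter an RDN.

```python
# Added example (this editor's code, not from the presentation): parsing and
# escaping X.500/LDAP distinguished names.  Both RFC 4514 escape forms are
# handled on input ('\c' and '\XX'); on output every special character is
# escaped so that an untrusted value cannot inject an extra RDN.

_ESCAPE_OUT = set(',+"\\<>;=')          # escaped on output
_ESCAPE_IN = _ESCAPE_OUT | set(' #')    # additionally accepted as '\c' on input


def escape_value(value: str) -> str:
    """Escape an untrusted attribute value for use inside a DN string."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_OUT or (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:                       # control characters as \XX
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def _text(buf):
    """Join (char, escaped) pairs, dropping only unescaped edge spaces."""
    while buf and buf[0] == (' ', False):
        buf.pop(0)
    while buf and buf[-1] == (' ', False):
        buf.pop()
    return ''.join(c for c, _ in buf)


def parse_dn(dn: str) -> list:
    """Parse an LDAP DN string into a leaf-first list of RDNs.

    Each RDN is a list of (type, value) pairs: an unescaped ',' separates
    RDNs, '+' joins a multi-valued RDN, and '\\c' / '\\XX' escapes are honoured.
    """
    if dn == '':
        return []                                  # the root
    rdns, rdn, buf, attr_type, i = [], [], [], None, 0
    while True:
        ch = dn[i] if i < len(dn) else None
        if ch == '\\' and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _ESCAPE_IN:
                buf.append((nxt, True))
                i += 2
            else:                                  # \XX hex pair
                buf.append((chr(int(dn[i + 1:i + 3], 16)), True))
                i += 3
            continue
        if ch == '=' and attr_type is None:
            attr_type, buf = _text(buf).lower(), []
        elif ch in (',', '+', None):
            if attr_type is None:
                raise ValueError('RDN without "=": %r' % _text(buf))
            rdn.append((attr_type, _text(buf)))
            buf, attr_type = [], None
            if ch != '+':
                rdns.append(rdn)
                rdn = []
            if ch is None:
                return rdns
        else:
            buf.append((ch, False))
        i += 1


def to_ldap_string(rdns) -> str:
    """Serialise leaf-first RDNs back into an RFC 4514 string."""
    return ','.join('+'.join('%s=%s' % (t, escape_value(v)) for t, v in rdn)
                    for rdn in rdns)


def build_entry_dn(cn: str, parent: str) -> str:
    """Name a new entry below *parent* from an untrusted common name."""
    return 'cn=%s,%s' % (escape_value(cn), parent)


if __name__ == '__main__':
    print(parse_dn('cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK'))
    # Constructed injection attempt: unescaped, the value adds an ou=Admin RDN.
    evil = 'Mallory,ou=Admin'
    print(len(parse_dn('cn=%s,ou=Salg,o=Fallit A/S,c=DK' % evil)), 'RDNs unescaped')
    print(len(parse_dn(build_entry_dn(evil, 'ou=Salg,o=Fallit A/S,c=DK'))), 'RDNs escaped')
```

Without escaping the constructed value yields five RDNs and places the new entry under a different parent; with build_entry_dn it stays one cn value under the intended parent.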
Protecting Directory Identity Information
Levels of authentication
X.500 allows the following means of authentication:
None
Directory Name
Directory Name and Password
Simple Authentication and Security Layer (SASL) (also used by LDAP)
SPKM - Simple Public-Key Mechanism
Strong authentication (use of X.509)
Use of Password
Password is widely used for identity authentication
If transmitted over an encrypted connection (e.g. SSL) and stored in protected form (hashed or encrypted) in the directory, it gives reasonable protection in many situations
Work on password management and policy is in progress within X.500, to be also ported to LDAP
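What "stored in protected form" looks like in practice, as an added example written for this page (not code from the presentation or from any directory server): the {SSHA} userPassword convention used by OpenLDAP and other LDAP servers (salted SHA-1, base64 of digest followed by salt), plus an {SSHA512} variant of the same construction. The policy check at the end is a constructed illustration of the kind of rule (length, no reuse) that password-policy work covers, not the X.500 policy attributes themselves.

```python
# Added example (this editor's code, not from the presentation): hashing a
# directory password for storage and verifying a bind against it.
import base64
import hashlib
import hmac
import os

_SCHEMES = {'SSHA': ('sha1', 20), 'SSHA512': ('sha512', 64)}   # name -> (hash, digest length)


def hash_userpassword(password: str, scheme: str = 'SSHA512', salt: bytes = None) -> str:
    """Return a userPassword value of the form '{SCHEME}base64(digest + salt)'."""
    algo, _ = _SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, password.encode('utf-8') + salt).digest()
    return '{%s}%s' % (scheme, base64.b64encode(digest + salt).decode('ascii'))


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a bind password against the stored value.

    Clear-text values (no scheme prefix) and unknown schemes are rejected, so a
    misconfigured entry fails closed; the digest comparison is constant-time.
    """
    if not stored.startswith('{') or '}' not in stored:
        return False
    scheme, encoded = stored[1:].split('}', 1)
    if scheme not in _SCHEMES:
        return False
    algo, dlen = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return False
    if len(raw) <= dlen:
        return False                   # no salt present: malformed, refuse
    digest, salt = raw[:dlen], raw[dlen:]
    expected = hashlib.new(algo, candidate.encode('utf-8') + salt).digest()
    return hmac.compare_digest(digest, expected)


def password_policy_violation(candidate: str, history: list, min_length: int = 12) -> str:
    """Return why *candidate* is unacceptable as a new password, or '' if it is fine."""
    if len(candidate) < min_length:
        return 'too short'
    if any(verify_userpassword(old, candidate) for old in history):
        return 'reused'
    return ''


if __name__ == '__main__':
    stored = hash_userpassword('correct horse battery staple')
    print(stored)
    print(verify_userpassword(stored, 'correct horse battery staple'))
    print(verify_userpassword(stored, 'wrong'))
    # A clear-text value left in the directory never verifies:
    print(verify_userpassword('correct horse battery staple', 'correct horse battery staple'))
```

The salt is stored next to the digest, so two users with the same password get different values, and a captured directory dump cannot be attacked with one precomputed table for all entries.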
Strong authentication
Based on electronic signatures
Requires the presence of a Public Key Infrastructure (PKI)
ITU-T X.509 is here the key specification
Access Control for Directory information
Who may do what, or not do what, based on the level of authentication
Who:
Owner of information
Specific user
User group
All users
Subtree (specific name structure)
What:
All information about an entity
Fragments
LDAP itself defines no access control model (it is left to each implementation)
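The slide's "who may do what, based on the level of authentication" is the X.501 Basic Access Control model. Below is an added example written for this page (not the presentation's code and not any directory product's implementation) of a simplified version of its decision procedure: each ACI item names a user class (allUsers, a subtree, a user group, a specific name, or thisEntry for the owner), a protected item (the entry, all attributes, or one attribute type), the minimum authentication level, and the operations it grants or denies. Of the items that apply, the highest precedence wins, then the most specific user class, then the most specific protected item; a denial among the winners beats a grant, and nothing applicable means deny. The ACI list, the DNs and the HR group are constructed for the demonstration.

```python
# Added example (this editor's code, not from the presentation): a simplified
# X.501 Basic Access Control decision function and a constructed ACI list.
from dataclasses import dataclass

# anonymous or name only / name and password or SASL / X.509 strong authentication
AUTH_LEVELS = {'none': 0, 'simple': 1, 'strong': 2}


@dataclass
class Requester:
    dn: str                    # '' when anonymous
    auth_level: str
    groups: frozenset = frozenset()


@dataclass
class AciItem:
    precedence: int
    auth_level: str            # minimum level for the item to apply
    user_class: tuple          # ('allUsers',) ('subtree', dn) ('userGroup', dn) ('name', dn) ('thisEntry',)
    protected: tuple           # ('entry',) ('allAttributes',) ('attribute', type)
    grants: set
    denials: set


def _in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith(',' + base)


def _user_rank(item, req, entry_dn):
    """Specificity of the matching user class, or None if it does not match."""
    kind = item.user_class[0]
    if kind == 'allUsers':
        return 0
    if kind == 'subtree' and req.dn and _in_subtree(req.dn, item.user_class[1]):
        return 1
    if kind == 'userGroup' and item.user_class[1] in req.groups:
        return 2
    if kind == 'name' and req.dn and req.dn.lower() == item.user_class[1].lower():
        return 3
    if kind == 'thisEntry' and req.dn and req.dn.lower() == entry_dn.lower():
        return 3
    return None


def _item_rank(item, attr):
    """Specificity of the matching protected item, or None if it does not match."""
    kind = item.protected[0]
    if kind == 'entry' and attr is None:
        return 0
    if kind == 'allAttributes' and attr is not None:
        return 1
    if kind == 'attribute' and attr is not None and attr.lower() == item.protected[1].lower():
        return 2
    return None


def decide(aci, req, entry_dn, operation, attr=None) -> bool:
    """True if *req* may perform *operation* on *entry_dn* (or on its *attr*)."""
    candidates = []
    for it in aci:
        if AUTH_LEVELS[req.auth_level] < AUTH_LEVELS[it.auth_level]:
            continue                                # authentication too weak for this item
        if operation not in it.grants and operation not in it.denials:
            continue
        u, p = _user_rank(it, req, entry_dn), _item_rank(it, attr)
        if u is not None and p is not None:
            candidates.append(((it.precedence, u, p), it))
    if not candidates:
        return False                                # default deny
    top = max(key for key, _ in candidates)
    winners = [it for key, it in candidates if key == top]
    if any(operation in it.denials for it in winners):
        return False
    return any(operation in it.grants for it in winners)


FALLIT = 'o=Fallit A/S,c=DK'
HR_GROUP = 'cn=HR,' + FALLIT          # constructed group entry
ACI = [
    AciItem(10, 'none', ('allUsers',), ('entry',), {'read'}, set()),                 # anyone sees entries exist
    AciItem(10, 'simple', ('subtree', FALLIT), ('allAttributes',), {'read'}, set()), # employees with a password read attributes
    AciItem(20, 'none', ('allUsers',), ('attribute', 'userPassword'), set(), {'read'}),
    AciItem(20, 'none', ('allUsers',), ('attribute', 'salary'), set(), {'read'}),
    AciItem(30, 'simple', ('thisEntry',), ('allAttributes',), {'modify'}, set()),    # owner edits own entry
    AciItem(30, 'simple', ('thisEntry',), ('attribute', 'salary'), {'read'}, {'modify'}),  # but only reads salary
    AciItem(40, 'strong', ('userGroup', HR_GROUP), ('allAttributes',), {'read', 'modify'}, set()),
]

if __name__ == '__main__':
    ole = Requester('cn=Ole Jensen,ou=Salg,o=Fallit A/S,c=DK', 'simple')
    print(decide(ACI, ole, ole.dn, 'read', 'salary'), decide(ACI, ole, ole.dn, 'modify', 'salary'))
```

Two things the constructed list shows: the same person bound by name only (auth level none) is refused the salary read that a password bind allows, and the salary-specific denial at precedence 30 overrides the owner's general modify grant at the same precedence because a single attribute type is more specific than allAttributes.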
Levels of protection
Anything goes
Protection of individual entries based on right-to-know (traditional access control)
Protection of individual entries based on right-to-know and need-to-know (service view)
Protection against information trawling
Protection against devious searches
Basic X.509 Concepts
Public-key concept
Public-Key Infrastructure (PKI)
Privilege Management Infrastructure (PMI)
Certificates:
Public-key certificates (part of PKI)
Attribute certificates (part of PMI)
Digital Signatures
Public Key concept
[Figure: two exchanges between A and B. Encryption using private key A, decryption using public key A. Encryption using public key B, decryption using private key B.]
Digital signature
Verifies sender
Ensures integrity of message
Signing of:
Messages
Software code
Documents
Etc.
[Figure: DATA → Signature. Algorithms: hashing plus encryption with private key.]
Certifying the identity using public-key certificates
Certification Authority
Checking the credentials
A passport is a type of certificate binding a picture to an ID
Has to be issued by a trustworthy authority
A passport may be false
It is checked by the "service provider", also called the relying party
A certificate is issued by a Certification Authority (CA)
Establishing the infrastructure
To validate a certificate a Public-Key Infrastructure (PKI) is required:
To establish a trust anchor
To establish a repository for revoked certificates
X.509 provides a framework for PKI
Supplementary specifications required
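The digital signature slide ("hashing plus encryption with private key") and the three PKI slides (CA issues certificate, relying party checks it, trust anchor and revocation repository) are carried through in one added example below, written for this page and not code from the presentation or from any PKI product. Textbook RSA with small keys and no padding is used only so that the example runs on the Python standard library; a real deployment uses X.509 certificates and a padded signature scheme from a vetted cryptographic library. The certificate dicts, the CA and subject names, and the serial numbers are this example's own stand-ins for X.509 fields.

```python
# Added example (this editor's code, not from the presentation): sign = hash then
# "encrypt" with the private key, verify with the public key, then validate a
# constructed certification path against a trust anchor and a revocation list.
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits=512):
    """Textbook RSA key pair, demo sizes only: returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), 'big') % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)            # hash, then "encrypt" with the private key


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)     # "decrypt" with the public key, compare hashes


def _tbs(cert: dict) -> bytes:
    """Canonical bytes of the to-be-signed fields (a stand-in for DER)."""
    return json.dumps({k: v for k, v in cert.items() if k != 'signature'}, sort_keys=True).encode()


def issue(issuer, issuer_priv, subject, subject_pub, serial, is_ca):
    cert = {'issuer': issuer, 'subject': subject, 'serial': serial,
            'public_key': list(subject_pub), 'ca': is_ca}
    cert['signature'] = sign(issuer_priv, _tbs(cert))
    return cert


def validate_path(leaf, intermediates, trust_anchors, revoked):
    """Check leaf -> intermediates -> trust anchor; returns (ok, reason).

    trust_anchors maps a name to its public key; revoked is a set of
    (issuer, serial) pairs, i.e. the content of a revocation list.
    """
    by_subject = {c['subject']: c for c in intermediates}
    cert, depth = leaf, 0
    while True:
        if (cert['issuer'], cert['serial']) in revoked:
            return False, 'revoked: ' + cert['subject']
        if depth and not cert['ca']:
            return False, 'non-CA certificate used as issuer: ' + cert['subject']
        if cert['issuer'] in trust_anchors:
            ok = verify(trust_anchors[cert['issuer']], _tbs(cert), cert['signature'])
            return ok, 'ok' if ok else 'bad signature by ' + cert['issuer']
        parent = by_subject.get(cert['issuer'])
        if parent is None or depth >= len(intermediates):
            return False, 'no path to a trust anchor from ' + cert['issuer']
        if not verify(tuple(parent['public_key']), _tbs(cert), cert['signature']):
            return False, 'bad signature by ' + cert['issuer']
        cert, depth = parent, depth + 1


def demo():
    """Constructed chain Root CA -> Fallit CA -> Ole Jensen; returns each check's outcome."""
    root_pub, root_priv = keygen()
    ca_pub, ca_priv = keygen()
    ole_pub, ole_priv = keygen()
    root, ca_name = 'cn=Root CA,c=DK', 'cn=Fallit CA,o=Fallit A/S,c=DK'
    anchors = {root: root_pub}
    ca = issue(root, root_priv, ca_name, ca_pub, 1, True)
    ole = issue(ca_name, ca_priv, 'cn=Ole Jensen,ou=Salg,o=Fallit A/S,c=DK', ole_pub, 4711, False)
    rogue = issue(ole['subject'], ole_priv, 'cn=Mallory,c=DK', keygen()[0], 9, False)
    return {
        'valid': validate_path(ole, [ca], anchors, set())[0],
        'revoked': validate_path(ole, [ca], anchors, {(ca_name, 4711)})[0],
        'tampered': validate_path(dict(ole, subject='cn=Mallory,c=DK'), [ca], anchors, set())[0],
        'untrusted_root': validate_path(ole, [ca], {}, set())[0],
        'leaf_as_issuer': validate_path(rogue, [ca, ole], anchors, set())[0],
    }


if __name__ == '__main__':
    print(demo())
```

The five outcomes in demo() are the relying-party checks the slides list: a good path validates; a serial on the revocation list, an altered subject (the passport "may be false"), a missing trust anchor, and an end-entity certificate used to sign another certificate all fail.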
PKI forums and peer groups
Electronic Signatures and Infrastructures (ESI) by ETSI
Certification Authority/Browser Forum
Public-Key Infrastructure (X.509) (PKIX) within IETF
Privilege Management
Attribute certificates are used for assigning privileges to the holder of the certificate
The holder is identified, e.g., by a pointer to a public-key certificate
An attribute certificate is issued by an Attribute Authority (AA)
A special Privilege Management Infrastructure (PMI) may be established
Recent work allows privileges established in one domain to be applied in other domains
The challenges
Extending X.500 support to meet new identity management requirements
Make the community aware of the X.500 capabilities
Get new blood into the process
At times up against the NIH syndrome
NIH – Not Invented Here