Environmental Council of States

Network Authentication and Authorization Services
The Shared Security Component

February 28, 2005
What is NAAS?

• Network Authentication and Authorization Services (NAAS) are
  shared and centrally managed security services
• NAAS are designed to meet all node security requirements
• NAAS cover authentication, authorization, and identity
  management
• NAAS are easy to use and available to all network nodes
• NAAS are Web services described by Web Services Description Language
  (WSDL) files

Why NAAS?

• Simplified implementation
• Enhanced security
• Cost effective
• Highly extensible
• Support for single sign-on (SSO)
• Security monitoring

NAAS Major Services

• NAAS Web Service Interface: Simple Object Access Protocol (SOAP)
  service that exposes user authentication and authorization functions to all
  state nodes. It is the entry point for all service requests
• Network Authentication Service: a subsystem for verifying subject
  (user or machine) identity
• Network Authorization Service: the component for entitlement
  management. Authorization is typically role- or policy-based. It must be
  flexible so that a variety of factors can be part of the decision to grant or deny
  access to specific resources
• User Identity Management: the component responsible for registering
  users, removing users, and modifying user profiles
• Policy Management: the component that allows administrators to create or
  modify rules or policies for resource access
• Vulnerability Management: the component that tracks instances of security
  breaches and generates reports containing specific information about the
  vulnerability and the actions taken. A good vulnerability management system
  helps prevent security problems from recurring
• Network Certificate Authority: the component that issues and manages
  certificates used for Secure Sockets Layer (SSL), encryption, and signatures
• Public Key Management: the component that allows users to locate and
  validate public keys

Network Security Infrastructure

Architecture diagram (labels recovered from the slide): a Request enters
through the NAAS Web Service Interface, which dispatches to the Network
Authentication Service, the Network Authorization Service and the Network
Identity Management Service, and returns the Response. Behind these sits
Integrated Security Management: User Management backed by the User Identity
Store, Policy Management backed by the Security Policy Store, Vulnerability
Management backed by Intrusion Detection Rules, and Certificate/Public Key
Management backed by the Public Key Store.

Delegated Authentication

Message flow (reconstructed from the slide diagram):
1. Authenticate: the user sends credentials to a network node
2. Central Auth: the node forwards the authentication request to the
   Central Authentication Services (NAAS)
3. Security Token: NAAS returns a security token to the node
4. Security Token: the node returns the security token to the user
5. Service Request (Security Token): the user presents the token with a
   service request to a network node
6. Service Response: the node returns the response to the user

• Nodes delegate the authentication task to NAAS
• The Security Token is validated through NAAS

Direct Authentication

Message flow (reconstructed from the slide diagram):
1. Authenticate: the user sends the Authenticate request to NAAS
2. Security Token: NAAS returns a security token to the user
3. Service Request (Security Token): the user presents the token with a
   service request to a network node
4. Validate: the node sends the token to NAAS for validation
5. Response: NAAS returns the validation result to the node
6. Service Response: the node returns the response to the user

• Users authenticate at NAAS and obtain a Security Token
• Users use the Security Token to access a node
• The node validates the Security Token at NAAS

Direct and Delegated Authentication Comparison

Delegated Authentication
• Convenient to users: operation and authentication happen at a single
  place
• Nodes have control over how users can be authenticated
• There is a small performance overhead in delegation

Direct Authentication
• No performance penalty
• Best for accessing multiple nodes
• Recommended for machine-to-machine interactions
• Node local authentication may not be possible

A network node must accept security tokens issued by NAAS in order to
participate in the network-wide exchanges.

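The two token flows above, modelled end to end as an added Python example (this is not code from the presentation or from the Exchange Network's NAAS implementation). The NAAS and Node classes, the opaque token format, the token lifetime and the sample credential store are all hypothetical stand-ins; the slides say only that NAAS issues security tokens, that nodes validate them through NAAS, and that direct authentication suits access to multiple nodes.

```python
import secrets
import time


class NAAS:
    """Hypothetical stand-in for the Central Authentication Services.

    Issues opaque, expiring security tokens and validates them. The token
    format (random URL-safe string) is an assumption: the page only says
    that NAAS issues tokens and that nodes validate them through NAAS.
    """

    def __init__(self, credentials, ttl_seconds=3600, now=time.time):
        self._credentials = credentials   # user -> password (constructed sample store)
        self._tokens = {}                 # token -> (user, expiry)
        self._ttl = ttl_seconds
        self._now = now

    def authenticate(self, user, password):
        """'Authenticate' step: return a security token, or None on failure."""
        expected = self._credentials.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, self._now() + self._ttl)
        return token

    def validate(self, token):
        """'Validate' step: return the subject the token was issued to, or None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self._now() >= expiry:
            del self._tokens[token]       # expired: drop it so it cannot be retried
            return None
        return user


class Node:
    """A network node that accepts NAAS-issued tokens but never checks them locally."""

    def __init__(self, name, naas):
        self.name = name
        self._naas = naas

    def login(self, user, password):
        """Delegated authentication: the node receives the user's credentials
        and forwards the authentication request to NAAS (steps 1-4)."""
        return self._naas.authenticate(user, password)

    def service_request(self, token):
        """'Service Request' / 'Validate' / 'Service Response': the node has
        NAAS validate the presented token before serving the request."""
        subject = self._naas.validate(token)
        if subject is None:
            return (401, "invalid or expired security token")
        return (200, f"{self.name}: request served for {subject}")


def demo():
    clock = [1_000_000]                   # controllable clock, in seconds
    naas = NAAS({"alice": "pw-alice"}, ttl_seconds=600, now=lambda: clock[0])
    node_a, node_b = Node("node-A", naas), Node("node-B", naas)

    # Direct authentication: the user talks to NAAS first, then presents the
    # same token to any node; the nodes never see the password.
    direct_token = naas.authenticate("alice", "pw-alice")
    direct_a = node_a.service_request(direct_token)
    direct_b = node_b.service_request(direct_token)

    # Delegated authentication: the user gives credentials to node A, which
    # obtains the token on the user's behalf.
    delegated_token = node_a.login("alice", "pw-alice")
    delegated_a = node_a.service_request(delegated_token)
    bad_password = node_a.login("alice", "wrong")

    # Tokens are opaque: a guessed value is rejected, and an issued one stops
    # working once its lifetime has passed.
    forged = node_b.service_request("not-a-real-token")
    clock[0] += 601
    expired = node_a.service_request(direct_token)

    return {
        "direct_a": direct_a[0], "direct_b": direct_b[0],
        "delegated_a": delegated_a[0], "bad_password": bad_password,
        "forged": forged[0], "expired": expired[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the comparison slide makes: in the direct flow the user's credentials go only to NAAS and one token serves several nodes, while in the delegated flow the node handles the credentials itself and pays the extra round trip to NAAS. Either way, a node trusts nothing about a token until NAAS has validated it.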
Local Authentication versus Network Authentication

• Local authentication can be performed on a node's own domain
  users
• Locally authenticated users cannot access other nodes or
  the Central Data Exchange (CDX)
• Nodes must perform access control over locally authenticated
  users themselves
• A node can perform additional access control after NAAS
  authorization decisions for network users

Advanced Authentication Methods

• Digest: use the hash value of the password to authenticate
  users
• HMAC Signature: sign the authentication message using the
  password as the key to prove identity
• XKMS: sign the authentication message using a key registered in
  the key management service
• Certificate: sign the authentication message using a certificate
  issued by a trusted party

Digest Authentication

• A password digest is a fingerprint of a password
• The digest algorithm is one-way: it is difficult to calculate a
  password given its digest
• Users send the password digest to the server; the server
  calculates the password digest and compares it with the one
  received
• SHA-1 should be used to calculate the password digest
• Digest authentication gives better protection of user passwords
  but has many of the same problems as password
  authentication: the digest is itself a fixed secret, so anyone who
  captures it can replay it

Hashed Message Authentication Code (HMAC) Signature

• Users sign the authentication message using the password as the
  HMAC key before sending it to NAAS
• NAAS uses the user's password as the key to verify the
  signature. The user is authenticated if the signature is valid
• Much safer than digest, and the message integrity is protected:
  neither the password nor its digest is transmitted
• Still needs passwords, known to both client and server

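To make the contrast between the Digest and HMAC slides concrete, here is an added Python example (not code from the presentation or from the NAAS SDK). The SHA-1 password digest follows the slide; the HMAC hash (SHA-256), the message layout with a timestamp and nonce, the freshness window and the sample password store are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed sample credential store: with both digest and HMAC the
# password is known to both the client and NAAS.
PASSWORDS = {"alice": "correct horse battery staple"}


# ---- Digest authentication -------------------------------------------------

def password_digest(password):
    """Fingerprint of the password. The slide calls for SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def digest_authenticate(user, received_digest):
    """NAAS side: recompute the user's digest and compare it in constant
    time with the one received."""
    password = PASSWORDS.get(user)
    if password is None:
        return False
    return hmac.compare_digest(password_digest(password), received_digest)


# ---- HMAC signature authentication -----------------------------------------

HMAC_HASH = "sha256"     # assumption: the slide does not name the HMAC hash
MAX_SKEW_SECONDS = 300   # assumption: freshness window for the timestamp


def sign_authenticate_message(user, password, timestamp, nonce):
    """Client side: sign the Authenticate message with the password as key.
    The message layout is an assumption; what matters is that the user,
    the time and a one-time nonce are all covered by the MAC."""
    message = f"{user}|{timestamp}|{nonce}".encode("utf-8")
    return hmac.new(password.encode("utf-8"), message, HMAC_HASH).hexdigest()


class HmacVerifier:
    """NAAS side: verify the signature and refuse replays of an old message."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen_nonces = set()

    def verify(self, user, timestamp, nonce, signature):
        password = PASSWORDS.get(user)
        if password is None:
            return False
        if abs(int(self._now()) - timestamp) > MAX_SKEW_SECONDS:
            return False                   # stale message
        if nonce in self._seen_nonces:
            return False                   # exact replay
        expected = sign_authenticate_message(user, password, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False                   # wrong key or tampered message
        self._seen_nonces.add(nonce)
        return True


def demo():
    """Run both schemes against a captured message."""
    # Digest: the digest is a password equivalent, so a captured digest
    # authenticates whoever captured it (the 'same problems as password
    # authentication' the slide refers to).
    captured_digest = password_digest(PASSWORDS["alice"])
    digest_ok = digest_authenticate("alice", captured_digest)
    digest_replay = digest_authenticate("alice", captured_digest)

    # HMAC: the signature is bound to a timestamp and nonce, so a captured
    # message can neither be replayed nor altered, and the password itself
    # never leaves the client.
    now = 1_700_000_000
    verifier = HmacVerifier(now=lambda: now)
    sig = sign_authenticate_message("alice", PASSWORDS["alice"], now, "nonce-1")
    hmac_ok = verifier.verify("alice", now, "nonce-1", sig)
    hmac_replay = verifier.verify("alice", now, "nonce-1", sig)
    hmac_tampered = verifier.verify("alice", now, "nonce-2", sig)
    old_sig = sign_authenticate_message("alice", PASSWORDS["alice"], now - 3600, "nonce-3")
    hmac_stale = verifier.verify("alice", now - 3600, "nonce-3", old_sig)
    return {
        "digest_ok": digest_ok, "digest_replay": digest_replay,
        "hmac_ok": hmac_ok, "hmac_replay": hmac_replay,
        "hmac_tampered": hmac_tampered, "hmac_stale": hmac_stale,
    }


if __name__ == "__main__":
    print(demo())
```

Note what HMAC does not fix, which is the slide's last bullet: the verifier still needs the cleartext password as the key, and an attacker who captures a signed message can run an offline dictionary attack against it. That is the gap the XKMS and certificate methods close by replacing the shared password with a private key.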
XKMS Authentication

• XKMS is the XML Key Management Specification (the 2.0
  specification is forthcoming)
• Users generate a public / private key pair and register the public
  key with XKMS
• Users sign the Authenticate message using the private key
  before sending it to NAAS
• NAAS looks up the user's public key in XKMS and verifies the
  signature using the public key
• The user is authenticated if the signature is valid (proof of
  possession of the private key, which only the registered user
  should hold)

Certificate Authentication

• Users obtain a certificate from a trusted authority
• Users sign the Authenticate message using the private key and
  include the certificate in the signature
• NAAS validates the certificate through a certificate validation
  service, possibly the Federal Bridge Certification Authority
  (FBCA)
• NAAS verifies the signature in the message
• The user is authenticated if both the certificate and the
  signature are valid

Using Advanced Authentication

• All advanced authentication methods use the same Authenticate
  method defined in the node functional specification, so they have
  no impact on existing nodes and clients
• The authenticationMethod parameter can now be digest,
  XKMS, HMAC, or certificate
• New node clients and a Software Development Kit (SDK) will be
  provided to support and simplify deployment of strong
  authentication methods
• A technical document, Network Authentication Mechanisms, will
  be released to promote the new methods
• We are moving to much stronger authentication using keys, and
  moving away from password authentication

Questions?