Presentation Transcript


  1. Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005

  2. What is NAAS? • Network Authentication and Authorization Services (NAAS) are shared and centrally managed security services • NAAS are designed to meet all node security requirements • NAAS cover authentication, authorization, and identity management • NAAS are easy to use and available to all network nodes • NAAS are Web services with Web service description language (WSDL) files

  3. Why NAAS? • Simplify implementation • Enhanced security • Cost effective • Highly extensible • Supports single sign-on (SSO) • Security monitoring

  4. NAAS Major Services • NAAS Web Service Interface: Simple Object Access Protocol (SOAP) service that exposes user authentication and authorization functions to all state nodes. It is the entry point for all service requests • Network Authentication Service: This is a subsystem for verifying subject (user or machine) identity • Network Authorization Service: This component is for entitlement management. Authorization is typically role- or policy-based. It must be flexible so that a variety of factors can be part of the decision to grant or deny access to specific resources • User Identity Management: This component is responsible for registering users, removing users, and modifying user profiles • Policy Management: This component allows administrators to create or modify rules or policies for resource access • Vulnerability Management: This component tracks instances of security breaches and generates reports that contain specific information about the vulnerability and the actions taken. A good vulnerability management system helps to prevent security problems from recurring • Network Certificate Authority: This component issues and manages certificates used for Secure Sockets Layer (SSL), encryption, and signatures • Public Key Management: This component allows users to locate and validate public keys

  5. Network Security Infrastructure

  6. Delegated Authentication • Nodes delegate the authentication task to NAAS • The Security Token is validated through NAAS

  7. Direct Authentication • Users authenticate at NAAS and obtain Security Token • Users use the Security Token to access a node • Node validates the Security Token at NAAS

  8. Direct and Delegated Authentication Comparison • Delegated Authentication: Convenient to users – operation and authentication at a single place; nodes have control over how users can be authenticated; there is a small performance overhead in delegation • Direct Authentication: No performance penalty; best for accessing multiple nodes; recommended for machine-to-machine interactions; node-local authentication may not be possible • A network node must accept security tokens issued by NAAS in order to participate in the network-wide exchanges.

  9. Local Authentication versus Network Authentication • Local authentication can be performed on the node's own domain users • Locally authenticated users cannot access other nodes or the Central Data Exchange (CDX) • Nodes must perform access control over locally authenticated users • Nodes can perform additional access control after NAAS authorization decisions for network users
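The token flows on slides 6 to 9 are easier to see in running code. The following is an added example written for this transcript; it is not code from the presentation or from any NAAS implementation, and every user, password, node name and the opaque-token format are constructed for illustration. It models NAAS as the single issuer and validator of security tokens, a node that supports direct, delegated and local authentication, and the node-local access control that a node may apply after NAAS has authenticated a network user.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class SecurityToken:
    """Opaque token issued by NAAS; only NAAS can say whether it is valid."""
    value: str
    subject: str
    expires_at: float


class NAAS:
    """Constructed model of the central authentication service."""

    def __init__(self, users: Dict[str, str], token_ttl: float = 600.0):
        self._users = users                      # user id -> password (demo only)
        self._tokens: Dict[str, SecurityToken] = {}
        self._ttl = token_ttl

    def authenticate(self, user_id: str, password: str,
                     now: Optional[float] = None) -> Optional[SecurityToken]:
        """Check the credential and, if it is good, issue a fresh random token."""
        stored = self._users.get(user_id)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        now = time.time() if now is None else now
        token = SecurityToken(secrets.token_hex(32), user_id, now + self._ttl)
        self._tokens[token.value] = token
        return token

    def validate(self, token_value: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the subject behind a token, or None if unknown or expired."""
        token = self._tokens.get(token_value)
        if token is None:
            return None
        now = time.time() if now is None else now
        if now >= token.expires_at:
            del self._tokens[token_value]
            return None
        return token.subject


class Node:
    """A network node that accepts NAAS tokens and also has its own local users."""

    def __init__(self, name: str, naas: NAAS, local_users: Dict[str, str],
                 network_acl: Set[str]):
        self.name = name
        self._naas = naas
        self._local_users = local_users
        self._local_sessions: Dict[str, str] = {}
        self._network_acl = network_acl          # network users this node admits

    def delegated_login(self, user_id: str, password: str) -> Optional[SecurityToken]:
        """Delegated authentication: the node forwards the credentials to NAAS."""
        return self._naas.authenticate(user_id, password)

    def local_login(self, user_id: str, password: str) -> Optional[str]:
        """Local authentication: a session known only to this node."""
        stored = self._local_users.get(user_id)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        session = "local:" + secrets.token_hex(16)
        self._local_sessions[session] = user_id
        return session

    def access(self, token_value: str) -> Optional[str]:
        """Network tokens are validated at NAAS and then filtered by the node's
        own access control; local sessions are honoured only by their issuer."""
        subject = self._naas.validate(token_value)
        if subject is not None:
            return subject if subject in self._network_acl else None
        return self._local_sessions.get(token_value)


def demo_flows() -> Dict[str, bool]:
    """Exercise direct, delegated and local authentication across two nodes."""
    naas = NAAS({"alice": "alice-pw", "bob": "bob-pw"})
    node_a = Node("NodeA", naas, {"carol": "carol-pw"}, {"alice", "bob"})
    cdx = Node("CDX", naas, {}, {"alice"})      # bob is a network user CDX does not admit

    tok_alice = naas.authenticate("alice", "alice-pw")        # direct
    tok_bob = node_a.delegated_login("bob", "bob-pw")         # delegated via NodeA
    sess_carol = node_a.local_login("carol", "carol-pw")      # local to NodeA
    tok_old = naas.authenticate("alice", "alice-pw", now=0.0) # issued at epoch, TTL 600 s

    return {
        "direct_token_accepted_at_node_a": node_a.access(tok_alice.value) == "alice",
        "direct_token_accepted_at_cdx": cdx.access(tok_alice.value) == "alice",
        "delegated_token_accepted_at_node_a": node_a.access(tok_bob.value) == "bob",
        "cdx_local_acl_denies_bob": cdx.access(tok_bob.value) is None,
        "local_session_works_at_node_a": node_a.access(sess_carol) == "carol",
        "local_session_rejected_at_cdx": cdx.access(sess_carol) is None,
        "bad_password_rejected": naas.authenticate("alice", "wrong") is None,
        "expired_token_rejected": naas.validate(tok_old.value, now=601.0) is None,
    }
```

The two points the slides make fall straight out of the model: a locally authenticated user's session means nothing to another node or to CDX because only the issuing node knows it, and a network user's NAAS token gets through CDX's own access-control list only if CDX chooses to admit that subject.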

  10. Advanced Authentication Methods • Digest: Use the hash value of the password to authenticate users • HMAC Signature: Sign the authentication message using the password to prove identity • XKMS: Sign the authentication message using a key stored in the key management service • Certificate: Sign the authentication message using a certificate issued by a trusted party

  11. Digest Authentication • A password digest is a fingerprint of a password • The digest algorithm is one-way. It is difficult to calculate a password given its digest • Users send the password digest to the server; the server calculates the password digest and compares it with the one received • SHA-1 should be used to calculate the password digest • Digest authentication has better protection of user passwords but has many of the same problems as password authentication

  12. Hashed Message Authentication Code (HMAC) Signature • Users sign the authentication message using the password before sending it to NAAS • NAAS uses the user’s password as the key to verify the signature. The user is authenticated if the signature is valid • Much safer than digest, and the message integrity is protected • Still needs passwords – known to both client and server
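Slides 11 and 12 are best read side by side: the digest protects the password, the HMAC additionally binds the credential to the message it travels with. The following is an added example that is not from the presentation or any NAAS code; the password and the two Authenticate messages are constructed sample data. It uses SHA-1 because that is what the slide specifies; the construction is unchanged with hashlib.sha256, which a new deployment should prefer.

```python
import hashlib
import hmac

# Constructed sample credential; not NAAS data.
PASSWORD = "correct horse battery staple"


def password_digest(password: str) -> str:
    """Digest authentication: the client sends a one-way fingerprint of the
    password. SHA-1 as on the slide; sha256 is a drop-in replacement."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hmac_sign(message: bytes, password: str) -> str:
    """HMAC authentication: the password is the HMAC key, so the tag depends on
    both the secret and the exact bytes of the Authenticate message."""
    return hmac.new(password.encode("utf-8"), message, hashlib.sha1).hexdigest()


def server_accepts_digest(message: bytes, credential: str, stored_password: str) -> bool:
    """Server side of digest authentication. The message is deliberately not
    part of the check: the digest covers the password only, which is exactly
    the weakness the slide alludes to."""
    expected = password_digest(stored_password)
    return hmac.compare_digest(expected, credential)


def server_accepts_hmac(message: bytes, credential: str, stored_password: str) -> bool:
    """Server side of HMAC authentication: recompute the tag over the message
    as received and compare in constant time."""
    expected = hmac_sign(message, stored_password)
    return hmac.compare_digest(expected, credential)


def compare_methods() -> dict:
    """Run one honest Authenticate exchange per method, then re-attach the
    captured credential to an altered message and see which server notices."""
    message = b"Authenticate userId=node-client-01 nonce=8f3a timestamp=2005-02-28T10:00:00Z"
    altered = b"Authenticate userId=cdx-admin nonce=8f3a timestamp=2005-02-28T10:00:00Z"

    digest = password_digest(PASSWORD)        # function of the password alone
    tag = hmac_sign(message, PASSWORD)        # function of password AND message

    return {
        "digest_accepts_honest": server_accepts_digest(message, digest, PASSWORD),
        "hmac_accepts_honest": server_accepts_hmac(message, tag, PASSWORD),
        "digest_rejects_wrong_password": not server_accepts_digest(message, digest, "wrong"),
        "hmac_rejects_wrong_password": not server_accepts_hmac(message, tag, "wrong"),
        # Captured digest is identical every time and still verifies on a different
        # message: it is a password equivalent with no integrity protection.
        "digest_accepts_altered_message": server_accepts_digest(altered, digest, PASSWORD),
        # The HMAC tag fails as soon as one byte of the message changes.
        "hmac_rejects_altered_message": not server_accepts_hmac(altered, tag, PASSWORD),
    }
```

Both servers compare with hmac.compare_digest so that the comparison itself does not leak timing information; what separates the two methods is only whether the message bytes enter the computation.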

  13. XKMS Authentication • XKMS is the XML Key Management Service (the 2.0 specification is coming out) • Users generate a public/private key pair and register the public key at XKMS • Users sign the Authenticate message using the private key before sending it to NAAS • NAAS looks up the user’s public key in XKMS and verifies the signature using the public key • The user is authenticated if the signature is valid (proof of possession of a private key that could not possibly be owned by anyone else)

  14. Certificate Authentication • Users obtain a certificate from a trusted authority • Users sign the Authenticate message using the private key and insert the certificate in the signature • NAAS validates the certificate through a certificate validation service, possibly the Federal Bridge Certification Authority (FBCA) • NAAS verifies the signature in the message • The user is authenticated if both the certificate and the signature are valid

  15. Using Advanced Authentication • All advanced authentication methods use the same Authenticate method defined in the node functional specification – they have no impact on existing nodes and clients • The authenticationMethod parameter can now be digest, XKMS, HMAC, or certificate • New node clients and a Software Development Kit (SDK) will be provided to support and simplify deployment of strong authentication methods • A technical document, Network Authentication Mechanisms, will be released to promote the new methods • We are moving to much stronger authentication using keys, and away from password authentication.

  16. Questions?
