
PKI interfaces with other security systems

PKI interfaces with other security systems. B. Clifford Neuman University of Southern California Information Sciences Institute. Security Services Integration with PKI. Authentication Other authentication services e.g. Kerberos Network layer security services IPSEC Secure Messaging



Presentation Transcript


  1. PKI interfaces with other security systems B. Clifford Neuman University of Southern California Information Sciences Institute

  2. Security Services Integration with PKI
     • Authentication
     • Other authentication services e.g. Kerberos
     • Network layer security services
     • IPSEC
     • Secure Messaging
     • S/MIME, etc
     • Authorization
     • Generic Authorization and Access Control API
     • Really the only piece that should be visible to the application.

  3. Kerberos mediated services
     • Use PK certificates to obtain initial Kerberos credentials via PKINIT
     • These credentials are usable in the same manner as if the client were registered as a traditional Kerberos user
     • Allows management of users through PKI, without separate Kerberos registration.
     • KDC can check revocation lists at time of initial authentication.

  4. Integrating Authorization
     • Focus on authorization and the management of policies used in the authorization decision.
     • Applications shouldn’t care about authentication or identity.
     • Separate policy from mechanism
     • Authorization may be easier to integrate with applications.
     • Hide the calls to the key management and authentication functions.

  5. Credential transport is needed
     • The GAA-API gets user & connection info from Security Context:
     • Evaluated and unevaluated credentials
     • Delegated authority
     • Cross-calls to transport to retrieve additional creds
     • The security context is provided as:
     • Output from GSS-API (requires many calls)
     • Credentials from transport or session protocols
     • SSL, ARDP
     • Other extensions are needed:
     • IPSec, pulled from Kernel, other extensions
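
An added example, not from the presentation and not the GAA-API's own interface: a toy Python model of slides 4 and 5, where the application makes a single authorization call and the security context carries evaluated and unevaluated credentials, with a cross-call to the transport for more. All names (`check_authorization`, `SecurityContext`, the `cert:`/`tkt:` token formats, the `REVOKED` set) are hypothetical, and the verifiers are stand-ins for real certificate and ticket validation.

```python
from dataclasses import dataclass
from typing import Callable, Optional

REVOKED = {"cert:mallory"}  # constructed revocation list

def verify_x509(token: str) -> Optional[str]:
    # Stand-in for chain validation plus a revocation check.
    if token.startswith("cert:") and token not in REVOKED:
        return token[5:]
    return None

def verify_kerberos(token: str) -> Optional[str]:
    # Stand-in for ticket validation.
    return token[4:] if token.startswith("tkt:") else None

# Mechanism-specific code lives here, hidden from the application.
VERIFIERS = {"x509": verify_x509, "kerberos": verify_kerberos}

@dataclass
class Credential:
    mechanism: str
    token: str
    principal: Optional[str] = None  # filled in once evaluated
    evaluated: bool = False

@dataclass
class SecurityContext:
    creds: list
    fetch_more: Callable[[], list] = lambda: []  # cross-call to the transport

def principals(sc: SecurityContext) -> set:
    """Evaluate pending credentials and return the verified principals."""
    out = set()
    for c in sc.creds:
        if not c.evaluated:
            verifier = VERIFIERS.get(c.mechanism)
            c.principal = verifier(c.token) if verifier else None
            c.evaluated = True
        if c.principal:
            out.add(c.principal)
    return out

def check_authorization(sc: SecurityContext, policy: dict, right: str) -> bool:
    """The only call the application makes: True if the right is granted."""
    allowed = policy.get(right, set())
    if principals(sc) & allowed:
        return True
    sc.creds.extend(sc.fetch_more())  # ask the transport for additional creds
    return bool(principals(sc) & allowed)
```

The policy maps rights to principals and never names a mechanism, so adding a new credential type only means registering another verifier.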
