
Identification Services as provided by directories (X.500 incl. X509)

ITU-T Workshop on "New challenges for Telecommunication Security Standardizations", Geneva, 9 (pm)-10 February 2009. Identification Services as provided by directories (X.500 incl. X509). Erik Andersen, Consultant, Andersen's L-Service, Q.11/17 Rapporteur, era@x500.eu, www.x500.eu.



Presentation Transcript


  1. ITU-T Workshop on "New challenges for Telecommunication Security Standardizations", Geneva, 9 (pm)-10 February 2009. Identification Services as provided by directories (X.500 incl. X509). Erik Andersen, Consultant, Andersen's L-Service, Q.11/17 Rapporteur, era@x500.eu, www.x500.eu

  2. Why listen to this presentation?
  • How identification services relate to security
  • How directories relate to identification services
  • Why X.500 (and LDAP) is an obvious answer to identification services

  3. About the X.500 directory specification
  • First edition in 1988
  • Under continuous expansion since then to meet new requirements
  • Developed in collaboration with ISO/IEC JTC1/SC6
  • Within ISO/IEC known as the ISO/IEC 9594 multipart standard
  • Many highly skilled people have participated over the years

  4. About the X.500 directory specification (cont.)
  • Six editions so far; the seventh edition is on its way
  • Consists of 10 parts (incl. X.509)
  • Defines a naming structure that allows unique naming of all entities
  • Support for distribution and replication
  • Lightweight Directory Access Protocol (LDAP) is a dear child of X.500 (uses the X.500 model)

  5. Identity and security. IT security comprises many things:
  • Physical attacks
  • Hacker attacks
  • Spam
  • Denial of service
  • Fraud by employees
  • ...
  • Identity-related security issues

  6. Identity-related security issues are related to:
  • Information about people and other entities
  • Access to systems and services
  • Accounts
  • Authorisation
  • Software code

  7. Identity Management (IdM)
  • Identity Management (IdM) includes identification services
  • It is much in focus within ITU-T Study Group 17 and other committees
  • Considered an important aspect of Next Generation Network (NGN)
  • Not a new issue

  8. X.500 is (part of) IdM. We have been in the Identity Management (IdM) business since 1984. We got a head start!

  9. Butler Group report: X.500/LDAP is the basis for most current IdM implementations, in the industry often called Identity and Access Management (IAM).

  10. Butler Group list: Aladdin, BMC, Bull Evidian, CA, Entrust, IBM, Microsoft, Novell, Oracle, RSA, Sun. They all use LDAP as a major component in their IdM solutions. X.509 also plays a major role for authentication.

  11. Other vendors
  • Isode
  • Siemens
  • eB2Bcom
  • Critical Path
  • Etc.

  12. The requirement for authentication
  • Before giving access to services and information, the identity of the accessing entity must be established
  • Different levels of authentication
  • The required level depends on:
    • Sensitivity of the service or information
    • Whether the operation is an interrogation or an update

  13. Scope of X.500 identity services
  • Storage of identity information
  • Protection of the information in the directory
  • Use of X.509 capabilities outside directories (e.g. required by SSL, used by SAML2, etc.)

  14. Storing identity information in the Directory Information Tree. (Figure: a tree with Root at the top; country entries c=GB and c=DK; organisation entries o=ALS, o=Fallit A/S and o=Broke Ltd; organisational units ou=Udvikling and ou=Salg; person entries cn=Ole Jensen, cn=Per Yde and a second cn=Ole Jensen. Each node is an entry representing an object.) Name = { cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK }

  15. Protecting directory identity information

  16. Levels of authentication. X.500 allows the following means of authentication:
  • None
  • Directory name
  • Directory name and password
  • Simple Authentication and Security Layer (SASL) (also used by LDAP)
  • SPKM (Simple Public-Key Mechanism)
  • Strong authentication (use of X.509)

  17. Use of passwords
  • Passwords are widely used for identity authentication
  • If transmitted over an encrypted connection (e.g. SSL) and stored encrypted in the directory, they give reasonable protection in many situations
  • Work on password management and policy is in progress within X.500, to be ported to LDAP as well

  18. Strong authentication
  • Based on electronic signatures
  • Requires the presence of a Public Key Infrastructure (PKI)
  ITU-T X.509 is here the key specification.

  19. Access control for directory information
  • Who may do what, or not do what, based on the level of authentication
  • Who:
    • Owner of the information
    • Specific user
    • User group
    • All users
    • Subtree (specific name structure)
  • What:
    • All information about an entity
    • Fragments
  • LDAP has no access control
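The naming of slide 14 and the access-control matrix of slide 19 fit together: a rule names who (by distinguished name, group or subtree), what (all of an entry or a fragment of it), which operation, and the authentication level of slide 16 it needs. The Go program below is an added example written for this transcript, not code from the presentation or from any X.500 product. The DN parser is a constructed simplification (no escaping, no multi-valued RDNs), the `ExampleRules` policy and attribute names are constructed, and the rule model is far smaller than X.500 Basic Access Control, but the deny-by-default decision and the subtree test on the name structure are the points the slide makes:

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// AuthLevel is the ladder from slide 16, weakest first.
type AuthLevel int

const (
	AuthNone AuthLevel = iota
	AuthName
	AuthNameAndPassword
	AuthStrong // X.509-based
)

// DN holds RDNs from leaf to root as on slide 14: cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK.
// Constructed simplification: no escaping, no multi-valued RDNs, no commas inside values.
type DN []string

func ParseDN(s string) DN {
	var dn DN
	for _, rdn := range strings.Split(strings.Trim(s, " {}"), ",") {
		dn = append(dn, strings.TrimSpace(rdn))
	}
	return dn
}

// Equal matches RDN by RDN, case-insensitively.
func (d DN) Equal(o DN) bool { return strings.EqualFold(strings.Join(d, ","), strings.Join(o, ",")) }

// InSubtree reports whether d is at or below base in the DIT, i.e. base is a suffix of d.
func (d DN) InSubtree(base DN) bool {
	return len(base) <= len(d) && d[len(d)-len(base):].Equal(base)
}

// Request is one access attempt; Requestor is nil when unauthenticated, Op is "read" or "modify".
type Request struct {
	Requestor DN
	Auth      AuthLevel
	Target    DN
	Attr, Op  string
}

// Who is the "who" column of slide 19: owner, specific user, user group, all users, subtree.
type Who func(q Request) bool

func Owner(q Request) bool    { return q.Requestor.Equal(q.Target) }
func AllUsers(q Request) bool { return true }
func User(n DN) Who           { return func(q Request) bool { return q.Requestor.Equal(n) } }
func Group(members ...DN) Who { return func(q Request) bool { return slices.ContainsFunc(members, q.Requestor.Equal) } }
func Subtree(base DN) Who     { return func(q Request) bool { return q.Requestor.InSubtree(base) } }

// Rule grants Ops on Attrs (nil = all information about the entry, otherwise a
// fragment) to Who, provided the requestor authenticated at least at MinAuth.
type Rule struct {
	Who     Who
	MinAuth AuthLevel
	Attrs   []string
	Ops     []string
}

// Permit is deny-by-default: a request succeeds only if some rule matches the
// requestor class, the authentication level, the attribute and the operation.
func Permit(rules []Rule, q Request) bool {
	for _, r := range rules {
		if q.Auth >= r.MinAuth && r.Who(q) && (r.Attrs == nil || slices.Contains(r.Attrs, q.Attr)) && slices.Contains(r.Ops, q.Op) {
			return true
		}
	}
	return false
}

// ExampleRules is a constructed policy for the o=Fallit A/S subtree of slide 14.
func ExampleRules() []Rule {
	fallit := ParseDN("o=Fallit A/S, c=DK")
	return []Rule{
		{Who: AllUsers, MinAuth: AuthNone, Attrs: []string{"cn", "telephoneNumber"}, Ops: []string{"read"}},
		{Who: Subtree(fallit), MinAuth: AuthNameAndPassword, Ops: []string{"read"}},
		{Who: Owner, MinAuth: AuthNameAndPassword, Ops: []string{"read", "modify"}},
	}
}

func main() {
	ole := ParseDN("{ cn=Ole Jensen, ou=Salg, o=Fallit A/S, c=DK }")
	per := ParseDN("cn=Per Yde, ou=Udvikling, o=Fallit A/S, c=DK")
	for _, q := range []Request{
		{Auth: AuthNone, Target: ole, Attr: "cn", Op: "read"},                                             // true: public fragment
		{Auth: AuthNone, Target: ole, Attr: "userPassword", Op: "read"},                                   // false
		{Requestor: per, Auth: AuthNameAndPassword, Target: ole, Attr: "homePostalAddress", Op: "read"},   // true: same subtree
		{Requestor: ole, Auth: AuthName, Target: ole, Attr: "homePostalAddress", Op: "modify"},            // false: password required
		{Requestor: ole, Auth: AuthNameAndPassword, Target: ole, Attr: "homePostalAddress", Op: "modify"}, // true: owner
	} {
		fmt.Println(q.Attr, q.Op, Permit(ExampleRules(), q))
	}
}
```

The second cn=Ole Jensen of slide 14 (under c=GB) is why the owner test compares the whole DN rather than the common name: a namesake in another subtree matches neither the owner rule nor the Fallit A/S subtree rule, so it gets only the public fragment.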

  20. Levels of protection
  • Protection of individual entries based on right-to-know (traditional access control)
  • Protection of individual entries based on right-to-know and need-to-know (service view)
  • Protection against devious searches
  • Protection against information trawling
  • Anything goes

  21. Protection by X.509

  22. Basic X.509 concepts
  • Public-key concept
  • Public-Key Infrastructure (PKI)
  • Privilege Management Infrastructure (PMI)
  • Certificates:
    • Public-key certificates (part of PKI)
    • Attribute certificates (part of PMI)
  • Digital signatures

  23. Public key concept. (Figure, two exchanges between A and B: encryption using private key A, decryption using public key A; encryption using public key B, decryption using private key B.)

  24. Digital signature. (Figure: data passes through the algorithms to produce a signature.)
  • Verifies the sender
  • Ensures integrity of the message
  • Signing of:
    • Messages
    • Software code
    • Documents
    • Etc.
  • Hashing plus encryption with the private key
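Slides 23 and 24 describe the two uses of a key pair: encrypting for whoever holds the matching private key, and signing, where the private key is applied to a hash of the data so that anyone with the public key can check both the sender and the integrity. The Go program below is an added example written for this transcript, not material from the presentation; it uses RSA-OAEP for the encryption and RSA-PSS with SHA-256 for the signature (algorithm choices assumed for the example, since the slides name none), and the message is a constructed sample:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates one party's key pair: the private half stays with its
// owner, the public half is what a directory entry or a certificate carries.
func NewKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// EncryptFor is the lower half of slide 23: anyone holding B's public key can
// encrypt for B, and only B's private key decrypts (RSA-OAEP here).
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// Sign is slide 24: hash the data, then apply A's private key to the digest
// (RSA-PSS). The digest, not the data itself, is what the private-key operation covers.
func Sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks it against the signature with A's
// public key: a wrong key (sender) or changed data (integrity) both fail.
func Verify(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	a, b := NewKeyPair(), NewKeyPair()
	msg := []byte("constructed message from A to B") // constructed sample input

	ct, _ := EncryptFor(&b.PublicKey, msg)
	pt, _ := Decrypt(b, ct)
	fmt.Printf("B decrypts: %q\n", pt)
	_, err := Decrypt(a, ct)
	fmt.Println("A decrypts:", err) // error: only B's private key fits

	sig, _ := Sign(a, msg)
	fmt.Println("A's signature, A's key:", Verify(&a.PublicKey, msg, sig))                                 // true
	fmt.Println("tampered data:", Verify(&a.PublicKey, []byte("constructed message from A to B."), sig)) // false
	fmt.Println("B's key:", Verify(&b.PublicKey, msg, sig))                                                // false
}
```

The signature alone says only that the holder of A's private key signed the digest; that the key belongs to the person called A is what the certificates of the following slides add.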

  25. Certifying the identity using public-key certificates. (Figure: a Certification Authority issues a certificate to Anna.)

  26. Checking the credentials
  • A passport is a type of certificate binding a picture to an ID
  • Has to be issued by a trustworthy authority
  • A passport may be false
  • It is checked by the "service provider", also called the relying party
  • A certificate is issued by a Certification Authority (CA)

  27. X.509 at work - 1

  28. X.509 at work - 2

  29. Establishing the infrastructure
  • To validate a certificate a Public-Key Infrastructure (PKI) is required:
    • To establish a trust anchor
    • To establish a repository for revoked certificates
  • X.509 provides a framework for PKI
  • Supplementary specifications are required
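Slides 26 and 29 together describe what the relying party has to do with a certificate: chain it to a trust anchor it already trusts, and consult a repository of revoked certificates. The Go program below is an added example written for this transcript, not code from the presentation or from any product. It stands up a small CA as the trust anchor, issues a certificate to "Anna" (the name on slide 25), publishes a CRL signed with the CA key as the revocation repository (OCSP would be the other common form), and runs the relying-party check. All names, serial numbers and validity periods are constructed:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{ // constructed names, following the o=Fallit A/S, c=DK branch of slide 14
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"DK"}, Organization: []string{"Fallit A/S"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// CA is the trust anchor of slide 29 plus the revocation repository it publishes: a CRL it signs.
type CA struct {
	Cert    *x509.Certificate
	CRL     []byte
	key     *ecdsa.PrivateKey
	revoked []x509.RevocationListEntry
}

// NewCA builds a self-signed CA certificate; relying parties install it out of band as their anchor.
func NewCA(name string) *CA {
	ca := &CA{key: newKey()}
	tmpl := template(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	ca.Cert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &ca.key.PublicKey, ca.key))))
	ca.publishCRL()
	return ca
}

// Issue binds a name to a public key under the CA's signature (slide 25).
func (ca *CA) Issue(serial int64, cn string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := template(serial, cn)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key))))
}

// publishCRL signs the current revocation list; the CRL number grows with every revocation.
func (ca *CA) publishCRL() {
	ca.CRL = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:                    big.NewInt(int64(len(ca.revoked) + 1)),
		ThisUpdate:                time.Now(),
		NextUpdate:                time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: ca.revoked,
	}, ca.Cert, ca.key))
}

func (ca *CA) Revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	ca.publishCRL()
}

// Validate is the relying party's check from slides 26 and 29: the chain must end at
// the trust anchor, and the serial must be absent from the anchor-signed CRL.
func Validate(trustAnchor *x509.Certificate, crlDER []byte, c *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("no chain to trust anchor: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(trustAnchor); err != nil {
		return fmt.Errorf("CRL not signed by trust anchor: %w", err)
	}
	if slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(c.SerialNumber) == 0 }) {
		return fmt.Errorf("certificate %v (%s) is revoked", c.SerialNumber, c.Subject.CommonName)
	}
	return nil
}

func main() {
	ca := NewCA("Fallit Root CA")
	anna := ca.Issue(2, "Anna", &newKey().PublicKey)
	fmt.Println("valid:", Validate(ca.Cert, ca.CRL, anna))
	fmt.Println("wrong anchor:", Validate(NewCA("Untrusted CA").Cert, ca.CRL, anna))
	ca.Revoke(anna)
	fmt.Println("after revocation:", Validate(ca.Cert, ca.CRL, anna))
}
```

The order of the checks is deliberate: the CRL is only consulted after the chain has been verified and after the CRL's own signature has been checked against the same anchor, so a revocation list from an unrelated party can neither clear nor block a certificate.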

  30. PKI forums and peer groups
  • Electronic Signatures and Infrastructures (ESI) by ETSI
  • Certification Authority/Browser Forum
  • Public-Key Infrastructure (X.509) (PKIX) within IETF

  31. Privilege management
  • Attribute certificates are used for assigning privileges to the holder of the certificate
  • The holder is identified, e.g., by a pointer to a public-key certificate
  • An attribute certificate is issued by an Attribute Authority (AA)
  • A special Privilege Management Infrastructure (PMI) may be established
  • Recent work allows privileges established in one domain to be applied in other domains

  32. The challenges
  • Extending X.500 support to meet new identity management requirements
  • Making the community aware of the X.500 capabilities
  • Getting new blood into the process
  • At times up against the NIH syndrome (NIH: Not Invented Here)

  33. Where to go: X.500 Identity Management. The central source for information on the X.500 Directory Standard: www.x500standard.com
