NAAS - The Shared Security Component



Environmental Council of States
Network Authentication and Authorization Services
The Shared Security Component
February 28, 2005
What is NAAS?
• Network Authentication and Authorization Services (NAAS) are
shared and centrally managed security services
• NAAS are designed to meet all node security requirements
• NAAS cover authentication, authorization, and identity
management
• NAAS are easy to use and available to all network nodes
• NAAS are Web services with Web service description language
(WSDL) files
Why NAAS?
• Simplify implementation
• Enhanced security
• Cost effective
• Highly extensible
• Supports single sign-on (SSO)
• Security monitoring
NAAS Major Services
• NAAS Web Service Interface: Simple Object Access Protocol (SOAP) service that exposes user authentication and authorization functions to all state nodes. It is the entry point for all service requests
• Network Authentication Service: This is a subsystem for verifying subject (user or machine) identity
• Network Authorization Service: This component is for entitlement management. Authorization is typically role- or policy-based. It must be flexible so that a variety of factors can be part of the decision to grant or deny access to specific resources
• User Identity Management: This component is responsible for registering users, removing users, and modifying user profiles
• Policy Management: The component allows administrators to create or modify rules or policies for resource access
• Vulnerability Management: This component tracks instances of security breaches and generates reports that contain specific information about vulnerability and actions taken. A good vulnerability management system helps to prevent security problems from recurring
• Network Certificate Authority: This component issues and manages certificates used for secure socket layer (SSL), encryption, and signature
• Public Key Management: This component allows users to locate and validate public keys
Network Security Infrastructure
[Figure: Network Security Infrastructure diagram. Components shown: Integrated Security Management (User Management, Policy Management, Vulnerability Management, Intrusion Detection Rules); NAAS Web Service Interface (Request / Response); Network Authentication Service; Network Authorization Service; Network Identity Management Service; Certificate/Public Key Management; and the User Identity Store, Security Policy Store and Public Key Store]
Delegated Authentication
[Figure: Delegated Authentication sequence between User, Network Node and Central Authentication Services. Steps: 1. Authenticate; 2. Central Auth; 3. Security Token; 4. Security Token; 5. Service Request (Security Token); 6. Service Response]
• Nodes delegate authentication task to NAAS
• Security Token is validated through NAAS
Direct Authentication
[Figure: Direct Authentication sequence between User, Network Node and NAAS. Steps: 1. Authenticate; 2. Security Token; 3. Service Request (Security Token); 4. Validate; 5. Response; 6. Service Response]
• Users authenticate at NAAS and obtain Security Token
• Users use the Security Token to access a node
• Node validates the Security Token at NAAS
Direct and Delegated Authentication Comparison
Delegated Authentication
• Convenient to users. Operation and authentication at a single place
• Nodes have control over how users can be authenticated
• There is a small performance overhead in delegation
Direct Authentication
• No performance penalty
• Best for accessing multiple nodes
• Recommended for machine-to-machine interactions
• Node local authentication may not be possible
A network node must accept security tokens issued by
NAAS in order to participate in the network-wide
exchanges.
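The two token flows above, written out as an added example that is not code from the ECOS deck or from any NAAS SDK: a stand-in NAAS issues signed security tokens after digest authentication and validates them on request; a node either validates a token the user presents (direct authentication, steps 3 to 6) or collects the credentials and authenticates at NAAS on the user's behalf (delegated authentication). The token format, the HMAC-SHA256 signing, the 600-second lifetime, the in-memory user store and the node's response strings are all assumptions; the real NAAS is a SOAP service whose token format this page does not describe.

```python
import hashlib
import hmac
import time

# Assumed token lifetime in seconds (not specified on the page).
TOKEN_LIFETIME = 600


def password_digest(password: str) -> str:
    """Client-side SHA-1 fingerprint of the password, as the deck recommends."""
    return hashlib.sha1(password.encode()).hexdigest()


class NAAS:
    """Stand-in for the central authentication service (in-memory, hypothetical)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key   # secret known only to NAAS; nodes never see it
        self._digests = {}        # user -> stored password digest

    def register(self, user: str, password: str) -> None:
        self._digests[user] = password_digest(password)

    def authenticate(self, user: str, digest: str, now=None):
        """Digest authentication: returns a signed security token, or None on failure."""
        stored = self._digests.get(user)
        if stored is None or not hmac.compare_digest(stored, digest):
            return None
        now = int(time.time()) if now is None else now
        payload = f"{user}:{now + TOKEN_LIFETIME}"
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def validate(self, token: str, now=None):
        """Returns the user name if the token is untampered and unexpired, else None."""
        try:
            user, expires, sig = token.rsplit(":", 2)
        except ValueError:
            return None
        expected = hmac.new(self._key, f"{user}:{expires}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # check the signature before trusting any field
            return None
        now = int(time.time()) if now is None else now
        return user if now < int(expires) else None


class NetworkNode:
    """Hypothetical node that serves only requests carrying a token NAAS will validate."""

    def __init__(self, naas: NAAS):
        self._naas = naas

    def delegated_login(self, user: str, password: str, now=None):
        """Delegated flow: the node takes the user's credentials and calls NAAS itself."""
        return self._naas.authenticate(user, password_digest(password), now)

    def service_request(self, token: str, now=None) -> str:
        """Direct flow, steps 3 to 6: validate the presented token at NAAS, then serve."""
        user = self._naas.validate(token, now)
        if user is None:
            return "401 invalid or expired security token"
        return f"200 service response for {user}"


def direct_flow(naas: NAAS, node: NetworkNode, user: str, password: str, now=None) -> str:
    """Direct flow, steps 1 to 6: authenticate at NAAS, then present the token to a node."""
    token = naas.authenticate(user, password_digest(password), now)
    if token is None:
        return "authentication failed at NAAS"
    return node.service_request(token, now)


if __name__ == "__main__":
    naas = NAAS(b"constructed-signing-key")
    naas.register("alice", "correct horse")   # constructed user
    node = NetworkNode(naas)
    print(direct_flow(naas, node, "alice", "correct horse"))
    print(direct_flow(naas, node, "alice", "wrong password"))
```

Because the node never holds the signing key, the only way it can accept a token is to ask NAAS, which is exactly the "validate at NAAS" step of the direct flow; a node that skipped that call would be trusting an unverifiable string.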
Local Authentication versus Network Authentication
• Local authentication can be performed on a node's own domain users
• Locally authenticated users cannot access other nodes or the Central Data Exchange (CDX)
• Nodes must perform access control over locally authenticated users
• A node can perform additional access control after NAAS authorization decisions for network users
Advanced Authentication Methods
• Digest: Use the hash value of the password to authenticate
users
• HMAC Signature: Sign the authentication message using the
password to prove identity
• XKMS: Sign the authentication message using a key stored in
the key management service
• Certificate: Sign the authentication message using a certificate
issued by a trusted party
Digest Authentication
• Password digest is a fingerprint of a password
• Digest algorithm is one-way. It is difficult to calculate a
password given its digest
• Users send password digest to the server and the server
calculates the password digest and compares it with the one
received
• SHA-1 should be used to calculate the password digest
• Digest authentication has better protection of user passwords
but has many of the same problems as password
authentication
Hashed Message Authentication Code (HMAC) Signature
• Users sign the authentication message using password before
sending to NAAS
• NAAS uses the user’s password as the key to verify the
signature. The user is authenticated if the signature is valid
• Much safer than digest, and the message integrity is protected
• Still need passwords – known to both client and server
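The digest and HMAC schemes from the two slides above, side by side in an added example that is not code from the ECOS deck or any NAAS client: the client sends a SHA-1 password digest (or an HMAC over the Authenticate message keyed with the password), and the server recomputes the value from its copy of the password and compares. The credential store, the message layout and the use of HMAC-SHA256 are assumptions; the page fixes only SHA-1 for the digest. The demo function shows concretely why the deck says the HMAC variant protects message integrity while the digest "has many of the same problems as password authentication".

```python
import hashlib
import hmac

# Constructed credential store. The server keeps the password itself because the
# HMAC scheme needs it as the key (the deck: "known to both client and server").
PASSWORDS = {"alice": "correct horse"}


def password_digest(password: str) -> str:
    """Digest authentication, client side: send this fingerprint instead of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def verify_digest(user: str, received_digest: str) -> bool:
    """Digest authentication, server side: recompute the digest and compare."""
    password = PASSWORDS.get(user)
    if password is None:
        return False
    return hmac.compare_digest(password_digest(password), received_digest)


def sign_authenticate(password: str, message: bytes) -> str:
    """HMAC signature, client side: the password is the key, the whole Authenticate
    message is the signed data (HMAC-SHA256 is an assumption)."""
    return hmac.new(password.encode(), message, hashlib.sha256).hexdigest()


def verify_hmac(user: str, message: bytes, signature: str) -> bool:
    """HMAC signature, server side: recompute with the stored password and compare."""
    password = PASSWORDS.get(user)
    if password is None:
        return False
    return hmac.compare_digest(sign_authenticate(password, message), signature)


def integrity_demo() -> dict:
    """Constructed comparison of how the two schemes behave if a message is captured."""
    pw = PASSWORDS["alice"]
    # Digest: the value on the wire is identical at every login, so a captured copy
    # still authenticates later; the server cannot tell a replay from a fresh login.
    captured_digest = password_digest(pw)
    digest_replayed = verify_digest("alice", captured_digest)
    # HMAC: the signature covers the message contents, including its timestamp.
    msg1 = b"Authenticate user=alice method=HMAC ts=2005-02-28T10:00:00Z"
    sig1 = sign_authenticate(pw, msg1)
    tampered = msg1.replace(b"user=alice", b"user=admin")    # field edited in transit
    msg2 = msg1.replace(b"10:00:00Z", b"10:05:00Z")          # later login, old signature
    return {
        "hmac_valid": verify_hmac("alice", msg1, sig1),
        "hmac_tampered": verify_hmac("alice", tampered, sig1),
        "hmac_replayed_with_new_ts": verify_hmac("alice", msg2, sig1),
        "digest_replayed": digest_replayed,
    }


if __name__ == "__main__":
    for name, outcome in integrity_demo().items():
        print(f"{name}: {outcome}")
```

The HMAC binds the signature to one exact message, so the server can reject an edited request; an unchanged captured message and signature would still verify, which is why the timestamp in the message only helps if the server also checks it against a freshness window and refuses duplicates. Both verifiers use `hmac.compare_digest` so the comparison time does not depend on how many leading bytes match.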
XKMS Authentication
• XKMS is the XML Key Management Service (2.0 specification
is coming out)
• Users generate public / private key pair and register the public
key at XKMS
• Users sign the Authenticate message using the private key
before sending to NAAS
• NAAS looks up the user’s public key in XKMS and verifies the
signature using the public key
• User is authenticated if the signature is valid (proof of
possession of private key that could not possibly be owned by
anyone else)
Certificate Authentication
• Users obtain certificate from a trusted authority
• Users sign the Authenticate message using the private key and
insert the certificate in the signature
• NAAS validates the certificate through a certificate validation
service, possibly the Federal Bridge Certification Authority
(FBCA)
• NAAS verifies the signature in the message
• The user is authenticated if both the certificate and the
signature are valid
Using Advanced Authentication
• All advanced authentication methods use the same Authenticate method defined in the node functional specification – they have no impact on existing nodes and clients
• The authenticationMethod parameter can now be digest, XKMS, HMAC, or certificate
• New node clients and a Software Development Kit (SDK) will be provided to support and simplify deployment of strong authentication methods
• A technical document, Network Authentication Mechanisms, will be released to promote the new methods
• We are moving to much stronger authentication using keys, and moving away from password authentication
Questions?