
  • Number of slides: 24

SIS: Secure Information Sharing for Windows Systems
Osama Khaleel
CS 526 Semester Project
5/1/2006

Introduction
  • The Internet is the most dominant place for data exchange and information sharing.
  • Thus, providing a reliable, secure, and easy-to-use system to access critical information is crucial.
  • Given that password-based access does not meet high-level security requirements, we need a stronger approach for access control.

Goals:
  • Porting the previous SIS project (Linux/LDAP/Mod_LDAP/Apache) to Windows system with the necessary improvements.
  • Providing secure access control based on digital and attribute certificates.
  • Implementing a flexible and scalable Role Based Access Control (RBAC) model.
  • Building an Access Control Engine (ACE) for IIS to enforce our RBAC policy.
  • Investigating the framework so that we can build ACE for Instant Messaging and other network services.
  • Providing an easy-to-use GUI for creating and managing
    – Public Key Infrastructure (PKI),
    – Privilege Management Infrastructure (PMI), and
    – RBAC.

The Transformation:
  • Basically, the working environment will be Windows instead of Linux.
  • Active Directory (AD) is used instead of LDAP server.
  • Microsoft IIS 6.0 replaces Apache web server.
  • Improving the RBAC policy enforcement from static If-Else checking to a dynamic XML based solution.

Testbed Configuration
  • A testbed has been built to test the SIS system.
  • It consists of four machines:
    – Windows Server 2003 with AD (acts as the Domain Controller).
    – Windows Server 2003 with IIS 6.0 (acts as a web server).
    – Windows XP as a client.
    – A gateway running Fedora Core 4 and an IPtables based firewall.

SIS Network Topology and IP Assignments (diagram)
  • Internet: 128.198.162.51, 128.198.162.52, 128.198.162.53
  • Main switch
  • FC4 gateway: NIC 1 128.198.162.50, NIC 2 10.0.0.1
  • Local switch
    – Domain-controller 10.0.0.10
    – IIS 10.0.0.11
    – Win-XP 10.0.0.12

Main SIS Components:
  • X.509 Digital Certificate:
    – A Public Key Certificate (PKC) is used as a strong means to prove identities. It binds a public key with the holder subject field (Country, State, City, Organization, e-mail, Common-name, …).
    – It is signed by the private key of a Certificate Authority (CA), so it can be verified using the known CA’s public key.

Main SIS Components:
  • Certificate Authority (CA):
    – A CA is a trusted entity that is responsible for issuing digital certificates for use by other parties.
    – A PKC issued by a CA states that “the CA attests that the public key contained in the certificate belongs to the entity noted in that certificate”.

Main SIS Components:
  • Attribute Certificate (AC):
    – It is a new Internet standard (RFC 3281) that strongly binds a public key with a set of attributes that can specify the holder’s membership, Role, security clearance, or other authorization information.
    – In our case, we use ACs to store the role information for the holder.

Main SIS Components:
  • Active Directory (AD):
    – A hierarchical framework of objects used as a directory service to store information about the network resources across a domain.
    – It is Microsoft’s implementation of LDAP directory services for use in Windows environments.
    – It provides central control for three types of objects: Resources (e.g. printers), Services (e.g. e-mail), and Users (accounts and groups).
    – AD is used to maintain user accounts and store Digital and Attribute certificates.

Main SIS Components:
  • Internet Information Services (IIS 6.0):
    – A Web server that provides a reliable, manageable, and scalable Web application infrastructure for Windows Servers.
    – SSL mutual authentication based on the client’s digital certificate is used to authenticate users.
    – An enhanced HTTP module is used to authorize users based on the Role stored in the corresponding Attribute Certificate.

In details:
  • We will provide an Admin Tool that has four primary functions:
    – AD management.
    – SIS setup.
    – RBAC setup and management.
    – Certificates management.
  • We assume that Windows Server 2003, Active Directory, and IIS 6.0 are already installed.

Active Directory Management
  • Initialize the Active Directory.
  • Create user accounts based on a text file that contains the needed information:
    – first name, last name, country, state, organization, e-mail, and
    – their role in the organization.
  • Add, remove, and edit user accounts as needed.

SIS Setup
  • Create a root CA that will be used to sign issued certificates.
  • Issue a server certificate for the IIS web server.
  • Issue digital and attribute certificates for users, and store them in the Active Directory.
  1. OpenSSL and CryptLib packages have been used in this task.

RBAC Setup & Management
  • Idea: a flexible way to enforce the role-based access policy, namely, to dynamically check whether a certain ROLE has the required permissions to perform certain OPERATIONS on some RESOURCES.
  • We have come up with a solution that uses two XML files: Resources and Roles.

RBAC XML files:
  • Resources.xml: <Resource> entries, each with an <ID>, a <URI> and a description:
    – 1, http://domain/path1, description 1
    – 2, http://domain/path2, description 2
    – ...
  • Roles.xml:
    – *, Sun, Tues, Wed

Certificates Management
Manage issued certificates:
  • Update users’ digital and attribute certificates.
  • Revoke certificates.
  • Check certificates’ validity dates.

The Big Image (flow diagram):
  • Client request → IIS → SIS Module
  • SSL authenticated? NO → reject
  • Get request info, and the certificate subject field
  • Query AD (Active Directory) to get the corresponding AC
  • This Role has permissions to perform the Operation on the requested resource? NO → reject; YES → Grant Access
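The role check from the RBAC slides and the final decision step of the flow above, as an added Python example (SIS itself is written in C#; this is not the project's code). The tags <Resource>, <ID> and <URI> come from the slide; <Description>, the whole Roles.xml layout, the role names and the function names are assumptions, as is reading `*` as a wildcard and "Sun, Tues, Wed" as allowed days.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. <Resource>, <ID>, <URI> are from the slide;
# <Description> and the whole Roles.xml layout are assumptions.
RESOURCES_XML = """<Resources>
  <Resource><ID>1</ID><URI>http://domain/path1</URI><Description>description 1</Description></Resource>
  <Resource><ID>2</ID><URI>http://domain/path2</URI><Description>description 2</Description></Resource>
</Resources>"""

ROLES_XML = """<Roles>
  <Role name="Manager">
    <Permission><ResourceID>*</ResourceID><Operations>GET,POST</Operations><Days>Sun,Tues,Wed</Days></Permission>
  </Role>
  <Role name="Analyst">
    <Permission><ResourceID>1</ResourceID><Operations>GET</Operations><Days>*</Days></Permission>
  </Role>
</Roles>"""

def _items(text):
    """Split a comma-separated policy field into a set of trimmed values."""
    return {v.strip() for v in (text or "").split(",") if v.strip()}

def resource_id_for(uri, resources):
    """Map a requested URI to its resource ID by exact comparison.
    Values are compared in code, never spliced into an XPath string, so a
    crafted URI cannot change the query."""
    for res in resources.iter("Resource"):
        if (res.findtext("URI") or "").strip() == uri:
            return (res.findtext("ID") or "").strip()
    return None

def is_allowed(role, operation, uri, day, resources, roles):
    """Default-deny check: does `role` permit `operation` on `uri` on `day`?"""
    rid = resource_id_for(uri, resources)
    if rid is None:
        return False                      # unknown resource: reject
    for r in roles.iter("Role"):
        if r.get("name") != role:
            continue
        for p in r.iter("Permission"):
            rids, ops, days = (_items(p.findtext(t)) for t in ("ResourceID", "Operations", "Days"))
            if ((rid in rids or "*" in rids) and operation in ops
                    and (day in days or "*" in days)):
                return True
    return False                          # no matching permission: reject

RESOURCES = ET.fromstring(RESOURCES_XML)
ROLES = ET.fromstring(ROLES_XML)
```

Every path that does not find an explicit matching permission returns False, so an unknown role, an unlisted URI or a malformed entry results in a reject rather than a grant.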

Conclusion
  • A secure information sharing system for the Windows environment is being developed with an admin tool to set up and manage AD, PKI, and RBAC.
  • Clients are authenticated by the PKCs issued to them, and authorized by the ACs stored in the AD using the RBAC model.
  • The system can be used as a secure information infrastructure for an emergent taskforce due to the quickness in system setup, and the easy-to-use Admin Tool.

Some learnt lessons:
  • In terms of the programming language, I have used C# with Visual C# Express 2005 IDE. Since we are porting to Windows system, C# is one of the most powerful languages supported in the .NET framework.
  • At the beginning I used the CryptLib package to deal with certificates. This package generates two kinds of files: (.CER) that contains the certificate, and (.P15) that has the private key in PKCS#15 structure. But after I had tried to test those certificates, it turned out that MS IE and IIS need (.P12) kind of file. Thus I switched to OpenSSL package instead.

Some learnt lessons:
  • Now, the good thing in CryptLib is that it supports attribute certificates, so I will be using it to deal with ACs.
  • For RBAC XML based solution, I found out that the use of simple C# XMLReader and XMLWriter is slow, especially for a large file. So, I will use XPath technique for this task.
  • As we learned in the certificate assignment, we can specify the certificates we want to allow in the Apache password file by putting the whole subject field in it. So, now I am searching for an equivalent feature in IIS.

Future Work:
  • Integrating more services in the ACE such as Instant Messaging, E-mail, Wireless access, VOIP …
  • Enhancing the system to work in a multiple agency environment.
  • Expanding the system usability to other operating systems.

References:
  • OpenSSL; a wrapper compiled in binaries (.exe file) from http://www.stunnel.org/download/binaries.html has been used, 2006.
  • CryptLib package that supports attribute certificates, http://www.cryptlib.com, 2006.
  • Network Security with OpenSSL by John Viega, Matt Messier, and Pravir Chandra. O’Reilly, First Edition, 2002.
  • http://httpd.apache.org/docs/2.2/ssl_intro.html, 2006.
  • Linux based SIS, by Ganesh Godavari and Edward Chow, http://cs.uccs.edu/~infoshare/doc/smc05/PaperFormatOrg.pdf, 2005.

?