Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005

What is NAAS?

• Network Authentication and Authorization Services (NAAS) are shared and centrally managed security services

• NAAS are designed to meet all node security requirements

• NAAS cover authentication, authorization, and identity management

• NAAS are easy to use and available to all network nodes

• NAAS are Web services with Web Services Description Language (WSDL) files

Why NAAS?

• Simplify implementation

• Enhanced security

• Cost effective

• Highly extensible

• Supports single sign-on (SSO)

• Security monitoring

NAAS Major Services

• NAAS Web Service Interface: Simple Object Access Protocol (SOAP) service that exposes user authentication and authorization functions to all state nodes. It is the entry point for all service requests

• Network Authentication Service: This is a subsystem for verifying subject (user or machine) identity

• Network Authorization Service: This component is for entitlement management. Authorization is typically role- or policy-based. It must be flexible so that a variety of factors can be part of the decision to grant or deny access to specific resources

• User Identity Management: This component is responsible for registering users, removing users, and modifying user profiles

• Policy Management: The component allows administrators to create or modify rules or policies for resource access

• Vulnerability Management: This component tracks instances of security breaches and generates reports that contain specific information about vulnerability and actions taken. A good vulnerability management system helps to prevent security problems from recurring

• Network Certificate Authority: This component issues and manages certificates used for Secure Sockets Layer (SSL), encryption, and signature

• Public Key Management: This component allows users to locate and validate public keys

Network Security Infrastructure

[Architecture diagram] Requests enter through the NAAS Web Service Interface and responses leave by the same path. Behind it sit the Network Authentication Service, the Network Authorization Service and the Network Identity Management Service, together with the Integrated Security Management components: User Management, Policy Management, Vulnerability Management and Certificate/Public Key Management. Backing stores shown: Security Policy Store, User Identity Store, Intrusion Detection Rules and Public Key Store.

Delegated Authentication

• Nodes delegate the authentication task to NAAS

• Security Token is validated through NAAS

[Sequence diagram: Network Node User, Network Node, Central Authentication Services]

1. Authenticate (user to node)

2. Central Auth (node to NAAS)

3. Security Token (NAAS to node)

4. Security Token (node to user)

5. Service Request (Security Token) (user to node)

6. Service Response (node to user)

Direct Authentication

• Users authenticate at NAAS and obtain a Security Token

• Users use the Security Token to access a node

• Node validates the Security Token at NAAS

[Sequence diagram: Network Node User, Network Node, NAAS]

1. Authenticate (user to NAAS)

2. Security Token (NAAS to user)

3. Service Request (Security Token) (user to node)

4. Validate (node to NAAS)

5. Response (NAAS to node)

6. Service Response (node to user)

Direct and Delegated Authentication Comparison

Delegated Authentication

• Convenient to users. Operation and authentication at a single place

• Nodes have control over how users can be authenticated

• There is a small performance overhead in delegation

Direct Authentication

• No performance penalty

• Best for accessing multiple nodes

• Recommended for machine-to-machine interactions

• Node local authentication may not be possible

A network node must accept security tokens issued by NAAS in order to participate in the network-wide exchanges.

Local Authentication versus Network Authentication

• Local authentication can be performed on the node's own domain users

• Locally authenticated users cannot access other nodes or the Central Data Exchange (CDX)

• Nodes must perform access control over locally authenticated users

• A node can perform additional access control after NAAS authorization decisions for network users
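As an added illustration of the two token flows on the Delegated and Direct Authentication slides and of the local-versus-network rule on this slide (example code, not part of the original presentation and not the real NAAS interface): a hypothetical NAAS that issues and validates security tokens, and a node that either delegates login to NAAS, accepts a token the user obtained directly, or authenticates its own local users. The token format, the HMAC-based signing, the user names and the access policy are all assumptions; the SHA-1 password digest follows the Digest Authentication slide.

```python
import hashlib
import hmac
import secrets
import time


class NAAS:
    """Hypothetical central authentication service (not the real NAAS SOAP interface)."""

    def __init__(self, clock=time.time, lifetime=600):
        self._signing_key = secrets.token_bytes(32)  # token-signing key; never leaves NAAS
        self._clock = clock
        self._lifetime = lifetime
        # constructed user store: network user -> SHA-1 password digest (as the slides prescribe)
        self._users = {"alice@state.example": hashlib.sha1(b"correct horse").hexdigest()}

    def authenticate(self, user, password_digest):
        """Issue a Security Token when the digest matches; None otherwise."""
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, password_digest):
            return None
        expiry = int(self._clock()) + self._lifetime
        body = f"{user}|{expiry}|{secrets.token_hex(8)}"
        mac = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"

    def validate(self, token):
        """Return the user named in a genuine, unexpired token; None for anything else."""
        parts = token.split("|")
        if len(parts) != 4:
            return None
        user, expiry, nonce, mac = parts
        expected = hmac.new(self._signing_key, f"{user}|{expiry}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None  # forged or altered token
        if int(expiry) < self._clock():
            return None  # expired
        return user


class NetworkNode:
    """A state node that accepts NAAS tokens and may also authenticate its own local users."""

    def __init__(self, name, naas):
        self.name = name
        self.naas = naas
        # constructed local domain users and the sessions this node issued to them
        self._local_users = {"bob": hashlib.sha1(b"bob local pw").hexdigest()}
        self._local_sessions = {}

    def delegated_login(self, user, password_digest):
        """Delegated authentication: the node forwards the credentials to NAAS."""
        return self.naas.authenticate(user, password_digest)

    def local_login(self, user, password_digest):
        """Local authentication: a session that is only meaningful on this node."""
        stored = self._local_users.get(user)
        if stored is None or not hmac.compare_digest(stored, password_digest):
            return None
        session = secrets.token_hex(16)
        self._local_sessions[session] = user
        return session

    def authorize(self, user, resource):
        """Node-level access control applied after authentication (constructed policy)."""
        return resource != "admin" or user.endswith("@state.example")

    def handle_request(self, token, resource):
        """Service Request (Security Token) -> Service Response, as (status, body)."""
        user = self._local_sessions.get(token)
        if user is None:
            user = self.naas.validate(token)  # network tokens are validated at NAAS
        if user is None:
            return 401, "invalid security token"
        if not self.authorize(user, resource):
            return 403, "not entitled"
        return 200, f"{resource} for {user}"


def demo():
    naas = NAAS()
    node_a, node_b = NetworkNode("A", naas), NetworkNode("B", naas)
    alice = hashlib.sha1(b"correct horse").hexdigest()
    direct = naas.authenticate("alice@state.example", alice)          # direct: user talks to NAAS
    delegated = node_a.delegated_login("alice@state.example", alice)  # delegated: via node A
    local = node_a.local_login("bob", hashlib.sha1(b"bob local pw").hexdigest())
    return {
        "direct_on_b": node_b.handle_request(direct, "report")[0],        # 200: one token, any node
        "delegated_on_a": node_a.handle_request(delegated, "report")[0],  # 200
        "local_on_a": node_a.handle_request(local, "report")[0],          # 200
        "local_on_b": node_b.handle_request(local, "report")[0],          # 401: local users stay local
        "local_admin": node_a.handle_request(local, "admin")[0],          # 403: node-level access control
        "altered_token": node_a.handle_request(direct.replace("alice", "eve"), "report")[0],  # 401
        "wrong_password": node_a.delegated_login("alice@state.example", "0" * 40),  # None
    }
```

The same token issued directly to the user is accepted by node B without node B ever seeing a password, which is the multi-node advantage the comparison slide claims for direct authentication; the local session, by contrast, is rejected everywhere except the node that issued it. Any change to a token's contents invalidates its MAC, so a node that validates through NAAS never has to parse or trust the token on its own.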

Advanced Authentication Methods

• Digest: Use the hash value of the password to authenticate users

• HMAC Signature: Sign the authentication message using the password to prove identity

• XKMS: Sign the authentication message using a key stored in the key management service

• Certificate: Sign the authentication message using a certificate issued by a trusted party

Digest Authentication

• A password digest is a fingerprint of a password

• The digest algorithm is one-way: it is difficult to calculate a password given its digest

• Users send the password digest to the server; the server calculates the password digest itself and compares it with the one received

• SHA-1 should be used to calculate the password digest

• Digest authentication gives better protection of user passwords but has many of the same problems as password authentication

Hashed Message Authentication Code (HMAC) Signature

• Users sign the authentication message using the password before sending it to NAAS

• NAAS uses the user's password as the key to verify the signature. The user is authenticated if the signature is valid

• Much safer than digest, and the message integrity is protected

• Still needs passwords, known to both client and server
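To make the difference between the Digest Authentication and HMAC Signature slides concrete, here is an added example (not code from the presentation or from NAAS) of both message formats and their server-side checks. The message fields, the JSON canonical form that the HMAC covers, the use of SHA-256 inside the HMAC and the authenticationMethod values are assumptions; SHA-1 for the digest is what the slides prescribe.

```python
import hashlib
import hmac
import json

# Constructed sample credential shared by the client and NAAS.
PASSWORD = b"correct horse"


def canonical(message):
    """Bytes covered by the HMAC: every field except the signature, in a fixed order (assumed)."""
    fields = {k: v for k, v in message.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_digest_message(user, password, domain, timestamp):
    """Digest authentication: the client sends the SHA-1 fingerprint of the password."""
    return {"user": user, "domain": domain, "timestamp": timestamp,
            "authenticationMethod": "digest",
            "credential": hashlib.sha1(password).hexdigest()}


def verify_digest(message, stored_password):
    """NAAS side: recompute the digest from the stored password and compare."""
    expected = hashlib.sha1(stored_password).hexdigest()
    return hmac.compare_digest(expected, message["credential"])


def make_hmac_message(user, password, domain, timestamp):
    """HMAC signature authentication: sign the whole message with the password as the key."""
    message = {"user": user, "domain": domain, "timestamp": timestamp,
               "authenticationMethod": "HMAC"}
    message["signature"] = hmac.new(password, canonical(message), hashlib.sha256).hexdigest()
    return message


def verify_hmac(message, stored_password):
    """NAAS side: recompute the signature with the stored password; valid only if it matches."""
    expected = hmac.new(stored_password, canonical(message), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["signature"])


def demo():
    ts = 1109548800  # constructed timestamp
    digest_msg = make_digest_message("alice", PASSWORD, "default", ts)
    hmac_msg = make_hmac_message("alice", PASSWORD, "default", ts)
    # the same messages with the domain field altered after signing (constructed)
    altered_digest = dict(digest_msg, domain="admin")
    altered_hmac = dict(hmac_msg, domain="admin")
    later_digest = make_digest_message("alice", PASSWORD, "default", ts + 1)
    return {
        "digest_ok": verify_digest(digest_msg, PASSWORD),
        # the digest depends only on the password, so it does not cover the other fields ...
        "digest_altered_still_verifies": verify_digest(altered_digest, PASSWORD),
        # ... and it is identical in every message: a static credential, like the password itself
        "digest_is_static": digest_msg["credential"] == later_digest["credential"],
        "hmac_ok": verify_hmac(hmac_msg, PASSWORD),
        "hmac_altered_rejected": not verify_hmac(altered_hmac, PASSWORD),
        "hmac_wrong_password_rejected": not verify_hmac(hmac_msg, b"wrong"),
    }
```

The altered-domain case is what the slide means by message integrity: with HMAC every field is inside the signature, so NAAS rejects any change, while the digest is a fixed function of the password alone and therefore inherits the problems of plain password authentication. Both checks use a constant-time comparison on the server side. Neither method removes the shared password, which is the limitation the XKMS and certificate slides address.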

XKMS Authentication

• XKMS is the XML Key Management Service (the 2.0 specification is coming out)

• Users generate a public/private key pair and register the public key at XKMS

• Users sign the Authenticate message using the private key before sending it to NAAS

• NAAS looks up the user's public key in XKMS and verifies the signature using the public key

• The user is authenticated if the signature is valid (proof of possession of a private key that could not possibly be owned by anyone else)

Certificate Authentication

• Users obtain a certificate from a trusted authority

• Users sign the Authenticate message using the private key and insert the certificate in the signature

• NAAS validates the certificate through a certificate validation service, possibly the Federal Bridge Certification Authority (FBCA)

• NAAS verifies the signature in the message

• The user is authenticated if both the certificate and the signature are valid

Using Advanced Authentication

• All advanced authentication methods use the same Authenticate method defined in the node functional specification, so they have no impact on existing nodes and clients

• The authenticationMethod parameter can now be digest, XKMS, HMAC, or certificate

• New node clients and a Software Development Kit (SDK) will be provided to support and simplify deployment of strong authentication methods

• A technical document, Network Authentication Mechanisms, will be released to promote the new methods

• We are moving to much stronger authentication using keys, and away from password authentication

Questions?