
Providing secure mobile access to information servers with temporary certificates

Providing secure mobile access to information servers with temporary certificates. Diego R. López drlopez@cica.es. Introduction Objectives of the system Secure access standards and mobility requirements Temporary (short-lived) certificates Characteristics Loading and issuing


Presentation Transcript


  1. Providing secure mobile access to information servers with temporary certificates Diego R. López drlopez@cica.es

  2. Introduction • Objectives of the system • Secure access standards and mobility requirements • Temporary (short-lived) certificates • Characteristics • Loading and issuing • System implementation • Components • Authentication protocol • The user’s view • Conclusions

  3. User mobility and secure access • User mobility (not just computer mobility) • Minimal HW/SW requirements • Simplicity of use • Secure access to servers • User authentication • Short-lived “connections”

  4. Secure access standards • Based on SSL/TLS • Server and client exchange X.509 certificates • X.509 certificates are assumed to be • Static • Associated with an entity’s identity • Valid in the long term • Identity is not often subject to change • Permanently stored by browsers and other information clients

  5. Mobility requirements • A token is used • Removable • Protected by a secret known to the user • Current standard: PKCS#11 • Used by most common clients • Requires specific software and/or hardware

  6. Temporary (short-lived) certificates • Are issued for a short period • Typical validity is a few hours • Time “removes” them • Simplify key generation procedures • Weaker algorithms or shorter key lengths can be employed • Simplify key management procedures • CA key changes only affect servers, not clients

  7. Loading temporary certificates • A loading program authenticates the user • The token contains both • The loading program • The authentication data • Minimal hardware and software requirements • An (almost) universal token: a diskette • An (almost) universal language: Java

  8. Issuing temporary certificates • An on-line Certification Authority (CA) has to issue the certificate • Validate the authentication data • Analyze user request • Server(s) to be accessed • Validity period • Issue the certificate

  9. System components (client side) • An Information Reader (IR): • Any information client able to use X.509 certificates • In the current implementation, Netscape 4.xx • A Temporary Certificate Client (TCC): • Negotiates with the service the session parameters • Starts the IR and initiates key generation procedures • The client JAR file is about 700K

  10. System components (authentication data) • A PKCS#12 object encrypted with a passphrase • Contains one of the keys (the private key) from a keypair assigned to the user • Included with other configuration data in a text file stored in the token:

        TCSERVER erika.cica.es:4433:4434 TCS1-CICA
        URL https://tbidata.cica.es TBI-IDBS
        TIME 30
        USER C=es, O=cica, CN=p4
        -----BEGIN CICAP12-----
        MIIC3AIBAzCABgkqhkiG9w0BBwGggCSABIICvjCCArowggK2Bgsqhki
        AqCCAqUwggKhMBsGCiqGSIb3DQEMAQYwDQQIrGHBS1QCRGkCAQEEggK
        XqyG5goN4YYGtiv8/NoLxnRhZG6Jdleybh90uMUmhyaivCxnLFoIKlf
        XTMohqpPdnl6CS5eF1u8V2dSv9+zAd3jh2E2He1hyWQBeSV7UpHWefb
        ...

  11. System components (server side) • A Temporary Certificate Server (TCS) • Acts as a (set of) on-line CA(s) • A directory that holds data pertaining to users • The other key (the public key) from the keypair assigned to the user • Acceptable session parameters • CAs the user can request certificates from

  12. Authentication protocol (diagram) • Components: token, TCC, IR, TCS, Directory • Information servers: E-mail, News, Databases, WWW, Others • 1.- Passphrase • 2.- Connect to TCS • 3.- Rs • 4.- Ekc1(Rs,Rc), Kt2 • 5.- Kc2, CA? • 6.- Kc2, CA • 7.- Skca(Kt2) • 8.- Access to information servers

  13. The user’s view

  14. Conclusions • Thin-client based approach to information servers access control • Eases user mobility: • Practically any host with Internet access can be employed • Simplifies access control management • Open issues • Generalization of the procedures for other IRs • Finer granularity in access control • Token-less authentication protocol (applet)
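
The short lifetime described in slides 6 and 8, as an added Ruby example that is not part of the original presentation: a stand-in CA certifies a temporary public key for a requested number of minutes, and the certificate stops verifying once that time has passed, with no revocation step. The subject names, the RSA key size and the 30/60 minute figures are constructed assumptions.

```ruby
require "openssl"

# Builds an X.509 v3 certificate for pub, signed by signer. With issuer_cert nil the
# certificate is self-signed and marked as a CA (stand-in for the on-line CA key).
def make_cert(subject, pub, issuer_cert, signer, not_before, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # the value 2 encodes X.509 v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pub
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", issuer_cert ? "CA:FALSE" : "CA:TRUE", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "clientAuth")) if issuer_cert
  cert.sign(signer, OpenSSL::Digest.new("SHA256"))
end

# CA side: certify the client's temporary public key for the requested number of
# minutes, refusing anything above the limit allowed for this user (max_minutes).
def issue_temporary(ca_cert, ca_key, temp_pub, subject, minutes, max_minutes, now)
  unless minutes.is_a?(Integer) && minutes.between?(1, max_minutes)
    raise ArgumentError, "requested validity is outside the acceptable session parameters"
  end
  make_cert(subject, temp_pub, ca_cert, ca_key, now, now + minutes * 60)
end

# Server side: does cert chain to ca_cert at the given time? No CRL is consulted.
def valid_at?(cert, ca_cert, time)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.time = time
  store.verify(cert)
end

# Constructed demo values (assumptions, not taken from the presentation).
NOW = Time.now
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/O=Example/CN=Example TCS CA", CA_KEY.public_key, nil, CA_KEY, NOW - 60, NOW + 86_400)
KT = OpenSSL::PKey::RSA.new(2048) # temporary key pair generated on the client
TEMP = issue_temporary(CA_CERT, CA_KEY, KT.public_key, "/O=Example/CN=example-user", 30, 60, NOW)

if __FILE__ == $PROGRAM_NAME
  puts "10 min after issue: #{valid_at?(TEMP, CA_CERT, NOW + 600)}"
  puts "31 min after issue: #{valid_at?(TEMP, CA_CERT, NOW + 1860)}"
end
```

Only the verification time differs between the two checks, so the second result shows expiry alone taking the certificate out of use.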
