This document discusses the integration of Public Key Infrastructure (PKI) with various security systems, focusing on authentication services like Kerberos and network layer security protocols including IPsec. It highlights the ability to use PK certificates for obtaining Kerberos credentials and managing user identities without separate registrations. Additionally, it addresses the importance of authorization management policies, separating policy from mechanism, and facilitating credential transport through interfaces like the Generic Authorization and Access Control API (GAA-API). The aim is to streamline security management in applications by simplifying authentication processes.
PKI interfaces with other security systems
B. Clifford Neuman
University of Southern California, Information Sciences Institute
Security Services Integration with PKI
• Authentication
  • Other authentication services, e.g. Kerberos
• Network layer security services
  • IPSEC
• Secure Messaging
  • S/MIME, etc.
• Authorization
  • Generic Authorization and Access Control API
  • Really the only piece that should be visible to the application.
Kerberos mediated services
• Use PK certificates to obtain initial Kerberos credentials via PKINIT
• These credentials are usable in the same manner as if the client were registered as a traditional Kerberos user
• Allows management of users through PKI, without separate Kerberos registration.
• KDC can check revocation lists at time of initial authentication.
Integrating Authorization
• Focus on authorization and the management of policies used in the authorization decision.
• Applications shouldn't care about authentication or identity.
• Separate policy from mechanism
• Authorization may be easier to integrate with applications.
• Hide the calls to the key management and authentication functions.
Credential transport is needed
• The GAA-API gets user & connection info from Security Context:
  • Evaluated and unevaluated credentials
  • Delegated authority
  • Cross-calls to transport to retrieve additional creds
• The security context is provided as:
  • Output from GSS-API (requires many calls)
  • Credentials from transport or session protocols
    • SSL, ARDP
• Other extensions are needed:
  • IPSec, pulled from Kernel, other extensions
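The two slides above ("Integrating Authorization" and "Credential transport is needed") describe an architecture rather than code: the application makes a single authorization call, the policy is kept separate from the mechanism that enforces it, and the security context carries evaluated credentials, unevaluated credentials and delegated authority, with a cross-call back to the transport to verify what has not yet been evaluated. The following Python sketch, added here as an illustration and not code from the presentation or from the real GAA-API, shows one way those pieces fit together. The `SecurityContext` fields, `check_authorization`, the `POLICY` rule format, `demo_verify` and the token values are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass
class SecurityContext:
    """What the transport/session layer hands to the authorization interface.

    Hypothetical shape used for this illustration; the real GAA-API differs.
    """
    # Credentials the transport layer has already verified, e.g. the Kerberos
    # principal from a ticket or the subject of an SSL/IPsec peer certificate.
    evaluated: FrozenSet[str]
    # Assertions presented by the peer but not yet verified.
    unevaluated: List[str] = field(default_factory=list)
    # Authority delegated to this peer: (delegator, attributes it may exercise).
    delegated: List[Tuple[str, FrozenSet[str]]] = field(default_factory=list)
    # Cross-call into the transport/credential service that verifies one
    # unevaluated credential and returns the attribute it proves, or None.
    verify: Optional[Callable[[str], Optional[str]]] = None

    def attributes(self) -> Dict[str, str]:
        """Attributes the context can vouch for, keyed to how each was established."""
        held = {attr: "evaluated by transport" for attr in self.evaluated}
        for token in self.unevaluated:
            proved = self.verify(token) if self.verify else None
            if proved is not None:
                held.setdefault(proved, f"verified on demand from {token}")
        for delegator, rights in self.delegated:
            for attr in rights:
                held.setdefault(attr, f"delegated by {delegator}")
        return held


# Policy is data kept apart from the enforcement code: (object, operation,
# attribute that grants it). "any" grants to every authenticated context.
Policy = List[Tuple[str, str, str]]

# Constructed sample policy.
POLICY: Policy = [
    ("/payroll/reports", "read", "group:finance"),
    ("/payroll/reports", "write", "role:payroll-admin"),
    ("/public/readme", "read", "any"),
]


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str


def check_authorization(ctx: SecurityContext, policy: Policy,
                        obj: str, op: str) -> Decision:
    """The one call an application makes; identity and key handling stay hidden."""
    held = ctx.attributes()
    for rule_obj, rule_op, needed in policy:
        if (rule_obj, rule_op) != (obj, op):
            continue
        if needed == "any":
            return Decision(True, "rule grants any authenticated principal")
        if needed in held:
            return Decision(True, f"{needed} ({held[needed]})")
    return Decision(False, f"no rule grants {op} on {obj}; held {sorted(held)}")


# Constructed stand-in for the credential service the interface cross-calls:
# it maps an opaque token to the attribute it proves and rejects anything else.
_TOKEN_TABLE = {"tok-finance-7f3a": "group:finance"}


def demo_verify(token: str) -> Optional[str]:
    return _TOKEN_TABLE.get(token)


def demo() -> Dict[str, Decision]:
    """Four constructed requests exercising each way an attribute can be held."""
    alice = SecurityContext(evaluated=frozenset({"user:alice"}),
                            unevaluated=["tok-finance-7f3a"], verify=demo_verify)
    bob = SecurityContext(evaluated=frozenset({"user:bob"}),
                          unevaluated=["tok-forged"], verify=demo_verify)
    carol = SecurityContext(evaluated=frozenset({"user:carol"}),
                            delegated=[("user:dave", frozenset({"role:payroll-admin"}))])
    return {
        "alice-read": check_authorization(alice, POLICY, "/payroll/reports", "read"),
        "bob-read": check_authorization(bob, POLICY, "/payroll/reports", "read"),
        "carol-write": check_authorization(carol, POLICY, "/payroll/reports", "write"),
        "bob-readme": check_authorization(bob, POLICY, "/public/readme", "read"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'GRANT' if decision.granted else 'DENY'} - {decision.reason}")
```

The application code never sees a certificate, a ticket or a key: it passes the context it was handed and gets back a decision with the reason attached. Swapping the policy table or the `verify` cross-call changes what is authorized without touching the application, which is the separation of policy from mechanism the slides argue for; the forged-token case also shows why unevaluated credentials must be verified before they count.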