Transcript of Jumpstart webinar: Jumpstart Infrastructure Services, PKI - STS
30 September 2015
Sessions: 09.00-10.00 CET and 17.00-18.00 CET
JUMPSTART INFRASTRUCTURE SERVICES PKI - STS
1. Security: wider interoperability context #1
• Interoperability frameworks:
– Security is everywhere:
• Horizontal
• Vertical
• Transversal
• Cross-cutting
– Many layers/aspects: from technology to legal
• Data:
• In motion
• Being processed
• At rest
1. Security: wider interoperability context #2
• Competing requirements:
– Security strength
– Performance
– Scalability
– Cost
– Complexity
– ...
– Safety
1. Security: wider interoperability context #3
• Many technologies, often overlapping functionality
• Lifecycle: hype/mainstream/obsolescence
– Maturity
– Changing threat levels
– Increasing awareness of/for cybersecurity
– SIEM
– Flaws/bugs
1. Security: wider interoperability context #4
• Many regulations/standards/frameworks/best practices
– International treaties, regional and national laws, regulations
– ITU, IEC, ISO, ETSI, ...
– ISO 270xx, Cobit 5, ITIL v3, ...
– ECRYPT II, FIPS, NIST, ...
– PCI-DSS, ...
• Need for trust and compatibility of policies
2. Security: Identity Management #1
• Security needs:
– related to the identities that exchange information: authenticity, authorisation, integrity, confidentiality, non-repudiation
– various classifications, such as the CIA triad, Parkerian Hexad, Microsoft STRIDE, ...
– ontology disputes/mapping. Example:
• authenticity could be seen as integrity of origin
• authenticity and authorisation could be seen as access control
• Identity Management standards and ontology:
– ITU-T X.1250 – X.1279
– ISO/IEC 24760
• Scope:
– interoperability and security at the level of the Technical Infrastructure for data in motion
– some of the described mechanisms could be (re)used in other scopes, but this is not part of this Webinar
2. Security: Identity Management #2
• Challenges:
– participants that speak the same protocols is one thing
– participants that manage all elements of involved identities to use in the protocols is another:
• at very small scale, all actors can manage all elements of involved identities,
• but at larger scale this becomes increasingly unmanageable
• hence interest for shared/shareable infrastructure:
– that helps to avoid multiplication of effort
– whereby the deployment can be organised in a wide variety of forms
3. Security: securing the data in motion #1
• Layered model:
– Network, transport and message level
– Solutions for security needs can be provided at different layers and possibly combined
3. Security: securing the data in motion #2
Examples of security technology
(Slide table: each technology is listed under the security needs it covers; the columns were Authentication, Authorisation, Integrity, Confidentiality and Non-repudiation. The dates are the publication dates given on the slide.)
• Message (end-to-end):
– WS-Security 1.1(.1) (2006/2 - 2012/5): listed under all five needs
– SAML 2.0 (2005/3 ->)
– XML Signature 1.1 (2013/4 ->)
– XML Encryption 1.1 (2013/4)
– OAuth2 (2012/10)
– OpenID Connect 1.0 (2014/11 ->): listed under all five needs
– JOSE (<- 2015/5 ->): listed under all five needs
– HTTP/1.1 Basic Authentication (1999/6)
– XACML 3.0 (2013/1 ->)
• Transport (point-to-point):
– TLS 1.2 (2008/8 ->)
– SSH 2.0 (2006/1 ->)
– HTTP/1.1 Basic Authentication (1999/6)
• Network (net-to-net, net-to-host, host-to-host):
– IPsec (2005/12 ->)
3. Security: securing the data in motion #3
• One size does not fit all:
– Many functionalities
– Many technologies
– Many combinations
– Many changes
– ...
– Many opinions
3. Security: securing the data in motion #4
• 2 technology families are selected for SESAR SWIM TI to support identity:
– Private/public key based concept:
• Can be used autonomously and provide sufficient protection
• Is used in many other security technologies as an (almost) unavoidable complement.
• Machine to machine communication
– STS based concept:
• Support for claims
• Concept supported by many security technologies
• Suitable for any type of client
• Can mediate and abstract the pace of change
3. Security: securing the data in motion #5
• Within each family a specific and limited set of mandated technology:
– PKI, X.509v3 based
– STS, WS-Trust based, Username/SAML/Certificate token profiles
• Within both families capabilities for federation between distinct security domains:
– BCA
– WS-Federation
4. Security: Jumpstart Infrastructure Services #1
• Discovery and Demonstration SWIM:
– Not for operational use!
• Low threshold access to Infrastructure Services:
– Autonomous self-paced discovery
– Support your own demonstrations
– Reusable by multiple service consumers and service providers
4. Security: Jumpstart Infrastructure Services #2
• Jumpstart Infrastructure Service, Identity Management solution:
– PKI supporting X.509v3 certificates based on tooling included in Windows Server 2012 R2, including:
• GUI request interface
• secured management interface (issuing, revocation, etc.)
• AIA and CDP
• OCSP responder
– STS based on Open Source tooling provided by Thinktecture, IdentityServer v2 (latest v2.5), including:
• support for WS-Trust and WS-Federation
• secured management interface
• SAML tokens
• token signing
• extensible claims management
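The following is an added example, not Jumpstart, SESAR or Thinktecture code, illustrating two points made above: message-level (end-to-end) security from the layered model, and the STS concept, where an STS issues a signed token carrying claims and the service that receives it verifies the token before honouring the claims. To stay runnable with the Python standard library alone it signs the token in the JOSE (JWS) compact format with HS256 over a shared key; the Jumpstart STS instead issues SAML tokens signed with its certificate, which changes the signing primitive but not the checks a relying service must make (algorithm pinning, signature, issuer, audience, lifetime, then the claims themselves). The issuer name, service name, subject, role claim, key and clock value are all constructed for the example.

```python
"""Added example (not Jumpstart/SESAR code): a minimal STS-style token flow.

The STS issues a signed token carrying claims; the relying service verifies
signature, issuer, audience and lifetime before honouring the claims.
Signing is HS256 (JOSE/JWS compact serialization) over a shared key so the
example runs with the standard library only. All names below are hypothetical.
"""
import base64
import binascii
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"  # constructed, not a real key
STS_ISSUER = "urn:example:sts"                 # hypothetical STS name
SERVICE_AUDIENCE = "urn:example:fixm-service"  # hypothetical relying service
NOW = 1_000_000                                # fixed clock (seconds) so results are reproducible


class TokenError(Exception):
    """Raised when a token must be rejected; the message says why."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(key: bytes, subject: str, audience: str, claims: dict,
                now: int, lifetime: int = 300) -> str:
    """STS side: wrap the caller's claims in a short-lived, signed token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": STS_ISSUER, "sub": subject, "aud": audience,
               "iat": now, "exp": now + lifetime, **claims}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    return f"{signing_input}.{_b64url(_sign(key, signing_input.encode('ascii')))}"


def verify_token(key: bytes, token: str, expected_audience: str, now: int) -> dict:
    """Relying-party side: return the claims only if every check passes."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        signature = _unb64url(s)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm: the token's own header must not decide how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = _sign(key, f"{h}.{p}".encode("ascii"))
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(p))  # parse the claims only once the signature holds
    if claims.get("iss") != STS_ISSUER:
        raise TokenError("unknown issuer")
    if claims.get("aud") != expected_audience:
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims


def service_decision(key: bytes, token: str, now: int) -> tuple:
    """Hypothetical service: (accepted, reason). Requires the 'flight:read' role claim."""
    try:
        claims = verify_token(key, token, SERVICE_AUDIENCE, now)
    except TokenError as err:
        return False, str(err)
    if "flight:read" not in claims.get("roles", []):
        return False, "missing role"
    return True, claims["sub"]


def forge_claims(token: str, extra: dict) -> str:
    """Simulate a client editing its own claims without the STS key (old signature kept)."""
    h, p, s = token.split(".")
    payload = json.loads(_unb64url(p))
    payload.update(extra)
    return f"{h}.{_encode_json(payload)}.{s}"


def demo() -> None:
    good = issue_token(SHARED_SECRET, "svc-consumer-01", SERVICE_AUDIENCE,
                       {"roles": ["flight:read"]}, NOW)
    print("genuine token:", service_decision(SHARED_SECRET, good, NOW))
    forged = forge_claims(good, {"roles": ["flight:read", "flight:write"]})
    print("edited claims:", service_decision(SHARED_SECRET, forged, NOW))
    print("after expiry: ", service_decision(SHARED_SECRET, good, NOW + 301))
    other = issue_token(SHARED_SECRET, "svc-consumer-01", "urn:example:other-service",
                        {"roles": ["flight:read"]}, NOW)
    print("other audience:", service_decision(SHARED_SECRET, other, NOW))


if __name__ == "__main__":
    demo()
```

The order of checks in verify_token is the point of the example: the service fixes the algorithm itself, checks the signature before it reads any claim, then checks who issued the token and for whom, and only then looks at the roles. A token whose claims were edited after issue, one meant for another service, or one past its lifetime is rejected with a reason that can be logged, which is what makes the STS a practical place to centralise identity handling rather than each service managing every element of every identity.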
4. Security: Jumpstart Infrastructure Services #3
• Based on existing tooling: “Jumpstart” added value?
– A-Z guided and integrated installation documentation/scripts that can be replayed even with very low prior knowledge
– Infrastructure that is effectively used in Jumpstart Services:
• Aligned with Yellow Profile
• Services with small code footprint illustrating use of AIXM, FIXM and IWXXM
• Secured using the Identity Management Infrastructure described in this Webinar
• On cloud infrastructure
• Subject of another Webinar
– The choice of the configuration is targeted to be extendable. E.g.:
• Multiple CAs, cross-certification
• Multiple OCSP responders, on behalf of multiple CAs
• Multiple STS, federation
• Additional Token types
4. Security: Jumpstart Infrastructure Services #4
• Low threshold:
– Low upfront experience requirements
– Low financial cost: all-in cloud solution already from 12 EURO per month
– Low time investment: first run-through in about 4 hours; a restart from scratch will go (much) faster
– Low maintenance: we have run this configuration almost unattended for about 1.5 years, with almost no down-time
• Other solutions?
– The chosen solutions are not the only solutions available
– Equivalent functionality can be provided on other platforms and by other tools