authentication authorisation and accounting aaa framework
play

Authentication, Authorisation and Accounting(AAA) Framework (RFC - PowerPoint PPT Presentation

Oct 28, 2023 •423 likes •617 views

Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala (vyas@vt.edu) CS 6204, Spring 2005 1 Background Not a standard. Establishes requirements for Authentication, Authorization & Accounting(AAA)

  1. Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala (vyas@vt.edu) CS 6204, Spring 2005 1

  2. Background ♦ Not a standard. Establishes requirements for Authentication, Authorization & Accounting(AAA) ♦ Related RFC’s • 2906 – Authorization Requirements • 2905 – Authorization Application Examples ♦ Authentication method and Accounting requirements are outside the scope of this document, except to the extent they influence the authorization process ♦ Sample applications referenced in RFC 2905 • PPP with dialin with roaming • Mobile IP • Bandwidth broker for QoS • Internet Printing • E –commerce • Computer based education and Distance Learning CS 6204, Spring 2005 2

  3. Authorization Entities and Relationships ♦ Entities – User - one who accesses the service or resource – UHO - User Home Organisation. Verifies that user is allowed to access the requested service. May carry information required to authorize the user and this information may not be known to the service provider – Service Provider’s(SP) AAA server - Authorizes a service based on an agreement with UHO & without specific knowledge of individual user. SP and UHO can be either in same or different administrative domain. – Service Equipment(SE) - belongs to Service Provider and provides the actual service e.g. router in QoS, Printer or NAS in dial service ♦ Relationships – Authorization is based on “static” trust agreements between UHO and SP – Trust agreements may be chained between various organisations – Static trust relationships between different entities are used to establish dynamic trust between User and Service Equipment CS 6204, Spring 2005 3

  4. Message Sequences ♦ Single domain - Agent Sequence ♦ AAA server acts as agent between User and Service Equipment Service Provider 1 User AAA Server 4 3 2 Service Equipment 1. User sends request to Service Provider’s AAA server 2. AAA server forwards request to Service Equipment 3. Service Equipment responds to AAA server informing if the service is set up or not 4. AAA server replies to User based on SE’s response CS 6204, Spring 2005 4

  5. Message Sequences ♦ Single domain - Pull Sequence ♦ Service Equipment Pulls authorization information from AAA Server Service Provider AAA Server User 2 4 3 1 Service Equipment 1. User sends request to Service Equipment 2. Service Equipment forwards request to AAA server 3. AAA server responds to Service Equipment if the request can be honored 4. Service Equipment informs User that service is ready (if not, denies the service) CS 6204, Spring 2005 5

  6. Message Sequences ♦ Single domain - Push Sequence ♦ User Pushes authorization obtained from AAA server to Service Equipment Service Provider 1 AAA Server User 2 4 3 Service Equipment 1. User sends request to Service Provider’s AAA server 2. AAA server authorizes the user and gives him a ticket 3. User presents the ticket to Service Equipment 4. Service Equipment verifies the ticket and grants User access to Service CS 6204, Spring 2005 6

  7. Roaming ♦ Roaming - UHO and SP can be different organizations ♦ Agent sequence with roaming ♦ UHO authenticates the user but service is provided by different organization User Home Organization (UHO) 1 User AAA Server 4 3 2 Service Provider AAA Server Service Equipment CS 6204, Spring 2005 7

  8. Roaming ♦ Pull sequence with roaming User Home Organization (UHO) User AAA Server 4 3 2 Service Provider AAA Server 1 Service Equipment CS 6204, Spring 2005 8

  9. Roaming ♦ Push sequence with roaming User Home Organization (UHO) 1 User AAA Server 2 4 Service Provider AAA Server 3 Service Equipment CS 6204, Spring 2005 9

  10. Distributed Services ♦ Distributed Services – Many organizations may be cooperating to offer the service e.g. QoS – Message Sequences between organizations might be different. e.g.User and Org1 use Pull sequence. Org1 and Org2 use Agent sequence – Other message semantics are also possible. Org1 can send a response before verification by Org2. In such case protocol must support revocation. – Roaming and distributed services can be combined leading to SuperOrg and Broker Org1 Org 2 3 AAA AAA Server Server User 6 5 2 8 4 7 1 Service Service Equipment Equipment CS 6204, Spring 2005 10

  11. Authorization Policy ♦ Policy Framework Working Group specifies a way to represent, manage and share policies and policy information in a vendor- independent, interoperable and scalable manner (RFC 3060) • Defines a hierarchical Object based structure (CIM) • LDAP based implementation of CIM ♦ Each organization has policies defined independent of other administrations ♦ Authorization is the result of retrieving, evaluating and enforcement of each independent policy ♦ Policy definitions are stored in a Policy Repository, accessible to the organization that requires them. The Organization requiring the policy is responsible for determining which policy is to be applied CS 6204, Spring 2005 11

  12. Distributed Policy ♦ Policy Retrieval Point (PRP) retrieves policy from Policy Repository ♦ Policy Decision Point (PDP) evaluates the Policy ♦ Policy Enforcement Point (PEP) or Policy Target enforces policy ♦ AAA servers can be PRP and PDP. SE acts like a PEP ♦ Policy Repository can be stored in directories or at AAA server ♦ Policy Information Points contain information against which policy conditions are evaluated ( resource status, session state or time of day) Service Provider PRP UHO PRP AAA Server PIP User PIP PDP AAA Server PDP PRP Service PIP PIP Equipment PEP PDP CS 6204, Spring 2005 12

  13. Policy Evaluation and Enforcement ♦ Policy Decision Point must either – have a way to query remote administration for information necessary to evaluate policy – or forward the local policy to remote administration for evaluation ♦ Policy Enforcement is performed by Service Provider on Service Equipment. SE is same as Policy Target described in PFWG. SP’s AAA server and SE might communicate via a own protocol or use the same protocol used between different AAA servers CS 6204, Spring 2005 13

  14. Attribute Certificates ♦ Attribute Certificate (AC) is like a Public Key Certificate (PKC) except that it contains group membership, role, clearance and other access control information ♦ PEP and PDP has to ensure that AC owner is the one who requested the service. AC can contain a pointer to owner’s PKC ♦ PKC can be considered like a Passport and AC like entry visa ♦ Client can push the AC to server or Server can retrieve AC from a repository ♦ Standards are being defined by PKIX working group CS 6204, Spring 2005 14

  15. Resource Management ♦ Authorization may involve a chain of servers ♦ In many applications authorization results in establishing an “ongoing service” (session) ♦ AAA servers have to keep track of session state and make changes as necessary ♦ AAA server MAY have a Resource Managers. RM tracking a session need to be able to initiate changes and communicate with other peer RMs ♦ Each session is identified by a session identifier(SID) unique to a AAA server. It is desirable that SID is same across all AAA servers CS 6204, Spring 2005 15

  16. Session Management ♦ Service Equipment should be able to notify RM of change in session state. ♦ RM will need to keep state of each session fresh via periodic keep alive messages or querying ♦ Any RM in the chain must have the ability to terminate a Session. Each RM must know atleast its adjacent AAA servers ♦ RM must conceal identity and location of its private internal AAA components from other administrative domains ♦ RM must cooperate with PDP and PEP. It acts like a PIP CS 6204, Spring 2005 16

  17. Message Forwarding and Delivery ♦ AAA server forwards message to a “logical destination address” ♦ Every Application defines the mapping from logical address to network address. e.g. NAI for roaming dialin ♦ When forwarding messages for an established session, messages must be prefixed by Session Identifier ♦ Underlying message delivery system must support • Unicast • Data Integrity and error detection • Reliable data transport • Sequenced data delivery • Responsive to network congestion CS 6204, Spring 2005 17

  18. End to End security ♦ AAA protocols are used to provide security, so they themselves must be free from security holes ♦ End to End message integrity ♦ Confidentiality ♦ Replay protection ♦ Non - repudiation ♦ Ability to secure portion of payload ♦ Intermediate AAA Servers must be able to securely attach local policy information to messages before forwarding ♦ Some applications can provide direct end to end authorization by having the Broker act as certification authority CS 6204, Spring 2005 18

  19. Possible attacks ♦ Authorization protocols must be impervious to replay attacks ♦ If proxying is used, man-in-the-middle attacks must be avoided ♦ If Push model is used, the ticket must not be hijackable by third party ♦ In multi-party authorization,sensitive information should be protected from unauthorized parties involved in making decision ♦ Should guard against Denial of Service attacks CS 6204, Spring 2005 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System

Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System

Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System Miros aw Czyrnek (majrek@man.poznan.pl) Marcin Lubo ski (laser@man.poznan.pl) Cezary Mazurek (mazurek@man.poznan.pl) AGENDA AGENDA

447 views • 22 slides
Grid Authentication and Authorisation Issues kos Frohner at CERN Overview Setting the

Grid Authentication and Authorisation Issues kos Frohner at CERN Overview Setting the

Grid Authentication and Authorisation Issues kos Frohner at CERN Overview Setting the scene: requirements Old style authorisation: DN based gridmap-files Overview of the EDG components VO user management: VOMS

384 views • 21 slides
SRA Authorisation Rules & New Firm Authorisation - Guidance for new & existing firms

SRA Authorisation Rules & New Firm Authorisation - Guidance for new & existing firms

SRA Authorisation Rules & New Firm Authorisation - Guidance for new & existing firms Presenters Rachel Lewis Director of Authorisation at the SRA Also responsible for the SRA Contact Centre & Business Support Services Has

525 views • 30 slides
Companies Framework Guide to assist through the process for authorisation and registration in

Companies Framework Guide to assist through the process for authorisation and registration in

Collective Investment Management Companies Framework Guide to assist through the process for authorisation and registration in Portugal 1 Collective Investment Management Companies Framework 1 Supervision model in Portugal Regulatory

424 views • 13 slides
Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process

Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process

1 st EMEA Workshop for Micro, Small and Medium- Sized Enterprises (SMEs) Navigating the Regulatory Maze Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process Dr Evdokia Korakianiti Scientific

474 views • 21 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Accounting framework breakout discussion Marcelo Rocha and Marcel Berk CCXG Global Forum 19

Accounting framework breakout discussion Marcelo Rocha and Marcel Berk CCXG Global Forum 19

Accounting framework breakout discussion Marcelo Rocha and Marcel Berk CCXG Global Forum 19 September 2013 Climate Change Expert Group www.oecd.org/env/cc/ccxg.htm Two part discussion 1. General issues and elements of an accounting framework

473 views • 9 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Evaluation of methodological issues in the EPA Accounting Framework for Biogenetic Carbon

Evaluation of methodological issues in the EPA Accounting Framework for Biogenetic Carbon

Evaluation of methodological issues in the EPA Accounting Framework for Biogenetic Carbon Dioxide Emissions study By Roger A. Sedjo Resources for the Future October 25, 2011 Evaluation of methodological issues in the Accounting

492 views • 23 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
applications Jan Wijmenga Directorate for Environmental safety and Risks Structure of

applications Jan Wijmenga Directorate for Environmental safety and Risks Structure of

Dutch framework - assessing authorisation applications Jan Wijmenga Directorate for Environmental safety and Risks Structure of presentation The REACH process o Registration Evaluation Authorisation Restriction o

278 views • 14 slides
Authentication Scenarios India Ramachandran India 1.2 billion residents -640,000 villages

Authentication Scenarios India Ramachandran India 1.2 billion residents -640,000 villages

Authentication Scenarios India Ramachandran India 1.2 billion residents -640,000 villages -~800 million mobile, ~200-300 mn migrant workers Authentication Scenarios Government e-praman authentication framework - PKI In

639 views • 35 slides
Groundwater Management Program Update Water Accounting Framework Update Groundwater Level

Groundwater Management Program Update Water Accounting Framework Update Groundwater Level

Groundwater Management Program Update Water Accounting Framework Update Groundwater Level Monitoring Groundwater Data Request Need for a Framework SGA formed : To maintain the long-term sustainable yield of the North Area Basin.

589 views • 15 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
INTRODUCTION TO ACCOUNTING Session 01 Session Outline Definition of Accounting History

INTRODUCTION TO ACCOUNTING Session 01 Session Outline Definition of Accounting History

INTRODUCTION TO ACCOUNTING Session 01 Session Outline Definition of Accounting History of Accounting Objectives of Accounting Users of Accounting Information Book-keeping vs. Accounting Financial Accounting vs. Management

625 views • 14 slides
International Student Employment & Degree Level Changes Topics to Cover > Background on

International Student Employment & Degree Level Changes Topics to Cover > Background on

International Student Employment & Degree Level Changes Topics to Cover > Background on International Student Services (ISS) > Newcomers Intro to International Student Employment Background on CPT & OPT Recent OPT Changes

870 views • 54 slides
Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a

Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a

Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a University Department of Computing Science Stephen J. Hegner hegner@cs.umu.se http://www.cs.umu.se/~hegner Authorization, Security, and Privacy

537 views • 40 slides
Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia, Duminda Wijesekera Dep. of Information and Communication Technology, University of Trento

675 views • 19 slides
Security and Authorization CS430/630 Lecture 18 Slides based on Database Management Systems

Security and Authorization CS430/630 Lecture 18 Slides based on Database Management Systems

Security and Authorization CS430/630 Lecture 18 Slides based on Database Management Systems 3 rd ed, Ramakrishnan and Gehrke Definitions Security policy specifies who is authorized to do what Security mechanism allows to

892 views • 26 slides
Knocking Down the Big Door Breaking Authentication and Segregation of Production and

Knocking Down the Big Door Breaking Authentication and Segregation of Production and

Knocking Down the Big Door Breaking Authentication and Segregation of Production and Non-Production Environments Nahuel Grisola Cinta Infinita, Founder / CEO @cintainfinita Buenos Aires, 27 de Abril 2018 nahuel@cintainfinita.com.ar

961 views • 83 slides
Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT,

Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT,

Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT, Germany Steven Arzt | Fraunhofer SIT, Germany Stephan Huber | Fraunhofer SIT, Germany With the help of: Alexander Traud, Benedikt Hiemenz, Daniel

1.23k views • 95 slides
Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents https://cametoolbox.fnal.gov/Project/WADReports?ProjectName=HL-L... Work Authorization Documents Work Authorization Document Control Account Information Control Account Manager: 10629N Nobrega, Fred Control

56 views • 5 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/24/2017 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

533 views • 14 slides

More recommend