PKI, Kerberos, SAML & Shibboleth, OpenID, CardSpace & ID
password, OTP, bio, smartcard, PKI, CardSpace, ID; what you have.., 2 factor, strong authentication
(SSO) Kerberos, OpenID
Shared authentication: SAML, Shibboleth
PKI
N^2 ? [diagram: Sender: Plain Message -> Encryption -> Encrypted Message -> Decryption -> Plain Message: Receiver]
[diagram: Sender: Plain Message -> Encryption (Public key of Receiver) -> Encrypted Message -> Decryption (Private key of Receiver) -> Plain Message: Receiver]
[diagram: Sender: Message -> Signing (Private key of Sender) -> Message + Signature -> Verification (Public key of Sender) -> OK: Receiver]
[diagram: S, R; 1. Verify ownership (R); 2. Public key of R; 3.]
CA (Certificate Authority): 0. trust; 1. Verify R; 2. Public key of R; 3. Publish <Certificate> (CA's signature); 4. Verify Cert (Sender, CA's public key)
Root CA: KISA; RA: KB; 0. root CA (KISA's public key); 1. 2. 3. 4.
SSH (Secure Shell): MITM attack ( )
KERBEROS, OPENID
SSO: point; [diagram: User DB, User DB]
Kerberos ( ): KDC (Key Distribution Center) = AS (Authentication Server) + TGS (Ticket Granting Server); [diagram: User, Kerberized Client, Kerberized Server; steps 1-6]
Kerberos
Kerberos + SSH: [diagram: Kerberos, SSH Client, Server]
OpenID: Open what? Provider: OP (OpenID provider); Id: OpenID (url), e.g. http://myid.com/kimcs; Trust; id/pw to OP. [flow: 1. ID; 2.; 3. Redirection ( ); 4. id/pw; 5. redirection (assertion)]
OpenID Protocol
OpenID + SSH: [diagram: SSH Client, SSH Server, OpenID Client, shell, url, OpenID]
SAML, SHIBBOLETH
Shared authentication: domain -> SAML. ID Federation?.. kimcs = cskim
Project Liberty / .Net Passport (Microsoft, Kerberos like..). Liberty Project (Liberty from M$): Sun, AOL, IBM! ID Federation: authentication sharing (ID-FF -> SAML 2.0); Attribute sharing: ID-WSF
ID: IAM (Identity & Access Management)
ID Federation: Kimcs (Alias: Mr3tTJ, Remote site: Site B, Name: dtviir); cskim (Alias: dtviir, Remote site: Site A, Name: Mr3tTJ)
SSO 1
SSO 2
SSO: [diagram: Site A LOGIN (ID: kimcs, Password: ******); Site B]
AuthnRequest: RequestID, MajorVersion, MinorVersion, IssueInstant, consent, Signature, ProviderID, NameIDPolicy, ProtocolProfile, RequestAuthnContext (AuthnContextClassRef, AuthnContextComparison), RelayState. SP: Federation: federated; SSO: none; Artifact / POST. AuthnResponse: ResponseID, InResponseTo, MajorVersion, MinorVersion, IssueInstant, consent, Signature, samlp:Status, ProviderID, RelayState, Assertion. [flow diagram: IDSP ID; AuthnRequest (RequestID); AuthnRequest (RelayState)]
SAML + SSH: OpenID, http://rnd.feide.no/content/integrating-ssh-access-saml-20
Shibboleth project (in Internet2 Middleware): Attribute, Access control
EIDMS (ETRI ID Management System)
SSO
CARDSPACE, ID
User Centric ID management / Personal Identity Framework: password, OTP, ...
CardSpace (Microsoft, client side ID): Card Issuer, Card Consumer, MS CardSpace Client
CardSpace + SSH: [diagram: SSH, CS]
ID by ETRI: ID?, ID?, DB; ID: ETRI, Microsoft, KISA
[comparison table: OTP, Bio, PKI, SmartCard; ratings 5, 0/3, 4, 3] -> .... User-centric =>
SSO: SAML, OpenID, Kerberos, OpenID.., Open Toolkit, 2??, Proven Technologies, SSH
Beyond SSH: Virtual Organization, Virtualization
PKI : ; SSO Kerberos : ; OpenID : ; SAML : ( ); User Centric or Personal Identity f/w &
Q&A