SIS: Secure Information Sharing “For Windows Systems”


Dec 4, 2013 (3 years and 6 months ago)


SIS: Secure Information Sharing for Windows Systems


Osama Khaleel


CS526 Semester Project

5/1/2006

Okhaleel SIS

2

Introduction


The Internet is the most dominant place for data exchange and information sharing.

Thus, providing a reliable, secure, and easy-to-use system to access critical information is crucial.

Given that password-based access does not meet high-level security requirements, we need a stronger approach for access control.


Goals:


Porting the previous SIS project (Linux/LDAP/Mod_LDAP/Apache) to Windows system with the necessary improvements.

Providing secure access control based on digital and attribute certificates.

Implementing a flexible and scalable Role Based Access Control (RBAC) model.

Building an Access Control Engine (ACE) for IIS to enforce our RBAC policy. Investigate the framework so that we can build ACE for Instant Messaging, and other network services.

Providing an easy-to-use GUI for creating and managing:

    Public Key Infrastructure (PKI),

    Privilege Management Infrastructure (PMI), and

    RBAC.


The Transformation:


Basically, the working environment will be Windows instead of Linux.

Active Directory (AD) is used instead of LDAP server.

Microsoft IIS 6.0 replaces Apache web server.

Improving the RBAC policy enforcement from static If-Else checking to a dynamic XML based solution.


Testbed Configuration


A testbed has been built to test the SIS system.

It consists of four machines:

    Windows Server 2003 with AD (acts as the Domain Controller).

    Windows Server 2003 with IIS 6.0 (acts as a web server).

    Windows XP as a client.

    A Gateway running Fedora Core 4 and an IPtables based firewall.










[Figure: SIS Network Topology and IP assignments. Internet and Main switch; FC4 gateway (NIC1 128.198.162.50, NIC2 10.0.0.1); Local switch; Win-XP 10.0.0.12; IIS 10.0.0.11; Domain-controller 10.0.0.10. Also labelled in the figure: 128.198.162.51, 128.198.162.52, 128.198.162.53.]


Main SIS Components:


X.509 Digital Certificate:

    A Public Key Certificate (PKC) is used as a strong means to prove identities. It binds a public key with the holder subject field (Country, State, City, Organization, e-mail, Common-name, …).

    It is signed by the private key of a Certificate Authority (CA), so it can be verified using the known CA’s public key.


Main SIS Components:


Certificate Authority (CA):

    A CA is a trusted entity that is responsible for issuing digital certificates for use by other parties.

    A PKC issued by a CA states that “the CA attests that the public key contained in the certificate belongs to the entity noted in that certificate”.


Main SIS Components:


Attribute Certificate (AC):

    It is a new Internet standard (RFC 3281) that strongly binds a public key with a set of attributes that can specify the holder’s membership, Role, security clearance, or other authorization information.

    In our case, we use ACs to store the role information for the holder.


Main SIS Components:


Active Directory (AD):

    A hierarchical framework of objects used as a directory service to store information about the network resources across a domain.

    It is Microsoft’s implementation of LDAP directory services for use in Windows environments.

    It provides central control for three types of objects: Resources (e.g. printers), Services (e.g. e-mail), and Users (accounts and groups).

    AD is used to maintain user accounts and store Digital and Attribute certificates.


Main SIS Components:


Internet Information Services (IIS 6.0):

    A Web server that provides a reliable, manageable, and scalable Web application infrastructure for Windows Servers.

    SSL mutual authentication based on the client’s digital certificate is used to authenticate users.

    An enhanced HTTP module is used to authorize users based on the Role stored in the corresponding Attribute Certificate.



In detail:

We will provide an Admin Tool that has four primary functions:

    AD management.

    SIS setup.

    RBAC setup and management.

    Certificates management.

We assume that Windows Server 2003, Active Directory, and IIS 6.0 are already installed.


Active Directory Management


Initialize the active directory.

Create user accounts based on a text file that contains the needed information:

    first name, last name, country, state, organization, e-mail, and

    their role in the organization.

Add, remove, and edit user accounts as needed.


SIS Setup


Create a root CA that will be used to sign issued certificates.

Issue a server certificate for the IIS web server.

Issue digital and attribute certificates for users, and store them in the active directory.

OpenSSL and CryptLib packages have been used in this task.


RBAC Setup & Management


Idea: a flexible way to enforce the role based access policy, namely, to dynamically check whether a certain ROLE has the required permissions to perform certain OPERATIONS on some RESOURCES.

We have come up with a solution that uses two XML files: Resources and Roles.



RBAC XML files:


Resources.xml:

    <Resource>
        <ID> 1 </ID>
        <URI> http://domain/path1 </URI>
        <DESC> description 1 </DESC>
    </Resource>
    <Resource>
        <ID> 2 </ID>
        <URI> http://domain/path2 </URI>
        <DESC> description 2 </DESC>
    </Resource>
    ...

Roles.xml:

    <Role id="manager">
        <operation list="GET, POST"> </operation>
        <Resource list="1,3,4,5,7,8,9"> </Resource>
        <Validity>
            <Days> * </Days>
            <Time> * </Time>
        </Validity>
    </Role>
    <Role id="TeamLeader">
        <operation list="GET"> </operation>
        <Resource list="1,3,5"> </Resource>
        <Validity>
            <Days> Sun,Tues,Wed </Days>
            <Time> 11:00 am 5:00 pm </Time>
        </Validity>
    </Role>
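
The check these two files support (may a ROLE perform an OPERATION on a RESOURCE, inside its validity window), as an added Python example that is not the project's own C# code. The `<Resources>`/`<Roles>` root elements, the `-` between the two times (the parser accepts the pair with or without it), exact-match URIs and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed policy in the slides' format. The <Resources>/<Roles> root
# elements and the "-" between the two times are assumptions.
RESOURCES_XML = """<Resources>
  <Resource><ID> 1 </ID><URI> http://domain/path1 </URI></Resource>
  <Resource><ID> 2 </ID><URI> http://domain/path2 </URI></Resource>
</Resources>"""
ROLES_XML = """<Roles>
  <Role id="manager"><operation list="GET, POST"/><Resource list="1,2"/>
    <Validity><Days> * </Days><Time> * </Time></Validity></Role>
  <Role id="TeamLeader"><operation list="GET"/><Resource list="1"/>
    <Validity><Days> Sun,Tues,Wed </Days><Time> 11:00 am - 5:00 pm </Time></Validity></Role>
</Roles>"""

def _csv(text):
    return {item.strip() for item in (text or "").split(",") if item.strip()}

def _listed(role, tag):
    elem = role.find(tag)
    return _csv(elem.get("list")) if elem is not None else set()

def _in_window(validity, when):
    days = _csv(validity.findtext("Days"))
    if "*" not in days and not any(when.strftime("%A").startswith(d) for d in days):
        return False
    time_text = (validity.findtext("Time") or "").strip()
    if time_text == "*":
        return True
    bounds = re.findall(r"\d{1,2}:\d{2}\s*[ap]m", time_text, re.I)
    if len(bounds) != 2:
        return False  # missing or malformed window: deny
    start, end = (datetime.strptime("".join(b.split()).upper(), "%I:%M%p").time() for b in bounds)
    return start <= when.time() <= end

def is_allowed(role_id, method, uri, when):
    """Default-deny check: may this role perform `method` on `uri` at `when`?"""
    resources, roles = ET.fromstring(RESOURCES_XML), ET.fromstring(ROLES_XML)
    # Compare values in code rather than formatting them into an XPath string.
    res_id = next(((r.findtext("ID") or "").strip() for r in resources.iter("Resource")
                   if (r.findtext("URI") or "").strip() == uri), None)
    role = next((r for r in roles.iter("Role") if r.get("id") == role_id), None)
    validity = role.find("Validity") if role is not None else None
    if not res_id or validity is None:
        return False
    return (method in _listed(role, "operation") and res_id in _listed(role, "Resource")
            and _in_window(validity, when))
```

Unknown roles, unknown URIs, a missing `<Validity>` element and an unparsable `<Time>` value all fall through to deny.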


Certificates Management

Manage issued certificates:

    Update users’ digital and attribute certificates.

    Revoke certificates.

    Check certificates’ validity dates.



The Big Image:

[Flowchart: Client request -> IIS SIS Module -> SSL authenticated? (NO: reject) -> Get request info and the certificate subject field -> Query Active Directory to get the corresponding AC -> This Role has permissions to perform the operation on the requested resource? (NO: reject; YES: Grant Access)]


Conclusion


A secure information sharing system for Windows environment is being developed with an admin tool to set up and manage AD, PKI, and RBAC.

Clients are authenticated by the PKCs issued to them, and authorized by the ACs stored in the AD using the RBAC model.

The system can be used as a secure information infrastructure for an emergent taskforce due to the quickness in system setup, and the easy-to-use Admin Tool.



Some learnt lessons:


In terms of the programming language, I have used C# with Visual C# Express 2005 IDE. Since we are porting to Windows system, C# is one of the most powerful languages supported in the .NET framework.

At the beginning I used the CryptLib package to deal with certificates. This package generates two kinds of files: (.CER) that contains the certificate, and (.P15) that has the private key in PKCS#15 structure. But after I had tried to test those certificates, it turned out that MS IE and IIS need (.P12) kind of file. Thus I switched to OpenSSL package instead.


Some learnt lessons:


Now, the good thing in CryptLib is that it supports attribute certificates, so I will be using it to deal with ACs.

For RBAC XML based solution, I found out that the use of simple C# XMLReader and XMLWriter is slow especially for a large file. So, I will use XPath technique for this task.

As we learned in the certificate assignment, we can specify the certificates we want to allow in the Apache password file by putting the whole subject field in it. So, now I am searching for an equivalent feature in IIS.


Future Work:


Integrating more services in the ACE such as Instant Messaging, E-mail, Wireless access, VOIP …

Enhancing the system to work in a multiple agency environment.

Expanding the system usability to other operating systems.


References:


OpenSSL; a wrapper compiled in binaries (.exe file) from http://www.stunnel.org/download/binaries.html has been used, 2006.

CryptLib package that supports attribute certificates, http://www.cryptlib.com, 2006.

Network Security with OpenSSL by John Viega, Matt Messier, and Pravir Chandra. O’Reilly, First Edition, 2002.

http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html, 2006.

Linux based SIS, by Ganesh Godavari and Edward Chow, http://cs.uccs.edu/~infoshare/doc/smc05/PaperFormatOrg.pdf, 2005.



?