Architecture of Authentication and Authorisation services and Network Identity

Yuri Demchenko
NLnet Labs, Amsterdam
demch@nlnetlabs.nl

Abstract
? ??????? ??????????????? ??????????? ?????????? ?????????? ???????? ????????????? ? ??????????? ??? ???????? ?????????? ? ????????????? ??????? ????????????? ??? ??????? ????? ? ???????????? ??????? ??????????. ???????? ???????? ????????? ????????????? ??????????? ?????????? ??? ??????????? ??????????? ?????????????? ?????????????? ??????? ??????????, ?????????? ?? XML (SAML, Liberty, XML Signature, etc.). ????????? ??????? ???????????? ?????? ??? ?????????????? ?????????????? ? ???????????.


1. Introduction

2. ??????????? ??????????? ???????? ?????????????? ? ???????????
3. C?????? ????????????? ? Single-Sign-On (SSO)

4. ??????? ?????? ?????????????? ?????????????? ? ???????????
5. Conclusions
6. References


1. Introduction

??????????? ?????????? ???????? ?????????????? ? ??????????? (AuthN, AuthZ) ???????? ?????? ???????? ?????????? ??????????? ???-?????????? ?, ? ?????????, ???-???????? (Web Services). ??????????? ??????????? ???-?????????? ?????????? ????????? ????????? ????????, ????? ?????????????? ????????????? ? ? ????. ????????????? ?????????????? ????????????/??????? ?????? ?? ?????????? ??? ?????????????? ??????????? ????? ?????????? ????????? ??????????? ??? ???????????? ???????????? ??????? (? ?????????, B2B-??????????). ? ???? ??????? ???????? ???-????????, ??????? ????? ?????? ??????? ???? ?? ?????, ? ???????? ?????? ?????? ??????????? ?????? ?????????????? ???????????? ??? ????? ???????/???????, ?????????????? ????? ???-???????.

??????????? ???????????? ? ?????????????? ??????? ???????? ?? ????????????? ?????????????? ???????? ?????? (PKI ? Public Key Infrastructure), ?????????????? ??????? ????????????? ????????????, ?????????? ? ????????????? ?? ????-?????????? (? ??????????? ??????? ?? ?????? LDAP), ??????????? ?????????????? ??????? ?????????????? ???????????? ? ?????????? ?????????????? ??????????????? ????????????. ?????? ????? ??????? ???????? ?????? ? ?????????????? PKI-?????????? ? ? ???????? ?????? ????????????????? ??? ?????????????? ?????? (trust domain), ? ? ??????????? ??????? ?????? ? ?????? ?????? ???????????, ???? ? ???????????????. ??? ??????? ???????????? ? ???????????? ???????? ??? ???????? ? ????? ??????? ????????? ??? ?????????????? ??????? ??????? ??????? ??? ???????, ??? ????? ?????????? ?? ????????????? ???????? (credentials), ?????????????? ???????? (identity) ????????????.

2. ??????????? ??????????? ???????? ?????????????? ? ???????????

??????????? ??????? ???????? ????????????? ????????????? ????????????? ??????? ????????? ???????? ????????? ? ?????????? ?????????????? ???????????? ??????????, ?????????? ?? ???-????????, ?? ????????? ? ???????????? ???????????? ???????????? ??????? ??????????, ?????????? ?? ISO7498-2. ??????? ??????? ??????? ? ???, ??? ???????????? ??????????? ???????????? ????????????? ?? ?????????????? ??????? ???????? ??? ?????????, ??????? ????? ???? ??????????, ?????, ????????????, ??????? ??? ???????, ? ???????????? ???????????? ???????????? ????? ????????? ??????? (end-to-end ??? peer-to-peer). ? ??? ????? ??? ?????????????? ??????? ?????????? ? ???-??????? ? ??????????????? ????????? ??????? ????? ??????????? ????????????, ??????? ? ?????? ??????????? ?????? ????????????? ?????? - ????????, ?????????, ???????, ????????? ? ?????????????? ?? ????????? ??? ?????? ???????????, - ??????? ????? ???????????? ????? ?????????????? ?????????, ????????? ? ?????????????? ????????.

?????? ?????? ????? ??????????? ????????????, ??????????????? ?? ???-???????, ???????? ?????????? ??????? ?????????????? ? ??????????? ? ????????????? ?????????????? ?????????? ????????????, ?????????? ?? ???????? ? ?????????? ???????? ?? ?????? ????? (Policy/Role Based Access Control (RBAC) ? Privilege Management Infrastructure (PMI)), ???????????? ?????, ??? ? PKI, ?????????? X.509, ? ????? ISO 10181-3 Access Control Framework. ?????????? ????? ??????????? ????????: ??????/??????? ?????????????? (AuthN), ??????? ???????? ??????? (Access Enforcement Function (AEF) ??? Policy Enforcement Point (PEP)), ??????? ???????? ??????? ? ??????? (Access Decision Function (ADF) ??? Policy Decision (PDP)), ???????? ??????? (Access Control Information (ACI) ??? Policy).

??????????? ??????????????, ??????????? ? ????? (AAA ? Authentication, Authorisation, Accounting), ? ???????? ??????????????? ?? ????????? ??????? ??????????, ??????? ??????? ?????????? IETF RFC 2902-2906. ???????????? ??????????? ?????????? ??????? ???????? AAA, ? ???????? ?????????????? AAA-???????, AAA-????????? ???????? (ASM ? Application Specific Module), ?????? ???????? (RP ? Policy and event Repository), ?????????????? ?????? (CA ? Certification Authority), ??????????? ???????????????? ??? ????????????? ?????? (????? ??????). ????? ??????????? ????? ???????? ? ?????-???????? ?????, ?????? ????????? ?? ????????????? ??????????, ????? ????????? ?????, ??????????? ?????????????? ????????????? ???-?????????, ? ?? ????? ??? ??????????? ???????????? ???-???????? ??????? ?????????? ??????? AuthN ? AuthZ, ??????? ?????????????? ?????? ?????????? ? ???????? ? ???????.

??????????? ??? ???????? ??????? ? ????? ?????????????? ????????, ? ???????? ????????????? ??????, ? ??????? ??????????? ?? ?????? ???????? ???????? ??????? ? ???????????? ? ???????????????? ????????????? ?????????, ??????? ????? ???????? ?????????????? ??????????????, ?????????? ??? ??????? ??????? ? ?????? ??????, ??????????????? ??????? ??????????????. ??? ???? ??? ??? ????? ???????? ?????? ????? ???? ????????????? ???? ????????????? (push-??????) ??? ????????? ??????? ??????????? (pull-??????), ?????????????? ???????/?????? ADF/PDP ????? ????? ???????? ? ??????? push ??? pull.

3. C?????? ????????????? ? Single-Sign-On (SSO)

?????? ????????? ??????? ?????? ?????????????? ???????? ??????????? ??????? ??????? ??????? (SSO ? Single-Sign-On), ??????? ????????? ???????????? ????????????? ?????????????? ?????? (??????) ?????? ???? ??? ??? ????? ? ?????? ????????, ???????????? ?????????????? ???????????. ????????????? ??????? ????????? ???????????? SSO ?????? ? ???????? ?????? ????????????????? ??? ?????????????? ?????? ? ?????????? ???????????????? ?????? ?????????????? ?? ?????? ???????????????? ?????????? ??? ????-??????????. ?????? ???????? ??????? ?????????? ??????? SSO ???? ??????????? Microsoft Passport, ?????? ??? ??????? ???????? ?? ????????????? ??????????? ??????????, ???????? ????? ?????? ? ?????????????, ??? ????????, ?????, ???????????? ??? ?????? ?????, ? ??? ?? ????? ??????? ????????? ? ????? ???????, ?????? ????????????? ?????????????? ???-???????. ??? ????? ???????? ????????????? ??????? ?????????? ????? ??????? ?? ???? Liberty Alliance Project (LAP), ??????? ??????????? ? ?????? ?????? ????? 150 ??????????.

??????????? ???????? SSO, ????????????? LAP, ????????? ?????? ???????? ??????? ????? ??? ???-?????? ? ??? ???-????????. ???????????? ???????? SSO ??????? ?? ????????????? ??????????, ??????? ?????????? ????? ?????????? ????????? ??? ????????????, ??????? ????? ??????????? ????? ???????? (circle-of-trust), ??????? ???????????? ????????????? ? ??????????? ??????????? ?????????? ????????????? (Identity Provider), ??????? ???????????? ????????? ?????????????? ????????????. LPA ?????????? ????????? ? ?????? ?????????, ???????? ???????????? ????????????, ????????? ????????????? ? ??????-?????????. ???????????? ??????? ??????? ???????? ??, ??? ???????????? ?????????? ???????? ????? ??????? ? ???????????? ?????? ???????? ??? ??????????????/???????????????? ????? ??????. ????? ???????? ????? ???????, ??????? ????? ???????????? ?? ????? ?????????? ???????????? ?????? ? ??????????? ????? ?????? ???????????? ?? ???????, ???????????? ????? ??????? ?????????????? ?????????????, ??????? ????? ?????????? ?????? ??????? ??????? ? ??????? ????????????? ???????????? ????? ???????????? ? ?????????, ??????? ????????? ???? ????? ? ??????? ???????? ????????????, ??? ???????? ???????????? ???????? ?? ?????????? ???????.

???????????? LPA ??????? ???????? ?? ????????????? ???????????? ????? SAML (Security Assertion Markup Language), ??????????? ?? XML. ???????? SAML ??????????????? ???????????? ???????????? ???????????? ?? ?????????????? OASIS (Organization for the Advancement of Structured Information Standards). SAML ???????????? ??? ???????? ????????? ? ?????????? ????????????, ??????? ????? ???????????? ? ????????? ??? ?????? ????????????? ??????? ? ??????? XML, ??????????? ????? ????????? ? ???????? ?????????? ??????? AuthN/AuthZ. SAML ?????????? ?????? ????? ??????????, ???????? ??? ?????? ? ??????? ?????????? ????????????, ? ????? ????????????? ???????????? ?????????? SOAP (Simple Object Access Protocol) ? HTTP.

?????????? SAML ????????:

SAML ????? ?????????? ?????? ???????, ?????????? ? ?????? ???????? ??????????? ???????????????? ????????????, ????????: ?????????? ?? ???????? Y ? ????????? ??????? Z ????????????? S?.

??? ? ???????? Liberty Alliance Project, ??????????????, ??? SAML ?????? ??????? ???????? ??? ?????? ???????? ????????????, ??????? ???-??????? (Web Services Security) ? ????-??????? (Open Grid Services Architecture (OGSA) Security). ? ???? ????? SAML ???????????? ????????? ???????????? ????????????? ???????? AuthN/AuthZ ?? ?????? X.509 ? LDAP. ?????? ??????????? ???????? ??????? ? ??????? XML (XML Signature), ??????? ???????? ??????????? SAML, SAML ??????????? ???????????? ??????????? ???????? ?????? X.509 ? ??????????? ????????? (Attribute Certificate) ? ???????? ?????????? ?????????????? ? ???????????.

4. ??????? ?????? ?????????????? ?????????????? ? ???????????

? ????????? ????? ?????????? ????????? ??????, ?????????? ????????? ?????????? ?????????????? ? ??????? ??????? ?? ?????? ???????? ???????. ????????? ?? ??? ????????? ????????? ?????????? ? ??????? ????? ???????????, ?? ????? ????????? ?????????? ?? ?????? SAML ? ????????????? ? ????? ?????????? SSO LPA. ????????? ???? ??????? ? ??????? ????????????? ???????? ???????????????? ??????????? ??????????? ??? ??????????????? ?????????????.

1) PERMIS (Privilege and Role Management Infrastructure Standards validation)

PERMIS ????????, ?????? ?? ??????? ????????? ?????????? ??????? ?????????????? ? ???????????, ? ?????????? ??????????? ??????????? ?? ?????? ???????? ? ?????, ??????? ???????????? X.509 Attribute Certificate (AC). ???????? ????? ???????:

2) SPOCP (Simple Policy Control Protocol)

SPOCP ????????? ??????? ?? ??????????? ??????? ?? ?????? ??????? ?? ????? ????????, ????????? ????????? ??????????:

SPOCP ?????????? LISP-????????? ??? ???????? ???????? ??????? ? ???????????? ??????? ? ???????. SPOCP ?????????? ?????????? ???????? ? ?????? ????????? ?? ????????? ? SAML ? XACML, ?????? ????? ?????????? ? ?????????? ??????????? SAML.

3) Shibboleth ? WebISO/Pubcookie

Shibboleth ? WebISO/Pubcookie ??????????? ? ?????? ??????? Internet2 ? ???????????? ?????????????? ??? ??? ???-??????????????? ?????????????? ? ??????????? ? ??????? ??????? ? ????????, ??????????????? ????? ??????????????.

Shibboleth ???????????? ???????????, ?????????? ?? ????????? ????????????, ? ?????????? SAML ? ???????? ??????? ?????????? AuthN/AuthZ ? ?????????. ???????????? Shibboleth ???????? ??????/???????? ?????????????????? ????????????: ?????? ? ???????????? ???????? ? ??? ?????? ??????????? ? ????????? ??????????? ??????????? ?????? ??????????? ????? ??????, ??????????? ??? ???????? ???????; ????? ??????? Shibboleth ????? ??????????? ???????????? ??????? ??????? ??????????????.

??????? WebISO ??????????? ? ????? ???? ??????????? ????????????? ?? ??????????? ????????? ???????????? ?????? ? ?????????????? ????????, ?????????? ?????????????? ???-???????, ????????? ??????? ??????????? ?????? ?????????????? (?? ???????, ??????????? ?????/??????).

4) ?????? ???????: A-Select, PAPI

A-Select ???????? ?????? ?????????????? ??? ???-??????????, ??????????? ? ?????? ????????????????? ??? ?????????????? ??????. ?????????? ???????? ??????? ? ????????????? SAML ???????? ???????????? ???-???????? ????????????? ? ????????????? ?????? ?????????????? ?????? ????????.

PAPI (Point of Access to Provider of Information) ? ??????? ????????, ?????????????? ???????? ??????? ? ???????? ? ???????????? ????????. PAPI ?????????? ????????? ?????????????? ???????????? ??? ???????????? ???????????????? ??????? (token), ????????????? ???????????? ? ???????? cookie. PAPI ???????? ?????????? ??????? ????????, ?? ?? ?????????? ???????? ?? ?????? ????????????? SAML ???????? ?? ??????? ??????????????? ? ??????? ?????????.

5. Conclusions

?????????? ???????? ????? ?????????????? ? ??????????? ???????? ?? ????????????? ?????? ?????????? ???????? ?? ?????? ????? ??? ????????? ???????????? ? ???????? ???????, ???????????? ????????. ?????????????? ???????????? ??? ??????? ? ????????????? ????????? ???-???????? ?????????????? ?? ?????? ??????????? (??????????) ????????????? ??????????????? ????????????, ??????????????? ???????????? ?????????????. ??????? ??? ???????? ????? ??????????? ???????????? ? ??????? ????? ?????????????? ? ??????????? ???????? ?????????? ???????????? XML, ??????? ???????? SAML, XACML, Web Services Security, ? ??., ? ????????? ???????? ?????????? ? ???????? ???????????? ? ????????????? ??????? ???? ????????? ??? ??????????.

6. References

  1. Demchenko Y. Overview of existing and developing systems for Authentication and Authorisation and Policy/Role based Privilege Management - http://www.uazone.org/demch/analysis/aaa-pmi-overview.html
  2. Demchenko Y. Security Architecture for Open Grid Services and related developments GGF5 and follow-on developments overview - http://www.uazone.org/demch/analysis/ggf5ogsa-security.html
  3. Demchenko Y. Global Grid Forum: Moving to Open Grid Services Architecture (OGSA) - Overview of GGF4 and follow-on developments - Yuri Demchenko, May 2002 - http://www.uazone.org/demch/analysis/ggf4ogsa-overview.html
  4. XML Web Services Security Overview. - Seminar at IIDS Group, Vrije Universiteit. - 27 March, 2003 - http://www.uazone.org/demch/presentations/ws-xml-sec.ppt
  5. XML Security in IODEF. - INCH WG, IETF56. - March 19, 2003 - http://www.ietf.org/proceedings/03mar/slides/inch-3/index.html
  6. Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 3280) - http://www.ietf.org/rfc/rfc3280.txt
  7. An Internet Attribute Certificate Profile for Authorization (RFC 3281) - http://www.ietf.org/rfc/rfc3281.txt
  8. RFC 2902 - RFC 2906 - Authentication, Authorisation, Accounting Framework - http://www.ietf.org/rfc/rfc2902.txt - rfc2906.txt
  9. Internet X.509 Public Key Infrastructure Proxy Certificate Profile - http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-05.txt
  10. ITU-T Rec. X.812(1995) | ISO/IEC 10181-3:1996, Information technology - Open systems interconnection - Security frameworks in open systems: Access control framework.
  11. XML-Signature Syntax and Processing. W3C Recommendation. 12 February 2002 - http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
  12. Security Assertion Markup Language (SAML) v1.0 - OASIS Standard, 5 November 2002 - http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
  13. eXtensible Access Control Markup Language (XACML) Version 1.0 - OASIS Standard, 18 February 2003 - http://www.oasis-open.org/committees/documents.php?wg_abbrev=xacml
  14. SOAP Version 1.2 Part 0: Primer - http://www.w3.org/TR/2002/CR-soap12-part0-2002121
  15. Web Services Security: SOAP Message Security Draft 11 - March 2003 - http://www.oasis-open.org/committees/download.php/1044/WSS-SOAPMessageSecurity-11-0303-merged.pdf
  16. European Electronic Signature Standardisation Initiative (EESSI) - http://www.ict.etsi.org/EESSI/EESSI-homepage.htm
  17. PERMIS (Privilege and Role Management Infrastructure Standards validation) - http://sec.isi.salford.ac.uk/permis/
  18. SPOCP (Simple POlicy Control Protocol) - http://www.spocp.org/
  19. Shibboleth - http://shibboleth.internet2.edu/
  20. WebISO/Pubcookie - http://middleware.internet2.edu/webiso/
  21. A-Select - http://a-select.surfnet.nl/
  22. The Security Architecture for Open Grid Services - http://www.globus.org/ogsa/Security/