By: Mrunal Patil - 32
Nikita Patil - 33
Aishwarya Shekokar - 52
Identity Access Management for Multi-tier Cloud Infrastructures
Why do you need IAM?
Unmanaged identities and access pose significant risks not only to compliance but also to an organization's overall security.
Excess privileges increase the risk of greater damages.
Access level escalation granted for a task is often not revoked.
The result is an accumulation of privileges known as privilege creep.
IAM addresses three important questions:
1. Who has access to what information?
2. Is the access appropriate for the job being performed?
3. Is the access and activity monitored, logged, and reported appropriately?
Let's Define IAM Terms
Authentication (AuthN): Verify that a person is who they claim to be.
This is where multi-factor authentication comes into play.
Identification and authentication are related but not the same.
Authorization (AuthZ): Deciding what resources can be accessed/used by a user.
Accounting: Charges you for what you do.
Advantages of IAM
Faster response times.
Easily retrievable evidence of activities.
Automated workflows for approvals and communication.
Better management of large data volumes.
Ability to centrally administer and monitor systems.
Identity and access management system
User connects to the web server.
The web server has a connector or "Agent":
1) An interface to the access manager.
2) Plugins or APIs.
The access manager is the Policy Enforcement Point (PEP):
1) A high-volume system that makes decisions on access requests from the web server.
2) Must be highly available.
IAM is the Policy Management Point (PMP):
1) Central management of all identity information from various sources.
2) Able to define processes and workflows to manage, maintain and audit access to resources.
Access Controls
Role-based access control.
Attribute-based access control:
1) Subject attributes (role, project).
2) Resource attributes (owner of a file).
3) Environmental attributes (risk level).
Managing Roles & Privileges
Grouper and Signet
Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
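The two access-control models above (RBAC with privileges assigned to a group hierarchy, and ABAC with subject, resource and environmental attributes) combined into one policy decision function. This is an added example, not code from the slides, from Grouper or from Signet; the group names, privilege names and the three ABAC rules (same project, owner may read, high-risk sessions are read-only) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical group hierarchy (child -> parent groups). A member of a child
# group inherits the privileges of every ancestor group, as nested groups do.
GROUP_PARENTS = {
    "staff": [],
    "project-a-devs": ["staff"],
    "project-a-admins": ["project-a-devs"],
}

# Privileges are assigned to groups, never directly to users (RBAC).
GROUP_PRIVILEGES = {
    "staff": {"wiki:read"},
    "project-a-devs": {"repo:read", "repo:write"},
    "project-a-admins": {"repo:delete"},
}


def effective_groups(groups):
    """Transitive closure over the hierarchy: the groups plus all their ancestors."""
    seen, stack = set(), list(groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(GROUP_PARENTS.get(g, []))
    return seen


def effective_privileges(groups):
    """Union of the privileges of every effective group."""
    privileges = set()
    for g in effective_groups(groups):
        privileges |= GROUP_PRIVILEGES.get(g, set())
    return privileges


@dataclass
class Subject:
    name: str
    groups: set
    attributes: dict = field(default_factory=dict)  # subject attributes: role, project


@dataclass
class Resource:
    name: str
    kind: str
    attributes: dict = field(default_factory=dict)  # resource attributes: owner, project


def decide(subject, action, resource, environment):
    """Policy decision: returns (allowed, reason).

    Combines the RBAC privilege check with ABAC rules over subject,
    resource and environmental attributes (all rules are constructed here).
    """
    # Resource attribute: the owner of a file may always read it.
    if action == "read" and resource.attributes.get("owner") == subject.name:
        return True, "owner"
    # RBAC: the action must be covered by a privilege inherited via groups.
    needed = f"{resource.kind}:{action}"
    if needed not in effective_privileges(subject.groups):
        return False, f"missing privilege {needed}"
    # Subject attribute vs resource attribute: stay inside the same project.
    if subject.attributes.get("project") != resource.attributes.get("project"):
        return False, "project mismatch"
    # Environmental attribute: a high-risk session is restricted to reads.
    if environment.get("risk_level") == "high" and action != "read":
        return False, "high-risk session: read-only"
    return True, "ok"


if __name__ == "__main__":
    alice = Subject("alice", {"project-a-admins"}, {"role": "admin", "project": "A"})
    repo = Resource("service-repo", "repo", {"owner": "bob", "project": "A"})
    print(decide(alice, "delete", repo, {"risk_level": "low"}))
    print(decide(alice, "delete", repo, {"risk_level": "high"}))
```

The order of the checks matters: the RBAC privilege check runs first so that a subject with no privilege on the resource kind is refused before any attribute is consulted, and the environmental rule runs last so that a risky session can only narrow, never widen, what the role allows.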
How a full IdM layer helps
Improves scalability: IdM process automation
Reduces complexity of IT ecosystem
Complexity as friction (wasted resources)
Improved user experience
Functional specialization: App developer can concentrate on app-specific functionality
IAM Solutions
What is a Token?
A token comprises 3 parts:
Header
Payload
Signature
A security token is a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key.
Tokens are of 2 types: auto-generated or dependent on the username.
JWT (JSON Web Token)
Passes information safely between 2 parties.
The setup comprises 3 parts:
application server
authentication server
user
4 steps:
User signs in to the authenticating server.
Server authenticates whether the user is authentic.
User passes the JWT when making API calls to the application server.
Application server verifies the JWT and sends the response back to the user.
Application server receives the secret key from the authentication server.
For creating a token in JWT:
Create the header
Create the signature
Create the payload
Put them together
Verify the JWT (if the signature matches, the user is authentic; if the signature does not match, the user is not authentic)
JWT advantages:
Obscures data
Proves data was sent and created by an authentic source
Encoded data (transformed data structure) is obtained
Signed data (verified authenticity) is obtained
JWT disadvantages:
Does not hide data
Does not encrypt data
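The JWT creation and verification steps above, and the disadvantage that the payload is encoded rather than encrypted, worked through in code. This is an added example, not code from the slides; it uses the standard library only and assumes an HS256 (HMAC-SHA256) token, a constructed shared secret, and constructed claim values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed key shared by auth server and app server


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, secret: bytes) -> str:
    """Header, payload and HMAC-SHA256 signature, each base64url-encoded and joined by dots."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded_header = _b64url(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature matches and the token is unexpired, else None."""
    try:
        encoded_header, encoded_payload, encoded_signature = token.split(".")
        header = json.loads(_b64url_decode(encoded_header))
        given_signature = _b64url_decode(encoded_signature)
        payload = json.loads(_b64url_decode(encoded_payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm; never trust the header's alg
        return None
    expected = hmac.new(secret, f"{encoded_header}.{encoded_payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_signature):
        return None
    if "exp" in payload and (now if now is not None else time.time()) >= payload["exp"]:
        return None
    return payload


def read_payload_without_key(token: str) -> dict:
    """The payload is only base64url-encoded: anyone holding the token can read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the old signature; verify_jwt must reject the result."""
    encoded_header, _, encoded_signature = token.split(".")
    return f"{encoded_header}.{_b64url(json.dumps(new_payload).encode())}.{encoded_signature}"


if __name__ == "__main__":
    token = create_jwt({"sub": "alice", "role": "dev", "exp": 2000000000}, SECRET)
    print(token)
    print("readable without the key:", read_payload_without_key(token))
    print("verified:", verify_jwt(token, SECRET))
```

Two details carry the security weight: the signature is compared with hmac.compare_digest rather than ==, and the verifier decides the algorithm itself instead of honouring whatever alg the token's header claims.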
RSA-ECDSA
User asks for authentication.
If the token is verified then the process is done.
RSA SecurID has:
hw (USB dongle)
sw (soft token)
Assigned to a computer user; generates a code at a fixed interval (60 sec).
A built-in clock is used together with the card's factory-encoded random key (seed).
The seed is different for each token.
RSA (1K RSA key)
Adv:
High speed
Verifies RSA signatures faster
Disadv:
Signature and public key are added to the msg, so high space usage
Low security
ECDSA (192-bit ECDSA)
Adv:
More secure
Disadv:
More space required
Slow speed
Comparison (JWT, RSA-ECDSA, HMAC-SHA1)
RFC 4226 HOTP is based on SHA1.
JWT and RSA-ECDSA require SALTING.
HMAC-SHA1 is best because it does not require SALTING strings (MD5 add).
Salting is a hashing technique for reducing collisions.
The hash function is found in the DB.
The salt is an unknown (random) element.
The OTP Server and Authentication Protocol
An OTP is auto-generated.
An OTP depends on 2 parameters:
A secret key
A counter
In the case of a transaction, an OTP is sent to the mobile phone of the user; for an authentication it is possible to use either a secure token or to request an OTP to be sent to the user's phone.
Why we are not using the OTP method:
· Multiple uses means multiple lockouts if ever lost or stolen.
· Only runs with RSA Infrastructure installed.
· Single point of failure - multiple redundancy levels are needed.
· Limited to known or managed laptops/desktops - a remote access component should be considered.
· Need to monitor application upgrades and changes - SSO templates/profiles should be easy to modify.
· Different types of users have different workflows - the solution should have flexible security policies to meet these requirements.
HMAC SHA1
Used for checking whether a msg has been tampered with.
Keyed hash algorithm (secret key).
Secret key + msg.
Hashes the result with the hash function.
Adds the hash value.
Output is 160 bits in length.
Sender sends the original data and hash value to the receiver.
Sender computes the hash value.
Receiver calculates the hash value.
If there is a mismatch then the correct hash value is demanded.
Advantages: faster
More secure
Disadvantages: need for the secret key to verify the token
Time limit
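The sender/receiver exchange above in code: the sender computes an HMAC-SHA1 tag over the message, the receiver recomputes it with the same secret key and either accepts the message or demands a retransmission. This is an added example, not code from the slides; the key and message values are constructed for illustration, and the two known-answer vectors checked alongside it come from RFC 2202.

```python
import hashlib
import hmac


def compute_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA1 over the message: 20 bytes (160 bits), shown as 40 hex characters."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(compute_tag(key, message), tag)


def receive(key: bytes, message: bytes, tag: str) -> str:
    """Receiver decision: process the message, or demand a retransmission on mismatch."""
    return "accept" if verify_tag(key, message, tag) else "retransmit"


if __name__ == "__main__":
    key = b"constructed-shared-secret-key"      # constructed sample key
    message = b"transfer 100 to account 42"     # constructed sample message
    tag = compute_tag(key, message)
    print(len(tag) * 4, "bit tag:", tag)
    print(receive(key, message, tag))                        # accept
    print(receive(key, b"transfer 900 to account 42", tag))  # retransmit: message altered
    print(receive(b"other-key", message, tag))               # retransmit: wrong key
```

Without the key the receiver can neither verify nor forge a tag, which is exactly the "need for the secret key to verify the token" listed above as a disadvantage: it is the price of authenticity.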
The HMAC-SHA1 Token Generator
This OTP is based on the HMAC-SHA1 algorithm.
It is used to perform authentication by challenge-response.
This algorithm is not reversible.
It is not an encryption algorithm but a hashing algorithm.
HMAC-SHA1 uses a key to transform an input array of bytes.
The secret key must be at least 20 bytes.
The algorithm takes the 20-byte key and the 8-byte counter to create an 8-digit number.
Why is HMAC-SHA1 a strong authentication method?
The key is 20 digits.
A password is a counter/password pair, valid only once and for a very short time.
The algorithm that generates each password is not reversible.
With an OTP token, the key is hardware-protected.
If the OTP is received on your phone, the key always stays at the server.
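The HMAC-SHA1 token generator described above (20-byte key, 8-byte counter, 8-digit code per RFC 4226), together with a server that accepts each counter value only once, as the "OTP Server and Authentication Protocol" slide requires. This is an added example, not code from the slides; the token and server classes, their look-ahead window of 5 and the sample seed are assumptions, and the known-answer values checked alongside it are the RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(key, 8-byte counter), dynamically truncated to `digits` digits."""
    if len(key) < 20:
        raise ValueError("secret key must be at least 20 bytes")
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()  # 20 bytes
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks 4 bytes
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class OtpToken:
    """Client side (hardware token or phone app): holds the seed and its own moving counter."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def next_code(self) -> str:
        code = hotp(self.key, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Server side: same seed; accepts a code once and resyncs within a look-ahead window."""

    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key, self.counter, self.look_ahead = key, 0, look_ahead

    def verify(self, code: str) -> bool:
        for step in range(self.look_ahead):
            candidate = hotp(self.key, self.counter + step)
            if hmac.compare_digest(candidate, code):
                self.counter += step + 1  # move past the used counter so the code cannot be replayed
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-20-byte-seed!"  # constructed sample seed, 24 bytes
    token, server = OtpToken(seed), OtpServer(seed)
    code = token.next_code()
    print(code, server.verify(code), server.verify(code))  # second verify is a replay: False
```

The look-ahead window is what makes a token that has been pressed a few times without logging in still usable: the server searches a small number of future counter values and, on a match, jumps its own counter past the one just consumed, so an intercepted code is worthless afterwards.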
Diagram of HMAC-SHA1 working
Token generation
Benefits of tokens in HMAC-SHA1
The size in bits is as desired.
Security is very strong.
It is practical in situations where two parties in a secure environment must be able to depart from one another and communicate from two separate secure environments with perfect secrecy.
It is an optimum cryptosystem with theoretically perfect secrecy.
Further implementation:
We will make a cloud.
Set the user id and password.
And set up the system such that tokens are generated.
Thank you!