Publication


Featured research published by Gabriel López Millán.


Computers & Security | 2010

PKI-based trust management in inter-domain scenarios

Gabriel López Millán; Manuel Gil Pérez; Gregorio Martínez Pérez; Antonio F. Gómez Skarmeta

Hierarchical cross-certification fits well within large organizations that want their root CA to have direct control over all subordinate CAs. However, both Peer-to-Peer and Bridge CA cross-certification models suit better than the hierarchical one with organizations where a certain level of flexibility is needed to form and revoke trust relationships with other organizations as changing policy or business needs dictate. It seems that this second approach better fits the current and next-generation inter-domain networking models existing in both the wired and wireless Internet. In this context, this paper analyses some relevant inter-domain scenarios and derives the main requirements in terms of cross-certification from them. It then describes the design and lab implementation of a pan-European scenario which is based on a research network composed of a set of organizations that may have their own PKIs running, and that are interested in linking with others in terms of certification services. It provides a complete design, implementation and performance analysis for this complex scenario, including a procedure and practical recommendations for building and validating certification paths.


IEEE Internet Computing | 2003

PKI services for IPv6

Antonio F. Gómez Skarmeta; Gregorio Martínez Pérez; S.C. Reverte; Gabriel López Millán

A public key infrastructure (PKI) is a key component for most of the current and future secure communications architectures and distributed application environments. Thus, the process of migrating UMU-PKI to IPv6 is important for the successful deployment of IPv6 as a basic component of the future Internet. A recent European research project provides an ideal opportunity to migrate the Java-based UMU-PKI to IPv6 and build new security services over it.


Future Generation Computer Systems | 2016

Providing efficient SSO to cloud service access in AAA-based identity federations

Alejandro Pérez Méndez; Rafael Marín López; Gabriel López Millán

The inclusion of cloud services within existing identity federations has gained interest in the last years, as a way to simplify the access to them, reducing the user management costs, and increasing the utilization of the cloud resources. Whereas several federation technologies have been developed along the years for the Web world (e.g. SAML, OAuth, OpenID), non-web application services have been largely forgotten. The ABFAB IETF WG was created to define an architecture and a set of technologies for providing identity federation to non-Web application services, such as the cloud. ABFAB provides a way to use the existing EAP/AAA infrastructure to perform federated access control to any kind of application service, thanks to the definition of a new GSS-API mechanism called GSS-EAP. However, the ABFAB architecture does not define an efficient way of providing SSO. This paper defines a way to include such an SSO support into ABFAB, by introducing the required extensions to make use of the EAP Re-authentication Protocol (ERP), the IETF standard for providing fast re-authentication in EAP. Moreover, to demonstrate the feasibility of the proposed extensions, we have implemented a proof-of-concept based on Moonshot, the open-source implementation of ABFAB, and OpenStack as an example of cloud service. Finally, using this prototype we have completed a performance analysis that compares our proposal with the standard ABFAB operation. This analysis confirms the substantial reduction in terms of computational time and network traffic that can be achieved using ERP for providing efficient SSO to cloud service access in ABFAB-based identity federations.

Defines a way to provide efficient SSO by extending the GSS-EAP mechanism. Implements the proposed solution demonstrating its feasibility. Provides a performance analysis comparing it with the standard GSS-EAP mechanism.


International Journal of Information Security | 2013

Definition of an advanced identity management infrastructure

Ginés Dólera Tormo; Gabriel López Millán; Gregorio Martínez Pérez

In recent years, organizations are starting to demand a finer user access control in order to offer added-value services, while end users desire more control over their private information. Several approaches have been proved to be efficient in protecting basic scenarios. However, in scenarios requiring advanced features, such as advanced authorization capabilities, level of assurance facilities or effective privacy management, certain issues still need to be addressed. In this work, we propose an identity management infrastructure, based on the SAML, XACML and XKMS standards, which extends current approaches in order to achieve the required features. We include a performance analysis to show the feasibility of this architecture.


Journal of Systems Architecture | 2009

Towards the homogeneous access and use of PKI solutions: Design and implementation of a WS-XKMS server

Jose M. Alcaraz Calero; Gabriel López Millán; Gregorio Martínez Pérez; Antonio F. Gómez Skarmeta

Nowadays, there exist certain important scenarios where different WS-* security related protocols and technologies are being used, such as e-commerce, resource control, or secure access to grid nodes. Additionally, most of these scenarios require the interaction with a trust management infrastructure (such as a PKI, Public Key Infrastructure), usually to validate the digital certificates provided by communication peers belonging, in most cases, to different administrative domains. For doing this with WS-enabled technologies the W3C proposed the XKMS (XML Key Management Specification) standard a few years ago. However, few implementations exist so far of this standard, and most of them with important limitations. This paper presents an open-source WS-enabled implementation of the XKMS standard named Open XKMS, certain key scenarios where it can be used and the details of how it has been designed and implemented. This paper tries to motivate and foster the use of the XKMS standard and describe a software solution that can help designers and developers of WS-based security scenarios.


Computer Communications | 2006

Dynamic and secure management of VPNs in IPv6 multi-domain scenarios

Gregorio Martínez Pérez; Gabriel López Millán; Félix J. García Clemente; Antonio F. Gómez Skarmeta

IPsec-based VPN solutions today run mainly in the IPv4 environment and it is important that they have the capability of being upgraded to IPv6 to remain interoperable in next generation Internet. Two of the key components of every VPN solution are the trust management system used to secure the VPN establishment process and the policy mechanism used to control the VPN life-cycle. However, these two components have not received much research effort in the IPv6 world, so although IPsec IPv6-enabled implementations are getting mature, the deployment of secure VPNs in IPv6 is progressing rather slowly. This paper provides a new vision on how trust management based on cross-certification can be extended to IPv6 multi-domain scenarios and presents a policy management architecture proposed to build flexible, large-scale interoperable IPv6 VPNs solutions.


International Journal of Internet Protocol Technology | 2005

Providing advanced authentication services in IPv6 multi-domain scenarios

Gabriel López Millán; Félix J. García Clemente; Manuel Gil Pérez; Gregorio Martínez Pérez; Antonio F. Gómez Skarmeta

To enable and promote security services in IPv6 networks, like end-to-end security, AAA, HTTP or DNSsec services, or VPN networks, it is required to offer the public key services required by the involved protocols. This is the main motivation of the research work presented in this paper where the most relevant design and implementation issues related with the deployment of PKI authentication services in multi-domain IPv6 scenarios are presented.


Concurrency and Computation: Practice and Experience | 2017

Integrating an AAA-based federation mechanism for OpenStack-The CLASSe view

Alejandro Pérez Méndez; Gabriel López Millán; Rafael Marín López; David W. Chadwick; Ioram Schechtman Sette

Identity federations enable users, service providers, and identity providers from different organizations to exchange authentication and authorization information in a secure way. In this paper, we present a novel identity federation architecture for cloud services based on the integration of a cloud identity management service with an authentication, authorization, and accounting infrastructure. Specifically, we analyse how this type of authentication, authorization, and accounting–based federation can be smoothly integrated into OpenStack, the leading open source cloud software solution, using the Internet Engineering Task Force (IETF) Application Bridging for Federated Access Beyond web specification for authentication and authorization. We provide details of the implementation undertaken in GÉANT's CLASSe project and show its validation in a real testbed.


Advanced Information Networking and Applications | 2005

Deploying secure cryptographic services in multi-domain IPv6 networks

Gabriel López Millán; F.J. Garcia Clemente; Manuel Gil Pérez; Gregorio Martínez Pérez; A.F. Gomez Skarmeta

There are several reasons to offer PKI (public key infrastructure) services in IPv6 multidomain scenarios. The first reason is to provide IPv6-only or dual-stack connectivity to those Internet users and entities who want to use certification services, but there are other important motivations. If we want to enable and promote security services in IPv6 networks, like end-to-end security, AAA (authentication, authorization and accounting) services, HTTP or DNSsec services, or VPN networks, it is necessary to offer the public key services required by the involved protocols. Another relevant reason is to allow services or devices to use X.509 public key certificates containing IPv6 information, such as IPv6 addresses used, for example, by any IPsec-based VPN end point. This is the main motivation of the research work presented in this paper where the most relevant design and implementation issues related with the deployment of PKI services in a multidomain IPv6 network are presented.


Journal of Internet Technology | 2004

Secure VPNs over IPv6 Networks: An Evaluation and its Integration in a Policy Management Framework

Félix J. García Clemente; Antonio F. Gómez Skarmeta; Gabriel López Millán; Gregorio Martínez Pérez

Collaboration


Top Co-Authors

Ioram Schechtman Sette

Recife Center for Advanced Studies and Systems
