3
SESAME IN A NUTSHELL SESAME supports single sign-on to the network. SESAME provides role based distributed access control using digitally signed Privilege Attribute Certificates, with optional delegation of access rights. SESAME supports full cryptographic protection of exchanges between users and remote applications. SESAME supports multiple domain operation with different security policies. SESAME can be scaled to operate over very large networks through its use of public key technology. SESAME builds on work done in international standards - it is an Open Systems solution. SESAME uses the widely accepted Generic Security Service API (GSS-API). The SESAME user gets mechanism transparency. SESAME is available NOW WHAT IS SESAME? SESAME (a Secure European System for Applications in a Multi- vendor Environment) is a European research and development project, part funded by the European Commission under its RACE programme. It is also the name of the technology that came out of that project. The SESAME technology offers sophisticated single sign-on with added distributed access control features and cryptographic protection of interchanged data. SESAME is a construction kit. It is a set of security infrastructure components for product developers. It provides the underlying bedrock upon which full managed single sign-on products can be built. Examples of such products are ICL's Access Manager and Bull SA's Integrated System Management AccessMaster (ISM AccessMaster) . Siemens (Software & Systems Engineering Ltd) is also using SESAME technology to improve its secure X.400 mail product set. HOW DOES SESAME WORK?

Sesame in a nutshell

Embed Size (px)

Citation preview

Page 1: Sesame in a nutshell

SESAME IN A NUTSHELL

SESAME supports single sign-on to the network. SESAME provides role based distributed access control using digitally signed

Privilege Attribute Certificates, with optional delegation of access rights. SESAME supports full cryptographic protection of exchanges between users and

remote applications. SESAME supports multiple domain operation with different security policies. SESAME can be scaled to operate over very large networks through its use of public

key technology. SESAME builds on work done in international standards - it is an Open Systems

solution. SESAME uses the widely accepted Generic Security Service API (GSS-API). The

SESAME user gets mechanism transparency. SESAME is available NOW

WHAT IS SESAME?

SESAME (a Secure European System for Applications in a Multi-vendor Environment) is a European research and development project, part funded by the European Commission under its RACE programme. It is also the name of the technology that came out of that project.The SESAME technology offers sophisticated single sign-on with added distributed access control features and cryptographic protection of interchanged data.SESAME is a construction kit. It is a set of security infrastructure components for product developers. It provides the underlying bedrock upon which full managed single sign-on products can be built.Examples of such products are ICL's Access Manager and Bull SA's Integrated System Management AccessMaster (ISM AccessMaster). Siemens (Software & Systems Engineering Ltd) is also using SESAME technology to improve its secure X.400 mail product set.

HOW DOES SESAME WORK?

This is what happens:To access the distributed system, a user first authenticates to an Authentication Server to get a cryptographically protected token used to prove his or her identity. The user then presents the token to a Privilege Attribute Server to obtain a guaranteed set of access rights contained in a Privilege Attribute Certificate (or PAC). The PAC is a specific form of Access Control Certificate that conforms to ECMA and ISO/ITU-T standards.The promulgation, protection and use of PACs are central features of the SESAME design.The PAC is presented by the user to a target application whenever access to a protected resource is needed. The target application makes an access control decision according to the user's security attributes from the PAC, and other access control information (for example an Access Control List) attached to the controlled resource.A PAC can be used more than once at more than one target application. It is digitally signed to prevent it being undetectably tampered with.

Page 2: Sesame in a nutshell

In some circumstances a user might want an application to act on his or her behalf. The user might want to delegate access rights to that application. SESAME supports delegation, allowing this to be controlled by the user, who can dictate which applications are permitted to act as delegates, and which other applications they can access on the user's behalf.The PAC is cryptographically protected from the point it leaves the Privilege Attribute Server all the way to the final target application to prevent anybody but its genuine owner or an authorised delegate making use of it.To provide this protection SESAME needs to establish temporary secret cryptographic keys shared pairwise between the participants. Kerberos key distribution protocols can be used for this, but they can also be either supplemented, or where appropriate completely replaced by public key technology. SESAME also supports Certification Authorities, X.509 Directory user certficates, following ISO/ITU-T standards.User data passed in a dialogue between a client and a server can optionally be either integrity protected or confidentiality protected or both, using specially created Dialogue Keys.Dialogue Keys also ensure that the actions that are authorised really have come from the user whose PAC is providing the basis for that authorisation.

HOW DOES SESAME RELATE TO KERBEROS?

Similar work, aimed specifically at UNIX systems, has been done by the Massachusetts Institute of Technology which has developed a basic distributed single sign-on technology called Kerberos. Kerberos has been proposed as an Internet standard (rfc1510).In the light of this work, the SESAME project decided that in its early implementation some of the SESAME components would be accessible through the Kerberos V5 protocol (as specified in RFC1510), and would use Kerberos data structures, as well as new SESAME ones. This has shown unequivocally that a product quality approach reusing selected parts of the Kerberos specification is workable and that a world standard is possible incorporating features of both technologies." SESAME adds to Kerberos : Heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation.

WHAT ABOUT THE GSS-API?

Another important development in the field of Open distributed system security has been the Generic Security Services Application Program Interface (GSS-API). This interface hides from its callers the details of the specific underlying security mechanism, leading to better application portability, and moving generally in the direction of a better interworking capability.The GSS-API also completely separates the choice of security mechanism from choice of communications protocol. A GSS-API implementation is viable across virtually any communications method. GSS_API is an Internet and X/Open standard.SESAME is accessed through the GSS-API, extended to support features needed to provide distributed Access Control.


Fluidinfo in a Nutshell

Fluidinfo in a Nutshell

Technology
Open sesame: Identification of sesame oil and oil soot ink in … · RESEARCH ARTICLE Open sesame: Identification of sesame oil and oil soot ink in organic deposits of Tang Dynasty

Open sesame: Identification of sesame oil and oil soot ink in … · RESEARCH ARTICLE Open sesame: Identification of sesame oil and oil soot ink in organic deposits of Tang Dynasty

Documents
Nutrition in a nutshell

Nutrition in a nutshell

Health & Medicine
2014 Ethiopia Sesame Outlook. Topics Country Profile Sesame Production Sesame Marketing Opportunities in Ethiopia Sesame Challenges in Ethiopia

2014 Ethiopia Sesame Outlook. Topics Country Profile Sesame Production Sesame Marketing Opportunities in Ethiopia Sesame Challenges in Ethiopia

Documents
Features in GEMINI in Nutshell

Features in GEMINI in Nutshell

Documents
Migration In a Nutshell Migration In a Nutshell Migration In a Nutshell D.S. Macpherson

Migration In a Nutshell Migration In a Nutshell Migration In a Nutshell D.S. Macpherson

Documents
Nutch in Nutshell

Nutch in Nutshell

Documents
Sesame in Medicine

Sesame in Medicine

Documents
In a nutshell . .

In a nutshell . .

Documents
OSGi In A Nutshell

OSGi In A Nutshell

Technology
ITIL in Nutshell

ITIL in Nutshell

Documents
Agile in a Nutshell

Agile in a Nutshell

Business
Networking in Nutshell

Networking in Nutshell

Business
Marketing : In a Nutshell

Marketing : In a Nutshell

Business
Singapore in a nutshell

Singapore in a nutshell

Documents
Chamberlin in a Nutshell

Chamberlin in a Nutshell

Business
Studio09 in a nutshell

Studio09 in a nutshell

Documents
Arquillian in a nutshell

Arquillian in a nutshell

Software
Abolition In A Nutshell

Abolition In A Nutshell

News & Politics
GeoDjango in a nutshell

GeoDjango in a nutshell

Technology
In a In a February 2008 Nutshell Nutshellaustralianalmonds.com.au/documents/Newsletters/Nutshell...In a In a February 2008 Nutshell Nutshell In this issue: In this issue: Potential

In a In a February 2008 Nutshell Nutshellaustralianalmonds.com.au/documents/Newsletters/Nutshell...In a In a February 2008 Nutshell Nutshell In this issue: In this issue: Potential

Documents
BUSAN in a Nutshell

BUSAN in a Nutshell

Government & Nonprofit
Oikocredit in a nutshell

Oikocredit in a nutshell

Documents
Ambience In A Nutshell

Ambience In A Nutshell

Technology
Smalltalk In a Nutshell

Smalltalk In a Nutshell

Technology
Sesame Consumption Trends in Japan

Sesame Consumption Trends in Japan

Documents
In a nutshell!

In a nutshell!

Documents
MS: In a Nutshell

MS: In a Nutshell

Health & Medicine
Cassandra In A Nutshell

Cassandra In A Nutshell

Technology
Learning in nutshell

Learning in nutshell

Business