Welcome to SESAME

ADVANCED DISTRIBUTED ACCESS CONTROL FOR THE AGE OF THE OPEN SYSTEM

SESAME IS AVAILABLE NOW

Contents
1. SESAME in a nutshell
2. What is SESAME?
3. How does SESAME work?
4. How does SESAME relate to Kerberos?
5. What about the GSS-API?
6. SESAME's open systems origins
7. Where do I find out more about SESAME?
8. How do I obtain the SESAME technology?
9. The SESAME User Forum

1. SESAME IN A NUTSHELL

- SESAME supports single sign-on to the network.
- SESAME provides role-based distributed access control using digitally signed Privilege Attribute Certificates (PACs), with optional delegation of access rights.
- SESAME supports full cryptographic protection of the exchanges between users and remote applications.
- SESAME supports multiple-domain operation, where each domain may apply a different security policy.
- SESAME can be scaled to operate over very large networks through its use of public-key technology.
- SESAME builds on work done in international standards: it is an Open Systems solution.
- SESAME uses the widely accepted Generic Security Service API (GSS-API).
- Applications written to the GSS-API get mechanism transparency: they do not depend on the details of the underlying security mechanism.
- SESAME is available NOW.

2. WHAT IS SESAME?

SESAME (a Secure European System for Applications in a Multi-vendor Environment) is a European research and development project, part-funded by the European Commission under its RACE programme. It is also the name of the technology that came out of that project. The SESAME technology offers sophisticated single sign-on with added distributed access control features and cryptographic protection of interchanged data.

SESAME is a construction kit: a set of security infrastructure components for product developers. It provides the underlying bedrock upon which fully managed single sign-on products can be built. Examples of such products are ICL's Access Manager and Bull SA's Integrated System Management AccessMaster (ISM AccessMaster).
Siemens (Software & Systems Engineering Ltd) is also using SESAME technology to improve its secure X.400 mail product set.

3. HOW DOES SESAME WORK?

This is what happens:

To access the distributed system, a user first authenticates to an Authentication Server to obtain a cryptographically protected token that proves his or her identity.

The user then presents that token to a Privilege Attribute Server, which returns a guaranteed set of access rights contained in a Privilege Attribute Certificate (PAC). The PAC is a specific form of Access Control Certificate that conforms to ECMA and ISO/ITU-T standards. The issuing, protection and use of PACs are central features of the SESAME design.

The user presents the PAC to a target application whenever access to a protected resource is needed. The target application makes its access control decision from the user's security attributes in the PAC together with other access control information attached to the controlled resource (for example an Access Control List). A PAC can be used more than once, and at more than one target application. It is digitally signed by the Privilege Attribute Server, so that any tampering with it is detected.

In some circumstances a user wants an application to act on his or her behalf, that is, to delegate access rights to that application. SESAME supports delegation under the user's control: the user dictates which applications are permitted to act as delegates, and which other applications those delegates may access on the user's behalf.

The PAC is cryptographically protected from the point it leaves the Privilege Attribute Server all the way to the final target application, so that nobody but its genuine owner or an authorised delegate can make use of it. The signature alone does not achieve this: a signed PAC could be copied by anyone who intercepts it and replayed unchanged. To bind the PAC to its owner, SESAME needs to establish temporary secret cryptographic keys shared pairwise between the participants.
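The flow just described, as an added illustrative model that is not SESAME's own code: a Privilege Attribute Server issues a signed PAC carrying roles and a delegation policy; the owner, or an application acting as delegate, presents it to a target under a pairwise key; the target checks the signature, the lifetime, possession of the key, the delegation policy, replay, and finally the PAC's roles against the resource's ACL (the possession check is the role the Dialogue Keys of the next paragraph play). Everything in it is an assumption for illustration: HMAC-SHA256 stands in for the PAS's public-key signature (so the target here holds the PAS key rather than just a public key) and for the pairwise/dialogue keys, a JSON dictionary stands in for the ECMA PAC encoding, the principal names, keys and ACL are constructed, and key distribution (Kerberos or public-key) is assumed to have already happened.

```python
"""Model of the SESAME PAC flow (section 3). Added example, not SESAME code.
Assumptions: HMAC-SHA256 stands in for the PAS public-key signature and for the
pairwise/dialogue keys; a JSON dict stands in for the ECMA PAC encoding; key
distribution (Kerberos or public-key) is assumed to have already happened."""
import hashlib
import hmac
import json


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canon(obj) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_pac(pas_key, user, roles, delegates, now, lifetime):
    """PAS side: bind the user's roles and delegation policy, then sign."""
    body = {"issuer": "PAS", "user": user, "roles": sorted(roles),
            "delegates": sorted(delegates),   # apps allowed to act for the user
            "not_before": now, "not_after": now + lifetime}
    return {"body": body, "sig": _mac(pas_key, _canon(body))}


def build_request(pac, presenter, dialogue_key, op, resource, nonce):
    """Client side: present the PAC and prove possession of the pairwise key
    shared between `presenter` (owner or delegate) and the target."""
    req = {"pac": pac, "presenter": presenter, "op": op,
           "resource": resource, "nonce": nonce}
    req["proof"] = _mac(dialogue_key, _canon(req))
    return req


class Target:
    def __init__(self, pas_key, dialogue_keys, acl):
        self.pas_key = pas_key              # PAS verification key (public key in SESAME)
        self.dialogue_keys = dialogue_keys  # principal -> pairwise key with this target
        self.acl = acl                      # resource -> {role: set of permitted ops}
        self.seen = set()                   # nonces already accepted, against replay

    def decide(self, req, now):
        pac, body = req["pac"], req["pac"]["body"]
        # 1. PAC integrity: the signature detects tampering with the attributes.
        if not hmac.compare_digest(pac["sig"], _mac(self.pas_key, _canon(body))):
            return "DENY: PAC signature invalid"
        # 2. PAC lifetime.
        if not body["not_before"] <= now <= body["not_after"]:
            return "DENY: PAC expired or not yet valid"
        # 3. Possession: a signed PAC can be copied, so the request must verify
        #    under the pairwise key of the principal presenting it.
        presenter = req["presenter"]
        key = self.dialogue_keys.get(presenter)
        unsigned = {k: v for k, v in req.items() if k != "proof"}
        if key is None or not hmac.compare_digest(req["proof"], _mac(key, _canon(unsigned))):
            return "DENY: proof of PAC possession failed"
        # 4. Delegation: anyone other than the owner must be a listed delegate.
        if presenter != body["user"] and presenter not in body["delegates"]:
            return f"DENY: {presenter} is not an authorised delegate of {body['user']}"
        # 5. Replay within this dialogue.
        if req["nonce"] in self.seen:
            return "DENY: replayed request"
        self.seen.add(req["nonce"])
        # 6. Access decision: roles carried in the PAC against the resource ACL.
        permitted = self.acl.get(req["resource"], {})
        if any(req["op"] in permitted.get(role, ()) for role in body["roles"]):
            return "ALLOW"
        return f"DENY: no role in PAC grants {req['op']}"


def run_demo():
    """Normal case plus the failure modes; returns the list of decisions."""
    pas_key = b"constructed PAS signing key"
    keys = {"alice": b"constructed alice/payroll key",          # owner <-> target
            "reportgen": b"constructed reportgen/payroll key",  # delegate <-> target
            "rogue": b"constructed rogue/payroll key"}          # unrelated app <-> target
    acl = {"/payroll/db": {"payroll-clerk": {"read"}, "payroll-admin": {"read", "write"}}}
    now = 1_000_000
    payroll = Target(pas_key, keys, acl)
    pac = issue_pac(pas_key, "alice", ["payroll-clerk"], ["reportgen"], now, 3600)
    forged = json.loads(json.dumps(pac))            # copy, then escalate the role
    forged["body"]["roles"] = ["payroll-admin"]
    cases = [
        (pac, "alice", keys["alice"], "read", 1, now),          # owner, permitted op
        (pac, "alice", keys["alice"], "write", 2, now),         # owner, op not in ACL
        (pac, "reportgen", keys["reportgen"], "read", 3, now),  # authorised delegate
        (pac, "rogue", keys["rogue"], "read", 4, now),          # captured PAC, not a delegate
        (pac, "alice", keys["rogue"], "read", 5, now),          # impersonating the owner
        (forged, "alice", keys["alice"], "write", 6, now),      # tampered PAC
        (pac, "alice", keys["alice"], "read", 1, now),          # replay of request 1
        (pac, "alice", keys["alice"], "read", 7, now + 7200),   # PAC expired
    ]
    return [payroll.decide(build_request(p, who, k, op, "/payroll/db", n), t)
            for p, who, k, op, n, t in cases]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The order of the checks matters: integrity and lifetime are verified before anything in the PAC is trusted, possession is verified before the delegation policy is consulted, and the ACL is consulted last, so a forged or replayed PAC never reaches the access decision. With a real public-key signature the target would hold only the PAS's public key, which is what lets a PAC be used at many targets without sharing the PAS's signing secret with any of them.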
Kerberos key distribution protocols can be used for this, but they can also be supplemented, or where appropriate completely replaced, by public-key technology. SESAME also supports Certification Authorities and X.509 Directory user certificates, following ISO/ITU-T standards.

User data passed in a dialogue between a client and a server can optionally be integrity protected, confidentiality protected, or both, using specially created Dialogue Keys. Dialogue Keys also ensure that the actions being authorised really have come from the user whose PAC is providing the basis for that authorisation: a request is only acted on if it is protected under the key held by the PAC's owner or an authorised delegate.

4. HOW DOES SESAME RELATE TO KERBEROS?

Similar work, aimed specifically at UNIX systems, has been done by the Massachusetts Institute of Technology, which developed a basic distributed single sign-on technology called Kerberos. Kerberos has been proposed as an Internet standard (RFC 1510). In the light of this work, the SESAME project decided that in its early implementation some of the SESAME components would be accessible through the Kerberos V5 protocol (as specified in RFC 1510), and would use Kerberos data structures as well as new SESAME ones. This has shown unequivocally that a product-quality approach reusing selected parts of the Kerberos specification is workable, and that a world standard incorporating features of both technologies is possible.

SESAME adds to Kerberos: heterogeneity, sophisticated access control features, the scalability of public-key systems, better manageability, audit, and delegation.

5. WHAT ABOUT THE GSS-API?

Another important development in the field of open distributed system security has been the Generic Security Services Application Program Interface (GSS-API). This interface hides from its callers the details of the specific underlying security mechanism, leading to better application portability and moving generally in the direction of better interworking capability.
The GSS-API also completely separates the choice of security mechanism from the choice of communications protocol: a GSS-API implementation is viable across virtually any communications method. The GSS-API is an Internet and X/Open standard. SESAME is accessed through the GSS-API, extended to support the features needed to provide distributed access control.

6. SESAME'S OPEN SYSTEMS ORIGINS

SESAME's origins lie in the Open Systems standards work of ECMA, the European Computer Manufacturers Association. In 1987 ECMA started its work on Security in Open Systems, and it was there that the early ideas on which SESAME is based were formed. Since that first meeting, experts from all of the major computer manufacturers have at different times been involved in this work. The Technical Report and three Standards produced by this group describe an Open Systems approach to single sign-on. ISO adoption of the ECMA work is underway.

The success of the ECMA initiative prompted the European Commission to sponsor, under its RACE programme, a project aimed at proving this theory in the hard school of actual implementation, and Project SESAME was born. The SESAME project was undertaken by Bull, ICL and Siemens with part-funding from the EC. It developed the security components that are the subject of this homepage.

7. WHERE DO I FIND OUT MORE ABOUT SESAME?

SESAME information available at this time:

General information
- README
- Terms and conditions

SESAME technology documentation (overview, administration guides, ...):
- DOC-TXT: documentation in ASCII format.
- DOC-PS: documentation in PostScript format.

SESAME-related information:
- Internet Draft: The SESAME GSS-API mechanism
- Internet Draft: Extended GSS-API - Access Control and Delegation Extensions
- ECMA-219: Authentication and Privilege Attribute Security Application with Related Key Distribution Functions (in PostScript)

SESAME conference papers:
- P. V. McMahon, "SESAME V2 Public Key and Authorization Extensions to Kerberos", ISOC Symposium, 1994.

Contact points:
- ICL: Mr. Don Salmon (D.J.Salmon@bra0108.wins.icl.co.uk)
- Bull: Mr. Eric Baize (E.Baize@frcl.bull.fr)
- SNI: Mr. Stephen Farrell (stephen.farrell@sse.ie)

SESAME discussion list: to subscribe to the SESAME discussion mailing list, send the following command in a message without a subject to listserv@inf.enst.fr:

SUB sesame Your Name (e.g. SUB sesame Peter Smith)

8. HOW DO I OBTAIN THE SESAME TECHNOLOGY?

SESAME V2 and SESAME V3 were made available to selected pilot sites for experimentation. Feedback from that experimentation has been brought back into SESAME V4. SESAME V4 has been released to the general public and is available here.

The SESAME technology is a set of functional components currently being used by its developers in the construction of vendor products. Version V4, however, is a release for non-commercial and evaluation purposes only and is distributed under licence. You must first accept the terms of the licence (see the LICENCE file) before obtaining SESAME V4 (see Contact points under item 7).

9. THE SESAME USER FORUM

The SESAME User Forum was established in 1994 and operates informally. Work is mainly done by e-mail and at meetings (four per year). Francois Sallé of Eucis Conseil acts as convenor of the meetings.

The objectives of the SESAME User Forum:
- To be a recognised body to receive advance product and technology information from SESAME technology suppliers.
- To be a forum for the exchange of information on the SESAME architecture and specifications, SESAME products, and SESAME experimentation.
- To express feedback from SESAME users and priorities for future developments.
- To make as much information as possible available in the public domain.
- To recommend guidelines for the use of SESAME in order to ensure interoperability where required.
- To encourage the development of secure applications under SESAME.
- To promote the SESAME architecture as an Open Standard.

Current members: Alcatel, Baltimore Technologies, Cambridge University, Eucis Conseil, ENST, Bull, ICL, KU Leuven, Siemens Nixdorf, Thomson CSF.

Eligibility for membership: if you are willing to support the objectives of the group and you fit into one of the three categories listed below, you can apply for membership:
- Users and potential users of SESAME technology
- SESAME technology suppliers
- Recognised experts and representatives of other groups

New members have to be agreed on by the current members.

How to apply for membership: send the convenor an e-mail memo indicating your interest in SESAME, the background of your organisation and your motivation for becoming a member.

This page is administered by Mark Vandenwauver (vdwauver@esat.kuleuven.ac.be).