Duke Systems: Some Issues for Control Framework Security (GEC7). Jeff Chase, Duke University.


GENI Distributed Services: Preliminary Requirements and Design (flashback to 7/10/07)
Tom Anderson and Amin Vahdat (co-chairs); David Andersen, Mic Bowman, Frans Kaashoek, Arvind Krishnamurthy, Yoshi Kohno, Rick McGeer, Vivek Pai, Mark Segal, Mike Reiter, Mothy Roscoe, Ion Stoica

Security Architecture (flashback to 7/10/07)
What is the threat model?
What are the goals/requirements?
Access control
Authentication and key management
Auditing
Operator/administrative interfaces

Threat model (flashback to 7/10/07)
Exploitation of a slice
– Runaway experiments
  · Unwanted Internet traffic
  · Exhausting disk space
– Misuse of experimental service by end users
  · E.g., to traffic in illegal content
– Corruption of a slice
  · Via theft of experimenter's credentials or compromise of slice software
Exploitation of GENI itself
– Compromise of host O/S
– DoS or compromise of GENI management infrastructure

Requirements (flashback to 7/10/07)
Do no harm
Explicit delegations of authority
– Node owner → GMC → Researcher → students → …
Least privilege
– Goes a long way toward confining rogue activities
Revocation
– Keys and systems will be compromised
Auditability
Scalability/Performance
Autonomy/Federation/Policy Neutrality
– Control ultimately rests with node owners, who can delegate selected rights to GMC

"Authorization Example (simplified)" (flashback to 7/10/07)
Diagram (flattened in extraction). Actors: GENI Management Central, University 1, Local admin, University 2, Student, Machine X, Slivers, Resource monitor.
Delegation chain shown on the diagram:
1) Delegate: all authority
2) You can authorize X to send to GENI nodes
3) You can authorize X to send to GENI nodes
4) You can authorize X to send to GENI nodes
5) You can authorize X to send to GENI nodes
Machine X: "send". Resource monitor at the slivers: "X says send?"

Where are we now?
SFA is "rough consensus and running code".
SFA outlines some suggested security mechanisms and policies.
Still needed: security architecture
– Common across CFs
– Separates policy from mechanism
– Sufficiently powerful for future policy needs
– Plays well with others
– Uses standard solutions when suitable
– SFA isn't any of that.

GENI Security Architecture
Agreement on underlying mechanisms:
– Endorsement of identity
– Assertion of attributes
– Delegation of rights
– Anchored in some set of trust roots
Issued by whom? How are the subjects named? What are the attributes, rights, etc.? How to broker trust? How are authorization policies specified?
Lots of discussion (shepherded by Steve Schwab). SFA is not the right starting point or guide to consider these questions.

External Identity Providers in GENI (?)
GENI should enable/permit external IdPs.
– Leverage powerful identity solutions developed by the large community focused on that problem.
– Free GENI participants from administering identities and accounts.
Which IdPs? Shibboleth and perhaps others.
– Shibboleth is mature and widely deployed by universities and other institutions.
– Single Sign On (SSO)
SFA appears to preclude IdPs: just one reason why we need to move beyond SFA.

Using IdPs
An IdP is just a trust anchor maintained by an institution.
The IdP authenticates the user agent (login).
IdP asserts attributes of the user identity.
– E.g., signed assertion of attributes of identity bound to an HTTPS session.
– Might not reveal identity: e.g., just "Duke student".
Authorization policy in the server can consider these attributes (e.g., ABAC).
– "Duke students may use this facility on Monday."

SSO 101 (e.g., Shibboleth)
Parties on the diagram: User, Service Provider (SP), Identity Provider (IdP), Directory, Policy (at the SP).
1. User → SP: I'd like access
2. SP → User: Please login to your home IdP, which I trust.
3. User → IdP: I'd like to login for SP.
4. Login
5. IdP → User: Here are your session attributes to send to SP.
6. User → SP: Here are my attributes.
8a. Access granted
8b. Access Denied
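The two slides above (the IdP as trust anchor asserting attributes, and the SSO exchange) as an added example; this is not code from the slides or from Shibboleth. The IdP's assertion is modelled with an HMAC under a key shared with the SP (a constructed stand-in for a SAML signature; real assertions are XML signed with the IdP's private key), bound to an audience and an expiry, and the SP applies the slide's attribute policy "Duke students may use this facility on Monday" without ever learning who the user is. The names idp.duke.example, sp.geni.example and the attribute strings are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion stands in for the attribute assertion the IdP binds to the session
// (step 5) and the user agent forwards to the SP (step 6). Constructed stand-in:
// an HMAC under a key shared by IdP and SP plays the role of the IdP signature.
type Assertion struct {
	Issuer   string    // IdP that made the assertion
	Audience string    // SP the assertion was minted for
	Expires  time.Time // short lifetime bounds replay of a captured assertion
	Attrs    []string  // e.g. "affiliation=student@duke.edu"; no user name present
	MAC      string    // hex HMAC-SHA256 over the fields above
}

// canonical serialises the protected fields in a fixed order so the MAC covers them all.
func (a Assertion) canonical() string {
	return strings.Join([]string{
		a.Issuer, a.Audience, a.Expires.UTC().Format(time.RFC3339), strings.Join(a.Attrs, ","),
	}, "|")
}

func mac(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// Issue is the IdP's side of step 5: after login it asserts attributes of the
// session, addressed to one SP and valid for five minutes.
func Issue(idpKey []byte, issuer, audience string, attrs []string, now time.Time) Assertion {
	a := Assertion{Issuer: issuer, Audience: audience, Expires: now.Add(5 * time.Minute), Attrs: attrs}
	a.MAC = mac(idpKey, a.canonical())
	return a
}

// Verify is the SP's check at step 6. trusted is the SP's set of trust anchors,
// i.e. the IdPs it has agreed to believe.
func Verify(trusted map[string][]byte, spID string, a Assertion, now time.Time) error {
	key, ok := trusted[a.Issuer]
	if !ok {
		return errors.New("issuer is not a trusted IdP")
	}
	if !hmac.Equal([]byte(mac(key, a.canonical())), []byte(a.MAC)) {
		return errors.New("assertion signature invalid")
	}
	if a.Audience != spID {
		return errors.New("assertion was issued for a different SP")
	}
	if !now.Before(a.Expires) {
		return errors.New("assertion expired")
	}
	return nil
}

func hasAttr(a Assertion, want string) bool {
	for _, v := range a.Attrs {
		if v == want {
			return true
		}
	}
	return false
}

// Authorize is the SP's policy decision (8a/8b) for the slide's example rule,
// "Duke students may use this facility on Monday": attribute-based, identity-free.
func Authorize(trusted map[string][]byte, spID string, a Assertion, now time.Time) (bool, string) {
	if err := Verify(trusted, spID, a, now); err != nil {
		return false, "8b. Access denied: " + err.Error()
	}
	if hasAttr(a, "affiliation=student@duke.edu") && now.Weekday() == time.Monday {
		return true, "8a. Access granted"
	}
	return false, "8b. Access denied: policy not satisfied"
}

func main() {
	dukeKey := []byte("constructed-duke-idp-key") // shared IdP/SP key, constructed for the demo
	trusted := map[string][]byte{"idp.duke.example": dukeKey}
	monday := time.Date(2010, 3, 15, 10, 0, 0, 0, time.UTC) // a Monday, constructed
	a := Issue(dukeKey, "idp.duke.example", "sp.geni.example", []string{"affiliation=student@duke.edu"}, monday)
	fmt.Println(Authorize(trusted, "sp.geni.example", a, monday))
	a.Attrs = append(a.Attrs, "role=admin") // user agent tampers with the forwarded attributes
	fmt.Println(Authorize(trusted, "sp.geni.example", a, monday))
}
```

The order of checks matters: the signature is verified before audience and expiry are read, so the SP never makes a decision on fields it has not authenticated. Binding the assertion to one audience is what stops an attribute set minted for one SP from being presented to another.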

Example: ORCA CF
ORCA servers (actors), written in Java and communicating over XML-RPC:
– Slice Manager (SM): request → Broker; redeem → Authority/AM
– Broker (CH): ticket → SM
– Authority/AM: lease → SM; delegate → Broker
Each server has a Web portal. Operators, users, and "hands-free" tools reach the servers through the Web portals. For GENI the ORCA SMs are hosted at institutions.

The Point of the Example
Each CF server has a Web portal interface.
– (at least in ORCA)
We can use external IdPs to authenticate users at the portals.
BUT, if server SM invokes AM or CH, how does AM/CH know the user's attributes?
– Shibboleth defines "delegated authentication" mechanisms for this case.
Easy if (user agent == browser)
– "Hands-free" tools are a different problem.

Shibboleth in GENI, IMHO
Easy to use to authenticate user/browser at a portal "at the edge".
Once authenticated, user can upload a public key for use by "hands-free" tools.
– Standard for existing testbeds and clouds
– Leverages external IdPs and avoids PKI
Continue to use GENI key-based mechanisms internally.
Continue to explore potential of delegated authentication, but do not depend on it.
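Added example (not ORCA's code and not from the slides) of the approach the previous two slides settle on for hands-free tools: the portal records a public key only for a user the IdP has already authenticated, storing the IdP-asserted attributes beside it; the tool then signs each call with the matching private key, and the server (SM, AM or CH) checks the signature, freshness and a per-user nonce before acting, so it can reuse the same attribute-based policy it applies to browser sessions. Registry, Request, the method names and the 5-minute window are assumptions; Ed25519 from Go's standard library stands in for whatever key type GENI uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Registry is the portal's record of public keys uploaded by users who have
// already authenticated through their campus IdP, plus the attributes the IdP
// asserted in that SSO session. Constructed for this example, not ORCA's own.
type Registry struct {
	keys  map[string]ed25519.PublicKey
	attrs map[string][]string
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, attrs: map[string][]string{}}
}

// RegisterKey is called by the portal only for an IdP-authenticated session, so the
// binding user -> key -> attributes is established once, at the edge.
func (r *Registry) RegisterKey(user string, pub ed25519.PublicKey, idpAttrs []string) {
	r.keys[user] = pub
	r.attrs[user] = append([]string(nil), idpAttrs...)
}

// GenerateUserKey makes the keypair whose public half the user uploads.
func GenerateUserKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Request is a hands-free tool's call (an XML-RPC method name, in ORCA terms)
// signed with the user's private key so the server needs no browser session.
type Request struct {
	User      string
	Method    string // e.g. "ticket", "redeem"
	Timestamp time.Time
	Nonce     string
	Sig       []byte
}

// signedBytes fixes exactly what the signature covers: user, method, time, nonce.
func (q Request) signedBytes() []byte {
	return []byte(q.User + "\n" + q.Method + "\n" + strconv.FormatInt(q.Timestamp.Unix(), 10) + "\n" + q.Nonce)
}

// Sign runs in the tool, which holds the private key.
func Sign(priv ed25519.PrivateKey, user, method, nonce string, now time.Time) Request {
	q := Request{User: user, Method: method, Timestamp: now, Nonce: nonce}
	q.Sig = ed25519.Sign(priv, q.signedBytes())
	return q
}

// Verifier is the server side: signature against the registered key, a freshness
// window, and a (user, nonce) memory so a captured request cannot be replayed.
type Verifier struct {
	reg  *Registry
	seen map[string]bool
}

func NewVerifier(reg *Registry) *Verifier {
	return &Verifier{reg: reg, seen: map[string]bool{}}
}

// Verify returns the IdP attributes recorded at registration; the server feeds
// them to the same attribute-based policy it uses for browser sessions.
func (v *Verifier) Verify(q Request, now time.Time) ([]string, error) {
	pub, ok := v.reg.keys[q.User]
	if !ok {
		return nil, errors.New("no registered key for user")
	}
	if !ed25519.Verify(pub, q.signedBytes(), q.Sig) {
		return nil, errors.New("bad signature")
	}
	if age := now.Sub(q.Timestamp); age < -time.Minute || age > 5*time.Minute {
		return nil, errors.New("stale or future-dated request")
	}
	key := q.User + ":" + q.Nonce
	if v.seen[key] {
		return nil, errors.New("replayed request")
	}
	v.seen[key] = true
	return v.reg.attrs[q.User], nil
}

func main() {
	pub, priv, err := GenerateUserKey()
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.RegisterKey("alice", pub, []string{"affiliation=student@duke.edu"}) // after SSO at the portal
	v := NewVerifier(reg)
	now := time.Now()
	q := Sign(priv, "alice", "ticket", "nonce-1", now)
	fmt.Println(v.Verify(q, now)) // accepted: attributes returned
	fmt.Println(v.Verify(q, now)) // rejected: same nonce seen again
}
```

Because the attributes are fixed at key-registration time, the server trusts them only as long as the registration is; revoking the key (or re-running SSO to refresh the attributes) is the operational counterpart of the "Revocation" requirement on the earlier slide.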

Related Security Issues
Semantics/constraints for delegation of tickets.
– Specification and broker splitting: not embraced by SFA
Authorization for "interesting" aggregates
– OpenFlow
– Cyberphysical ("don't point the camera at the sun")
– Not addressed by SFA
Location of policy decision/enforcement code
– Policy code does not have to run at the component or AM!
Naming structures
– If A asserts attributes of object X, is it possible for M to hijack the name X, i.e., to hijack the endorsement?
– SFA specifies (in essence) DNSSEC hierarchy with zones.

eom

Stitching
Diagram (flattened in extraction): Guest/experiment → Slice Manager (SM) → RENCI/GENI clearinghouse (Broker Engine, issues tickets) → multiple aggregate managers (AM, issue leases). Exchange of labels, tokens, configuration attributes etc. through the SM.