Security and Delegation: The Certificate Perspective
Jens Jensen, Rutherford Appleton Laboratory
Workshop at NIKHEF, 27 April 2010

Why Security?
- Protect our infrastructure (and users' data)
- Enforce allocations
- Accounting for resource use
- Track resource misuse
- Peering – across UK, Europe, World

Security – site requirements
- Let the good guys in
- Keep the bad guys out
- Minimal support requirements

Security – user requirements
- "No security"
- "It only gets in the way"
- "Add it later"

Security – user requirements (enlightened version)
- Should be like a duck
- Who moves across the pond
- Paddling of feet unseen

Model

Certificates: The Executive Summary
- Combine, into a signed envelope:
  - A name – globally unique
  - A public key
  - Assertions ("extensions"), lifetime

Certificates
- Validity asserted by authority
- Timeliness of information
- Revocable
- Secrets managed by user
- Single identity (credential)

Certificates
- Advantages
  - Standard
  - Interoperable
  - Scalable
- Disadvantages
  - Need tools
  - Needs infrastructure

Delegation of identity

Delegation of ID
- Agent acts on behalf of user
- Acts as the user
- SHOULD NOT be delegated to other user (really!)
- Restrictions?
- Can delegations be delegated?

Delegation of ID
- Protect original credentials
- Create delegated credentials
- Cf Kerberos TGT -> session ticket
- Cf SAML authentication assertions
- Cf OAuth
- What has the credential done?

Example: Credential Conversion
- Scientist wishes to do work
- Logs in
- Uses resource

Example (diagram): User, Agent, Credentials Store

GSI proxies
- GSI = Globus Security Infrastructure
- RFC 3820
- Sort of extending the cert chain
- Extends existing trust infrastructure
- Keeps (orig) secret with users

GSI
1. Proxy credential format – limiting redelegation
2. Delegation-"extended" TLS – secrets never cross the wire

GSI proxies
- Advantages
  - Work with the grid
  - In std OpenSSL
  - Can limit proxy, e.g. by policy
  - Client keeps secret secret
- Disadvantages
  - Not common outside
  - Off by default
  - Somewhat coarse-grained
  - Delegatee has unprotected working secret

Delegation Step (simplified)
1. Recipient generates key pair, CSR
2. Recipient sends CSR to Sender
3. Sender signs CSR into (proxy) cert
4. Sender sends proxy cert to Recipient

Personal Certificate (diagram)
- Private key
- Personal certificate
- Issued by a CA (chain)

MyProxy (diagram: Private Key, Personal Certificate, Uploader Proxy, MyProxy Proxy)
- Proxy certificate "uploaded" to a MyProxy server
- Private key is stored in MyProxy server
- Principle: private key doesn't cross the wire

UI Proxy (diagram: Private Key, Personal Certificate, Uploader Proxy, MyProxy Proxy, UI Proxy)
- I get a delegated proxy to work with

VOMSified proxy (diagram: Private Key, Personal Certificate, Uploader Proxy, MyProxy Proxy, UI Proxy)

Things to Note
- Only the most recent private key is present in the proxy
- The other keys are not needed!!
- Lifetime of "parent" proxy must (should) span all children
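The four delegation steps and the lifetime rule above, as an added example in Go (standard library only; not from the slides or from Globus): the recipient generates a key pair and CSR, the sender signs it into an RFC 3820 proxy whose critical ProxyCertInfo extension carries pCPathLenConstraint to limit redelegation, and refuses a proxy that would outlive its parent. Assumptions: the personal certificate is a self-signed stand-in with no CA chain, and the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// RFC 3820 identifiers: the ProxyCertInfo extension and the "inherit all" proxy policy language.
var oidProxyCertInfo, oidInheritAll = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14}, asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1}
type proxyCertInfo struct { // the extension's ASN.1 shape; pCPathLenConstraint is always written here
	PathLen int // 0 means this proxy may not sign a further proxy
	Policy  struct{ Language asn1.ObjectIdentifier }
}

// demoUserCert is a self-signed stand-in for the CA-issued personal certificate (demo only, no CA chain).
func demoUserCert(cn string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(ttl)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Step 1 (recipient): fresh key pair plus a CSR for it; this private key never crosses the wire.
func recipientCSR() (*ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	return key, csr
}
// Step 3 (sender): sign the CSR into a proxy certificate that cannot outlive its parent; step 4 is returning it.
func signProxy(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, csrDER []byte, pathLen int, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil { err = csr.CheckSignature() } // proof that the recipient holds the matching private key
	if err != nil { return nil, err }
	if time.Now().Add(ttl).After(parent.NotAfter) { return nil, errors.New("proxy would outlive its parent") }
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	pciDER, _ := asn1.Marshal(proxyCertInfo{PathLen: pathLen, Policy: struct{ Language asn1.ObjectIdentifier }{oidInheritAll}})
	subject := parent.Subject // RFC 3820 naming: the issuer's name plus one extra CN holding the serial
	subject.ExtraNames = append(subject.ExtraNames, pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: serial.String()})
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: serial, Subject: subject, NotBefore: time.Now(), NotAfter: time.Now().Add(ttl),
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pciDER}}}, parent, csr.PublicKey, parentKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Plain X.509 path validation (for example `CheckSignatureFrom`) rejects the result because the personal certificate is not a CA, which is the "off by default" point: a relying party needs RFC 3820-aware verification.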

Things to Note
- Rights of a proxy can be inherited from parent
- And restricted by policy
- And granted by (attribute) authority
- AA different from IdP

Central AuZ (diagram): VOMS with IdP1, IdP2, IdP3, IdP4

Issues
- Tracking proxies once issued
  - Where it is
  - What it has done
  - What it is doing
- Usefully restricting proxies
  - Expressiveness and granularity
  - Enforceable and enforced
- Stopping naughty proxies

Delegation of Authority
- More like roles
- Or other attributes
- Or specific actions on objects

RBAC (diagram): User, Role, Admission

Delegation of Authority
- Roles are harder to scale
- Unless they are few and coarse grained
- Need translations between role providers
- Unless you have only one role provider
- Or there is a standard and people actually follow it (This never happens)

…Usability?
- Security… a necessary evil?
- Technophobes

Improve tools
- With MyProxy, VOMS
- Improving client tools
- Browsers don't work so well for PKI

Experiences
- Usable security
  - …satisfying user and site requirements…
  - …makes happy(er) and productiver users

Credential Stores
- Manage long term credential centrally
- Create short term credential when needed
- Credential conversion -> create GSI proxies -> download
- MyProxy, SLAC VSC, …

Aspects
- To centralise or not to centralise
- Mapping to roles and local ids
- Flavours of proxy certificates: pre-RFC, RFC, …

Getting certificates
- International Grid Trust Federation: global, with ~80 countries
- Creating them yourselves: credential conversion based on local IdPs
- Advice: use IGTF if you can

Shib for CC (credential conversion)
- Password -> Shibboleth -> Resource access
- Create certificates instead (portal)

MyProxy for CC
- Grids (NGS, gLite/GridPP, SRB)
- Kerberos or Active Directory

Interoperation and standards
- Standards improve standardisation
  - Not just a tautology
  - More and better implementations
- Standards improve interoperability
- Interoperability improves reusability
- Reusable means more versatile
- Improves usability

Ponder
- What do we learn from other communities?
  - Components for reuse
  - Experiences
- Deploy services for other communities – try to adapt what they already have

Dimensions
- Time (user's)
- Time (ours)
- Space (geo)
- Financial and resources
- Ease of use
- Assurance
- Trust
- End to end (user to system)

Don't reinvent the (image)
- But did they want this? or this?

Final words (promise)
- Aim to meet user and site requirements
- Build on stuff that works (or build stuff that works…)
- Users don't always know what they want
- Don't forget, it's an experimental science – across all dimensions