AAVS Middleware Security Group Bob Cowles CERN – September 14, 2005.

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
A responsibility based model EDG CA Managers Meeting June 13, 2003.
Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
Validity Management in SPKI 24 April 2002 (author) (presentation)
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
Certificate revocation list
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.
Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.
Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to.
15.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Key Management.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
1 PKI Disaster Recovery and Key Rollover Bull S.A.S.
Academia Sinica Grid Computing Certification Authority (ASGCCA)
BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
3 Copyright © 2004, Oracle. All rights reserved. Controlling Access to the Oracle Listener.
Chapter 14: Representing Identity Dr. Wayne Summers Department of Computer Science Columbus State University
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.
Shibboleth 1.2 Technical Overview “So you thought 1.1 was complicated…” Scott Cantor The Ohio State University and Internet2 Scott Cantor.
Security on Grid: User Interface, Internals and APIs Simone Campana LCG Experiment Integration and Support CERN IT.
HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.
PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.
TAG Presentation 18th May 2004 Paul Butler
Key management issues in PGP
CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers By Kartik Patel.
Jean-Philippe Baud, IT-GD, CERN November 2007
JLR, Tozny, and DHS Isaac Potoczny-Jones
Document update - what has happened since GGF11
The Development Process of Web Applications
Trust Anchor Management Problem Statement
Cryptography and Network Security
draft-lemonade-imap-submit-01.txt “Forward without Download”
TAG Presentation 18th May 2004 Paul Butler
Security for Open Science
Chapter 15 Key Management
SPE Expectations Leverage existing delivery technologies
Authentication Applications
How to Check if a site's connection is secure ?
Update on EDG Security (VOMS)
کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)
Chapter 14: Representing Identity
Security in ebXML Messaging
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
Digital Certificates and X.509
CS 465 Certificates Last Updated: Oct 14, 2017.
Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau
Chapter 15 Key Management
Presentation transcript:

AAVS Middleware Security Group Bob Cowles CERN – September 14, 2005

2 Proxy Certificates Self-signed by an end-entity – not normally acceptable RFC 3820 defines motivation and usage Private key not protected except by file system security No CRL

3 Compromise Mitigations Only a single user Limited lifetime Does not compromise the original end- entity certificate Can be restricted in usage

4 Drawbacks Actual Use Lifetime may not be very limited No real agreement on renewal process Little use of limiting capabilities

5 Moving Ahead Renewal Can enforce limited lifetime constraint If application error, things don’t work and the bug gets fixed However –Proxy still exposed for inappropriate use until it expires –Significant resources can e consumed that are wasted

6 Moving Ahead Revocation Can use OCSP for “lighter weight” and more timely revocation Allows for more prompt revocation of compromised proxys However –Application may not be able to get information from server –Increased complexity of certificate validation

7 Moving Ahead Path forward is not clear Will need to use experience Need to maintain flexibility Need to increase security of checks from compromise If we have strong auth structure, do we even care about revoking authentication?

8 AAVS AA Validation Service Start with standard API of library routines for applications to call Move as quickly as possible to external service Eases load on application developers More flexibility as new requirements are discovered

9 Comments Discussion?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.