August 2013 Introduction to Moonshot

Why Moonshot?
Within education, there are a number of specialised federations:
– UK federation - Access to web-based resources
– eduroam - International wireless roaming
– eduGAIN - Access to resources worldwide
To build a single unified federation, we need a common interface, to allow us to federate anything and everything.

Federations: Why Federate?
Costs can be reduced and shared
Users take better care of a single, reusable credential
Adding services is simple
Offers enhanced privacy to users
Access decisions can be delegated to the identity provider

Federations: Why Federate?
The ATM doesn't decide whether you get your money or not - that's decided by your own bank
The ATM doesn't validate your PIN and card either - again, that's checked by your own bank

ABFAB: Application Bridging for Federated Access Beyond web

Interface: GSS
GSS-API is used by Moonshot to interface between applications and the relying party.
– GSS is not the only API supported here - SASL and SSPI work too!

Transport
Credentials are transmitted from the end user to the RP using GSS - but how do the credentials then move from the RP to the IdP?

Transport: RadSec
RadSec is a security-focused evolution of RADIUS - a proven technology that you could be using right now.
Moonshot uses RadSec to transport credentials between a Relying Party and the Identity Provider.

Transport: RadSec
eduroam has been operating using RADIUS for 10 years
In the UK alone, there are currently 229 members
Last month, the UK saw 200,000 unique devices, and handled almost 10,000,000 successful authentications
54 countries worldwide

Confidentiality
One weakness that may be apparent is that credentials are sent to the RP - the RP could potentially alter them or, worse, steal them.

Confidentiality: EAP
EAP provides a standard to encapsulate credentials, and protect them from being read by anything but the IdP - even the RP.
EAP also provides "Channel Bindings" - allowing the IdP to verify the user is connecting to the RP they think they are.

Rich Identity: SAML SAML provides a language to describe the properties a user might have - their role, address, or name for example. Moonshot supports SAML, allowing the IdP to give this information to the RP.

Moonshot Architecture
[Diagram: SSH client, SSH server and RADIUS server, with the numbered flow (1) Credentialing, (2) SSH negotiation, (3) Authentication, (4) RADIUS, (5) Attributes, (6) SSH session]
OpenSSH used as example of application; many others also apply
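The two points the previous slides make about EAP (the RP forwards credentials it cannot read, and channel bindings let the IdP check which RP the user meant) and the numbered flow in the architecture slide are easier to see in a simulation. The following is an added example, not Moonshot or ABFAB code: the "tunnel" is a toy stand-in for the TLS-protected EAP method built from SHA-256 and HMAC (not real EAP), the shared TUNNEL_KEY models the keys the client and IdP derive inside that tunnel, and the user record, RP names and the NAS identity field (modelled on the RADIUS NAS-Identifier attribute) are constructed.

```python
"""Simulated Moonshot-style flow: client -> RP (opaque EAP blob) -> IdP.

Added example, not Moonshot code.  The RP only ever sees an opaque blob and
attaches its own identity; the IdP opens the blob, checks the password, and
checks the channel binding (the RP the client intended) against the RP
identity the AAA transport reports.
"""
import hashlib
import hmac
import json
import os

# Assumed: key shared by client and IdP, standing in for the keys derived
# inside the EAP method's TLS tunnel.  The RP never holds it.
TUNNEL_KEY = b"constructed-demo-key-shared-by-client-and-idp"

# Constructed IdP user database.
IDP_USERS = {"alice@camford.ac.uk": "correct horse battery staple"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for the EAP tunnel)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises if the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_build_eap_blob(username: str, password: str, intended_rp: str) -> bytes:
    """Step (3) Authentication: the client encapsulates its credential together
    with the channel-binding data (the RP it believes it is talking to)."""
    inner = json.dumps({"user": username, "password": password, "rp": intended_rp})
    return seal(TUNNEL_KEY, inner.encode())


def rp_sees_plaintext(eap_blob: bytes) -> bool:
    """What the RP can learn from the blob: the credential never appears in clear."""
    return b"correct horse" in eap_blob


def rp_forward(eap_blob: bytes, rp_identity: str) -> dict:
    """Step (4) RADIUS: the RP wraps the opaque blob in an access request and
    asserts its own identity (modelled on NAS-Identifier)."""
    return {"eap": eap_blob.hex(), "nas_identifier": rp_identity}


def idp_authenticate(request: dict) -> dict:
    """IdP side of step (4) and step (5) Attributes."""
    inner = json.loads(unseal(TUNNEL_KEY, bytes.fromhex(request["eap"])))
    if IDP_USERS.get(inner["user"]) != inner["password"]:
        return {"result": "Access-Reject", "reason": "bad credential"}
    if inner["rp"] != request["nas_identifier"]:
        # Channel binding failure: the RP that relayed the request is not the
        # one the user intended to reach.
        return {"result": "Access-Reject", "reason": "channel binding mismatch"}
    return {"result": "Access-Accept", "attributes": {"eduPersonAffiliation": "staff"}}


def run_flow(username: str, password: str, intended_rp: str, actual_rp: str) -> dict:
    """End-to-end: client builds blob, RP forwards it, IdP decides."""
    blob = client_build_eap_blob(username, password, intended_rp)
    return idp_authenticate(rp_forward(blob, actual_rp))


if __name__ == "__main__":
    print(run_flow("alice@camford.ac.uk", "correct horse battery staple",
                   "ssh.example.org", "ssh.example.org"))
    print(run_flow("alice@camford.ac.uk", "correct horse battery staple",
                   "ssh.example.org", "other.example.org"))
```

Running it shows an Access-Accept with attributes when the RP identity matches, and an Access-Reject with "channel binding mismatch" when the request arrives via a different RP than the one the client bound to, while the RP itself never sees the password.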

Scaling
Moonshot brings together a number of technologies:
– GSS - a common interface between applications and services
– RadSec - Secure AAA Transport
– EAP - Protection for credentials
– SAML - Rich identity information
How can these technologies be scaled for use beyond a single institution?

Scaling: The Trust Router
The trust router uses the concept of a "Web of Trust" to find a trusted path to a resource.
You don't necessarily trust the person holding the resource - but you do trust the judgement of someone that can vouch for them.

Scaling: The Trust Router
[Diagram: web of trust linking University of Camford, Blue Book Publishing Inc., Internet2, Janet, Oxfordshire NHS Trust and Jisc Collections]
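The "web of trust" idea from the two slides above, as an added example that is not Trust Router code: each organisation lists who it will vouch for, and reaching a resource means finding a chain of vouches from your own organisation to the one holding it. The organisation names are the ones on the slide; the links between them, the hop limit and the function names are constructed for illustration and are not a real Trust Router configuration.

```python
"""Trust-path discovery over a web of trust (added example, not Trust Router code)."""
from collections import deque

# Constructed: who vouches for whom (directed: truster -> organisations it vouches for).
TRUST_LINKS = {
    "University of Camford": ["Janet"],
    "Janet": ["Jisc Collections", "Internet2", "Oxfordshire NHS Trust"],
    "Jisc Collections": ["Blue Book Publishing Inc."],
    "Internet2": [],
    "Oxfordshire NHS Trust": [],
    "Blue Book Publishing Inc.": [],
}


def find_trust_path(origin, target, links=TRUST_LINKS, max_hops=4):
    """Breadth-first search for the shortest chain of vouches from origin to
    target.  Returns the list of organisations on the path, or None when no
    chain of at most max_hops vouches exists (a hop limit keeps the amount of
    transitive trust we are willing to accept bounded)."""
    if origin == target:
        return [origin]
    queue = deque([[origin]])
    seen = {origin}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # would exceed the hop budget; do not extend this path
        for nxt in links.get(path[-1], []):
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == target:
                return new_path
            seen.add(nxt)
            queue.append(new_path)
    return None


def vouchers(path):
    """The intermediate organisations whose judgement the origin relies on."""
    return path[1:-1] if path else []


if __name__ == "__main__":
    p = find_trust_path("University of Camford", "Blue Book Publishing Inc.")
    print(" -> ".join(p))
    print("vouched for by:", vouchers(p))
```

With the constructed links, the university reaches Blue Book Publishing only because it trusts Janet's judgement and Janet trusts Jisc Collections, which vouches for the publisher; lowering the hop limit to 2 makes the same resource unreachable, and there is no path at all in the reverse direction, since trust here is directed.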

Scaling: The Trust Router

Moonshot and Trust Router Architecture
[Diagram showing Client, Relying Party, RP Proxy, Trust Routers and IdP Proxy, with labelled flows: GSS and EAP between Client and Relying Party; TPQ and Temporary Identity (T.I.) between the proxies and the Trust Routers; RadSec between RP Proxy and IdP Proxy; Access-Accept; Session]

Using Moonshot: UX [This slide intentionally left blank.]

Using Moonshot: UX

Using Moonshot: Why?
Enhanced UX and privacy
– Improved SSO: users can access more resources more easily
No credential management
– Home institution is responsible for provisioning credentials and support
Fine-grained security policies with minimal effort
Reduced management overhead

Using Moonshot: Use Cases
Primarily Janet is supporting research users
Strong demand from local and central government, health, education and research for a federated desktop experience
– Many desktops in these institutions run Windows
– Janet's SSPI provides this functionality already, but UX could be improved even further by tighter integration

Using Moonshot: Use Cases “We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.” -- Dr Peter Oliver, Group Leader Science and Technology Facilities Council

Using Moonshot: Use Cases “Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes without complicating the management of that system.” -- Peter Maccallum, Head of IT & Scientific Computing CRUK Cambridge Research Institute

Using Moonshot: Use Cases “Moonshot technology will give our university a better means of cooperating for research purposes using High Performance Computing” -- Alex Brulo, Senior Server Engineer (HPC) Aston University

Using Moonshot: How
Anything that understands GSS or Kerberos can already support Moonshot.
Web based applications will be able to implement the Moonshot web plugin.
Non web applications - integrate GSS, SASL or SSPI directly.
– Doing this will mean that it will work with not just Moonshot, but Kerberos/Active Directory, and more

Janet’s Moonshot Pilot

Moonshot Pilot Service
To assist pilot sites in implementing Moonshot to solve real use cases.
To fully test Janet support and infrastructure operations.
To develop, test & refine documentation, training and policies.
To inform and shape the business case for a full production service.

Janet Pilot Sites
London Research Institute, Norfolk County Council, Loughborough University, Swansea University, Newcastle University, QCIF (also working with Monash Uni), Deutsches Elektronen-Synchrotron, Universidade do Porto, University of Leicester, Georgia Tech, University of Leeds, University of Nottingham, Universidade Lusofona, University of Westminster, CANARIE Inc., London Metropolitan University, Francis Crick Institute, E2BN (East of England RBC), University of Edinburgh, Research Data, ISD, UCL, Queen Mary, University of London, Wellcome Trust Sanger Institute, GSI Darmstadt, University of Liverpool, University of Kent, University of Glasgow, University of Cambridge, University for the Creative Arts, Cardiff University and LIGO Scientific Collaboration, University of Leicester, STFC, Brunel University, Harper Adams University, University of Huddersfield, University of Southampton, Brunel University, Coleg Sir Gar, University of Sussex, University of Exeter, University of South Australia, Arkivum, Microsoft

GÉANT GN3+ MOONSHOT PILOT

GN3+ Pilot
2-year project to implement an eduGAIN pilot service to:
investigate the peering requirements between different NREN Trust Router infrastructures;
promote uptake of a standard non-web SSO solution across eduGAIN members;
implement non-web SSO for specific user-defined problems;
establish a policy framework within eduGAIN for pilot Communities of Interest

GN3+ partners: Janet, RENATER, NIIFI, SWITCH, CARNet, CESNET, NORDUnet (CSC), RedIRIS

Further Information
Moonshot Community website:
Software: https://community.ja.net/groups/moonshot/wiki/getting-started-moonshot-using-live-dvd
Standards:

THANK YOU Janet, Lumen House Library Avenue, Harwell Oxford Didcot, Oxfordshire t: +44 (0) f: +44 (0) e: