Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Slides:



Advertisements
Similar presentations
Integrating PKI and Kerberos Authentication services Alberto Pace.
Advertisements

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide
Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Password?. Project CLASP: Common Login and Access rights across Services Plan
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Password?. Project CLASP: Common Login and Access rights across Services Plan
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Using Digital Credentials On The World-Wide Web M. Winslett.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Signing and Encrypting With the Thawte Web of Trust CSU Professional Development Institute January 8, 2009 Steve Lovaas.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Computer Science Public Key Management Lecture 5.
Public Key Infrastructure from the Most Trusted Name in e-Security.
Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Week #7 Objectives: Secure Windows 7 Desktop
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
Integrating PKI and Kerberos Authentication services Emmanuel Ormancey, Alberto Pace.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Module 9: Fundamentals of Securing Network Communication.
Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl.
Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
Harshavardhan Achrekar - Grad Student Umass Lowell presents 1 Scenarios Authentication Patterns Direct Authentication v/s Brokered Authentication Kerberos.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
Windows 2000 Certificate Authority By Saunders Roesser.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
Password? CLASP Project FOCUS Meeting, 12 October 2000 Denise Heagerty, IT/IS.
Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
Computer and Network Security - Message Digests, Kerberos, PKI –
Creating and Managing Digital Certificates Chapter Eleven.
Web Services Security Patterns Alex Mackman CM Group Ltd
1 of 4 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
The New CERN Mail Services Information for group Administrators Alberto Pace for the Internet Service Group and the Mail Migration Task Force.
Password? CLASP Phase 2: Revised Proposal FOCUS, 3 May 2001 Denise Heagerty, IT/IS.
CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
X509 Web Authentication From the perspective of security or An Introduction to Certificates.
Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.
Secure Connected Infrastructure
Data and Applications Security Developments and Directions
Module 8: Securing Network Traffic by Using IPSec and Certificates
CERN Certificates platform Emmanuel Ormancey / Anatoly Gladkov
Public Key Infrastructure from the Most Trusted Name in e-Security
CLASP Project AAI Workshop, Nov 2000 Denise Heagerty, CERN
Module 8: Securing Network Traffic by Using IPSec and Certificates
Building Security into Your System
Presentation transcript:

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Authentication Methods  Two technologies for authentication: Kerberos and X.509 Certificates (PKI)  Both technologies have weak and strong points  Distributed versus centralized management  Forwardable authentication  Offline authentication  Technology is different  Asymmetric encryption with public/private key pairs versus symmetric encryption and shared secrets

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May At CERN, both technologies  Kerberos is used in the Windows Domain and AFS  PKI is used in all Grid related projects, with multiple certification authorities  Both technologies are there to stay  Multiple scenarios exist to integrate and interoperate the two technologies

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Usage of Client Certificates  Client authentication against a “service” (Example: a web server)  Proves your identity  Digitally Sign documents and  Proves you wrote that document  Encrypts information  Nobody else than your selected recipient can read the information

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Example: signing and encrypting  In Outlook:

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Example: Web authentication using certificates (1)  Certificate can be installed in any browser, on any platform.  The web service offer the possibility to end-users to map the “subject” of their Certificate to their kerberos account (login name)  pace = “CN=Alberto Pace 8717;OU=GRID;O=CERN;C=CH”  pace = Fre Member”  Authentication done automatically  The web browsers sends the client certificate to the web server  The web server verifies the digital signature and the validity of the certificate  The web server challenges the “client” system for the knowledge of the private key corresponding to the public key found in the certificate  If ok, the “subject” found in the certificate is authenticated. The Web server then can impersonate the kerberos account found in the PKI/Kerberos mapping table and proceeds with the user’s credentials

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Example: Web authentication using certificates (2)  Popup for selection if several certificates installed  multiple identity and roles are supported  If no client certificate:  Optionally, downgrade smoothly to form-based authentication  User enters kerberos username/password  Useful if using a public computer, but can be a security issue.  Or force client certificate installation  Requires the service provider to have an established Certification Authority  More secure but accessibility issue.

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Web Authentication example Opening a website The browser prompts to choose among the client certificates matching server requirement Certificate authentication complete. Cancelled or no certificate installed

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Technology not platform specific

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Phase 1 at CERN (planned)  Setup a CERN certification authority to create and sign X.509 certificates which will be pre-mapped to kerberos accounts  Initial test limited to the CERN active directory  Publish a web interface to allow users to request, download and install Client certificates on their computer OR to map their existing (Grid / Thawte / CaCert / Other) certificate to their Kerberos account  We have also accounts for every Listbox member (non cern users) and we will have the possibility to map certificates to external users.  Note: mapping is possible only for certificates signed by certification authorities trusted by CERN  Implement Certificate-based authentication on CERN central web servers

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Phase 2 at CERN (optional)  For “managed” computers, the request, distribution and installation of Client certificates can be completely automated  For PCs member of the CERN Windows domain, the CERN certificate can be pushed to the client as a domain policy  Its renewal can be handled automatically (allowing short validity periods)  Users do not need to understand, be aware, be informed. 100 % transparent.  Similar automation levels are been investigated for Linux and Mac OS systems

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Architectural Comment  At the end of phase 1 we will have an interoperable Kerberos / PKI service in a master-slave situation  Kerberos is the master, PKI is the slave  The Kerberos password is used to establish mapping between the Kerberos account and the PKI certificate  When possible, the Kerberos authentication triggers the client certificate installation  This can be changed

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Future possibilities  If security needs to be strengthened  Store certificates elsewhere outside the computer (smart card) to better protect access to the private key during session authentication.  Smartcard protected by pin code  Consequence: No more passwords typed in  Passwords do not need to be known by users.  Passwords can be set to random string and can be reset very often, automatically.  Consequences if Kerberos passwords not known by users  User must use certificate authentication as form based authentication is no longer possible.  less security problems but accessibility issue especially if using smartcards (public computers).

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Architectural Comment  With smartcards or with passwords unknown to the users, we will still have an interoperable Kerberos / PKI service in a master-slave situation  PKI is the master, Kerberos is the slave  We distribute to users Certificates (smartcards) which are pre-mapped to Kerberos accounts  This is an important change, lot of discussions needed, lot of consequences foreseen

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Current Status  Few CERN web sites already support Client certificate authentication  Pilot tests  This gives Single sign on across all these Websites and the underlying kerberos services  Forms authentication failover if no certificate available.  CERN Root CA being implemented  Automatic mapping to Active Directory accounts being investigated.  Desktop authentication  Smartcard and variants being investigated.

E.Ormancey, A.Pace, HEPIX Meeting, Karlsrhue, 9-11 May Conclusion  Goals  Provide a common authentication interface for all CERN services, platform independent.  Quickly establish Single Sign On for all services willing to participate:  All CERN central web sites, Windows and Unix: could be done quickly.  For desktop authentications (Windows, Linux, Mac) also possible.  Automatic mapping of certificates to AFS accounts needs more investigation  Necessary if we want to reach a transparent service for all users on all platforms  Smartcards for desktop authentication  Keeping Forms based authentication for Public Computers access might be a security issue  Smart card deployment has a cost. CERN has a large number of external users … this idea will still require several years of thoughts.