Credential Repositories in an Interprise Environment Bob Cowles Stanford Linear Accelerator Center 27 January 2003 Work supported by U. S. Department of.


Credential Repositories in an Interprise Environment Bob Cowles Stanford Linear Accelerator Center 27 January 2003 Work supported by U. S. Department of Energy contract DE-AC03-76SF00515

[Figure: time-zone chart comparing local times (8AM to 8PM) across Australia, Japan, Korea, China and India]

Grid Computing Model

Grid Vision
- Location-independent access to computing resources, similar to access to the electrical grid
- User authenticates using a PKI-based application
- Requests a job to be run
- Scheduler determines where the job runs
- Data and computational resources are brought together
- Results are stored or returned

Grid Security Infrastructure Based on X.509 certificates International efforts coordinated by several security working groups in the Global Grid Forum (

Statement of the Problem
- Provide trusted authentication and authorization checking across security and trust domains
- Risk model is difficult to determine
  - What are the threats and vulnerabilities?
- Protect but do not interfere (too much)
  - Balanced to reduce over/underprotection
  - On the edge of chaos …

“Logging on” to the Grid
Authenticate:
  % grid-proxy-init
  Enter PEM pass phrase: ******
Creates a temporary, short-lived proxy credential

Proxy Credentials
- Proxy credentials are short-lived credentials created by the user
  - Short-term binding of the user’s identity to an alternate private (and public) key
  - Stored unencrypted for easy repeated access
  - Short lifetime in case of theft
  - Enables the user to authenticate once, then perform multiple actions without reauthenticating

Proxy Delegation
- Delegation = remote creation of a (second-level) proxy credential
  - New key pair generated remotely on the server
  - Proxy cert and public key sent to the client via SSL
  - Client signs the proxy cert and returns it
  - Note: no private key movement across the network
- Allows a remote process to authenticate on behalf of the user
  - Remote process “impersonates” the user
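The delegation exchange on this slide, as an added Go example that is not from the presentation or from the Globus code: the server generates the proxy key pair and hands over only the public half, the client wraps it in a short-lived proxy certificate signed with the user's key, and a resource checks lifetime and signature. Assumptions: a constructed self-signed user certificate stands in for a CA-issued one, the client builds the proxy template itself, and the RFC 3820 proxy-cert extension is omitted because Go's standard library has no proxy-certificate chain support, so only signing and signature checking are shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// tmpl builds a certificate template for cn valid for ttl (serial taken from the clock: demo only).
func tmpl(cn string, ttl time.Duration) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
}
// userCredential is a constructed self-signed certificate standing in for the user's CA-issued one (fixture; errors ignored).
func userCredential() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := tmpl("alice", 365*24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// serverNewProxyKey: the server generates the proxy key pair; only the public half is returned for the client.
func serverNewProxyKey() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return key, &key.PublicKey, nil
}
// clientSignProxy: the client wraps the server's public key in a short-lived proxy certificate and signs it
// with the user's private key, which never leaves the client.
func clientSignProxy(userCert *x509.Certificate, userKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, ttl time.Duration) ([]byte, error) {
	return x509.CreateCertificate(rand.Reader, tmpl(userCert.Subject.CommonName+" proxy", ttl), userCert, pub, userKey)
}
// verifyProxy: a resource accepts the proxy only inside its lifetime and if its signature verifies under the user's public key.
func verifyProxy(userCert *x509.Certificate, proxyDER []byte, now time.Time) error {
	proxy, err := x509.ParseCertificate(proxyDER)
	if err != nil {
		return err
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) {
		return errors.New("proxy certificate outside its validity window")
	}
	return userCert.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature)
}
```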

Private Key Problems
- Private keys and users don’t mix
  - No guarantee of a good (or any) password choice
  - No guarantee of a secure private key location; e.g., users store keys in network-based file systems
  - No guarantee of how the private key was handled; e.g., users copy keys to remote machines and leave them there
- User-managed keys cannot be trusted

Solitary Private Keys
- Never give a user their private key
  - Can’t mishandle something you don’t have
- Provide a stronger security guarantee
  - Signed cert as secure as the institution’s accounts
  - Must provide agent-based key handling; e.g., smart cards

SACRED (IETF RFC 3157)
SACRED is concerned with the secure use of credentials in a roaming or mobile environment: desktop or laptop, mobile phone, PDA, etc. (thanks to Yuri Demchenko)

IETF Information
Internet-Drafts:
  - Securely Available Credentials - Credential Server Framework (02.txt)
  - Securely Available Credentials Protocol (00.txt)
  - PKI Enrollment Information (00.txt)
Request For Comments:
  - Securely Available Credentials - Requirements (RFC 3157)

SACRED Motivation
- Support user mobility by allowing a roaming user to retrieve and use credentials
- Allow the same credentials to be used for/from different user network appliances
- Secure user credentials by storing them on a Credential Server

SACRED Principles I
- Credentials MUST NOT be sent in the clear during network transmission and SHOULD NOT be in the clear when stored on an end-user device
- Secured credentials are defined for SACRED: an opaque (and partially privacy- and integrity-protected) data object that can be used by a network device

SACRED Principles II
- Clients should be able to recover their credentials from the opaque object
- Credential formats SHOULD provide privacy and integrity protection
- Credentials MUST be protected with a second layer of encryption prior to network transmission (using client/server negotiated keys)

SACRED Framework
- The framework MUST support both "credential server" and "direct" solutions.
- The "credential server" and "direct" solutions SHOULD use the same technology as far as possible.
- The framework MUST allow for protocols which support different user authentication schemes.
- The details of the actual credential type or format MUST be opaque to the protocol, though not to processing within the protocol's peers.
- The protocol MUST NOT depend on the internal structure of any credential type or format.

SACRED and Grid
- General issues:
  - Traditional systems are client/server centric
  - Grid computing is data centric
- Traditional systems:
  - Protect the system from users
  - Protect the data of a single user
- In Grid systems:
  - Protect applications and data from the execution system
  - Stronger/mutual authentication needed to ensure resources and data are not provided by an attacker
  - Different admin domains / security policies

Kerberos (IETF RFC 1510)
National Science Foundation project to support KX.509 / KCA extensions for Grid applications
R1/1/KX509KCA/

KCA
- Acts (nearly) as a root Certificate Authority
- Signs a certificate for the user based on a Kerberos authentication ticket
- All resource providers must agree to accept KCA-signed certificates

KX.509
- Client side of the protocol
- Generates a key pair and sends a certificate containing the public key to the KCA for signing
- Resulting credentials can be used like a GSI proxy certificate

KX.509/KCA Drawbacks
- Site-specific installation (based on the KDC)
- Lacks scaling
  - Requires multi-site trust (potentially)
  - Grid projects (virtual organizations) have to perform site-by-site negotiation of trust

Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center Work supported by U. S. Department of Energy contract DE-AC03-76SF00515

Virtual Smart Card (vsc)
Premise: physical smart cards (psc) in software
  - vsc’s have a 1-to-1 concept correspondence to psc’s

Concept            Physical            Virtual
Procurement        Purchase/download   Request/generate
Possession         Physical            Authentication
Operations         Indirect (both)
Tamper protection  Self-destruct       Restricted access
Theft protection   Settable PIN        Settable password

VSC Conceptualization
- A vsc is implemented using a secure, access-restricted server
  - One server holds many users’ private keys; hence, one server instantiates many vsc’s
  - Can be well secured
    - Restricted physical access: cages, keyed room, etc.
    - Restricted logical access: only three access protocols needed (dns, ntp, and vsc)
- Keys can be encrypted via user-supplied passwords

VSC Procurement
1. Ask for a cert
2. Generate keys and send cert request to the CA
3. CA returns the cert URL
4. Download the CA-signed public cert*
User never sees the private key!
*When available on 1st request or automatic poll.

VSC Operation (vsc-proxy)
Externally authenticated (e.g., Kerberos)
1. Get public cert
2. Generate proxy public/private key
3. Sign proxy cert
Private key never sees the network!

VSC Theft Protection
Externally authenticated (e.g., Kerberos)
1. Generate key-string from a strong user password
2. Send encrypted key-string
3. Encrypt user’s x509 private key and discard key-string
User must now supply the key-string for the vsc to use the private key

VSC Advantages I
- Simple and effective
  - Models a well-known physical object: the smart card
  - Initial certificate request is trivial
- Private keys never exposed
  - Can be further encrypted by the user
- Can get a proxy cert anywhere in the world
  - No need to copy public/private keys

VSC Advantages II
- Can provide special always-on services
  - Perhaps proxy cert revalidation
- Can provide a stronger security guarantee
  - Signed cert as secure as the institution’s accounts

VSC Disadvantages
- Private keys are concentrated
  - Can be user-encrypted
  - Similar problem in Kerberos
- May violate current CA CP/CPS
  - Political vs. practical reality
- No more secure than the external authentication
  - Need good authentication (e.g., K5)

Conclusion
- Virtual Smart Cards are effective
  - Simple, relatively transparent, secure
- Provides a path to more stringent security
  - Physical smart cards
- Simplify users’ lives
  - Ease of use reduces security lapses