Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security.

Slides:

Advertisements

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

AUTHENTICATION AND KEY DISTRIBUTION

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Chapter 14 – Authentication Applications

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Akshat Sharma Samarth Shah

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

A responsibility based model EDG CA Managers Meeting June 13, 2003.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.

Lecture 23 Internet Authentication Applications

Grid Security. Typical Grid Scenario Users Resources.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Chapter 11: Active Directory Certificate Services

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.

Lecture 5.3: Key Distribution: Public Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.

WP4 Security and AA(A) issues For WP4: David Groep

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Configuring Directory Certificate Services Lesson 13.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Netprog: Kerberos1 KERBEROS. Contents: Introduction History Components Authentication Process Strengths Weaknesses and Solutions Applications References.

Chapter 21 Distributed System Security Copyright © 2008.

Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.

Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.

Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

1 caGrid Security Overview Mark Grand Senior Engineer caGrid Knowledge Center February 7, 2011.

Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.

Fermilab Computer Security & Strong Authentication Project Mark Kaletka Computing Division Operating Systems Support Department.

Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.

Security, Accounting, and Assurance Mahdi N. Bojnordi 2004

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client.

Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.

Computer and Network Security - Message Digests, Kerberos, PKI –

1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.

Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore

Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.

What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Kerberos is a three-headed dog Available as open source or in supported.

Fermilab supports several authentication mechanisms for user and computer authentication. This talk will cover our authentication systems, design considerations,

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.

Message Digest Cryptographic checksum One-way function Relevance

Kerberos Part of project Athena (MIT).

Credential Management in HTCondor

Presentation transcript:

Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security

Matt Crawford, Fermilab1 What this talk is… A variety of use cases for secure access by far-flung collaborations. An exploration of the security problems distributed systems must address. Examples of Kerberos-based solutions to those problems.

Matt Crawford, Fermilab2 What this talk is not… Advocacy of one security mechanism over another. The final word on any of the topics that follow.

Matt Crawford, Fermilab3 Quick Contrast of Kerberos and PK authentication KerberosPKI Principal holds secret keyEnd Entity holds private key KDC issues tickets asserting secret key possession CA issues certificates asserting public key binding KDC knows all parties’ keysCAs’ public keys known to all parties TGTs reduce use of long- term client secret Proxy certificates reduce use of long-term client secret KDC must be on-line to clientFresh CRLs or OCSP must be on-line to client & server

Matt Crawford, Fermilab4 Problems to be Solved Web authentication Limited rights Unattended processes Shared agent authentication Long-queued and long-running jobs

Matt Crawford, Fermilab5 Web Authentication Client host mounts /afs. User visits file:///afs/fnal.gov/files/expwww/… Browser knows nothing. Yes, it is a cheap trick.

Matt Crawford, Fermilab6 Limited Rights Limited implementation of limited rights –Kernel support is typically poor-to-none –Storage systems are more flexible gets AFS the access of Kerberos tickets (& X.509 certificates) have room to invent something more.

Matt Crawford, Fermilab7 Unattended Processes Unattended user processes (started by cron, for example) may need authenticated access. Using the user’s own identity masks the dependency on host’s integrity. –User does not have control of a stored secret key. –Keeping the user’s own long-term key on-line is therefore not an option! How to manage this risk? –Make it explicit!

Matt Crawford, Fermilab8 Expose the Risk Our solution: is authorized to create & destroy principals named –Keys are stored in private disk of host. –Initially these principals have no authorization, or have only AFS rights. –Can be added to ACL where needed.

Matt Crawford, Fermilab9 Shared Agents Batch system or analysis farm initiates processes on behalf of many users. User processes may execute in many places. Users do not control (or know?) the security of their execution environment. User’s credentials could be compromised by an outsider or by another insider. Would like to be able to revoke and repair credentials put at risk.

Matt Crawford, Fermilab10 Compute Farms Jobs on Fermilab farm f authenticate to services, claiming to act for user u, with principal Job submission is Kerberos-authenticated. Batch system obtains credentials for job. Farm principals are created by helpdesk, keys installed by support staff.  Does not scale !

Matt Crawford, Fermilab11 Kerberized CAF System The CAF model is replicated ~25 times around the world. For each instance, security staff creates a special “headnode principal” which has the rights to create and destroy “CAF user principals.” As usual, CAF user principals have no rights except what users grant them.

Matt Crawford, Fermilab12 Summary Kerberos is already widely used in HEP. It has been easy to build naming-based schemes to distinguish users and agents. –This allows management of risk in an environment of insecure systems, and a crude form of limited-rights authorization. –No protocol changes; some work on ACLs on the Kerberos administrative server.