Presentation transcript:

An OAuth Service for Issuing Certificates to Science Gateways for TeraGrid Users
Jim Basney and Jeff Gaynor
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
This material is based upon work supported by the National Science Foundation under grant number

Goals
- Support use of individual TeraGrid accounts via gateways
  - Independent of support for gateway community accounts
  - For more accurate accounting, greater resource access
- Avoid disclosing TeraGrid user passwords to gateways
  - Avoid risk to long-lived credentials (i.e., user passwords)
  - Use TeraGrid passwords only on systems operated by TeraGrid
- Use standard security protocols: TLS, OAuth
  - More trustworthy
  - Ease of integration for gateway developers

[Diagram: Current Approach vs. New Approach]

Benefits
- Security WG concerns about password disclosure to external science gateway sites are addressed
- Science Gateways can support individual TeraGrid account access via standard protocols
- Resource Providers can support user access via gateways using existing certificate-based interfaces
- Users can access their individual TeraGrid accounts via gateways using their TeraGrid Portal login

OAuth Example (sequence diagram)
Parties: Web User (Resource Owner), Photo Printing Service (Client), Photo Sharing Service (Server)
- Client -> Server: Request Access to Photos
- Server -> Client: Token
- User -> Server: Authenticate & Grant Access to Photos
- Server -> Client: Token
- Server -> Client: Photos

[Diagram: Current Approach vs. New Approach]

Protocol
- RFC 5849 – OAuth 1.0a
  - OAuth client: science gateway
  - OAuth server: TeraGrid User Portal
  - OAuth resource owner: TeraGrid user
- All connections use HTTPS for integrity + confidentiality
- OAuth client messages signed using RSA-SHA1
- PKCS#10 certificate request -> PEM encoded certificate
- Private key never sent over the network
- Future work: OAuth 2.0 (under IETF development)

Current Status
- Code complete
  - Java API: requestCertificate() and getCertificate() functions
- Acceptance testing with Globus Online in progress
- Next Step: Production User Portal deployment
- Code, Documentation, Specifications, etc. at:

Design Decisions
- OAuth server independent from Liferay
- Store all server-side state in a replicated database
  - Leverage existing User Portal load balancing, fail-over, and replication mechanisms
- No changes to TG MyProxy servers
- Initially support only password-based authentication
  - Federated authentication (InCommon/Shibboleth) a possible future enhancement
- No initial support for certificate renewal
  - Certificates valid for up to 11 days
- Explicit user approval for every certificate issuance
- Initial support for web browser use cases only
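The Protocol slide says the gateway sends a PKCS#10 certificate request and gets back a PEM-encoded certificate while its private key never leaves the gateway, and the Design Decisions slide caps certificate validity at 11 days. The following is an added example of that exchange; it is not code from the paper or the TeraGrid service (whose API is Java), and it uses Go's standard library. The in-process "Example Online CA", the authenticated user name "tguser", DER encoding for the CSR and the client-auth key usage are assumptions made for the example; in the paper's design the certificate is obtained from the existing TG MyProxy servers, which this CA only stands in for.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const maxCertLifetime = 11 * 24 * time.Hour // design decision: certificates valid for up to 11 days

// newCSR is the gateway side: a fresh key pair for this user session, with only the public
// half wrapped in a DER-encoded PKCS#10 request. The private key never leaves the gateway.
func newCSR() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "name-requested-by-gateway"}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, csrDER, err
}

// issueCertificate is the server side (a stand-in for the online CA behind the portal).
// It verifies proof of possession, names the subject after the authenticated user rather
// than whatever the CSR asked for, caps validity at 11 days and returns a PEM certificate.
func issueCertificate(ca *x509.Certificate, caKey *rsa.PrivateKey, user string, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the requester really holds the private key
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	now := time.Now().Truncate(time.Second) // X.509 validity times carry whole seconds
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // constructed; a real CA uses a unique serial source
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now, NotAfter: now.Add(maxCertLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// newTestCA makes a throwaway self-signed CA, constructed for this example only.
func newTestCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Online CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// demoIssue runs both sides end to end for the constructed authenticated user "tguser".
func demoIssue() (subject string, lifetime time.Duration, keyMatches, chainOK bool, err error) {
	ca, caKey, err := newTestCA()
	if err != nil {
		return "", 0, false, false, err
	}
	gwKey, csrDER, err := newCSR()
	if err != nil {
		return "", 0, false, false, err
	}
	certPEM, err := issueCertificate(ca, caKey, "tguser", csrDER)
	if err != nil {
		return "", 0, false, false, err
	}
	block, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", 0, false, false, err
	}
	keyMatches = cert.PublicKey.(*rsa.PublicKey).N.Cmp(gwKey.N) == 0 // certificate binds the gateway's key
	chainOK = cert.CheckSignatureFrom(ca) == nil
	return cert.Subject.CommonName, cert.NotAfter.Sub(cert.NotBefore), keyMatches, chainOK, nil
}

func main() { fmt.Println(demoIssue()) }
```

Two checks in issueCertificate carry the security weight: csr.CheckSignature() proves the requester holds the private key matching the public key it submitted, and the subject is taken from the authenticated portal session, not from the CSR, so a gateway cannot request a certificate for a name other than the user who approved the issuance.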

Security Considerations
- Our paper addresses each security consideration identified in RFC 5849 (15 items)
- Summary:
  - HTTPS provides message integrity+confidentiality and server authentication, avoids HTTP proxy caching
  - RSA-SHA1 signature method:
    - If gateway private key is compromised, revocation is a server-side database operation
    - Only public key need be stored on server-side
    - Address SHA-1 weakness in move to OAuth 2.0
  - Requiring user authentication+approval for every certificate issuance addresses “clickjacking” and similar threats
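The Protocol slide states that gateway messages are signed with RSA-SHA1, and the Security Considerations slide draws the consequence: the server stores only each gateway's public key, so revoking a compromised gateway key is a database update. The following is an added example of both points in Go's standard library; it is not code from the paper or the TeraGrid service. It implements the RFC 5849 signature base string (section 3.4.1) and the RSA-SHA1 method (section 3.4.3) for one request; the URLs (portal.example.org, gateway.example.org), the consumer key "gateway-1", the nonce and timestamp values, and the in-memory map standing in for the replicated server-side database are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// percentEncode implements RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' pass through.
func percentEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; c == '-' || c == '.' || c == '_' || c == '~' ||
			'0' <= c && c <= '9' || 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// signatureBaseString builds the RFC 5849 section 3.4.1 string:
// METHOD & percent(base URL) & percent(normalized parameters).
func signatureBaseString(method, baseURL string, params map[string]string) string {
	var pairs [][2]string
	for k, v := range params {
		if k != "oauth_signature" { // the signature itself is never part of the base string
			pairs = append(pairs, [2]string{percentEncode(k), percentEncode(v)})
		}
	}
	sort.Slice(pairs, func(i, j int) bool { // by encoded name, then by encoded value
		return pairs[i][0] < pairs[j][0] || pairs[i][0] == pairs[j][0] && pairs[i][1] < pairs[j][1]
	})
	parts := make([]string, len(pairs))
	for i, p := range pairs {
		parts[i] = p[0] + "=" + p[1]
	}
	return strings.ToUpper(method) + "&" + percentEncode(baseURL) + "&" + percentEncode(strings.Join(parts, "&"))
}

// signRSASHA1 is the gateway (OAuth client) side: RSASSA-PKCS1-v1_5 over SHA-1 of the base string.
func signRSASHA1(priv *rsa.PrivateKey, baseString string) (string, error) {
	digest := sha1.Sum([]byte(baseString))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyRequest is the OAuth server side. The registry holds only public keys, so revoking a
// compromised gateway key is a registry (database) update with nothing secret to rotate.
func verifyRequest(registry map[string]*rsa.PublicKey, method, baseURL string, params map[string]string) error {
	pub, ok := registry[params["oauth_consumer_key"]]
	if !ok {
		return errors.New("unknown or revoked oauth_consumer_key")
	}
	sig, err := base64.StdEncoding.DecodeString(params["oauth_signature"])
	digest := sha1.Sum([]byte(signatureBaseString(method, baseURL, params)))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return errors.New("RSA-SHA1 signature does not verify")
	}
	return nil
}

// demoRoundTrip: a correctly signed request, the same request altered after signing, then after revocation.
func demoRoundTrip() (valid, tampered, afterRevoke error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	registry := map[string]*rsa.PublicKey{"gateway-1": &priv.PublicKey} // server-side table, public key only
	method, baseURL := "POST", "https://portal.example.org/oauth/initiate" // constructed URL
	params := map[string]string{"oauth_consumer_key": "gateway-1", "oauth_signature_method": "RSA-SHA1",
		"oauth_timestamp": "1300000000", "oauth_nonce": "7d8f3e4a", "oauth_version": "1.0",
		"oauth_callback": "https://gateway.example.org/oauth/ready"}
	if params["oauth_signature"], err = signRSASHA1(priv, signatureBaseString(method, baseURL, params)); err != nil {
		return err, err, err
	}
	valid = verifyRequest(registry, method, baseURL, params)
	params["oauth_callback"] = "https://elsewhere.example.org/" // altered after signing
	tampered = verifyRequest(registry, method, baseURL, params)
	params["oauth_callback"] = "https://gateway.example.org/oauth/ready"
	delete(registry, "gateway-1") // revocation: one server-side database operation
	afterRevoke = verifyRequest(registry, method, baseURL, params)
	return valid, tampered, afterRevoke
}

func main() { fmt.Println(demoRoundTrip()) }
```

The base string binds the HTTP method, the URL and every parameter (including the callback) to the signature, which is why the altered request fails. A production server would additionally reject reused nonce/timestamp pairs, which the slide's 15-item RFC 5849 review covers but this example does not implement.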

Related Work
- OAuth use by Gateways
  - Open Protein Simulator (OOPS)
  - Open Life Science Gateway (OLSG)
  - Open Grid Computing Environments (OGCE)
  - Also future work for PolarGrid, QuakeSim, TG Viz Gateway
- OAuth for certificate access
  - Confusa (confusa.org) used by TERENA Certificate Service with European SAML federations
  - CILogon (cilogon.org) with US InCommon SAML federation

Possible Future Work
- OAuth 2.0 update
- General-purpose MyProxy OAuth package w/o TeraGrid dependencies
- Integrate existing TeraGrid federated authentication (InCommon/Shibboleth) with OAuth Sign In page
- Certificate renewal using OAuth refresh tokens
- Support for non-browser use cases (e.g., REST services)

Conclusion
- A new standards-based service to issue certificates to science gateways for TeraGrid users
- Available now for testing
- Eliminates need for TeraGrid users to disclose TeraGrid passwords to science gateways when accessing individual accounts
  - Independent of support for gateway community accounts
- Questions? Comments? Thanks!