The Traust Authorization Service. A. Lee, M. Winslett, J. Basney, and V. Welch, University of Illinois at Urbana-Champaign, www.iti.uiuc.edu

Presentation transcript:

The Traust Authorization Service
A. Lee, M. Winslett, J. Basney, and V. Welch
University of Illinois at Urbana-Champaign

Goal: A scalable means of access control for resources shared across organizational boundaries, supporting:
- bilateral trust establishment,
- run-time access control policy discovery,
- client and resource privacy, and
- legacy and trust-aware resources.

Approach: Design a service that uses automated trust negotiation to map sets of attestations issued by well-known external entities into locally-meaningful access credentials.

Design: Traust utilizes the TrustBuilder framework for automated trust negotiation to conduct trust negotiation sessions within the TLS protocol.

Usage Scenario (Alice and the Traust Service, inside a TLS tunnel):
(1) TN to protect sensitive resource request
(2) Resource request
(3) TN to determine client authorization
(4) Credential(s) needed to access resource

The iterative nature of automated trust negotiation allows resource access policies to be discovered incrementally, disclosing more of the relevant policies as the trust between the client and Traust service grows. The bilateral nature of automated trust negotiation allows Alice to protect her sensitive credentials with access policies that the Traust service must satisfy prior to their disclosure.

After Alice discloses enough credentials to satisfy the resource access policy, the Traust server issues her one or more credentials that she can use to access the requested resource. These credentials could be (but are not limited to) username/password pairs, X.509 certificates, SAML assertions, or Kerberos tickets.

Clients can enable local classifiers and heuristics to identify potentially sensitive resource requests. Content-triggered trust negotiation for sensitive resource requests can prevent inadvertent disclosure of those requests to imposters posing as the Traust Server.

Client Features:
- User-defined sensitivity levels
- Open API for request classification subsystem
- Credential caching

Server Features:
- No limits on size of protection domain (e.g., single host or large enterprise)
- Can provide both static and dynamically acquired credentials

Legacy Scenario: Loose binding of Traust and web site (Alice, web site, Traust Service)
(1) User visits web site
(2) Site provides an access hint to the user; user then invokes her Traust client application
(3) Traust used to obtain one-time use password
(4) Log in

Trust-Aware Scenario: Tight binding of Traust and GridFTP using embedded access hints (Alice, GridFTP Client Application, bigstorage.com domain with gridftp.bigstorage.com and traust.bigstorage.com)
(1) Log in request
  (1a) Query for Traust server info
  (1b) Traust server info
  (1c) Use Traust to obtain login credentials
  (1d) Log in
(2) cd earthquake
  (2a) cd earthquake
  (2b) failure with embedded access hint
  (2c) Use Traust to pursue access hint; new access credential issued
  (2d) re-authenticate
  (2e) cd earthquake

Scenario Notes:
- Client application interfaces with local Traust client process
- Access hints embedded at the application protocol level
- In GridFTP, access hints and re-authentication can be used to enforce least privilege by changing Alice's protection level as she traverses the file system

Future Directions:
- Remotely accessible Traust user agents
- Secure client-side credential caching policies
- Multi-party negotiations
- Negotiation-level credential location hints
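Added illustration (not Traust or TrustBuilder code) of the bilateral, iterative negotiation in the usage scenario: each side's credentials carry release policies naming what the other side must show first, and on success a locally meaningful one-time-use credential is minted, as in the web-site scenario. The Party/negotiate/request_access helpers, the credential names and the resource policy are all constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Party:
    name: str
    # credential -> set of the counterpart's credentials that must already
    # have been disclosed before this one may be released (its release policy)
    policies: dict
    disclosed: set = field(default_factory=set)

    def releasable(self, seen_from_other):
        """Credentials whose release policy is satisfied but not yet shown."""
        return {c for c, need in self.policies.items()
                if c not in self.disclosed and need <= seen_from_other}

def negotiate(client, server, resource_policy, max_rounds=8):
    """Each round both sides release what their policies now allow; success
    once the client has shown resource_policy, failure if nobody can move."""
    transcript = []
    for _ in range(max_rounds):
        if resource_policy <= client.disclosed:
            return True, transcript
        moved = False
        for mover, other in ((client, server), (server, client)):
            new = mover.releasable(other.disclosed)
            if new:
                mover.disclosed |= new
                transcript.append((mover.name, sorted(new)))
                moved = True
        if not moved:          # stalemate: the two policy sets block each other
            return False, transcript
    return False, transcript

def request_access(client, server, resource, resource_policy):
    """On success mint a locally meaningful credential: here a one-time-use
    password scoped to the resource (constructed stand-in for Traust's)."""
    ok, log = negotiate(client, server, resource_policy)
    if not ok:
        return None, log
    return {"user": client.name, "scope": resource,
            "otp": secrets.token_urlsafe(16)}, log

# Constructed sample: Alice releases her grant credential only after the
# server has proven it is bigstorage.com; the server's certificate is public.
def sample_parties():
    alice = Party("alice", {"uiuc:employee": set(),
                            "nsf:grant-pi": {"bigstorage:x509"}})
    traust = Party("traust.bigstorage.com", {"bigstorage:x509": set()})
    return alice, traust
EARTHQUAKE_POLICY = {"uiuc:employee", "nsf:grant-pi"}   # creds needed for /earthquake
```

The transcript shows the incremental disclosure: Alice's employee credential, then the server's certificate, and only then the credential she guards.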