NCSA CyberSecurity Research and Development
National Center for Supercomputing Applications NCSA Security Research and Development Part of National Center for Supercomputing Applications at the University of Illinois Ten person team of researchers and developers Funding from NSF and ONR Lead for the National Center for Advanced Secure Systems Research – Part of University of Illinois Information Trust Institute –
National Center for Supercomputing Applications NCSA Security R&D Projects Overview Technology R&D SELS - Secure Lists Mithril - Adaptive Security for Collaborative Computing FLAIM - Log Anonymization MyProxy - Credential Management SSH Key Management GridShib - Identity Federtation for Grids TCIP - Trusted CyberInfrastructure for the Power Grid Applied Security ITTF - Illinois Terrorism Task Force Credentialing Project Security for CyberEnvironments –MAEVis, Astronomy
National Center for Supercomputing Applications SELS: A Secure List Service Provides message-level security for s exchanged on mailing lists –Confidentiality, Integrity, and Authentication Minimally trusted List Server –Novel feature: List Server does not get access to plaintext –Proxy encryption techniques enable transformation of ciphertext Development with COTS and open-source components –Integrated with GnuPG on subscriber side; no need for software installation –Integrated with Mailman on server side with easy installation and setup Use Case Scenarios: Lists of –System administrators exchanging s for infrastructure protection and incident response –Healthcare researchers exchanging s on sensitive data URL: contact:
National Center for Supercomputing Applications IB-MKD: Identity Based Message Key Distribution for Secure Provides encryption for s –Novel feature: No long term public keys for end users –Knowledge of address sufficient for encryption Domain Based Administration –Trusted Key Distribution Center (KDC) distributes message keys to domain users Leverages DNS for key distribution –KDC public keys distributed via DNS using Yahoo’s domainkey technology S/MIME based implementation –Minor modifications to S/MIME using Java/Bouncycastle library URL: Contact: {hkhurana,
National Center for Supercomputing Applications MITHRIL Collaboration between NCSA, PNNL, NRL CCS Development of mechanisms for adaptable security for open, collaborative computing systems Maximize usability while allowing rapid, automated response to security incidents Four sub-components: –Credentials Management, SELS See slides elsewhere –Continuous Mouse Biometrics –Intrusion Detection and Response system Contact: Von Welch
National Center for Supercomputing Applications Mithril: Computer Mouse Biometrics Project lead by PNNL Detects unauthorized users at console by building profile of authorized user’s biometric mouse movement patterns Can analyze and detect changes in pattern in near-real time Contact: Doug Schultz
National Center for Supercomputing Applications Mithril: Intrusion Detection and Response System Detect, correlate and respond to incidents Differentiate between isolated incidents and sustained attacks Built from open-source components: –Prelude, SEC, cfEngine TattleTale: NCSA- developed process monitoring system to detect illicit privileged access
National Center for Supercomputing Applications Network/System/Audit Log Anonymization NCSA produces ~5 GBytes of logs per day. Real-world logs are useful for investigations, education, testing of tools, and network/security research. However, real-world logs often contain sensitive information. –Privacy issues exist for both the individual users and the organization. –Network topology could be useful to attackers. –Services running on machines and trust relationships between systems could be useful to attackers.
National Center for Supercomputing Applications FLAIM – Framework for Log Anonymization and Information Management Solution – Anonymization to meet the needs of both parties –Data owner is concerned with privacy/security –Analyst is concerned with information loss –FLAIM has a rich policy language expressive enough to often define policies that meet needs of both E.g., one can obscure IP addresses, but preserve the subnet structure for networking researchers FLAIM is very flexible –Modular, allowing I/O modules for multiple logs to be built –Plethora of anonymization primitives to apply to many fields
National Center for Supercomputing Applications FLAIM – Into the future Analyze trade-offs between information loss and privacy –Create a metric of log utility and analyze effect of anonymization on metric. –Create a metric of the strength of an anonymization scheme. We can move beyond computer/network logs –Reuse the anonymization engine and policy engine, a.ka. FLAIM-Core. –Module API is flexible enough to support any data in a record/field format.
National Center for Supercomputing Applications Credential Management Users are poor at managing electronic credentials such as digital keys Hardware tokens are one solution –But not always available –E.g. different system platforms in science communities Credential Management allows for these credentials to be managed for the user –By profession IT staff in secure machine rooms –Provide control and monitoring over credential use
National Center for Supercomputing Applications Open Source software for managing PKI credentials –Online CA issues short-lived certificates –Online credential repository securely stores PKI credentials –Supports many authentication methods: passphrase, certificate, PAM, SASL, Kerberos, OTP –Integrates with job managers for automated credential renewal –Distributed in Globus Toolkit, VDT, NMI, CoG Kits, TG CTSS, and Univa Globus Enterprise MyProxy on TeraGrid –MyProxy CA provides certificates to users via User Portal Login –User Portal and Ticket System use MyProxy authentication –MyProxy integrates with Science Gateway web portals For more information – –Contact: MyProxy Used by TeraGrid LCG FusionGrid PRAGMA EGEE ESG LNCC CCG OSG and others…
National Center for Supercomputing Applications Secure Shell Key Management Secure Shell (SSH) is common way to access high-end resources at NCSA User managed RSA keys a common, easy authentication mechanism But these keys get easily stolen, shared Solution: Manage RSA keys centrally, allow user access through standard SSH Remote Agent protocol and tools Contact:
National Center for Supercomputing Applications SSH Key Management SSH Key Server Maintains private RSA keys Client Authenticates via site mechanisms e.g. Kerberos, OTP Client accesses private RSA key via ssh-agent Public Key Distribution RSA-authenticated access Compute Resource
National Center for Supercomputing Applications GSI-OpenSSH Modified version of OpenSSH supporting X.509 authentication and proxy delegation –Provides a single sign-on remote login and file transfer service –Included in Globus Toolkit, VDT, NMI, TG CTSS Standards-based –RFC 3820: X.509 Proxy Certificates –RFC 4462: GSSAPI for SSH For more information: – –Contact: Used by TeraGrid UK NGS NRC Canada LSC DataGrid INRIA NMI B&T TIGRE and others…
National Center for Supercomputing Applications NCASSR PKI Testbed Equipment: –Servers, laptops, workstations, and PDAs –Contact and contactless smartcards and readers –Secure co-processors for credential servers –Fingerprint readers Supporting: –ITTF smartcard credentialing project –Hardware-secured credential repositories –Smartcard authentication for grids and HPC For more information: – –Contact:
National Center for Supercomputing Applications Trusted CyberInfrastructure for Power Grids (TCIP) NSF CyberTrust center at Illinois Trust Institute –Additional funding from DOE, DHS –Partners: Dartmouth, Washington State, Cornell Addressing security challenges motivated by our national power grid
National Center for Supercomputing Applications TCIP: Emergency Credentialing and Authorization (NCSA Focus) Real-time power grid operations requires real-time data access to understand and prevent system faults But, day-to-day data access regulated by policy and competition Solution is to allow for short-term credentialing of operators to allow for emergency authorization for data access –Combine with strong auditing for post-emergency validation Investigate methods for determining when emergency occurs and proper changes to authorization policy to allow for prevention of system failure Contact:
National Center for Supercomputing Applications GridShib: Grid-Shibboleth Integration Integration of Internet2’s Shibboleth with Computational Grids via the Globus Toolkit Allow for use of Campus Identity Management for Grid Authentication and Authorization –Allow leveraging of Shibboleth software and deployments to support Grids –Utilizing Web Services security standards (SAML) Contact: Von Welch
National Center for Supercomputing Applications NCASSR CyberCrime Investigation Environment CyberCrime incidents typically span multiple systems, domains and even continents Investigative teams comprise multiple individuals from multiple sites and have complex data management and analysis requirements
National Center for Supercomputing Applications NCASSR CyberCrime Investigation Environment We are developing a environment to facilitate this distributed investigations Includes facilities for data management, anonymization, sharing and analysis Plus components for collaboration All contained in a secured collaboration environment Contact:
National Center for Supercomputing Applications American Red Cross Associated Fire Fighters of Illinois FBI Illinois Governor’s Office Illinois State Police U.S. Attorney’s Office FEMA (Region V) Illinois Terrorism Task Force Mission –Created May 2000 to implement a comprehensive coordinated strategy for domestic preparedness in the state of Illinois, bringing together agencies, organizations, and associations representing all disciplines in the war against terrorism. Members include:
National Center for Supercomputing Applications ITTF Credentialing Project Goal: Pre-issue credentials to incident responders for identification and tracking at the incident perimeter –Smartcards printed with photo ID –Electronic authentication includes: Fingerprint biometric Identity certificate issued by State of Illinois PKI –Cross-certified with Federal Bridge CA Signed certifications (team, weapons, hazmat) +
National Center for Supercomputing Applications UIC ITTF Credentialing Project 5,000 initial credentials for pilot project Plan to grow to 100,000 credentials –Every Illinois firefighter, police officer, EMT –Pre-certified volunteers (Red Cross, etc.) Designed for general-purpose use state-wide –Secure building and computer system access –Interoperability with Federal standards Partners: Contact:
National Center for Supercomputing Applications Astronomy (LSST / NVO / DES) Communities: LSST, NVO, DES, IVOA, NOAO, NRAO, STSCI Need: Grid Security Solution for a Portal Environment Distinguishing Features/Requirements –Inter-DNS-Domain Single Sign-On (SSO) Across Portals –Interoperability Across Multiple Grid Security Domains –Limit Trust of Portal Servers –Preserve Options/Flexibility for Power Users Our Work –Security Architecture for Astronomy Community –Implementation of Working Prototype Key Software Components Used –MyProxy, Pubcookie, PURSe Contact:
National Center for Supercomputing Applications MAEViz Portal Single Sign-on Complex environment with web portal (Sakai), java web start applications and back- end services Provided Grid-enabled single sign-on based on MyProxy across all components
National Center for Supercomputing Applications Security for Large Collaborative Compute Infrastructures (LCCIs) Provides a set of requirements for securing LCCIs –Example LCCIs: TeraGrid, LHC Grid, GENI Risk and threat analysis –Identification of unique and magnified threats to LCCIs Exploration of security policies and procedures –Prevention, detection, and response –Collaboration among sites crucial for security Identification of requirements –Security architecture, agreements, implementation plan, management authority URL: contact: {hkhurana, jbasney,
National Center for Supercomputing Applications Software Protection Adoptability Study ITI and SAIC are working with the Software Protection Center (SPC) at Wright-Patterson Air Force Base to study how use of software protection technology may affect work-flow, and impact adoptability of that technology by its targeted customers. This project is funded through the Software Protection Initiative, whose mission is to prevent the unauthorized distribution and exploitation of application software critical to national security. Contact: