25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Single.

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Advertisements

National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.
25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security.
MyProxy Jim Basney Senior Research Scientist NCSA
GT 4 Security Goals & Plans Sam Meder
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Report on Attribute Certificates By Ganesh Godavari.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Microsoft Office 4/16/2017 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Virtual Observatory Single Sign-on U.S. National Virtual Observatory National Center for Supercomputing Applications Ray Plante, Bill Baker.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Certificates ID on the Internet. SSL In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
Security, Authorisation and Authentication.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
GWS-WG agenda and meeting goals Agenda Summary of reference implementations VOStore progress VOStore issues and plans –How to reconcile VOStore and VOSpace?
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.
1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney
Bringing Federated Identity to Grid Computing Dave Dykstra CISRC16 April 6, 2016.
Grid Security.
NAREGI-CA Development of NAREGI-CA NAREGI-CA Software CP/CPS Audit
MyProxy and NVO or Web SSO for Grid Portals
Grid School Module 4: Grid Security
Presentation transcript:

25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Single Sign-on Document Series GWS-WG Security 101 Matthew Graham (see teamwg mail archive) VO-friendly, Community-based Authorization Framework, Pt. 1, 2 Ray Plante Ray Plante Von Welch & Jim Basney NCSA Grid Security Team Mike Freemon & Randy Butler National Middleware Initiative (NMI) Grid Center

25 April 2005NVO Team Meeting - Tucson2 What we’d like to see from interoperable security Trustworthy access to restricted resources –Proprietary data * –Remote storage –CPU cycles Sufficient control and auditing by resource providers Single sign-on –User enters a username/password once per session –Can access many restricted resources in an operation from different providers –Interoperates with public (non-restricted) data and services seamlessly –Interoperability with Grid security A framework that can be leveraged by observatories –A common way to get at proprietary data –A common way to support security in portals

25 April 2005NVO Team Meeting - Tucson3 What we’d not like to see from interoperable security A framework so cumbersome that no one uses it –Users & service providers –“Why do we even need this?” A hacking incident that erodes trust in the system –We’re used to relying on goodwill –The VO will raise our profile to hackers

25 April 2005NVO Team Meeting - Tucson4 Certificate-based Security Beyond the browser: Good for “grid” applications –Web services talking to each other –Can handle users across administrative boundaries X.509 Certificates in wide use today –To support SSL connections –Libraries available Certificates presented at socket connection time assure identity of holder –Identities of user and service –Each end must already have copy of Certificate Authority’s certificate –Each end holds own private key; cert contains public key –“handshake” tests that each side has private key corresponding to public key in cert

25 April 2005NVO Team Meeting - Tucson5 Certificate Authorities: the root of Trust A service/user will trust a CA by acquiring the CA’s public key –Public key acquired “out-of-band” of a user request –Benefit from a small number of CAs Recommendation: Each VO project runs its own CA –IVOA level: trust chain too hard to track Trust model to be discussed later… –Organization level: too many CAs Recommendation: Accept other established CAs from scientific community as a matter of practice –DOE, NCSA/TeraGrid –Leverage their trust model

25 April 2005NVO Team Meeting - Tucson6 Certificate Management User-managed certificates –User stores certificate & private key on local machine –User must “load” certificate into client applications e.g. web browser, Globus –User must also “load” certificates of trusted CAs –Often considered part of the “pain” of certificates Portal-managed certificates –Portal manages certificate & private key on users behalf –users don’t have to know certificates are being used –Possible to pass cert to client apps when needed

25 April 2005NVO Team Meeting - Tucson7 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson8 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson9 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson10 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson11 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson12 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson13 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson14 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson15 Certificate Management Both certificate models will be important –Important to support portal-based management for ease of use –The savvier users will manage own certs for use with client applications that connect directly to services Recommendation: VO project runs the following services: –Registration service (to create certs) –Certificate Repository (MyProxy) to store certs for use with portals –A login service for use with portals –Cert Download service: for retrieving certs for local client apps Existing tools: PURSE (NMI), GAMA (SDSC)

25 April 2005NVO Team Meeting - Tucson16 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service e.g., VO Project

25 April 2005NVO Team Meeting - Tucson17 Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project

25 April 2005NVO Team Meeting - Tucson18 Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project

25 April 2005NVO Team Meeting - Tucson19 Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project

25 April 2005NVO Team Meeting - Tucson20 CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal

25 April 2005NVO Team Meeting - Tucson21 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service Login Interface

25 April 2005NVO Team Meeting - Tucson22 Trust Model The certificate “handshake” –Means that… User has private key issued to “Joe Astronomer” Service has private key issued to “Fab Storage” –Useful enough in some cases Service can save per user state across sessions Will control what user can do –Did “Joe” give a phony name? The CA signature means that the CA has made an effort to verify the identity –How does a CA determine that users are who they say they are?

25 April 2005NVO Team Meeting - Tucson23 Commercial Trust Model: Thawte Weak certificates –Generic identity: name not included –Can do low trust activities (encrypt ) Strong certificates (has identity info in it): –Identity notarized by multiple somewhat- trusted people—“Web of Trust” –Point system a notary can issue up to 35 points Need 50 points to get strong cert

25 April 2005NVO Team Meeting - Tucson24 An Astronomical Observatory To gain access to telescope and resulting proprietary data User writes a proposal –Includes identity information: affiliation, –Includes references to published work –Includes collaborators with references Observatory contacts PIs, Co-Is by Proposal is evidence that they are legit. Can we leverage this process?

25 April 2005NVO Team Meeting - Tucson25 Building a Trust Model How do we verify identities? –someone VO project trusts tells them (out-of-band) that the user is who she says she is. –Registration Authorities (RA): enlisting the help of existing institutions Academic departments? (akin to Shibboleth model) Observatories? –How much is enough? –What process/software can we provide to RAs to validate identities? Verification takes time and human involvement! –Can weak certificate enable some activity requiring less trust? Allows user to get started right away! Need trusted system to issues certs to services –So that users can trust services to behave with their ID –Can build on trust model for users

25 April 2005NVO Team Meeting - Tucson26 Authorization Authorization policies tend to be service specific –Provider will want to control who’s allowed to do what –Expect observatories to centralize authorization management –Authorization policies assigned to groups Observatory: groups defined on the proposal level Groups defined around archive-based research Recommendation: Leave authorization management to service providers. No interoperable standards are needed at this time*

25 April 2005NVO Team Meeting - Tucson27 Authorization Use Case Drivers Types of restricted resources –Proprietary data –Remote storage –CPU cycles Sufficient control and auditing by resource providers Types of proprietary data –Data from PI-driven telescope’s archive, covered by observatory’s proprietary policy –VO workspace data (VOStore) –Data under Proprietary policy based on origin of user* *Europe

25 April 2005NVO Team Meeting - Tucson28 Three models for handling authorization Map external identities to internal accounts –One account per group, groups define set of authorization policy Call out: –User accesses service with personal cert –Service calls out to authorization database to retrieve privileges associated with user –Service tests user request against policies Certificate wrapping (Globus CAS): –User visits authorization database with personal cert, gets back proxy cert with policies encoded inside (using SAML) –User presents proxy cert to service –Service test user request against policies –Good for portal-based access but inconvenient for outside clients