Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.

Slides:



Advertisements
Similar presentations
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
MyProxy: A Multi-Purpose Grid Authentication Service
Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.
A responsibility based model EDG CA Managers Meeting June 13, 2003.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Lecture 23 Internet Authentication Applications
Chapter 9 Deploying IIS and Active Directory Certificate Services
Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Secure Socket Layer (SSL)
KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication University of Michigan Kevin Coffman Bill Doster.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Unit 1: Protection and Security for Grid Computing Part 2
Configuring Directory Certificate Services Lesson 13.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Designing Authentication for a Microsoft Windows 2000 Network Designing Authentication in a Microsoft Windows 2000 Network Designing Kerberos Authentication.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Module 9: Fundamentals of Securing Network Communication.
Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
MGRID Architecture Andy Adamson Center for Information Technology Integration University of Michigan, USA.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
X509 Web Authentication From the perspective of security or An Introduction to Certificates.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Key management issues in PGP
Grid Security.
Cryptography and Network Security
Radius, LDAP, Radius used in Authenticating Users
Presentation transcript:

Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003

Overall Architecture FNAL Root CA FNAL KCAFNAL Service CA Signs Offline machine N of M Key storage Offline “traditional” CA config Online protected machine

Salient Features Scope is FNAL internal and collaborators Registration tied to FNAL user registration Root CA used solely for signing subordinate CAs Service CA is traditional KCA issues short-lived user certificates only.

User registration Users register with FNAL. Information vetted by experiment delegates. All users revalidated twice within past 2 yrs. Users office collects signatures from experiment All users can get a Kerberos credential and with that can get a KCA credential.

What would we like? Accept FNAL Root CA and Service CA as “traditional” CAs Accept FNAL KCA as first instance of “online” CA

Status Root CA created and have certificate here now for transmission. KCA went production in March –4000 registered users –~100 unique users/month getting proxies Production Service CA not yet operational. Finalizing plans now.

Why Short-Lived Certificates? Intuition and measurement both tell us that a significant number of long-lived authentication secrets will be compromised. The frequency of this event is reduced if the secrets: –are not stored on computers; –are not transmitted on the network; –can be held in organic memory. The impact of this event is reduced if: –The owner of the secret can quickly and easily invalidate it and establish a new one.

Passwords vs. Private Keys Passwords are small secrets (most) users can remember. Private keys are sets of large integers which must be stored - usually in one or more online file systems. Passwords are easy to change, private keys difficult. On the other hand, passwords can sometimes be guessed - if an offline attack is possible. Private keys are seldom guessable.

KCA KCA = Kerberized Certificate Authority –An online CA which is a Kerberos service. Client generates an RSA key pair, sends public key to KCA with authentication and integrity protection. KCA generates the Subject DN, other extensions, and signs a certificate. –Valid until expiration time of Kerberos ticket. Client receives certificate, inserts it in the browser cache or Globus proxy file. Software originated at CITI, U of Michigan. Distributed with the NMI package and client in VDT next version.

CA Considerations The KCA host must be as well protected as any comparable part of the authentication infrastructure - KDC, Domain Controller,... Since the CA private key is on-line, it should be short- lived* and easy to replace. –* Short relative to some other CAs, not to the certificates it signs! Relying parties (Grid or SSL services) need the KCA public key on file, or another CA key which certifies the KCA. Certificate revocation: moot.

KCA - LDAP Connection The KCA accepts only the public key and Kerberos identity from a client. The Kerberos identity is algorithmically transformed into a UserID and an address, but the CommonName ("John Smith") is also wanted. –The CommonName is obtained through a secure LDAP query to the Windows 2000 directory. –All our Windows 2000 domain user accounts are synchronized with Kerberos v5 user principals.

KCA - DNS Connection KCA's client, "kx509,” locates the KCAs through DNS SRV records, based on the Kerberos realm name. This obviates any client configuration and achieves failover and load-balancing among redundant servers.

Uses - Grid Grid users can delegate proxy credentials from a KCA certificate in the usual way. As long as the Globus toolkit on a grid server can trace a path from a trusted root CA to a user's certificate or proxy, that server can verify a user's identity. –Simplest deployment: store the KCA's self-signed certificate and signing policy on each server. –More elegant deployment: KCA fit into a hierarchy of CA's

Uses - Web Windows client stores user certificate & private key in the registry for browser's use. *n*x client includes a Netscape cryptographic module which can access the certificate and private key stored among the tickets in the Kerberos credential cache. An SSL-enabled web server can securely determine the client's UserID, name, address and Kerberos principal name. –Subject DN available to CGI, PHP, etc. Alternative to IP-based access control

Uses - Other The Nessus security scanner can act as a TLS- authenticated server. We provide servers inside and outside the site border and generate, for each registered sysadmin, a list of IP addresses they are responsible for and allowed to scan. On their own schedules, they authenticate through KCA/kx509, connect to the Nessus server with a GUI client, initiate scans, and receive the reports directly or return for them later.

Summary Deploying KCA has linked many TLS/SSL services into our sitewide authentication infrastructure. Either W2K or KRB5 is a sufficient base to allow deployment of this technology. –Can serve both at once The security concerns of an online CA issuing short- lived certificates are no more severe than KDC, kaserver, W2K DC,... Short-lived certificates require less storage protection than long-lived ones, and fulfill all the most common user requirements.