Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.

Slides:

Advertisements

Similar presentations

Introduction of Grid Security

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Andrew File System CSS534 ZACH MA. History  Originated in October 1982, by the Information Technology Center (ITC) formed with Carnegie Mellon and IBM.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

MyProxy: A Multi-Purpose Grid Authentication Service

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Credential Repositories in an Interprise Environment Bob Cowles Stanford Linear Accelerator Center 27 January 2003 Work supported by U. S. Department of.

Grid Security. Typical Grid Scenario Users Resources.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.

About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

1 Authentication Protocols Celia Li Computer Science and Engineering York University.

Public Key Infrastructure from the Most Trusted Name in e-Security.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

1 Computer & Web Security  Security Problems in Computer Use  Privacy-Protecting Techniques  Privacy-Protecting Technologies: cryptography, digital.

Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Masud Hasan Secue VS Hushmail Project 2.

Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

World Wide Web Hypertext model Use of hypertext in World Wide Web (WWW) WWW client-server model Use of TCP/IP protocols in WWW.

1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

INTRODUCTION. The security system is used as in various fields, particularly the internet, communications data storage, identification and authentication.

DFS & Active Directory Joshua Hedges |Brandon Maxfield | Robert Rivera | Will Zilch.

Module 9: Fundamentals of Securing Network Communication.

Physical ways of keeping your system secure. Unit 7 – Assignment 2. (Task1) By, Rachel Fiveash.

1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.

A Distributive Server Alberto Pareja-Lecaros. Introduction Uses of distributive computing - High powered applications - Ever-expanding server so there’s.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Association with the Gilda Virtual Organization Certificate,VO membership, and MyProxy Server usage.

The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.

National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.

CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.

1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,

Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.

Grid technology Security issues Andrey Nifatov A hacker.

CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.

1 Andrew Hanushevsky - CHEP, February 7-11, 2000 Practical Security In Large Scale Distributed Object Oriented Databases

File Transfer And Access (FTP, TFTP, NFS). Remote File Access, Transfer and Storage Networks For different goals variety of approaches to remote file.

The overview How the open market works. Players and Bodies  The main players are –The component supplier  Document  Binary –The authorized supplier.

12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK

KERBEROS SYSTEM Kumar Madugula.

The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.

7-May-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Issues and Planning or Report from the Security Group CERN, 8 May 2003 David Kelsey CCLRC/RAL, UK.

SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Security Bob Cowles

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

Chapter 40 Internet Security.

SFS-HTTP: Securing the Web with Self-Certifying URLs

THE STEPS TO MANAGE THE GRID

Tutorial on Creating Certificates SSH Kerberos

Message Digest Cryptographic checksum One-way function Relevance

Kerberos Kerberos is an authentication protocol for trusted hosts on untrusted networks.

Presentation transcript:

Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center

December 13, 20022: Virtual Smart Card Enmeshed Private Keys Premise: Private keys and users don’t mix Inherently insecure model No guarantee of good or any password choice No guarantee of secure private key location E.g., users store keys in network based file systems No guarantee how private key was handled E.g., users copy/ keys to remote machines & leave them cannot User managed keys cannot be trusted

December 13, 20023: Virtual Smart Card Solitary Private Keys Premise: Never give a user their private key Can’t mishandle something you don’t have stronger Can provide a stronger security guarantee Signed cert as secure as institution’s accounts Must provide agent-based key handling E.g., smart cards

December 13, 20024: Virtual Smart Card Virtual Smart Card (vsc) Premise: Physical smart cards (psc) in software vsc’s have a 1-to-1 concept correspondence to psc’s ConceptPhysicalVirtual ProcurementPurchase/downloadRequest/generate PossessionPhysicalAuthentication OperationsIndirect Tamper protectionSelf-destructRestricted access Theft protectionSettable pinSettable password

December 13, 20025: Virtual Smart Card VSC Conceptualization A vsc is implemented using a secure, access restricted server One server holds many user’s private keys Hence, one server instantiates many vsc’s Can be well secured Restricted physical access Cages, keyed room, etc. Restricted logical access Only three access protocols needed: dns, ntp, and vsc Keys can be encrypted via user-supplied passwords

December 13, 20026: Virtual Smart Card VSC Procurement 1. Ask for a cert 2. Generate keys and send cert request 3. cert url User never sees the private key! CA 4. Download CA signed public cert* *When available on 1 st request or automatic poll.

December 13, 20027: Virtual Smart Card VSC Operation (vsc-proxy) 2. Generate proxy public/private key Sign proxy cert 3. Sign proxy cert Private key never sees the network! Get public cert 1. Get public cert Externally authenticated Externally authenticated (e.g., Kerberos)

December 13, 20028: Virtual Smart Card VSC Theft Protection 1. Generate key-string from a strong user password Send encrypted key-string 2. Send encrypted key-string Externally authenticated Externally authenticated (e.g., Kerberos) 3. Encrypt user’s x509 private key and discard key-string User must now supply key-string for vsc to use private key

December 13, 20029: Virtual Smart Card VSC Advantages I Simple and effective Models well-known physical object -- smart card Initial certificate request is trivial Private keys never exposed Can be further encrypted by user Can get proxy cert anywhere in the world No need to copy public/private keys

December 13, : Virtual Smart Card VSC Advantages II Can provide special extensions EDG VOM extensions (natural fit) Can provide special always-on services Perhaps proxy cert revalidation stronger Can provide stronger security guarantee Signed cert as secure as institution’s accounts

December 13, : Virtual Smart Card VSC Disadvantages Private keys are concentrated Can be user-encrypted Similar problem in Kerberos May violate current CA CP/CPS Political vs. practical reality No more secure than external authentication Need good authentication (e.g., K5)

December 13, : Virtual Smart Card Conclusion Virtual Smart Cards effective Simple, relatively transparent, secure Provides a path to more stringent security Physical smart cards Simplify user’s lives Ease of use reduces security lapses Promotes a congenial grid security environment!