EMI is partially funded by the European Commission under Grant Agreement RI-261611 Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.

Slides:

Advertisements

Similar presentations

Innovations in OSGi How to prevent patent applications.

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Mobile Application Architecture Initiative Steve Wheat Chief IT Architect.

Chapter 14 – Authentication Applications

MyProxy: A Multi-Purpose Grid Authentication Service

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.

X.509 Certificate management in.Net By, Vishnu Kamisetty

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

Survey of Identity Repository Security Models JSR 351, Sep 2012.

September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT IHE Vendors Webinar 2006 IHE IT Infrastructure Education Robert Horn, Agfa Healthcare.

Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. Andreas Kuehne – DSS-X member.

The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.

Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

EMI INFSO-RI SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.

Secure Credential Manager Claes Nilsson - Sony Ericsson

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,

Integrating security services with the automatic processing of content TERENA 2001 Antalya, May 2001 Francesco Gennai, Marina Buzzi Istituto.

Overview of user client usage: ARC Iván Márton Zsombor Nagy.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

EGEE is a project funded by the European Union under contract IST Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.

Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting , Padova, Italy.

EGI-InSPIRE RI EGI.eu European Grid Infrastructure EGI-InSPIRE RI Credential Validation Middleware Requests compiling.

Services Security A. Casajus R. Graciani. 12/12/ Overview DIRAC Security Infrastructure HSGE Transport Authentication Authorization DIRAC Authorization.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.

EMI INFSO-RI ARC tools for revision and nightly functional tests Jozef Cernak, Marek Kocan, Eva Cernakova (P. J. Safarik University in Kosice, Kosice,

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK

GRID Security & DIRAC A. Casajus R. Graciani A. Tsaregorodtsev.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSI with OpenSSL Vincenzo Ciaschini EGEE-3.

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.

Security on Grid: User Interface, Internals and APIs Simone Campana LCG Experiment Integration and Support CERN IT.

EMI is partially funded by the European Commission under Grant Agreement RI EMI Registry (EMIR) Shiraz Memon, Ivan Marton, Gabor Szigeti, Laurence.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Improved X.509 Management Using PKCS11 Daniel Kouřil, Michal Procházka CESNET.

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.

EMI is partially funded by the European Commission under Grant Agreement RI caNl++ caNl++ team University Of Oslo 5th EMI AHM, Budapest.

X509 Web Authentication From the perspective of security or An Introduction to Certificates.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.

EMI is partially funded by the European Commission under Grant Agreement RI Common Framework for Extracting Information and Metrics from Multiple.

EMI is partially funded by the European Commission under Grant Agreement RI Future Proof Storage with DPM Oliver Keeble (on behalf of the CERN IT-GT-DMS.

Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)

EMI INFSO-RI Common Authentication Library Krzysztof Benedyczak (UWAR)

UNICORE and Argus integration Krzysztof Benedyczak ICM / UNICORE Security PT.

Principles Architecture Functionality Configuration Future plans

Secure Single Sign-On Across Security Domains

EMI Interoperability Activities

EMI 1 (Kebnekaise) release preparation status

IBM Certified WAS 8.5 Administrator

What’s changed in the Shibboleth 1.2 Origin

AuthN Middleware Requests

Presentation transcript:

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF 2012, Prague

EMI INFSO-RI Common security layer (PKI) used but no common code in applications – Expensive maintenance – No common profile for SSL and X.509 – Difficult to add new features – Security audit of code quite hard Adapting CANL decreases cost of maintenance and further develpment Motivation

EMI INFSO-RI Simple API to support authentication using X.509 TLS/SSL – Delegation, authorization, other sec. mechanisms, out of scope Functionality to deal with Grid specifics Cover popular languages – Native API for C,C++,Java APIs easy to understood and use – Differences between the bindings Main Goals

EMI INFSO-RI APIs designed and underwent detailed expert reviews Implementations delivered as part of EMI-2 Main features provided by all three libs – Credentials handling – Trust store handling – Name constraints checking – CRL – Proxy: verification, generation, proxy CSRs, utilities – Partially unified error codes and messages Current Status

EMI INFSO-RI Differences are mostly between Java and non- Java. Truststores – Java: several different – C&C++: only OpenSSL-style Distinguished names handling – Java: extensive support, RFC 2253 based – C & C++: minimal handling, currently OpenSLL syntax is used – C & C++ will add (configurable) support for RFC 2253, with RFC format being the suggested one. No network IO in Java (integrated with Java API) API Differences

EMI INFSO-RI API documentations available – JAVA: juelich.de/documentation/canl-1.0.1/manual.pdfhttp://unicore-dev.zam.kfa- juelich.de/documentation/canl-1.0.1/manual.pdf – C: – C++: Comments included in header files Samples of codes provided – Connection establishment, delegation, proxy mgmt Developers will need to replace their code with calls to canl Integration with applications

EMI INFSO-RI Example C: proxy creation ctx = canl_create_ctx(); /* First create a certificate request with a brand-new keypair */ ret = canl_cred_new(ctx, &proxy); ret = canl_cred_new_req(ctx, proxy, bits); /*Create key-pairs implicitly*/ ret = canl_cred_set_lifetime(ctx, proxy, lifetime); ret = canl_cred_set_cert_type(ctx, proxy, CANL_RFC); /* Load the signing credentials */ ret = canl_cred_new(ctx, &signer); ret = canl_cred_load_cert_file(ctx, signer, user_cert); ret = canl_cred_load_priv_key_file(ctx, signer, user_key, NULL, NULL); /* Create the proxy certificate and store it in a file*/ ret = canl_cred_sign_proxy(ctx, signer, proxy); ret = canl_cred_save_proxyfile(ctx, proxy, output);

EMI INFSO-RI Example C++: delegation, proxies //EEC acquisition AuthN::Context full_ctx(AuthN::Context::ClientFullContext); AuthN::Credentials eec_cred(full_ctx); //Proxy request AuthN::Context empty_ctx(AuthN::Context::EmptyContext); AuthN::ProxyCredentialsRequest proxyreq(empty_ctx); proxyreq.MakeKeys(1024); AuthN::Credentials::Extension policy; policy.value = "my test proxy policy"; proxyreq.SetPolicy(policy); proxyreq.SetValidFrom(time(NULL)); proxyreq.SetValidTill(time(NULL) *12); //Proxy signing AuthN::Credentials proxy(empty_ctx); AuthN::Status st = eec_cred.Sign(proxyreq, proxy, opensslcnf); std::string cert, key, chain; proxy.GetCertificate(cert); proxy.GetPrivateKey(key); proxy.GetChain(chain);

EMI INFSO-RI Example Java: Chain verification /* * Validates toBeChecked chain using Openssl style truststore, from * the /etc/grid-security/certificates directory. Both kinds of * namespaces are checked and forced if are present. Truststore is * reread every minute. The additional settings are not defined and * so defaults are used: CRLs are forced if are present. Proxy * certificates are supported. */ X509Certificate[] toBeChecked = null; X509CertChainValidator vff = new OpensslCertChainValidator( "/etc/grid-security/certificates", NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS, 60000); ValidationResult result = vff.validate(toBeChecked); if (result.isValid()) { //... } else { List errors = result.getErrors(); //... }

EMI INFSO-RI Thank you