Decentralized User Authentication in a Global File System CS294-4 Presentation Nikita Borisov October 6, 2003.

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Decentralized User Authentication in a Global File System Max Meisterhans - Seminar in Distributed Computing WS 05/06.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
8.2 Discretionary Access Control Models Weiling Li.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Active Directory: Final Solution to Enterprise System Integration
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Using Digital Credentials On The World-Wide Web M. Winslett.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Dr.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
Chapter 8 Chapter 8: Managing the Server Through Accounts and Groups.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
11 REVIEWING MICROSOFT ACTIVE DIRECTORY CONCEPTS Chapter 1.
Session 6 Windows Platform Dina Alkhoudari. Learning Objectives What is Active Directory Logical components of active directory Physical components of.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.
Digital Object Architecture
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.
Windows 2000 Operating System -- Active Directory Service COSC 516 Yuan YAO 08/29/2000.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 5: Active Directory Logical Design.
02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.
Information-Centric Networks06a-1 Week 6 / Paper 1 Untangling the Web from DNS –Michael Walfish, Hari Balakrishnan and Scott Shenker –Networked Systems.
Module 7 Active Directory and Account Management.
© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
15.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Key Management.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Decentralized User Authentication in a Global File System Tony Young M.Math Candidate CS Fall 2004.
Peer-to-peer Information Systems Universität des Saarlandes Max-Planck-Institut für Informatik – AG5: Databases and Information Systems Group Prof. Dr.-Ing.
Page 1 Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Computer Science Lecture 19, page 1 CS677: Distributed OS Last Class: Fault tolerance Reliable communication –One-one communication –One-many communication.
1 Chapter Overview Managing Object and Container Permissions Locating and Moving Active Directory Objects Delegating Control Troubleshooting Active Directory.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Session 8 Windows Platform Dina Alkhoudari. Learning Objectives Read Only Domain Controller Active Directory Certificate Service Group Policy.
GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania.
Digital Signatures and Digital Certificates Monil Adhikari.
Introduction to Active Directory
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
11 GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES Chapter 4.
Directory Services CS5493/7493. Directory Services Directory services represent a technological breakthrough by integrating into a single management tool:
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.
Key management issues in PGP
Configuring Windows Firewall with Advanced Security
Cryptography and Network Security
Authentication Applications
CSE 451: Operating Systems Spring 2005 Module 20 Distributed Systems
FSMO Roles and Global Catalog Servers
Windows Active Directory Environment
CSE 451: Operating Systems Winter 2004 Module 19 Distributed Systems
O.S. Security.
CSE 451: Operating Systems Winter 2007 Module 21 Distributed Systems
Presentation transcript:

Decentralized User Authentication in a Global File System CS294-4 Presentation Nikita Borisov October 6, 2003

Goals Authenticate users to access the file system Support remote administrative domains Use only local information at access time Avoid certificates

Why not certificates? Complicated infrastructure Certificate chain hard to compute (e.g. SDSI) Or inflexible trust structure (e.g. VeriSign) Overkill for a file system?

SFS Servers Each server has a public key Key part of the name (“self-certifying”) –mit.edu,anb726muxau6phtk3zu3nq4n463mwn9a Use key to authenticate server and set up a secure connection –Connection provides confidentiality & integrity

Self-Certifying Names Public keys are explicit –Always together with the name No PKI necessary –Avoids organizational and technical issues Keys are obtained out-of-band –Perhaps falling back on people

Authentication Servers One server per administrative domain –Identified by self-certifying hostname Authenticate users –Unix passwords, public keys, SRP, … Manage local names and groups Export user and group records to remote servers

Groups Defined within an administrative domain Has a list of members and a list of owners Each user may define their own groups –E.g. alice.friends Members/owners can be remote or local

Group members Member typeExample Local userU=nikitab Local groupG=nikitab.friends Remote Remote Public keyP=d43dft5tr50lkxsdre42…

Group members Local users & groups –As defined by the authentication server Public key hashes –Allow ad-hoc users –Protect privacy Remote users & groups –Retrieved from remote servers –Authenticity protected by self-certifying name

Group Caching Group definitions may be distributed on many servers Each authentication server resolves and caches entire group membership Cache ensures all necessary information is locally available at time of access –Though it may be out of date

Resolving Membership Expand group names Query remote servers for group & user definitions Recursively query any new remote names Cache updated every hour Use version numbers to send deltas

Problems Freshness –Eventual consistency –Use out-of-date data for an hour –Longer if server unavailable Revocation –Easy to revoke users (with a delay of 1 hour) –Hard to revoke server keys

Scalability All relevant group members cached on local server may be large wouldn’t work –It would work with certificates Limit members to 1,000,000 to prevent DOS Most sharing groups are small –C.f. Athena at MIT

ACLs Each file and directory has an ACL –Stored in first 512 bytes Lists local users and groups and access rights –Read, write, modify ACL Remote names and public keys have to be indirected through a group –Save on space –Easier to change membership

Certificates Revisited What did we lose? –Human-readable namespace –Key management/revocation –Offline operation –Scalability Are these not important for a global FS?