
Common Authentication Library – Daniel Kouril, for the CaNL PT, EGI CF (EMI is partially funded by the European Commission under Grant Agreement RI-261611)




1 Common Authentication Library
Daniel Kouril, for the CaNL PT
EGI CF 2012, Munich

2 Motivation (EMI INFSO-RI-261611)
Common security layer (PKI) is used, but there is no common support in applications
– Duplication of code, expensive maintenance
– No common profile for SSL and X.509
– Difficult to add new features
– Security audit of the code quite hard

3 Main Goals
Simple API to support authentication and message protection
Functionality to deal with Grid specifics
Available for a wide range of languages
Easy to understand and use
– Hide complexity inside the library
Credential delegation not addressed

4 Current Status
API designed and underwent detailed expert reviews
Implementation started in the middle of 2011
– EMI PT established for the work
APIs implemented by three subgroups
Implementations delivered as part of EMI-2
EMI PTs are expected to integrate CaNL in Y3

5 Available CaNL Features
API for connection-based applications
– Simple to use
– Mutually authenticated connection
– Exchange of protected messages
Minimal external dependencies
– Numbers, size
Dependency on SSL implementation kept minimal

6 Available CaNL Features
Grid "extensions" inherent to the library
– Support for proxy certificates (RFC, legacy)
– Support for CA's signing policies
Management of X.509, including proxies
– Generation of X.509 requests
– Proxy signing
Some bindings support PKCS11
– Smart cards and/or soft-tokens

7 Integration with applications
Code samples provided (or can be)
– Connection establishment, delegation, proxy management
API descriptions available
Developers will need to replace their code with calls to canl
Any feedback welcome

8 C
Largely based on existing code
Two levels of API
First level contains basic calls to establish an authenticated connection and communicate
– Simple but generic
– Generic API with no SSL and/or X.509 dependency
– Internally plugin-based
– Other security mechanisms easy to support

9 C
The second level provides extensions for SSL and/or X.509
– Setting SSL specifics for connections: CA locations, certificate/private key, SSL versions, …
Certificate and proxy management
– Preparing CSR requests, signing proxies, …

10 C++
Based on code from the ARC framework
– A lot of code cleaning performed
Interface for handling X.509 credentials
– Private key, certificate, proxy
– Certificate request
– CA and policies
– Predefined environment setups
Abstract X.509 authenticated connection
– Both client and server side
Expandable to different transport layers
– Implemented for network sockets

11 Java
Designed to integrate seamlessly with the standard Java network stack
Provides implementation of multiple trust stores:
– OpenSSL-like trust store with support for Globus EACL and IGTF namespaces
– Custom directory store which can be flexibly configured to use certificates and CRLs defined with wildcard expressions
– Traditional Java keystore amended with separate CRLs
It is possible to automatically use remote CRLs and certificates (with local caching)

12 Java
Trust stores are refreshed at configurable intervals
User credentials can be provided in multiple formats:
– Java keystore
– Pair of PEM files
– PEM keystore
– DER PKCS8
Offers support for RFC 2818
Adds a lot of helper utilities, e.g. to perform DN comparison in a portable and safe way or to format a DN for printing
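The "portable and safe DN comparison" helper mentioned on this slide addresses a real pitfall: comparing DNs as plain strings fails across the OpenSSL slash form and the RFC 2253 comma form, between attribute names and their OIDs, and on case and whitespace differences. The Python below is an added example written for this page, not canl-java's own code; it canonicalizes both notations and compares them structurally.

```python
import re

# Map attribute type names and OIDs to one canonical key (subset of the
# RFC 4514 registry; extend as needed).
_TYPE_ALIASES = {
    "cn": "cn", "commonname": "cn", "2.5.4.3": "cn",
    "o": "o", "organizationname": "o", "2.5.4.10": "o",
    "ou": "ou", "organizationalunitname": "ou", "2.5.4.11": "ou",
    "c": "c", "countryname": "c", "2.5.4.6": "c",
    "dc": "dc", "domaincomponent": "dc", "0.9.2342.19200300.100.1.25": "dc",
    "emailaddress": "emailaddress", "1.2.840.113549.1.9.1": "emailaddress",
}

def _split(s, sep):
    """Split s on sep, skipping over backslash-escaped characters."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def canonical_dn(dn):
    """Parse an OpenSSL-style ('/C=XX/O=Org/CN=name') or RFC 2253-style
    ('CN=name,O=Org,C=XX') DN into a root-first tuple of RDNs, each RDN a
    frozenset of (type, value) pairs so multi-valued RDNs compare order-free.
    Values are unescaped, whitespace-collapsed and lowercased (a simplified
    RFC 4518 string prep; hex-encoded '#..' values are not handled)."""
    dn = dn.strip()
    if dn.startswith("/"):
        rdns = [r for r in _split(dn[1:], "/") if r.strip()]
    else:
        rdns = [r for r in _split(dn, ",") if r.strip()]
        rdns.reverse()  # RFC 2253 lists the leaf first; OpenSSL the root
    canon = []
    for rdn in rdns:
        avas = set()
        for ava in _split(rdn, "+"):
            typ, _, val = ava.partition("=")
            typ = _TYPE_ALIASES.get(typ.strip().lower(), typ.strip().lower())
            val = " ".join(re.sub(r"\\(.)", r"\1", val.strip()).split()).lower()
            avas.add((typ, val))
        canon.append(frozenset(avas))
    return tuple(canon)

def dn_equal(a, b):
    """True if the two DNs name the same entity regardless of notation."""
    return canonical_dn(a) == canonical_dn(b)
```

The sample DNs in the checks are constructed; a production comparison should additionally apply full RFC 4518 string preparation for non-ASCII values.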

13 Thank you

