Presentation is loading. Please wait.

Presentation is loading. Please wait.

NCSA CyberSecurity Research and Development

Published byΣταματία Μαγγίνας Modified over 6 years ago

Similar presentations

Presentation on theme: "NCSA CyberSecurity Research and Development"— Presentation transcript:

1 NCSA CyberSecurity Research and Development

2 NCSA Security Research and Development
Part of National Center for Supercomputing Applications at the University of Illinois Ten person team of researchers and developers Funding from NSF and ONR Lead for the National Center for Advanced Secure Systems Research Part of University of Illinois Information Trust Institute National Center for Supercomputing Applications

3 NCSA Security R&D Projects Overview
Technology R&D SELS - Secure Lists Mithril - Adaptive Security for Collaborative Computing FLAIM - Log Anonymization MyProxy - Credential Management SSH Key Management GridShib - Identity Federtation for Grids TCIP - Trusted CyberInfrastructure for the Power Grid Applied Security ITTF - Illinois Terrorism Task Force Credentialing Project Security for CyberEnvironments MAEVis, Astronomy National Center for Supercomputing Applications

4 SELS: A Secure Email List Service
Provides message-level security for s exchanged on mailing lists Confidentiality, Integrity, and Authentication Minimally trusted List Server Novel feature: List Server does not get access to plaintext Proxy encryption techniques enable transformation of ciphertext Development with COTS and open-source components Integrated with GnuPG on subscriber side; no need for software installation Integrated with Mailman on server side with easy installation and setup Use Case Scenarios: Lists of System administrators exchanging s for infrastructure protection and incident response Healthcare researchers exchanging s on sensitive data URL: contact: National Center for Supercomputing Applications

5 IB-MKD: Identity Based Message Key Distribution for Secure Email
Provides encryption for s Novel feature: No long term public keys for end users Knowledge of address sufficient for encryption Domain Based Administration Trusted Key Distribution Center (KDC) distributes message keys to domain users Leverages DNS for key distribution KDC public keys distributed via DNS using Yahoo’s domainkey technology S/MIME based implementation Minor modifications to S/MIME using Java/Bouncycastle library URL: Contact: {hkhurana, National Center for Supercomputing Applications

6 MITHRIL Collaboration between NCSA, PNNL, NRL CCS
Development of mechanisms for adaptable security for open, collaborative computing systems Maximize usability while allowing rapid, automated response to security incidents Four sub-components: Credentials Management, SELS See slides elsewhere Continuous Mouse Biometrics Intrusion Detection and Response system Contact: Von Welch Need image. Talk about OTP. National Center for Supercomputing Applications

7 Mithril: Computer Mouse Biometrics
Project lead by PNNL Detects unauthorized users at console by building profile of authorized user’s biometric mouse movement patterns Can analyze and detect changes in pattern in near-real time Contact: Doug Schultz National Center for Supercomputing Applications

8 Mithril: Intrusion Detection and Response System
Detect, correlate and respond to incidents Differentiate between isolated incidents and sustained attacks Built from open-source components: Prelude, SEC, cfEngine TattleTale: NCSA-developed process monitoring system to detect illicit privileged access National Center for Supercomputing Applications

9 Network/System/Audit Log Anonymization
NCSA produces ~5 GBytes of logs per day. Real-world logs are useful for investigations, education, testing of tools, and network/security research. However, real-world logs often contain sensitive information. Privacy issues exist for both the individual users and the organization. Network topology could be useful to attackers. Services running on machines and trust relationships between systems could be useful to attackers. National Center for Supercomputing Applications

10 FLAIM – Framework for Log Anonymization and Information Management
Solution – Anonymization to meet the needs of both parties Data owner is concerned with privacy/security Analyst is concerned with information loss FLAIM has a rich policy language expressive enough to often define policies that meet needs of both E.g., one can obscure IP addresses, but preserve the subnet structure for networking researchers FLAIM is very flexible Modular, allowing I/O modules for multiple logs to be built Plethora of anonymization primitives to apply to many fields National Center for Supercomputing Applications

11 FLAIM – Into the future Analyze trade-offs between information loss and privacy Create a metric of log utility and analyze effect of anonymization on metric. Create a metric of the strength of an anonymization scheme. We can move beyond computer/network logs Reuse the anonymization engine and policy engine, a.ka. FLAIM-Core. Module API is flexible enough to support any data in a record/field format. National Center for Supercomputing Applications

12 Credential Management
Users are poor at managing electronic credentials such as digital keys Hardware tokens are one solution But not always available E.g. different system platforms in science communities Credential Management allows for these credentials to be managed for the user By profession IT staff in secure machine rooms Provide control and monitoring over credential use National Center for Supercomputing Applications

13 FusionGrid PRAGMA EGEE
MyProxy Open Source software for managing PKI credentials Online CA issues short-lived certificates Online credential repository securely stores PKI credentials Supports many authentication methods: passphrase, certificate, PAM, SASL, Kerberos, OTP Integrates with job managers for automated credential renewal Distributed in Globus Toolkit, VDT, NMI, CoG Kits, TG CTSS, and Univa Globus Enterprise MyProxy on TeraGrid MyProxy CA provides certificates to users via User Portal Login User Portal and Ticket System use MyProxy authentication MyProxy integrates with Science Gateway web portals For more information Contact: Used by TeraGrid LCG FusionGrid PRAGMA EGEE ESG LNCC CCG OSG and others… National Center for Supercomputing Applications

14 Secure Shell Key Management
Secure Shell (SSH) is common way to access high-end resources at NCSA User managed RSA keys a common, easy authentication mechanism But these keys get easily stolen, shared Solution: Manage RSA keys centrally, allow user access through standard SSH Remote Agent protocol and tools Contact: National Center for Supercomputing Applications

15 SSH Key Management SSH Key Server Compute Resource
Maintains private RSA keys Client Authenticates via site mechanisms e.g. Kerberos, OTP Public Key Distribution Client accesses private RSA key via ssh-agent Compute Resource RSA-authenticated access National Center for Supercomputing Applications

16 GSI-OpenSSH Modified version of OpenSSH supporting X.509 authentication and proxy delegation Provides a single sign-on remote login and file transfer service Included in Globus Toolkit, VDT, NMI, TG CTSS Standards-based RFC 3820: X.509 Proxy Certificates RFC 4462: GSSAPI for SSH For more information: Contact: Used by TeraGrid UK NGS NRC Canada LSC DataGrid INRIA NMI B&T TIGRE and others… National Center for Supercomputing Applications

17 NCASSR PKI Testbed Equipment: Supporting: For more information:
Servers, laptops, workstations, and PDAs Contact and contactless smartcards and readers Secure co-processors for credential servers Fingerprint readers Supporting: ITTF smartcard credentialing project Hardware-secured credential repositories Smartcard authentication for grids and HPC For more information: Contact: National Center for Supercomputing Applications

18 Trusted CyberInfrastructure for Power Grids (TCIP)
NSF CyberTrust center at Illinois Trust Institute Additional funding from DOE, DHS Partners: Dartmouth, Washington State, Cornell Addressing security challenges motivated by our national power grid National Center for Supercomputing Applications

19 TCIP: Emergency Credentialing and Authorization (NCSA Focus)
Real-time power grid operations requires real-time data access to understand and prevent system faults But, day-to-day data access regulated by policy and competition Solution is to allow for short-term credentialing of operators to allow for emergency authorization for data access Combine with strong auditing for post-emergency validation Investigate methods for determining when emergency occurs and proper changes to authorization policy to allow for prevention of system failure Contact: National Center for Supercomputing Applications

20 GridShib: Grid-Shibboleth Integration
Integration of Internet2’s Shibboleth with Computational Grids via the Globus Toolkit Allow for use of Campus Identity Management for Grid Authentication and Authorization Allow leveraging of Shibboleth software and deployments to support Grids Utilizing Web Services security standards (SAML) Image would help. Contact: Von Welch National Center for Supercomputing Applications

21 NCASSR CyberCrime Investigation Environment
CyberCrime incidents typically span multiple systems, domains and even continents Investigative teams comprise multiple individuals from multiple sites and have complex data management and analysis requirements National Center for Supercomputing Applications

22 NCASSR CyberCrime Investigation Environment
We are developing a environment to facilitate this distributed investigations Includes facilities for data management, anonymization, sharing and analysis Plus components for collaboration All contained in a secured collaboration environment Contact: National Center for Supercomputing Applications

23 Illinois Terrorism Task Force
Mission Created May 2000 to implement a comprehensive coordinated strategy for domestic preparedness in the state of Illinois, bringing together agencies, organizations, and associations representing all disciplines in the war against terrorism. Members include: American Red Cross Associated Fire Fighters of Illinois FBI Illinois Governor’s Office Illinois State Police U.S. Attorney’s Office FEMA (Region V) National Center for Supercomputing Applications

24 ITTF Credentialing Project
Goal: Pre-issue credentials to incident responders for identification and tracking at the incident perimeter Smartcards printed with photo ID Electronic authentication includes: Fingerprint biometric Identity certificate issued by State of Illinois PKI Cross-certified with Federal Bridge CA Signed certifications (team, weapons, hazmat) + National Center for Supercomputing Applications

25 ITTF Credentialing Project
5,000 initial credentials for pilot project Plan to grow to 100,000 credentials Every Illinois firefighter, police officer, EMT Pre-certified volunteers (Red Cross, etc.) Designed for general-purpose use state-wide Secure building and computer system access Interoperability with Federal standards Partners: UIC Contact: National Center for Supercomputing Applications

26 Astronomy (LSST / NVO / DES)
Communities: LSST, NVO, DES, IVOA, NOAO, NRAO, STSCI Need: Grid Security Solution for a Portal Environment Distinguishing Features/Requirements Inter-DNS-Domain Single Sign-On (SSO) Across Portals Interoperability Across Multiple Grid Security Domains Limit Trust of Portal Servers Preserve Options/Flexibility for Power Users Our Work Security Architecture for Astronomy Community Implementation of Working Prototype Key Software Components Used MyProxy, Pubcookie, PURSe Contact: National Center for Supercomputing Applications

27 MAEViz Portal Single Sign-on
Complex environment with web portal (Sakai), java web start applications and back-end services Provided Grid-enabled single sign-on based on MyProxy across all components National Center for Supercomputing Applications

28 Security for Large Collaborative Compute Infrastructures (LCCIs)
Provides a set of requirements for securing LCCIs Example LCCIs: TeraGrid, LHC Grid, GENI Risk and threat analysis Identification of unique and magnified threats to LCCIs Exploration of security policies and procedures Prevention, detection, and response Collaboration among sites crucial for security Identification of requirements Security architecture, agreements, implementation plan, management authority URL: contact: {hkhurana, jbasney, National Center for Supercomputing Applications

29 Software Protection Adoptability Study
ITI and SAIC are working with the Software Protection Center (SPC) at Wright-Patterson Air Force Base to study how use of software protection technology may affect work-flow, and impact adoptability of that technology by its targeted customers. This project is funded through the Software Protection Initiative, whose mission is to prevent the unauthorized distribution and exploitation of application software critical to national security. Contact: National Center for Supercomputing Applications

Download ppt "NCSA CyberSecurity Research and Development"

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
1/13/05NCASSR PNNL Visit1 Security Tools Area Overview, Credential Management Services, and the PKI Testbed Jim Basney Senior Research Scientist

1/13/05NCASSR PNNL Visit1 Security Tools Area Overview, Credential Management Services, and the PKI Testbed Jim Basney Senior Research Scientist
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Understanding Active Directory

Understanding Active Directory
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
© TecSec® Incorporated 2003 Threat Notification Model for Federal, State and Local Authorities Threat Notification Model for Federal, State and Local Authorities.

© TecSec® Incorporated 2003 Threat Notification Model for Federal, State and Local Authorities Threat Notification Model for Federal, State and Local Authorities.

Similar presentations

Ads by Google