Presentation is loading. Please wait.

Presentation is loading. Please wait.

A PPARC funded project Single Sign-On Proposal Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004.

Published byRichard Stuart Modified over 11 years ago

Similar presentations

Presentation on theme: "A PPARC funded project Single Sign-On Proposal Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004."— Presentation transcript:

1 A PPARC funded project Single Sign-On Proposal Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004

2 2 > Goals Software-to-software authentication Protect services from misuse User signs on once per interactive session Minimal impact on service providers No shared DBs of passwords Dont register each user at each service Minimal impact on users Register once for entire VObs, on-line One password for entire VObs. No p(r)oxy certificates for user to manage

3 3 > Parts of proposal Proposal text on IVOA wiki http://www.ivoa.net/twiki/bin/view/IVOA/SingleSignOnProposal Proposal in two parts: 1. Message-level protocol for authentication 2. How client s/w gets its credentials 2 nd expands on 1 st part More architectural More sociological Could adopt 1 st part but not 2 nd part

4 4 > Message-level protocol (1) Digitally sign body of message Prevents alteration of message Dig-sig mark-up goes in SOAP header Use WS-Security encoding Put X.509 ID certificate in message Certificate contains public key + user ID Put certificate in SOAP header WS-Security encoding again Certificate + signature = authentication Signature on msg ties msg to key pair Certificate ties key pair to account ID

5 5 > Message-level protocol (2) Basic signed message is vulnerable to replay attack Use nonce and timestamp to defeat this Nonce = unique message-ID Timestamp = time of message creation Service uses nonce & timestamp to detect bad messages Rejects messages older than (say) 5 minutes Records nonces from msgs in last 5 minutes Rejects messages with duplicate nonces Nonce + timestamp travel in SOAP header WS-Security encoding again Sender signs them to avoid tampering

6 6 > Example SOAP header <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext- 1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity- utility-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">... ivo://ast.cam.ac.uk/Community/GuyRixon 4cz8rnEhdsjmcie2138ck== 2004-05-12T14:26:00+01:00

7 7 > SOAP-header example (cont.)......

8 8 > Certifcate authority (1) All X.509 certs come from a certificate authority (CA) Signs cert. Establishes link between public key and user ID There are external Cas E.g. UK e-Science CA E.g. Verisign Service provider trusts authentication process only if he/she trust the CA

9 9 > Certificate authority (2) There are problems with CAs in the IVO High-security CAs demand off-line registration Not all astronomers have access to recognized CAs Set of all relevant CAs is open… …but CA details need to be preloaded in each service How to trust CAs? However, can run own CA locally Commonly done in early grid projects Toolkits exist

10 10 > Proposal VObs community services: Registration point for users Represent real-world communities Allows user sign-on to VObs with password Issues X.509 certs in exchange for password Also handles authorization E.g. service provider authorizes whole community E.g. service provider authorized group within community

11 11 > How the credentials are passed User Portal/ Desktop app. Portal/ Desktop app. Community service Community service Service Sign in with password Issue X.509 cert. Send signed message

Download ppt "A PPARC funded project Single Sign-On Proposal Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004."

Similar presentations

What is. Digital Certificate It is an identity.

What is. Digital Certificate It is an identity.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Introduction of Grid Security

Introduction of Grid Security
Single sign-on authentication: introduction GWS-WG session, IVOA interop meeting, Kyoto, May 2005 Guy Rixon.

Single sign-on authentication: introduction GWS-WG session, IVOA interop meeting, Kyoto, May 2005 Guy Rixon.
A PPARC funded project Asynchronous Activities in SOAP services Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004.

A PPARC funded project Asynchronous Activities in SOAP services Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004.
VOStore meetings, 2005-03-07 Slide 1 Ticket-based access control for VOStore? Guy Rixon March 2005.

VOStore meetings, Slide 1 Ticket-based access control for VOStore? Guy Rixon March 2005.
25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security.

25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security.
A PPARC funded project AstroGrid Framework Consortium meeting, Dec 14-15, 2004 Edinburgh Tony Linde Programme Manager.

A PPARC funded project AstroGrid Framework Consortium meeting, Dec 14-15, 2004 Edinburgh Tony Linde Programme Manager.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
1 Authentication Applications Ola Flygt Växjö University, Sweden +46 470 70 86 49.

1 Authentication Applications Ola Flygt Växjö University, Sweden
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Kerberos and X.509 Fourth Edition by William Stallings

Kerberos and X.509 Fourth Edition by William Stallings
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

Similar presentations

Ads by Google