Presentation is loading. Please wait.

Presentation is loading. Please wait.

NCSA CyberSecurity Research and Development

Published byKathlyn Merritt Modified over 9 years ago

Similar presentations

Presentation on theme: "NCSA CyberSecurity Research and Development"— Presentation transcript:

1 NCSA CyberSecurity Research and Development http://security.ncsa.uiuc.edu/research/

2 National Center for Supercomputing Applications NCSA Security Research and Development Part of National Center for Supercomputing Applications at the University of Illinois Ten person team of researchers and developers Funding from NSF and ONR Lead for the National Center for Advanced Secure Systems Research –www.ncassr.org Part of University of Illinois Information Trust Institute –www.iti.uiuc.edu

3 National Center for Supercomputing Applications NCSA Security R&D Projects Overview Technology R&D SELS - Secure Email Lists Mithril - Adaptive Security for Collaborative Computing FLAIM - Log Anonymization MyProxy - Credential Management SSH Key Management GridShib - Identity Federtation for Grids TCIP - Trusted CyberInfrastructure for the Power Grid Applied Security ITTF - Illinois Terrorism Task Force Credentialing Project Security for CyberEnvironments –MAEVis, Astronomy

4 National Center for Supercomputing Applications SELS: A Secure Email List Service Provides message-level security for emails exchanged on mailing lists –Confidentiality, Integrity, and Authentication Minimally trusted List Server –Novel feature: List Server does not get access to email plaintext –Proxy encryption techniques enable transformation of ciphertext Development with COTS and open-source components –Integrated with GnuPG on subscriber side; no need for software installation –Integrated with Mailman on server side with easy installation and setup Use Case Scenarios: Lists of –System administrators exchanging emails for infrastructure protection and incident response –Healthcare researchers exchanging emails on sensitive data URL: http://sels.ncsa.uiuc.edu; contact: hkhurana@ncsa.uiuc.edu

5 National Center for Supercomputing Applications IB-MKD: Identity Based Message Key Distribution for Secure Email Provides encryption for emails –Novel feature: No long term public keys for end users –Knowledge of email address sufficient for encryption Domain Based Administration –Trusted Key Distribution Center (KDC) distributes message keys to domain users Leverages DNS for key distribution –KDC public keys distributed via DNS using Yahoo’s domainkey technology S/MIME based implementation –Minor modifications to S/MIME using Java/Bouncycastle library URL: http://www.ncsa.uiuc.edu/People/hkhurana/IWAP06.pdf Contact: {hkhurana, jbasney}@ncsa.uiuc.edu

6 National Center for Supercomputing Applications MITHRIL Collaboration between NCSA, PNNL, NRL CCS Development of mechanisms for adaptable security for open, collaborative computing systems Maximize usability while allowing rapid, automated response to security incidents Four sub-components: –Credentials Management, SELS See slides elsewhere –Continuous Mouse Biometrics –Intrusion Detection and Response system Contact: Von Welch vwelch@ncsa.uiuc.eduvwelch@ncsa.uiuc.edu http://www.ncsa.uiuc.edu/People/hkhurana/WENS06.pdf

7 National Center for Supercomputing Applications Mithril: Computer Mouse Biometrics Project lead by PNNL Detects unauthorized users at console by building profile of authorized user’s biometric mouse movement patterns Can analyze and detect changes in pattern in near-real time Contact: Doug Schultz douglas.schulz@pnl.gov

8 National Center for Supercomputing Applications Mithril: Intrusion Detection and Response System Detect, correlate and respond to incidents Differentiate between isolated incidents and sustained attacks Built from open-source components: –Prelude, SEC, cfEngine TattleTale: NCSA- developed process monitoring system to detect illicit privileged access

9 National Center for Supercomputing Applications Network/System/Audit Log Anonymization NCSA produces ~5 GBytes of logs per day. Real-world logs are useful for investigations, education, testing of tools, and network/security research. However, real-world logs often contain sensitive information. –Privacy issues exist for both the individual users and the organization. –Network topology could be useful to attackers. –Services running on machines and trust relationships between systems could be useful to attackers.

10 National Center for Supercomputing Applications FLAIM – Framework for Log Anonymization and Information Management Solution – Anonymization to meet the needs of both parties –Data owner is concerned with privacy/security –Analyst is concerned with information loss –FLAIM has a rich policy language expressive enough to often define policies that meet needs of both E.g., one can obscure IP addresses, but preserve the subnet structure for networking researchers FLAIM is very flexible –Modular, allowing I/O modules for multiple logs to be built –Plethora of anonymization primitives to apply to many fields http://flaim.ncsa.uiuc.edu/flaim.html

11 National Center for Supercomputing Applications FLAIM – Into the future Analyze trade-offs between information loss and privacy –Create a metric of log utility and analyze effect of anonymization on metric. –Create a metric of the strength of an anonymization scheme. We can move beyond computer/network logs –Reuse the anonymization engine and policy engine, a.ka. FLAIM-Core. –Module API is flexible enough to support any data in a record/field format.

12 National Center for Supercomputing Applications Credential Management Users are poor at managing electronic credentials such as digital keys Hardware tokens are one solution –But not always available –E.g. different system platforms in science communities Credential Management allows for these credentials to be managed for the user –By profession IT staff in secure machine rooms –Provide control and monitoring over credential use

13 National Center for Supercomputing Applications Open Source software for managing PKI credentials –Online CA issues short-lived certificates –Online credential repository securely stores PKI credentials –Supports many authentication methods: passphrase, certificate, PAM, SASL, Kerberos, OTP –Integrates with job managers for automated credential renewal –Distributed in Globus Toolkit, VDT, NMI, CoG Kits, TG CTSS, and Univa Globus Enterprise MyProxy on TeraGrid –MyProxy CA provides certificates to users via User Portal Login –User Portal and Ticket System use MyProxy authentication –MyProxy integrates with Science Gateway web portals For more information –http://myproxy.ncsa.uiuc.edu/ –Contact: jbasney@ncsa.uiuc.edu MyProxy Used by TeraGrid LCG FusionGrid PRAGMA EGEE ESG LNCC CCG OSG and others…

14 National Center for Supercomputing Applications Secure Shell Key Management Secure Shell (SSH) is common way to access high-end resources at NCSA User managed RSA keys a common, easy authentication mechanism But these keys get easily stolen, shared Solution: Manage RSA keys centrally, allow user access through standard SSH Remote Agent protocol and tools Contact: jbasney@ncsa.uiuc.edu

15 National Center for Supercomputing Applications SSH Key Management SSH Key Server Maintains private RSA keys Client Authenticates via site mechanisms e.g. Kerberos, OTP Client accesses private RSA key via ssh-agent Public Key Distribution RSA-authenticated access Compute Resource

16 National Center for Supercomputing Applications GSI-OpenSSH Modified version of OpenSSH supporting X.509 authentication and proxy delegation –Provides a single sign-on remote login and file transfer service –Included in Globus Toolkit, VDT, NMI, TG CTSS Standards-based –RFC 3820: X.509 Proxy Certificates –RFC 4462: GSSAPI for SSH For more information: –http://grid.ncsa.uiuc.edu/ssh/ –Contact: jbasney@ncsa.uiuc.edu Used by TeraGrid UK NGS NRC Canada LSC DataGrid INRIA NMI B&T TIGRE and others…

17 National Center for Supercomputing Applications NCASSR PKI Testbed Equipment: –Servers, laptops, workstations, and PDAs –Contact and contactless smartcards and readers –Secure co-processors for credential servers –Fingerprint readers Supporting: –ITTF smartcard credentialing project –Hardware-secured credential repositories –Smartcard authentication for grids and HPC For more information: –http://pkilab.ncsa.uiuc.edu/ –Contact: jmuggli@ncsa.uiuc.edu

18 National Center for Supercomputing Applications Trusted CyberInfrastructure for Power Grids (TCIP) NSF CyberTrust center at Illinois Trust Institute –Additional funding from DOE, DHS –Partners: Dartmouth, Washington State, Cornell Addressing security challenges motivated by our national power grid http://tcip.iti.uiuc.edu

19 National Center for Supercomputing Applications TCIP: Emergency Credentialing and Authorization (NCSA Focus) Real-time power grid operations requires real-time data access to understand and prevent system faults But, day-to-day data access regulated by policy and competition Solution is to allow for short-term credentialing of operators to allow for emergency authorization for data access –Combine with strong auditing for post-emergency validation Investigate methods for determining when emergency occurs and proper changes to authorization policy to allow for prevention of system failure Contact: {vwelch,hkhurana}@ncsa.uiuc.edu

20 National Center for Supercomputing Applications GridShib: Grid-Shibboleth Integration Integration of Internet2’s Shibboleth with Computational Grids via the Globus Toolkit Allow for use of Campus Identity Management for Grid Authentication and Authorization –Allow leveraging of Shibboleth software and deployments to support Grids –Utilizing Web Services security standards (SAML) Contact: Von Welch vwelch@ncsa.uiuc.edu http://gridshib.globus.org

21 National Center for Supercomputing Applications NCASSR CyberCrime Investigation Environment CyberCrime incidents typically span multiple systems, domains and even continents Investigative teams comprise multiple individuals from multiple sites and have complex data management and analysis requirements

22 National Center for Supercomputing Applications NCASSR CyberCrime Investigation Environment We are developing a environment to facilitate this distributed investigations Includes facilities for data management, anonymization, sharing and analysis Plus components for collaboration All contained in a secured collaboration environment Contact: {rbutler,vwelch}@ncsa.uiuc.edu

23 National Center for Supercomputing Applications American Red Cross Associated Fire Fighters of Illinois FBI Illinois Governor’s Office Illinois State Police U.S. Attorney’s Office FEMA (Region V) Illinois Terrorism Task Force http://www.illinois.gov/security/ittf/ Mission –Created May 2000 to implement a comprehensive coordinated strategy for domestic preparedness in the state of Illinois, bringing together agencies, organizations, and associations representing all disciplines in the war against terrorism. Members include:

24 National Center for Supercomputing Applications ITTF Credentialing Project Goal: Pre-issue credentials to incident responders for identification and tracking at the incident perimeter –Smartcards printed with photo ID –Electronic authentication includes: Fingerprint biometric Identity certificate issued by State of Illinois PKI –Cross-certified with Federal Bridge CA Signed certifications (team, weapons, hazmat) +

25 National Center for Supercomputing Applications UIC ITTF Credentialing Project 5,000 initial credentials for pilot project Plan to grow to 100,000 credentials –Every Illinois firefighter, police officer, EMT –Pre-certified volunteers (Red Cross, etc.) Designed for general-purpose use state-wide –Secure building and computer system access –Interoperability with Federal standards Partners: Contact: jbasney@ncsa.uiuc.edu

26 National Center for Supercomputing Applications Astronomy (LSST / NVO / DES) Communities: LSST, NVO, DES, IVOA, NOAO, NRAO, STSCI Need: Grid Security Solution for a Portal Environment Distinguishing Features/Requirements –Inter-DNS-Domain Single Sign-On (SSO) Across Portals –Interoperability Across Multiple Grid Security Domains –Limit Trust of Portal Servers –Preserve Options/Flexibility for Power Users Our Work –Security Architecture for Astronomy Community –Implementation of Working Prototype Key Software Components Used –MyProxy, Pubcookie, PURSe Contact: mfreemon@ncsa.uiuc.edu

27 National Center for Supercomputing Applications MAEViz Portal Single Sign-on Complex environment with web portal (Sakai), java web start applications and back- end services Provided Grid-enabled single sign-on based on MyProxy across all components http://grid.ncsa.uiuc.edu/papers/sws-myproxy-jws.pdf

28 National Center for Supercomputing Applications Security for Large Collaborative Compute Infrastructures (LCCIs) Provides a set of requirements for securing LCCIs –Example LCCIs: TeraGrid, LHC Grid, GENI Risk and threat analysis –Identification of unique and magnified threats to LCCIs Exploration of security policies and procedures –Prevention, detection, and response –Collaboration among sites crucial for security Identification of requirements –Security architecture, agreements, implementation plan, management authority URL: http://www.ncsa.uiuc.edu/People/hkhurana/TrustColFinal.pdf; contact: {hkhurana, jbasney, vwelch}@ncsa.uiuc.edu

29 National Center for Supercomputing Applications Software Protection Adoptability Study ITI and SAIC are working with the Software Protection Center (SPC) at Wright-Patterson Air Force Base to study how use of software protection technology may affect work-flow, and impact adoptability of that technology by its targeted customers. This project is funded through the Software Protection Initiative, whose mission is to prevent the unauthorized distribution and exploitation of application software critical to national security. Contact: vwelch@ncsa.uiuc.edu

Download ppt "NCSA CyberSecurity Research and Development"

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Authentication & Kerberos

Authentication & Kerberos
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
1/13/05NCASSR PNNL Visit1 Security Tools Area Overview, Credential Management Services, and the PKI Testbed Jim Basney Senior Research Scientist

1/13/05NCASSR PNNL Visit1 Security Tools Area Overview, Credential Management Services, and the PKI Testbed Jim Basney Senior Research Scientist
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Understanding Active Directory

Understanding Active Directory
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Milos Kobliha Alejandro Cimadevilla Luis de Alba Parallel Computing Seminar GROUP 12.

Milos Kobliha Alejandro Cimadevilla Luis de Alba Parallel Computing Seminar GROUP 12.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
Public Key Infrastructure from the Most Trusted Name in e-Security.

Public Key Infrastructure from the Most Trusted Name in e-Security.

Similar presentations

Ads by Google