Presentation is loading. Please wait.

Presentation is loading. Please wait.

25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security.

Published byDominic Morrison Modified over 11 years ago

Similar presentations

Presentation on theme: "25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security."— Presentation transcript:

1 25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security 101 Matthew Graham (see teamwg mail archive) VO-friendly, Community-based Authorization Framework, Pt. 1 Ray Plante http://chart.stsci.edu/twiki/pub/Main/TechWG/CommunityAuthorizationP1.pdf A Trust Model for Security in the VO Guy Rixon http://wiki.astrogrid.org/bin/view/Astrogrid/TrustModelForVO Ray Plante NVO@NCSA Von Welch & Jim Basney NCSA Grid Security Team Mike Freemon & Randy Butler National Middleware Initiative (NMI) Grid Center

2 25 April 2005NVO Team Meeting - Tucson2 What wed like to see from interoperable security Trustworthy access to restricted resources –Proprietary data –Remote storage –CPU cycles Sufficient control and auditing by resource providers Single sign-on –User enters a username/password once per session –Can access many restricted resources in an operation from different providers –Interoperates with public (non-restricted) data and services seamlessly –Interoperability with Grid security A framework that can be leveraged by observatories –A common way to get at proprietary data –A common way to support security in portals

3 25 April 2005NVO Team Meeting - Tucson3 What wed not like to see from interoperable security A framework so cumbersome that no one uses it –Users & service providers –Why do we even need this? A hacking incident that erodes trust in the system –Were used to relying on goodwill –The VO will raise our profile to hackers

4 25 April 2005NVO Team Meeting - Tucson4 Certificate-based Security Beyond the browser: Good for grid applications –Web services talking to each other –Can handle users across administrative boundaries X.509 Certificates in wide use today –To support SSL connections –Libraries available Certificates presented at socket connection time assure identity of holder –Identities of user and service –Each end must already have copy of Certificate Authoritys certificate –Each end holds own private key; cert contains public key –handshake tests that each side has private key corresponding to public key in cert

5 25 April 2005NVO Team Meeting - Tucson5 Certificate Authorities: the root of Trust A service/user will trust a CA by acquiring the CAs public key –Public key acquired out-of-band of a user request –Benefit from a small number of CAs Recommendation: Each VO project runs its own CA –IVOA level: trust chain too hard to track Trust model to be discussed later… –Organization level: too many CAs Recommendation: Accept other established CAs from scientific community as a matter of practice –DOE, NCSA/TeraGrid –Leverage their trust model

6 25 April 2005NVO Team Meeting - Tucson6 Certificate Management User-managed certificates –User stores certificate & private key on local machine –User must load certificate into client applications e.g. web browser, Globus –User must also load certificates of trusted CAs –Often considered part of the pain of certificates Portal-managed certificates –Portal manages certificate & private key on users behalf –users dont have to know certificates are being used –Possible to pass cert to client apps when needed

7 25 April 2005NVO Team Meeting - Tucson7 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

8 25 April 2005NVO Team Meeting - Tucson8 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

9 25 April 2005NVO Team Meeting - Tucson9 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

10 25 April 2005NVO Team Meeting - Tucson10 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

11 25 April 2005NVO Team Meeting - Tucson11 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

12 25 April 2005NVO Team Meeting - Tucson12 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

13 25 April 2005NVO Team Meeting - Tucson13 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

14 25 April 2005NVO Team Meeting - Tucson14 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

15 25 April 2005NVO Team Meeting - Tucson15 Certificate Management Both certificate models will be important –Important to support portal-based management for ease of use –The savvier users will manage own certs when useful Recommendation: NVO runs the following services: –Registration service (to create certs) –Certificate Repository (MyProxy) to store certs for use with portals –A login service for use with portals –Cert Download service: for retrieving certs for local client apps Existing tools: GAMA (SDSC), PURSE (NMI)

16 25 April 2005NVO Team Meeting - Tucson16 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service

17 25 April 2005NVO Team Meeting - Tucson17 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service

18 25 April 2005NVO Team Meeting - Tucson18 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service

19 25 April 2005NVO Team Meeting - Tucson19 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service

20 25 April 2005NVO Team Meeting - Tucson20 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service

21 25 April 2005NVO Team Meeting - Tucson21 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service

22 25 April 2005NVO Team Meeting - Tucson22 Trust Model The certificate handshake –Means that… User has private key issued to Joe Astronomer Service has private key issued to Fab Storage –Useful enough in some cases Service can save per user state across sessions Will control what user can do –Did Joe give a phony name? The CA signature means that the CA has made an effort to verify the identity –How does a CA determine that users are who they say they are?

23 25 April 2005NVO Team Meeting - Tucson23 Commercial Trust Model: Thawte Weak certificates –Generic identity: name not included –Can do low trust activities (encrypt email) Strong certificates (has identity info in it): –Identity notarized by multiple somewhat- trusted peopleWeb of Trust –Point system a notary can issue up to 35 points Need 50 points to get strong cert

24 25 April 2005NVO Team Meeting - Tucson24 An Astronomical Observatory To gain access to telescope and resulting proprietary data User writes a proposal –Includes identity information: affiliation, email –Includes references to published work –Includes collaborators with references Observatory contacts PIs, Co-Is by email Proposal is evidence that they are legit. Can we leverage this process?

25 25 April 2005NVO Team Meeting - Tucson25 Building a Trust Model How do we verify identities? –someone NVO trusts tells them (out-of-band) that the user is who she says she is. –Registration Authorities: enlisting the help of existing institutions Academic departments? (akin to Shibboleth model) Observatories? –How much is enough? Faxed drivers license? Verification takes time and human involvement! –Can weak certificate enable some activity requiring less trust? Allows user to get started right away! Need trusted system to issues certs to services –So that users can trust services to behave with their ID –Can build on trust model for users

26 25 April 2005NVO Team Meeting - Tucson26 Authorization Authorization policies tend to be service specific –Provider will want to control whos allowed to do what –Expect observatories to centralize authorization management –Authorization policies assigned to groups Observatory: groups defined on the proposal level Groups defined around archive-based research Recommendation: Leave authorization management to service providers. No interoperable standards are needed at this time

27 25 April 2005NVO Team Meeting - Tucson27 Three models for handling authorization Map external identities to internal accounts –One account per group, groups define set of authorization policy (coming up next from Neha!) Call out: –User accesses service with personal cert –Service calls out to authorization database to retrieve privileges associated with user –Service tests user request against policies Certificate wrapping (Globus CAS): –User visits authorization database with personal cert, gets back proxy cert with policies encoded inside (using SAML) –User presents proxy cert to service –Service test user request against policies –Good for portal-based access but inconvenient for outside clients

Download ppt "25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
A PPARC funded project Single Sign-On Proposal Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004.

A PPARC funded project Single Sign-On Proposal Guy Rixon IVOA Interoperability Meeting Cambridge MA, May 2004.
Single sign-on authentication: introduction GWS-WG session, IVOA interop meeting, Kyoto, May 2005 Guy Rixon.

Single sign-on authentication: introduction GWS-WG session, IVOA interop meeting, Kyoto, May 2005 Guy Rixon.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.

National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.
8 September 2008NVO Summer School 2008 – Santa Fe1 Publishing Data and Services to the VO Ray Plante Gretchen Greene T HE US N ATIONAL V IRTUAL O BSERVATORY.

8 September 2008NVO Summer School 2008 – Santa Fe1 Publishing Data and Services to the VO Ray Plante Gretchen Greene T HE US N ATIONAL V IRTUAL O BSERVATORY.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Similar presentations

Ads by Google