Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.

Published byTracy Spencer Modified over 9 years ago

Similar presentations

Presentation on theme: "Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center."— Presentation transcript:

1 Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center

2 December 13, 20022: Virtual Smart Card Enmeshed Private Keys Premise: Private keys and users don’t mix Inherently insecure model No guarantee of good or any password choice No guarantee of secure private key location E.g., users store keys in network based file systems No guarantee how private key was handled E.g., users copy/e-mail keys to remote machines & leave them cannot User managed keys cannot be trusted

3 December 13, 20023: Virtual Smart Card Solitary Private Keys Premise: Never give a user their private key Can’t mishandle something you don’t have stronger Can provide a stronger security guarantee Signed cert as secure as institution’s accounts Must provide agent-based key handling E.g., smart cards

4 December 13, 20024: Virtual Smart Card Virtual Smart Card (vsc) Premise: Physical smart cards (psc) in software vsc’s have a 1-to-1 concept correspondence to psc’s ConceptPhysicalVirtual ProcurementPurchase/downloadRequest/generate PossessionPhysicalAuthentication OperationsIndirect Tamper protectionSelf-destructRestricted access Theft protectionSettable pinSettable password

5 December 13, 20025: Virtual Smart Card VSC Conceptualization A vsc is implemented using a secure, access restricted server One server holds many user’s private keys Hence, one server instantiates many vsc’s Can be well secured Restricted physical access Cages, keyed room, etc. Restricted logical access Only three access protocols needed: dns, ntp, and vsc Keys can be encrypted via user-supplied passwords

6 December 13, 20026: Virtual Smart Card VSC Procurement 1. Ask for a cert 2. Generate keys and send cert request 3. E-mail cert url User never sees the private key! CA 4. Download CA signed public cert* *When available on 1 st request or automatic poll.

7 December 13, 20027: Virtual Smart Card VSC Operation (vsc-proxy) 2. Generate proxy public/private key Sign proxy cert 3. Sign proxy cert Private key never sees the network! Get public cert 1. Get public cert Externally authenticated Externally authenticated (e.g., Kerberos)

8 December 13, 20028: Virtual Smart Card VSC Theft Protection 1. Generate key-string from a strong user password Send encrypted key-string 2. Send encrypted key-string Externally authenticated Externally authenticated (e.g., Kerberos) 3. Encrypt user’s x509 private key and discard key-string User must now supply key-string for vsc to use private key

9 December 13, 20029: Virtual Smart Card VSC Advantages I Simple and effective Models well-known physical object -- smart card Initial certificate request is trivial Private keys never exposed Can be further encrypted by user Can get proxy cert anywhere in the world No need to copy public/private keys

10 December 13, 200210: Virtual Smart Card VSC Advantages II Can provide special extensions EDG VOM extensions (natural fit) Can provide special always-on services Perhaps proxy cert revalidation stronger Can provide stronger security guarantee Signed cert as secure as institution’s accounts

11 December 13, 200211: Virtual Smart Card VSC Disadvantages Private keys are concentrated Can be user-encrypted Similar problem in Kerberos May violate current CA CP/CPS Political vs. practical reality No more secure than external authentication Need good authentication (e.g., K5)

12 December 13, 200212: Virtual Smart Card Conclusion Virtual Smart Cards effective Simple, relatively transparent, secure Provides a path to more stringent security Physical smart cards Simplify user’s lives Ease of use reduces security lapses Promotes a congenial grid security environment!

Download ppt "Virtual Smart Card Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Andrew File System CSS534 ZACH MA. History  Originated in October 1982, by the Information Technology Center (ITC) formed with Carnegie Mellon and IBM.

Andrew File System CSS534 ZACH MA. History  Originated in October 1982, by the Information Technology Center (ITC) formed with Carnegie Mellon and IBM.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Credential Repositories in an Interprise Environment Bob Cowles Stanford Linear Accelerator Center 27 January 2003 Work supported by U. S. Department of.

Credential Repositories in an Interprise Environment Bob Cowles Stanford Linear Accelerator Center 27 January 2003 Work supported by U. S. Department of.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.

Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.

About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
1 Authentication Protocols Celia Li Computer Science and Engineering York University.

1 Authentication Protocols Celia Li Computer Science and Engineering York University.

Similar presentations

Ads by Google