MyProxy: A Multi-Purpose Grid Authentication Service

1 MyProxy: A Multi-Purpose Grid Authentication Service
Jim Basney, Senior Research Scientist, NCSA

2 What is MyProxy?
- A service for managing X.509 PKI credentials: a credential repository and certificate authority
  - An Online Credential Repository: issues short-lived X.509 Proxy Certificates; long-lived private keys never leave the server
  - An Online Certificate Authority: issues short-lived X.509 End Entity Certificates
- Supports multiple authentication methods: passphrase, certificate, PAM, SASL, Kerberos
- Open source software
  - Included in Globus Toolkit, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBNL, and others
WCGA 2006

3 MyProxy Logon
- Authenticate to retrieve PKI credentials:
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs updated automatically at login

4 MyProxy Authentication
- Key passphrase
- X.509 certificate (used for credential renewal)
- Pluggable Authentication Modules (PAM): Kerberos password, One Time Password (OTP), Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL): Kerberos ticket (SASL GSSAPI)

5 MyProxy Online Certificate Authority
- Issues short-lived X.509 End Entity Certificates
- Leverages MyProxy authentication mechanisms; compatible with existing MyProxy clients
- Ties in to site authentication and accounting
  - Using PAM and/or Kerberos authentication
  - Map username to certificate subject via "gridmap" file or LDAP query
- Avoids the need for long-lived user keys
- Server can function as both CA and repository: issues a certificate if no credentials for the user are stored

6 MyProxy Online Credential Repository
- Stores X.509 End Entity and Proxy credentials
  - Private keys encrypted with user-chosen passphrases
  - Credentials may be stored directly or via proxy delegation
  - Users can store multiple credentials from different CAs
- Access to credentials controlled by user and administrator policies
  - Set authentication requirements
  - Control whether credentials can be retrieved directly or if only proxy delegation is allowed
  - Restrict lifetime of retrieved proxy credentials
- Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.

7 Talk Outline
- MyProxy Introduction
- PKI Introduction and MyProxy CA
- Proxy Certificates and MyProxy Repository
- MyProxy Scenarios: Administratively Loaded Credentials; Registration Portals; Web Portal Authentication and Delegation; Password-based Delegation; Credential Renewal; Web Single Sign-On (SSO)
- Demos
- Conclusion

8 PKI Overview
- Public key cryptography
  - Sign with private key, verify signature with public key
  - Encrypt with public key, decrypt with private key
- Key distribution: who does a public key belong to?
  - A Certification Authority (CA) verifies the user's identity and signs a certificate
  - A certificate is a document that binds the user's identity to a public key
- Authentication: Signature[ h( random, ... ) ]
- Diagram: the CA certificate (Issuer: CA, Subject: CA) signs the user certificate (Issuer: CA, Subject: Jim)

9 PKI Authentication
- Standard SSL/TLS protocol (summarized):
  - Client -> Server: random_c
  - Server -> Client: certificate_s + random_s
  - Client -> Server: certificate_c + { secret }pubkey_s + signature_c[ h( random_c, random_s, ... ) ]
  - Both sides then exchange { h( secret ) }secret

10 PKI Enrollment
- Diagram (Applicant and CA):
  1. Applicant generates a new key pair
  2. Certificate request sent to the CA
  3. CA signs a new end entity certificate
  4. Signed user certificate returned to the applicant

11 MyProxy CA with PAM
- Diagram: Client, MyProxy Server (gridmap, PAM, CA key), RADIUS Server, Kerberos KDC, LDAP Server, Grid Service
- Reading: the client completes a TLS handshake and sends its password; the MyProxy server checks the password through PAM against a RADIUS server or a Kerberos KDC (obtaining a TGT), maps the username to a certificate subject via the gridmap file or an LDAP DN lookup, and signs the certificate request for the client-generated keypair with the CA key; the client then presents the resulting X.509 certificate to the Grid Service

12 MyProxy CA with Kerberos
- Diagram: Client, MyProxy Server (gridmap, SASL, CA key), Kerberos KDC, LDAP Server, Grid Service
- Reading: the client authenticates over the TLS handshake with a Kerberos ticket via SASL/GSSAPI (the server validates it with the Kerberos KDC), the server maps the username to a certificate subject via the gridmap file or an LDAP DN lookup and signs the certificate request for the client-generated keypair with the CA key; the client then presents the X.509 certificate to the Grid Service

13 PAM/SASL Issues
- PAM conversation
  - PAM modules can require multiple rounds of user interaction
  - No standard protocol; SASL/PLAIN doesn't support multiple rounds
  - Need something like the SSH keyboard-interactive protocol
- SASL client-side setup
  - Requires SASL library and configuration of SASL mechanisms
  - Alternative: native Kerberos protocol support

14 Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  - Restricted lifetime in the certificate limits the vulnerability of the unencrypted key
- Credential delegation (forwarding) without transferring private keys
- Diagram: CA signs User; User signs Proxy A; Proxy A signs Proxy B

15 Proxy Delegation
- Diagram (Delegator and Delegatee):
  1. Delegatee generates a new key pair
  2. Proxy certificate request sent to the delegator
  3. Delegator signs a new proxy certificate
  4. Proxy certificate returned to the delegatee
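The enrollment of slides 8 and 10 and the delegation of slides 14 and 15 carried through in working code, as an added Go example that is not part of the original presentation or of the MyProxy software: a CA signs a short-lived end entity certificate for a constructed user, the user's own non-CA key then signs a proxy certificate for a key pair the delegatee generated, the proxy lifetime is clamped by the slide 6 repository policy, and a checker applies the RFC 3820 rules (subject = issuer plus one CN, critical ProxyCertInfo, nested validity, signature by the delegator) that ordinary X.509 path validation cannot express, since it rejects any issuer without cA=true. The ProxyCertInfo and id-ppl-inheritAll OIDs are the ones RFC 3820 defines; the organization and user names, the P-256 keys, the 11-hour user certificate and the 12-hour policy maximum are assumptions made for the demonstration. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"reflect"
	"time"
)

var (
	oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14} // RFC 3820 id-pe-proxyCertInfo
	oidPPLInheritAll = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1} // RFC 3820 id-ppl-inheritAll
	oidCommonName    = asn1.ObjectIdentifier{2, 5, 4, 3}                // X.520 commonName
	serialCounter    int64                                              // toy serial source; real CAs use random serials
)
type proxyPolicy struct{ PolicyLanguage asn1.ObjectIdentifier }
type proxyCertInfo struct{ ProxyPolicy proxyPolicy } // pCPathLenConstraint omitted

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey is the "generate new key pair" step (P-256 for brevity; grid deployments used RSA).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// template is a minimal end-entity (cA=false) template; callers adjust it for CA or proxy use.
func template(subject pkix.Name, now time.Time, lifetime time.Duration) *x509.Certificate {
	serialCounter++
	return &x509.Certificate{SerialNumber: big.NewInt(serialCounter), Subject: subject, NotBefore: now,
		NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
}

// sign is the "sign new certificate" step: the parent's key certifies pub under tmpl.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// issueProxy is delegation (slides 14, 15): the delegatee generated proxyPub; the delegator signs it with its
// own non-CA key. RFC 3820: subject = delegator's subject RDNs + one CN, critical ProxyCertInfo; the lifetime
// is clamped to the request, the server maximum (slide 6 policy) and the delegator's remaining validity.
func issueProxy(delegator *x509.Certificate, delegatorKey *ecdsa.PrivateKey, proxyPub *ecdsa.PublicKey, requested, policyMax time.Duration, now time.Time) *x509.Certificate {
	life := requested
	for _, limit := range []time.Duration{policyMax, delegator.NotAfter.Sub(now)} {
		if limit < life {
			life = limit
		}
	}
	pci, err := asn1.Marshal(proxyCertInfo{proxyPolicy{oidPPLInheritAll}})
	must(err)
	t := template(pkix.Name{}, now, life) // subject is set raw: pkix.Name.ExtraNames would replace the delegator's CN
	t.RawSubject, err = asn1.Marshal(append(delegator.Subject.ToRDNSequence(), pkix.RelativeDistinguishedNameSET{{Type: oidCommonName, Value: t.SerialNumber.String()}}))
	must(err)
	t.ExtraExtensions = []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pci}}
	return sign(t, delegator, proxyPub, delegatorKey)
}

// verifyProxy does the RFC 3820 checks a stock X.509 verifier cannot (it rejects any issuer without cA=true):
// issuer is the delegator, subject is the delegator's attributes plus one CN, ProxyCertInfo is critical,
// validity nests inside the delegator's, and the delegator's key made the signature.
func verifyProxy(proxy, delegator *x509.Certificate, now time.Time) error {
	names, base := proxy.Subject.Names, delegator.Subject.Names // parsed attributes in DER order
	if string(proxy.RawIssuer) != string(delegator.RawSubject) || len(names) != len(base)+1 ||
		!reflect.DeepEqual(names[:len(base)], base) || !names[len(base)].Type.Equal(oidCommonName) {
		return errors.New("proxy issuer/subject do not match the delegator's subject plus one CN")
	}
	critical := false
	for _, e := range proxy.Extensions {
		critical = critical || (e.Id.Equal(oidProxyCertInfo) && e.Critical)
	}
	if proxy.IsCA || !critical || now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) ||
		proxy.NotAfter.After(delegator.NotAfter) {
		return errors.New("proxy claims cA=true, lacks a critical ProxyCertInfo, or is outside its validity")
	}
	return delegator.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature)
}

// buildChain is the whole story: CA enrollment (slides 8, 10), a short-lived end entity certificate for a
// constructed user as the MyProxy CA would issue it, then one proxy delegated from it.
func buildChain(now time.Time, requested, policyMax time.Duration) (ca, user, proxy *x509.Certificate) {
	caKey, userKey, proxyKey := newKey(), newKey(), newKey() // the delegator's private key never travels
	ct := template(pkix.Name{Organization: []string{"Example Grid"}, CommonName: "Example Grid CA"}, now, 87600*time.Hour)
	ct.IsCA, ct.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	ca = sign(ct, ct, &caKey.PublicKey, caKey)
	user = sign(template(pkix.Name{Organization: ct.Subject.Organization, CommonName: "grid-user"}, now, 11*time.Hour), ca, &userKey.PublicKey, caKey)
	return ca, user, issueProxy(user, userKey, &proxyKey.PublicKey, requested, policyMax, now)
}
```

With 24 h requested, a 12 h policy maximum and 11 h left on the user certificate, buildChain yields an 11-hour proxy. Handing the proxy to crypto/x509's own Verify fails on the non-CA issuer and the unhandled critical ProxyCertInfo extension, which is exactly why grid software has to carry a proxy-aware check like verifyProxy next to normal path validation.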

16 MyProxy Put
- Diagram (Client and MyProxy Server): TLS handshake authenticated with the client's certificate; the client sends username, password and policy; the server generates a keypair and returns a certificate request; the client signs it and sends back the proxy certificate chain; the server stores the private key and cert chain

17 MyProxy Get
- Diagram (Client, MyProxy Server, Grid Service): TLS handshake; the client sends username and password, generates a keypair and sends a certificate request; the server signs it with the stored private key and returns a proxy certificate chain; the client authenticates to the Grid Service with the resulting X.509 credential (private key plus cert chain)

18 MyProxy Store
- Diagram (Client and MyProxy Server): TLS handshake authenticated with the client's certificate; the client sends username and policy and uploads the certificate and private key directly; the server stores them

19 MyProxy Retrieve
- Diagram (Client, MyProxy Server, Grid Service): TLS handshake; the client sends username and password; the server returns the stored private key and certificate chain directly; the client authenticates to the Grid Service with the X.509 credential

20 Administratively Loaded Credentials
- Diagram (Certificate Authority, MyProxy Server, Client, Grid Service): the CA issues the user's certificate and private key, which are loaded into the MyProxy server administratively; the user's client later performs a MyProxy get (TLS handshake, username, password, certificate request, proxy certificate chain returned) and authenticates to the Grid Service with the X.509 proxy credential

21 User Registration Portal
- Diagram (Browser, Registration Portal with User DB, Certificate Authority, MyProxy Server, Client, Grid Service): the user registers from a browser at the Registration Portal (TLS handshake, username and password recorded in the User DB); the portal obtains a certificate from the Certificate Authority and stores the certificate and private key in the MyProxy server under the username; the user's client then performs a MyProxy get (TLS handshake, username, password, certificate request, proxy certificate chain returned) and authenticates to the Grid Service with the X.509 proxy credential

22 Gateway Portal
- Diagram (Browser, Portal with User DB and its own cert and key, Grid Service): the browser authenticates to the portal over a TLS handshake with username and password checked against the User DB; the portal accesses the Grid Service via X.509 with its own certificate and key, not with per-user credentials

23 Trusted Portal
- Diagram (Browser, Portal with User DB and Portal cert/key, MyProxy, Grid Service): the browser authenticates to the portal over a TLS handshake with username and password checked against the User DB; the portal authenticates to MyProxy with its own Portal certificate, names the user (username) and sends a cert request; MyProxy returns the user's proxy certificate, with which the portal accesses the Grid Service via X.509

24 Password-based Portal Authentication
- Diagram (Browser, Portal, MyProxy, Grid Service): the browser sends username and password to the portal over a TLS handshake; the portal forwards the username and password to MyProxy with a cert request; MyProxy returns the user's proxy certificate (the portal holds the cert and key), with which the portal accesses the Grid Service via X.509

25 Password-based Delegation
- Diagram (Delegator, Delegatee, MyProxy): the delegator, holding its certificate and private key, stores a credential in MyProxy under its username with a random password (TLS handshake, username, password_random, certificate request, certificate chain); it passes the username and random password to the delegatee; the delegatee authenticates to MyProxy over TLS with them, sends its own certificate request and receives a proxy certificate for its private key

26 Password-based Renewal
- Diagram (Client, Condor-G, GRAM Gatekeeper, Job, MyProxy): the client submits a job to Condor-G together with a proxy and its MyProxy password; Condor-G starts the job through the GRAM Gatekeeper with the proxy; before the proxy expires, Condor-G uses the password to obtain a fresh proxy from MyProxy and forwards it to the running job

27 Certificate-based Renewal
- Diagram (Client, Workload Management Service, Renewal Service with its own cert and key, Condor-G, GRAM Gatekeeper, Job, MyProxy with policy): the client submits a job with a proxy through the Workload Management Service and Condor-G to the GRAM Gatekeeper; the Renewal Service authenticates to MyProxy with its own X.509 certificate (slide 4: certificate authentication is used for credential renewal), MyProxy applies its policy and returns a renewed proxy, which is passed down to the running job

28 MyProxy and Web SSO
- Diagram (PURSE, Pubcookie Login Server, Browser, Portal A, Portal B, MyProxy, Grid Service): the user's password is registered through PURSE with MyProxy and the Pubcookie Login Server; the browser logs in once with the password at the Pubcookie Login Server and receives a cookie, which it presents to Portal A and Portal B; each portal obtains the user's certificate from MyProxy and accesses the Grid Service via X.509

29 SSO for Browser and Application
- Diagram (Browser, Portal, JWS, Application, MyProxy Server, Grid Service): the browser authenticates to the portal and receives a cookie; the portal launches the application via Java Web Start (JWS), passing the cookie; the application presents the cookie to the MyProxy Server to obtain a certificate and accesses the Grid Service via X.509

30 SSO for Browser and Application
- Diagram (Browser, Portal, JWS, Application, MyProxy Server, Grid Service): as on slide 29, but after the browser authenticates, the portal stores the user's certificate in the MyProxy Server under a random password (password_random) and passes that random password through Java Web Start (JWS) to the application, which uses it to obtain the certificate from the MyProxy Server and accesses the Grid Service via X.509

31 Demonstrations

32 Conclusion
- MyProxy: A Multi-Purpose Grid Authentication Service
  - Used in many delegation and single sign-on scenarios
- MyProxy provides practical authentication solutions
  - Minimize changes to existing software and protocols
  - Leverage community standards: PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
- Active MyProxy open source community
  - Deploy new developments via MyProxy
  - Benefit from the work of others

33 Thank you! Obrigado! (Portuguese: thank you)

