UPKI Inter-University Authentication and Authorization Platform for Japanese Cyber-Science Infrastructure Yasuo OKABE Academic Center for Computing and Media Studies, Kyoto University
Information Infrastructure Centers in the Seven Universities in JAPAN
- Hokkaido University Information Initiative Center (Sapporo)
- Tohoku University Information Synergy Center (Sendai)
- University of Tokyo Information Technology Center (Tokyo)
- Nagoya University Information Technology Center (Nagoya)
- Kyoto University Academic Center for Computing and Media Studies (Kyoto)
- Osaka University Cybermedia Center (Osaka)
- Kyushu University Computing and Communications Center (Fukuoka)
- National Institute of Informatics (NII)
Brief history of the federation among the Centers
- Established as supercomputer centers for nation-wide service
- 1981: Connected by commercial X.25 service
- 1986: Dedicated interuniversity X.25 network service was started by NACSIS (predecessor of NII)
- 1988: JAIN (Japan Academic Inter-university Network) project started (IP over X.25)
- SINET, the academic Internet backbone service, was started by NACSIS
- 2002: Operation of SuperSINET was started
- 2003: NAREGI (National Research Grid Initiative) project started
- 2004: Federated Identity Management: unified ID, online subscription to secondary centers
NII: Toward Cyber-Science Infrastructure
Next-generation Academic Information Infrastructure for Interuniversity Collaboration
- SINET/SuperSINET: National Academic Internet Backbone
- UPKI: Authentication and Authorization Platform
- NAREGI (National Research Grid Initiative)
- NII-REO (Repository of Electronic Journals and Online Publications)
- GeNii (Global Environment for Networked Intellectual Information)
- Fundamental Resources for Academic and Research Activities
- Education and Training / Encouraging Young Talent
- Cooperation with Industry
- International Collaboration
UPKI: concept
Authentication and Authorization platform for Cyber-Science Infrastructure in Japan
Targets various applications:
- SSO of Web services
- Network services: wireless LAN roaming, VPN, public IP phone/Web terminals
- Grid computing
- Utilization of PKI
UPKI: project member
NII SINET Headquarters, Authentication and Authorization Working Group
- Yasuo Okabe, Kyoto University (chair)
- Noboru Sonehara, NII (vice chair)
- Yoshiaki Takai, Hokkaido University
- Hideaki Sone, Tohoku University
- Hiroyuki Sato, University of Tokyo
- Yasushi Hirano, Nagoya University
- Shinji Shimojo, Osaka University
- Takahiro Suzuki, Kyushu University
- Satoshi Matsuoka, Tokyo Institute of Technology
- Setsuya Kawabata, KEK
Authentication for campus wireless LAN (figure): Prof. A registers with the Hokkaido Univ. registrar; the campus PKI issues a certificate (the public key certificate is kept in the repository, the private key on a PKI token); the campus wireless AP performs authentication and authorization on the campus LAN with mutual authentication. When Prof. A visits another university, the roaming service again relies on mutual authentication, with the Bridge CA and policy mapping linking the two universities' CAs.
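The figure above rests on one mechanism: a relying party at the visited university trusts only its own CA, and it can accept a certificate issued by the home university's CA only because both CAs have cross-certified with the Bridge CA. The following Go program is an added example, not code from the UPKI project or NAREGI CA: it builds three hypothetical in-memory CAs ("Hokkaido Univ. CA", "UPKI Bridge CA", "Kyoto Univ. CA"), two cross-certificates and a user certificate for "Prof. A", then lets a Kyoto relying party validate the visitor's certificate with Go's crypto/x509 path building. It also shows the failure mode a practitioner should expect: if the visited university has not cross-certified the bridge, there is no trust path and the visitor is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is a certificate authority held in memory; every name and key here is
// constructed for this example, none of it is UPKI's real CA material.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template builds a minimal template: CA entries get certSign, the end entity
// gets clientAuth so a relying party can accept it for authentication.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{Organization: []string{"hypothetical"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// sign issues tmpl for pub under issuer; with issuer == nil it is self-signed by selfKey.
func sign(tmpl *x509.Certificate, pub *ecdsa.PublicKey, issuer *ca, selfKey *ecdsa.PrivateKey) *x509.Certificate {
	parent, signer := tmpl, selfKey
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func selfSigned(cn string) *ca {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &ca{cert: sign(template(cn, true), &k.PublicKey, nil, k), key: k}
}

// federation is the three-domain scenario: home university CA, Bridge CA, visited university CA.
type federation struct {
	home, bridge, visited *ca
	bridgeToHome          *x509.Certificate // cross-cert: Bridge CA vouches for the home CA's key
	visitedToBridge       *x509.Certificate // cross-cert: visited CA vouches for the Bridge CA's key
	user                  *x509.Certificate // Prof. A, issued by the home CA
}

func buildFederation() *federation {
	f := &federation{home: selfSigned("Hokkaido Univ. CA"), bridge: selfSigned("UPKI Bridge CA"), visited: selfSigned("Kyoto Univ. CA")}
	// A cross-certificate repeats the subject CA's name and key but carries the other CA's signature.
	f.bridgeToHome = sign(template("Hokkaido Univ. CA", true), &f.home.key.PublicKey, f.bridge, nil)
	f.visitedToBridge = sign(template("UPKI Bridge CA", true), &f.bridge.key.PublicKey, f.visited, nil)
	uk := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	f.user = sign(template("Prof. A", false), &uk.PublicKey, f.home, nil)
	return f
}

// verifyAt is a relying party that trusts only trustedRoot and receives the
// cross-certificates as intermediates; it returns the subject names of the chain found.
func verifyAt(user, trustedRoot *x509.Certificate, intermediates ...*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, err
	}
	names := []string{}
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	f := buildFederation()
	// Prof. A at Kyoto: the relying party trusts only Kyoto's CA but reaches Hokkaido's CA via the bridge.
	fmt.Println(verifyAt(f.user, f.visited.cert, f.bridgeToHome, f.visitedToBridge))
	// Without Kyoto's cross-certificate to the bridge there is no trust path: the visitor is rejected.
	fmt.Println(verifyAt(f.user, f.visited.cert, f.bridgeToHome))
}
```

The successful chain is Prof. A, Hokkaido Univ. CA (as certified by the bridge), UPKI Bridge CA (as certified by Kyoto), Kyoto Univ. CA. Note that the relying party never needs the Hokkaido self-signed root: the cross-certificate issued by the bridge takes its place, which is exactly why the policy mapping and cross-certification decisions of each university CA determine who can roam where.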
UPKI: requirements
- Scalability: up to 800 universities in Japan; a centralized system will never work; federated ID management is indispensable
- Security: against so many cyber attacks and increasing physical attacks
- Privacy: compliant with the law of privacy protection in Japan, enforced since April
- Mobility: both students and professors may visit other universities
- Cost: national universities have become independent agencies since 2004
UPKI: basic idea
- Deployment of Grid/PKI middleware for national academic AA infrastructure
- Management of faculty members, administrative staff and students
- Virtual Organizations (VO) like committees, research groups or academic societies should be supported
- Targets all of: educational activities like e-learning; administrative work like exchange of credits among universities; research activities like Grid computing; other networking services like WLAN roaming; a single infrastructure is used by all applications
- AA based on Federated Identity Management is the key
- PKI solves some authentication issues, but not all; PKI itself has many problems in deployment
NAREGI (National Research Grid Initiative): a collaboration project among industry, the academic sector and the government.
NAREGI Grid Middleware stack
NAREGI CA
- A full-fledged CA (Certificate Authority) software for PKI
- Originally developed for Grid computing, but can be used for general purposes
- Free open source software
- Version is available at the download site
Comparison among CA softwares
Columns: Product name; Issue of Certif.; CRL periodical; LDAP; HSM; Multiple CA; Profile management; HW token; Operator; Logging
- NAREGI CA: issue of certif. via file, bulk, WEB, LCMP
- OpenSSL: issue of certif. via file; most other columns × (not available)
- Microsoft Certificate Server: issue of certif. via WEB, LDAP (Active Directory only); several columns Domain Controller only; logging: × (event logging)
- Entrust Authority: issue of certif. via CMP, bulk, LDAP, WEB, SCEP; one column ×
Legend: available / × not available / some restriction
Case study: The Consortium of Universities in Kyoto
- Consortium of 50 universities in Kyoto: 3 national, 2 prefectural, 2 municipal, 43 private
- Most of them are in the central area of Kyoto City
- Activities: shared lecture rooms near JR Kyoto Shinkansen station; classes for ordinary students, evening classes and classes for graduated adults; open Web terminals, WLAN services; exchange of credits among universities in a very conventional manner
- How will academic AAI help them?
UPKI: issues
How various services can be provided on a single AA infrastructure: Web services, Grid computing, network services
Existing works:
- GridShib: Shibboleth for non-web-based applications
- EduRoam: campus wireless roaming service architecture
- EGEE: multi-VO support and delegation via MyProxy
- E-authentication by the U.S. government
- GPKI, LGPKI and JPKI for Japanese e-government
How can we learn from them, and how can we collaborate with them?
Summary
- The UPKI national academic authentication and authorization infrastructure project has just started, conducted by NII and the information infrastructure centers in 7 universities, as a basis of CSI (Cyber Science Infrastructure), the next generation of SINET/SuperSINET
- Actually, federated identity management is unavoidable even in a (big) university, and political issues also exist
- We started later, so we have some advantage
- International federation/collaboration is a very important issue