Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Extending user controlled security domain.

Published byAlvin Barnett Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Extending user controlled security domain."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Extending user controlled security domain with the TPM/TCG Yuri Demchenko University of Amsterdam MWSG10 meeting November 14-15, 2006, CERN

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 2 Outline Different sides of the Security and Trust –User and Service Provider vs System and Data –Secure Credentials Storage Trusted Computing Platform and Trusted Platform Module User controlled Virtual Workspace organisation Discussion – Vision for use of this technology

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 3 Different sides of the Security and Trust Modern paradigm of remote distributed services and digital content providing makes security and trust relations between User and Provider more complex User and Service Provider – two actors concerned with own Data/Content security and each other System/Platform trustworthiness Two other aspects of security/trust –Data stored vs Data accessed/processed –System Idle vs Active with User session Think about real life analogy: Diplomatic/President’s visit User System Data Provider System Data

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 4 Security in SOA Collaborative Environment – Use Cases Virtual Laboratory (VL) as Business Collaborative Environment –Implementing Utility Computing paradigm –Can a VL provider offer a trusted experiment environment from the competitor’s point of view  Extreme usecase: Will Pepsi Company trust to do analysis on the Coca-Cola VL facility?  Common sense: Remote System can be trusted as much as the administrator can be trusted Content providers (music, movie) Real life analogy: Diplomatic visit

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 5 Secure User Credential Storage EGEE1 MJRA3.5 Deliverable “Secure Credential Storage” - https://edms.cern.ch/document/638872/https://edms.cern.ch/document/638872/ –Overview and security analysis of available credential storage methods –Suggested pro-active and countermeasures against identified security threats Smartcard together with One-time Password (OTP) identified as a preferable solution –Provides also solution for User/AuthZ session credentials storage –But this solution again is considered as much secure as the user client can be secured

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 6 TCG Trusted Computing Platform Promoted by the Trusted Computing Group (TCG) –Basis for building and managing controlled secure environment for running applications and processing (protected) content  https://www.trustedcomputinggroup.org/home –Standards for trusted network, client, server and mobile agent –TMP software stack (TSS) defines API’s for remote access, Identity Mngnt, PKI, Secure e-mail, file/folder encryption, etc. TCG components –Trusted Platform Module (TPM) –“Curtained memory” in the CPU –Security kernel in the OS and security kernel in each application –Back-end infrastructure of online security servers maintained by hardware and software vendors Trusted Network Connect (TNC) – to enforce security policies before and after endpoints or clients connect to multi-vendor environment

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 7 Trusted Platform Module (TPM) Chip built-in into the computer system or a smartcard chip – Can be considered as a platform tied “root-of-trust” and used for trusted platform registration and integrity assurance Provides a number of hardware-based cryptographic functions –Asymmetric key functions for on-chip key pair generation using hardware random key generation; private key signatures; public key encryption and private key decryption –An Endorsement key that can be used by a platform owner to establish that identity keys were generated in a TPM, without disclosing its identity –Direct Dynamic Attestation (DAA) that securely communicates information about the static or dynamic platform configuration, which is internally stored in TPM in the form of hashed values –Monotonic counter and the tick counter to enable transaction timing and sequencing –Protection of communication between two TPM –Secure key/data backup to another TPM

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 8 User-controlled Virtual Workspace Service (VWSS-UC) - 3 layer model Trust Anchors: T0 (TPM) – TA1 (VM/VWSS) – TA2 (Appl) – TA# (User) User and AuthZ Sessions

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 9 VWSS-UC – Implementation Suggestions TPM Enabled computer platforms –http://www.tonymcfadden.net/tpmvendors.htmlhttp://www.tonymcfadden.net/tpmvendors.html Xen v3.0 has already so-called Virtual TPM module –http://www.cl.cam.ac.uk/Research/SRG/netos/xen/readmes/user Grid Virtual Workspace Service (VWSS) – GT4 candidate component –http://workspace.globus.org/ GAAA-AuthZ Authorisation session management supported by GAAAPI –Proprietary and SAML based AuthZ ticket formats

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG10, 14-15 November 2006, CERN 10 Discussion What is the vision for use of this technology?

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Extending user controlled security domain."

Similar presentations

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary December 2010 Irvine, CA – PWG Meeting Ira McDonald (High.

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary December 2010 Irvine, CA – PWG Meeting Ira McDonald (High.
Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.

Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.
Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Vpn-info.com.

Vpn-info.com.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
SEC316: BitLocker™ Drive Encryption

SEC316: BitLocker™ Drive Encryption
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
outline Purpose Design Implementation Market Conclusion presentation Outline.

outline Purpose Design Implementation Market Conclusion presentation Outline.
Securing Information Transfer in Distributed Computing Environments AbdulRahman A. Namankani.

Securing Information Transfer in Distributed Computing Environments AbdulRahman A. Namankani.
Web services security I

Web services security I

Similar presentations

Ads by Google