Presentation is loading. Please wait.

Presentation is loading. Please wait.

25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Single.

Published byCecilia Wright Modified over 8 years ago

Similar presentations

Presentation on theme: "25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Single."— Presentation transcript:

1 25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Single Sign-on Document Series GWS-WG http://www.ivoa.net/twiki/bin/view/IVOA/IvoaGridAndWebServices Security 101 Matthew Graham (see teamwg mail archive) VO-friendly, Community-based Authorization Framework, Pt. 1, 2 Ray Plante http://chart.stsci.edu/twiki/pub/Main/TechWG/CommunityAuthorizationP1.pdf Ray Plante NVO@NCSA Von Welch & Jim Basney NCSA Grid Security Team Mike Freemon & Randy Butler National Middleware Initiative (NMI) Grid Center

2 25 April 2005NVO Team Meeting - Tucson2 What we’d like to see from interoperable security Trustworthy access to restricted resources –Proprietary data * –Remote storage –CPU cycles Sufficient control and auditing by resource providers Single sign-on –User enters a username/password once per session –Can access many restricted resources in an operation from different providers –Interoperates with public (non-restricted) data and services seamlessly –Interoperability with Grid security A framework that can be leveraged by observatories –A common way to get at proprietary data –A common way to support security in portals

3 25 April 2005NVO Team Meeting - Tucson3 What we’d not like to see from interoperable security A framework so cumbersome that no one uses it –Users & service providers –“Why do we even need this?” A hacking incident that erodes trust in the system –We’re used to relying on goodwill –The VO will raise our profile to hackers

4 25 April 2005NVO Team Meeting - Tucson4 Certificate-based Security Beyond the browser: Good for “grid” applications –Web services talking to each other –Can handle users across administrative boundaries X.509 Certificates in wide use today –To support SSL connections –Libraries available Certificates presented at socket connection time assure identity of holder –Identities of user and service –Each end must already have copy of Certificate Authority’s certificate –Each end holds own private key; cert contains public key –“handshake” tests that each side has private key corresponding to public key in cert

5 25 April 2005NVO Team Meeting - Tucson5 Certificate Authorities: the root of Trust A service/user will trust a CA by acquiring the CA’s public key –Public key acquired “out-of-band” of a user request –Benefit from a small number of CAs Recommendation: Each VO project runs its own CA –IVOA level: trust chain too hard to track Trust model to be discussed later… –Organization level: too many CAs Recommendation: Accept other established CAs from scientific community as a matter of practice –DOE, NCSA/TeraGrid –Leverage their trust model

6 25 April 2005NVO Team Meeting - Tucson6 Certificate Management User-managed certificates –User stores certificate & private key on local machine –User must “load” certificate into client applications e.g. web browser, Globus –User must also “load” certificates of trusted CAs –Often considered part of the “pain” of certificates Portal-managed certificates –Portal manages certificate & private key on users behalf –users don’t have to know certificates are being used –Possible to pass cert to client apps when needed

7 25 April 2005NVO Team Meeting - Tucson7 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

8 25 April 2005NVO Team Meeting - Tucson8 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

9 25 April 2005NVO Team Meeting - Tucson9 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

10 25 April 2005NVO Team Meeting - Tucson10 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

11 25 April 2005NVO Team Meeting - Tucson11 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

12 25 April 2005NVO Team Meeting - Tucson12 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

13 25 April 2005NVO Team Meeting - Tucson13 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

14 25 April 2005NVO Team Meeting - Tucson14 Portal-Managed Certificates Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal

15 25 April 2005NVO Team Meeting - Tucson15 Certificate Management Both certificate models will be important –Important to support portal-based management for ease of use –The savvier users will manage own certs for use with client applications that connect directly to services Recommendation: VO project runs the following services: –Registration service (to create certs) –Certificate Repository (MyProxy) to store certs for use with portals –A login service for use with portals –Cert Download service: for retrieving certs for local client apps Existing tools: PURSE (NMI), GAMA (SDSC)

16 25 April 2005NVO Team Meeting - Tucson16 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service e.g., VO Project

17 25 April 2005NVO Team Meeting - Tucson17 Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project

18 25 April 2005NVO Team Meeting - Tucson18 Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project

19 25 April 2005NVO Team Meeting - Tucson19 Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project

20 25 April 2005NVO Team Meeting - Tucson20 CA Certificate Repository (MyProxy) Login Service NVO Registration Service e.g., VO Project Portal-Managed Certificates Local Registration Service Restricted Service Restricted Service Restricted Service Portal

21 25 April 2005NVO Team Meeting - Tucson21 Portal-Managed Certificates Local Registration Service CA Certificate Repository (MyProxy) Login Service Restricted Service Restricted Service Restricted Service Portal NVO Registration Service Login Interface

22 25 April 2005NVO Team Meeting - Tucson22 Trust Model The certificate “handshake” –Means that… User has private key issued to “Joe Astronomer” Service has private key issued to “Fab Storage” –Useful enough in some cases Service can save per user state across sessions Will control what user can do –Did “Joe” give a phony name? The CA signature means that the CA has made an effort to verify the identity –How does a CA determine that users are who they say they are?

23 25 April 2005NVO Team Meeting - Tucson23 Commercial Trust Model: Thawte Weak certificates –Generic identity: name not included –Can do low trust activities (encrypt email) Strong certificates (has identity info in it): –Identity notarized by multiple somewhat- trusted people—“Web of Trust” –Point system a notary can issue up to 35 points Need 50 points to get strong cert

24 25 April 2005NVO Team Meeting - Tucson24 An Astronomical Observatory To gain access to telescope and resulting proprietary data User writes a proposal –Includes identity information: affiliation, email –Includes references to published work –Includes collaborators with references Observatory contacts PIs, Co-Is by email Proposal is evidence that they are legit. Can we leverage this process?

25 25 April 2005NVO Team Meeting - Tucson25 Building a Trust Model How do we verify identities? –someone VO project trusts tells them (out-of-band) that the user is who she says she is. –Registration Authorities (RA): enlisting the help of existing institutions Academic departments? (akin to Shibboleth model) Observatories? –How much is enough? –What process/software can we provide to RAs to validate identities? Verification takes time and human involvement! –Can weak certificate enable some activity requiring less trust? Allows user to get started right away! Need trusted system to issues certs to services –So that users can trust services to behave with their ID –Can build on trust model for users

26 25 April 2005NVO Team Meeting - Tucson26 Authorization Authorization policies tend to be service specific –Provider will want to control who’s allowed to do what –Expect observatories to centralize authorization management –Authorization policies assigned to groups Observatory: groups defined on the proposal level Groups defined around archive-based research Recommendation: Leave authorization management to service providers. No interoperable standards are needed at this time*

27 25 April 2005NVO Team Meeting - Tucson27 Authorization Use Case Drivers Types of restricted resources –Proprietary data –Remote storage –CPU cycles Sufficient control and auditing by resource providers Types of proprietary data –Data from PI-driven telescope’s archive, covered by observatory’s proprietary policy –VO workspace data (VOStore) –Data under Proprietary policy based on origin of user* *Europe

28 25 April 2005NVO Team Meeting - Tucson28 Three models for handling authorization Map external identities to internal accounts –One account per group, groups define set of authorization policy Call out: –User accesses service with personal cert –Service calls out to authorization database to retrieve privileges associated with user –Service tests user request against policies Certificate wrapping (Globus CAS): –User visits authorization database with personal cert, gets back proxy cert with policies encoded inside (using SAML) –User presents proxy cert to service –Service test user request against policies –Good for portal-based access but inconvenient for outside clients

Download ppt "25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Single."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.

National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.
25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security.

25 April 2005NVO Team Meeting - Tucson1 Interoperable Authentication And Authorization for the VO T HE US N ATIONAL V IRTUAL O BSERVATORY Background: Security.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Similar presentations

Ads by Google