Common Authentication Library. Daniel Kouril, for the CaNL PT. EGI CF. EMI is partially funded by the European Commission under Grant Agreement RI-261611.
Presentation transcript:

Common Authentication Library
Daniel Kouril, for the CaNL PT
EGI CF 2012, Munich
EMI is partially funded by the European Commission under Grant Agreement RI-261611

Motivation
- A common security layer (PKI) is used, but there is no common support for it in applications
  - Duplication of code, expensive maintenance
  - No common profile for SSL and X.509
  - Difficult to add new features
  - Security audit of the code is quite hard
EMI INFSO-RI

Main Goals
- Simple API to support authentication and message protection
- Functionality to deal with Grid specifics
- Available for a wide range of languages
- Easy to understand and use
  - Hide complexity inside the library
- Credential delegation not addressed

Current Status
- API designed and underwent detailed expert reviews
- Implementation started in the middle of 2011
  - EMI PT established for the work
- APIs implemented by three subgroups
- Implementations delivered as part of EMI-2
- EMI PTs are expected to integrate CaNL in Y3

Available CaNL Features
- API for connection-based applications
  - Simple to use
  - Mutually authenticated connection
  - Exchange of protected messages
- Minimal external dependencies
  - In number and in size
- Dependency on the SSL implementation kept minimal

Available CaNL Features (continued)
- Grid "extensions" inherent to the library
  - Support for proxy certificates (RFC 3820 and legacy Globus formats)
  - Support for CA signing policies
- Management of X.509, including proxies
  - Generation of X.509 certificate requests
  - Proxy signing
- Some bindings support PKCS#11
  - Smart cards and/or soft tokens
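The proxy-certificate support listed above is what separates a Grid authentication library from a plain TLS stack. The following is an added example, not CaNL code from any of its bindings; it is written in Go because Go's standard library can build and parse X.509 offline. It issues a constructed CA -> end-entity (EEC) -> RFC 3820 proxy chain, then applies the RFC 3820 checks a generic validator does not know (issuer name equals the EEC subject, subject is the issuer subject plus exactly one CN RDN, a critical ProxyCertInfo extension, and a signature made by the end-entity key rather than a CA key), and shows that Go's unmodified x509.Verify rejects the same proxy. The names, serial numbers and the inheritAll policy are constructed; legacy (pre-RFC) Globus proxies, which carry no ProxyCertInfo and use CN=proxy, are not handled here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Standard RFC 3820 / X.500 identifiers (not taken from the slides).
var (
	oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14} // id-pe-proxyCertInfo
	oidInheritAll    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1} // id-ppl-inheritAll
	oidCommonName    = asn1.ObjectIdentifier{2, 5, 4, 3}
)

// ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL, proxyPolicy ProxyPolicy }
type proxyPolicy struct {
	Language asn1.ObjectIdentifier
	Policy   []byte `asn1:"optional"`
}
type proxyCertInfo struct {
	PathLen int `asn1:"optional,default:-1"` // -1: no path length constraint present
	Policy  proxyPolicy
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}
func rdns(raw []byte) pkix.RDNSequence { // DER-encoded Name -> RDNSequence
	var seq pkix.RDNSequence
	_, err := asn1.Unmarshal(raw, &seq)
	must(err)
	return seq
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}
func baseTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"CZ"}, Organization: []string{"Example Grid"}, CommonName: cn},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
}

// buildChain creates a constructed CA -> end-entity (EEC) -> RFC 3820 proxy chain.
func buildChain() (ca, eec, proxy *x509.Certificate) {
	now := time.Now()
	caKey, eecKey, proxyKey := newKey(), newKey(), newKey()
	caTmpl := baseTemplate(1, "Example Grid CA", now)
	caTmpl.IsCA, caTmpl.KeyUsage = true, x509.KeyUsageCertSign
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	eec = issue(baseTemplate(2, "Alice User", now), ca, &eecKey.PublicKey, caKey)
	// Proxy subject = EEC subject + one CN RDN; signed by the EEC's own key, not by a CA.
	subject := append(rdns(eec.RawSubject), pkix.RelativeDistinguishedNameSET{{Type: oidCommonName, Value: "12345678"}})
	rawSubject, _ := asn1.Marshal(subject)
	pciDER, _ := asn1.Marshal(proxyCertInfo{PathLen: -1, Policy: proxyPolicy{Language: oidInheritAll}})
	proxyTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(12345678), RawSubject: rawSubject,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pciDER}},
	}
	return ca, eec, issue(proxyTmpl, eec, &proxyKey.PublicKey, eecKey)
}

// checkProxy applies the RFC 3820 rules that a plain X.509 path validator does not know.
// issuer is the certificate directly above the proxy (an EEC or another proxy).
func checkProxy(proxy, issuer *x509.Certificate) (pci proxyCertInfo, err error) {
	if !bytes.Equal(proxy.RawIssuer, issuer.RawSubject) {
		return pci, errors.New("issuer name does not match the issuing certificate")
	}
	subj, iss := rdns(proxy.RawSubject), rdns(issuer.RawSubject)
	last := len(subj) - 1
	if len(subj) != len(iss)+1 || subj[:last].String() != iss.String() ||
		len(subj[last]) != 1 || !subj[last][0].Type.Equal(oidCommonName) {
		return pci, errors.New("subject is not the issuer subject plus exactly one CN")
	}
	var ext *pkix.Extension
	for i, e := range proxy.Extensions {
		if e.Id.Equal(oidProxyCertInfo) {
			ext = &proxy.Extensions[i]
		}
	}
	if proxy.IsCA || ext == nil || !ext.Critical {
		return pci, errors.New("proxy is a CA, or ProxyCertInfo is missing or not critical")
	}
	if rest, perr := asn1.Unmarshal(ext.Value, &pci); perr != nil || len(rest) != 0 {
		return pci, errors.New("malformed ProxyCertInfo")
	}
	// The signer is a leaf certificate, which Verify() refuses; check the signature directly.
	return pci, issuer.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature)
}

// standardVerifyRejects shows why Grid code needs checkProxy: an unmodified X.509
// verifier stops at the critical ProxyCertInfo extension it does not understand.
func standardVerifyRejects(proxy, eec, ca *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	inter.AddCert(eec)
	_, err := proxy.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err != nil
}

func main() {
	ca, eec, proxy := buildChain()
	pci, err := checkProxy(proxy, eec)
	fmt.Printf("RFC 3820 check: err=%v pathlen=%d policy=%v\n", err, pci.PathLen, pci.Policy.Language)
	fmt.Println("plain x509.Verify rejects the proxy:", standardVerifyRejects(proxy, eec, ca))
}
```

In a real validator checkProxy is applied to each proxy link of the chain, the EEC is then validated against the trust anchors in the ordinary way, and the path-length constraint (when present) is decremented per proxy level; the chain should be walked from the EEC downwards so that a forged proxy cannot choose which certificate it is compared against.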

Integration with applications
- Samples of code provided (or can be)
  - Connection establishment, delegation, proxy management
- API descriptions available
- Developers will need to replace their own code with calls to CaNL
- Any feedback welcome

C
- Largely based on existing code
- Two levels of API
- The first level contains basic calls to establish an authenticated connection and communicate
  - Simple but generic
  - Generic API with no SSL and/or X.509 dependency
  - Internally plugin-based
  - Other security mechanisms easy to support

C (continued)
- The second level provides extensions for SSL and/or X.509
  - Setting SSL specifics for connections: CA locations, certificate and private key, SSL versions, ...
  - Certificate and proxy management: preparing CSRs, signing proxies, ...

C++
- Based on code from the ARC framework
  - A lot of code cleaning performed
- Interface for handling X.509 credentials
  - Private key, certificate, proxy
  - Certificate request
  - CA and policies
  - Predefined environment setups
- Abstract X.509 authenticated connection
  - Both client and server side
- Expandable to different transport layers
  - Implemented for network sockets

Java
- Designed to integrate seamlessly with the standard Java network stack
- Provides implementations of multiple trust stores:
  - OpenSSL-like trust store with support for Globus EACL signing policies and IGTF namespaces
  - Custom directory store which can be flexibly configured to use certificates and CRLs defined with wildcard expressions
  - Traditional Java keystore amended with separate CRLs
- Remote CRLs and certificates can be used automatically (with local caching)
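The CA signing policies mentioned on the Grid-extensions slide and the Globus EACL support of the OpenSSL-like trust store above refer to the same mechanism: a trust anchor is only trusted for the subject namespace its signing_policy file grants it, so a cryptographically valid certificate from a trusted CA must still be rejected when its subject lies outside that namespace. The following added example (Go, not CaNL code) parses a constructed signing_policy file in the Globus EACL format and decides whether a given issuer may have signed a given subject. The sample policy and DNs are constructed. Two assumptions are made here rather than taken from CaNL: the non-wildcard parts are compared case-sensitively, and '*' matches any run of characters including '/'; confirm both against the implementation you rely on.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the Globus EACL signing_policy format (the <hash>.signing_policy
// file that IGTF distributions ship next to each CA certificate). Not a real CA's policy.
const samplePolicy = `# Example Grid CA signing policy (constructed sample)
access_id_CA   X509   '/C=CZ/O=Example Grid/CN=Example Grid CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=CZ/O=Example Grid/*" "/DC=org/DC=example-grid/*"'
`

// SigningPolicy is the namespace a CA is allowed to sign: the CA's own DN and the
// subject patterns ('*' = any characters) it may issue certificates for.
type SigningPolicy struct {
	CA       string
	Subjects []string
}

var quotedPattern = regexp.MustCompile(`"[^"]*"`)

func ParseSigningPolicy(text string) (SigningPolicy, error) {
	var p SigningPolicy
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 3 {
			return p, fmt.Errorf("malformed line: %q", line)
		}
		// The value is everything after the first two tokens; it may contain spaces.
		rest := strings.TrimSpace(strings.TrimSpace(line[len(f[0]):])[len(f[1]):])
		switch f[0] {
		case "access_id_CA":
			if f[1] != "X509" {
				return p, fmt.Errorf("unsupported access_id_CA type %q", f[1])
			}
			p.CA = strings.Trim(rest, "'")
		case "pos_rights":
			if f[1] != "globus" || rest != "CA:sign" {
				return p, fmt.Errorf("unsupported right: %q", line)
			}
		case "cond_subjects":
			if f[1] != "globus" {
				return p, fmt.Errorf("unsupported cond_subjects type %q", f[1])
			}
			body := strings.Trim(rest, "'")
			pats := quotedPattern.FindAllString(body, -1)
			if len(pats) == 0 { // a single pattern may be written without inner quotes
				pats = []string{body}
			}
			for _, pat := range pats {
				p.Subjects = append(p.Subjects, strings.Trim(pat, `"`))
			}
		default:
			return p, fmt.Errorf("unknown keyword %q", f[0])
		}
	}
	if p.CA == "" || len(p.Subjects) == 0 {
		return p, fmt.Errorf("policy lacks access_id_CA or cond_subjects")
	}
	return p, nil
}

// globMatch turns a policy pattern into an anchored regexp: '*' matches any run of
// characters (including '/'), everything else must match exactly (assumption, see above).
func globMatch(pattern, dn string) bool {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	return regexp.MustCompile(re).MatchString(dn)
}

// MaySign reports whether the policy permits issuerDN to have signed subjectDN.
// A certificate whose issuer this policy does not cover, or whose subject falls
// outside the patterns, must be rejected even if its signature verifies.
func (p SigningPolicy) MaySign(issuerDN, subjectDN string) bool {
	if issuerDN != p.CA {
		return false
	}
	for _, pat := range p.Subjects {
		if globMatch(pat, subjectDN) {
			return true
		}
	}
	return false
}

func main() {
	p, err := ParseSigningPolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	for _, dn := range []string{"/C=CZ/O=Example Grid/CN=Alice User", "/C=DE/O=Other Org/CN=Mallory"} {
		fmt.Printf("%-40s allowed=%v\n", dn, p.MaySign(p.CA, dn))
	}
}
```

The check is applied to every issuer/subject pair in a chain, including proxies, using the DN serialisation the policy files use (OpenSSL one-line form); comparing it against an RFC 2253 rendering of the same name will silently reject everything, which is why a library-provided DN formatter matters.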

Java (continued)
- Trust stores are refreshed at configurable intervals
- User credentials can be provided in multiple formats:
  - Java keystore
  - Pair of PEM files
  - PEM keystore
  - DER PKCS#8
- Offers support for RFC 2818 (HTTPS server identity / hostname verification)
- Adds many helper utilities, e.g. to compare DNs in a portable and safe way or to format a DN for printing
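The RFC 2818 support listed above is the server-identity check: after the TLS handshake, the name the client connected to must match the name in the server certificate, or an attacker holding any valid certificate could impersonate any host. The following added example (Go, not CaNL code) implements the RFC 2818 section 3.1 rules over plain name lists, so it runs without a certificate: SAN dNSName entries take precedence over the CN, an IP-literal host must match an iPAddress SAN, comparison is case-insensitive, and '*' matches within a single label ("*.a.com" matches "foo.a.com" but not "bar.foo.a.com"; "f*.com" matches "foo.com"). The names are constructed. Note that the later RFC 6125 and modern TLS stacks are stricter (wildcard only as the whole leftmost label, CN ignored entirely), so treat this as the 2818 baseline, not the current best practice.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// CertNames holds the identity fields of a server certificate that RFC 2818
// section 3.1 consults: SAN dNSName and iPAddress entries, and the subject CN.
type CertNames struct {
	DNSNames   []string
	IPs        []string
	CommonName string
}

// matchLabel compares one host label against one pattern label. RFC 2818 lets '*'
// match "any single domain name component or component fragment", so "f*" matches
// "foo"; the wildcard never spans a dot because matching is done label by label.
func matchLabel(pattern, label string) bool {
	i := strings.IndexByte(pattern, '*')
	if i < 0 {
		return pattern == label
	}
	prefix, suffix := pattern[:i], pattern[i+1:]
	if strings.Contains(suffix, "*") {
		return false // one wildcard per label
	}
	return len(label) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(label, prefix) && strings.HasSuffix(label, suffix)
}

// matchDNSName: case-insensitive, same number of labels, each label matched in turn.
func matchDNSName(pattern, host string) bool {
	pl := strings.Split(strings.ToLower(strings.TrimSuffix(pattern, ".")), ".")
	hl := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(pl) != len(hl) {
		return false
	}
	for i := range pl {
		if !matchLabel(pl[i], hl[i]) {
			return false
		}
	}
	return true
}

// VerifyHostname applies RFC 2818 section 3.1: an IP-literal host must match an
// iPAddress SAN; otherwise the dNSName SANs are authoritative and the CN is only a
// legacy fallback used when the certificate carries no dNSName at all.
func VerifyHostname(c CertNames, host string) bool {
	if ip := net.ParseIP(host); ip != nil {
		for _, s := range c.IPs {
			if sip := net.ParseIP(s); sip != nil && sip.Equal(ip) {
				return true
			}
		}
		return false
	}
	candidates := c.DNSNames
	if len(candidates) == 0 && c.CommonName != "" {
		candidates = []string{c.CommonName}
	}
	for _, pattern := range candidates {
		if matchDNSName(pattern, host) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed server certificate identity.
	srv := CertNames{DNSNames: []string{"grid.example.org", "*.ce.example.org"}, IPs: []string{"192.0.2.10"}, CommonName: "ignored.example.org"}
	for _, h := range []string{"GRID.example.org", "ce1.ce.example.org", "a.ce1.ce.example.org", "ignored.example.org", "192.0.2.10"} {
		fmt.Printf("%-22s %v\n", h, VerifyHostname(srv, h))
	}
}
```

Two failure modes are worth checking in any implementation: a wildcard that is allowed to cross a label boundary ("*.example.org" accepting "evil.attacker.example.org" is wrong, but accepting "a.b.example.org" is also wrong under these rules), and a CN fallback that is consulted even though SANs are present, which lets a certificate for one SAN be presented for the host named in its CN.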

Thank you