MyProxy: A Multi-Purpose Grid Authentication Service

Presentation transcript:

MyProxy: A Multi-Purpose Grid Authentication Service
Jim Basney, Senior Research Scientist, NCSA
jbasney@ncsa.uiuc.edu

What is MyProxy?
- A service for managing X.509 PKI credentials: a credential repository and certificate authority
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
- Supports multiple authentication methods: passphrase, certificate, PAM, SASL, Kerberos
- Open Source Software
  - Included in Globus Toolkit, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBNL, and others
WCGA 2006 http://myproxy.ncsa.uiuc.edu/

MyProxy Logon
- Authenticate to retrieve PKI credentials: End Entity or Proxy Certificate, Trusted CA Certificates, Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs updated automatically at login

MyProxy Authentication
- Key passphrase
- X.509 certificate (used for credential renewal)
- Pluggable Authentication Modules (PAM): Kerberos password, One Time Password (OTP), Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL): Kerberos ticket (SASL GSSAPI)

MyProxy Online Certificate Authority
- Issues short-lived X.509 End Entity Certificates
- Leverages MyProxy authentication mechanisms; compatible with existing MyProxy clients
- Ties in to site authentication and accounting
  - Using PAM and/or Kerberos authentication
  - Map username to certificate subject via "gridmap" file or LDAP query
- Avoids the need for long-lived user keys
- Server can function as both CA and repository: issues a certificate if no credentials for the user are stored
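The username-to-subject mapping the CA slide mentions, as an added example (not MyProxy's own code): a parser for the Globus-style grid-mapfile format, used in reverse so that the local username of an authenticated user yields the DN to put in the new end entity certificate. The file contents, DNs and usernames below are constructed; a username that maps to more than one DN is refused rather than guessed.

```python
"""Added example (not MyProxy's own code): map a local username to a
certificate subject DN using a Globus-style grid-mapfile.

Grid-mapfile lines have the form   "<subject DN>" user1[,user2,...]
(DN in double quotes, then one or more comma-separated local usernames).
An online CA uses the file in reverse: username -> DN for the new cert."""
import re

# Constructed sample grid-mapfile; every DN and username here is made up.
SAMPLE_GRIDMAP = '''
# comment lines and blank lines are ignored
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Example 42" bob,bobby
"/C=US/O=Example Grid/OU=People/CN=Shared Account" ops
"/C=US/O=Other CA/CN=Shared Account Two" ops
'''

_LINE_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """Return a dict DN -> list of usernames, skipping comments and blanks.
    A malformed line raises ValueError instead of being silently ignored."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line %d: %r" % (lineno, raw))
        dn, users = m.group(1), [u for u in m.group(2).split(",") if u]
        mapping.setdefault(dn, []).extend(users)
    return mapping


def username_to_dn(mapping, username):
    """Reverse lookup as an online CA needs it: the single DN for a username,
    or None if unmapped.  A username listed under several DNs is ambiguous,
    so the CA refuses to pick one rather than certify the wrong identity."""
    dns = [dn for dn, users in mapping.items() if username in users]
    if not dns:
        return None
    if len(dns) > 1:
        raise ValueError("username %r maps to %d subjects: %s"
                         % (username, len(dns), "; ".join(dns)))
    return dns[0]


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    print(username_to_dn(gm, "alice"))
    print(username_to_dn(gm, "bobby"))
```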

MyProxy Online Credential Repository
- Stores X.509 End Entity and Proxy credentials
- Private keys encrypted with user-chosen passphrases
- Credentials may be stored directly or via proxy delegation
- Users can store multiple credentials from different CAs
- Access to credentials controlled by user and administrator policies
  - Set authentication requirements
  - Control whether credentials can be retrieved directly or if only proxy delegation is allowed
  - Restrict lifetime of retrieved proxy credentials
- Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.
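The three policy controls listed above, as an added example (not MyProxy's own code or configuration syntax): a request against a stored credential is checked for the accepted authentication method, for whether the private key may leave the server at all, and for the proxy lifetime, which is clamped to both the policy cap and the remaining life of the stored credential. The policy fields, request shape and sample values are this example's assumptions.

```python
"""Added example (not MyProxy's own code): evaluate an access request to an
online credential repository against the stored credential's policy.
Field names and the request shape are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class StoredCredential:
    owner: str
    not_after: datetime            # expiry of the stored long-lived credential
    allow_retrieve: bool           # may the private key itself leave the server?
    max_proxy_lifetime: timedelta  # administrator/user cap on delegated proxies
    required_auth: frozenset       # accepted methods, e.g. {"passphrase"}


@dataclass(frozen=True)
class Request:
    username: str
    auth_method: str               # how the caller authenticated to the server
    operation: str                 # "delegate" (proxy) or "retrieve" (key itself)
    lifetime: timedelta            # lifetime the caller asked for


def evaluate(cred, req, now):
    """Return (allowed, granted_lifetime or None, reason)."""
    if req.username != cred.owner:
        return (False, None, "username does not match credential owner")
    if req.auth_method not in cred.required_auth:
        return (False, None, "authentication method %r not accepted" % req.auth_method)
    remaining = cred.not_after - now
    if remaining <= timedelta(0):
        return (False, None, "stored credential has expired")
    if req.operation == "retrieve":
        if not cred.allow_retrieve:
            return (False, None, "policy allows proxy delegation only")
        return (True, remaining, "private key released")
    if req.operation == "delegate":
        # A proxy can never outlive the credential that signs it, and the
        # policy cap applies on top of whatever the caller requested.
        granted = min(req.lifetime, cred.max_proxy_lifetime, remaining)
        if granted <= timedelta(0):
            return (False, None, "requested lifetime must be positive")
        return (True, granted, "proxy delegated")
    return (False, None, "unknown operation %r" % req.operation)


# Constructed sample: a passphrase-protected credential, delegation only,
# proxies capped at 12 hours, expiring 30 days from "now".
NOW = datetime(2006, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRED = StoredCredential("alice", NOW + timedelta(days=30), False,
                               timedelta(hours=12), frozenset({"passphrase"}))

if __name__ == "__main__":
    print(evaluate(SAMPLE_CRED, Request("alice", "passphrase", "delegate",
                                        timedelta(days=7)), NOW))
```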

Talk Outline
- MyProxy Introduction
- PKI Introduction and MyProxy CA
- Proxy Certificates and MyProxy Repository
- MyProxy Scenarios
  - Administratively Loaded Credentials
  - Registration Portals
  - Web Portal Authentication and Delegation
  - Password-based Delegation
  - Credential Renewal
  - Web Single Sign-On (SSO)
- Demos
- Conclusion

PKI Overview
- Public Key Cryptography
  - Sign with private key, verify signature with public key
  - Encrypt with public key, decrypt with private key
- Key Distribution
  - Who does a public key belong to?
  - Certification Authority (CA) verifies the user's identity and signs a certificate
  - A certificate is a document that binds the user's identity to a public key
- Authentication: Signature[h(random, ...)]
[Diagram: the CA certificate (Issuer: CA, Subject: CA) signs the user certificate (Issuer: CA, Subject: Jim)]

PKI Authentication
Standard SSL/TLS Protocol (summarized)
[Diagram of the Client/Server exchange:]
- Client -> Server: random_c
- Server -> Client: certificate_s + random_s
- Client -> Server: certificate_c + {secret}pubkey_s + signature_c[h(random_c, random_s, ...)]
- Finally: {h(secret)}secret

PKI Enrollment
[Diagram: Applicant (User) and CA. 1. Generate new key pair (User); 2. Certificate request (User -> CA); 3. Sign new end entity certificate (CA); 4. (label not recoverable)]

MyProxy CA with PAM
[Diagram: Client, MyProxy Server (with PAM and gridmap), RADIUS Server, Kerberos KDC, LDAP Server, Grid Service. The Client performs a TLS handshake with the MyProxy Server and sends a certificate request for a new keypair together with a password; the server checks the password through PAM against a RADIUS Server or a Kerberos KDC (obtaining a TGT), determines the subject DN from the gridmap file or by LDAP DN lookup, signs the certificate with the CA key and returns it; the Client then authenticates to the Grid Service with X.509.]

MyProxy CA with Kerberos
[Diagram: Client, MyProxy Server (with SASL and gridmap), Kerberos KDC, LDAP Server, Grid Service. The Client obtains a ticket from the Kerberos KDC, performs a TLS handshake with the MyProxy Server and authenticates over SASL/GSSAPI/Kerberos, then sends a certificate request for a new keypair; the server determines the subject DN from the gridmap file or by LDAP DN lookup, signs the certificate with the CA key and returns it; the Client then authenticates to the Grid Service with X.509.]

PAM/SASL Issues
- PAM Conversation
  - PAM modules can require multiple rounds of user interaction
  - No standard protocol; SASL/PLAIN doesn't support multiple rounds
  - Need something like the SSH keyboard-interactive protocol
- SASL client-side setup
  - Requires SASL library and configuration of SASL mechanisms
  - Alternative: native Kerberos protocol support

Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
- Restricted lifetime in the certificate limits the vulnerability of the unencrypted key
- Credential delegation (forwarding) without transferring private keys
[Diagram: CA signs User; User signs Proxy A; Proxy A signs Proxy B]

Proxy Delegation
[Diagram: Delegator and Delegatee. 1. Generate new key pair (Delegatee); 2. Proxy certificate request (Delegatee -> Delegator); 3. Sign new proxy certificate (Delegator); 4. (label not recoverable); each side ends up holding a Proxy]

MyProxy Put
[Diagram: Client and MyProxy Server. TLS handshake (Client authenticates with its certificate); Client sends username, password and policy; Server generates a keypair and sends a certificate request; Client signs and returns the proxy certificate chain; Server stores the cert chain and private key under that username.]

MyProxy Get
[Diagram: Client, MyProxy Server, Grid Service. TLS handshake; Client sends username and password, generates a keypair and sends a certificate request; Server signs with the stored private key and returns the proxy certificate chain; the Client now holds a private key plus cert chain and authenticates to the Grid Service with X.509.]

MyProxy Store
[Diagram: Client and MyProxy Server. TLS handshake; Client sends username, certificate, private key and policy; Server stores the certificate and private key directly.]

MyProxy Retrieve
[Diagram: Client, MyProxy Server, Grid Service. TLS handshake; Client sends username and password; Server returns the stored certificate chain and private key directly; the Client authenticates to the Grid Service with X.509.]

Administratively Loaded Creds
[Diagram: Certificate Authority, Client, MyProxy Server, Grid Service. The Certificate Authority loads the user's certificate and private key into the MyProxy Server over a TLS handshake, authenticated by its own certificate, together with the username and password; the Client later logs on with username and password, sends a certificate request, receives a proxy certificate chain and authenticates to the Grid Service with X.509.]

User Registration Portal
[Diagram: Browser, Registration Portal (with User DB), Certificate Authority, MyProxy Server, Client, Grid Service. The Browser registers over TLS with a username and password, which the Registration Portal records in its User DB; the portal obtains a certificate for the user from the Certificate Authority and loads certificate, private key, username and password into the MyProxy Server; the Client then logs on with username and password, sends a certificate request, receives a proxy certificate chain and authenticates to the Grid Service with X.509.]

Gateway Portal
[Diagram: Browser, Portal (with User DB), Grid Service. The Browser authenticates to the Portal over TLS with a username and password checked against the User DB; the Portal uses its own cert and key to access the Grid Service with X.509 on the user's behalf.]

Trusted Portal
[Diagram: Browser, Portal (with User DB), MyProxy, Grid Service. The Browser authenticates to the Portal over TLS with a username and password; the Portal authenticates to MyProxy with its Portal cert and sends a cert request for that username; MyProxy returns the user's cert, which the Portal pairs with the key it generated to access the Grid Service with X.509.]

Password-based Portal Auth
[Diagram: Browser, Portal, MyProxy, Grid Service. The Browser sends a username and password to the Portal over TLS; the Portal forwards username, password and a cert request to MyProxy and receives the user's cert; the Portal uses that cert and key to access the Grid Service with X.509.]

Password-based Delegation
[Diagram: Delegator, Delegatee, MyProxy. The Delegator, authenticated by certificate over a TLS handshake, stores a credential in MyProxy under a username protected by a random password (password_random); the Delegator passes username and password_random to the Delegatee; the Delegatee performs its own TLS handshake with MyProxy, presents username and password_random with a certificate request, and receives a certificate and private key.]

Password-based Renewal
[Diagram: Client, MyProxy, Condor-G, GRAM Gatekeeper, Job. The Client submits a job to Condor-G with a proxy and the MyProxy password; Condor-G forwards proxy and job to the GRAM Gatekeeper, which runs the Job with the proxy; Condor-G uses the password to obtain a fresh proxy from MyProxy and forwards it to the gatekeeper and the running Job.]

Certificate-based Renewal
[Diagram: Client, Workload Management Service, Renewal Service, MyProxy, Condor-G, GRAM Gatekeeper, Job. The Client submits the job and proxy to the Workload Management Service; a Renewal Service authenticates to MyProxy with its own cert and key (X.509) and, subject to the user's stored policy, obtains renewed proxies that are passed via Condor-G and the GRAM Gatekeeper to the running Job.]

MyProxy and Web SSO
[Diagram: Browser, Pubcookie Login Server, PURSE, MyProxy, Portal A, Portal B, Grid Service. The Browser authenticates once with a password to the Pubcookie Login Server and receives a cookie that it presents to Portal A and Portal B; PURSE loads the user's cert into MyProxy under that password; each portal obtains the user's cert from MyProxy and accesses the Grid Service with X.509.]

SSO for Browser and Application (cookie)
[Diagram: Browser, Portal, JWS (Java Web Start) Application, MyProxy Server, Grid Service. The Browser authenticates to the Portal and receives a cookie; the Portal obtains a cert from the MyProxy Server with the cookie and launches the JWS Application, passing it the cookie; the Application presents the cookie to the MyProxy Server to obtain its own cert; Portal and Application each authenticate to the Grid Service with X.509.]

SSO for Browser and Application (random password)
[Diagram: Browser, Portal, JWS (Java Web Start) Application, MyProxy Server, Grid Service. The Browser authenticates to the Portal; the Portal obtains a cert from the MyProxy Server under a random password (password_random) and launches the JWS Application, passing it password_random; the Application presents password_random to the MyProxy Server to obtain its own cert and authenticates to the Grid Service with X.509.]

Demonstrations

Conclusion
- MyProxy: A Multi-Purpose Grid Authentication Service, used in many delegation and single sign-on scenarios
- MyProxy provides practical authentication solutions
  - Minimize changes to existing software and protocols
  - Leverage community standards: PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
- Active MyProxy open source community
  - Deploy new developments via MyProxy
  - Benefit from the work of others

Thank you! Obrigado!