A responsibility based model EDG CA Managers Meeting June 13, 2003.

Slides:

Advertisements

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Advertisements

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Chapter 14 – Authentication Applications

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Internet of Things Security Architecture

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Grid Security. Typical Grid Scenario Users Resources.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Globus Computing Infrustructure Software Globus Toolkit 11-2.

Security Management.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Operating Systems Protection & Security.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

King Mongkut’s University of Technology Faculty of Information Technology Network Security Prof. Reuven Aviv 6. Public Key Infrastructure Prof. R. Aviv,

Military Technical Academy Bucharest, 2004 GETTING ACCESS TO THE GRID Authentication, Authorization and Delegation ADINA RIPOSAN Applied Information Technology.

Identity in the Virtual World: Creating Virtual Certainty David L. Wasley Information Resources & Communications UC Office of the President.

Security Issues in a SOA- based Provenance System Victor Tan, Paul Groth, Simon Miles, Sheng Jiang, Steve Munroe, Sofia Tsasakou and Luc Moreau PASOA/EU.

CSE 543 Computer Security: Risks of PKI - Josh Schiffman & Archana Viswanath Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.

3-Nov-00D.P.Kelsey, HEPiX, JLAB1 Certificates for DataGRID David Kelsey CLRC/RAL, UK

Academia Sinica Grid Computing Certification Authority (ASGCCA)

National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz

Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.

Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

VOMS Attribute Authorities Michael Helm ESnet/LBNL 23 Feb 2007.

AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework pdf.

INFSO-RI Enabling Grids for E-sciencE NPM Security Alistair K Phipps (NeSC) JRA4 Face To Face, CERN, Geneva.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.

AAVS Middleware Security Group Bob Cowles CERN – September 14, 2005.

Alternative Governance Models for PKI

Authority Recognition GGF9

Secure Software Confidentiality Integrity Data Security Authentication

THE STEPS TO MANAGE THE GRID

CS 465 Certificates Last Updated: Oct 14, 2017.

TEL382 Greene Chapter 5.

Presentation transcript:

A responsibility based model EDG CA Managers Meeting June 13, 2003

Trusts Authentication requires the following trusts: –Identity issued is unique –Identity is issued to the appropriate entity –Identity Signing Key is well protected –Compromised identities are revoked –Entity asserting the identity is authorized to hold the secret –Proxy has not been stolen + –Authentication token has not been forged or stolen

Managing the Risks The Pool of involved parties will grow, certainly in the near term, as the Grid grows. How will we manage the risks ? Reduce the threat –Improve private key management Reduce the impact of misuse –Restricted network connections –Validated executables –Throttled bandwidth Reduce the liability –Assign responsibilities clearly –Provide means for calling to task

Scenario A Grid job is submitted to a multiuser machine which contains a root escalation attack which takes all proxies from the attacked machines and copies all key files (private and public) from available user home areas. Who does what now ?

Walk through the responsibilities Cleanup requires: –Analysis of how the job was submitted and closing the hole. Rogue user ? Exploit of application hole on target resource ? Stolen user identity ? Stolen proxy ? Hacked submitting machine ? –Replacement of hacked machine’s credentials Pretty clearly responsibility of machine owner –Replacement of all stolen user credentials –Alert (?) of compromised proxies This may be minimized by checks in code that proxies are used by the machine to which they have been delegated.

Walk through the responsibilities Identity Issued is Unique –Discovered by overlapping namespaces or duplicate identities –Resolution left to CAs and enforced by signing policies used by relying parties Identity is issued to the appropriate entity –How discovered ? –Resolved by CAs invalidating misissued credentials (and issuing correct replacements) Identity Signing Key is well protected –Discovered by report of unauthorized use of Signing Key or discovery of compromised storage –Fixed by CA (how and what standards?) Compromised identities are revoked –Compromises have to be reported (by whom to whom and how ?) –How to tell if a revocation has not happened ? –Fixed by CAs updating revocation lists Entity asserting the identity is authorized to hold the secret –Discovered by finding the secret exposed or in possession of unauthorized party –Resolution requires interaction with user and certificate issuer. Fixed by Proxy has not been stolen –Discovered by finding machine compromises or misused proxies. –Fixed by custodian of proxy fixing the access hole.