Password? Project CLASP: Common Login and Access rights across Services Plan

Outline

- What is CLASP? - Project Goal
- Why launch this project now?
- What is included? - Project Scope
- Project Status: Service Survey & Feasibility Study
- Technology: Kerberos, PKI, Certificates
- Summary

Goal

- Propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use

"Single Sign On" + Access Control

Why launch this project now?

- The number of login/passwords has become a frustration for the user community
- The number of services continues to grow
- Initiatives towards a common login id and password synchronisation are in progress
- Windows 2000 and Linux 2000 provide an opportunity for further improvement
- Technologies such as Kerberos v5, PKI, Certificates & LDAP are becoming mature
- Can we have a common solution across services?

Project Scope

- Address computing services offered by at least IT and AS Divisions
- Normal user access from in or outside CERN
- Target W2000 and Linux for web, mail, telnet, X and file access
- Focus on a common solution, even if it does not cover all services today
- Not a "security project" - but elimination of clear-text passwords is desirable

The final proposal will include:

- A proposed common authentication and authorisation mechanism
- A plan for introducing the mechanism
- A list of services covered
- Recommendations for services not covered
- An opt-out mechanism for special cases
- Security levels achievable, including a password (check & change) policy
- An assessment of the impact on users and service providers both at CERN and other sites

Project Status

Project Mandate (Dec 1999):
- Goal, Background, Purpose, Scope, Phases

Phase 1 (Jan - Apr 2000):
- Service Survey and Feasibility Study: what do we have now and what is possible for the future

Phase 2 (from May 2000):
- Final Proposal and Detailed Plan

Phase 1 will define the steps required for Phase 2

Phase 1 Goals

- Document the current login/password mechanisms used on IT and AS services
- Assess the feasibility of Kerberos v5 and/or other technology as a common authentication mechanism for the planned Windows 2000 & Linux 2000 environments
- Investigate possibilities for platform independent access control
- Obtain acceptance of service managers and user community
- Propose next steps, including personnel and budget estimates

Kerberos

- A network authentication protocol created by MIT, based on encrypted tickets
- Available in W2000, Solaris 8, AFS, public domain versions (e.g. for Linux)
- Not all applications offer a Kerberos interface, but its popularity is growing
- Kerberos version 5 has better security and improved cross-realm authentication
- FNAL's "Strong Authentication Project" is based on Kerberos version 5
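As an added illustration of the "encrypted tickets" idea on this slide (example code, not part of the original presentation or of the CLASP project): a toy Kerberos-style AS/TGS/AP exchange in which the user enters a password once, the password never crosses the wire, and each service verifies its ticket with its own long-term key. The realm, user and service names, the registered password and the SHA-256/HMAC toy cipher are assumptions made for the example.

```python
import hashlib, hmac, json, os
# Toy cipher (SHA-256 keystream + HMAC tag) standing in for Kerberos encryption types;
# constructed for this illustration only, not a real or secure cipher.
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def enc(key, obj):
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def string_to_key(realm, user, password):  # long-term key derived from the password
    return hashlib.sha256(f"{realm}/{user}:{password}".encode()).digest()

class KDC:
    def __init__(self, realm, keys):       # keys: principal name -> long-term key
        self.realm, self.keys, self.tgs_key = realm, keys, os.urandom(32)
    def as_exchange(self, user):           # AS-REQ carries only the name, never the password
        sk = os.urandom(32).hex()
        tgt = enc(self.tgs_key, {"user": user, "sk": sk})   # TGT: opaque to the client
        return tgt, enc(self.keys[user], {"sk": sk})        # only the right user key opens this
    def tgs_exchange(self, tgt, authenticator, service):
        t = dec(self.tgs_key, tgt)
        if dec(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise PermissionError("authenticator does not match TGT")
        ssk = os.urandom(32).hex()
        return (enc(self.keys[service], {"user": t["user"], "sk": ssk}),
                enc(bytes.fromhex(t["sk"]), {"sk": ssk}))

def service_accept(service_key, ticket, authenticator):
    t = dec(service_key, ticket)           # the service checks the ticket with its own key
    a = dec(bytes.fromhex(t["sk"]), authenticator)
    return t["user"] if a["user"] == t["user"] else None

def single_sign_on(password, services, realm="CERN.CH", user="alice"):
    # One password entry, then a ticket per service; returns the name each service accepted.
    keys = {user: string_to_key(realm, user, "correct horse"),   # registered password (assumed)
            **{s: os.urandom(32) for s in services}}
    kdc = KDC(realm, keys)
    tgt, blob = kdc.as_exchange(user)
    sk = bytes.fromhex(dec(string_to_key(realm, user, password), blob)["sk"])  # fails if wrong
    accepted = []
    for s in services:
        ticket, b2 = kdc.tgs_exchange(tgt, enc(sk, {"user": user}), s)
        ssk = bytes.fromhex(dec(sk, b2)["sk"])
        accepted.append(service_accept(keys[s], ticket, enc(ssk, {"user": user})))
    return accepted
```

A wrong password is detected by the client failing to decrypt the AS reply (a ValueError here), with nothing password-derived ever sent to the KDC or to the services.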

PKI and Certificates

- PKI = Public Key Infrastructure
- Electronic keys are stored in certificates
- Authentication on the scale of the Internet
  - Based on public and private keys used for encryption
  - Public keys are accessible to the Internet
- Current use is still quite limited
  - certificates are used for encryption in e-commerce
  - Eurocard (SET) uses PKI to authenticate who a person really is
  - PKI is used for web based GRID applications - being evaluated for LHC wide area computing

Summary

- CLASP will propose a plan for common login and access rights across CERN services
  - Focus on W2000 and Linux platforms for general use (e.g. web, mail, file access, telnet, X)
  - Acceptance by service managers and user community
- Cross-platform technology for authentication and access control is maturing
  - Native Kerberos in W2000 and UNIX platforms
  - advances in e-commerce (certificates, smart cards)
  - PKI (Public Key Infrastructure) in GRID applications
- Service survey and feasibility study are in progress in collaboration with CERN "service providers"