Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.

Slides:

Advertisements

Similar presentations

Internet Protocol Security (IP Sec)

Advertisements

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Lecture 23 Internet Authentication Applications

Grid Security. Typical Grid Scenario Users Resources.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Core Web Service Security Patterns

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Web services security I

OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Chapter 10: Authentication Guide to Computer Network Security.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015.

Environment for Management of Experiments on the Grid Master of Science Thesis AGH University of Science and Technology, Krakow, Poland Faculty of Electrical.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Computer Science and Engineering 1 Service-Oriented Architecture Security 2.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:

Lecture 10 Single Sign-On systems. What is Single Sign-on? Lets users authenticate themselves once and access different applications without re-authentication.

Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)

Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.

出處 :2010 2nd International Conference on Signal Processing Systems (ICSPS) 作者 :Zhidong Shen 、 Qiang Tong 演講者 : 碩研資管一甲吳俊逸.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.

Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

Security, Accounting, and Assurance Mahdi N. Bojnordi 2004

Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.

Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Security.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.

Approaching Fine-grain Access Control for Distributed Biomedical Databases within Virtual Environments Onur Kalyoncu, Yi Pan, Matthias Assel High Performance.

Web Services Security Patterns Alex Mackman CM Group Ltd

Task Force CoRD Meeting / XML Security for Statistical Data Exchange Gregory Farmakis Agilis SA.

1 Active Directory Service in Windows 2000 Li Yang SID: November 2000.

4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.

Distributed Systems Ryan Chris Van Kevin. Kinds of Systems Distributed Operating System –Offers Transparent View of Network –Controls multiprocessors.

Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()

Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.

Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.

Access Policy - Federation March 23, 2016

Secure Software Confidentiality Integrity Data Security Authentication

Data and Applications Security Developments and Directions

Secure Sockets Layer (SSL)

Configuring and Troubleshooting Routing and Remote Access

ESA Single Sign On (SSO) and Federated Identity Management

NAAS 2.0 Features and Enhancements

Presentation transcript:

Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis

Outline ViroLab as an example of a virtual laboratory. Motivation and goals. Security related algorithms, standards, protocols and frameworks. Threat model and requirements. Security system architecture. How ShibIdpCliClient works. Validation and evaluation. Conclusions and further work.

The ViroLab Virtual laboratory – software enabling creating in-silco experiments. Various types of users (computer scientists, virologists, doctors). VL runtime system:  uses computational services and data sources running on the Grid infrastructure,  provides access via dedicated interfaces.

Motivation for the work Necessity for complex federated security solution for the ViroLab. Solution must be user-friendly. Need for integration with external partners security components created for the Web part. Requirement to adapt Shibboleth to make it feasible for non-Web solutions.

Goals Analysis of existing security solutions and frameworks. Identification of elements that might be useful in creation of the complete solution. Creation of a formal threat model for the infrastructure. Enumeration system requirements. Discussion of the system architecture. Design and implementation of following system components: ShibIdpClient, ShibIdpCliClient, MOCCA Shibboleth Authenticator, Policy Distribution Point (PDistP), its client and administrator panel. Perform system validation and evaluation.

Algorithms, solutions and frameworks Cryptographic algorithms: Symmetric (AES) and asymmetric (RSA) encryption, key-exchange (Diffie-Helman), cryptographic hashes (SHA1, SHA2), Keyed-Hash Message Authentication Code (HMAC-SHA1) Standards and protocols: Public Key Infrastructure, Public-key certificates, Transport Layer Security, Security Assertion Markup Language Frameworks: GSI (certificates based solution), Shibboleth (federated SSO and attribute based authorization provider), GridShib and ShibGrid (integration of GSI services with Shibboleth), OpenID (identity management solution)

Threat model Security requirements – authentication, credential delegation, authorization, confidentiality, integrity, availability and non- repudiation. Assets protected by the system: medical databases, users databases, experiments, results as well as computers and network resources. Threats against the assets: databases theft or modification, using computational or network resources for criminal purposes (password cracking, network attacks like DDoS). Possible attacks (like eavesdropping, man-in-the-middle, users passwords cracking, phishing or other social engineering techniques, pharming).

Chosen solution As a predefined constraint solution must be compatible with Shibboleth. It was decided that it is feasible to just adapt Shibboleth framework, without introducing other frameworks. Adaptation required creation of following tools:  ShibIdpClient and ShibIdpCliClient,  Shib Authenticator for MOCCA/H2O,  Policy Distribution Point for MOCCA.

General architecture Solution integrates custom elements with the IdP either directly using SAML protocol (ShibIdpClient) or indirectly through third party component (ShibAuthAPI/ShibRPC) using XML-RPC protocol (MOCCA/H2O authenticator)‏ IdP – Shibboleth Identity Provider consistent of Single Sign-On and Attributes Authority. ShibIdpClient – allows handle acquisition. Shib Authenticator – provides Shibboleth protected access to MOCCA/H2O. PDistP – distributes local MOCCA policies.

ShibIdpCliClient 1. Run - run the software. 2. Req. credentials – ask user for credentials. 3. Send credentials - user gives his/her credentials. 4. Authenticate - client authenticates to the SSO. 5. Send SAML - SSO sends back SAML. 6. Send handle - client extracts handle from the assertion.

System validation Automatic security auditing has been performed on key system components:  ShibIdpClient was provided with combinations of valid and invalid credentials and SSO certificates, only combination of valid credentials and certificate yielded proper handle,  Shib Authenticator was provided with combinations of valid/invalid handles, and attributes trusted/untrusted by ShibRPC or MOCCA policies, just combination of valid handle for user with attributes trusted by both entities allowed access,  Policy Distribution Point was validated by successfully verifying that authentication method would not accept invalid credentials and that authorization mechanism would prevent anyone to run restricted methods without valid Session ID identifying user with role appropriate for the method.

Performance evaluation Test environment consists of two identical servers connected with LAN, that had following specification:  CPU: 2xIntel Xeon 5150 (2.66 GHz)‏  Physical RAM: 4 GB  SWAP: 8 GB  Connectivity: 1 GBit Ethernet

Performance evaluation Each key component was evaluated:  ShibIdpClient allows requesting handle valid for 8 hours in less then 1s  MOCCA authenticator uses up about 700 ms to authorize the user  Execution of remote PDistP method takes less then 100 ms Those results are well within acceptance tolerance, especially taking into account complicated nature of this processes.

Validation of the Integration Following components integration validation were successfully performed:  ShibIdpClient with ShibIdpCliClient, EPE and standalone version of EMI  MOCCA Authenticator with MOCCA/H2O  Policy Distribution Point Client with MOCCA  Policy Distribution Point with its client  Policy Distribution Point with administrator panel.

Conclusions Goals planned before creation of this work has been fully achieved:  security solutions and frameworks (PKI, TLS, SAML,GSI, Shibboleth ShibGrid, GridShib and OpenID) were analyzed,  elements that might be useful for creation of the complete solution were identified (direct Shibboleth use or using GridShib),  formal threat model was created,  system requirements were enumerated (including authentication, authorization, credential delegation, confidentiality, integrity, user friendliness and scalability),  architecture of the system were discussed and described in the thesis and on this presentation,  ShibIdpClient, ShibIdpCliClient, MOCCA Shibboleth Authenticator, PDistP, its client and administrator’s panel were designed and implemented,  validation and evaluation have been performed.

Future work The work will be continued to:  augment solution with new functionality like fully automated method of updating ShibIdpClient trusted certificates and configuration,  add support for newest third-party software (like Shibboleth 2.0),  adapt the software to support security for VL part of the PL-Grid infrastructure.

Web Sites