Presentation is loading. Please wait.

Presentation is loading. Please wait.

CLASP Project AAI Workshop, Nov 2000 Denise Heagerty, CERN

Published byHengki Yuwono Modified over 5 years ago

Similar presentations

Presentation on theme: "CLASP Project AAI Workshop, Nov 2000 Denise Heagerty, CERN"— Presentation transcript:

1 CLASP Project AAI Workshop, 20-21 Nov 2000 Denise Heagerty, CERN
Password? Password? Password? Password? Password? Password? Password?

2 Outline Project goal Feasibility study results Key applications
Kerberos v5 advantages Smart cards Platform independent access control Next steps for the project

3 Project Goal Propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use “Single Sign On” + Access Control

4 Feasibility Study Results
Kerberos v5 provides a good basis for common authentication and Single Sign On available in W2000, Linux RH v6.2, Solaris 8 standard application interfaces (RFC 2078, MS-SSPI) Some PKI (Public Key Infrastructure) is required for GRID applications Can be integrated with Kerberos v5 Single Sign On Enhanced security is essential to overcome the vulnerability of the initial sign on We need to control the explosion of web loginid/password pairs need to consider non-Kerberos solution

5 Key applications known to support Kerberos v5
Mail IMAP server (U of Washington) - Yes! Outlook and Pine - Yes! Netscape - No Interactive Commands telnet, ftp, rcp, rlogin: UNIX - Yes! / W Yes? Exceed: Yes! File Access (single platform) AFS - Yes (via Kerberos v4 extension on UNIX KDC) Microsoft DFS: W Yes! Web Internet Explorer - Yes

6 Kerberos v5 Advantages Common authentication technology across W2000 and UNIX platforms can focus expertise on a single protocol A basis for cross-platform Single Sign On Requires kerberized applications Allows authentication agreements with trusted remote sites using cross-realm authentication Integrates with GRID Single Sign On Proxy certificates generated from Kerberos TGTs Integrates with PKI PKINIT: from a certificate you can obtain a TGT

7 Kerberos Realms W2000 Realm UNIX Realm W2000 clients and servers
Common Database W2000 Realm UNIX Realm KDC1 KDC2 W2000 clients and servers UNIX clients and servers

8 Smart Cards can store a user certificate and private key
protected by a PIN code, normally requested each time the certificate is used Could be combined with new CERN physical access cards (at extra cost for the chip and writer) UBS smart card could be used for CERN authentication Globus works with Netscape on a PC (PKCS#11) readers connect to PCMCIA, serial, USB ports integrates with Kerberos v5 using PKINIT early technology - compatibility problems Not a general solution for off-site access requires card readers at all remote sites and systems

9 Platform-Independent Access Control
Centrally defined “e-groups” electronic grouping of people/accounts defined centrally and made available to applications web interface with access to personnel database LDAP / Active Directory play a key role Key/Initial applications: distribution lists web page protection file protections

10 Next Steps Implementation plan for the base authentication service (Feb 2001) Kerberos v5 with support for AFS/v4 and certificates Implementation plans for services (Feb2001) mail, web, interactive (login, telnet, ftp, Exceed, ssh), file (AFS, Windows DFS), batch (LSF), Oracle and future GRID services Final Recommendations (May 2001) security review, password (check and change) policy, opt-out mechanism, off-site access, platform independent access control for web pages, files and lists

11 CLASP studies have been made in collaboration with many colleagues both inside and outside CERN - Thanks! Password? Password? Password? Password? Password? Password? Password?

Download ppt "CLASP Project AAI Workshop, Nov 2000 Denise Heagerty, CERN"

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
PowerPoint presentation of first 25 pages of instructional manual Edith Fabiyi Essentials of Internet Access.

PowerPoint presentation of first 25 pages of instructional manual Edith Fabiyi Essentials of Internet Access.
Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.

Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.

Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.

Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Password? CLASP Phase 2: Revised Proposal C5 Meeting, 16 February 2001 Denise Heagerty, IT/IS.

Password? CLASP Phase 2: Revised Proposal C5 Meeting, 16 February 2001 Denise Heagerty, IT/IS.
HEPNT/HEPiX meeting Oct 6, 1999 1 Securing mail access with Kerberos and SSL Wolfgang Friebel DESY.

HEPNT/HEPiX meeting Oct 6, Securing mail access with Kerberos and SSL Wolfgang Friebel DESY.
X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster

X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Similar presentations

Ads by Google