Presentation is loading. Please wait.

Presentation is loading. Please wait.

A responsibility based model EDG CA Managers Meeting June 13, 2003.

Published byHorace Benson Modified over 9 years ago

Similar presentations

Presentation on theme: "A responsibility based model EDG CA Managers Meeting June 13, 2003."— Presentation transcript:

1 A responsibility based model EDG CA Managers Meeting June 13, 2003

2 Trusts Authentication requires the following trusts: –Identity issued is unique –Identity is issued to the appropriate entity –Identity Signing Key is well protected –Compromised identities are revoked –Entity asserting the identity is authorized to hold the secret –Proxy has not been stolen + –Authentication token has not been forged or stolen

3 Managing the Risks The Pool of involved parties will grow, certainly in the near term, as the Grid grows. How will we manage the risks ? Reduce the threat –Improve private key management Reduce the impact of misuse –Restricted network connections –Validated executables –Throttled bandwidth Reduce the liability –Assign responsibilities clearly –Provide means for calling to task

4 Scenario A Grid job is submitted to a multiuser machine which contains a root escalation attack which takes all proxies from the attacked machines and copies all key files (private and public) from available user home areas. Who does what now ?

5 Walk through the responsibilities Cleanup requires: –Analysis of how the job was submitted and closing the hole. Rogue user ? Exploit of application hole on target resource ? Stolen user identity ? Stolen proxy ? Hacked submitting machine ? –Replacement of hacked machine’s credentials Pretty clearly responsibility of machine owner –Replacement of all stolen user credentials –Alert (?) of compromised proxies This may be minimized by checks in code that proxies are used by the machine to which they have been delegated.

6 Walk through the responsibilities Identity Issued is Unique –Discovered by overlapping namespaces or duplicate identities –Resolution left to CAs and enforced by signing policies used by relying parties Identity is issued to the appropriate entity –How discovered ? –Resolved by CAs invalidating misissued credentials (and issuing correct replacements) Identity Signing Key is well protected –Discovered by report of unauthorized use of Signing Key or discovery of compromised storage –Fixed by CA (how and what standards?) Compromised identities are revoked –Compromises have to be reported (by whom to whom and how ?) –How to tell if a revocation has not happened ? –Fixed by CAs updating revocation lists Entity asserting the identity is authorized to hold the secret –Discovered by finding the secret exposed or in possession of unauthorized party –Resolution requires interaction with user and certificate issuer. Fixed by Proxy has not been stolen –Discovered by finding machine compromises or misused proxies. –Fixed by custodian of proxy fixing the access hole.

Download ppt "A responsibility based model EDG CA Managers Meeting June 13, 2003."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Internet of Things Security Architecture

Internet of Things Security Architecture
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Security Q&A OSG Site Administrators workshop Indianapolis August 6-7 2009 Doug Olson LBNL.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Similar presentations

Ads by Google