Password?. Project CLASP: Common Login and Access rights across Services Plan


1 Password?

2 Project CLASP: Common Login and Access rights across Services Plan http://cern.ch/proj-CLASP

3 Outline
• What is CLASP? - Project Goal
• Why launch this project now?
• What is included? - Project Scope
• Project Status
  - Service Survey & Feasibility Study
• Technology
  - Kerberos, LDAP, PKI, Certificates
• Summary

4 Goal
• Propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use
“Single Sign On” + Access Control

5 Why launch this project now?
• The number of login/passwords has become a frustration for the user community
• The number of services continues to grow
• Initiatives towards a common login id and password synchronisation are in progress
• Windows 2000 and Linux 2000 provide an opportunity for further improvement
• Technologies such as Kerberos v5, PKI, Certificates & LDAP are becoming mature
• Can we have a common solution across services?

6 Project Scope
• Address computing services offered by at least IT and AS Divisions
• Normal user access from in or outside CERN
• Target W2000 and Linux for web, mail, telnet, X and file access
• Focus on a common solution, even if it does not cover all services today
• Not a “security project” - but elimination of clear-text passwords is desirable

7 The final proposal will include:
• A proposed common authentication and authorisation mechanism
• A plan for introducing the mechanism
• A list of services covered
• Recommendations for services not covered
• An opt-out mechanism for special cases
• Security levels achievable, including a password (check & change) policy
• An assessment of the impact on users and service providers both at CERN and other sites

8 Project Status
Project Mandate (Dec 1999):
• Goal, Background, Purpose, Scope, Phases
  http://cern.ch/proj-clasp
Phase 1 (Jan - Apr 2000):
• Service Survey and Feasibility Study
  - what do we have now and what is possible for the future
Phase 2 (from May 200):
• Final Proposal and Detailed Plan
Phase 1 will define the steps required for Phase 2

9 Kerberos
• A network authentication protocol created by MIT, based on encrypted tickets
• Kerberos v5 has better security and cross-realm authentication than previous versions
• Kerberos v5 is in W2000, Solaris 8, and the public domain (e.g. for Linux)
  - integration with AFS (Kerberos v4) is possible
• Not all applications offer a Kerberos interface, but its popularity is growing
  - GSS-API allows Kerberos authentication
• FNAL’s “Strong Authentication Project” is based on Kerberos v5

10 LDAP
• LDAP = Lightweight Directory Access Protocol
• Applications can authenticate using passwords on LDAP servers
  - tested for imap and http(s) protocols
• X.509 certificates used for authentication are stored in LDAP servers
• Authorisation groups can be stored on LDAP servers
  - tested for web page access

11 PKI and Certificates
• PKI = Public Key Infrastructure
• Electronic keys are stored in certificates
• Authentication on the scale of the Internet
  - Based on public and private keys used for encryption
  - Public keys are accessible to the Internet
• Current use is still quite limited
  - certificates are used for encryption in e-commerce
  - Eurocard (SET) uses PKI to authenticate who a person really is
  - PKI is used for web based GRID applications - being evaluated for LHC wide area computing

12 Summary
• CLASP will propose a plan for common login and access rights across CERN services
  - focus on W2000 and Linux platforms for general use (e.g. web, mail, file access, telnet, X)
  - acceptance by service managers and user community
• Cross-platform technology for authentication and access control is maturing
  - native Kerberos in W2000 and UNIX platforms
  - advances in e-commerce (certificates, smart cards)
  - LDAP servers used for passwords and access groups
• Service survey and feasibility study are in progress
  - in collaboration with CERN “service providers”

