Presentation is loading. Please wait.

Presentation is loading. Please wait.

A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006."— Presentation transcript:

1 A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006

2 19 Sept 062 This talk The ESP-GRID project What is Shibboleth? Our requirements for grid security –How we usually express those requirements –What are the real requirements? Shibboleth vs (usual GSI-style) PKI –Assertion of permanent identifier versus –Assertion of current membership and suitability

3 19 Sept 063 The ESP-GRID Project The Evaluation of Shibboleth and PKI for Grids (ESP-GRID) Project –Ran July 04 to June 06 Aim was to investigate whether and how Shibboleth offers solutions to issues of grid authentication, authorisation and security The first questions we hit were: –Do we really need explicit IDs asserted everywhere? –What would make things scalable?

4 19 Sept 064 Unforgeable or unrevocable? What’s the best situation? –Using unforgeable paper that lasts for 10 years –or… –Checking with a trusted colleague to vouch for you every time ?? The answer is (obviously) “it depends” It’s all about authorisation…

5 19 Sept 065 What is Shibboleth? “Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation” –It’s not strictly an authentication mechanism –Nor an authorisation mechanism It enables both But in plainer speaking…

6 19 Sept 066 What is Shibboleth? It’s all about how to transmit the authorisation and role information from your home institution to outside service providers And how those service providers can ask for that information Access management and the communication of authorisation credentials Aims: to separate authentication from authorisation –Devolve authentication to the ‘home’ organisation –Devolve the management of authorisation information as well

7 19 Sept 067 Can we use it on grids? It’s not quite that easy! –Grids tend to use X.509 digital certificates (Centrally/Nationally issued) A bit hard to use (but that’s a different matter) –Shibboleth is (so far) based in the web world HTTP only –Some grid people think that Certificates = secure University libraries/SSO = insecure –(This is probably wrong, but grids do need higher security)

8 19 Sept 068 Grid security: what are we trying to secure? Current grid users have quite a deep level of control over the host machines If you compare them with web browser/readers, for example Is this scaleable to high numbers of users? Surely these people are Power Users (and we just haven’t got many Regular Users yet)? Are personal digital certificates suitable for Power Users and something else (e.g. Shib) good for ordinary Users?

9 19 Sept 069 Should we devolve ID management? (Shibboleth is an ideal model for this) Currently we use 12 month credentials, checked once (possibly years ago) And trust that the user hasn’t gone bad, or if s/he does, we’ll somehow get to hear about it When ID management is devolved: Less central control of user policies (bad) When someone steals something, they get their accounts immediately suspended (good)

10 19 Sept 0610 Should we devolve ID management? (2) (Shibboleth is an ideal model for this) Maybe we can’t trust the local ID managers –They might be really sloppy with their ID management! But we trusted the University Card that they issued –So we were trusting them all along!?!

11 19 Sept 0611 GSI-style PKI: it’s identity, not AuthZ We all know that you should separate authentication and authorisation But having a certificate tends to mean that ‘you’re a member of the community for a year’ –That’s mixing authN and authZ It would be OK if someone had a long term certificate (e.g. 10 years) and we had sophisticated authZ

12 19 Sept 0612 Emotional security “We must know who everyone is in case they do something bad” –Do we really mean that? How about: “If someone/something does something bad (on purpose or otherwise), I need to suspend their jobs and their activity until they are identified and dealt with” –So maybe you don’t need to know their ID up front?

13 19 Sept 0613 Real requirements Rapid suspension –Get the bad thing to stop ASAP and you could go for slower (human mediated) identification/revocation? (It’s not outside the requirement) Identification of wrong-doers Revocation of credentials for deliberate wrong- doers These are the real requirements. The supposed requirement of needing to know an ID ‘up front’ is one solution for these requirements.

14 19 Sept 0614 A case for Shibboleth If we agree that… –numbers of users will grow –most current users are Power Users –most (future) regular users will be less technical –most regular users will be interested in (predictable) applications –(and maybe) we will have methods to deal with rogue users and jobs based upon suspend and then investigate then Shibboleth is attractive

15 19 Sept 0615 Grids use GSI But grids are based on Grid Security Infrastructure –Tied inextricably to X.509 digital certificates Grids do have greater need for high security What about people using (e.g.) portals with applications in portlets? –The portal could authenticate them using username/password – or even via Shibboleth –The portal talks to the grid using GSI –(See other paper for the Customer-Service Provider model)

16 19 Sept 0616 The C-SP model

17 19 Sept 0617 A last word about “identity” Is your identity a unique (scoped) identifier? e.g. citizen 0001234567.uk (or mark o norman@oucs o ox o ac o uk) Or is your identity a whole list of things? e.g. member of oucs, member of oerc, member of Oxford University, part of ESP-GRID project, staff, “Mark Norman”, male?

18 A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006

Download ppt "A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006."

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Digital Certificate Operation in a Complex Environment Matthew J. Dovey Oxford University Computing Services.

Digital Certificate Operation in a Complex Environment Matthew J. Dovey Oxford University Computing Services.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.

ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
ESP-GRID The case for devolved authentication: over-centralised security doesn't work JISC Core Middleware meeting at NeSC: Developments within Security.

ESP-GRID The case for devolved authentication: over-centralised security doesn't work JISC Core Middleware meeting at NeSC: Developments within Security.

Similar presentations

Ads by Google