
1 SIMDAT Authentification and Autorisation. Matteo Dell’Acqua, ET-CTS meeting, Toulouse, 26-30 May 2008

2 VGISC security requirements
• Confidentiality – user information, sensitive data
• Data integrity
• User authentication
• Authorisation
• PKI
• Trust: trust domains, user roles, data policies

3 Virtual Organisation principles (diagram: nodes A, B, C, D, E, F)

4 Creation of trust domains (diagram: nodes A to F grouped into the trust domains VGISC1 and VGISC2)
• Agreement on user roles and data policies

5 Exchange of public keys (diagram: VGISC1, VGISC2)
• Data integrity, non-repudiation

6 B publishes a dataset with the data policy VGISC1.researcher

7 A registers John Smith with the VGISC1.researcher role

8 John Smith wants to access the dataset in B
• JS logs in to A and issues a request

9 John Smith wants to access the dataset in B
• A adds the user role VGISC1.researcher to the request, signs it with its private key, then sends it to B

10 John Smith wants to access the dataset in B
• B checks the signature of A against its known public keys
• B checks whether A is a member of VGISC1
• B trusts A to tell the truth about the user’s role
• B checks the role against the data policy

11 Li Yang is a registered user with D, with the role VGISC2.researcher

12 Li Yang wants data from B
• LY logs in to D and issues a request

13 Li Yang wants data from B
• D signs the request with its private key, adds the user role VGISC2.researcher to the request and sends it to B

14 Li Yang wants data from B
• B checks the signature of D against its known public keys
• D is either unknown, or not part of VGISC1. Access is denied.

15 John Smith requests a certificate
• JS logs in to A and requests a certificate

16 John Smith exports his certificate
• The certificate is created, contains the user’s roles and is signed by A

17 A is down… John Smith logs in to C with his certificate
• JS logs in to C with the certificate issued by A

18 A is down… John Smith logs in to C with his certificate
• C checks the signature of A against A’s public key
• C checks whether A is a member of VGISC1
• C adds the roles signed by A to the request
• C also signs the request
• The request is sent to B

19 A is down. John Smith logs in to C with his certificate.
• B checks the signatures of A and C against its known public keys
• B checks that A and C are members of VGISC1
• B trusts A to tell the truth about the user’s role
• B checks the role against the data policy
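The three flows on slides 8-19 (a request vouched for by the user's home node, a request from a node outside the trust domain, and a request carried on an attribute certificate after the home node is down) can be run end to end in the following model. It is an added example, not code from the presentation or from the SIMDAT project. It assumes a few things the slides leave open: HMAC secrets stand in for each node's private key (so the "known public keys" table holds the same secrets and the asymmetric trust property of real X.509 signatures is not modelled, only B's decision logic); E and F are placed in VGISC2; the dataset name `dataset-42` and the role string format `domain.role` are constructed.

```python
"""Toy model of the SIMDAT/VGISC trust-domain authorisation flow (slides 6-19).
Constructed example: HMAC stands in for node signatures, so this shows the
sequence of checks a receiving node makes, not real public-key trust."""
import hashlib
import hmac
import json

# Constructed keys, one per node A..F (toy stand-in for each private key).
NODE_KEYS = {n: hashlib.sha256(f"toy-key-{n}".encode()).digest() for n in "ABCDEF"}

# Trust domains. A, B, C in VGISC1 and D in VGISC2 follow the slides;
# placing E and F in VGISC2 is an assumption.
DOMAINS = {"VGISC1": {"A", "B", "C"}, "VGISC2": {"D", "E", "F"}}

# Keys exchanged among VGISC1 members (slide 5), i.e. what B and C hold.
VGISC1_KEYS = {n: NODE_KEYS[n] for n in DOMAINS["VGISC1"]}

# B's data policies: dataset name -> required role (dataset name constructed).
B_POLICIES = {"dataset-42": "VGISC1.researcher"}


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, payload: dict) -> dict:
    """Node `signer` signs a payload with its (toy) private key."""
    mac = hmac.new(NODE_KEYS[signer], _canonical(payload), hashlib.sha256)
    return {"signer": signer, "sig": mac.hexdigest()}


def verify(signature: dict, payload: dict, known_keys: dict) -> bool:
    """Verify against the receiver's table of known node keys."""
    key = known_keys.get(signature["signer"])
    if key is None:
        return False  # no key was ever exchanged with this node
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["sig"])


def authorize(request: dict, signatures: list, known_keys=VGISC1_KEYS,
              policies=B_POLICIES) -> tuple:
    """B's checks from slides 10, 14 and 19; returns (decision, reason)."""
    required = policies.get(request["dataset"])
    if required is None:
        return ("DENY", "no data policy for dataset")
    domain = required.split(".", 1)[0]
    # Every node that signed the request must be known and in the policy's domain.
    for s in signatures:
        if not verify(s, request, known_keys):
            return ("DENY", f"unknown signer or bad signature: {s['signer']}")
        if s["signer"] not in DOMAINS[domain]:
            return ("DENY", f"{s['signer']} is not a member of {domain}")
    # Roles come from the request body or from an attribute certificate.
    roles = list(request.get("roles", []))
    cert = request.get("cert")
    if cert is not None:
        issuer = cert["sig"]["signer"]
        if not verify(cert["sig"], cert["payload"], known_keys):
            return ("DENY", f"certificate signature from {issuer} invalid")
        if issuer not in DOMAINS[domain]:
            return ("DENY", f"certificate issuer {issuer} not in {domain}")
        if cert["payload"]["user"] != request["user"]:
            return ("DENY", "certificate subject does not match request")
        roles += cert["payload"]["roles"]
    if required not in roles:
        return ("DENY", f"roles {roles} do not satisfy policy {required}")
    return ("ALLOW", f"{required} asserted by trusted member(s) of {domain}")


def john_smith_via_a() -> tuple:
    """Slides 8-10: A vouches for the role and signs the request."""
    req = {"user": "John Smith", "dataset": "dataset-42", "roles": ["VGISC1.researcher"]}
    return authorize(req, [sign("A", req)])


def li_yang_via_d() -> tuple:
    """Slides 12-14: D signs, but B has no key for D and D is not in VGISC1."""
    req = {"user": "Li Yang", "dataset": "dataset-42", "roles": ["VGISC2.researcher"]}
    return authorize(req, [sign("D", req)])


def make_certificate(issuer: str, user: str, roles: list) -> dict:
    """Slides 15-16: an attribute certificate carrying roles, signed by issuer."""
    payload = {"user": user, "roles": list(roles)}
    return {"payload": payload, "sig": sign(issuer, payload)}


def john_smith_via_c(cert: dict) -> tuple:
    """Slides 17-19: A is down; C validates A's certificate, then forwards the
    request under its own signature so that B sees both A and C."""
    if not (verify(cert["sig"], cert["payload"], VGISC1_KEYS)
            and cert["sig"]["signer"] in DOMAINS["VGISC1"]):
        return ("DENY", "C rejected the certificate")
    req = {"user": "John Smith", "dataset": "dataset-42", "cert": cert}
    return authorize(req, [sign("C", req)])


def tampered_certificate() -> tuple:
    """Roles edited after A signed: the signature no longer verifies at C."""
    cert = make_certificate("A", "Li Yang", ["VGISC2.researcher"])
    cert["payload"]["roles"] = ["VGISC1.researcher"]  # forged role claim
    cert["payload"]["user"] = "John Smith"
    return john_smith_via_c(cert)
```

Calling `john_smith_via_a()`, `li_yang_via_d()` and `john_smith_via_c(make_certificate("A", "John Smith", ["VGISC1.researcher"]))` reproduces the three outcomes on the slides; `tampered_certificate()` shows why slide 5's key exchange matters, since a role edited after issuance fails verification before any policy is consulted. The deny reasons are ordered the way the slides order the checks: signature, then domain membership, then role against policy.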

20 SIMDAT allows other trust domains to be created (diagram: VGISC1, VGISC2, Project X)

21 SIMDAT allows other trust domains to be created (diagram: VGISC1, VGISC2, Project X, WMO?)

22 Development status
• Development of the Domain Authority: Authorization Engine
  – Support for domains
  – X509 certificates used to check exchanged messages and security tokens [use of a PKI with several CAs]
  – Support for attribute certificates containing the user’s roles
  – SAML tokens
  – Support for data policies qualifying the datasets. They have two components: domain.policy
  – Development of a user database on each node to locally manage the users and roles. Users only known at DWD will access some datasets at Meteo-France

23 Development status
• Development of tools to manage the VO
  – Web admin interface for the node: create/delete domain, add/remove domain member, import domain members’ certificates, add/create user, add/remove user’s roles
  – Development of command-line tools offering the same services as the web interface
• Use of NTP to synchronize all the Catalogue Nodes
  – To always deliver valid SAML tokens

24 Conclusion
• There is a need to have different authorization schemes
  – Some datasets will be accessible once the terms and conditions have been accepted. Fairly weak security: the user will self-register; the portal automatically associates some roles to the user once the user has agreed to the terms and conditions
  – Some datasets have to be very well protected and only accessible to a number of registered users. High level of security: an admin will register the users and associate roles to these users
• There might be a need to support several Authz token formats

