GEC5 Security Summary Stephen Schwab Cobham Analytical Services July 21, 2009.

Published byMarjorie Hamilton Modified over 9 years ago

Similar presentations

Presentation on theme: "GEC5 Security Summary Stephen Schwab Cobham Analytical Services July 21, 2009."— Presentation transcript:

1 GEC5 Security Summary Stephen Schwab Cobham Analytical Services July 21, 2009

2 Outline GENI Security Architecture – plans GENI Clusters & Projects – status chart GENI Clusters – identity/authentication & authorization diagrams GENI Security call-outs for other notable projects

3 GENI Security Architecture Revised Document Posted on GENI wiki Includes “As-built” discussions on each control framework At least one more revision in August

4 Security Chart

5 PlanetLab Cluster B

6 Identifiers GID consists of –UUID generated as per RFC4122 v4 –HRN (resolvable nicknames) –A SSL X.509 Certificate with parent field The GID stored in subject-alt-name of certificate –The authority that is responsible for the entity authenticates it by signing the certificate

7 Authentication Authentication is done on the basis of the certificate that is signed by the responsible authority. Authentication implies no permission –the certificate just indicates identity

8 Identity and Authentication GID 1. Generate self-signed certificate authority. The PlanetLab Consortium serves as top-level slice, Slice and User Registry 3a. Request a GID by sending 1024-bit RSA public key 4. Register user with registry Slice Manager Planetlab Central Aggregate Manager 2. Register root certificate with registry 3. Register: PLC generates a certificate that includes a UUID (public key) and HRN in the subject-alt-name field. The subject- public-key contains the user public key. It signed by the PLC.

9 Authorization Based on credentials; credentials grants privileges to users

10 Aggregate Manager 4. GetTicket: the ticket is defined by a 5- tuple, (GIDCaller, GIDObject, Attribs, Rspec, Delegate). The GetTicket operation is completed by the AM Slice Creation GID Slice Authority PlanetLab Central 1. Verify user credentials and authorize him to perform slice creation 3. Request Ticket: User selects components, creates Rspec. If request is granted, the AM signs the request and returns a ticket 5. Redeem Ticket: User redeems the ticket causing the sliver to be created. The Rspec defines the resources bound to the slice. 7 Start Sliver: User requests sliver to be brought to running state Compute Cluster Network Storage Measurement Component Manager 2.List Resources: On behalf of the user, the SM calls each peer AM to learn of available resources. 6. SM maintains a database of all slices created with the resources used. Registries Slice & User Registry Resource Status Service

11 ProtoGENI Cluster C

12 Identifiers GID consists of –UUID (ex: a0f4) –HRN (resolvable nicknames) –A SSL Certificate The GID stored in DN of SSL certificate –Cert issued by home emulab that authenticates entity in GENI –DN also includes email address

13 Authentication Authentication is done on basis of the SSL certificate that is signed by the home emulab Authentication implies no permission, SSL certificate just indicates identity

14 Identity and Authentication GID ProtoGENI Slice Authority 1. Generate self-signed certificate authority, serves as root for Emulab. 2. Register root certificate with clearing house ClearingHouse Slice & User Registry Resource Status Service 3. Register: MA generates a certificate that includes a UUID (public key) and HRN in the DN field. 3a. Request a GID by sending hashed public key 4. Register user with Clearing house

15 Authorization Based on credentials; credentials grants privileges to users

16 Slice Creation GID 6b. AM sends copy of ticket to Slice Registry (who tracks resources in each slice). ClearingHouse Slice & User Registry Resource Status Service Compute Cluster Network Storage Aggregate Manager Measurement Slice Authority Home Facility 1. GetCredential: S A issues self credential authenticating user to perform actions 3. Register: SA registers the user and the slice 2. CreateSlice: User creates a new slice and receives a credential granting control over the slice 4. ListComponents: Requests list of all AM registered with the CH 5. DiscoverResources: User submits credentials and send request to each AM for detail resource lists (Rspecs) 6. RequestTicket: User selects components, creates Rspec. If request is granted, the AM signs the request and returns a ticket 7. RedeemTicket: User redeems the ticket causing the sliver to be created. 8. StartSliver: Client requests sliver to be brought to running state

17 Orca/Ben Cluster D

18 Identifiers GID consists of –RFC 4122-based GUIDS –Public Key –attributes

19 Identity and Authentication GID Shibboleth Identity Provider 1. Identity provider maintains registry of all other id providers including their GUID, keys, and attributes 2. Runs as a SOAP server, all messages are digitally signed as per WS-Security User Registry Principal Registry 5. Returns a RFC 4122 based GUID and security attributes 4. User request a GID by sending a public key via a browser interface 3. Each ID provider is responsible for the principals it registers. It maintains a local MySQL database.

20 Slice Creation 6. UpdateLease: The DA grants the service manager the resources as a lease. It includes the unit properties as assigned from the DA.. GID 0. Export Tickets: Delegate splitable tickets to broker. Attempts to honor all tickets issued by the broker Broker/ ClearingHouse Policy Module (applies attribs. from ID provider) Service Manager/ Slice Manager 1. Researcher/guest starts experiment creation using a web browser. Authenticated by the ID provider (not shown) 2. CreateSlice / GetTicket: user request allowed if he has the appropriate attributes and endorsed by ID. 5. RedeemTicket: The ticket is now presented to the DA along with configuration properties for setup of slice. Guest Handler (one per sliver) Domain Authority/ Aggregate Manager Site Policy (one per resource pool 3. UpdateTicket: broker grants ticket to the service manager that can be now redeemed from the domain authority. Each guest has a guest handler within the service manager. The ticket includes resource type properties.

21 DETER TIED Cluster A

22 Identifiers ID are triples –Testbed, project, user ex: (“DETER”,”proj1”,”faber”) Also defines federation IDs –160-bit SHA-1 hash of the public key –Avoids collisions when federating Triple name can use a fed-ID –(fedid:1234, “proj1”, “faber)

23 Authentication Authentication is done on the basis of the home testbed using public-private key pairs

24 Identity and Authentication TIED Federator/ Management Authority 2. Register federated testbed with clearing house/federator ClearingHouse / Federator Slice & User Registry Resource Status Service 3. Register: MA registers a new users with the testbed, associates him with a project, generates a fed-ID 4. Register user and fed-ID with Clearing house/federator 1. Create a name and fed-ID for testbed

25 Authorization Based on attributes assigned to user; project group is a type of attribute Attributes grant privileges to users

26 Experiment/Slice Creation GID 6b. Fedd sends a copy of CEDL to the CH (who tracks resources usage across GENI). Federated Fedds Slice & User Registry Resource Status Service Compute Cluster Network Storage Federator/ Slice Authority Measurement Federator/ Aggregate Manager Home Facility 1. User is authenticated by home facility aggregate manager for a federated exp. 4b. Register the user and the experiment with the CH 2. User initiates a federated experiments 3. Requests list of all testbed advertisements registered with the CH 4. User submits a canonical experiment description to the federator 5. Federator selects components, request resources from other testbeds. 6. Once all the resources are granted the experiment configuration begins 7. Grant the user complete control of the experiment Federated Fedds Slice & User Registry Resource Status Service Federated Fedds Slice & User Registry Resource Status Service

27 Orbit Cluster E No diagrams yet –Spiral 2 plans on-track to introduce security mechanisms to address Spiral 2 needs

28 Other Notable Projects Enterprise GENI –Controller off-loads security mechanisms from individual deployed switches Digital Object Registry –Provides for searching of identities beyond a single clearinghouse Million Node GENI –Language-based VM: restricted python

29 Questions What mechanisms should GENI be using for identity and authentication? What mechanisms should GENI be using for policy creation/definition/distribution and authorization? Should GENI security focus on yet-to-be- implemented or already-up-and-running features?

Download ppt "GEC5 Security Summary Stephen Schwab Cobham Analytical Services July 21, 2009."

Similar presentations

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Resource specification update for PlanetLab and VINI Andy Bavier Princeton University March 16, 2010.

Resource specification update for PlanetLab and VINI Andy Bavier Princeton University March 16, 2010.
PlanetLab Architecture Larry Peterson Princeton University.

PlanetLab Architecture Larry Peterson Princeton University.
Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Ads by Google