Presentation is loading. Please wait.

Presentation is loading. Please wait.

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Published byShauna Hill Modified over 8 years ago

Similar presentations

Presentation on theme: "National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements."— Presentation transcript:

1 National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements Jim Basney jbasney@ncsa.uiuc.edu http://www.ncsa.uiuc.edu/~jbasney/

2 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Online Credential Retrieval Defined ClientServer Authenticate Request Credential Verify Authorization Retrieve Credential

3 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Motivation for OCR Credential management –Securely manage credential files on user’s behalf –Ease use of multiple credentials Credential translation –Single sign-on to multiple authentication mechanisms and domains Credential renewal by trusted services –Alternative to delegating long-lived proxies Indirect credential delegation –Example: web portals

4 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science OCR Examples ServiceAuth MethodCredential MyProxyPasswordX509 user proxy K5CertKerberosK5 CA issued X509 cert CASGSIX509 community proxy GSIklogGSIAFS token SSLK5SSLKerberos ticket Kerberos KDCAS_REQ+preauthKerberos ticket CAOOB or IAKCA issued X509 certificate

5 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science OCR Implementations Online Credential Authority –Examples: Online CA, Kerberos KDC –Creates credentials on demand –Vulnerability of authority’s private key a concern Encrypted credential repository –Credentials stored encrypted in the repository –Credentials may be opaque to protocol and repository –Requires client to decrypt credentials on receipt Delegating credential repository –Unencrypted credential stored in repository –Server delegates credential to client

6 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Proposed GGF Activity OCR Requirements document –What OCR services are needed for Grids? OCR Framework document –Address policy issues of credential repositories, credential translation, credential renewal –Recommendations for interoperability OCR Protocol document –Define an OCR protocol framework that enables interoperability between different types of OCR services –Share mechanisms between OCR implementations (auditing, delegation tracing, event notification, etc.)

7 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Standards Activity IETF SACRED WG –Credential format MUST be opaque to the protocol –Protocol MUST NOT force credentials to be present in clear text on the server IETF PKIX WG –Online Certificate Authorities –Certificate request may include Initial Authentication Key

8 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Protocol Requirements Mutual authentication –Client-side configuration required to authenticate server Multiple authentication mechanisms –Password, GSI, Kerberos Delegate different credential types –X509 cert, X509 proxy, Kerberos ticket Client can choose among available credentials –Query available credentials and choose –Request credential that meets specification Administrative protocols –Credential upload and remove –Authorization control (user, administrator, and community) OGSA-compliant

9 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science OCR Issues Authorization Restricted delegation Delegation tracing across multiple mechanisms Audit trail Notification services Compatibility with site security policies Availability/Replication

10 National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Discussion Is there a need for OCR services in the Grid? –If so, what types of OCR services are needed? Will production Grid policies allow OCR services? –Centralized key storage –Transitive trust Is there interest in GGF OCR activity? Any comments on requirements draft? Other comments or discussion topics?

Download ppt "National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements."

Similar presentations

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.

GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.

Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

Similar presentations

Ads by Google