Cloud Computing. Lecture 5 Grid Security

Size: px
Start display at page:

Download "Cloud Computing. Lecture 5 Grid Security 2014-2015"

Transcription

1 Cloud Computing Lecture 5 Grid Security

2 Up until now Introduction. Definition of Cloud Computing. Grid Computing: Schedulers Globus Toolkit

3 Summary Grid Security TLS WS-Security Proxy certificates MyProxy Community Authorization Services

4 Grid Security: Context

5 Grid Security: Problems Valuable resources solving sensitive problems. Federation of organizations. Multiple security domains. Need for transparency. Both client-server and server-server interactions. Service composition. Variety of policies.

6 Ideal Solution! Single sign-on. Even if you re running a task that: Requires secure communication. Uses several services: Multiple authentication? On different organizations: Different identities? Different policies?

7 GT4 Tools Globus Toolkit Java Runtime GSI- OpenSSH MyProxy Data Rep C Runtime Delegation GRAM GridFTP Replica Location Python Runtime CAS GridWay Reliable File Transfer MDS4 Base Segurança Security Execution Execução Dados Data Monitoring Monit.

8 Let s recap some security concepts! Identity/Certification: Who is this person? Who is assuring that this identity matches a real person? Authentication: Is this person who she says she is? Authorization: Is this person allowed to do what she is requesting? Integrity: Has the message I m receiving been tampered with? Confidentiality: Will this message be exposed to anyone?

9 GSI: Globus Security Infrastructure It doesn t solve the trust issue but gets everyone using the same protocols and understanding each others certificates:

10 Secure Web Services <S:Envelope> <S:Header>... <Security S:actor="... S:mustUnderstand="...">... </Security>... </S:Header> <S:Body> </S:Body> </S:Envelope>

11 TLS: Transport Layer Security Transport level encryption protocol. Steps: 1. Algorithm negotiation. 2. Key exchange. 3. Symmetric encryption. Supported Algorithms: Key exchange: RSA, Diffie-Hellman, ECDH, SRP, PSK. Authentication: RSA, DSA, ECDSA. Symmetric key: RC4, Triple DES, AES, IDEA, DES. Hashing: HMAC-MD5, HMAC-SHA.

12 TLS: Communication Encryption

13 Identity: X.509 Certificates Certificate: Data: Version: 1 (0x0) Serial Number: 7829 (0x1e95) Signature Algorithm: md5withrsaencryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server Validity Not Before: Jul 9 16:04: GMT Not After : Jul 9 16:04: GMT Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: 33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1: 66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66: 70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17: 16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b: c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77: 8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3: d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8: e8:35:1c:9e:27:52:7e:41:8f Exponent: (0x10001) Signature Algorithm: md5withrsaencryption 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d: 92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92: ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67: d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72: 0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1: 5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7: 8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22: 68:9f Most common certificate format: Contains: Person s identification. Identification of a certification authority (CA). Person s public key. CA digital signature. Requires trusting the CA and knowledge of it s public key. Dominant mechanism in the grid community.

14 WS-Security Ensures integrity, authentication and confidentiality. Digital signature and encryption key specification using WS. Works at application level. Specifies the SOAP message headers and the variants of the different fields.

15 UsernameToken Example <wsse:security> <wsse:usernametoken> <wsse:username>zoe </wsse:username> <wsse:password>ilovedogs </wsse:password> </wsse:usernametoken> </wsse:security>

16 BinarySecurityToken Example <wsse:binarysecuritytoken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/ 04/secext" Id="myToken" ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary"> MIIEZzCCA9CgAwIBAgIQEmtJZc0... </wsse:binarysecuritytoken>

17 Delegation What if a service needs to call another one? We need Delegation!! Solves the multiple login problem. User signed proxies. Private key not encrypted in the local file system. Time-limited (12h). When you log out, the stored proxies are not eliminated.

18 Single Sign-on and Delegation To authenticate with your certificate directly you would have to type a passphrase every time. Also you need a way to send your credentials across. In the Grid Security Infrastructure today, this is solved by proxy certificates : a temporary key pair. in a temporary certificate signed by your long term private key. valid for a limited time (default: 12 hours). and itself not protected by a passphrase.

19 Proxy Certificate Generation B needs A's credentials to make a request to C. B, therefore, needs a proxy certificate signed by A: B generates a public/private key pair for the proxy certificate. B uses the key pair to generate a certificate request, which will be sent to A using a secure channel. This certificate request includes the proxy's public key, but not the private key. Organization A will use its private key to digitally sign the certificate request. A sends the signed certificate back to B using a secure channel. B can now use the proxy certificate to act on A's behalf. Note: proxy's private key and A s private key are never transmitted between A and B.

20 Proxy Initiation in Globus User enters pass phrase, which is used to decrypt private key. Private key is used to sign a proxy certificate with its own, new public/private key pair: User s private key not exposed after proxy has been signed. Pass Phrase User certificate file Private Key (Encrypted) User Proxy certificate file Proxy placed in /tmp the private key of the Proxy is not encrypted: stored in local file: must be readable only by the owner; proxy lifetime is short (typically 12 h) to minimize security risks

21 MyProxy What if I m executing a long-running task? What if my grid (not very well integrated) requires several certificates. MyProxy: Stores long-lasting certificates (private keys are encrypted). Generates short term certificates from the login (unencrypted private keys). Interacts with certification authorities to acquire certificates.

22 MyProxy Put Client certificate private key TLS handshake username proxy password certificate request chain policy MyProxy Server keypair cert chain private key

23 MyProxy Get Client cert chain private key TLS handshake username proxy password certificate request chain MyProxy Server X.509 Grid Service cert chain private key

24 Password-based Renewal Client job proxy password password proxy Condor-G proxy password proxy proxy job GRAM Gatekeeper proxy Job proxy MyProxy proxy

25 Authorization and Trust in VOs: Community Authorization Service WS require authorization. There are several interface mechanisms between X.509 and policy repositories. What if we want to integrate the repository in the grid s virtual organizations? CAS is a centralized repository that relates agents, resources and actions.

26 CAS Administration Services Enrolling and Unenrolling Objects Enrolling and Unenrolling Service Type Maintaining Service Types Maintaining User Groups Maintaining Object Groups Maintaining Permissions

27 A Typical CAS Request User proxy Community proxy Proxy restrictions CAS Server What rights does the community grant to this user? CAS-maintained community policy database Client Resource Server Community proxy Proxy restrictions Is this request authorized for the community? Local policy information Do the proxy restrictions authorize this request?

28 Signed Authorization Assertions Subject: /O=Grid/CN=Laura Valid: 3/25/03 11:00 3/26/03 11:00 AuthorizationAssertion (non-critical extension): Target Subject: /O=Grid/CN=Laura Valid: 3/25/03 13:00 15:00 These actions are allowed: Read gridftp://myhost/mydir/* Signature (of assertion, by the VO CAS server) Signature (of all above, by the user) The authorization assertion is signed by the VO s CAS server. It delegates a subset of the VO s rights to a user, during a validity time. It is only valid when used along with the target user s authentication credentials.

29 Grid Case Studies Next time

Public Key Infrastructure in idrac

Public Key Infrastructure in idrac A Dell Technical White Paper Dell Enterprise Team Jeethendra Telagu THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS

More information

COSC4377. Chapter 8 roadmap

COSC4377. Chapter 8 roadmap Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7

More information

, ) I Transport Layer Security

, ) I Transport Layer Security Secure Sockets Layer (SSL, ) I Transport Layer Security _ + (TLS) Network Security Products S31213 UNCLASSIFIED Location of SSL -L Protocols TCP Ethernet IP SSL Header Encrypted SSL data= HTTP " Independent

More information

GT 6.0 GSI C Security: Key Concepts

GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts Overview GSI uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality. Many of the

More information

Technik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012

Technik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012 SOAP Security Prof. Dr. Eric Dubuis Berner Fachhochschule Biel Version April 11, 2012 Overview Motivation Transport security versus SOAP Security WS-Security stack overview Structure of secured SOAP messages

More information

Safety 1st Mobile Security. Markus Kopf payleven

Safety 1st Mobile Security. Markus Kopf payleven Safety 1st Mobile Security Markus Kopf payleven Mobile Threat //

More information

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http ://www. greatstuf f. com Wants credit card number ^ Look at lock on browser Use https

More information

Cryptography Basics. 1 Secret Key Encryption. 1.1 Classical Cryptosystems. Lecture Notes (Syracuse University) Cryptography Basics: 1

Cryptography Basics. 1 Secret Key Encryption. 1.1 Classical Cryptosystems. Lecture Notes (Syracuse University) Cryptography Basics: 1 Lecture Notes (Syracuse University) Cryptography Basics: 1 Cryptography Basics 1 Secret Key Encryption Convention and Terms Plaintext: Ciphertext: Encryption: Decryption: Cryptanalysis: Secret Key Encryption

More information

A quick overview of the DANE WG. * DNS-based Authentication of Named Entities

A quick overview of the DANE WG. * DNS-based Authentication of Named Entities A quick overview of the DANE WG * DNS-based Authentication of Named Entities Some background... When you connect to https://www.example.com you use SSL (actually TLS) to secure your connection. Need a

More information

Managing Credentials with

Managing Credentials with Managing Credentials with MyProxy Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu http://myproxy.ncsa.uiuc.edu/ What is MyProxy? A service for managing

More information

Factory Application Certificates and Keys Products: SB700EX, SB70LC

Factory Application Certificates and Keys Products: SB700EX, SB70LC Factory Application Certificates and Keys Products: SB700EX, SB70LC 1 Contents 1 Overview... 3 2 Certificates and Keys... 3 2.1 What is in a Certificate?... 4 3 SSL Certificates and Keys... 6 3.1 NetBurner

More information

Using the MyProxy Online Credential Repository

Using the MyProxy Online Credential Repository Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu What is MyProxy? Independent Globus Toolkit add-on

More information

Grid Delegation Protocol

Grid Delegation Protocol UK Workshop on Grid Security Experiences, Oxford 8th and 9th July 2004 Grid Delegation Protocol Mehran Ahsant a, Jim Basney b and Olle Mulmo a a Center for Parallel Computers,Royal Institute of Technology,

More information

Configuring HTTPS support. Overview. Certificates

Configuring HTTPS support. Overview. Certificates Configuring HTTPS support Overview Destiny provides the option to configure secure access when password information is transmitted between the client browser and the server. Destiny can switch from HTTP

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

A STEP- BY-STEP GUIDE

A STEP- BY-STEP GUIDE Securing your Apache Web Server with a thawte Digital Certificate with a thawte Digital Certificate A STEP- BY-STEP GUIDE to test, install and use a thawte Digital Certificate on your Apache Web Server...

More information

CS 772. Network Security: Concepts, Protocols and Programming Fall 2008 Final Exam Time 2 & 1/2 hours Open Book & Notes.

CS 772. Network Security: Concepts, Protocols and Programming Fall 2008 Final Exam Time 2 & 1/2 hours Open Book & Notes. CS 772 Network Security: Concepts, Protocols and Programming Fall 2008 Final Exam Time 2 & 1/2 hours Open Book & Notes Name: Login: Question 1: A. Considering mod 5 arithmetic, determine all possible:

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For Secure Socket Layer Secure Socket Layer Introduction Overview of SSL What SSL is Useful For Introduction Secure Socket Layer (SSL) Industry-standard method for protecting web communications. - Data encryption

More information

Encrypted Connections

Encrypted Connections EMu Documentation Encrypted Connections Document Version 1 EMu Version 4.0.03 www.kesoftware.com 2010 KE Software. All rights reserved. Contents SECTION 1 Encrypted Connections 1 How it works 2 Requirements

More information

Configuring SSL Termination

Configuring SSL Termination CHAPTER 4 This chapter describes the steps required to configure a CSS as a virtual SSL server for SSL termination. It contains the following major sections: Overview of SSL Termination Creating an SSL

More information

TRUST RELATIONSHIPS AND SINGLE SIGN-ON IN GRID BASED DATA WAREHOUSES

TRUST RELATIONSHIPS AND SINGLE SIGN-ON IN GRID BASED DATA WAREHOUSES TRUST RELATIONSHIPS AND SINGLE SIGN-ON IN GRID BASED DATA WAREHOUSES Xiaoyu Li a and Maree Pather b a Department of Information Technology, Nelson Mandela Metropolitan University b Department of Applied

More information

SECURITY IN ELECTRONIC COMMERCE MULTIPLE-CHOICE QUESTIONS

SECURITY IN ELECTRONIC COMMERCE MULTIPLE-CHOICE QUESTIONS MULTIPLE-CHOICE QUESTIONS Each question has only one correct answer, which ought to be clearly pointed out with an 'X'. Each question incorrectly answered will be evaluated as minus one third of the mark

More information

Ciphire Mail. Abstract

Ciphire Mail. Abstract Ciphire Mail Technical Introduction Abstract Ciphire Mail is cryptographic software providing email encryption and digital signatures. The Ciphire Mail client resides on the user's computer between the

More information

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL Security architecture and protocol stack Applicat. (SHTTP) SSL/TLS TCP IPSEC IP Secure applications: PGP, SHTTP,

More information

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...

More information

GRID COMPUTING Techniques and Applications BARRY WILKINSON

GRID COMPUTING Techniques and Applications BARRY WILKINSON GRID COMPUTING Techniques and Applications BARRY WILKINSON Contents Preface About the Author CHAPTER 1 INTRODUCTION TO GRID COMPUTING 1 1.1 Grid Computing Concept 1 1.2 History of Distributed Computing

More information

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Socket Layer (SSL) and Transport Layer Security (TLS) Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Netzwerksicherheit Übung 6 SSL/TLS, OpenSSL

Netzwerksicherheit Übung 6 SSL/TLS, OpenSSL Netzwerksicherheit Übung 6 SSL/TLS, Thomas Schneider Computer Networks and Communication Systems Dept. of Computer Sciences, University of Erlangen-Nuremberg, Germany 10. 14.12.2007 Thomas Schneider: Netzwerksicherheit

More information

GSI Credential Management with MyProxy

GSI Credential Management with MyProxy GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June 26, 2003 Jim Basney jbasney@ncsa.uiuc.edu http://myproxy.ncsa.uiuc.edu/ MyProxy Online repository of encrypted GSI

More information

Using BroadSAFE TM Technology 07/18/05

Using BroadSAFE TM Technology 07/18/05 Using BroadSAFE TM Technology 07/18/05 Layers of a Security System Security System Data Encryption Key Negotiation Authentication Identity Root Key Once root is compromised, all subsequent layers of security

More information

Cloud Computing. Lecture 5 Grid Case Studies 2014-2015

Cloud Computing. Lecture 5 Grid Case Studies 2014-2015 Cloud Computing Lecture 5 Grid Case Studies 2014-2015 Up until now Introduction. Definition of Cloud Computing. Grid Computing: Schedulers Globus Toolkit Summary Grid Case Studies: Monitoring: TeraGRID

More information

Globus Toolkit: Authentication and Credential Translation

Globus Toolkit: Authentication and Credential Translation Globus Toolkit: Authentication and Credential Translation JET Workshop, April 14, 2004 Frank Siebenlist franks@mcs.anl.gov http://www.globus.org/ Copyright (c) 2002 University of Chicago and The University

More information

2 Transport-level and Message-level Security

2 Transport-level and Message-level Security Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective The Globus Security Team 1 Version 4 updated September 12, 2005 Abstract This document provides an overview of the Grid Security

More information

Is Your SSL Website and Mobile App Really Secure?

Is Your SSL Website and Mobile App Really Secure? Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電

More information

Security. Learning Objectives. This module will help you...

Security. Learning Objectives. This module will help you... Security 5-1 Learning Objectives This module will help you... Understand the security infrastructure supported by JXTA Understand JXTA's use of TLS for end-to-end security 5-2 Highlights Desired security

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords Author: Paul Seymer CMSC498a Contents 1 Background... 2 1.1 HTTP 1.0/1.1... 2 1.2 Password

More information

AD Image Encryption. Format Version 1.2

AD Image Encryption. Format Version 1.2 AD Image Encryption Format Version 1.2 17 May 2010 Table of Contents Introduction... 3 Overview... 3 Image Formats... 4 Keys... 4 Credentials... 4 Certificates... 4 Image Key encryption... 5 Appendix A

More information

Enabling SSL and Client Certificates on the SAP J2EE Engine

Enabling SSL and Client Certificates on the SAP J2EE Engine Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs SAP AG 1 Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine

More information

Angel Dichev RIG, SAP Labs

Angel Dichev RIG, SAP Labs Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine SSL

More information

Grid Security : Authentication and Authorization

Grid Security : Authentication and Authorization Grid Security : Authentication and Authorization IFIP Workshop 2/7/05 Jong Kim Dept. of Computer Sci. and Eng. Pohang Univ. of Sci. and Tech. (POSTECH) Contents Grid Security Grid Security Challenges Grid

More information

SBClient SSL. Ehab AbuShmais

SBClient SSL. Ehab AbuShmais SBClient SSL Ehab AbuShmais Agenda SSL Background U2 SSL Support SBClient SSL 2 What Is SSL SSL (Secure Sockets Layer) Provides a secured channel between two communication endpoints Addresses all three

More information

02267: Software Development of Web Services

02267: Software Development of Web Services 02267: Software Development of Web Services Week 11 Hubert Baumeister huba@dtu.dk Department of Applied Mathematics and Computer Science Technical University of Denmark Fall 2015 1 Contents WS-Policy Web

More information

Execution Management: Key Concepts

Execution Management: Key Concepts Execution Management: Key Concepts Execution Management: Key Concepts Overview The Globus Toolkit provides a service to submit, monitor, and cancel jobs on Grid computing resources called GRAM. In GRAM,

More information

IVOA Single Sign-On security

IVOA Single Sign-On security IVOA Single Sign-On security Guy Rixon Presentation to ACCIS meeting Caltech, February 2007 Grid of secured services VOSpace App-server Restricted archive IVOA SSO, ACCIS meeting, February 2007 2 Client-server

More information

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities SSL/TLS Today s Topics Server Certificates Client Certificates Certification Authorities Trust Registration Authorities VPN IPSec Client tunnels LAN-to-LAN tunnels Secure Sockets Layer Secure Sockets Layer

More information

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key Friends and Enemies Security Outline Encryption lgorithms Protocols Message Integrity Protocols Key Distribution Firewalls Figure 7.1 goes here ob, lice want to communicate securely Trudy, the intruder

More information

Configuring Secure Socket Layer (SSL)

Configuring Secure Socket Layer (SSL) 7 Configuring Secure Socket Layer (SSL) Contents Overview...................................................... 7-2 Terminology................................................... 7-3 Prerequisite for Using

More information

Central Desktop Enterprise Edition (Security Pack)

Central Desktop Enterprise Edition (Security Pack) Central Desktop Enterprise Edition (Security Pack) The Central Desktop Security Pack is included in the Enterprise Edition of Central Desktop. The Enterprise Edition is for companies and organizations

More information

Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr

Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr Version 0.3 August 2002 Online : http://www.urec.cnrs.fr/igc/doc/datagrid-fr.policy.pdf Old versions Version 0.2 :

More information

Concepts and Architecture of the Grid. Summary of Grid 2, Chapter 4

Concepts and Architecture of the Grid. Summary of Grid 2, Chapter 4 Concepts and Architecture of the Grid Summary of Grid 2, Chapter 4 Concepts of Grid Mantra: Coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations Allows

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

IGI Portal architecture and interaction with a CA- online

IGI Portal architecture and interaction with a CA- online IGI Portal architecture and interaction with a CA- online Abstract In the framework of the Italian Grid Infrastructure, we are designing a web portal for the grid and cloud services provisioning. In following

More information

Mobile Admin Security

Mobile Admin Security Mobile Admin Security Introduction Mobile Admin is an enterprise-ready IT Management solution that generates significant cost savings by dramatically increasing the responsiveness of IT organizations facing

More information

CSE/EE 461 Lecture 23

CSE/EE 461 Lecture 23 CSE/EE 461 Lecture 23 Network Security David Wetherall djw@cs.washington.edu Last Time Naming Application Presentation How do we name hosts etc.? Session Transport Network Domain Name System (DNS) Data

More information

Network Security Essentials Chapter 5

Network Security Essentials Chapter 5 Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

CICS Identity and Security

CICS Identity and Security CICS Identity and Security Leigh Y Compton IBM zgrowth Team Insert Custom Session QR if Desired. lcompton@us.ibm.com Abstract User identity and security is critical to businesses today. This session will

More information

SSL Overview for Resellers

SSL Overview for Resellers Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an

More information

Chapter 10. Cloud Security Mechanisms

Chapter 10. Cloud Security Mechanisms Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based

More information

Internet Programming. Security

Internet Programming. Security Internet Programming Security Introduction Security Issues in Internet Applications A distributed application can run inside a LAN Only a few users have access to the application Network infrastructures

More information

SECURITY IN ELECTRONIC COMMERCE - SOLUTION MULTIPLE-CHOICE QUESTIONS

SECURITY IN ELECTRONIC COMMERCE - SOLUTION MULTIPLE-CHOICE QUESTIONS MULTIPLE-CHOICE QUESTIONS Each question has only one correct answer, which ought to be clearly pointed out with an 'X'. Each question incorrectly answered will be evaluated as minus one third of the mark

More information

Is your data safe out there? -A white Paper on Online Security

Is your data safe out there? -A white Paper on Online Security Is your data safe out there? -A white Paper on Online Security Introduction: People should be concerned of sending critical data over the internet, because the internet is a whole new world that connects

More information

Solutions for Web Services Security

Solutions for Web Services Security Solutions for Web Services Security Lessons Learned in a Department of Defense Program Kevin T. Smith McDonald Bradley, Inc. Chief Security Architect, The Virtual Knowledge Base Background Virtual Knowledge

More information

As enterprises conduct more and more

As enterprises conduct more and more Efficiently handling SSL transactions is one cornerstone of your IT security infrastructure. Do you know how the protocol actually works? Wesley Chou Inside SSL: The Secure Sockets Layer Protocol Inside

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

An Introduction to Cryptography as Applied to the Smart Grid

An Introduction to Cryptography as Applied to the Smart Grid An Introduction to Cryptography as Applied to the Smart Grid Jacques Benoit, Cooper Power Systems Western Power Delivery Automation Conference Spokane, Washington March 2011 Agenda > Introduction > Symmetric

More information

Using Globus Toolkit

Using Globus Toolkit Using Globus Toolkit G. Poghosyan & D. Nilsen GridKa School 11-15 September 2006 Basic Grid Services in GT Security Services GSI (Grid Security Infrastructure) Data Services GridFTP RFT (Reliable File

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

An Online Credential Repository for the Grid: MyProxy

An Online Credential Repository for the Grid: MyProxy An Online Credential Repository for the Grid: MyProxy Jason Novotny Lawrence Berkeley Laboratory JDNovotny@lbl.gov Steven Tuecke Mathematics and Computer Science Division Argonne National Laboratory tuecke@mcs.anl.gov

More information

SSL Protect your users, start with yourself

SSL Protect your users, start with yourself SSL Protect your users, start with yourself Kulsysmn 14 december 2006 Philip Brusten Overview Introduction Cryptographic algorithms Secure Socket Layer Certificate signing service

More information

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 16 th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 1 25 Organization Welcome to the New Year! Reminder: Structure of Communication Systems lectures

More information

GSI with OpenSSL. Vincenzo Ciaschini. Prague, 4-7/11/08. www.eu-egee.org. EGEE and glite are registered trademarks. egee EGEE-II INFSO-RI-031688

GSI with OpenSSL. Vincenzo Ciaschini. Prague, 4-7/11/08. www.eu-egee.org. EGEE and glite are registered trademarks. egee EGEE-II INFSO-RI-031688 GSI with OpenSSL Vincenzo Ciaschini EGEE-3 All-Hands Prague, 4-7/11/08 www.eu-egee.org egee EGEE and glite are registered trademarks Layout GSI/SSL Differences and Issues VOMS without Globus GSI/SSL Differences

More information

USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars October 29, 2013

USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars October 29, 2013 USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars Alternate Title? Boy, am I surprised. The Entrust guy who has mentioned PKI during every Security

More information

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security UNIT 4 SECURITY PRACTICE Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security Slides Courtesy of William Stallings, Cryptography & Network Security,

More information

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2 BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution

More information

Internet Mail Client Control Library SSL Supplement

Internet Mail Client Control Library SSL Supplement Codestone Ltd Internet Mail Client Control Library SSL Supplement Codestone Ltd 2004 Page 1 / 22 Welcome to the Internet Mail Client Control Library SSL Supplement we hope you will find the library to

More information

Implementing Secure Sockets Layer on iseries

Implementing Secure Sockets Layer on iseries Implementing Secure Sockets Layer on iseries Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts Digital Certificate Manager Local Certificate Authority Server Certificates

More information

Quickstream Connectivity Options

Quickstream Connectivity Options A division of Westpac Banking Corporation ABN 33 007 457 141 Quickstream Connectivity Options Document History Date 25-Jun-2003 1-Jul-2003 3-July-2003 18-July-2003 18-Aug-2003 8-Sep-2003 19-Sep-2003 31-Oct-2003

More information

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Authentication Types. Password-based Authentication. Off-Line Password Guessing Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:

More information

Secure Email Frequently Asked Questions

Secure Email Frequently Asked Questions Secure Email Frequently Asked Questions Frequently Asked Questions Contents General Secure Email Questions and Answers Forced TLS Questions and Answers SecureMail Questions and Answers Glossary Support

More information

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1 We have learned Symmetric encryption: DES, 3DES, AES,

More information

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明 Spirent Abacus SIP over TLS Test 编 号 版 本 修 改 时 间 说 明 1 1. TLS Interview (Transport Layer Security Protocol) (1) TLS Feature Introduction: 1. TLS is a successor of Secure Sockets Layer (SSL), a cryptographic

More information

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol SSL/TLS TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol HTTPS SSH SSH Protocol Architecture SSH Transport Protocol Overview SSH User Authentication Protocol SSH Connection Protocol

More information

Clearswift Information Governance

Clearswift Information Governance Clearswift Information Governance Implementing the CLEARSWIFT SECURE Encryption Portal on the CLEARSWIFT SECURE Email Gateway Version 1.10 02/09/13 Contents 1 Introduction... 3 2 How it Works... 4 3 Configuration

More information

CRYPTOGRAPHY AS A SERVICE

CRYPTOGRAPHY AS A SERVICE CRYPTOGRAPHY AS A SERVICE Peter Robinson RSA, The Security Division of EMC Session ID: ADS R01 Session Classification: Advanced Introduction Deploying cryptographic keys to end points such as smart phones,

More information

High Security Online Backup. A Cyphertite White Paper February, 2013. Cloud-Based Backup Storage Threat Models

High Security Online Backup. A Cyphertite White Paper February, 2013. Cloud-Based Backup Storage Threat Models A Cyphertite White Paper February, 2013 Cloud-Based Backup Storage Threat Models PG. 1 Definition of Terms Secrets Passphrase: The secrets passphrase is the passphrase used to decrypt the 2 encrypted 256-bit

More information

Building a Secure RedHat Apache Server HOWTO

Building a Secure RedHat Apache Server HOWTO Table of Contents Building a Secure RedHat Apache Server HOWTO...1 Richard Sigle, Richard.sigle@equifax.com...1 1. Purpose/Scope of this Guide...1 2. Introduction to Secure Sockets Layer/Private Key Infrastructure...1

More information

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application

More information

Authentication Applications

Authentication Applications Authentication Applications CSCI 454/554 Authentication Applications will consider authentication functions developed to support application-level authentication & digital signatures Kerberos a symmetric-key

More information

Authentication Applications

Authentication Applications Authentication Applications will consider authentication functions developed to support application-level authentication & digital signatures will consider Kerberos a private-key authentication service

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information