Managing Credentials with



Similar documents
Using the MyProxy Online Credential Repository

GSI Credential Management with MyProxy

Secure Federated Light-weight Web Portals for FusionGrid

The MyProxy online credential repository

Grid Delegation Protocol

How To Understand And Understand The Security Of A Key Infrastructure

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

GT 6.0 GSI C Security: Key Concepts

TRUST RELATIONSHIPS AND SINGLE SIGN-ON IN GRID BASED DATA WAREHOUSES

Configuring Digital Certificates

Remote Authentication and Single Sign-on Support in Tk20

An Online Credential Repository for the Grid: MyProxy

IGI Portal architecture and interaction with a CA- online

SAP Single Sign-On 2.0 Overview Presentation

Globus Toolkit: Authentication and Credential Translation

Hands On Session. Bijoy M B. System Software Development Group CDAC, Bangalore. Thursday, October 07, 2010 GBC IMSC CHENNAI 1

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Certification Practice Statement

Using Kerberos for Web Authentication. Wesley Craig University of Michigan

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Federated Login to TeraGrid

Angel Dichev RIG, SAP Labs

Prepared by Enea S.Teresa (Italy) Version October 24

Use of EASE Code of Practice. This code of practice is also qualified by The University of Edinburgh computing regulations, found at:

Certificate Management

Abstract. 1. Introduction. Ohio State University Columbus, OH

SAML-Based SSO Solution

Lecture 10 - Authentication

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Scaling TeraGrid Access: A Testbed for Identity Management and Attribute-based Authorization

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Cloud Computing. Lecture 5 Grid Security

Axway Validation Authority Suite

IVOA Single Sign-On security

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

Shibboleth Federation. Manabu Higashida

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

CA Performance Center

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

An Introduction to Entrust PKI. Last updated: September 14, 2004

What Are They, and What Are They Doing in My Browser?

GlobalSign Enterprise PKI Support. GlobalSign Enterprise Solution EPKI Administrator Guide v2.4

Lecture 10 - Authentication

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Leveraging SAML for Federated Single Sign-on:

Federated access to Grid resources

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Architecture of Enterprise Applications III Single Sign-On

A Credential Renewal Service for Long-Running Jobs

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

Enabling SSL and Client Certificates on the SAP J2EE Engine

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

User Management Guide

Entrust IdentityGuard Comprehensive

OpenHRE Security Architecture. (DRAFT v0.5)

Web Applications Access Control Single Sign On

TIBCO Spotfire Platform IT Brief

7 Key Management and PKIs

Public Key Infrastructure for a Higher Education Environment

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Configuration Guide BES12. Version 12.3

Whitepaper: Centeris Likewise Identity 3.0 Security Benefits

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

How to Determine the Proxy Extension of a Grid Trust

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

GRID COMPUTING Techniques and Applications BARRY WILKINSON

Certificate Policy for. SSL Client & S/MIME Certificates

Installation and Configuration Guide

MySQL Security: Best Practices

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Installation Guide. SafeNet Authentication Service

Single Sign-on (SSO) technologies for the Domino Web Server

CS 356 Lecture 28 Internet Authentication. Spring 2013

WHITE PAPER SECURE, DEPLOYABLE BILATERAL (CLIENT/SERVER) AUTHENTICATION

LIGO Identity Management: Questions I Wish We Would Have Asked

From centralized to single sign on

Authentication Project Report

SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates

OFFICE OF KNOWLEDGE, INFORMATION, AND DATA SERVICES (KIDS) DIVISION OF ENTERPRISE DATA

Mithril: Adaptable Security for Survivability in Collaborative Computing Sites

/ Preparing to Manage a VMware Environment Page 1

Entrust Managed Services PKI

Authentication is not Authorization?! And what is a "digital signature" anyway?

BlackBerry Enterprise Service 10. Version: Configuration Guide

Aon Secure File Transfer EMEA

Red Hat Identity Management

Likewise Security Benefits

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

HMRC Secure Electronic Transfer (SET)

Security Digital Certificate Manager

HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity

Cosign Multi-Factor Specification 20 March 2006 Draft 6 Wesley Craig & Johanna Craig cosign@umich.edu

How To Secure An Emr-Link System Architecture

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

Configuration Guide BES12. Version 12.2

Transcription:

Managing Credentials with MyProxy Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu http://myproxy.ncsa.uiuc.edu/

What is MyProxy? A service for managing X.509 PKI credentials A credential repository and certificate authority An Online Credential Repository Issues short-lived X.509 Proxy Certificates Long-lived private keys never leave the server An Online Certificate Authority Issues short-lived X.509 End Entity Certificates Supporting multiple authentication methods Passphrase, Certificate, PAM, SASL, Kerberos Open Source Software Included in Globus Toolkit 4.0 and CoG Kits C, Java, Python, and Perl clients available SC05 http://myproxy.ncsa.uiuc.edu/ 2

MyProxy Logon Authenticate to retrieve PKI credentials End Entity or Proxy Certificate Trusted CA Certificates Certificate Revocation Lists (CRLs) MyProxy maintains the user s PKI context Users don t need to manage long-lived credentials Enables server-side monitoring and policy enforcement (ex. passphrase quality checks) CA certificates & CRLs updated automatically at login SC05 http://myproxy.ncsa.uiuc.edu/ 3

MyProxy Authentication Key Passphrase X.509 Certificate Used for credential renewal Pluggable Authentication Modules (PAM) Kerberos password One Time Password (OTP) Lightweight Directory Access Protocol (LDAP) password Simple Authentication and Security Layer (SASL) Kerberos ticket (SASL GSSAPI) SC05 http://myproxy.ncsa.uiuc.edu/ 4

MyProxy Online Credential Repository Stores X.509 End Entity and Proxy credentials Private keys encrypted with user-chosen passphrases Credentials may be stored directly or via proxy delegation Users can store multiple credentials from different CAs Access to credentials controlled by user and administrator policies Set authentication requirements Control whether credentials can be retrieved directly or if only proxy delegation is allowed Restrict lifetime of retrieved proxy credentials Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc. SC05 http://myproxy.ncsa.uiuc.edu/ 5

MyProxy Online Certificate Authority Issues short-lived X.509 End Entity Certificates Leverages MyProxy authentication mechanisms Compatible with existing MyProxy clients Ties in to site authentication and accounting Using PAM and/or Kerberos authentication Gridmap file maps username to certificate subject LDAP support under development Avoid need for long-lived user keys Server can function as both CA and repository Issues certificate if no credentials for user are stored SC05 http://myproxy.ncsa.uiuc.edu/ 6

PKI Overview Public Key Cryptography Sign with private key, verify signature with public key Encrypt with public key, decrypt with private key Key Distribution Who does a public key belong to? Certification Authority (CA) verifies user s identity and signs certificate Certificate is a document that binds the user s identity to a public key Authentication Signature [ h ( random, ) ] signs Issuer: CA Subject: CA Issuer: CA Subject: Jim SC05 http://myproxy.ncsa.uiuc.edu/ 7

PKI Enrollment CA CA 2 Certificate request User 1 Generate new key pair 3 Sign new end entity certificate User 4 User CA User SC05 http://myproxy.ncsa.uiuc.edu/ 8

Proxy Credentials RFC 3820: Proxy Certificate Profile Associate a new private key and certificate with existing credentials Short-lived, unencrypted credentials for multiple authentications in a session Restricted lifetime in certificate limits vulnerability of unencrypted key Credential delegation (forwarding) without transferring private keys signs signs signs CA User Proxy A Proxy B SC05 http://myproxy.ncsa.uiuc.edu/ 9

Proxy Delegation Delegator Delegatee 2 Proxy certificate request 1 Generate new key pair 3 Sign new proxy certificate Proxy 4 Proxy Proxy SC05 http://myproxy.ncsa.uiuc.edu/ 10

MyProxy Repository MyProxy client Store proxy Retrieve proxy MyProxy server Proxy delegation over private TLS channel Credential repository SC05 http://myproxy.ncsa.uiuc.edu/ 11

MyProxy Certificate Authority MyProxy client Retrieve certificate MyProxy server CA Private TLS channel PAM Site Authentication Service SC05 http://myproxy.ncsa.uiuc.edu/ 12

MyProxy: Credential Mobility tg-login.ncsa.teragrid.org Obtain certificate Store proxy ca.ncsa.uiuc.edu tg-login.purdue.teragrid.org tg-login.ornl.teragrid.org tg-login.sdsc.teragrid.org tg-login1.iu.teragrid.org tg-login.uc.teragrid.org tg-login.psc.teragrid.org Retrieve proxy myproxy.teragrid.org SC05 http://myproxy.ncsa.uiuc.edu/ 13

MyProxy and Grid Portals SC05 http://myproxy.ncsa.uiuc.edu/ 14

User Registration Portals PURSE: Portal-based User Registration Service GAMA: Grid Account Management Architecture ESG SC05 http://myproxy.ncsa.uiuc.edu/ 15

MyProxy: Key Upload/Download Store and retrieve keys and certificates directly over the network Encrypted keys transferred over SSL/TLS encrypted channel In contrast to using proxy delegation Allows storing end-entity credentials Key retrieval must be explicitly enabled by server administrator and key owner SC05 http://myproxy.ncsa.uiuc.edu/ 16

Credential Renewal Long-lived jobs or services need credentials Task lifetime is difficult to predict Don t want to delegate long-lived credentials Fear of compromise Instead, renew credentials as needed during the job s lifetime Renewal service provides a single point of monitoring and control Renewal policy can be modified at any time Disable renewals if compromise is detected or suspected Disable renewals when jobs complete SC05 http://myproxy.ncsa.uiuc.edu/ 17

MyProxy: Credential Renewal Submit job Condor-G / Renewal Service Submit job Refresh proxy Globus gatekeeper Retrieve proxy MyProxy server Daniel Kouril and Jim Basney, "A Credential Renewal Service for Long-Running Jobs," 6th IEEE/ACM International Workshop on Grid Computing (Grid 2005), Seattle, WA, November 13-14, 2005. SC05 http://myproxy.ncsa.uiuc.edu/ 18

MyProxy and Pubcookie Combine web and grid single sign-on Authenticate to MyProxy with Pubcookie granting cookie Coming soon! Pubcookie Login Server Redirect to authenticate and obtain granting cookie Verify login Campus Authentication Server Browser Web Application Server Retrieve proxy MyProxy server Jonathan Martin, Jim Basney, and Marty Humphrey, "Extending Existing Campus Trust Relationships to the Grid through the Integration of Pubcookie and MyProxy," 2005 International Conference on Computational Science (ICCS 2005), Emory University, Atlanta, GA, May 22-25, 2005. SC05 http://myproxy.ncsa.uiuc.edu/ 19

Example: TeraGrid User Portal Use TeraGrid-wide Kerberos username and password for portal authentication Obtain PKI credentials for resource access across TeraGrid sites via portal & externally Plan to use MyProxy CA with Kerberos PAM authentication Leverage existing NCSA Online CA SC05 http://myproxy.ncsa.uiuc.edu/ 20

Example: LTER Grid Pilot Study Build a portal for environmental acoustics analysis Leverage existing LDAP usernames and passwords for portal authentication Obtain PKI credentials for job submission and data transfer Using MyProxy PAM LDAP authentication Long Term Ecological Research Network Information System SC05 http://myproxy.ncsa.uiuc.edu/ 21

Example: NERSC OTP PKI Address usability issues for One Time Passwords Obtain session credentials using OTP authentication Prototyping MyProxy CA with PAM Radius authentication ESnet Radius Authentication Fabric federates OTP authentication across sites National Energy Research Scientific Computing Center SC05 http://myproxy.ncsa.uiuc.edu/ 22

MyProxy Security Keys encrypted with user-chosen passwords Server enforces password quality Passwords are not stored Dedicated server less vulnerable than desktop and general-purpose systems Professionally managed, monitored, locked down Users retrieve short-lived credentials Generating new proxy keys for every session All server operations logged to syslog Caveat: Private key database is an attack target Compare with status quo SC05 http://myproxy.ncsa.uiuc.edu/ 23

Hardware-Secured MyProxy Protect keys in tamper-resistant cryptographic hardware Retrieve proxy MyProxy Server Proxy request Proxy certificate IBM 4758 PKCS#11 Experimental M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April 2004. SC05 http://myproxy.ncsa.uiuc.edu/ 24

MyProxy Server Administration Install server certificate and CA certificate(s) Configure /etc/myproxy-server.config policy Template provided with examples Optionally: Configure password quality enforcement Install cron script to delete expired credentials Install boot script and start server Example boot script provided Use myproxy-admin commands to manage server Reset passwords, query repository, lock credentials SC05 http://myproxy.ncsa.uiuc.edu/ 25

MyProxy Server Policies Who can store credentials? Restrict to specific users or CAs Restrict to administrator only Who can retrieve credentials? Allow anyone with correct password Allow only trusted services / portals Maximum lifetime of retrieved credentials server-wide and per-credential SC05 http://myproxy.ncsa.uiuc.edu/ 26

MyProxy Server Replication Primary/Secondary model (like Kerberos) If primary is down, fail-over to secondary for credential retrieval Store, delete, and change passphrase on primary only Client-side fail-over under development Simple configuration Run myproxy-replicate via cron Alternatively, use rsync over ssh Coming soon! SC05 http://myproxy.ncsa.uiuc.edu/ 27

Related Work GT4 Delegation Service Protocol based on WS-Trust and WSRF UVA CredEx WS-Trust credential exchange service SACRED (RFC 3767) Credential Repository http://sacred.sf.net/ Kerberized Online CA (KX.509/KCA) Kerberos -> PKI Kerberos PKINIT PKI -> Kerberos SC05 http://myproxy.ncsa.uiuc.edu/ 28

MyProxy Community MyProxy is an open source, community project Many contributions from outside NCSA myproxy-users@ncsa.uiuc.edu mailing list Bug tracking: http://bugzilla.ncsa.uiuc.edu/ Anonymous CVS access :pserver:anonymous@cvs.ncsa.uiuc.edu:/cvs/myproxy Contributions welcome! Feature requests, bug reports, patches, etc. Please report your experiences SC05 http://myproxy.ncsa.uiuc.edu/ 29

Thank you! Questions/Comments? Contact: jbasney@ncsa.uiuc.edu SC05 http://myproxy.ncsa.uiuc.edu/ 30

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information