Security Approaches and Requirements
John Watt
NCeSS Conference 2008 - Workshop 3
Data Management through e-Social Science
June 18th 2008
Authentication and Authorisation
• Authentication is the establishment of IDENTITY
  – Your passport is an identity token
  – Issued by INTERNAL National Authority upon in-person presentation of information (e.g. birth certificate)
• Authorisation is the establishment of PERMITTED ACTION(S)
  – An entry visa is an authorisation statement
  – Issued by EXTERNAL foreign authority upon presentation of specific information (e.g. work permit)
Typical AuthN and AuthZ
• User registers with University IT Services when they start their course/job
  – Terms and Conditions form
  – Present staff/student ID number
• Means user has been identified to University
  – User is supplied with Username and Password combination
• This is the user’s day-to-day digital identity
  – Issued by a well-known entity (the University)
  – Satisfies the University’s own registration protocol
• …a trustworthy authentication token?
Authentication and Authorisation on the Grid
• Authentication on the Grid is performed through X.509 digital certificates
  – Issued by a trusted National/Regional Authority
    • a Certification Authority (CA)
  – Technically, the CA implements a Public Key Infrastructure (PKI)
• Authorisation on the Grid is performed by…
  – grid-mapfile, VOMS, PERMIS, OMII-SP CCP, Attribute Certificates (ACs), Akenti, CAS, Active Directory groups…
Proxy Certificates
• X.509 Certificates have interesting properties
  – Short-lived copies of the original certificate can be made to automatically propagate through the Grid
    • Proxy Certificates
  – Short-lived to mitigate intruder actions
• Enables Single Sign-On to Grid
  – They carry a digital signature that tells if the information contained in the certificates has been tampered with
  – MyProxy is a tool which allows repository access to the certificate via a username/password
    • User doesn’t need to handle the certificate
Multiple Identities
• A national CA issues a national-level ID
  – Large footprint, enabling certificate
  – Not a user’s familiar identity
• A University issues a local-level ID
  – Small footprint, only recognised on campus
  – User is familiar with this identity
• Both these identities have well-known user registration procedures
  – But a local identification will ALWAYS be a more authentic token
    • User is known at the institution
    • Home site can revoke privileges faster than a remote site
Shibboleth
• Shibboleth federates your local identity across a network of trusting sites
  – Collection of sites managed by a “Federation”
    • Responsible for registering participants and supplying metadata for up-to-date resource info
    • In UK, managed by the UK Access Management Federation: http://www.ukfederation.org.uk
  – Federation services may be accessed with the user’s home University credentials, regardless of location
  – Resources no longer need to do user registration
  – Single Sign-On Solution
  – Pseudo-anonymous access possible
Shibboleth
• Shibboleth/SAML defines interactions between
  – An IDENTITY PROVIDER (IdP)
    • Represents a user’s home institution
    • Asserts user information to the federation
  – A SERVICE PROVIDER (SP)
    • Represents the resource that is being accessed
    • Consumes the user’s information on behalf of the protected application
  – An optional Where Are You From? (WAYF)
• Shibboleth is an Apache module that triggers the SAML mechanism when a protected web directory is requested.
[Diagram: mod_shib, SP, IdP, WAYF?]
Shibboleth SAML Attributes
• Shibboleth provides a mechanism for additional information about the user to be securely exported
• These SAML attributes may be used for authorisation and access control
  – IdP provides a policy-driven set of user attributes to be transmitted to an SP, which has a separate policy-driven reception policy
  – These attributes typically hold ACCESS RIGHTS
    • Text String Roles (staff, student, director, minion…)
    • Attribute Certificates (Certs with extra info)
  – Supports Role-Based Access Control (RBAC)
eduPerson Schema
• Attempts to standardise a set of core information that can be provided about users
  – eduPersonAffiliation
    • MEMBER, STUDENT, AFFILIATE
  – eduPersonTargetedID
    • 4TyY&[email protected]
  – eduPersonEntitlement
    • Roles, Privileges (nanoCMOS_webManager)
  – eduPersonPrincipalName
    • John Watt
    – Only one that contains revealing information
Shibboleth Operation
• Enter URL of Service Provider
  – https://www.nanocmos.ac.uk
• Where Are You From?
  – Select your institution from the drop-down menu
  – Will be “National e-Science Centre (Glasgow)” for now
• Authenticate with username/password
• SAML is collecting attributes about the user
  – Then redirects you to the URL you originally requested…
• Logged In
Shibboleth Summary
• Allows a user’s home University login to be recognised across a national-scale network of trusted sites
• Provides extra info (attributes) which may be used for access control
• Single Sign-On to Services
• User management done at user’s home site
• Issues:
  – How to link with national CA credential?
  – Coordination required between requirements of IdPs and SPs
Authorisation
• Many ways to do authorisation
  – UNIX Permissions on account
    • User abilities are enforced by sys admin on single accounts per user
  – Account accessed through a grid mapfile
    • List of user X.509 DNs and the account they map to
    • Admin nightmare when scaled up
  – Role Based Access Control
    • Guided by concept that users may come and go from an organisation, but the actual jobs and roles will remain relatively static.
Role Based Access Control (RBAC)
TESCO (ALL STORES) ACCESS CONTROL LIST
Policy:
  Jim Bowen: 10% off all goods
  Richard Whiteley: 10% off all goods
  Noel Edmonds: 10% off all goods
  Des O’Connor: 10% off all goods
  Bob Monkhouse: 10% off all goods
  Terry Wogan: 10% off all goods
  …etc etc etc etc etc etc
TESCO (ALL STORES) ROLE-BASED ACCESS CONTROL
Policy: Give all customers (Jim, Richard, Noel, Des etc.…) a Loyalty Card which entitles them to 10% off
  Loyalty card holder: 10% off all goods
Attribute Certificates
• Shibboleth provides a text string role to a service
  – Transport is secure and understood
  – Source of the attribute can never be known
    • Trust of IdP essential, but safeguards needed…
• Attribute Certificates (ACs) are X.509 certificates with extra information appended
  – Used to convey text string roles in a digital certificate
    • With the advantages X.509 brings
      – i.e. digital signature, validity information
[Diagram: X.509 certificate + role]
Attribute Certificates
• Many technologies can exploit digitally signed ACs
  – VOMS
    • Virtual Organisation Management Service
    – Fully supported by NGS
    – Involves a central repository managed by a VO admin
  – PERMIS
    • Privilege and Role Management Infrastructure Standards Validation
    – Generic PMI (privilege management infrastructure) solution – decentralised
    – Recognises VOMS ACs, normal X.509, plus XACML response/request
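What a digitally signed AC adds over a bare text-string role, shown as an added Go example (not code from the talk, from VOMS or from PERMIS): the relying party checks the issuer's signature and the validity window before it acts on the role. Real ACs are ASN.1 structures; the JSON encoding, the issuer key pair and the holder, issuer and role values here are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AttrCert: a role bound to a holder, with issuer name and validity window
// (real ACs are ASN.1; JSON is assumed here for readability).
type AttrCert struct {
	Holder, Issuer, Role string
	NotBefore, NotAfter  time.Time
}

// SignedAC is the encoded AC together with the issuer's signature over it.
type SignedAC struct{ Body, Sig []byte }

// Issue is the attribute authority's side: encode the AC and sign it.
func Issue(ac AttrCert, issuerKey ed25519.PrivateKey) SignedAC {
	body, _ := json.Marshal(ac) // cannot fail for this struct
	return SignedAC{Body: body, Sig: ed25519.Sign(issuerKey, body)}
}

// Verify is the relying party's side: the role is returned only if the signature
// checks against the trusted issuer key and the AC is inside its validity window.
func Verify(s SignedAC, trusted ed25519.PublicKey, now time.Time) (AttrCert, error) {
	var ac AttrCert
	if !ed25519.Verify(trusted, s.Body, s.Sig) { // altered body or untrusted issuer
		return ac, errors.New("bad signature: AC altered or not from the trusted issuer")
	}
	if err := json.Unmarshal(s.Body, &ac); err != nil {
		return ac, err
	}
	if now.Before(ac.NotBefore) || now.After(ac.NotAfter) { // validity information
		return ac, fmt.Errorf("AC for %q not valid at %s", ac.Holder, now.Format(time.RFC3339))
	}
	return ac, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed issuer key pair
	now := time.Now()
	ac := AttrCert{"CN=John Watt,O=Example University", "CN=Example Attribute Authority",
		"nanoCMOS_webManager", now.Add(-time.Minute), now.Add(12 * time.Hour)}
	got, err := Verify(Issue(ac, priv), pub, now)
	fmt.Println(got.Role, err)
}
```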
Security Ingredients
[Diagram: security ingredients, including VOMS]
Portals
• Browser based access to Web/Grid Services
  – Can hide user from
    • Certificate Management and Operations
    • Command line obscurity
    • Grid middleware atheism
    • Firewall restrictions
  – Can implement portal side security to complement service-side security
    • Joining of these two domains is another research hot-topic!
The NeSC Model
• User logs into portal via Shibboleth
• User’s portal view is filtered according to the SAML attributes presented by the IdP
  – User can only invoke services they are entitled to
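One way to turn the eduPerson attributes released by an IdP into the filtered portal view described in the NeSC model, as an added Go example (not code from the talk or from the NeSC portal): it applies the loyalty-card principle of the RBAC slide, so services hang off entitlement values (roles), never off named users, and it gates entry on affiliation. The attribute names are eduPerson's; the policy, service names and sample release are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attributes is what the IdP released and mod_shib handed to the portal for one session.
type Attributes map[string][]string

// Policy is the SP-side reception policy: permissions are attached to roles, not people.
type Policy struct {
	AllowedAffiliations []string            // eduPersonAffiliation values admitted to the portal
	RoleServices        map[string][]string // eduPersonEntitlement value -> services it unlocks
}

// Services returns the user's portal view (sorted) and false if the user is not admitted.
func (p Policy) Services(a Attributes) ([]string, bool) {
	admitted := false
	for _, aff := range a["eduPersonAffiliation"] {
		for _, ok := range p.AllowedAffiliations {
			admitted = admitted || strings.EqualFold(aff, ok) // affiliation values are case-insensitive
		}
	}
	if !admitted {
		return nil, false // no recognised affiliation: nothing is shown at all
	}
	seen := map[string]bool{}
	for _, ent := range a["eduPersonEntitlement"] {
		for _, svc := range p.RoleServices[ent] { // unknown entitlement values grant nothing
			seen[svc] = true
		}
	}
	out := make([]string, 0, len(seen))
	for svc := range seen {
		out = append(out, svc)
	}
	sort.Strings(out)
	return out, true
}

func main() {
	policy := Policy{AllowedAffiliations: []string{"member", "staff"}, RoleServices: map[string][]string{
		"nanoCMOS_webManager": {"run-simulation", "manage-web"}, "nanoCMOS_user": {"run-simulation"}}}
	// Constructed sample release: a staff member holding one recognised and one unknown entitlement.
	user := Attributes{"eduPersonAffiliation": {"member", "staff"}, "eduPersonEntitlement": {"nanoCMOS_webManager", "urn:example:unknown"}}
	view, ok := policy.Services(user)
	fmt.Println(ok, view)
}
```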
The NeSC Model
• Portal retrieves non-local credentials from VOMS/PERMIS/MyProxy…
  – Based on DN info supplied by IdP
[Diagram: VOMS (local?)]
The NeSC Model
• Portal exports appropriate credential to desired service
[Diagram: NGS, VOMS proxy, Data Store]
The Big Picture
• Complementary local and external security
  – Must meet the requirements of the external service
• Hide user from complex interactions
[Diagram: Home Institution | Portal | The Outside World (Grid, data sources)]
Issues
• Portal side security is well known and present now
  – UK Federation enables a vast user base
    • Every staff and student in UK academia?
    • A select few…?
• Challenge lies in bridging the requirements of external services
  – Are the resources willing to deploy alternate security infrastructures?
  – Grid enabled? (GT4, OGSA-DAI)
  – If alternate standard prevalent, can we speak their language?
New Technologies
• SAML2 Holder-of-key Assertion