Title: ESnet RADIUS Authentication Fabric
1. ESnet RADIUS Authentication Fabric
- Michael Helm
- ESnet/LBNL
- GGF-12 Sec Workshop
- 18 Sep 2004
2. What Does the RAF Do?
[Diagram: the ESnet RAF Federation (a RADIUS proxy, "R") in the centre, peered with four sites, ANL, NERSC, PNNL and ORNL. Each site runs its own RADIUS server ("r") and OTP service and holds a realm table listing anl.gov, nersc.gov, pnnl.gov and ornl.gov; the federation's realm table lists those four plus es.net. An application ("App") at a site authenticates through the site's RADIUS server, which forwards requests for other realms through the federation to the realm's home OTP service.]
3. What Is the Grid Integrated RAF?
[Diagram, "Proposal Apr 2004, special case of GridLogon". Components: ESnet Root CA (signs the Subordinate CA), Subordinate CA Engine with HSM and OCSP, ESnet RADIUS, OTP Services, PAM, SIPS, Auth DB, and MyProxy Credentials ("Manage myProxy"). Numbered flow: 1 Log in; 2 Ask for AuthN hint (OTP); 3 OTP verification; 4 Auth OK, namestring returned, and Sign Proxy; 5 Receive proxy cert; 6 (Optional) store proxy; 7 Execute.]
4. RAF Benefits / Features
- O(n) peering
- Authorization decision controlled by site
  - Sound familiar?
- Single token per person
- Interoperability on an open, standard, industry-supported AAA protocol
  - WAN use of RADIUS (RFC 2865)
- Federation
5. ESnet RAF Architecture
[Diagram: each site connects through a RADIUS proxy router to the ESnet RAF, whose servers are replicated; the RADIUS traffic between site and RAF runs over a VPN (IPsec) across the ESnet network (IP).]
6. RAF Current Issues
- Reliability / Replication
  - Currently a RAF issue, but also applies to site RADIUS/OTP
  - Federation
- Application Integration
  - Where's our Grid Integration solution?
  - PAM: more layers!
  - Name management (Federation / App Integration)
    - Essential issue for Grid integration
- OTP Service Reliability
  - Transit time, resync loss
  - Federation
- Integrity / Security
  - VPN
  - See later
- Market research: size/scope of deployment
- Grid issue: current, 6 to 18 months
7. RAF Current Issues
[Diagram: the federation picture of slide 2 annotated with where each current issue arises: OTP/CR and Integrity/Security at the site OTP services, Reliability/Replication and Transit time at the federation RADIUS proxy, Application Integration at the site, and Federation on the realm tables.]
8. RAF Long Term Issues
- RAF support for other protocols
  - Kerberos
  - Web services
  - EAP/TLS
  - MyProxy protocol
- End-to-end integrity
  - AuthA protocol
- Application integration
  - Always an issue
- Architecture: fan-out/gateway
  - Firewalls
  - RADIUS
- Grid issue: future, 12 to 48 months
9. AuthA
- An OTP-based key-exchange technology that offers protection against
  - capture of the user's password
  - capture of the server's password database
  - dictionary attacks on the user's password
  - denial-of-service attacks
- An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire
  - confidentiality, authenticity and integrity of the data
  - mutual authentication of the user and the server
- Technology publication
  - M. Abdalla, O. Chevassut and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange", submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
10. RAF Collaboration Introduction
- Motivation: eliminate reusable passwords (movement in US DOE Science institutions, and others)
- Collaborators: Steve Chan, NOPS group, ESnet PKI team (now ATF), vendors, others
- Technology: OTP (one-time password), RADIUS, applications
11. Collaboration Introduction (3)
- Hacking incidents in late 2003-2004
- Problem of re-usable passwords
  - Not just for accounts, but to unlock key pairs and other authorizations
- Grid
  - Investment
  - Threats
12. Grid Integrated RADIUS Authentication Fabric
- RADIUS (RFC 2865; RFC 3579 for EAP)
  - Federation
  - Proxy
  - Widely used and supported
- OTP (One Time Password)
  - Multiple vendor support
  - Single-use / challenge-response support
  - Site responsibility
- Grid integration: SIPS
  - On-demand proxy provision
  - MyProxy
  - NB: each application has its own story
13. Collaboration Introduction (4)
- Collaborators
  - Steve Chan: NERSC requirements doc (Apr 2004), http://www.doegrids.org/CA/Research/OTP-final.pdf
  - ESnet PKI/ATF: http://www.doegrids.org/CA/Research/GIRAF.pdf
    - T. Genovese, M. Helm, R. Morelli, D. Muruganantham, J. Webster
  - NOPS: NERSC, ESnet, ANL, PNNL, ORNL
  - CryptoGRID: O. Chevassut, F. Siebenlist, A. Essiari
  - RADIUS vendor: InfoBlox (Edwin Menor)
- Status: at milestone 2.3, preparing 2.4 (pilot)
- NOPS group working OTP issues
14. Collaboration Introduction (5)
- Hacking incidents in late 2003-2004
- Problem of re-usable passwords
  - Not just for accounts, but to unlock key pairs and other authorizations
  - Burden of multiple tokens
- Grid
  - Investment
  - Threats
15. What Does the RAF Do?
[Diagram: the same federation picture as slide 2 (four sites, each with RADIUS server "r" and OTP service; federation proxy "R" with realms anl.gov, nersc.gov, pnnl.gov, ornl.gov and es.net).]
16. What Does the RAF Do? (2): Local Exclusion of a Realm
[Diagram: the federation picture of slide 2, with one site having removed a realm from its local realm table. That site no longer accepts logins from the excluded realm, while the federation's realm table is unchanged.]
17. What Does the RAF Do? (3): goodlab.org Joins the Federation
[Diagram: a new site, goodlab.org, with its own RADIUS server and OTP service, peers with the federation. goodlab.org is added to the federation's realm table (anl.gov, nersc.gov, pnnl.gov, ornl.gov, es.net, goodlab.org). goodlab.org's own table lists goodlab.org plus the four existing realms marked "?", i.e. still to be decided locally, and each existing site likewise decides for itself whether to add goodlab.org.]
18. What Does the RAF Do? (4): Site Manages Separate Relationship
[Diagram: as slide 17, plus one site's RADIUS server peering directly with an external "XAuth Service" (with its own RADIUS server "r") outside the federation. That relationship is managed by the site alone and does not appear in the federation's realm table.]
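The four federation pictures above (routing by realm, local exclusion of a realm, a new member joining, and a site-managed relationship outside the federation) as one runnable model. This is an added example, not ESnet's or a RADIUS vendor's code: the realm names are the slide's, while the users, one-time codes, goodlab.org's user, the `xauth.example` realm and the names `Site`, `Federation`, `authenticate` and `peering_links` are constructed for this example.

```python
"""Realm-based routing in a RADIUS federation.

Added illustration, not ESnet's or a RADIUS vendor's code. It models what the
federation diagrams show: each site runs a RADIUS server with a local realm table
and an OTP service for its own realm; the federation proxy holds the union of
member realms and forwards a request to the realm's home site; each site decides
locally which realms it accepts (local exclusion); a new member is added to the
federation table and to a site's table only when that site chooses so; and a
site may keep a private peering outside the federation. No packets are sent:
the sites, users and one-time codes are constructed stand-ins for the example.
"""
from dataclasses import dataclass, field

ACCEPT, REJECT = "Access-Accept", "Access-Reject"   # RADIUS response codes (RFC 2865)


@dataclass
class Site:
    realm: str
    accepted_realms: set          # local policy: realms this site's applications may log in from
    otp_codes: dict               # this realm's OTP service: user -> currently valid code
    private_peers: dict = field(default_factory=dict)   # realm -> Site peered outside the federation

    def verify(self, user, code):
        # a code is only ever checked by the OTP service of its home realm
        return self.otp_codes.get(user) == code


class Federation:
    """The ESnet RAF proxy: each member peers once with the hub instead of with every other site."""

    def __init__(self):
        self.realms = {}          # realm -> home Site

    def join(self, site):
        self.realms[site.realm] = site

    def proxy(self, realm, user, code):
        home = self.realms.get(realm)
        if home is None:
            return REJECT, "realm unknown to the federation"
        if home.verify(user, code):
            return ACCEPT, "verified by " + realm
        return REJECT, "OTP failed at " + realm


def split_nai(identity, default_realm):
    """user@realm (NAI form); a bare user name belongs to the local realm."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm) if sep else (identity, default_realm)


def authenticate(site, fed, identity, code):
    """The decision a site's RADIUS server makes for an application login."""
    user, realm = split_nai(identity, site.realm)
    if realm == site.realm:                           # local user: no proxying at all
        return (ACCEPT, "local") if site.verify(user, code) else (REJECT, "local OTP failed")
    if realm in site.private_peers:                   # site-managed relationship, bypasses the federation
        ok = site.private_peers[realm].verify(user, code)
        return (ACCEPT, "private peer") if ok else (REJECT, "private peer refused")
    if realm not in site.accepted_realms:             # local exclusion: site policy wins over membership
        return REJECT, "realm not accepted by site policy"
    return fed.proxy(realm, user, code)               # otherwise forward to the home realm via the hub


def peering_links(n, federated=True):
    """Trust relationships to manage for n sites: n with a hub, n(n-1)/2 as a full mesh."""
    return n if federated else n * (n - 1) // 2


def demo():
    four = {"anl.gov", "nersc.gov", "pnnl.gov", "ornl.gov"}
    anl = Site("anl.gov", set(four), {"alice": "111111"})
    nersc = Site("nersc.gov", set(four), {"bob": "222222"})
    pnnl = Site("pnnl.gov", four - {"ornl.gov"}, {"carol": "333333"})   # PNNL excludes ornl.gov locally
    ornl = Site("ornl.gov", set(four), {"dave": "444444"})
    fed = Federation()
    for site in (anl, nersc, pnnl, ornl):
        fed.join(site)
    r = {
        "local": authenticate(anl, fed, "alice", "111111"),
        "federated": authenticate(anl, fed, "bob@nersc.gov", "222222"),
        "bad_code": authenticate(anl, fed, "bob@nersc.gov", "999999"),
        "excluded": authenticate(pnnl, fed, "dave@ornl.gov", "444444"),
    }
    # a new site joins: the hub accepts it at once, each existing site only when it adds the realm
    goodlab = Site("goodlab.org", {"goodlab.org"}, {"erin": "555555"})
    fed.join(goodlab)
    nersc.accepted_realms.add("goodlab.org")
    r["new_member_at_nersc"] = authenticate(nersc, fed, "erin@goodlab.org", "555555")
    r["new_member_at_anl"] = authenticate(anl, fed, "erin@goodlab.org", "555555")
    # one site manages a separate relationship with an external authentication service
    xauth = Site("xauth.example", {"xauth.example"}, {"frank": "666666"})
    ornl.private_peers["xauth.example"] = xauth
    r["private_peer"] = authenticate(ornl, fed, "frank@xauth.example", "666666")
    r["private_peer_elsewhere"] = authenticate(anl, fed, "frank@xauth.example", "666666")
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
    print("links for 5 sites: hub", peering_links(5), "vs mesh", peering_links(5, federated=False))
```

The two rejections worth noticing are `excluded` and `new_member_at_anl`: in both the home realm would have accepted the code, but the local site's table is consulted first, which is what "authorization decision controlled by site" on slide 4 means. The private peer case shows the converse: ORNL's relationship with `xauth.example` is invisible to ANL, because it was never added to the federation's table.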
19. ESnet RAF Architecture (repeat of the slide 5 diagram)
20. RAF Benefits / Features (repeat of slide 4)
21. RAF Current Issues (repeat of the slide 7 diagram)
22. RAF Current Issues (repeat of slide 6)
23. What Is the Grid Integrated RAF? (repeat of the slide 3 diagram)
24. RAF Long Term Issues (repeat of slide 8)
25. Password-based Authentication Technology
- One-Time Password (OTP) authentication (e.g. S/Key, RSA SecurID)
  - protects against passive attacks based on replaying captured reusable passwords (i.e. passive eavesdropping/replay attacks)
- Password-authenticated key-exchange (e.g. SRP, AuthA)
  - protects against active attacks such as session hijacking
  - provides privacy of transmitted data
- => OTP-based authenticated key-exchange for the Grid
26. OTP-based Authenticated Key-Exchange
- A single-use password is derived from the user's secret pass-phrase
- The password is used to encrypt the flows of the (Diffie-Hellman) key-exchange, at the end of which a session key is exchanged
- The session key implements an encrypted/authenticated channel

[Diagram: message flow between user and server, reconstructed from the slide labels (superscripts and the mark on the next password were lost in extraction):]
  User: derive one-time password pw from the pass-phrase
  Server: derive one-time password pw from the stored password
  User -> Server: Encrypt(pw, g^x)
  Server -> User: Encrypt(pw, g^y)
  User and Server: compute session key sk = g^xy
  User -> Server: Encrypt(sk, pw'), pw' being the next one-time password
  Server: update the stored password, pw <- pw'
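The message flow on this slide carried through as a runnable toy, with the properties the next slides claim checked on it: a failed session leaves the server's stored password untouched, a consumed one-time password cannot be replayed, and each session yields a fresh key. This is an added example and not the CryptoGRID implementation; the 127-bit group, the one-time passwords derived by hashing the pass-phrase with a session counter, the XOR keystream standing in for the scheme's password encryption, the labels and all function names are assumptions of the example.

```python
"""Toy OTP-based authenticated Diffie-Hellman key exchange.

Added example, not CryptoGRID's or ESnet's code. It follows the message flow on
the slide: user and server derive the same one-time password pw for this session,
pw encrypts the DH flows g^x and g^y, both compute sk from g^xy, and the user sends
the next one-time password to the server under sk so the server can update its
stored password. Assumptions of this example only: a 127-bit toy DH group (use an
RFC 3526 group in real code), one-time passwords derived by hashing the pass-phrase
with a session counter, and XOR with a hash keystream standing in for the scheme's
password encryption. Standard library only.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1        # Mersenne prime: a toy group, far too small for real use
G = 3
NBYTES = 16           # group elements fit in 16 bytes


def otp(passphrase, counter):
    """One-time password for session `counter`, derived from the user's pass-phrase."""
    return hashlib.sha256(b"otp|" + passphrase + counter.to_bytes(4, "big")).digest()


def xor_keystream(key, label, data):
    """Stand-in for Encrypt(key, data): XOR with a hash keystream; the same call decrypts."""
    ks = hashlib.sha256(b"ks|" + key + b"|" + label).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_elem(key, label, elem):
    return xor_keystream(key, label, elem.to_bytes(NBYTES, "big"))


def decrypt_elem(key, label, blob):
    elem = int.from_bytes(xor_keystream(key, label, blob), "big")
    if not 1 < elem < P - 1:      # a wrong password yields garbage; refuse values outside the group
        raise ValueError("not a valid group element")
    return elem


def session_key(gx, gy, gxy):
    """sk binds the shared secret to both flows of the exchange."""
    parts = b"|".join(v.to_bytes(NBYTES, "big") for v in (gx, gy, gxy))
    return hashlib.sha256(b"sk|" + parts).digest()


def tag(sk, label):
    return hmac.new(sk, label, "sha256").digest()


class Server:
    def __init__(self, user, first_pw):
        self.stored = {user: first_pw}    # only the current one-time password is kept, never the pass-phrase
        self.pending = {}

    def respond(self, user, c1):
        """Flow 2: recover g^x under pw and answer with Encrypt(pw, g^y)."""
        pw = self.stored[user]
        gx = decrypt_elem(pw, b"A", c1)
        y = secrets.randbelow(P - 2) + 1
        gy = pow(G, y, P)
        self.pending[user] = session_key(gx, gy, pow(gx, y, P))
        return encrypt_elem(pw, b"B", gy)

    def finish(self, user, confirm, enc_next):
        """Flow 3: check the user's key confirmation, then install the next one-time password."""
        sk = self.pending.pop(user)
        if not hmac.compare_digest(confirm, tag(sk, b"user-confirm")):
            return None                   # failed session: the stored pw is left untouched
        self.stored[user] = xor_keystream(sk, b"next-pw", enc_next)
        return tag(sk, b"server-confirm")


def user_login(server, user, passphrase, counter):
    """One session from the user's side; returns (mutually authenticated, session key)."""
    pw = otp(passphrase, counter)
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    try:
        gy = decrypt_elem(pw, b"B", server.respond(user, encrypt_elem(pw, b"A", gx)))
    except ValueError:
        return False, None
    sk = session_key(gx, gy, pow(gy, x, P))
    enc_next = xor_keystream(sk, b"next-pw", otp(passphrase, counter + 1))
    reply = server.finish(user, tag(sk, b"user-confirm"), enc_next)
    if reply is None or not hmac.compare_digest(reply, tag(sk, b"server-confirm")):
        return False, None
    return True, sk


def demo():
    phrase = b"correct horse battery"              # constructed pass-phrase
    server = Server("alice", otp(phrase, 1))       # enrolment hands the server pw for session 1
    ok1, sk1 = user_login(server, "alice", phrase, 1)
    ok2, sk2 = user_login(server, "alice", phrase, 2)        # works only because the server updated pw
    replay, _ = user_login(server, "alice", phrase, 2)       # pw_2 has been consumed
    wrong, _ = user_login(server, "alice", b"wrong phrase", 3)
    ok3, _ = user_login(server, "alice", phrase, 3)          # failures did not disturb the stored pw
    return {"session1": ok1, "session2": ok2, "replay_old_pw": replay,
            "wrong_passphrase": wrong, "after_failures": ok3, "fresh_keys": sk1 != sk2}


if __name__ == "__main__":
    print(demo())
```

The point of the range check in `decrypt_elem` is the one that matters for a password-encrypted DH flow: a wrong password must not produce a value the other side could distinguish from a right one, otherwise an observer can test guesses offline. The XOR stand-in here does not achieve that (values above P reveal a wrong guess), which is why the published scheme needs a proper encoding of group elements; the toy only shows the message ordering and the state update.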
27. Accomplishments
- An OTP-based key-exchange technology that offers protection against
  - capture of the user's password
  - capture of the server's password database
  - dictionary attacks on the user's password
  - denial-of-service attacks
- An OTP-based key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire
  - confidentiality, authenticity and integrity of the data
  - mutual authentication of the user and the server
- Technology publication
  - M. Abdalla, O. Chevassut and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange", submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
28. Work in Progress
- Make this OTP-authenticated key-exchange a cipher suite for TLS
  - development of a patch for OpenSSL
  - investigate the IP property issue (i.e. US Patents 5,241,599 and 5,440,635)
  - preliminary contacts with the OpenSSL developers
- Integrate this OTP-based technology with MyProxy and GridLogon
- Integrate this OTP-based technology with WS-SecureConversation
  - L., S. Meder, O. Chevassut and F. Siebenlist, "Secure Password-Based Authenticated Key Exchange for Web Services", submitted to the ACM Workshop on Secure Web Services, Nov 2003.
- Integrate this OTP-based technology with the Authentication and Authorization Fabric for Office of Science
29. Radius Software Availability
- Commercial
  - InfoBlox
  - Interlink
- Open Source
  - Clients
  - Servers
- ESnet RAF test bed usage
  - Argonne: easyRadius
  - ESnet: InfoBlox
  - NERSC: InfoBlox / freeRadius
  - PNNL: N/A
30. Open Issues
- Radius server
  - Transit time / latency
  - Radius vs OTP lockouts
  - Availability of OTP back ends (offline)
- Application issues
  - Name management
    - Local account mapping to RAF names
  - PAM
    - Refresh page tries to re-authenticate
31. Radius Security and Operation
- VPN/IPsec to protect server communication
- Shared secret issues
  - Management
  - Policies needed
  - Architecture / demarcation point
- Robustness / Reliability
  - Replication of management data
  - Load balancing
32. Issues: OTP
- No issues?
- How does a new vendor play?
- Challenge/Response
- SecurID
  - Resync, user experience
- Denial of Service
  - If lockout is enabled, others could lock you out.
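The lockout denial-of-service point above, with one defensive measure the RADIUS layer can apply in front of the OTP back end, in runnable form. This is an added example, not ESnet's or any vendor's RADIUS or OTP code; `OtpBackend`, `SourceGate`, the thresholds, the window, the account and the addresses are constructed for the example.

```python
"""Keeping third-party failures away from an OTP account lockout.

Added example, not ESnet's or a RADIUS vendor's code. With account lockout
enabled on the OTP service, anyone who can reach the RADIUS server can lock a
user out by sending bad codes for that account. One mitigation is a counter on
the RADIUS side keyed by (source, account) that stops forwarding to the OTP
back end once a source's failure budget is used up, so that source's guesses no
longer count toward the back end's account-wide lockout. Thresholds, time values,
the account and the sources below are constructed for the example.
"""
from collections import defaultdict


class OtpBackend:
    """Stand-in for a vendor OTP service that locks an account after N consecutive failures."""

    def __init__(self, codes, lockout_after=3):
        self.codes, self.lockout_after = codes, lockout_after
        self.failures = defaultdict(int)

    def verify(self, user, code):
        if self.failures[user] >= self.lockout_after:
            return "locked"                      # even the right code is refused now
        if self.codes.get(user) == code:
            self.failures[user] = 0
            return "accept"
        self.failures[user] += 1
        return "reject"


class SourceGate:
    """RADIUS-side filter: a per-(source, user) failure budget inside a sliding window."""

    def __init__(self, backend, budget=2, window=300):
        self.backend, self.budget, self.window = backend, budget, window
        self.recent = defaultdict(list)          # (source, user) -> timestamps of forwarded failures

    def auth(self, now, source, user, code):
        key = (source, user)
        self.recent[key] = [t for t in self.recent[key] if now - t < self.window]
        if len(self.recent[key]) >= self.budget:
            return "throttled"                   # rejected locally, never reaches the back end
        result = self.backend.verify(user, code)
        if result == "reject":
            self.recent[key].append(now)
        return result


def scenario(with_gate):
    """Five bad codes from one source, then the real user with the right code from her own host."""
    backend = OtpBackend({"alice": "123456"})
    gate = SourceGate(backend)
    if with_gate:
        attempt = gate.auth
    else:
        attempt = lambda now, source, user, code: backend.verify(user, code)
    outcomes = [attempt(i, "10.0.0.9", "alice", "000000") for i in range(5)]
    outcomes.append(attempt(10, "192.0.2.7", "alice", "123456"))
    return outcomes


if __name__ == "__main__":
    print("no gate :", scenario(False))
    print("with gate:", scenario(True))
```

With the gate, the third and later guesses from `10.0.0.9` are answered locally and the back end sees only two failures, so the account is still usable from another source; without it the fifth guess has already tripped the lockout. In a real deployment the source would be the NAS-IP-Address or Calling-Station-Id attribute of the Access-Request, and the gate only limits the rate: a patient or distributed guesser can still accumulate failures, so the back end's own counter should decay with time rather than persist until an administrator resets it.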
33. Conclusion
- Successful RAF demonstration project
  - Engineering and user experience issues
  - Ready to proceed to pilot
- Need Grid integration
- First step toward Auth Fabric
  - Support more protocols
  - Federation
  - Successor to RADIUS
34. Demo
- http://topaz.es.net/secure/index.html
- http://panda.ccs.ornl.gov/radius/index.html
35. Fusion Grid Firewall Issues
- Michael Helm
- ESnet/LBNL
- GGF-12 Sec Workshop
- 18 Sep 2004
36. FusionGrid Use Case
[Diagram only; no text recovered.]
37. Comments
- Each site is protected by a firewall
- Different firewall technology
- OTP is probably a feature
- Need single sign-on, delegation, autonomous processes.
38. Fusion Grid
- Use case comes from Dave Schissel
- Evolved from discussion of OTP
- 2 of 3 labs in FusionGrid already have a SecurID infrastructure
  - Need direct support
- Need to identify path to solution