MyProxy: A Multi-Purpose Grid Authentication Service - PowerPoint PPT Presentation

1
MyProxy: A Multi-Purpose Grid Authentication Service
  • Jim Basney, Senior Research Scientist, NCSA, jbasney@ncsa.uiuc.edu

2
What is MyProxy?
  • A service for managing X.509 PKI credentials
    • A credential repository and certificate authority
  • An Online Credential Repository
    • Issues short-lived X.509 Proxy Certificates
    • Long-lived private keys never leave the server
  • An Online Certificate Authority
    • Issues short-lived X.509 End Entity Certificates
  • Supporting multiple authentication methods
    • Passphrase, Certificate, PAM, SASL, Kerberos
  • Open Source Software
    • Included in Globus Toolkit, VDT, and CoG Kits
    • C, Java, Python, and Perl clients available
    • Contributions from EDG, UVA, LBNL, and others

3
MyProxy Logon
  • Authenticate to retrieve PKI credentials
    • End Entity or Proxy Certificate
    • Trusted CA Certificates
    • Certificate Revocation Lists (CRLs)
  • MyProxy maintains the user's PKI context
    • Users don't need to manage long-lived credentials
    • Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
    • CA certificates and CRLs updated automatically at login

4
MyProxy Authentication
  • Key Passphrase
  • X.509 Certificate
    • Used for credential renewal
  • Pluggable Authentication Modules (PAM)
    • Kerberos password
    • One Time Password (OTP)
    • Lightweight Directory Access Protocol (LDAP) password
  • Simple Authentication and Security Layer (SASL)
    • Kerberos ticket (SASL GSSAPI)

5
MyProxy Online Certificate Authority
  • Issues short-lived X.509 End Entity Certificates
  • Leverages MyProxy authentication mechanisms
    • Compatible with existing MyProxy clients
  • Ties in to site authentication and accounting
    • Using PAM and/or Kerberos authentication
    • Map username to certificate subject via gridmap file or LDAP query
  • Avoid need for long-lived user keys
  • Server can function as both CA and repository
    • Issues certificate if no credentials for user are stored

6
MyProxy Online Credential Repository
  • Stores X.509 End Entity and Proxy credentials
    • Private keys encrypted with user-chosen passphrases
    • Credentials may be stored directly or via proxy delegation
    • Users can store multiple credentials from different CAs
  • Access to credentials controlled by user and administrator policies
    • Set authentication requirements
    • Control whether credentials can be retrieved directly or if only proxy delegation is allowed
    • Restrict lifetime of retrieved proxy credentials
  • Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.
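How the administrator-side policies on this slide, and the CA wiring from the previous slide, are expressed in myproxy-server.config. This is an added example, not the configuration file shipped with MyProxy: the directive names are MyProxy's own, but the DN patterns, hostnames, file paths and the lifetime value are assumptions chosen for illustration.

```conf
# myproxy-server.config excerpt (added example; DN patterns, hosts and paths are assumptions)

# --- Repository policy ---
# Who may store credentials: regex patterns matched against the client's X.509
# identity in the TLS handshake of myproxy-init / myproxy-store.
accepted_credentials "/O=Example Grid/*"

# Who may retrieve a proxy with the credential passphrase (myproxy-logon).
# authorized_retrievers bounds what owners may grant; default_retrievers is
# the policy for credentials stored without a per-credential -r.
authorized_retrievers "/O=Example Grid/*"
default_retrievers    "/O=Example Grid/*"

# Who may renew a proxy by presenting an existing credential instead of the
# passphrase (the Certificate-based Renewal scenario later in the talk).
authorized_renewers "/O=Example Grid/CN=renewal-service.example.org"

# Clients allowed to retrieve a proxy for a user WITHOUT the passphrase, on the
# strength of their own certificate (the Trusted Portal scenario). Keep short.
trusted_retrievers "/O=Example Grid/CN=portal.example.org"

# Server-side cap on the lifetime of delegated proxies, in seconds (12 hours),
# applied regardless of the lifetime the client asks for.
max_proxy_lifetime 43200

# --- Online CA ---
# Check site usernames/passwords through PAM (service name "myproxy").
pam "required"
pam_id "myproxy"

# Sign short-lived end entity certificates with this CA key; map the
# authenticated username to a subject DN through the gridmap-style file.
certificate_issuer_cert "/etc/grid-security/myproxy/ca-cert.pem"
certificate_issuer_key  "/etc/grid-security/myproxy/ca-key.pem"
certificate_mapfile     "/etc/grid-security/myproxy/mapfile"
```

The user-side half of the policy is set when a credential is stored: `myproxy-init -r <dn-pattern>` restricts who may retrieve it with the passphrase and `-R <dn-pattern>` who may renew it, and both are intersected with the server's authorized_* lists, so the administrator bounds what any user can grant.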

7
Talk Outline
  • MyProxy Introduction
  • PKI Introduction and MyProxy CA
  • Proxy Certificates and MyProxy Repository
  • MyProxy Scenarios
    • Administratively Loaded Credentials
    • Registration Portals
    • Web Portal Authentication and Delegation
    • Password-based Delegation
    • Credential Renewal
    • Web Single Sign-On (SSO)
  • Demos
  • Conclusion

8
PKI Overview
  • Public Key Cryptography
    • Sign with private key, verify signature with public key
    • Encrypt with public key, decrypt with private key
  • Key Distribution
    • Who does a public key belong to?
    • Certification Authority (CA) verifies the user's identity and signs a certificate
    • Certificate is a document that binds the user's identity to a public key
  • Authentication
    • Prove possession of the private key: signature over h(random, …)
[Figure: the CA's self-signed certificate (Issuer: CA, Subject: CA) signs the user's certificate (Issuer: CA, Subject: Jim)]
9
PKI Authentication
Standard SSL/TLS Protocol (summarized)
[Figure: message sequence between Client and Server]
  1. Client → Server: random_c
  2. Server → Client: certificate_s, random_s
  3. Client → Server: certificate_c, secret encrypted under pubkey_s, signature_c over h(random_c, random_s, …)
  4. Server decrypts the secret with its private key; both sides derive session keys from h(secret)
10
PKI Enrollment
[Figure: Applicant and CA]
  1. Applicant generates a new key pair
  2. Applicant sends a certificate request (the public key and claimed identity) to the CA
  3. CA verifies the identity and signs a new end entity certificate
  4. CA returns the certificate; the user now holds a private key and a certificate
11
MyProxy CA with PAM
[Figure: Client, MyProxy Server (PAM, gridmap, CA key), LDAP Server, RADIUS Server, Kerberos KDC]
  1. Client and MyProxy Server perform a TLS handshake
  2. Client sends username and password; the server checks them through PAM against an LDAP server, a RADIUS server or the Kerberos KDC
  3. Client generates a key pair and sends a certificate request
  4. Server maps the username to a subject DN with the gridmap file and signs the certificate with the CA key
  5. Server returns the certificate to the client
12
MyProxy CA with Kerberos
[Figure: Client, Kerberos KDC, MyProxy Server (SASL, gridmap, CA key), LDAP Server, Grid Service]
  1. Client obtains a Kerberos ticket from the KDC
  2. Client and MyProxy Server perform a TLS handshake, then the client authenticates with SASL/GSSAPI/Kerberos using the ticket
  3. Client generates a key pair and sends a certificate request
  4. Server maps the Kerberos principal to a subject DN (gridmap file or LDAP DN lookup) and signs the certificate with the CA key
  5. Server returns the certificate; the client then authenticates to the Grid Service with X.509
13
PAM/SASL Issues
  • PAM Conversation
    • PAM modules can require multiple rounds of user interaction
    • No standard protocol
    • SASL/PLAIN doesn't support multiple rounds
    • Need something like the SSH keyboard-interactive protocol
  • SASL client-side setup
    • Requires SASL library and configuration of SASL mechanisms
    • Alternative: native Kerberos protocol support

14
Proxy Credentials
  • RFC 3820 Proxy Certificate Profile
  • Associate a new private key and certificate with existing credentials
  • Short-lived, unencrypted credentials for multiple authentications in a session
    • Restricted lifetime in certificate limits vulnerability of unencrypted key
  • Credential delegation (forwarding) without transferring private keys
[Figure: signature chain: the CA certificate signs the end entity certificate, which signs Proxy A, which signs Proxy B]
15
Proxy Delegation
[Figure: Delegator (holding a proxy credential) and Delegatee]
  1. Delegatee generates a new key pair
  2. Delegatee sends a proxy certificate request (the new public key) to the delegator
  3. Delegator signs a new proxy certificate with its own private key
  4. Delegator returns the proxy certificate; the delegatee now holds a proxy credential (its new private key plus the certificate chain), and no private key crossed the wire
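The enrollment, delegation and challenge-response steps of the PKI Enrollment, PKI Authentication and Proxy Delegation slides, carried out end to end with nothing but the openssl command line. This is an added example, not MyProxy or Globus code: there is no MyProxy server in it (the delegator and delegatee are the same shell), and the CA and user names, the numeric CNs used for the proxy subjects, and the lifetimes are made up for the demo. It goes slightly beyond the slide by delegating twice (EE → Proxy A → Proxy B) and by checking, as a relying party would, that the chain is rejected unless proxy certificates are explicitly allowed and that a signature made with the wrong key fails.

```shell
#!/bin/sh
# Added example (not MyProxy/Globus code): RFC 3820 proxy delegation plus
# challenge-response proof of possession using only the openssl CLI.
# Subjects, CN serial values and lifetimes are assumptions for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# openssl req needs a distinguished_name section even when -subj is used;
# the remaining sections are selected with -extensions.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ee]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[v3_proxy]
# RFC 3820: proxyCertInfo present and critical, no CA:TRUE, and the subject
# must be the issuer's subject plus exactly one extra CN.
keyUsage = critical, digitalSignature, keyEncipherment
proxyCertInfo = critical, language:id-ppl-inheritAll
EOF

# PKI Enrollment: CA key/cert, then Jim's long-lived end entity (EE) credential.
openssl req -x509 -new -config ext.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 365 -subj "/O=Example Grid/CN=Example CA" 2>/dev/null
openssl req -new -config ext.cnf -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
    -subj "/O=Example Grid/CN=Jim" 2>/dev/null
openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions v3_ee -out ee.crt 2>/dev/null

# Proxy Delegation: the delegatee makes the key pair and the request, the
# delegator signs with ITS key. The delegator's private key never moves.
#   $1 issuer cert   $2 issuer key   $3 proxy subject   $4 output basename
delegate_proxy() {
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
        -keyout "$4.key" -out "$4.csr" -subj "$3" 2>/dev/null           # delegatee
    openssl x509 -req -in "$4.csr" -CA "$1" -CAkey "$2" -CAcreateserial -days 1 \
        -extfile ext.cnf -extensions v3_proxy -out "$4.crt" 2>/dev/null  # delegator
}
delegate_proxy ee.crt ee.key "/O=Example Grid/CN=Jim/CN=1000001" proxyA
delegate_proxy proxyA.crt proxyA.key "/O=Example Grid/CN=Jim/CN=1000001/CN=1000002" proxyB
cat ee.crt proxyA.crt > chain.pem    # intermediates a relying party is handed

# Relying-party chain check: proxies are only accepted when explicitly
# allowed, and openssl then enforces the RFC 3820 subject/extension rules.
verify_proxy() {     # $1 = cert; exit 0 only if the whole proxy chain verifies
    openssl verify -allow_proxy_certs -CAfile ca.crt -untrusted chain.pem "$1"
}
verify_no_proxy() {  # same check with the default (proxies disallowed): must fail
    openssl verify -CAfile ca.crt -untrusted chain.pem "$1"
}

# PKI Authentication: the service sends a random challenge, the client signs
# h(challenge) with the proxy's private key, the service verifies with the
# public key taken from the proxy certificate it has just validated.
prove_possession() { # $1 = signer's key, $2 = peer cert; exit 0 iff verified
    openssl rand -hex 32 > challenge.txt                                # service
    openssl dgst -sha256 -sign "$1" -out challenge.sig challenge.txt     # client
    openssl x509 -in "$2" -noout -pubkey > peer.pub                      # service
    openssl dgst -sha256 -verify peer.pub -signature challenge.sig challenge.txt
}

verify_proxy proxyB.crt                          # prints "proxyB.crt: OK"
if verify_no_proxy proxyB.crt >/dev/null 2>&1; then
    echo "unexpected: proxy chain accepted without -allow_proxy_certs" >&2; exit 1
fi
prove_possession proxyB.key proxyB.crt           # prints "Verified OK"
if prove_possession ee.key proxyB.crt >/dev/null 2>&1; then
    echo "unexpected: signature from the wrong key verified" >&2; exit 1
fi
openssl x509 -in proxyB.crt -noout -subject -issuer
```

Map the roles onto the MyProxy exchanges that follow: in a Put the MyProxy server plays the delegatee (it generates the key pair and sends the request, the client signs), in a Get the client is the delegatee and the server signs with the stored key, so in neither direction does a private key leave the host that generated it.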
16
MyProxy Put
[Figure: Client (holding a private key and certificate chain) and MyProxy Server]
  1. TLS handshake; the client authenticates with its certificate
  2. Server generates a key pair and sends a certificate request
  3. Client signs it and returns a proxy certificate chain
  4. Client sends username, password and policy for the stored credential
  5. Server stores the new private key (encrypted under the password) together with the cert chain; the client's own private key never left the client
17
MyProxy Get
[Figure: Client, MyProxy Server (holding the stored private key and cert chain), Grid Service]
  1. TLS handshake
  2. Client sends username and password
  3. Client generates a key pair and sends a certificate request
  4. Server unlocks the stored private key with the password, signs a proxy certificate and returns the proxy cert chain
  5. Client now holds a proxy credential (private key plus cert chain) and authenticates to the Grid Service with X.509
18
MyProxy Store
[Figure: Client (holding a certificate and private key) and MyProxy Server]
  1. TLS handshake; the client authenticates with its certificate
  2. Client sends username and policy
  3. Client uploads the certificate and the passphrase-encrypted private key itself, instead of delegating a proxy
  4. Server stores the certificate and private key as received
19
MyProxy Retrieve
[Figure: Client, MyProxy Server (holding the stored private key and cert chain), Grid Service]
  1. TLS handshake
  2. Client sends username and password
  3. Server returns the stored certificate chain and private key directly (no proxy delegation)
  4. Client holds the end entity credential itself and authenticates to the Grid Service with X.509
20
Administratively Loaded Creds
[Figure: Certificate Authority, MyProxy Server, Client, Grid Service]
  1. The Certificate Authority issues the user's certificate and private key and loads them into the MyProxy Server; the user never handles the long-lived key
  2. Client: TLS handshake with MyProxy, then username and password
  3. Client sends a certificate request; the server signs it with the stored key and returns the proxy certificate chain
  4. Client holds a proxy (private key plus cert chain) and authenticates to the Grid Service with X.509
21
User Registration Portal
[Figure: Browser, Registration Portal (with User DB), Certificate Authority, MyProxy Server, Client, Grid Service]
  1. User registers in the browser (TLS handshake, username and password); the Registration Portal records the account in its User DB
  2. The portal obtains a certificate for the user from the Certificate Authority and stores the certificate and private key in the MyProxy Server under the username
  3. Later, the user's Client does a TLS handshake with MyProxy, sends username and password and a certificate request, and receives a proxy certificate chain
  4. Client holds a proxy (private key plus cert chain) and authenticates to the Grid Service with X.509
22
Gateway Portal
[Figure: Browser, Portal, Grid Service]
  1. Browser: TLS handshake with the portal, then username and password
  2. The portal authenticates to the Grid Service with its own X.509 credential; the service sees the portal's identity, not the user's
23
Trusted Portal
[Figure: Browser, Portal (with User DB), MyProxy, Grid Service]
  1. Browser: TLS handshake with the portal, username and password, checked against the portal's User DB
  2. Portal authenticates to MyProxy with its own X.509 credential and sends the username and a cert request; no user password is sent
  3. MyProxy, configured to trust the portal's certificate, signs and returns a proxy cert for the user; the portal holds the proxy key and cert
  4. Portal authenticates to the Grid Service with the user's proxy (X.509)
24
Password-based Portal Auth
[Figure: Browser, Portal, MyProxy, Grid Service]
  1. Browser: TLS handshake with the portal, then username and password
  2. Portal authenticates to MyProxy with its X.509 credential and forwards the user's username and password along with a cert request
  3. MyProxy checks the password against the stored credential and returns a proxy cert; the portal holds the proxy key and cert
  4. Portal authenticates to the Grid Service with the user's proxy (X.509)
25
Password-based Delegation
[Figure: Delegator, Delegatee, MyProxy]
  1. Delegator: TLS handshake with MyProxy using its certificate; MyProxy sends a certificate request, the delegator signs the proxy certificate and stores it under a username with password = random (a fresh random string)
  2. Delegator sends the username and the random password to the delegatee
  3. Delegatee: TLS handshake with MyProxy, sends the username, password = random and a certificate request; MyProxy returns the proxy certificate
  4. Delegatee now holds a proxy credential (certificate plus private key) delegated from the delegator without a direct delegation exchange between the two
26
Password-based Renewal
[Figure: Client, Condor-G, GRAM Gatekeeper, Job, MyProxy]
  1. Client submits a job to Condor-G with a proxy and the user's MyProxy password
  2. Condor-G forwards the job and proxy to the GRAM Gatekeeper, which starts the Job with the proxy
  3. Before the proxy expires, Condor-G uses the password to obtain a fresh proxy from MyProxy
  4. The renewed proxy is pushed to the Gatekeeper and the Job, so long-running jobs outlive the original short-lived proxy
27
Certificate-based Renewal
[Figure: Client, Workload Management Service, Condor-G, GRAM Gatekeeper, Job, Renewal Service (with its own key and cert), MyProxy (with policy)]
  1. Client submits the job with a proxy to the Workload Management Service, which passes it to Condor-G, the GRAM Gatekeeper and finally the Job
  2. The Renewal Service authenticates to MyProxy with its own key and cert (X.509) and presents the user's proxy; MyProxy's policy authorizes the service as a renewer and returns a fresh proxy
  3. The renewed proxy flows back through the services to the running Job; no user password is involved
28
MyProxy and Web SSO
[Figure: Browser, PURSE, Pubcookie Login Server, MyProxy, Portal A, Portal B, Grid Service. PURSE (user registration) obtains the user's cert and loads it into MyProxy, protected by the user's password; the browser logs in once with the password at the Pubcookie Login Server and receives a cookie; the cookie is presented to Portal A and Portal B; each portal obtains a cert for the user from MyProxy and authenticates to the Grid Service with X.509]
29
SSO for Browser and Application
[Figure: Browser, Portal, JWS (Java Web Start) Application, MyProxy Server, Grid Service. The browser authenticates to the Portal and receives a cookie; the Portal launches the JWS Application and passes it the cookie; the Application presents the cookie to the MyProxy Server, receives a cert, and authenticates to the Grid Service with X.509]
30
SSO for Browser and Application
[Figure: Browser, Portal, JWS (Java Web Start) Application, MyProxy Server, Grid Service. The browser authenticates to the Portal; the Portal stores a cert for the user in the MyProxy Server under password = random and hands that random password to the JWS Application; the Application authenticates to the MyProxy Server with the random password, receives the cert, and authenticates to the Grid Service with X.509]
31
Demonstrations
32
Conclusion
  • MyProxy: A Multi-Purpose Grid Authentication Service
    • Used in many delegation and single sign-on scenarios
  • MyProxy provides practical authentication solutions
    • Minimize changes to existing software and protocols
    • Leverage community standards
      • PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
  • Active MyProxy open source community
    • Deploy new developments via MyProxy
    • Benefit from the work of others

33
  • Thank you! Obrigado!