ESnet Authentication Fabric Pilot

1 Comment
  • Seamoon Co. Ltd is the first company that made OTP tokens in China. All OTP tokens are researched and developed by ourselves.

    Could you please feel free to check our website, http://www.seamoon.com.cn/index-english.asp, to know more about us? Thanks.

    And we are interested in any of your OEM and ODM projects; Seamoon will be your good partner, providing the best quality hardware OTP
    tokens to you and your customers.

    If you have any interest in our OTP tokens, please do not hesitate to contact me for more information regarding your specific needs.

    And if you are not in charge of this field, could you let me know who is in charge, and let me know his/her e-mail address and telephone
    number? Thanks very much.

    We do expect we can cooperate in the near future, and look forward to your reply soon.


    2010-12-13

    --------------------------------------------------------------------------------

    Thanks,

    Best Regards,

    Alice Liu
    International Marketing
    Tel: (86) 755 8366 0895 Fax: (86) 755 8366 1990
    Mobile No.: (86) 135 1099 9024 Skype: seamoon_alice
    Email: alice@seamoon.com.cn
    Msn: seamoon_alice@163.com
    ShenZhen Seamoon Technology Co., Ltd.

  • Transcript

    • 1. ESnet RADIUS Authentication Fabric. Michael Helm, ESnet/LBNL. GGF-12 Sec Workshop, 18 Sep 2004
    • 2. What Does the RAF Do?
      [Diagram: the sites NERSC, ANL, ORNL and PNNL, each with its own OTP service and a site RADIUS proxy router (r) holding the realm table anl.gov, nersc.gov, pnnl.gov, ornl.gov. The ESnet RAF federation proxy (R) holds the same realms plus es.net. An application sends its RADIUS request to the local proxy r, which routes it through the federation to the realm's home site.]
    • 3. What Is the Grid Integrated RAF?
      [Diagram: components are PAM, ESnet RADIUS with its Auth DB, the OTP services, MyProxy with a credential store, the ESnet Root CA, and a Subordinate CA engine with HSM and OCSP; the Root CA signs the Subordinate CA, which signs proxies. Flow: 1 log in; 2 ask AuthN, with an OTP hint; 3 OTP verification; 4 Auth OK, returning the name string, and sign proxy; 5 receive proxy cert; 6 (optional) store proxy in MyProxy; 7 execute. From the SIPS proposal, Apr 2004; a special case of GridLogon.]
    • 4. RAF Benefits & Features
      • O(n) peering
      • Authorization decision controlled by site
        • Sound familiar?
      • Single token per person
      • Interoperability on an open, standard, industry-supported AAA protocol
      • WAN use of RADIUS (RFC 2865)
      • Federation
    • 5. ESnet RAF Architecture
      [Diagram: the ESnet RAF site (AuthN authority with OTP, RADIUS) and sites 1, 2 … n, each with its own AuthN authority (OTP), RADIUS server, Application 1 and Rc. Each site has a RADIUS proxy router; the proxy routers are connected over the IP network inside an IPsec VPN, and replication runs between the RADIUS servers.]
    • 6. RAF Current Issues
      • Reliability – Replication
        • Currently RAF issue, but also applies to site RADIUS/OTP
      • * Federation
      • * Application Integration
        • Where’s our “Grid Integration” solution?
        • PAM – more layers!
      • * Name management: (Fed/App Integration)
        • Essential issue for Grid integration
      • *? OTP Service Reliability
        • “Transit time”; resync; loss
      • * Federation
      • *? Integrity & Security
        • VPN
        • See later
      • Market research – size/scope of deployment
      • * = Grid issue. Current horizon: 6 – 18 months
    • 7. RAF Current Issues
      [Diagram: the federation diagram of slide 2 (sites NERSC, ANL, ORNL, PNNL with OTP services and proxy routers r, the ESnet RAF federation proxy R and the realms anl.gov, nersc.gov, pnnl.gov, ornl.gov), annotated with the issue areas: Reliability/Replication, Integrity/Security, OTP/C&R, Federation, Transit time, Application Integration.]
    • 8. RAF Long Term Issues
      • RAF support for other protocols
        • Kerberos
        • Web services
        • EAP/TLS
      • Myproxy Protocol
      • End to End integrity
        • “AuthA” protocol
      • Application integration
        • Always an issue
        • Architecture: fan-out/gateway
        • Firewalls
      • RADIUS
      • * = Grid issue. Future horizon: 12 – 48 months
    • 9. AuthA
      • An OTP-based key-exchange technology that offers protection against:
        • capture of the user’s password
        • capture of the server’s password-database
        • dictionary attacks on the user’s password
        • denial-of-service attacks
      • An OTP-based DH key-exchange technology that allows users to connect from an un-trusted terminal and still preserve the privacy of data transmitted on the wire:
        • confidentiality, authenticity, and integrity of the data
        • mutual authentication of the user and the server
      • Technology publication :
        • M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange”, submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
    • 10. RAF Collaboration Introduction
      • Motivation: Eliminate reusable passwords (movement in US DOE Science institutions, and others)
      • Collaborators: Steve Chan & “NOPS” group; ESnet PKI team (now ATF); vendors; others
      • Technology: OTP (“One time password”); RADIUS; applications
    • 11. Collaboration Introduction (3)
      • Hacking incidents in late 2003-2004
      • Problem of re-usable passwords
        • Not just for accounts, but to unlock key pairs and other authorizations
      • Grid
        • Investment
        • threats
    • 12. Grid Integrated RADIUS Authentication Fabric
      • RADIUS (RFC 2865, 3579 (EAP))
        • Federation
        • Proxy
        • Widely used and supported
      • OTP (One Time Password)
        • Multiple vendor support
        • Single use/challenge-response support
        • “Site” responsibility
      • Grid integration: “SIPS”
        • On demand proxy provision
        • “MyProxy”
        • NB: each application has its own story
    • 13. Collaboration Introduction (4)
      • Collaborators: Steve Chan & NERSC requirements doc (Apr 2004)
        • http://www.doegrids.org/CA/Research/OTP-final.pdf
      • ESnet PKI/ATF
        • http://www.doegrids.org/CA/Research/GIRAF.pdf
        • T Genovese, M Helm, R Morelli, D Muruganantham, J Webster
      • NOPS: NERSC, ESnet, ANL, PNNL, ORNL
      • “CryptoGRID”: O Chevassut, F Siebenlist, A Essiari
      • RADIUS vendor: InfoBlox (Edwin Menor)
      • Status: at milestone 2.3, prep 2.4 (pilot)
      • NOPS group working OTP issues
    • 14. Collaboration Introduction (5)
      • Hacking incidents in late 2003-2004
      • Problem of re-usable passwords
        • Not just for accounts, but to unlock key pairs and other authorizations
      • Burden of multiple tokens
      • Grid
        • Investment
        • Threats
    • 15. What Does the RAF Do?
      [Diagram, as on slide 2: the sites NERSC, ANL, ORNL and PNNL, each with its own OTP service and a site RADIUS proxy router (r) holding the realm table anl.gov, nersc.gov, pnnl.gov, ornl.gov; the ESnet RAF federation proxy (R) holds the same realms plus es.net and routes a site proxy's RADIUS request to the realm's home site.]
    • 16. What Does the RAF Do? (2) Local Exclusion of a Realm
      [Diagram, as on slide 15: the ESnet RAF federation still carries anl.gov, nersc.gov, pnnl.gov, ornl.gov and es.net, but one site's RADIUS proxy router drops a federation realm from its own realm table, so that realm's users are not authenticated at that site.]
    • 17. What Does the RAF Do? (3) goodlab.org Joins the Federation
      [Diagram, as on slide 15: goodlab.org, with its own OTP service and proxy router (r), is added to the ESnet RAF realm table (anl.gov, nersc.gov, pnnl.gov, ornl.gov, es.net, goodlab.org). Each existing site's table shows “goodlab.org?” and goodlab.org's table shows “anl.gov?”, “nersc.gov?”, “pnnl.gov?”, “ornl.gov?”: each site decides for itself whether to accept the new realm.]
    • 18. What Does the RAF Do? (4) Site Manages Separate Relationship
      [Diagram, as on slide 17, with one addition: a site's proxy router (r) also peers directly with an external XAuth service for the realm vendi.com, a relationship the site manages itself outside the ESnet RAF federation.]
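To make the realm policies of slides 15 to 18 concrete, here is an added example (not from the deck or from any ESnet software) of how a site's RADIUS proxy router could decide where an Access-Request goes and, separately, whether the site authorizes the user (slide 4, "authorization decision controlled by site"; slide 30, local account mapping). The realm and service names are the deck's; the routing order, the `SiteProxyRouter` class and the destinations `local-otp`, `esnet-raf` and `reject` are assumptions of this example.

```python
# Added example (not from the slides): a site's RADIUS proxy router applying
# the realm policies of slides 15-18. Destination names, routing order and the
# RAF-name -> local-account map are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class SiteProxyRouter:
    local_realm: str                                    # this site's realm
    federation: set                                     # realms carried by the ESnet RAF
    excluded: set = field(default_factory=set)          # slide 16: locally excluded realms
    direct_peers: dict = field(default_factory=dict)    # slide 18: site-managed services
    account_map: dict = field(default_factory=dict)     # slide 30: RAF name -> local account

    def route(self, user_name: str) -> tuple:
        """Decide where the Access-Request for User-Name 'user@realm' is sent.

        Returns (destination, realm). Order matters: a site-managed peer is
        consulted before the federation, and a locally excluded realm is
        rejected even though the federation still carries it.
        """
        if "@" not in user_name:
            return ("local-otp", self.local_realm)      # bare name: local user
        realm = user_name.rsplit("@", 1)[1].lower()
        if realm == self.local_realm:
            return ("local-otp", realm)                 # this site's own OTP service
        if realm in self.direct_peers:
            return (self.direct_peers[realm], realm)    # outside the federation
        if realm in self.excluded:
            return ("reject", realm)
        if realm in self.federation:
            return ("esnet-raf", realm)                 # forward to the RAF proxy
        return ("reject", realm)                        # unknown realm

    def authorize(self, user_name: str, authn_ok: bool):
        """Slide 4: the authorization decision stays with the site.

        A remote Access-Accept only proves that the home site verified the
        OTP; this site still maps the RAF name to a local account, or denies.
        """
        if not authn_ok:
            return None
        return self.account_map.get(user_name.lower())
```

Adding a realm to `federation` models slide 17 (goodlab.org joins); adding it to `excluded` models slide 16; an entry in `direct_peers` models the vendi.com relationship of slide 18.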
    • 19. ESnet RAF Architecture
      [Diagram, as on slide 5: the ESnet RAF site (AuthN authority with OTP, RADIUS) and sites 1, 2 … n, each with its own AuthN authority (OTP), RADIUS server, Application 1 and Rc; each site has a RADIUS proxy router, the proxy routers are connected over the IP network inside an IPsec VPN, and replication runs between the RADIUS servers.]
    • 20. RAF Benefits & Features
      • O(n) peering
      • Authorization decision controlled by site
        • Sound familiar?
      • Single token per person
      • Interoperability on an open, standard, industry-supported AAA protocol
      • WAN use of RADIUS
    • 21. RAF Current Issues
      [Diagram, as on slide 7: the federation diagram (sites NERSC, ANL, ORNL, PNNL with OTP services and proxy routers r, the ESnet RAF federation proxy R and the realms anl.gov, nersc.gov, pnnl.gov, ornl.gov), annotated with the issue areas: Reliability/Replication, Integrity/Security, OTP/C&R, Federation, Transit time, Application Integration.]
    • 22. RAF Current Issues
      • Reliability – Replication
        • Currently RAF issue, but also applies to site RADIUS/OTP
      • * Federation
      • * Application Integration
        • Where’s our “Grid Integration” solution?
        • PAM – more layers!
      • * Name management: (Fed/App Integration)
        • Essential issue for Grid integration
      • *? OTP Service Reliability
        • “Transit time”; resync; loss
      • * Federation
      • *? Integrity & Security
        • VPN
        • See later
      • Market research – size/scope of deployment
      • * = Grid issue. Current horizon: 6 – 18 months
    • 23. What Is the Grid Integrated RAF?
      [Diagram, as on slide 3: PAM, ESnet RADIUS with its Auth DB, the OTP services, MyProxy with a credential store, the ESnet Root CA, and a Subordinate CA engine with HSM and OCSP; the Root CA signs the Subordinate CA, which signs proxies. Flow: 1 log in; 2 ask AuthN, with an OTP hint; 3 OTP verification; 4 Auth OK, returning the name string, and sign proxy; 5 receive proxy cert; 6 (optional) store proxy in MyProxy; 7 execute. From the SIPS proposal, Apr 2004; a special case of GridLogon.]
    • 24. RAF Long Term Issues
      • RAF support for other protocols
        • Kerberos
        • Web services
        • EAP/TLS
      • Myproxy Protocol
      • End to End integrity
        • “AuthA” protocol
      • Application integration
        • Always an issue
        • Architecture: fan-out/gateway
        • Firewalls
      • RADIUS
      • * = Grid issue. Future horizon: 12 – 48 months
    • 25. Password-based Authentication Technology
      • One-Time Password (OTP) authentication (e.g. S/Key, RSA SecurID):
        • protects against passive attacks based on replaying captured reusable passwords (i.e. passive eavesdropping/replay attacks)
      • Password-authenticated key-exchange (e.g. SRP, AuthA)
        • protect against active attacks such as session hijacking
        • provide privacy of transmitted data
      • => OTP-based authenticated key-exchange for the Grid
    • 26. OTP-based Authenticated Key-Exchange
      • A single-use password is derived from the user’s secret pass-phrase
      • The password is used to encrypt the flows of the (Diffie-Hellman) key-exchange at the end of which a session-key is exchanged
      • The session-key implements an encrypted/authenticated channel
      Client                                            Server
      Derive one-time password pw’ from pass-phrase
        ---- Encrypt(pw’, g^x) ---->
                                                        Derive one-time password pw’ from stored password pw
        <---- Encrypt(pw’, g^y) ----
      Compute session key: sk = g^xy                    Compute session key: sk = g^xy
        ---- Encrypt(sk, pw’) ---->
                                                        Update the stored password: pw = pw’
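The three flows of slide 26, as an added toy walk-through (not code from the deck, and not the construction of the cited Abdalla, Chevassut and Pointcheval paper). The one-time-password step `pw’ = H(pw)`, the SHA-256 keystream used for `Encrypt`, and the 127-bit group are constructed stand-ins so the exchange can be followed end to end; the point it shows is that neither pw’ nor sk ever travels in clear, and that the server's rolling forward of pw makes a replayed flow with a stale pw’ fail to agree on a key.

```python
# Added example (not from the slides or the cited paper): a toy walk-through of
# the exchange on slide 26. The OTP chain step pw' = H(pw) and the SHA-256
# keystream "encryption" are constructed stand-ins chosen so the flows can be
# followed end to end; the group is far too small for real use.
import hashlib
import secrets

P = 2**127 - 1      # toy prime modulus (constructed; not a real DH group)
G = 5
ELEM = 16           # bytes needed to carry a group element (< 2**128)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def next_otp(pw: bytes) -> bytes:
    """pw' = H(pw): both sides step the one-time-password chain forward."""
    return h(b"otp", pw)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Symmetric 'Encrypt(key, data)': XOR with a SHA-256 keystream."""
    blocks = len(data) // 32 + 1
    stream = b"".join(h(key, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def enc_elem(key: bytes, v: int) -> bytes:
    return xor_stream(key, v.to_bytes(ELEM, "big"))

def dec_elem(key: bytes, blob: bytes) -> int:
    return int.from_bytes(xor_stream(key, blob), "big")

def run_exchange(client_pw: bytes, server_pw: bytes):
    """Run the three flows; returns (client_sk, server_sk, new_server_pw).

    The keys agree only if both sides derived the same pw'. No flow carries
    pw' or sk in clear, and the server rolls its stored password forward
    (pw = pw') at the end, so a replay with a stale pw' fails.
    """
    # Client: derive pw' from the pass-phrase, send Encrypt(pw', g^x)
    c_otp = next_otp(client_pw)
    x = secrets.randbelow(P - 2) + 1
    flow1 = enc_elem(c_otp, pow(G, x, P))
    # Server: derive pw' from stored pw, recover g^x, answer Encrypt(pw', g^y)
    s_otp = next_otp(server_pw)
    y = secrets.randbelow(P - 2) + 1
    gx = dec_elem(s_otp, flow1)
    flow2 = enc_elem(s_otp, pow(G, y, P))
    server_sk = h(b"sk", pow(gx, y, P).to_bytes(ELEM, "big"))
    # Client: recover g^y, compute sk = g^xy, send Encrypt(sk, pw')
    gy = dec_elem(c_otp, flow2)
    client_sk = h(b"sk", pow(gy, x, P).to_bytes(ELEM, "big"))
    flow3 = xor_stream(client_sk, c_otp)
    # Server: update the stored password pw = pw' from the last flow
    new_server_pw = xor_stream(server_sk, flow3)
    return client_sk, server_sk, new_server_pw
```

Running `run_exchange(pw, pw)` yields matching keys and returns `next_otp(pw)` as the server's new stored password; running it again with the old `pw` on the client side against the updated server password yields keys that do not match.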
    • 27. Accomplishments
      • An OTP-based key-exchange technology that offers protection against:
        • capture of the user’s password
        • capture of the server’s password-database
        • dictionary attacks on the user’s password
        • denial-of-service attacks
      • An OTP-based key-exchange technology that allows users to connect from an un-trusted terminal and still preserve the privacy of data transmitted on the wire:
        • confidentiality, authenticity, and integrity of the data
        • mutual authentication of the user and the server
      • Technology publication :
        • M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange”, submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
    • 28. Work in Progress
      • Make this OTP-authenticated key-exchange a cipher suite for TLS
        • development of a patch for OpenSSL
        • investigate the IP property issue (i.e. US Patents 5,241,599 and 5,440,635)
        • preliminary contacts with the OpenSSL developers
      • Integrate this OTP-based technology with MyProxy and GridLogon
      • Integrate this OTP-based technology with WS-SecureConversation
        • L. , S. Meder, O. Chevassut, F. Siebenlist, “Secure Password-Based Authenticated Key Exchange for Web Services”, submitted to ACM Workshop on Secure Web Services, Nov 2003.
      • Integrate this OTP-based technology with the Authentication and Authorization Fabric for Office Science
    • 29. Radius Software availability
      • Commercial
        • InfoBlox
        • Interlink
      • Open Source
        • Clients
        • Servers
      • ESnet RAF test bed usage
        • Argonne = easyRadius
        • ESnet = InfoBlox
        • NERSC = InfoBlox/freeRadius
        • PNNL = N/A
    • 30. Open Issues
      • Radius Server
        • Transit time/latency
        • Radius Vs OTP lockouts
        • Availability of OTP back ends offline
      • Application issues
        • Name Management
          • Local Acct mapping to RAF names
        • PAM
          • Refresh page tries to re-authenticate
    • 31. Radius Security and Operation
      • VPN/IPSec to protect server communication
      • Shared Secret issues
        • Management
        • Policies needed
        • Architecture/demarcation point
      • Robustness/Reliability
        • Replication of management data
        • Load balancing
    • 32. Issues: OTP
      • No issues
      • How does a new vendor play?
      • Challenge/Response
      • SecurID
        • Resync, User’s experience
      • Denial of Service
        • If lockout is enabled, others could lock you out.
    • 33. Conclusion
      • Successful RAF demonstration project
      • Engineering and User experience issues
      • Ready to proceed to pilot
      • Need Grid Integration
      • First step toward Auth Fabric
        • Support more protocols
        • Federation
        • Successor to RADIUS
    • 34. Demo
      • http://topaz.es.net/secure/index.html
      • http://panda.ccs.ornl.gov/radius/index.html
    • 35. Fusion Grid Firewall Issues Michael Helm ESnet/LBNL GGF-12 Sec Workshop 18 Sep 2004
    • 36. FusionGrid Use Case
    • 37. Comments
      • Each site is protected by a firewall
      • Different firewall technology
      • OTP is probably a feature
      • Need single sign-on, delegation, autonomous processes….
    • 38. Fusion Grid
      • Use case comes from Dave Schissel
      • Evolved from discussion of OTP
        • 2 of 3 labs in FusionGrid already have a SecurID infrastructure
      • Need direct support
      • Need to identify path to solution
