ESnet RADIUS Authentication Fabric - PowerPoint PPT Presentation

About This Presentation
Title:

ESnet RADIUS Authentication Fabric

Description:

ESnet RADIUS Authentication Fabric Michael Helm ESnet/LBNL GGF-12 Sec Workshop 18 Sep 2004 What Does the RAF Do? RAF Benefits & Features O(n) peering Authorization ... – PowerPoint PPT presentation

Number of Views:60
Avg rating:3.0/5.0
Slides: 16
Provided by: Michael1999
Category:

less

Transcript and Presenter's Notes

Title: ESnet RADIUS Authentication Fabric


1
ESnet RADIUS Authentication Fabric
  • Michael Helm
  • ESnet/LBNL
  • GGF-12 Sec Workshop
  • 18 Sep 2004

2
What Does the RAF Do?
ORNL
PNNL
OTP Service
OTP Service
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

Realms
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • es.net

R
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

App
3
What Is the Grid Integrated RAF?
ESnet Root CA
OTP Services
Sign Subordinate CA
3 OTP verification
HSM
OCSP
Subordinate CA Engine
4 Sign Proxy
2 Ask AuthN hint OTP
ESnet Radius
PAM
4. Auth OK Namestring
MyProxy Credentials
Manage myProxy
SIPS
Auth DB
1 Log in
5 Receive Proxy Cert
7 Execute
Proposal Apr 2004 Special case of GridLogon
6 (Opt) Store Proxy
4
RAF Benefits Features
  • O(n) peering
  • Authorization decision controlled by site
  • Sound familiar?
  • Single token per person
  • Interoperability on an open, standard,
    industry-supported AAA protocol
  • WAN use of RADIUS (RFC 2865)
  • Federation

5
ESnet RAF Architecture
Site
Repli- cation
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
ESnet RAF
VPN (IPsec)
ESnet
Network (IP)
6
RAF Current Issues
  • Reliability Replication
  • Currently RAF issue, but also applies to site
    RADIUS/OTP
  • Federation
  • Application Integration
  • Wheres our Grid Integration solution?
  • PAM more layers!
  • Name management (Fed/App Integration)
  • Essential issue for Grid integration
  • ? OTP Service Reliability
  • Transit time resync loss
  • Federation
  • ? Integrity Security
  • VPN
  • See later
  • Market research size/scope of deployment
  • Grid issue Current 6 18 mos

7
RAF Current Issues
OTP/CR
Integrity/Security
ORNL
PNNL
OTP Service
OTP Service
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

R
Reliability/Replication
Transit time
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

Application Integration
Federation
8
RAF Long Term Issues
  • RAF support for other protocols
  • Kerberos
  • Web services
  • EAP/TLS
  • Myproxy Protocol
  • End to End integrity
  • AuthA protocol
  • Application integration
  • Always an issue
  • Architecture fan-out/gateway
  • Firewalls
  • RADIUS
  • Grid issue Future 12 48 mos

9
AuthA
  • An OTP-based key-exchange technology that offers
    protection against
  • capture of the users password
  • capture of the servers password-database
  • dictionary attacks on the users password
  • denial-of-service attacks
  • An OTP-based DH key-exchange technology that
    allows users to connect from an un-trusted
    terminal and still preserve the privacy of data
    transmitted on the wire
  • confidentially, authenticity, and integrity of
    the data
  • mutual authentication of the user and the server
  • Technology publication
  • M. Abdalla, O. Chevassut, and D. Pointcheval,
    One-time Verifier-based Encrypted key Exchange
    ,submitted for publication to the 8th
    International Workshop on Practice in Public-Key
    Cryptography, Feb 2005.

10
RAFCollaboration Introduction
  • Motivation Eliminate reusable passwords
    (movement in US DOE Science institutions, and
    others)
  • Collaborators Steve Chan NOPS group ESnet
    PKI team (now ATF) vendors others
  • Technology OTP (One time password) RADIUS
    applications

11
Collaboration Introduction (3)
  • Hacking incidents in late 2003-2004
  • Problem of re-usable passwords
  • Not just for accounts, but to unlock key pairs
    and other authorizations
  • Grid
  • Investment
  • threats

12
Grid Integrated RADIUS Authentication Fabric
  • RADIUS (RFC 2865, 3579 (EAP))
  • Federation
  • Proxy
  • Widely used and supported
  • OTP (One Time Password)
  • Multiple vendor support
  • Single use/challenge-response support
  • Site responsibility
  • Grid integration SIPS
  • On demand proxy provision
  • Myproxy
  • NB Each application has its own story

13
Collaboration Introduction (4)
  • Collaborators Steve Chan NERSC requirements
    doc (Apr 2004)
  • http//www.doegrids.org/CA/Research/OTP-final.pdf
  • ESnet PKI/ATF
  • http//www.doegrids.org/CA/Research/GIRAF.pdf
  • T Genovese, M Helm, R Morelli, D Muruganantham, J
    Webster
  • NOPS NERSC, ESnet, ANL, PNNL, ORNL
  • CryptoGRID O Chevassut, F Siebenlist, A
    Essiari
  • RADIUS vendor InfoBlox (Edwin Menor)
  • Status at milestone 2.3, prep 2.4 (pilot)
  • NOPS group working OTP issues

14
Collaboration Introduction (5)
  • Hacking incidents in late 2003-2004
  • Problem of re-usable passwords
  • Not just for accounts, but to unlock key pairs
    and other authorizations
  • Burden of multiple tokens
  • Grid
  • Investment
  • Threats

15
What Does the RAF Do?
ORNL
PNNL
OTP Service
OTP Service
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

Realms
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • es.net

R
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

16
What Does the RAF Do? (2)Local Exclusion of a
Realm
ORNL
PNNL
OTP Service
OTP Service
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • anl.gov
  • nersc.gov
  • ornl.gov
  • pnnl.gov

Realms
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • es.net

R
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

17
What Does the RAF Do? (3)goodlab.org Joins the
Federation
ORNL
PNNL
OTP Service
OTP Service
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

Realms
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • es.net
  • goodlab.org
  • goodlab.org?
  • goodlab.org?

R
ESnet RAF Federation
NERSC
ANL
OTP Service
OTP Service
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

r
  • anl.gov ?
  • nersc.gov ?
  • pnnl.gov ?
  • ornl.gov ?
  • goodlab.org

r
  • goodlab.org?
  • goodlab.org?

OTP Service
18
What Does the RAF Do? (4)Site Manages Separate
Relationship
XAuth Service
r
ORNL
PNNL
  • vendi.com

OTP Service
OTP Service
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

Realms
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • es.net
  • goodlab.org
  • goodlab.org?
  • vendi.com
  • goodlab.org?

R
ESnet RAF Federation
NERSC
ANL
OTP Service
OTP Service
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

r
  • anl.gov ?
  • nersc.gov ?
  • pnnl.gov ?
  • ornl.gov ?
  • goodlab.org

r
  • goodlab.org?
  • goodlab.org?

OTP Service
19
ESnet RAF Architecture
Site
Repli- cation
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
ESnet RAF
VPN (IPsec)
ESnet
Network (IP)
20
RAF Benefits Features
  • O(n) peering
  • Authorization decision controlled by site
  • Sound familiar?
  • Single token per person
  • Interoperability on an open, standard,
    industry-supported AAA protocol
  • WAN use of RADIUS

21
RAF Current Issues
OTP/CR
Integrity/Security
ORNL
PNNL
OTP Service
OTP Service
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

Realms
R
Reliability/Replication
Transit time
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r
  • anl.gov
  • nersc.gov
  • pnnl.gov
  • ornl.gov

Application Integration
Federation
22
RAF Current Issues
  • Reliability Replication
  • Currently RAF issue, but also applies to site
    RADIUS/OTP
  • Federation
  • Application Integration
  • Wheres our Grid Integration solution?
  • PAM more layers!
  • Name management (Fed/App Integration)
  • Essential issue for Grid integration
  • ? OTP Service Reliability
  • Transit time resync loss
  • Federation
  • ? Integrity Security
  • VPN
  • See later
  • Market research size/scope of deployment
  • Grid issue Current 6 18 mos

23
What Is the Grid Integrated RAF?
ESnet Root CA
OTP Services
Sign Subordinate CA
3 OTP verification
HSM
OCSP
Subordinate CA Engine
4 Sign Proxy
2 Ask AuthN hint OTP
ESnet Radius
PAM
4. Auth OK Namestring
MyProxy Credentials
Manage myProxy
SIPS
Auth DB
1 Log in
5 Receive Proxy Cert
7 Execute
Proposal Apr 2004 Special case of GridLogon
6 (Opt) Store Proxy
24
RAF Long Term Issues
  • RAF support for other protocols
  • Kerberos
  • Web services
  • EAP/TLS
  • Myproxy Protocol
  • End to End integrity
  • AuthA protocol
  • Application integration
  • Always an issue
  • Architecture fan-out/gateway
  • Firewalls
  • RADIUS
  • Grid issue Future 12 48 mos

25
Password-based Authentication Technology
  • One-Time Password (OTP) authentication (e.g,
    S/Key, RSA SecurID)
  • protects against passive attacks based on
    replaying captured reusable  passwords (i.e.
    passive eavesdropping/replay attacks)
  • Password-authentication key-exchange (e.g, SRP,
    AuthA)
  • protect against active attacks such as session
    hijacking
  • provide privacy of transmitted data
  • gt OTP-based authenticated key-exchange for the
    Grid

26
OTP-based Authenticated Key-Exchange
  • A single-use password is derived from the users
    secret pass-phrase
  • The password is used to encrypt the flows of the
    (Diffie-Hellman) key-exchange at the end of which
    a session-key is exchanged
  • The session-key implements an encrypted/authentica
    ted channel

Encrypt ( pw, gy)
Derive one-time password pw from stored password
pw
Derive one-time password pw from pass-phrase
Encrypt ( pw, gx)
Compute session key sk gxy
Compute session key sk gxy
Update the stored password pw pw
Encrypt ( sk, pw)
27
Accomplishments
  • An OTP-based key-exchange technology that offers
    protection against
  • capture of the users password
  • capture of the servers password-database
  • dictionary attacks on the users password
  • denial-of-service attacks
  • An OTP-based key-exchange technology that allows
    users to connect from an un-trusted terminal and
    still preserve the privacy of data transmitted on
    the wire
  • confidentially, authenticity, and integrity of
    the data
  • mutual authentication of the user and the server
  • Technology publication
  • M. Abdalla, O. Chevassut, and D. Pointcheval,
    One-time Verifier-based Encrypted key Exchange
    ,submitted for publication to the 8th
    International Workshop on Practice in Public-Key
    Cryptography, Feb 2005.

28
Work in Progress
  • Make this OTP-authenticated key-exchange a cipher
    suite for TLS
  • develop of a patch for OpenSSL
  • investigate the IP Property issue (i.e. US
    Patents 5,241,599 and 5,440.635)
  • preliminary contacts with the OpenSSL developers
  • Integrate this OTP-based technology with MyProxy
    and GridLogon
  • Integrate this OTP-based technology with
    WS-SecureConversation
  • L. , S. Meder, O. Chevassut, F. Siebenlist,
    Secure Password-Based Authenticated Key Exchange
    for Web Services, submitted to ACM Workshop on
    Secure Web Services, Nov 2003.
  • Integrate this OTP-based technology with the
    Authentication and Authorization Fabric for
    Office Science

29
Radius Software availability
  • Commercial
  • InfoBlox
  • Interlink
  • Open Source
  • Clients
  • Servers
  • ESnet RAF test bed usage
  • Argonne easyRadius
  • ESnet InfoBlox
  • NERSC InfoBlox/freeRadius
  • PNNL N.A

30
Open Issues
  • Radius Server
  • Transit time/latency
  • Radius Vs OTP lockouts
  • Availability of OTP back ends offline
  • Application issues
  • Name Management
  • Local Acct mapping to RAF names
  • PAM
  • Refresh page tries to re-authenticate

31
Radius Security and Operation
  • VPN/IPSec to protect server communication
  • Shared Secret issues
  • Management
  • Policies needed
  • Architecture/demark point
  • Robustness/Reliability
  • Replication of management data
  • Load balancing

32
Issues OTP
  • No issues ?
  • How does a new vendor play?
  • Challenge/Response
  • Secure ID
  • Resync, Users experience
  • Denial of Service
  • If lockout is enabled, others could lock you out.

33
Conclusion
  • Successful RAF demonstration project
  • Engineering and User experience issues
  • Ready to proceed to pilot
  • Need Grid Integration
  • First step toward Auth Fabric
  • Support more protocols
  • Federation
  • Successor to RADIUS

34
Demo
  • http//topaz.es.net/secure/index.html
  • http//panda.ccs.ornl.gov/radius/index.html

35
Fusion Grid Firewall Issues
  • Michael Helm
  • ESnet/LBNL
  • GGF-12 Sec Workshop
  • 18 Sep 2004

36
FusionGrid Use Case
37
Comments
Each site is protected by a firewall Different
firewall technology OTP is probably a feature
Need single sign-on, delegation, autonomous
processes.
38
Fusion Grid
  • Use case comes from Dave Schissel
  • Evolved from discussion of OTP
  • 2 of 3 labs in FusionGrid already have a SecurID
    infrastructure
  • Need direct support
  • Need to identify path to solution
Write a Comment
User Comments (0)
About PowerShow.com