ESnet Authentication Fabric


ESnet
RADIUS Authentication Fabric
Michael Helm
ESnet/LBNL
GGF-12 Sec Workshop
18 Sep 2004
What Does the RAF Do?
[Diagram: ESnet RAF Federation. Four sites, ORNL, PNNL, ANL and NERSC, each run an OTP Service and RADIUS nodes (R, r); the realms anl.gov, nersc.gov, pnnl.gov, ornl.gov and es.net are listed at each site, and an App authenticates to the ESnet RAF over RADIUS.]
What Is the Grid Integrated RAF?
[Diagram: Grid Integrated RAF (Proposal Apr 2004; a special case of GridLogon). Components: OTP Services, HSM, ESnet Radius, PAM, Auth DB, Subordinate CA Engine, ESnet Root CA, SIPS, OCSP, Manage myProxy, MyProxy Credentials. Flow: 1 Log in; 2 Ask AuthN, hint OTP; 3 OTP verification; 4 Auth OK, Namestring; 4 Sign Proxy; 5 Receive Proxy Cert; 6 (Opt) Store Proxy; 7 Execute.]
RAF Benefits & Features
• O(n) peering
• Authorization decision controlled by site
Sound familiar?
• Single token per person
• Interoperability on an open, standard, industry-supported AAA protocol
• WAN use of RADIUS (RFC 2865)
• Federation
ESnet RAF Architecture
[Diagram: ESnet RAF Architecture. Site 1, Site 2 ... Site n each contain an Application, an AuthN Authority (OTP), an Rc 1 and a site RADIUS server; the sites reach the RAF, a set of replicated ESnet RADIUS Proxy routers, over a VPN (IPsec) carried on the ESnet Network (IP).]
RAF Current Issues
• Reliability – Replication
– Currently RAF issue, but also applies to site RADIUS/OTP
• * Federation
• * Application Integration
– Where’s our “Grid Integration” solution?
– PAM – more layers!
• * Name management: (Fed/App Integration)
– Essential issue for Grid integration
• *? OTP Service Reliability
– “Transit time” ; resync ; loss
• * Federation
• *? Integrity & Security
– VPN
– See later
• Market research – size/scope of deployment
* = Grid issue. Current: 6 – 18 months
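As an added illustration of the realm-routed RADIUS federation from the Benefits & Features slide and of the VPN item under Integrity & Security (example code, not from the original talk or from ESnet): the RFC 2865 User-Password hiding and revealing routine, and the per-hop step a RAF proxy router performs to forward a request to the home realm. The realm table, server names and shared secrets are constructed placeholders.

```python
import hashlib
import secrets
# Constructed federation table (assumption): NAI realm -> (home RADIUS server, shared secret)
REALMS = {
    "anl.gov": ("radius.anl.gov", b"anl-secret"),
    "nersc.gov": ("radius.nersc.gov", b"nersc-secret"),
    "pnnl.gov": ("radius.pnnl.gov", b"pnnl-secret"),
    "ornl.gov": ("radius.ornl.gov", b"ornl-secret"),
}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded by the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def route_realm(user_name: str):
    """Hub-and-spoke routing on the NAI realm after '@'. Sites peer only with the
    hub, which is the O(n) peering the slide claims; unknown realms get None."""
    if "@" not in user_name:
        return None
    return REALMS.get(user_name.rsplit("@", 1)[1].lower())

def proxy_forward(user_name: str, hidden_pw: bytes, client_secret: bytes, client_auth: bytes):
    """One proxy hop. The router must recover the cleartext OTP to re-hide it for the
    next hop, and RFC 2865 puts no integrity check on an Access-Request, which is
    why the fabric carries hop links over IPsec and lists end-to-end integrity."""
    target = route_realm(user_name)
    if target is None:
        return None  # reject rather than guess a home server
    home, home_secret = target
    cleartext = reveal_password(client_secret, client_auth, hidden_pw)
    new_auth = secrets.token_bytes(16)  # fresh Request Authenticator per request
    return home, new_auth, hide_password(home_secret, new_auth, cleartext)
```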
RAF Current Issues
[Diagram: RAF Current Issues annotated on the federation diagram (ORNL, PNNL, ANL and NERSC OTP Services and RADIUS nodes with realms anl.gov, nersc.gov, pnnl.gov, ornl.gov). Issue labels: OTP/C&R; Integrity/Security; Transit time; Reliability/Replication; Federation; Application Integration.]
RAF Long Term Issues
• RAF support for other protocols
– Kerberos
– Web services
– EAP/TLS
• Myproxy Protocol
• End to End integrity
– “AuthA” protocol
• Application integration
– Always an issue
– Architecture: fan-out/gateway
– Firewalls
• RADIUS
* = Grid issue. Future: 12 – 48 months
AuthA
An OTP-based key-exchange technology that offers protection against:
• capture of the user’s password
• capture of the server’s password database
• dictionary attacks on the user’s password
• denial-of-service attacks
An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:
• confidentiality, authenticity, and integrity of the data
• mutual authentication of the user and the server
Technology publication:
M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange”, submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
Conclusion
• Successful RAF demonstration project
• Engineering and User experience issues
• Ready to proceed to pilot
• Need Grid Integration
• First step toward Auth Fabric
– Support more protocols
– Federation
– Successor to RADIUS
Demo
• http://topaz.es.net/secure/index.html
• http://panda.ccs.ornl.gov/radius/index.html
Fusion Grid Firewall Issues
Michael Helm
ESnet/LBNL
GGF-12 Sec Workshop
18 Sep 2004
FusionGrid Use Case
Comments
• Each site is protected by a firewall
• Different firewall technology
• OTP is probably a feature
• Need single sign-on, delegation, autonomous processes…
Fusion Grid
• Use case comes from Dave Schissel
• Evolved from discussion of OTP
– 2 of 3 labs in FusionGrid already have a SecurID infrastructure
• Need direct support
• Need to identify path to solution