E Snet Authentication Fabric Pilot

ESnet RADIUS Authentication Fabric Michael Helm ESnet/LBNL GGF-12 Sec Workshop 18 Sep 2004

What Does the RAF Do? NERSC r ANL r OTP Service ORNL r PNNL OTP Service OTP Service OTP Service anl.gov nersc.gov pnnl.gov ornl.gov es.net Realms R anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov ESnet RAF Federation anl.gov nersc.gov pnnl.gov ornl.gov App r RADIUS

What Is the Grid Integrated RAF? ESnet Radius Auth DB ESnet Root CA MyProxy Credentials PAM 1 Log in 2 Ask AuthN; hint OTP 5 Receive Proxy Cert Manage myProxy 6 (Opt) Store Proxy 7 Execute OTP Services OCSP HSM Subordinate CA Engine 4. Auth OK; Namestring 3 OTP verification 4 Sign Proxy Sign Subordinate CA SIPS Proposal Apr 2004 Special case of GridLogon

RAF Benefits & Features O(n) peering Authorization decision controlled by site Sound familiar? Single token per person Interoperability on an open, standard, industry-supported AAA protocol WAN use of RADIUS (RFC 2865) Federation

ESnet RAF Architecture Repli- cation Network (IP) VPN (IPsec) RADIUS Proxy router RADIUS Proxy router RADIUS Proxy router RADIUS Proxy router ESnet RAF Site ESnet AuthN Authority ( OTP ) Appli- cation 1 Rc Site n RADIUS AuthN Authority ( OTP ) Appli- cation 1 Rc Site 1 RADIUS AuthN Authority ( OTP ) Appli- cation 1 Rc Site 2 RADIUS

RAF Current Issues Reliability – Replication Currently RAF issue, but also applies to site RADIUS/OTP * Federation * Application Integration Where’s our “Grid Integration” solution? PAM – more layers! * Name management: (Fed/App Integration) Essential issue for Grid integration *? OTP Service Reliability “ Transit time” ; resync ; loss * Federation *? Integrity & Security VPN See later Market research – size/scope of deployment * Grid issue Current: 6 – 18 mos

RAF Current Issues NERSC r ANL r OTP Service ORNL r PNNL OTP Service OTP Service OTP Service R anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov ESnet RAF Federation anl.gov nersc.gov pnnl.gov ornl.gov Reliability/Replication Integrity/Security OTP/C&R Federation Transit time Application Integration

RAF Long Term Issues RAF support for other protocols Kerberos Web services EAP/TLS Myproxy Protocol End to End integrity “ AuthA” protocol Application integration Always an issue Architecture: fan-out/gateway Firewalls RADIUS * Grid issue Future: 12 – 48 mos

AuthA An OTP-based key-exchange technology that offers protection against: capture of the user’s password capture of the server’s password-database dictionary attacks on the user’s password denial-of-service attacks An OTP-based DH key-exchange technology that allows users to connect from an un-trusted terminal and still preserve the privacy of data transmitted on the wire: confidentially, authenticity, and integrity of the data mutual authentication of the user and the server Technology publication : M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted key Exchange” ,submitted for publication to the 8 th International Workshop on Practice in Public-Key Cryptography, Feb 2005.

RAF Collaboration Introduction Motivation: Eliminate reusable passwords (movement in US DOE Science institutions, and others) Collaborators: Steve Chan & “NOPS” group; ESnet PKI team (now ATF); vendors; others Technology: OTP (“One time password”); RADIUS; applications

Collaboration Introduction (3) Hacking incidents in late 2003-2004 Problem of re-usable passwords Not just for accounts, but to unlock key pairs and other authorizations Grid Investment threats

Grid Integrated RADIUS Authentication Fabric RADIUS (RFC 2865, 3579 (EAP)) Federation Proxy Widely used and supported OTP (One Time Password) Multiple vendor support Single use/challenge-response support “ Site” responsibility Grid integration: “SIPS” On demand proxy provision “ Myproxy” NB : Each application has its own story

Collaboration Introduction (4) Collaborators: Steve Chan & NERSC requirements doc (Apr 2004) http://www.doegrids.org/CA/Research/OTP-final.pdf ESnet PKI/ATF http://www.doegrids.org/CA/Research/GIRAF.pdf T Genovese, M Helm, R Morelli, D Muruganantham, J Webster NOPS: NERSC, ESnet, ANL, PNNL, ORNL “ CryptoGRID”: O Chevassut, F Siebenlist, A Essiari RADIUS vendor: InfoBlox ( Edwin Menor ) Status: at milestone 2.3, prep 2.4 (pilot) NOPS group working OTP issues

Collaboration Introduction (5) Hacking incidents in late 2003-2004 Problem of re-usable passwords Not just for accounts, but to unlock key pairs and other authorizations Burden of multiple tokens Grid Investment Threats

What Does the RAF Do? NERSC r ANL r OTP Service ORNL r PNNL OTP Service OTP Service OTP Service anl.gov nersc.gov pnnl.gov ornl.gov es.net Realms R anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov ESnet RAF Federation anl.gov nersc.gov pnnl.gov ornl.gov r RADIUS

What Does the RAF Do? (2) Local Exclusion of a Realm NERSC r ANL r OTP Service ORNL r PNNL OTP Service OTP Service OTP Service anl.gov nersc.gov pnnl.gov ornl.gov es.net Realms R ESnet RAF Federation anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r anl.gov nersc.gov ornl.gov pnnl.gov anl.gov nersc.gov pnnl.gov ornl.gov

What Does the RAF Do? (3) goodlab.org Joins the Federation NERSC r ANL r OTP Service ORNL r PNNL OTP Service OTP Service OTP Service anl.gov nersc.gov pnnl.gov ornl.gov es.net goodlab.org Realms R ESnet RAF Federation anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r OTP Service anl.gov ? nersc.gov ? pnnl.gov ? ornl.gov ? goodlab.org goodlab.org? goodlab.org? goodlab.org? goodlab.org?

What Does the RAF Do? (4) Site Manages Separate Relationship XAuth Service NERSC r ANL r OTP Service ORNL r PNNL OTP Service OTP Service OTP Service anl.gov nersc.gov pnnl.gov ornl.gov es.net goodlab.org Realms R ESnet RAF Federation anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r OTP Service anl.gov ? nersc.gov ? pnnl.gov ? ornl.gov ? goodlab.org goodlab.org? goodlab.org? goodlab.org? goodlab.org? vendi.com r vendi.com

RAF Benefits & Features O(n) peering Authorization decision controlled by site Sound familiar? Single token per person Interoperability on an open, standard, industry-supported AAA protocol WAN use of RADIUS

RAF Current Issues NERSC r ANL r OTP Service ORNL r PNNL OTP Service OTP Service OTP Service Realms R anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov r anl.gov nersc.gov pnnl.gov ornl.gov anl.gov nersc.gov pnnl.gov ornl.gov ESnet RAF Federation anl.gov nersc.gov pnnl.gov ornl.gov Reliability/Replication Integrity/Security OTP/C&R Federation Transit time Application Integration

Password-based Authentication Technology One-Time Password (OTP) authentication (e.g, S/Key, RSA SecurID): protects against passive attacks based on replaying captured reusable passwords (i.e. passive eavesdropping/replay attacks) Password-authentication key-exchange (e.g, SRP, AuthA) protect against active attacks such as session hijacking provide privacy of transmitted data => OTP-based authenticated key-exchange for the Grid

OTP-based Authenticated Key-Exchange A single-use password is derived from the user’s secret pass-phrase The password is used to encrypt the flows of the (Diffie-Hellman) key-exchange at the end of which a session-key is exchanged The session-key implements an encrypted/authenticated channel Encrypt ( pw’, g y ) Derive one-time password pw’ from pass-phrase Compute session key: sk = g xy Encrypt ( pw’ , g x ) Derive one-time password pw’ from stored password pw Compute session key: sk = g xy Encrypt ( sk, pw’) Update the stored password: pw= pw’ Client Server

Accomplishments An OTP-based key-exchange technology that offers protection against: capture of the user’s password capture of the server’s password-database dictionary attacks on the user’s password denial-of-service attacks An OTP-based key-exchange technology that allows users to connect from an un-trusted terminal and still preserve the privacy of data transmitted on the wire: confidentially, authenticity, and integrity of the data mutual authentication of the user and the server Technology publication : M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted key Exchange” ,submitted for publication to the 8 th International Workshop on Practice in Public-Key Cryptography, Feb 2005.

Work in Progress Make this OTP-authenticated key-exchange a cipher suite for TLS develop of a patch for OpenSSL investigate the IP Property issue (i.e. US Patents 5,241,599 and 5,440.635) preliminary contacts with the OpenSSL developers Integrate this OTP-based technology with MyProxy and GridLogon Integrate this OTP-based technology with WS-SecureConversation L. , S. Meder, O. Chevassut, F. Siebenlist, “Secure Password-Based Authenticated Key Exchange for Web Services”, submitted to ACM Workshop on Secure Web Services, Nov 2003. Integrate this OTP-based technology with the Authentication and Authorization Fabric for Office Science

Radius Software availability Commercial InfoBlox Interlink Open Source Clients Servers ESnet RAF test bed usage Argonne = easyRadius ESnet = InfoBlox NERSC = InfoBlox/freeRadius PNNL = N.A

Open Issues Radius Server Transit time/latency Radius Vs OTP lockouts Availability of OTP back ends offline Application issues Name Management Local Acct mapping to RAF names PAM Refresh page tries to re-authenticate

Radius Security and Operation VPN/IPSec to protect server communication Shared Secret issues Management Policies needed Architecture/demark point Robustness/Reliability Replication of management data Load balancing

Issues: OTP No issues  How does a new vendor play? Challenge/Response Secure ID Resync, User’s experience Denial of Service If lockout is enabled, others could lock you out.

Conclusion Successful RAF demonstration project Engineering and User experience issues Ready to proceed to pilot Need Grid Integration First step toward Auth Fabric Support more protocols Federation Successor to RADIUS

Demo http://topaz.es.net/secure/index.html http://panda.ccs.ornl.gov/radius/index.html

Fusion Grid Firewall Issues Michael Helm ESnet/LBNL GGF-12 Sec Workshop 18 Sep 2004

Comments Each site is protected by a firewall Different firewall technology OTP is probably a feature Need single sign-on, delegation, autonomous processes….

Fusion Grid Use case comes from Dave Schissel Evolved from discussion of OTP 2 of 3 labs in FusionGrid already have a SecurID infrastructure Need direct support Need to identify path to solution

E Snet Authentication Fabric Pilot

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to E Snet Authentication Fabric Pilot (20)

More from FNian (20)

Recently uploaded (20)

E Snet Authentication Fabric Pilot