ESnet RADIUS Authentication Fabric - PowerPoint PPT Presentation

1 / 15

About This Presentation

Title:

ESnet RADIUS Authentication Fabric

Description:

Interoperability on an open, standard, industry-supported AAA protocol ... confidentially, authenticity, and integrity of the data ... – PowerPoint PPT presentation

Number of Views:30

Avg rating:3.0/5.0

Slides: 16

Provided by: michae184

Category:

more less

Transcript and Presenter's Notes

Title: ESnet RADIUS Authentication Fabric

1
ESnet RADIUS Authentication Fabric

Michael Helm
ESnet/LBNL
GGF-12 Sec Workshop
18 Sep 2004

2
What Does the RAF Do?
ORNL
PNNL
OTP Service
OTP Service
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

Realms

anl.gov
nersc.gov
pnnl.gov
ornl.gov
es.net

R
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

App
3
What Is the Grid Integrated RAF?
ESnet Root CA
OTP Services
Sign Subordinate CA
3 OTP verification
HSM
OCSP
Subordinate CA Engine
4 Sign Proxy
2 Ask AuthN hint OTP
ESnet Radius
PAM
4. Auth OK Namestring
MyProxy Credentials
Manage myProxy
SIPS
Auth DB
1 Log in
5 Receive Proxy Cert
7 Execute
Proposal Apr 2004 Special case of GridLogon
6 (Opt) Store Proxy
4
RAF Benefits Features

O(n) peering
Authorization decision controlled by site
Sound familiar?
Single token per person
Interoperability on an open, standard,
industry-supported AAA protocol
WAN use of RADIUS (RFC 2865)
Federation

5
ESnet RAF Architecture
Site
Repli- cation
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
ESnet RAF
VPN (IPsec)
ESnet
Network (IP)
6
RAF Current Issues

Reliability Replication
Currently RAF issue, but also applies to site
RADIUS/OTP
Federation
Application Integration
Wheres our Grid Integration solution?
PAM more layers!
Name management (Fed/App Integration)
Essential issue for Grid integration
? OTP Service Reliability
Transit time resync loss
Federation
? Integrity Security
VPN
See later
Market research size/scope of deployment
Grid issue Current 6 18 mos

7
RAF Current Issues
OTP/CR
Integrity/Security
ORNL
PNNL
OTP Service
OTP Service
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

R
Reliability/Replication
Transit time
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

Application Integration
Federation
8
RAF Long Term Issues

RAF support for other protocols
Kerberos
Web services
EAP/TLS
Myproxy Protocol
End to End integrity
AuthA protocol
Application integration
Always an issue
Architecture fan-out/gateway
Firewalls
RADIUS
Grid issue Future 12 48 mos

9
AuthA

An OTP-based key-exchange technology that offers
protection against
capture of the users password
capture of the servers password-database
dictionary attacks on the users password
denial-of-service attacks
An OTP-based DH key-exchange technology that
allows users to connect from an un-trusted
terminal and still preserve the privacy of data
transmitted on the wire
confidentially, authenticity, and integrity of
the data
mutual authentication of the user and the server
Technology publication
M. Abdalla, O. Chevassut, and D. Pointcheval,
One-time Verifier-based Encrypted key Exchange
,submitted for publication to the 8th
International Workshop on Practice in Public-Key
Cryptography, Feb 2005.

10
RAFCollaboration Introduction

Motivation Eliminate reusable passwords
(movement in US DOE Science institutions, and
others)
Collaborators Steve Chan NOPS group ESnet
PKI team (now ATF) vendors others
Technology OTP (One time password) RADIUS
applications

11
Collaboration Introduction (3)

Hacking incidents in late 2003-2004
Problem of re-usable passwords
Not just for accounts, but to unlock key pairs
and other authorizations
Grid
Investment
threats

12
Grid Integrated RADIUS Authentication Fabric

RADIUS (RFC 2865, 3579 (EAP))
Federation
Proxy
Widely used and supported
OTP (One Time Password)
Multiple vendor support
Single use/challenge-response support
Site responsibility
Grid integration SIPS
On demand proxy provision
Myproxy
NB Each application has its own story

13
Collaboration Introduction (4)

Collaborators Steve Chan NERSC requirements
doc (Apr 2004)
http//www.doegrids.org/CA/Research/OTP-final.pdf
ESnet PKI/ATF
http//www.doegrids.org/CA/Research/GIRAF.pdf
T Genovese, M Helm, R Morelli, D Muruganantham, J
Webster
NOPS NERSC, ESnet, ANL, PNNL, ORNL
CryptoGRID O Chevassut, F Siebenlist, A
Essiari
RADIUS vendor InfoBlox (Edwin Menor)
Status at milestone 2.3, prep 2.4 (pilot)
NOPS group working OTP issues

14
Collaboration Introduction (5)

Hacking incidents in late 2003-2004
Problem of re-usable passwords
Not just for accounts, but to unlock key pairs
and other authorizations
Burden of multiple tokens
Grid
Investment
Threats

15
What Does the RAF Do?
ORNL
PNNL
OTP Service
OTP Service
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

Realms

anl.gov
nersc.gov
pnnl.gov
ornl.gov
es.net

R
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

16
What Does the RAF Do? (2)Local Exclusion of a
Realm
ORNL
PNNL
OTP Service
OTP Service
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
ornl.gov
pnnl.gov

Realms

anl.gov
nersc.gov
pnnl.gov
ornl.gov
es.net

R
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service

anl.gov
nersc.gov
pnnl.gov
ornl.gov

r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

17
What Does the RAF Do? (3)goodlab.org Joins the
Federation
ORNL
PNNL
OTP Service
OTP Service
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

Realms

anl.gov
nersc.gov
pnnl.gov
ornl.gov
es.net
goodlab.org

goodlab.org?

goodlab.org?

R
ESnet RAF Federation
NERSC
ANL
OTP Service
OTP Service

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov ?
nersc.gov ?
pnnl.gov ?
ornl.gov ?
goodlab.org

goodlab.org?

goodlab.org?

OTP Service
18
What Does the RAF Do? (4)Site Manages Separate
Relationship
XAuth Service
r
ORNL
PNNL

vendi.com

OTP Service
OTP Service
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

Realms

anl.gov
nersc.gov
pnnl.gov
ornl.gov
es.net
goodlab.org

goodlab.org?

vendi.com

goodlab.org?

R
ESnet RAF Federation
NERSC
ANL
OTP Service
OTP Service

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov ?
nersc.gov ?
pnnl.gov ?
ornl.gov ?
goodlab.org

goodlab.org?

goodlab.org?

OTP Service
19
ESnet RAF Architecture
Site
Repli- cation
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
RADIUS Proxy router
ESnet RAF
VPN (IPsec)
ESnet
Network (IP)
20
RAF Benefits Features

O(n) peering
Authorization decision controlled by site
Sound familiar?
Single token per person
Interoperability on an open, standard,
industry-supported AAA protocol
WAN use of RADIUS

21
RAF Current Issues
OTP/CR
Integrity/Security
ORNL
PNNL
OTP Service
OTP Service
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov
nersc.gov
pnnl.gov
ornl.gov

Realms
R
Reliability/Replication
Transit time
ESnet RAF Federation
ANL
NERSC
OTP Service
OTP Service

anl.gov
nersc.gov
pnnl.gov
ornl.gov

anl.gov nersc.gov pnnl.gov ornl.gov
r
r

anl.gov
nersc.gov
pnnl.gov
ornl.gov

Application Integration
Federation
22
RAF Current Issues

Reliability Replication
Currently RAF issue, but also applies to site
RADIUS/OTP
Federation
Application Integration
Wheres our Grid Integration solution?
PAM more layers!
Name management (Fed/App Integration)
Essential issue for Grid integration
? OTP Service Reliability
Transit time resync loss
Federation
? Integrity Security
VPN
See later
Market research size/scope of deployment
Grid issue Current 6 18 mos

23
What Is the Grid Integrated RAF?
ESnet Root CA
OTP Services
Sign Subordinate CA
3 OTP verification
HSM
OCSP
Subordinate CA Engine
4 Sign Proxy
2 Ask AuthN hint OTP
ESnet Radius
PAM
4. Auth OK Namestring
MyProxy Credentials
Manage myProxy
SIPS
Auth DB
1 Log in
5 Receive Proxy Cert
7 Execute
Proposal Apr 2004 Special case of GridLogon
6 (Opt) Store Proxy
24
RAF Long Term Issues

RAF support for other protocols
Kerberos
Web services
EAP/TLS
Myproxy Protocol
End to End integrity
AuthA protocol
Application integration
Always an issue
Architecture fan-out/gateway
Firewalls
RADIUS
Grid issue Future 12 48 mos

25
Password-based Authentication Technology

One-Time Password (OTP) authentication (e.g,
S/Key, RSA SecurID)
protects against passive attacks based on
replaying captured reusable passwords (i.e.
passive eavesdropping/replay attacks)
Password-authentication key-exchange (e.g, SRP,
AuthA)
protect against active attacks such as session
hijacking
provide privacy of transmitted data
gt OTP-based authenticated key-exchange for the
Grid

26
OTP-based Authenticated Key-Exchange

A single-use password is derived from the users
secret pass-phrase
The password is used to encrypt the flows of the
(Diffie-Hellman) key-exchange at the end of which
a session-key is exchanged
The session-key implements an encrypted/authentica
ted channel

Encrypt ( pw, gy)
Derive one-time password pw from stored password
pw
Derive one-time password pw from pass-phrase
Encrypt ( pw, gx)
Compute session key sk gxy
Compute session key sk gxy
Update the stored password pw pw
Encrypt ( sk, pw)
27
Accomplishments

An OTP-based key-exchange technology that offers
protection against
capture of the users password
capture of the servers password-database
dictionary attacks on the users password
denial-of-service attacks
An OTP-based key-exchange technology that allows
users to connect from an un-trusted terminal and
still preserve the privacy of data transmitted on
the wire
confidentially, authenticity, and integrity of
the data
mutual authentication of the user and the server
Technology publication
M. Abdalla, O. Chevassut, and D. Pointcheval,
One-time Verifier-based Encrypted key Exchange
,submitted for publication to the 8th
International Workshop on Practice in Public-Key
Cryptography, Feb 2005.

28
Work in Progress

Make this OTP-authenticated key-exchange a cipher
suite for TLS
develop of a patch for OpenSSL
investigate the IP Property issue (i.e. US
Patents 5,241,599 and 5,440.635)
preliminary contacts with the OpenSSL developers
Integrate this OTP-based technology with MyProxy
and GridLogon
Integrate this OTP-based technology with
WS-SecureConversation
L. , S. Meder, O. Chevassut, F. Siebenlist,
Secure Password-Based Authenticated Key Exchange
for Web Services, submitted to ACM Workshop on
Secure Web Services, Nov 2003.
Integrate this OTP-based technology with the
Authentication and Authorization Fabric for
Office Science

29
Radius Software availability

Commercial
InfoBlox
Interlink
Open Source
Clients
Servers
ESnet RAF test bed usage
Argonne easyRadius
ESnet InfoBlox
NERSC InfoBlox/freeRadius
PNNL N.A

30
Open Issues

Radius Server
Transit time/latency
Radius Vs OTP lockouts
Availability of OTP back ends offline
Application issues
Name Management
Local Acct mapping to RAF names
PAM
Refresh page tries to re-authenticate

31
Radius Security and Operation

VPN/IPSec to protect server communication
Shared Secret issues
Management
Policies needed
Architecture/demark point
Robustness/Reliability
Replication of management data
Load balancing

32
Issues OTP

No issues ?
How does a new vendor play?
Challenge/Response
Secure ID
Resync, Users experience
Denial of Service
If lockout is enabled, others could lock you out.

33
Conclusion

Successful RAF demonstration project
Engineering and User experience issues
Ready to proceed to pilot
Need Grid Integration
First step toward Auth Fabric
Support more protocols
Federation
Successor to RADIUS

34
Demo

http//topaz.es.net/secure/index.html
http//panda.ccs.ornl.gov/radius/index.html

35
Fusion Grid Firewall Issues

Michael Helm
ESnet/LBNL
GGF-12 Sec Workshop
18 Sep 2004

36
FusionGrid Use Case
37
Comments
Each site is protected by a firewall Different
firewall technology OTP is probably a feature
Need single sign-on, delegation, autonomous
processes.
38
Fusion Grid