|
Size: 5082
Comment: Hepix Links complete
|
Size: 5112
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 57: | Line 57: |
| * NIKHEF (Apr 03) [http://www.nikhef.nl/hepix/pres/groep.ppt D.Groep: Grid security and site authorization in EDG] | * NIKHEF (May 03) [http://www.nikhef.nl/hepix/pres/groep.ppt D.Groep: Grid security and site authorization in EDG] |
| Line 59: | Line 59: |
| ==== One time passwords ==== * Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php R.Petkus: One-time-password integration at BNL] |
|
| Line 60: | Line 62: |
| * Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php R.Petkus: One-time-password integration at BNL] |
Authentication technologies
Authentication using symmetric key cryptography
Key for encryption and decryption is the same (or easily derived from the other key). Needs a third party to establish a trust relation. In High energy Physics (HEP) Kerberos4 and Kerberos5 are used. Kerberos4 has security flaws and is largely replaced by Kerberos5.
Kerberos5
Defined in [http://www.ietf.org/rfc/rfc4120.txt RFC4120], API defined in [http://www.ietf.org/rfc/rfc4121.txt RFC4121]
Currently implemented in 3 major variants: MIT Kerberos, Heimdal Kerberos, Windows Kerberos
Talks at HEPiX meetings related to Kerberos
BNL (Oct 04) [http://www.rhic.bnl.gov/hepix/talks/041018pm/fasanelli.pdf E.Fasanelli: INFN K5 project]
Edinburgh (May 04) [http://hepwww.rl.ac.uk/hepix/nesc/friebel.ppt W.Friebel: AFS file space administration with ARC version 2]
TRIUMF (Oct 03) [http://www.triumf.ca/hepix2003/pres/21-13/efasanelli/ E.Fasanelli: AFS cross cell authentication using Kerberos5]
NIKHEF (May 03) [http://www.nikhef.nl/hepix/pres/friebel4.ppt W.Friebel: Kerberos5 at DESY]
INFN (Apr 02) [http://www.ts.infn.it/events//hepix2002/talks/efasanelli1.ppt E.Fasanelli: W2K integration in the Kerberos 5 based AFS cell]
LAL (Apr 01) [http://events.lal.in2p3.fr/conferences/HEPIX/presentations/Thursday/Skow-FNAL-Security D.Skow: Strong Authentication Report at FNAL]
LAL (Apr 01) [http://events.lal.in2p3.fr/conferences/HEPIX/presentations/Tuesday/Kaletka-W2000-Kerberos.ppt M.Kaletka: W2000 Kerberos Experience]
Software with Kerberos Support
Usually the software mentioned below does not come with Kerberos support by default, configuration or recompilation is required in most cases.
- Webserver: IIS, Apache (so called Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) support)
- Webclients: Internet Explorer, Mozilla, Firefox
- Mailserver: Cyrus-IMAP, UW-IMAP
- Mailclients: pine, Mozilla, Thunderbird
Batchsystems: SunGridEngine, LSF
- Filesystems: AFS, NFSv4
Libraries: PAM, GSSAPI ([http://www.ietf.org/rfc/rfc1508.txt version 1] and [http://www.ietf.org/rfc/rfc2743.txt version2]), [http://www.ietf.org/rfc/rfc2222.txt SASL], perl Modules(Authen-SASL, Authen-Krb5)
- Protocols: LDAP, IMAP, SMTP (via SASL) Socks5
- Client/Server programs: openssh, telnet, ftp, su, arc, arcx
Other UNIX software is or could be made Kerberos5 aware by using the SASL or GSS API.
Authentication using public key infrastructure
Public key cryptography is an assymetric key method. It uses a pair of keys, called public and private key. The public key is intended for distribution, while the private key needs to be kept secret. Both keys are connected through a mathematical relation, which is highly asymmetric in terms of computational effort to derive one key from the other.
Knowing the public key it should be practically impossible to derive the private key.
In order to verify that a public key is associated with the real issuer, a Public Key Infrastructure (PKI) is installed. In most practical cases within HEP the keys used are so called X.509 Certificates. The verification of these certificates is done trough a hierarchy of trusted third parties, called Certification Authorities (CA).
The various deployed grid solutions (e.g. LCG) all use authentification with certificates
===== Talks at HEPiX meetings related to authentication using certificates ====
Single Sign On
Talks at HEPiX meetings related to Single Sign On
Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php Jens Jensen: Single sign-on at RAL]
Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php Alberto Pace: Integrating Grid Certificates and Kerberos Authentication services]
SLAC (Oct 05) [http://www.slac.stanford.edu/conf/hepix05/talks/tuesday/aparicio.ppt R.G.Aparicio: Progress report in CERN Certification authority deployment and Single Sign On with Certificates]
SLAC (Oct 05) [http://www.slac.stanford.edu/conf/hepix05/talks/tuesday/gordon.ppt J.Gordon: RAL Progress in Single Sign On]
Karlsruhe (May 05) [http://hepix.fzk.de/upload/lectures/2005-04-29%20SSO-Hepix.ppt E.Ormancy, A.Pace: Cross platform single-sign-on using client certificates]
Triumf (Oct 03) [http://www.triumf.ca/hepix2003/pres/23-06/apace/ A.Pace: An introduction to PKI and a few deployment hints]
NIKHEF (May 03) [http://www.nikhef.nl/hepix/pres/groep.ppt D.Groep: Grid security and site authorization in EDG]
Other topics
One time passwords
Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php R.Petkus: One-time-password integration at BNL]
Synchronisation of passwords across platforms
Karlsruhe (May 05) [http://hepix.fzk.de/upload/lectures/DESY-jahnke-zumbusch-HEPiX2005.pdf D.Jahnke: DESY-Registry -- cross-platform user administration]
BNL (Oct 04) [http://www.rhic.bnl.gov/hepix/talks/041018pm/corosu.ppt M.Corosu: INFN TRIP Project] (authenticated WLAN access)