This document outlines the functionality and significance of Remote Authentication Dial-In User Service (RADIUS) and One-Time Passwords (OTP) within ESnet's RADIUS Authentication Fabric (RAF). It highlights the benefits of interoperability, site-controlled authorization, and improved reliability in grid environments, and discusses federation and integration challenges. The material comes from the GGF-12 Sec Workshop held on September 18, 2004, and emphasizes the need for secure authentication solutions as technology evolves in high-performance computing and research institutions.
ESnet RADIUS Authentication Fabric
Michael Helm, ESnet/LBNL
GGF-12 Sec Workshop, 18 Sep 2004
What Does the RAF Do?
[Figure: the ESnet RAF Federation. Site RADIUS servers (r) at ORNL, PNNL, ANL and NERSC, each with its own OTP Service, peer with the ESnet RAF (R). Realms handled by the federation: anl.gov, nersc.gov, pnnl.gov, ornl.gov, es.net. Each site RADIUS lists all four site realms; an App at a site authenticates through its site RADIUS.]
What Is the Grid Integrated RAF?
[Figure: Proposal, Apr 2004; a special case of GridLogon. Components: ESnet Root CA signs a Subordinate CA (HSM, engine) with OCSP; OTP Services; ESnet RADIUS with PAM; MyProxy managing MyProxy credentials, backed by the SIPS Auth DB. Numbered flow:]
1. Log in
2. Ask AuthN; hint OTP
3. OTP verification
4. Auth OK; Namestring
5. Receive Proxy Cert (signed by the Subordinate CA)
6. (Opt) Store Proxy
7. Execute
RAF Benefits & Features
• O(n) peering
• Authorization decision controlled by site
  (Sound familiar?)
• Single token per person
• Interoperability on an open, standard, industry-supported AAA protocol
• WAN use of RADIUS (RFC 2865)
• Federation
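The realm-based federation shown on the slides and the RFC 2865 proxying it rests on, as an added Python example that is not code from the deck or from ESnet: the RAF proxy selects the home site from the user's realm and checks each hop's Response Authenticator with that hop's shared secret, so an altered or mis-keyed reply is rejected. The realm table, hop secret and Reply-Message contents are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Realm table constructed from the realms on the slides: realm -> home site whose OTP service verifies the user.
REALM_TO_SITE = {
    "anl.gov": "ANL", "nersc.gov": "NERSC",
    "pnnl.gov": "PNNL", "ornl.gov": "ORNL", "es.net": "ESnet",
}

def route_realm(user_name):
    """Return the home site for 'user@realm', or None if the realm is not federated."""
    if "@" not in user_name:
        return None                      # no realm: the proxy has nowhere to forward it
    realm = user_name.rsplit("@", 1)[1].lower()
    return REALM_TO_SITE.get(realm)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def make_response(code, ident, attrs, request_auth, secret):
    """Assemble a RADIUS response (e.g. Access-Accept, code 2) for the given request."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """True only if the response is intact and came from the peer holding `secret`."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def demo():
    """Constructed exchange: a site returns Access-Accept to the RAF proxy over one hop."""
    secret = b"constructed-hop-secret"      # shared secret for this proxy/site hop only
    request_auth = os.urandom(16)           # Request Authenticator from the Access-Request
    attrs = bytes([18, 4]) + b"OK"          # Reply-Message attribute (type 18), constructed
    accepted = make_response(2, 7, attrs, request_auth, secret)
    tampered = accepted[:20] + bytes([18, 4]) + b"NO"   # same length, altered attributes
    return (route_realm("alice@nersc.gov"),
            verify_response(accepted, request_auth, secret),
            verify_response(tampered, request_auth, secret),
            verify_response(accepted, request_auth, b"wrong-secret"))
```

The Response Authenticator is an MD5 digest keyed only by the hop's shared secret, which is why the deck runs RADIUS across the WAN inside an IPsec VPN rather than relying on the protocol alone.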
ESnet RAF Architecture
[Figure: Site 1, Site 2 ... Site n, each with an AuthN Authority (OTP), an Application and a site RADIUS server (Rc), with site replication. The ESnet RAF consists of several RADIUS Proxy routers, connected to the sites over a VPN (IPsec) carried on the ESnet Network (IP).]
RAF Current Issues
• Reliability – Replication
  • Currently a RAF issue, but also applies to site RADIUS/OTP
• * Federation
• * Application Integration
  • Where’s our “Grid Integration” solution?
  • PAM – more layers!
• * Name management (Fed/App Integration)
  • Essential issue for Grid integration
• *? OTP Service Reliability
  • “Transit time”; resync; loss
  • * Federation
• *? Integrity & Security
  • VPN
  • See later
• Market research – size/scope of deployment
* Grid issue
Current: 6 – 18 mos
RAF Current Issues
[Figure: the ESnet RAF Federation diagram from above (site RADIUS servers and OTP Services at ORNL, PNNL, ANL and NERSC, realms anl.gov, nersc.gov, pnnl.gov, ornl.gov) annotated with the current issues: OTP/C&R Integrity/Security at the site OTP services; Reliability/Replication and Transit time at the RAF core; Application Integration at the application; Federation across the whole.]
RAF Long Term Issues
• RAF support for other protocols
  • Kerberos
  • Web services
  • EAP/TLS
  • MyProxy protocol
• End to End integrity
  • “AuthA” protocol
• Application integration
  • Always an issue
  • Architecture: fan-out/gateway
• Firewalls
  • RADIUS
* Grid issue
Future: 12 – 48 mos
AuthA
• An OTP-based key-exchange technology that offers protection against:
  • capture of the user’s password
  • capture of the server’s password database
  • dictionary attacks on the user’s password
  • denial-of-service attacks
• An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:
  • confidentiality, authenticity, and integrity of the data
  • mutual authentication of the user and the server
• Technology publication:
  • M. Abdalla, O. Chevassut, and D. Pointcheval, “One-time Verifier-based Encrypted Key Exchange”, submitted for publication to the 8th International Workshop on Practice in Public-Key Cryptography, Feb 2005.
Conclusion
• Successful RAF demonstration project
  • Engineering and user experience issues
  • Ready to proceed to pilot
• Need Grid Integration
• First step toward Auth Fabric
  • Support more protocols
  • Federation
  • Successor to RADIUS
Demo
• http://topaz.es.net/secure/index.html
• http://panda.ccs.ornl.gov/radius/index.html
Fusion Grid Firewall Issues
Michael Helm, ESnet/LBNL
GGF-12 Sec Workshop, 18 Sep 2004
Comments
• Each site is protected by a firewall
• Different firewall technology
• OTP is probably a feature
• Need single sign-on, delegation, autonomous processes…
Fusion Grid
• Use case comes from Dave Schissel
• Evolved from discussion of OTP
• 2 of 3 labs in FusionGrid already have a SecurID infrastructure
• Need direct support
• Need to identify path to solution