Overview Background Our solution Conclusions
Credential Mapping in Grids
Esteban Talavera González
Center for Parallel Computers (PDC), Royal Institute of Technology (KTH)
Stockholm – March 16, 2007
Esteban Talavera González Credential Mapping in Grids 1
Outline
1 Overview
2 Background
  Authentication mechanisms
  Web services
3 Our solution
  Previous Work
  Kerberos ⇒ X.509/SAML conversion
  X.509 ⇒ Kerberos conversion
4 Conclusions
  Contributions
  Future Work
Security Credentials
- A piece of information used to prove the identity of a subject (i.e. authentication)
- There are many different ones, from passwords to certificates
- Must be trusted by the party the entity is authenticating to
Authentication vs. Authorization
- Once the subject is authenticated, he will or will not be authorized to perform a desired action depending on his identity and the security policy
Grid security
- In Grids, clients and resources from different security domains interact with each other
- Each domain is governed by its own administration and security policy
- Service requests may cross domains where different security models are used
- Authentication is needed before using a resource, located locally or remotely
- It is difficult to know beforehand which resources will be requested, and therefore which credentials will be needed
Problem Statement
The client's credential could be invalid at the resource's domain in terms of:
- Format: different security mechanisms are used on each side, so the recipient cannot understand the credential
- Trust: a pre-established trust relationship between credential issuer and recipient is needed to validate it
If authentication is not successful, the client's application could be aborted or stopped before finishing its job
Goal: translating security credentials from a format comprehensible in the requester domain into a format understandable in the relying domain. The resulting credential also needs to be trusted by the recipient
Authentication Mechanisms
The security credentials that will be taken into account for mapping are:
- Kerberos tickets: widely used for authentication and authorization of users in intra-domain networks
- X.509 certificates: well-known credential, mostly used for inter-domain authentication (e.g. on the Internet)
- SAML assertions: emerging standard providing XML-based credentials
Kerberos
- Based on symmetric cryptography (shared keys): the same key is used for encryption and decryption
- Clients, identified by principal and realm name (e.g. esteban@KTH.SE), want to access services provided by one or more Application Servers (hosts)
- These operations are supervised by the Authentication Server (AS) and one Ticket Granting Server (TGS)
- Secret keys are shared between the AS and the TGS, between the AS and the clients, and between the TGS and every server in the realm (master keys)
Kerberos operation
[Figure: Kerberos components. Client (Login: user+passwd); KDC containing the AS and the TGS, which share KEYas−tgs; Application Server (serv), which shares KEYtgs−serv with the TGS. Arrow 1: User, Client → AS.]
1) The user authenticates locally with the user name and password
Kerberos operation
[Figure: same components as above. Arrow 1: User + passwd, Client → AS. Arrow 2: Request TGT, Client → AS; reply TGT: KEYas−tgs[KEYclient−tgs, clientID, ...] together with [KEYclient−tgs] for the client.]
2) The client requests a Ticket Granting Ticket (TGT), presenting the password as credential to the Authentication Server (AS)
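The two steps above, as an added example written for this page and not taken from the slides: a toy Python model of the AS exchange, with the client, the AS and the TGS as separate functions and the slides' key names KEYas−tgs and KEYclient−tgs. The cipher is an HMAC-based stand-in rather than Kerberos encryption, and the principal database, password and ticket lifetime are constructed values.

```python
import hashlib, hmac, json, os, time

def _xor_stream(key, nonce, data):
    """Keystream = HMAC(key, nonce||counter) blocks, XORed with data (toy cipher)."""
    blocks = (hmac.new(key, nonce + n.to_bytes(4, "big"), hashlib.sha256).digest()
              for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object; stands in for Kerberos encryption."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting: a wrong key or a tampered ticket fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor_stream(key, nonce, ct))

def string_to_key(password, principal):
    """Step 1: the client's long-term key is derived locally from user name and password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def as_exchange(principal, as_db, key_as_tgs, lifetime=8 * 3600):
    """Step 2, AS side: a fresh KEYclient-tgs goes into the TGT (under KEYas-tgs) and into a part the client can read."""
    key_client_tgs = os.urandom(32).hex()
    tgt = seal(key_as_tgs, {"key_client_tgs": key_client_tgs, "clientID": principal,
                            "expires": time.time() + lifetime})
    enc_part = seal(as_db[principal], {"key_client_tgs": key_client_tgs})
    return tgt, enc_part

def client_recover_session_key(password, principal, enc_part):
    """Step 2, client side: only the correct password unlocks the session key (the TGT itself stays opaque)."""
    return unseal(string_to_key(password, principal), enc_part)["key_client_tgs"]

def tgs_open_tgt(key_as_tgs, tgt):
    """TGS side: only a holder of KEYas-tgs can read clientID and the session key."""
    t = unseal(key_as_tgs, tgt)
    if t["expires"] < time.time(): raise ValueError("TGT expired")
    return t["clientID"], t["key_client_tgs"]

def demo(password="correct horse", principal="esteban@KTH.SE"):
    key_as_tgs = os.urandom(32)                               # constructed KEYas-tgs
    as_db = {principal: string_to_key(password, principal)}  # constructed AS principal database
    tgt, enc_part = as_exchange(principal, as_db, key_as_tgs)
    k_client = client_recover_session_key(password, principal, enc_part)
    cid, k_tgs = tgs_open_tgt(key_as_tgs, tgt)
    return cid == principal and k_client == k_tgs
```

`demo()` returns True when the client and the TGS end up holding the same KEYclient−tgs; a wrong password, or the client trying to open the TGT with its own key, raises a ValueError from the tag check instead.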