
EuroCamp - A federated framework for secure videoconference - PowerPoint PPT Presentation

  1. EuroCamp - A federated framework for secure videoconference
     Daniel Kouril, Michal Prochazka

  2. Acknowledgement
     - This work is funded by
       - CESNET Development Fund
       - Masaryk University
     EuroCamp '08 - Stockholm

  3. Outline
     - Introduction
     - PKI - Digital certificate
     - OpenVPN
     - Secured videoconferencing
     - Federated Online CA
     - CAT
     - Federated framework
     - Conclusion

  4. Introduction
     - Problems with making applications federation-aware
       - Closed-source applications
       - Prohibited by the licence
       - Sometimes it is not possible
     - Today's federations are mainly focused on the web environment
       - Most videoconferencing applications are non-web
     - Missing authorization, or authorization based on a shared password
     - Several groups need a secure and closed collaborative environment
       - people from medical environments, secret research, ...
     - Users are not IT professionals; do not bother them with security technologies

  5. Digital certificate
     - Has a defined structure: X.509
     - Issued by a trusted certification authority
     - PKI is not user-friendly, but in some cases it is widely used
       - SSL, SSH, HTTPS, ...
     - Holds public information:
       - Issuer of the certificate
       - Holder of the certificate
       - Public key of the holder
       - Issue date and expiration date
       - Additional information in the form of extensions
         - CRL, OCSP responder, Policy, ...

  6. Example of the certificate
     Certificate:
         Data:
             Version: 3 (0x2)
             Serial Number: 1119039755 (0x42b3310b)
             Signature Algorithm: sha1WithRSAEncryption
             Issuer: DC=cz, DC=cesnet-ca, CN=CESNET CA
             Validity
                 Not Before: Aug 29 12:34:16 2007 GMT
                 Not After : Sep 29 13:04:16 2008 GMT
             Subject: DC=cz, DC=cesnet-ca, O=Masaryk University, CN=Daniel Kouril
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                 RSA Public Key: (1024 bit)
                     Modulus (1024 bit):
                         00:95:18:71:fe:83:bb:8c:26:fd:ba:62:c3:55:d7:
                         f9:6a:57:71:a0:e9:34:1d:e6:a6:bd:ae:a8:20:1a:
                         17:87:b1:c8:90:56:2a:1b:3e:cb:0c:8e:eb:ef:fa:
                         72:80:9a:73:33:a4:b4:df:48:0f:b1:bb:b5:d3:78:
                         4c:11:6c:cd:ab:9e:3e:04:8c:bd:07:5c:63:0c:2a:
                         a4:32:5f:c5:4f:27:92:74:53:24:98:56:57:ae:eb:
                         fa:1f:f3:a9:6c:26:24:09:88:9a:b8:c8:2c:83:89:
                         5d:70:78:d7:8b:cb:c4:51:35:b9:be:b6:46:ce:d5:
                         7e:59:01:63:7b:75:bf:e5:7f
                     Exponent: 65537 (0x10001)
             X509v3 extensions:
                 X509v3 Key Usage: critical
                     Digital Signature, Key Encipherment, Data Encipherment
                 X509v3 Certificate Policies:
                     Policy: 1.3.6.1.4.1.8057.1.2.2.2.0
                 X509v3 Subject Alternative Name:
                     email:kouril@ics.muni.cz
                 X509v3 CRL Distribution Points:
                     DirName:/DC=cz/DC=cesnet-ca/CN=CESNET CA/CN=CRL2
                     URI:http://www.cesnet.cz/pki/crl/cn=CESNET%20CA,dc=cesnet-ca,dc=cz.crl
                     URI:ldap://ldap.cesnet-ca.cz/cn=CESNET%20CA,dc=cesnet-ca,dc=cz?certificateRevocationList
                 X509v3 Authority Key Identifier:
                     keyid:2F:6C:05:C3:51:26:AC:AF:39:9C:3E:38:35:DD:52:29:27:80:C5:F5
                 X509v3 Subject Key Identifier:
                     AA:47:80:4C:53:1F:17:D6:CD:09:1D:D8:56:36:77:4C:39:00:13:D3

  7. OpenVPN
     - Creates a VPN tunnel at the application layer of the ISO/OSI model
     - Creates a virtual network adapter on the client
     - Firewall and NAT traversal
     - Capable of creating bridged or routed tunnels
     - Supports IPv6
     - Supports Linux, *BSD, Mac OS X, Windows, Solaris
     - Primary authentication by digital certificates
     - Variety of approaches for AuthN/AuthZ
       - PAM, scripts, username/password, static key
     - Transparent for the applications

  8. OpenVPN - Latency

  9. Secured Collaborative Env.
     - Users need digital certificates from the CA
       - Users have problems with acquiring the certificate
       - Need to manage users
     - Videoconference uses MBone tools (VIC, RAT)
       - Can't be used behind NAT: uses UDP and RTP
     - OpenVPN server
       - Assigns public IPs but does not route them outside of the tunnel: prevents IP collisions with the client's network
       - Applications are accessible only through the tunnel
       - Processes authN and authZ
     - Installation package for the users

  10. (figure-only slide, no text)

  11. Federated Online CA
     - Combines RA and CA together
     - Clients are authenticated at their home institution
     - Automated, less administrative work
     - We are operating two types of Online CA
       - based on GridShib http://gridshib.globus.org
       - based on OpenSSL and Perl scripts
     - Issues short- and mid-lived certificates
     - Puts the SAML response from the IdP into the certificate

  12. Federated Online CA
     - CESNET has an Online CA in pre-production mode
     - Uses an HSM
     - Can provide an unlimited number of different CAs based on different profiles
     - We are discussing the design of an API to the Online CA
     - SAML Single Sign-on Browser/Artifact Profile: "Security Analysis of the SAML Single Sign-on Browser/Artifact Profile" (Thomas Groß)

  13. Current Status
     - Modifications to OpenVPN
       - enhanced authN based on digital certificates
       - added support for processing SAML extensions
     - Functional federated Online CA
     - AuthZ is transferred in the form of an attribute inside the certificate, as an extension
     - Private key is not encrypted
       - does not bother us due to the short lifetime of the certificate
       - allows easy integration with the applications
     - Installation package for videoconferencing tools
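As an added example (not code from the deck or from the CESNET/Masaryk project), the following Go program models what slides 11 and 13 describe: an Online CA that issues a short-lived certificate carrying federation attributes in an extension, and the VPN-side check that takes the AuthZ decision from that extension instead of from a shared password. Assumptions: the attributes are reduced to a list of group names encoded as an ASN.1 SEQUENCE OF strings under a placeholder private OID (the real deployment embeds the SAML response), keys are Ed25519 for brevity, the CA is a throwaway self-signed one generated at run time, and the names DemoIssue, Authorize and oidFedGroups are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
var oidFedGroups = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // placeholder private OID, not the CESNET deployment's
// DemoIssue stands in for the federated Online CA: a throwaway CA signs a user certificate that lives only for ttl and carries the IdP-asserted groups in a non-critical extension (demo setup, so errors are ignored).
func DemoIssue(user string, groups []string, ttl time.Duration) (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Online CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	val, _ := asn1.Marshal(groups)                    // encoded as SEQUENCE OF PrintableString
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the user's private key stays unencrypted on the client, as in the deck
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), ExtraExtensions: []pkix.Extension{{Id: oidFedGroups, Value: val}}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, t, ca, userPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}
// Authorize mimics the patched OpenVPN server's verify step: the CA signature plus a short validity window stand in for revocation checks, and the AuthZ decision is read from the extension, not from a shared password.
func Authorize(cert, ca *x509.Certificate, maxTTL time.Duration, group string) error {
	err := cert.CheckSignatureFrom(ca) // must be signed by the trusted Online CA
	if err != nil {
		return err
	}
	if n := time.Now(); n.Before(cert.NotBefore) || n.After(cert.NotAfter) || cert.NotAfter.Sub(cert.NotBefore) > maxTTL {
		return fmt.Errorf("%s: outside validity window or issued for longer than %v", cert.Subject.CommonName, maxTTL)
	}
	var groups []string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFedGroups) {
			_, err = asn1.Unmarshal(ext.Value, &groups) // a malformed value leaves groups empty, so access is refused
		}
	}
	for _, g := range groups {
		if g == group {
			return nil // attribute-based AuthZ succeeded
		}
	}
	return fmt.Errorf("%s: not in group %s (asserted groups %v, parse error %v)", cert.Subject.CommonName, group, groups, err)
}
```

Because the private key is left unencrypted on the client, the lifetime check in Authorize is the control that bounds exposure: the same certificate is refused as soon as maxTTL is tighter than the lifetime it was issued with.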

  14. Framework design

  15. CAT
     - Common Access Toolkit for Federations
     - General framework which allows integrating applications into the federation
     - Secure and authenticated tunnel from the application to the server
     - One of the main purposes is to make authN/authZ transparent for the user
     - GUI tool for managing users' credentials
       - acquiring, translating, deleting, checking validity

  16. Network Identity Manager
     http://web.mit.edu/kerberos/

  17. Network Identity Manager

  18. Network Identity Manager

  19. Federated Framework
     - General framework: client software independent
     - Transparent security from the application and user point of view
     - Applications do not need to solve AuthN and AuthZ
     - Minimal requirements on the network configuration
       - only one specific stream has to be enabled on the firewalls
       - NAT traversal, HTTP proxy support
     - Clients' machines could be managed

  20. Related Work
     - Adobe Connect
       - Commercial tool for collaboration
       - Flash based => runs inside the browser
       - AuthN/AuthZ only by username/password
       - Ongoing work on making it a Shibboleth SP
     - During testing we have discovered some problems
       - missing fine-grained access rights
       - interruptions
       - some bugs in the UI

  21. Future Work
     - Use Stunnel/OpenSSL TLS/DTLS
       - does not require administrative rights
       - allows making per-port tunnels

  22. This is the end ...

  23. Ithanet eInfrastructure
     Ithanet is a Euromediterranean network of research centres conducting molecular and clinical research of thalassaemia and related haemoglobinopathies.
     - OpenVPN + UDP packet reflector + MBone tools
     - Public IP addresses are assigned inside the tunnel, but they are not routed outside
       - protection against IP collision at the connected institutions
     - Client installation package for Win2000/XP
       - easy to install, easy to use (one click to start/stop the conference)
     - X.509 based AuthN: OTP used to obtain the certificate
