The case for devolved authentication: over-centralised security doesn't work


Transcription:

The case for devolved authentication: over-centralised security doesn't work
JISC Core Middleware meeting at NeSC: Developments within Security and Access Management
Mark Norman

This talk
- The DCOCE and projects
- What is authentication? What is authorisation? And Shibboleth?
- Why do we need to devolve anything?
- Over-centralised PKI vs Shibboleth, a security scenario
- Should Shibboleth play a role with the grid?

The DCOCE and projects
- DCOCE: Digital Certificate Operation in a Complex Environment
- Certificates shouldn't be hard to use, but they are
- Identity management should not be done centrally
- This clashes a little with the idea of a central Certification Authority (CA)

The DCOCE and projects
- Evaluation of Shibboleth and PKI for Grids
- Shibboleth means devolved authentication
- PKI-minded grid folks don't really like that
- You must devolve authentication to stay secure and for the grid to scale!

What is authentication?
- Authentication = the act of verifying that an electronic identity (username, login name etc.) is being employed by the entity, person or process to whom it was issued.
- Strictly it should mean "establishing the validity of something, such as an identity". This procedure can be very difficult indeed.
- Initial authentication is when you establish your identity with what then becomes your Identity Provider

What is authorisation?
- Associating rights or capabilities with a subject
- A network resource (such as a grid node or file server) needs to decide what the subject can do
- The decision is taken by the resource, not by someone/something else
- Sometimes something else may supply some information (attributes) that enables the resource to decide.

What is PKI?
- Public Key Infrastructure
- Very clever! Behind much internet security
- Can be employed to give end users digital certificates
- Many users don't like certificates
- They don't need to be hard to handle, but they are

What's this Shibboleth?
- It isn't an authentication or authorisation system
- It is a means (or methodology) whereby this kind of information may be exchanged
- It allows for (but doesn't mandate) anonymity (or pseudonymity), which can be really useful
- It enables devolved authentication

Why do we need to devolve anything?
- If you try to manage everyone's identities in a central place, you can't keep them up to date
- If a user is used to their own institution's authentication system, that's good
- Your own local institution knows whether you have recently turned into a fraudster

Centralised PKI vs Devolved AuthN
Short-hand:
- PKI = a high security, but (usually) centralised system relying on difficult-to-forge digital certificates
- DA = let each institution use their own system of AuthN, and the central system trusts the local ones
You are invited to Buckingham Palace for a once in a lifetime high tea with the Queen.
- You can get a security pass by visiting the Palace itself (beforehand) or from one of 6 regional security centres (~= PKI)
- Or you can get one from the High Street branch of your bank, as long as (~= DA)

Centralised Security with the UK Grid
- Certification Authority (a national "head of security")
- (Regional) Registration Authorities
- Organisations (e.g. Universities)
- Personnel Officers etc. (people at the end of the chain of trust!)

The parable of Oldman, Newman, Rita and Devla
The cast:
- Oldman: an old and wise university researcher
- Newman: a new and keen researcher
- Rita: the e-science Registration Authority (RitA)
- Devla: the departmental personnel officer (Devolved authenticator)
With thanks to Alun Edwards, James AJ Wilson, Jackie Hewitt and Wendy Simmonds

A great new resource for researchers
Newman: What's that? It looks great!
Oldman: That's our new e-science building. It's got lots of cool stuff and any researcher can use it!
Newman: Oooh, I can't wait! I think I'll go there now!
Oldman: Ah, erm. You need a special security pass.
Newman: Eh?

Newman: But I've got my University swipe card!
Oldman: That isn't good enough! You need a high security card to get in, like this one. Chip and pin, you know!
Newman: OK, where do I get one of those?
Oldman: Because it's such high security, these babies are issued nationally, via regional centres! As we work at Cotswolds University, we don't have a centre here; you need to go to Oxford e-science Centre.
Newman: Blinking heck! I'm only an ordinary biologist. Maybe I don't need to use the building after all.
Oldman: No really, it's fantastic in there. Free coffee too!
Newman: Oh alright then.

Rita: Welcome to Oxford e-science Centre. My name is Rita and I'm your Registration Authority!
Newman: Hello Rita. It's taken me hours to get here. Traffic was awful!
Rita: Sorry to hear about that. Ah, I see you're from Cotswolds University. Your University Card looks fine to me and that is certainly your picture on it. I shall authorise a gold pass for you right away.
Newman: Great. Thanks!
Rita: Of course, I'm kind of trusting Cotswolds University that they checked you out before giving you this card!
Newman: Hmm. I see. Devla, our departmental personnel assistant, issued me my Cotswolds Card. If you rely on that, why couldn't Devla issue the gold card too?
Rita: Well, it's very high security, you see. Devla won't have been on a training course.

Newman: That seems a bit illogical to me, as you're already trusting Devla to have done her job properly. But hey, I'm only a biologist: I don't really understand this security stuff like you IT people.
Rita: Hmm. Yes, that must be it. Anyway, have a good journey back. Hope the traffic is better.
Newman: Thanks. Bye!

High security?
- People equate high security with "difficult", and correlate high security with difficulty to obtain (this is about as wrong as you can get!)
- Shibboleth allows the right people to manage your on-line identity: the people who know you
- Your identity is managed in one place and is managed accurately
- It's no use trusting the highly-trained Rita to carry out things she isn't really able to do

And sometimes, bad things happen...

Caught on CCTV
Oldman: I can't believe it, it looks like Newman!
Devla: This is terrible. We've never had a thief in this department before!

Devla: I need your building keys, your University Card, your department swipe card. I can't even look at you, I'm so ashamed!
Oldman: And never darken our door again!

The conscientious Devla finishes the job
"I've got to make sure his University security passes are revoked and all his accounts are closed!"

But meanwhile, back in the Oxford e-science Centre, things are more pleasant for Rita
"I wonder what that nice chap from Cotswolds University is doing now..."

"Ha ha! They took everything away from me, apart from the highest security pass I had!"
And it might be a year before anyone checks Newman's security credentials!

To centralise or to devolve?
- Devolved authentication should be more secure, as long as Devla is trustworthy
- But when it comes down to it, we were going to have to trust Devla, anyway!
More information at: http://wiki.oucs.ox.ac.uk/esp-grid/shibevaluation
Send your angry emails to mark norman @ oucs ox ac uk!!
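As an added illustration (not from the talk or the ESP-Grid project), the following small Python model contrasts the two trust paths in the parable: Rita's long-lived gold pass, checked on its own by the resource, against a resource that asks Newman's own institution at every access. All class and function names, the user list and the dates are constructed for this example and correspond to no real Shibboleth or PKI API.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Institution:
    """Devla's side: the local identity store an Identity Provider would answer from."""
    name: str
    active_users: set = field(default_factory=set)

    def authenticate(self, user: str) -> bool:
        # Devolved authentication: answered live from current local knowledge.
        return user in self.active_users

    def close_accounts(self, user: str) -> None:
        self.active_users.discard(user)

@dataclass(frozen=True)
class GoldPass:
    """Rita's certificate: trusted on its own until it expires."""
    holder: str
    issuer_institution: str
    not_after: date

def issue_gold_pass(user: str, inst: Institution, today: date, days: int = 365):
    """Rita's one-off check: she trusts the institution card, then never asks again."""
    if not inst.authenticate(user):
        return None
    return GoldPass(user, inst.name, today + timedelta(days=days))

def centralised_access(gold: GoldPass, today: date) -> bool:
    # The resource checks only the pass; nothing here reflects Devla's revocation.
    # (A real PKI would need revocation data, e.g. a CRL, to close this gap.)
    return today <= gold.not_after

def devolved_access(user: str, inst: Institution) -> bool:
    # The resource asks the user's own institution at every access.
    return inst.authenticate(user)

def run_parable() -> dict:
    """Constructed scenario following the slides: issue, revoke locally, re-check."""
    cotswolds = Institution("Cotswolds University", {"Newman", "Oldman"})
    day_issued = date(2005, 3, 1)          # constructed date
    gold = issue_gold_pass("Newman", cotswolds, day_issued)
    cotswolds.close_accounts("Newman")     # Devla revokes everything local
    a_month_later = day_issued + timedelta(days=30)
    return {
        "centralised": centralised_access(gold, a_month_later),   # True: still valid
        "devolved": devolved_access("Newman", cotswolds),         # False: revoked
    }
```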