ESP-GRID
The case for devolved authentication: over-centralised security doesn't work
JISC Core Middleware meeting at NeSC: Developments within Security and Access Management
Mark Norman 20 October 2005
20 October 2005 2
This talk
• The DCOCE and ESP-GRID projects
• What is authentication?
• What is authorisation?
• And Shibboleth…?
• Why do we need to devolve anything?
• Over-centralised PKI vs Shibboleth, a security scenario…
  – Should Shibboleth play a role with the grid?
The DCOCE and ESP-GRID projects
• DCOCE
  – Digital Certificate Operation in a Complex Environment
  – Certificates shouldn’t be hard to use
    • But they are…
  – Identity management should not be done centrally
    • Clashes a little with the idea of a central Certification Authority (CA)
The DCOCE and ESP-GRID projects
• ESP-GRID
  – Evaluation of Shibboleth and PKI for Grids
  – Shibboleth means devolved authentication
    • PKI-minded grid folks don’t really like that
• You must devolve authentication to stay secure and for the grid to scale!
What is authentication?
• Authentication =
  – The act of verifying that an electronic identity (username, login name etc.) is being employed by the entity, person or process to whom it was issued.
• Strictly it should mean "establishing the validity of something, such as an identity". This procedure can be very difficult indeed.
• Initial authentication
  – is when you establish your identity with what then becomes your ‘Identity Provider’
What is authorisation?
• Associating rights or capabilities with a subject
• A network resource (such as a grid node or file server) needs to decide what the ‘subject’ can do
  – The decision is taken by the resource
  – Not by someone/something else
  – Sometimes something else may supply some information (attributes) that enables the resource to decide.
What is PKI?
• Public Key Infrastructure
  – Very clever!
  – Behind much internet security
  – Can be employed to give end users digital certificates
• Many users don’t like certificates
  – They don’t need to be hard to handle, but they are
What’s this Shibboleth?
• It isn’t an authentication or authorisation system
• It is a means (or methodology) whereby this kind of information may be exchanged
  – It allows for (but doesn’t mandate) anonymity (or pseudonymity) which can be really useful
• It enables devolved authentication
Why do we need to devolve anything?
• If you try to manage everyone’s identities in a central place, you can’t keep them up to date
• If a user is used to their own institution’s authentication system, that’s good…
• Your own local institution knows whether you have recently turned into a fraudster
Centralised PKI vs Devolved AuthN
• Short-hand:
  – PKI = a high security, but (usually) centralised system relying on difficult-to-forge digital certificates
  – DA = Let each institution use their own system of AuthN and the central ‘system’ trusts the local ones
• You are invited to Buckingham Palace for a once in a lifetime high tea with the Queen.
• You can get a security pass by visiting the Palace itself (beforehand) or from one of 6 regional security centres (~= PKI)
• Or you can get one from the High Street branch of your bank, as long as… (~= DA)
Centralised Security with the UK Grid
(Diagram of the chain of trust, as labelled on the slide:)
• Certification Authority (a national ‘head of security’)
• (Regional) Registration Authorities
• Personnel Officers etc. (people at the end of the chain of trust!)
• Organisations (e.g. Universities)
The parable of Oldman, Newman, Rita and Devla
The cast
• Oldman
  – An old and wise university researcher
• Newman
  – A new and keen researcher
• Rita
  – The e-Science Registration Authority (RitA)
• Devla
  – The departmental personnel officer (Devolved authenticator)
• With thanks to…
  – Alun Edwards, James AJ Wilson, Jackie Hewitt and Wendy Simmonds
A great new resource for researchers
Newman: What’s that? It looks great!
Oldman: That’s our new e-Science building. It’s got lots of cool stuff and any researcher can use it!
Newman: Oooh, I can’t wait! I think I’ll go there now!
Oldman: Ah, erm… You need a special security pass.
Newman: Eh?
Newman: But I’ve got my University swipe card!
Oldman: That isn’t good enough! You need a high security card to get in – like this one. Chip and pin, you know!
Newman: OK, where do I get one of those?
Oldman: Because it’s such high security, these babies are issued nationally, via regional centres! As we work at Cotswolds University, we don’t have a centre here – you need to go to Oxford e-Science Centre.
Newman: Blinking heck! I’m only an ordinary biologist. Maybe I don’t need to use the building after all…
Oldman: No really – it’s fantastic in there. Free coffee too!
Newman: Oh… alright then.
Rita: Welcome to Oxford e-Science Centre. My name is Rita and I’m your Registration Authority!
Newman: Hello Rita. It’s taken me hours to get here. Traffic was awful!
Rita: Sorry to hear about that. Ah, I see you’re from Cotswolds University. Your University Card looks fine to me and that is certainly your picture on it. I shall authorise a gold pass for you right away.
Newman: Great. Thanks!
Rita: Of course, I’m kind of trusting Cotswolds University that they checked you out before giving you this card!
Newman: Hmm. I see. Devla, our departmental personnel assistant issued me my Cotswolds Card. If you rely on that, why couldn’t Devla issue the gold card too?
Rita: Well, it’s very high security, you see. Devla won’t have been on a training course.
Newman: That seems a bit illogical to me as you’re already trusting Devla to have done her job properly. But hey, I’m only a biologist: I don’t really understand this security stuff like you IT people.
Rita: Hmm… Yes, that must be it. Anyway, have a good journey back. Hope the traffic is better.
Newman: Thanks. Bye!
High security?
• People equate high security with ‘difficult’
  – And correlate HS with difficulty to obtain
• (This is about as wrong as you can get!)
• Shibboleth allows the right people to manage your on-line identity
  – The people who know you
  – Your identity is managed in one place and is managed accurately
• It’s no use trusting the highly-trained Rita to carry out things she isn’t really able to do
And sometimes, bad things happen…
Oldman: I can’t believe it – it looks like Newman!
Devla: This is terrible. We’ve never had a thief in this department before!
Caught on CCTV…
Oldman: And never darken our door again…
Devla: I need your building keys, your University Card, your department swipe card… I can’t even look at you, I’m so ashamed!
I’ve got to make sure his University security passes are revoked and all his accounts are closed!
The conscientious Devla finishes the job…
But meanwhile, back in the Oxford e-Science Centre, things are more pleasant for Rita…
I wonder what that nice chap from Cotswolds University is doing now…
Ha ha! They took everything away from me, apart from the highest security pass I had!
And it might be a year before anyone checks Newman’s security credentials!
To centralise or to devolve?
• Devolved authentication should be more secure
  – As long as Devla is trustworthy
  – But when it comes down to it, we were going to have to trust Devla, anyway!
• More information at:
  – http://wiki.oucs.ox.ac.uk/esp-grid/ShibEvaluation
• Send your angry emails to
  – markonorman @ oucsooxoacouk !!
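A small Python model of the parable, added here as an illustration and not part of the original slides: a resource either trusts a long-lived gold pass issued through Rita's Registration Authority, or asks Devla's institution at access time and decides for itself on the attributes it gets back. The one-year validity, the "researcher" attribute and the class names are assumptions made for this example.

```python
from dataclasses import dataclass, field

ONE_YEAR = 365  # days: assumed lifetime of the centrally issued gold pass (constructed)

@dataclass
class HomeInstitution:
    """Cotswolds University's own identity system, kept up to date by Devla."""
    members: dict = field(default_factory=dict)  # user -> current attributes

    def revoke(self, user):
        self.members.pop(user, None)

    def authenticate(self, user):
        """Devolved authentication: current attributes, or None once the institution stops vouching."""
        return self.members.get(user)

@dataclass
class CentralCA:
    """The national CA behind Rita's Registration Authority."""
    issued: dict = field(default_factory=dict)  # user -> day the gold pass was issued
    revoked: set = field(default_factory=set)   # only grows if somebody tells Rita

    def issue(self, user, home, day):
        # Rita 'kind of trusts' the home card, then issues a credential whose
        # validity no longer depends on the home institution at all.
        if home.authenticate(user) is not None:
            self.issued[user] = day

    def valid(self, user, day):
        return (user in self.issued and user not in self.revoked
                and day - self.issued[user] < ONE_YEAR)

def allow_pki(ca, user, day):
    """Resource trusts the gold pass until expiry or until a revocation reaches the CA."""
    return ca.valid(user, day)

def allow_da(home, user):
    """Resource takes the decision itself, on attributes the home institution supplies now."""
    attrs = home.authenticate(user)
    return attrs is not None and attrs.get("role") == "researcher"

def run_parable():
    home = HomeInstitution({"newman": {"role": "researcher"}})
    ca = CentralCA()
    ca.issue("newman", home, day=0)
    before = (allow_pki(ca, "newman", 10), allow_da(home, "newman"))
    home.revoke("newman")  # day 30: Devla closes every local account; nobody tells Rita
    after = (allow_pki(ca, "newman", 30), allow_da(home, "newman"))
    later = allow_pki(ca, "newman", 365)  # only expiry finally stops the gold pass
    return before, after, later
```

run_parable() returns ((True, True), (True, False), False): both paths admit Newman at first, only the devolved path shuts him out when Devla acts, and the central pass keeps working until it expires.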