|
|
| (22 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| | = Projects: = | | = Projects: = |
| | | | |
| − | == nl.nikhef.slcshttps == | + | == Grid middleware security == |
| | | | |
| − | === Introduction ===
| + | This is all kinds of different security related work done within the Nikhef grid-middleware security group. See for example |
| − | This project is a joined project between [http://www.mpi.nl/ The Max Planck Institute for Psycholinguistics], [http://www.surfnet.nl/ SURFnet] and [http://www.nikhef.nl/ Nikhef]. | + | * the [[GLExec|gLExec wiki pages]] (An overview of the different Nikhef tools can be found in the slightly outdated [[Site Access Control]] pages). |
| | + | * [[SAC software procedures|release process of the Grid Security Middleware]] |
| | | | |
| − | The aim is to change the [http://www.mpi.nl/IMDI/tools/ IMDI BCBrowser] such that it can access corpora using client side certificates obtained from a online CA.
| + | It also covers work on the Risk Assessment Team for the [https://wiki.egi.eu/wiki/SVG:SVG EGI Software Vulnerability Group]. |
| | | | |
| − | TODO: use case description, problem, Shibboleth versus PKI Certificates...
| + | == User delegation in the CLARIN Metadata Infrastructure == |
| | | | |
| − | === Description ===
| + | This project was a joined project between CLARIN via the [http://www.mpi.nl/ The Max Planck Institute for Psycholinguistics (MPI)] and [http://www.nikhef.nl/ Nikhef] and supported by [http://www.biggrid.nl/ BiG Grid]. |
| − | Method used by the IMDI browser to obtain a certificate, see als [[#handshake|image below]].
| + | See e.g. the [[CLARIN/OAuth2|project pages]] |
| | | | |
| − | From a (mostly) '''User''' point of view:
| + | == jGridstart == |
| | | | |
| − | # '''User''' clicks/chooses initialization option
| + | This is a Java webstart application to gently guide (new) Grid user in the process of obtaining their grid certificate. |
| − | # java browser starts a webbrowser...
| + | See e.g. [[JGridstart|project page]] for more information. |
| − | # which via the online CA at SURFnet...
| |
| − | # redirects webbrowser to WAYF (Where Are You From) server where '''user''' chooses his ''Identity Provider''.
| |
| − | # '''User''' logs in at ''IdP''
| |
| − | # Webbrowser redirects back to online CA. '''User''' closes webbrowser.
| |
| − | # After confirmation by '''user''', java browser now connects itself to online CA
| |
| − | # java browser retrieves certificate from online CA and the '''user''' can use it to authenticate with client side certificates.
| |
| | | | |
| − | Technical overview:
| + | == nl.nikhef.slcshttps == |
| − | | |
| − | <ol>
| |
| − | <li> Initialization procedure:<ol style="list-style-type:lower-alpha">
| |
| − | <li> javabrowser creates a per-session keypair (i.e. never saved to disk).
| |
| − | <li> javabrowser creates a certificate signing request (CSR)</ol>
| |
| − | <li> javabrowser starts a webbrowser...
| |
| − | <li> the URL is the online CA + a hash of the CSR.
| |
| − | <li> Now the standard Shibboleth trajectory starts: Online CA redirects the browser to a WAYF where the user chooses his IdP.
| |
| − | <li> User logs in at his/her IdP.
| |
| − | <li> Webbrowser sends the user back to the online CA. The URL is now rewritten using Shibboleth, and the Online CA knows that the user, who send the CSR hash, is authorized. The user now tells the javabrowser that (s)he is finished with the webbrowser.
| |
| − | <li> The javabrowser sends the full CSR to the Online CA.
| |
| − | <li> The Online CA:
| |
| − | <ol style="list-style-type:lower-alpha">
| |
| − | <li> calculates the hash
| |
| − | <li> checks whether it is known/corresponds to a authorized user.
| |
| − | <li> if yes, signs the CSR
| |
| − | <li> sends a HTTP reply with the signed certificate.
| |
| − | </ol>
| |
| − | The signed certificate is stored inside the javabrowser and will be offered as client side certificate upon opening a HTTPS connection.
| |
| − | </ol>
| |
| − | | |
| − | Notes:
| |
| − | * In Shibboleth terminology, The Online CA is a Service Provider (SP) whose service is the creation of certificates.
| |
| − | * In standard CA/RA certificate terminology, the online CA Service Provider is the CA, while the IdP plays the role of RA.
| |
| − | * The SLCS model used here is similar (but not identical) to the Switch model, which is described in detail in [https://edms.cern.ch/document/770102/ https://edms.cern.ch/document/770102/].
| |
| − | * The main ''difficulty'' for these SLCS implementations is the interaction of a standalone, non-webbrowser based tool with Shibboleth, since Shibboleth IdP's only requirement is that they work with a webbrowser. On the other hand, the private key has to be present is the tool which eventually will be using the certificate. A number of solutions have been proposed and tried, but since the IdP is only guaranteed to work with a webbrowser we believe it is best to have the javabrowser start a webbrowser. The difficulty then is to guarantee the authentication across applications. We solved this by
| |
| − | ** sending a hash of the CSR during the authentication which can be checked later when the javabrowser sends the CSR itself
| |
| − | ** limiting the time between authentication and sending the CSR
| |
| − | ** requiring both tools to work from the same host.
| |
| − | | |
| − | :
| |
| − | {| border="1" cellpadding="10"
| |
| − | | <span id="handshake">[[Image:Imdi handshake.png||IMDI Browser handshake]]</span>
| |
| − | |}
| |
| − | | |
| − | === Code and Files ===
| |
| − | | |
| − | *[http://www.nikhef.nl/~msalle/slcshttps/slcshttps_v0.1_full.zip full zip-archive] (Full zip including jar file, build, and javadoc)
| |
| − | *[http://www.nikhef.nl/~msalle/slcshttps/slcshttps_v0.1_src.zip zip-archive] (Zip including only sources, run ant to get the rest)
| |
| − | *[http://www.nikhef.nl/~msalle/slcshttps/slcshttps_jdk15_v0.1.jar JDK1.5 jarfile]
| |
| − | *[http://www.nikhef.nl/~msalle/slcshttps/doc/ Javadoc API]
| |
| − | *[https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/nl.nikhef.slcshttps/ SVN repository with source]
| |
| − | Talks:
| |
| − | *[http://www.nikhef.nl/~msalle/slcshttps/MPI_talk_27052009.pdf Talk at BiGGrid meeting, Nikhef, 27 May 2009]
| |
| − | | |
| − | Note that you also need the [http://www.bouncycastle.org/ BouncyCastle provider].
| |
| − | Direct link to the [http://www.bouncycastle.org/download/bcprov-jdk15-143.jar JDK1.5 jarfile]
| |
| | | | |
| − | == gLite security ==
| + | This project was a joined project between [http://www.mpi.nl/ The Max Planck Institute for Psycholinguistics (MPI)], [http://www.surfnet.nl/ SURFnet] and [http://www.nikhef.nl/ Nikhef] and supported by [http://www.biggrid.nl/ BiG Grid]. |
| | | | |
| − | See e.g. [http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/Site_Access_Control Nikhef Site Access Control pages] | + | See the [[User:Msalle@nikhef.nl/nl.nikhef.slcshttps|project page]] for details. |
