
  • Number of slides: 11

Slide 1: Single Sign-On Proposal (a PPARC funded project)
Guy Rixon, IVOA Interoperability Meeting, Cambridge MA, May 2004

Slide 2: Goals
  • Software-to-software authentication
      - Protect services from misuse
  • User signs on once per interactive session
  • Minimal impact on service providers
      - No shared DBs of passwords
      - Don't register each user at each service
  • Minimal impact on users
      - Register once for entire VObs, on-line
      - One password for entire VObs
      - No p(r)oxy certificates for user to manage

Slide 3: Parts of proposal
  • Proposal text on IVOA wiki: http://www.ivoa.net/twiki/bin/view/IVOA/SingleSignOnProposal
  • Proposal in two parts:
      1. Message-level protocol for authentication
      2. How client s/w gets its credentials
  • 2nd part expands on 1st part
      - More architectural
      - More sociological
      - Could adopt 1st part but not 2nd part

Slide 4: Message-level protocol (1)
  • Digitally sign body of message
      - Prevents alteration of message
      - Dig-sig mark-up goes in SOAP header
      - Use WS-Security encoding
  • Put X.509 ID certificate in message
      - Certificate contains public key + user ID
      - Put certificate in SOAP header
      - WS-Security encoding again
  • Certificate + signature = authentication
      - Signature on msg ties msg to key pair
      - Certificate ties key pair to account ID

Slide 5: Message-level protocol (2)
  • Basic signed message is vulnerable to replay attack
  • Use "nonce" and timestamp to defeat this
      - Nonce = unique message-ID
      - Timestamp = time of message creation
  • Service uses nonce & timestamp to detect bad messages
      - Rejects messages older than (say) 5 minutes
      - Records nonces from msgs in last 5 minutes
      - Rejects messages with duplicate nonces
  • Nonce + timestamp travel in SOAP header
      - WS-Security encoding again
      - Sender signs them to avoid tampering

Slide 6: Example SOAP header

  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wssecurity-secext-1.0.xsd"
                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wssecurity-utility-1.0.xsd"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Signature>
      <!-- Signature for wsse:UsernameToken -->
      ...
    </ds:Signature>
    <wsse:UsernameToken>
      <!-- Guards against replay attacks -->
      <!-- Username here is NOT authenticated as not signed by CA -->
      <wsse:Username>ivo://ast.cam.ac.uk/Community/GuyRixon</wsse:Username>
      <wsse:Nonce>4cz8rnEhdsjmcie2138ck==</wsse:Nonce>
      <wsu:Created>2004-05-12T14:26:00+01:00</wsu:Created>
    </wsse:UsernameToken>

Slide 7: SOAP-header example (cont.)

    <ds:Signature>
      <!-- Signature for SOAP body -->
      ...
    </ds:Signature>
    <wsse:BinaryToken>
      <!-- Certificate used in digital signatures -->
      <!-- Certificate contains the authenticated username signed by CA -->
      ...
    </wsse:BinaryToken>
  </wsse:Security>

Slide 8: Certificate authority (1)
  • All X.509 certs come from a certificate authority (CA)
      - Signs cert
      - Establishes link between public key and user ID
  • There are external CAs
      - E.g. UK e-Science CA
      - E.g. Verisign
  • Service provider trusts authentication process only if he/she trusts the CA

Slide 9: Certificate authority (2)
  • There are problems with CAs in the IVO
      - High-security CAs demand off-line registration
      - Not all astronomers have access to recognized CAs
      - Set of all relevant CAs is open...
      - ...but CA details need to be preloaded in each service
      - How to trust CAs?
  • However, can run own CA locally
      - Commonly done in early grid projects
      - Toolkits exist

Slide 10: Proposal
  • VObs community services:
      - Registration point for users
      - Represent real-world communities
      - Allow user sign-on to VObs with password
      - Issue X.509 certs in exchange for password
      - Also handle authorization
          - E.g. service provider authorizes whole community
          - E.g. service provider authorizes group within community

Slide 11: How the credentials are passed
  (Diagram)
  • User signs in with password at the Portal/Desktop app
  • Community service issues X.509 cert to the Portal/Desktop app
  • Portal/Desktop app sends signed message to the Service
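Added example, not part of the slides: a receiver-side check in Python that parses the wsse:UsernameToken from a header like the one on slides 6 and 7 and applies the replay policy of slide 5 (reject messages older than 5 minutes, remember nonces seen inside that window, reject duplicates). The sample header is constructed from the slide's values with the ds:Signature and certificate elements left out; the namespace URIs are the published OASIS WS-Security 1.0 ones rather than the slides' abbreviated forms, and the small allowance for clock skew between sender and receiver is an assumption that goes beyond what the slide states.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Published OASIS WS-Security 1.0 namespace URIs (the slides abbreviate them).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed header modelled on slide 6; the ds:Signature and certificate elements
# are omitted because only the UsernameToken is needed for the replay check.
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:UsernameToken>
    <wsse:Username>ivo://ast.cam.ac.uk/Community/GuyRixon</wsse:Username>
    <wsse:Nonce>4cz8rnEhdsjmcie2138ck==</wsse:Nonce>
    <wsu:Created>2004-05-12T14:26:00+01:00</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>"""


def parse_token(header_xml):
    """Return (username, nonce, created) from the wsse:UsernameToken."""
    tok = ET.fromstring(header_xml).find("wsse:UsernameToken", NS)
    created = datetime.fromisoformat(tok.find("wsu:Created", NS).text.strip())
    if created.tzinfo is None:
        raise ValueError("wsu:Created must carry a UTC offset")
    return (tok.find("wsse:Username", NS).text.strip(),
            tok.find("wsse:Nonce", NS).text.strip(), created)


class ReplayGuard:
    """Rejects stale messages, remembers nonces seen inside the window and rejects
    duplicates. The receiver's clock is passed in (ISO 8601) so the logic is testable."""

    def __init__(self, window=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.window, self.skew = window, skew  # skew allowance is an assumption
        self.seen = {}  # nonce -> wsu:Created of the message that carried it

    def check(self, header_xml, now_iso):
        now = datetime.fromisoformat(now_iso)
        _, nonce, created = parse_token(header_xml)
        # Drop nonces outside the window: a replay of those fails the age check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if now - created > self.window:
            return "rejected: stale timestamp"
        if created - now > self.skew:
            return "rejected: timestamp in the future"
        if nonce in self.seen:
            return "rejected: duplicate nonce (replay)"
        self.seen[nonce] = created
        return "accepted"
```

The check only runs after the signature over the UsernameToken has been verified; an unsigned nonce or timestamp could be rewritten by whoever replays the message.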