
RadSec and DAMe
University of Stuttgart, University of Murcia
Vienna, 18.02.2010
Sascha Neinert

Overview
§ DAMe Project
§ RadSec and DAMe: Dynamic Server Discovery
§ DAMe Testbed
§ Next Steps

DAMe Project
§ DAMe stands for: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture
§ Subproject of GÉANT2
§ Partners: DFN, RedIRIS, University of Murcia, University of Stuttgart
§ Goals:
  § Adding attribute-based authorization to eduroam
  § Unified Single Sign On, using the eduToken in SAML format

Attribute-based Authorization in eduroam (diagram only; not recoverable from the extraction)

Unified Single Sign On (diagram only; not recoverable from the extraction)

DAMe-2 Project
§ Additional goals:
  § Support for Level of Assurance (LoA):
    § Including the LoA in the eduToken, in the AuthnContext
    § Protocol extended for re-authentication with a higher LoA
  § Integration of RadSec
    § Adding RadSec proxy servers in front of both the remote (SP) and the home (IdP) institution
    § eduToken transport over RadSec
  § Inclusion of attribute conversion in DAMe

RadSec and DAMe: Dynamic Server Discovery
§ RadSec: RADIUS over TCP and TLS
  § Implementations: radsecproxy and Radiator
§ eduroam with RadSec
  1. Mutual authentication with valid server certificates from a trusted CA (eduGAIN CA / SCA, others)
  2. subjectAltName (URI) specifying the role of a server (e.g. urn:geant:eduroam:component:sp:ABC may act as a RadSec client, urn:geant:eduroam:component:idp:XYZ may act as a server). A certificate from the federation CA alone is therefore not enough: the peer must also hold the URN for the role and realm it claims.
§ RadSec enables dynamic server discovery:
  1. Lookup for a RadSec server serving a specific home domain
  2. Mutual authentication using server certificates
  3. TLS connection is established

RadSec and DAMe: Dynamic Server Discovery
§ Dynamic discovery can be done...
  § Using DNS
    § radsecproxy can query for _radsec._tcp.<home domain>
    § Radiator can also use this mechanism
  § Using MDS
    § radsecproxy calls the radsec2mds tool
    § SAML metadata is retrieved from eduGAIN
    § MDS is part of DAMe / eduGAIN already
    § MDS is flexible + secure (efficient? reliable?)
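The discovery procedure from the two slides above (SRV lookup for _radsec._tcp.<realm>, mutual TLS, then acceptance of the peer only by the eduroam role URN in its certificate's subjectAltName), as an added Python example. This is not code from the DAMe project, radsecproxy or Radiator; the SRV answers and subjectAltName lists it works on are constructed test data, and the port 2083 (the IANA port for RADIUS/TLS) and the RFC 2782 selection rule are assumptions about how a deployment resolves the name, not facts from the slides. The point it makes: DNS is untrusted, so a server found for realm X is used only if its certificate carries urn:geant:eduroam:component:idp:X, not merely any certificate the federation CA has issued.

```python
"""Dynamic RadSec server discovery with a role check on the peer certificate.

Added example; not code from DAMe, radsecproxy or Radiator. All DNS answers
and certificate subjectAltName values used here are constructed test data.
"""
import random
import ssl
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

ROLE_PREFIX = "urn:geant:eduroam:component:"  # URN scheme named on the slides
RADSEC_PORT = 2083  # IANA port for RADIUS/TLS; assumption that SRV targets use it


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV answer (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


def srv_name(realm: str) -> str:
    """Step 1: the name radsecproxy looks up for a user's home realm."""
    realm = realm.strip().strip(".").lower()
    if not realm or any(label == "" for label in realm.split(".")):
        raise ValueError(f"invalid realm: {realm!r}")
    return f"_radsec._tcp.{realm}."


def pick_srv(records: Sequence[SrvRecord],
             rng: Callable[[], float] = random.random) -> Optional[SrvRecord]:
    """RFC 2782 target selection: lowest priority wins, weighted random
    choice among equal priorities. None means the realm advertises no
    RadSec server at all."""
    if not records:
        return None
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    roll = rng() * total
    for rec in candidates:
        roll -= rec.weight
        if roll < 0:
            return rec
    return candidates[-1]


def role_urns(san: Iterable[Tuple[str, str]]) -> List[str]:
    """eduroam role URNs from a subjectAltName sequence in the shape that
    ssl.SSLSocket.getpeercert()['subjectAltName'] returns, e.g.
    (('DNS', 'host'), ('URI', 'urn:geant:eduroam:component:idp:realm'))."""
    return [value for kind, value in san
            if kind == "URI" and value.lower().startswith(ROLE_PREFIX)]


def authorise_peer(san: Iterable[Tuple[str, str]], role: str, realm: str) -> bool:
    """Steps 2-3, after the handshake has verified the chain: the peer may act
    in `role` ('idp' for a server we discovered, 'sp' for a client connecting
    to us) only if its certificate names exactly that role for that realm.
    A chain that validates against the federation CA is necessary, not sufficient."""
    wanted = f"{ROLE_PREFIX}{role}:{realm.strip('.').lower()}"
    return any(urn.lower() == wanted for urn in role_urns(san))


def radsec_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Mutual TLS for the RadSec connection: require and verify the peer chain
    against the federation CA and present our own certificate. Hostname
    checking is off because the identity relied on is the role URN in the
    SAN, which authorise_peer checks after the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def discover(realm: str, srv_answers: Sequence[SrvRecord],
             peer_san: Iterable[Tuple[str, str]]) -> Optional[Tuple[str, int]]:
    """Whole procedure for one home realm. In a real proxy the SRV answers
    come from a resolver and peer_san from getpeercert() on the TLS socket;
    both are passed in here so the logic runs offline."""
    target = pick_srv(srv_answers)
    if target is None:
        return None  # realm does not offer RadSec
    if not authorise_peer(peer_san, "idp", realm):
        return None  # DNS sent us to a host without the idp role for this realm
    return target.target, target.port


if __name__ == "__main__":
    # Constructed data: one realm with two SRV targets and the subjectAltName
    # the chosen target presents after the handshake.
    answers = [SrvRecord(10, 0, RADSEC_PORT, "radsec2.example.org."),
               SrvRecord(5, 0, RADSEC_PORT, "radsec1.example.org.")]
    good_san = (("DNS", "radsec1.example.org"),
                ("URI", "urn:geant:eduroam:component:idp:example.org"))
    wrong_realm_san = (("URI", "urn:geant:eduroam:component:idp:other.example"),)
    print(srv_name("example.org"), discover("example.org", answers, good_san))
    print(discover("example.org", answers, wrong_realm_san))
```

The same `authorise_peer` serves the server side of the connection: a proxy accepting an incoming RadSec connection checks the client's certificate for the `sp:` URN of the realm it claims to forward for, which is the second bullet on the previous slide.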

RadSec and DAMe: Dynamic Server Discovery (MDS) (diagram only; not recoverable from the extraction)

RadSec and DAMe: Dynamic Server Discovery (MDS)
Metadata snippet (only the element name and the entity's domain survived extraction):
<md:EntityDescriptor [...] uni-stuttgart.de

DAMe Testbed – Overall View (diagram only; components shown: DNS, AP, RADIUS, Shibboleth IdP, RadSec proxy, DAMe-BE, client, XACML PDP, eduGAIN MDS; sites USTUTT ("home") and UMU ("remote"))

DAMe Testbed – UMU
§ Client
  § wpa_supplicant
§ Network SP
  § FreeRADIUS 1.1.3 with dame-dictionary
  § radsecproxy 1.3.1
  § eduGAIN SCA certificate including the eduroam URN (urn:geant:eduroam:component:...)

DAMe Testbed – USTUTT
§ Network IdP
  § FreeRADIUS 2.0.2 with dame-enabled PEAP module and dame-dictionary
  § radsecproxy 1.3.1
  § can be discovered by querying DNS for _radsec._tcp.dame.uni-stuttgart.de
  § eduGAIN SCA certificate including the eduroam URN (urn:geant:eduroam:component:...)
§ SAML IdP
  § Shibboleth IdP 1.3.2 + DAMe-BE
  § Issuing eduTokens

Next Steps
§ USTUTT: separate network SP and network IdP
§ Finish deployment of DAMe including the dynamic discovery components
§ Publish metadata to mds.edugain.org
§ Run federated tests between UMU and USTUTT
§ Optimize the radsec2mds tool
§ Measure performance of DNS-based and MDS-based discovery
§ Compare both methods

Any questions or comments?
DAMe website: http://dame.inf.um.es/