EuroCamp - A federated framework for secure videoconference (slide deck, Daniel Kouril and Michal Prochazka)



1. EuroCamp - A federated framework for secure videoconference
   Daniel Kouril, Michal Prochazka

2. Acknowledgement
   - This work is funded by
     - CESNET Development Fund
     - Masaryk University
   EuroCamp '08 - Stockholm

3. Outline
   - Introduction
   - PKI - Digital certificate
   - OpenVPN
   - Secured videoconferencing
   - Federated Online CA
   - CAT
   - Federated framework
   - Conclusion

4. Introduction
   - Problems with making applications federation-aware
     - Closed-source applications
       - Prohibited by the licence
       - Sometimes it is not possible
   - Today's federations are mainly focused on the web environment
     - Most videoconferencing applications are non-web
   - Missing authorization, or authorization based on a shared password
   - Several groups need a secure and closed collaborative environment
     - people from medical environments, secret research, ...
   - Users are not IT professionals; do not bother them with security technologies

5. Digital certificate
   - Has a defined structure (X.509)
   - Issued by a trusted certification authority
   - PKI is not user-friendly, but in some cases it is widely used
     - SSL, SSH, HTTPS, ...
   - Holds public information:
     - Issuer of the certificate
     - Holder of the certificate
     - Public key of the holder
     - Issue date and expiration date
     - Additional information in the form of extensions
       - CRL, OCSP responder, Policy, ...

6. Example of the certificate

   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 1119039755 (0x42b3310b)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: DC=cz, DC=cesnet-ca, CN=CESNET CA
           Validity
               Not Before: Aug 29 12:34:16 2007 GMT
               Not After : Sep 29 13:04:16 2008 GMT
           Subject: DC=cz, DC=cesnet-ca, O=Masaryk University, CN=Daniel Kouril
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       00:95:18:71:fe:83:bb:8c:26:fd:ba:62:c3:55:d7:
                       f9:6a:57:71:a0:e9:34:1d:e6:a6:bd:ae:a8:20:1a:
                       17:87:b1:c8:90:56:2a:1b:3e:cb:0c:8e:eb:ef:fa:
                       72:80:9a:73:33:a4:b4:df:48:0f:b1:bb:b5:d3:78:
                       4c:11:6c:cd:ab:9e:3e:04:8c:bd:07:5c:63:0c:2a:
                       a4:32:5f:c5:4f:27:92:74:53:24:98:56:57:ae:eb:
                       fa:1f:f3:a9:6c:26:24:09:88:9a:b8:c8:2c:83:89:
                       5d:70:78:d7:8b:cb:c4:51:35:b9:be:b6:46:ce:d5:
                       7e:59:01:63:7b:75:bf:e5:7f
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Key Usage: critical
                   Digital Signature, Key Encipherment, Data Encipherment
               X509v3 Certificate Policies:
                   Policy: 1.3.6.1.4.1.8057.1.2.2.2.0
               X509v3 Subject Alternative Name:
                   email:kouril@ics.muni.cz
               X509v3 CRL Distribution Points:
                   DirName:/DC=cz/DC=cesnet-ca/CN=CESNET CA/CN=CRL2
                   URI:http://www.cesnet.cz/pki/crl/cn=CESNET%20CA,dc=cesnet-ca,dc=cz.crl
                   URI:ldap://ldap.cesnet-ca.cz/cn=CESNET%20CA,dc=cesnet-ca,dc=cz?certificateRevocationList
               X509v3 Authority Key Identifier:
                   keyid:2F:6C:05:C3:51:26:AC:AF:39:9C:3E:38:35:DD:52:29:27:80:C5:F5
               X509v3 Subject Key Identifier:
                   AA:47:80:4C:53:1F:17:D6:CD:09:1D:D8:56:36:77:4C:39:00:13:D3

7. OpenVPN
   - Creates a VPN tunnel at the application layer of the ISO/OSI model
   - Creates a virtual network adapter on the client
   - Firewall and NAT traversal
   - Capable of creating bridged or routed tunnels
   - Supports IPv6
   - Supports Linux, *BSD, Mac OS X, Windows, Solaris
   - Primary authentication by digital certificates
   - Variety of approaches for AuthN/AuthZ
     - PAM, scripts, username/password, static key
   - Transparent for the applications

8. OpenVPN - Latency (chart slide, no text)

9. Secured Collaborative Env.
   - Users need digital certificates from the CA
     - Users have problems with acquiring the certificate
     - Need to manage users
   - Videoconference uses MBone tools (VIC, RAT)
     - Can't be used behind NAT (uses UDP and RTP)
   - OpenVPN server
     - Assigns public IPs but does not route them outside of the tunnel, which prevents IP collisions at the client's network
     - Applications are accessible only through the tunnel
     - Processes authN and authZ
   - Installation package for the users

10. (diagram slide, no text)

11. Federated Online CA
   - Combines RA and CA together
   - Clients are authenticated at their home institution
     - Automated, and less administrative work
   - We are operating two types of Online CA
     - based on GridShib, http://gridshib.globus.org
     - based on OpenSSL and Perl scripts
   - Issues short- and mid-lived certificates
   - Puts the SAML response from the IdP into the certificate

12. Federated Online CA
   - CESNET has an OnlineCA in pre-production mode
     - Uses an HSM
     - Can provide an unlimited number of different CAs based on different profiles
   - We are discussing the design of an API to the Online CA
   - Reference: Security Analysis of the SAML Single Sign-on Browser/Artifact Profile (Thomas Groß)

13. Current Status
   - Modification to OpenVPN
     - enhanced authN based on digital certificates
     - added support for processing SAML extensions
   - Functional federated OnlineCA
     - AuthZ is transferred in the form of an attribute inside the certificate, as an extension
     - Private key is not encrypted
       - does not bother us due to the short lifetime of the certificate
       - allows easy integration with the applications
   - Installation package for videoconferencing tools
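Slides 11 and 13 describe putting the IdP's SAML response into the certificate as an X.509v3 extension that the modified OpenVPN then reads for authZ. As an added illustration that is not the project's code, here is a minimal DER encoder and decoder for one such extension; the OID 1.3.6.1.4.1.99999.1 and the SAML attribute snippet are placeholders I constructed, not the framework's actual values.

```python
def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return b"\x06" + der_len(len(body)) + bytes(body)

def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = der_oid(oid) + (b"\x01\x01\xff" if critical else b"")  # DER never writes a DEFAULT value
    body += b"\x04" + der_len(len(value)) + value
    return b"\x30" + der_len(len(body)) + body

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln  # (tag, contents, position after element)

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_extension(der):
    """Parse one Extension into (oid, critical, value); ValueError on malformed input."""
    tag, body, end = read_tlv(der, 0)
    tag_id, oid_body, pos = read_tlv(body, 0)
    tag_v, val, pos = read_tlv(body, pos)
    critical = tag_v == 0x01 and val == b"\xff"
    if tag_v == 0x01:  # critical flag was present, so the value comes next
        tag_v, val, pos = read_tlv(body, pos)
    if (tag, end, tag_id, tag_v, pos) != (0x30, len(der), 0x06, 0x04, len(body)):
        raise ValueError("malformed Extension")
    return decode_oid(oid_body), critical, val

ATTR_OID = "1.3.6.1.4.1.99999.1"  # placeholder private OID, not the project's
SAML_ATTR = b'<saml:Attribute Name="eduPersonAffiliation">member</saml:Attribute>'  # constructed
```

A relying party such as the modified OpenVPN server would locate the extension by OID, decode it this way, and only then parse and verify the SAML content it carries.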

14. Framework design (diagram slide, no text)

15. CAT
   - Common Access Toolkit for Federations
   - General framework which allows integrating applications into the federation
   - Secure and authenticated tunnel from the application to the server
   - One of the main purposes is to make authN/authZ transparent for the user
   - GUI tool for managing credentials for users
     - acquiring, translating, deleting, checking validity

16.-18. Network Identity Manager (screenshot slides, no text) http://web.mit.edu/kerberos/

19. Federated Framework
   - General framework, independent of the client software
   - Transparent security from the application's and the user's point of view
     - Applications do not need to solve AuthN and AuthZ
   - Minimal requirements on the network configuration
     - only one specific stream has to be enabled on the firewalls
     - NAT traversal, HTTP proxy support
   - Clients' machines could be managed

20. Related Work
   - Adobe Connect
     - Commercial tool for collaboration
     - Flash based => runs inside the browser
     - AuthN/AuthZ only by username/password
       - Ongoing work on making it a Shibboleth SP
     - During testing we have discovered some problems
       - missing fine-grained access rights
       - interruptions
       - some bugs in the UI

21. Future Work
   - Use Stunnel/OpenSSL TLS/DTLS
     - it doesn't require administrative rights
     - allows making per-port tunnels

22. This is the end ...

23. Ithanet eInfrastructure
   Ithanet is a Euromediterranean network of research centres conducting molecular and clinical research of thalassaemia and related haemoglobinopathies.
   - OpenVPN + UDP packet reflector + MBone tools
   - Public IP addresses are assigned inside the tunnel, but they are not routed outside
     - protection against IP collision at the connected institutions
   - Client installation package for Win2000/XP
     - easy to install, easy to use (one click to start/stop the conference)
   - X.509 based AuthN; OTP used to obtain the certificate
