lionshare & usher
Post on 15-Jan-2016
LionShare & USHER
Derek Morr
Spring ’06 MM
Overview
• LionShare is an academic peer-to-peer filesharing system.
• Strong emphasis on identity management: users must be identified to share files.
• Optional attribute-based authorization.
Authentication
• To identify themselves, users digitally sign certain protocol messages and XML fragments.
• Users obtain short-term certs from an online CA, called the SASL-CA.
• Think kx509, but with SASL and in Java.
Certificate Types
• Identity:
CN=DEREK VAUGHAN MORR(dvm105@psu.edu)/dvm105@psu.edu, OU=ACADEMIC SERV & EMERGING TECH, O=Pennsylvania State University, L=UNIVERSITY PARK, ST=Pennsylvania, C=US
• Opaque:
CN=6ZYEBU6OPVQSCQLEKEM463QVLLQXTUU2PTCSYDLK2VHZA3FJR27UJFUJXB5ZSEVUL3US2FZ5O4LZWIR3737THCFTX4B2RJMWC27LB2DMQFL7ZQAXMD4Q
Authorization
• Users can create attribute-based ACLs.
• LS 1.1 supports a subset of eduPerson; this may be expanded in a later release.
• We use a custom SAML profile to obtain and exchange attributes. This requires a plugin to Shib 1.3.
Split Roots
• AuthN (the SASL-CA) is rooted in USHER.
• AuthZ (Shib) is rooted in InCommon.
• Fortunately, the two CAs have similar policies.
Bridging the Roots
• Users obtain an USHER-rooted opaque cert from the SASL-CA with a CryptoShibHandle in the DN:
CN=6ZYEBU6OPVQSCQLEKEM463QVLLQXTUU2PTCSYDLK2VHZA3FJR27UJFUJXB5ZSEVUL3US2FZ5O4LZWIR3737THCFTX4B2RJMWC27LB2DMQFL7ZQAXMD4Q
• This is a symmetrically encrypted identifier that the IdP can interpret.
Bridging the Roots
• Open a mutually authenticated SSL tunnel to IdP with the opaque cert to obtain an InCommon-rooted SAML AttributeAssertion.
• The AttributeAssertion is bound to the USHER-rooted opaque cert via Holder-of-Key Confirmation.
Holder-of-Key Confirmation
<SubjectConfirmation>
  <ConfirmationMethod>urn:lionshare-test:holder-of-key</ConfirmationMethod>
  <SubjectConfirmationData>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>Base64-encoded opaque cert here…</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </SubjectConfirmationData>
</SubjectConfirmation>
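The check a receiving peer would make on the holder-of-key confirmation above, as an added Python example (not LionShare code): extract the embedded certificate and compare it with the certificate the sender actually presented. The function names and the sample byte strings are assumptions, and validating the assertion's signature and the certificate's chain is assumed to happen elsewhere.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

HOK_METHOD = "urn:lionshare-test:holder-of-key"  # URN shown on the slide
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: these byte strings stand in for DER-encoded certificates.
OPAQUE_CERT = b"constructed-opaque-cert-der"
OTHER_CERT = b"constructed-other-cert-der"
SAMPLE = """<SubjectConfirmation>
  <ConfirmationMethod>urn:lionshare-test:holder-of-key</ConfirmationMethod>
  <SubjectConfirmationData>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
  </SubjectConfirmationData>
</SubjectConfirmation>""" % base64.b64encode(OPAQUE_CERT).decode()


def local(tag):
    """Strip any XML namespace so SAML elements match with or without one."""
    return tag.rsplit("}", 1)[-1]


def holder_of_key_cert(confirmation_xml):
    """Return the certificate bytes embedded in a SubjectConfirmation (hypothetical helper)."""
    root = ET.fromstring(confirmation_xml)
    if local(root.tag) != "SubjectConfirmation":
        raise ValueError("not a SubjectConfirmation element")
    methods = [(e.text or "").strip() for e in root if local(e.tag) == "ConfirmationMethod"]
    if methods != [HOK_METHOD]:  # a bearer-style method must not pass as holder-of-key
        raise ValueError("unexpected confirmation method: %r" % methods)
    certs = root.findall(".//" + DS + "X509Certificate")
    if len(certs) != 1:  # ambiguous binding: refuse rather than pick one
        raise ValueError("expected exactly one X509Certificate")
    der = base64.b64decode("".join((certs[0].text or "").split()), validate=True)
    if not der:
        raise ValueError("empty X509Certificate")
    return der


def assertion_bound_to(confirmation_xml, presented_cert_der):
    """True only if the assertion names the certificate the peer actually presented."""
    try:
        embedded = holder_of_key_cert(confirmation_xml)
    except (ValueError, ET.ParseError):
        return False
    return hmac.compare_digest(embedded, presented_cert_der)
```

An assertion that fails this comparison was issued for a different key holder and should be rejected even if its signature is valid.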
Security Model
USHER Foundation
“Friendly Trust”
• AuthZ (Shib) has extensive metadata about each node that supplements PKIX.
• AuthN (SASL-CA) does not. Anything from USHER is trusted.
• No one wants to run a LS-specific federation.
Deployment
• 1.0 - Sept ’05
• 1.1 - April/May ’06
• Penn State got its USHER CA cert last week.
• In last stages of testing, should go live “soon.”
SASL-CA Future
• Version 0.4 almost ready (rc5 is being prepped).
• Version 0.5:
  • Pluggable cert types, possibly based on HEPKI-TAG certprofiles
  • May introduce backwards-incompatible protocol changes