Michal Procházka
Masaryk University
Publication
Featured research published by Michal Procházka.
grid computing | 2006
Daniel Kouril; Ludek Matyska; Michal Procházka
Weak private key management can significantly decrease the security of current grids. In this paper we present how smart cards can be used to solve private key management issues and so improve the security of the grid environment.
collaborative computing | 2007
Eva Hladká; Daniel Kouril; Michal Procházka; Ludek Matyska; Petr Holub
Current collaborative tools are often not able to profit from existing systems for user management. It is therefore necessary for collaborative systems to administer their users using their own solutions, which may not be adequate in terms of scalability or security. Many users may also experience problems working with the authentication credentials (e.g. digital certificates) employed by collaborative systems. In this paper, we propose a general framework to provide easy-to-use yet secure access to collaborative systems, which offers a general middleware layer to accommodate various types of collaborative tools. The framework utilizes the emerging model of federations, which provides a user-friendly means of logging in to a collaborative system as well as a solid basis for specifying access control policies. The framework handles all security aspects in a transparent way without requiring the users to perform complicated tasks. Using user attributes maintained in the federation, it is also possible to implement efficient and dynamic group management of the collaborating users.
advanced information networking and applications | 2007
Daniel Kouril; Ludek Matyska; Michal Procházka
Checking revocation information is necessary to prevent the use of digital certificates whose contents have become invalid. In current systems, either periodic retrieval of Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) is the most common mechanism for accessing the revocation information issued by certification authorities. As both of these approaches pose problems, we propose a new method based on a push model built on the Grid Monitoring Architecture. Using this approach we guarantee that the revocation information is distributed in a robust and timely manner. We also describe a pilot implementation of the service based on the proposed design.
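A push model raises a question the abstract leaves open: what must a relying party verify before it trusts revocation data that arrives unsolicited over a monitoring channel? The following is an added example in Go using only the standard library; it is not code from the paper or its pilot implementation. A constructed in-memory CA issues CRLs, and a consumer accepts a pushed CRL only if it is signed by the expected issuer, lies within its validity window, and carries a higher cRLNumber than the copy already cached. The CA names, serial numbers and timestamps are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed fixtures short; production code would propagate these errors.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// testCA is a constructed in-memory CA standing in for a real grid CA (an assumption of this example).
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newTestCA(name string) *testCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &testCA{cert: must(x509.ParseCertificate(der)), key: key}
}

// issueCRL signs a CRL listing the given serials; number becomes the cRLNumber extension.
func (ca *testCA) issueCRL(revoked []*big.Int, thisUpdate, nextUpdate time.Time, number int64) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	tmpl := &x509.RevocationList{RevokedCertificates: entries, Number: big.NewInt(number),
		ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
}

// revocationCache is the relying-party side of the push model: CRLs arrive over the
// monitoring channel and each one is validated before it replaces the cached copy.
type revocationCache struct {
	issuer  *x509.Certificate
	current *x509.RevocationList
}

// accept checks issuer signature, validity window and a strictly increasing cRLNumber, so a
// forged or replayed (older) CRL on the push channel cannot un-revoke a certificate.
func (c *revocationCache) accept(der []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(c.issuer); err != nil {
		return fmt.Errorf("rejecting pushed CRL: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) ||
		(c.current != nil && crl.Number.Cmp(c.current.Number) <= 0) {
		return errors.New("rejecting pushed CRL: outside validity window or not newer than cached one")
	}
	c.current = crl
	return nil
}

// isRevoked fails closed: without fresh revocation information the certificate is not accepted.
func (c *revocationCache) isRevoked(serial *big.Int, now time.Time) (bool, error) {
	if c.current == nil || now.After(c.current.NextUpdate) {
		return false, errors.New("no fresh revocation information")
	}
	for _, e := range c.current.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

type demoResult struct{ Revoked42, Revoked43, StaleRejected, ForgedRejected bool }

// runDemo pushes a good CRL revoking serial 42, then a replayed stale one, then one from an untrusted CA.
func runDemo() demoResult {
	ca, rogue := newTestCA("Example Grid CA"), newTestCA("Rogue CA") // rogue = attacker on the channel
	now := time.Now()
	good := ca.issueCRL([]*big.Int{big.NewInt(42)}, now.Add(-time.Minute), now.Add(time.Hour), 2)
	stale := ca.issueCRL(nil, now.Add(-48*time.Hour), now.Add(-24*time.Hour), 1)
	forged := rogue.issueCRL(nil, now.Add(-time.Minute), now.Add(time.Hour), 3)
	cache := &revocationCache{issuer: ca.cert}
	if err := cache.accept(good, now); err != nil {
		panic(err)
	}
	r := demoResult{StaleRejected: cache.accept(stale, now) != nil, ForgedRejected: cache.accept(forged, now) != nil}
	r.Revoked42 = must(cache.isRevoked(big.NewInt(42), now))
	r.Revoked43 = must(cache.isRevoked(big.NewInt(43), now))
	return r
}

func main() { fmt.Printf("%+v\n", runDemo()) }
```

The three checks in accept are what turn a push channel from a liability into an improvement over polling: the signature stops an attacker on the channel from injecting an empty CRL, the cRLNumber comparison stops replay of an older but still-signed list, and the fail-closed isRevoked makes a silent channel visible instead of quietly degrading to "nothing is revoked".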
2014 IST-Africa Conference & Exhibition | 2014
Michal Procházka; Slávek Licehammer; Ludek Matyska
In this paper we introduce the identity and access management system called Perun. The system provides functionality which covers management of the whole user life cycle in today's e-Infrastructures, from user enrolment into the e-Infrastructure to user expiration. The Perun system supports management of virtual organizations, delegation of rights, group management and enrolment management, making flexible user management easy to use. In comparison to ordinary identity management systems, Perun also provides service and access management. Perun is a comprehensive tool which eases management of research communities, and of users and services within organizations. The Perun system is used in production at national and international level; selected real deployments are also described in this paper.
International Conference on e-Technologies and Networks for Development | 2011
Roman Špánek; Daniel Kouřil; Martin Kuba; Michal Procházka
In a small group of people it is quite easy to start a collaboration based on shared trust, because people quickly recognize each other's qualities. But this is not true when we move to a highly distributed environment with hundreds of users, not only from one institution or town, but even from different countries. It becomes a very complicated task to distinguish experienced and trusted people from malicious users.
F1000Research | 2018
Mikael Linden; Michal Procházka; Ilkka Lappalainen; Dominik Bucik; Pavel Vyskocil; Martin Kuba; Sami Silén; Peter Belmann; Alexander Sczyrba; Steven Newhouse; Ludek Matyska; Tommi Nyrönen
A common Authentication and Authorisation Infrastructure (AAI) that would allow single sign-on to services has been identified as a key enabler for European bioinformatics. ELIXIR AAI is an ELIXIR service portfolio for authenticating researchers to ELIXIR services and informing these services about user privileges during research usage. It relieves the scientific service providers from managing user identities and authorisation themselves, enables the researcher to have a single set of credentials for all ELIXIR services and supports meeting the requirements imposed by data protection laws. ELIXIR AAI was launched in late 2016 and is part of the ELIXIR Compute platform portfolio. By the end of 2017 the number of users had reached 1000, while the number of relying scientific services was 36. This paper presents the requirements and design of the ELIXIR AAI and the policies related to its use, and how it can be used to serve some example services, such as document management, social media, data discovery, human data access, cloud compute and training services.
Proceedings of International Symposium on Grids and Clouds (ISGC) 2016 — PoS(ISGC 2016) | 2017
Slávek Licehammer; Michal Procházka
Every service uses an authorization process to determine the access rights of individuals. Many services make authorization decisions only during the authentication process, and the resulting information about access rights is then valid for the whole session. The other common approach is to run the authorization process for each single request from the user. Both of these approaches are commonly used and they are sufficient for most services. However, there are services that enable users to work with persistent resources. Examples of such services are cloud infrastructures which enable users to start virtual machines or use data storage for storing large amounts of data. Apart from the aforementioned authorization done while the user is interacting with the service, there is a need to know that the user is still authorized to use the resources even when the user is not interacting with the service. Such knowledge enables services to free the persistent resources occupied by a user who is no longer authorized. Deprovisioning is the process which lets a service know about users who are no longer authorized. It is the opposite of the well-known provisioning process, which is used in cases where services need to know the users in advance of their first usage of the service. In this paper we describe the importance of the deprovisioning process based on real use-cases and services. Moreover, we focus on possible options for implementing deprovisioning in existing infrastructures. Last but not least, we describe similarities between a standard deprovisioning process and the suspension of users on services due to security incidents. Based on those similarities, we demonstrate on a real system how to utilize the deprovisioning process to automate mitigation of security incidents.
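As an added illustration of the deprovisioning step described above, and of the user life-cycle management the Perun abstract mentions (example code written for this page, not Perun's or the paper's own): a reconciliation pass in Go that compares the persistent resources a cloud service holds with the entitlements an identity management system reports. Resources of users who expired or disappeared from the IdM are released; resources of users blocked after a security incident are suspended through the same path, which is the similarity the abstract points out. The user and resource names, dates and the two operation names are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Resource is a persistent resource a service holds for a user (a VM, a storage volume)
// and keeps holding while the user is not interacting with the service.
type Resource struct{ ID, Owner, Kind string }

// Entitlement is what the identity management system asserts about a user: authorized
// for this service until Expires, unless Suspended (e.g. after a security incident).
type Entitlement struct {
	User      string
	Expires   time.Time
	Suspended bool
}

// Action is what the service should do with one resource. Suspension is reversible (stop the
// VM, block the account, keep the data); release frees the resource for good.
type Action struct {
	Resource Resource
	Op       string // "release" or "suspend"
	Reason   string
}

// reconcile is the deprovisioning step. It runs on a schedule or on a push from the IdM,
// independently of any request from the user, and compares what the service holds with
// who is still entitled to hold it. Unknown users and expired memberships get "release";
// suspended users get "suspend", which is the incident-mitigation case in the same flow.
func reconcile(held []Resource, ents []Entitlement, now time.Time) []Action {
	byUser := make(map[string]Entitlement, len(ents))
	for _, e := range ents {
		byUser[e.User] = e
	}
	var out []Action
	for _, r := range held {
		e, known := byUser[r.Owner]
		switch {
		case !known:
			out = append(out, Action{r, "release", "owner is no longer known to the IdM"})
		case e.Suspended:
			out = append(out, Action{r, "suspend", "owner suspended after a security incident"})
		case !now.Before(e.Expires):
			out = append(out, Action{r, "release", "membership expired on " + e.Expires.Format("2006-01-02")})
		}
	}
	// Deterministic order makes the resulting ticket or audit log reproducible.
	sort.Slice(out, func(i, j int) bool { return out[i].Resource.ID < out[j].Resource.ID })
	return out
}

// demoReconcile runs the step over constructed sample data: one active user, one whose
// membership expired, one suspended after an incident, and one removed from the IdM.
func demoReconcile() []Action {
	now := time.Date(2016, 3, 1, 0, 0, 0, 0, time.UTC)
	held := []Resource{
		{"vm-101", "alice", "vm"}, {"vol-7", "bob", "storage"},
		{"vm-102", "carol", "vm"}, {"vm-103", "dave", "vm"},
	}
	ents := []Entitlement{
		{"alice", now.AddDate(1, 0, 0), false},
		{"bob", now.AddDate(0, -1, 0), false},
		{"carol", now.AddDate(1, 0, 0), true},
	}
	return reconcile(held, ents, now)
}

func main() {
	for _, a := range demoReconcile() {
		fmt.Printf("%-8s %-7s %s (%s)\n", a.Op, a.Resource.ID, a.Reason, a.Resource.Kind)
	}
}
```

The point of keeping "suspend" and "release" as distinct operations is that an incident response often turns out to be a false alarm: stopping a VM and blocking logins is cheap to undo, deleting a user's data is not, so the same reconciliation loop can serve both the routine deprovisioning case and the urgent one without the urgent one becoming destructive.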
Archive | 2015
Daniel Kouřil; Marcel Poul; Michal Procházka
Authentication is basic functionality required by most services that provide access to protected resources or personalized content. In order to authenticate to services, users maintain sets of credentials that they use to prove their identity. Credential delegation allows users to seamlessly access multiple services across the network. The concept has proved its utility within single-domain authentication mechanisms, so emerging identity federations are expected to provide similar functions too. Recently, various non-web-based federation models have emerged; unfortunately, they do not properly cover delegation of credentials. In this paper we introduce a mechanism utilizing digital certificates and PKI which provides support for credential delegation in non-web-based federations. The viability of the concept is demonstrated on the integration of the mechanism with the Moonshot federation framework. However, the solution forms an independent middleware layer that can be used by several federation models.
Proceedings of The International Symposium on Grids and Clouds (ISGC) 2012 — PoS(ISGC 2012) | 2012
Ludek Matyska; Michal Procházka
Identity federations are becoming more and more discussed and deployed as a new means to prove our identity in the digital world. Both grids and clouds are trying to incorporate identity federations to allow much easier access to the infrastructure, with clouds best suited due to their web-based access. However, the more widespread use of identity federations also reveals their drawbacks and limitations, both in technology and in their legal implications. These are demonstrated using our long experience with a service included in a high number of national federations. A post-federated Aditi system is then presented as a possible solution, putting users in the centre. This overcomes the legal problems and also provides fine-grained control over the information directly revealed to a service provider. The Aditi architecture utilizes current SAML-based identity federations as much as possible and requires only minor changes to the data flow. Therefore it can be deployed in existing national identity federations without any obstacles, and cloud service providers can start to provide their services to the huge number of users who have an account in a national identity federation without initial barriers. At the end of the paper we also briefly touch on the complementary problem of trust between identity and service providers and give a short
Proceedings of The International Symposium on Grids and Clouds and the Open Grid Forum — PoS(ISGC 2011 & OGF 31) | 2011
Michal Procházka; Daniel Kouřil; Romain Wartel; Christos Kanellopoulos; Christos Triantafyllidis
Unpatched security vulnerabilities are often exploited by attackers to take over machines or cause other harm to computers and their legitimate users. Having proper and timely patch management is crucial to keep a system secure and resistant to common attacks targeting known weak spots. For this, a monitoring system that is able to provide a global view of the whole infrastructure is indispensable. In this paper we present the Pakiti service, which makes it possible to monitor patches across a number of machines and retain a fresh overview of their patching status. Using Pakiti, a system administrator can detect machines where patching failed for whatever reason or was not initiated at all.
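An added example of the check the Pakiti abstract describes, written in Go for this page (it is not Pakiti's own code): given per-host package inventories and a list of fixed versions, report hosts that still run a vulnerable version and hosts that have stopped reporting, which is how "patching was not initiated at all" usually shows up. Because "is this version older than the fix?" is where such tools go wrong, the comparison implements the dpkg ordering (epoch, upstream, revision; alternating letter and digit runs; '~' sorts before anything, so 1.0~rc1 < 1.0). Host names, package and advisory versions, and the 24-hour reporting threshold are constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }
func at(s string, i int) byte { if i < len(s) { return s[i] }; return 0 } // 0 past the end

// order is dpkg's character weight: digits and end of string 0, letters their code,
// '~' below everything (so 1.0~rc1 < 1.0), other symbols above letters.
func order(c byte) int {
	switch {
	case isDigit(c) || c == 0: return 0
	case isAlpha(c): return int(c)
	case c == '~': return -1
	}
	return int(c) + 256
}

// verrevcmp compares one version part (upstream or revision) the way dpkg does:
// alternating non-digit runs (by order) and digit runs (numerically, ignoring leading zeros).
func verrevcmp(a, b string) int {
	for i, j := 0, 0; i < len(a) || j < len(b); {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := order(at(a, i)) - order(at(b, j)); d != 0 { return d }
			i, j = i+1, j+1
		}
		for i < len(a) && a[i] == '0' { i++ }
		for j < len(b) && b[j] == '0' { j++ }
		for i < len(a) && isDigit(a[i]) && j < len(b) && isDigit(b[j]) {
			if firstDiff == 0 { firstDiff = int(a[i]) - int(b[j]) }
			i, j = i+1, j+1
		}
		if i < len(a) && isDigit(a[i]) { return 1 } // a's digit run is longer, so numerically larger
		if j < len(b) && isDigit(b[j]) { return -1 }
		if firstDiff != 0 { return firstDiff }
	}
	return 0
}

// splitVersion breaks [epoch:]upstream[-revision]; a missing or malformed epoch counts as 0.
func splitVersion(v string) (epoch int, upstream, revision string) {
	if k := strings.IndexByte(v, ':'); k >= 0 {
		epoch, _ = strconv.Atoi(v[:k])
		v = v[k+1:]
	}
	if k := strings.LastIndexByte(v, '-'); k >= 0 { return epoch, v[:k], v[k+1:] }
	return epoch, v, ""
}

// compareDebVersion returns <0 if a is older than b, 0 if equal, >0 if newer.
func compareDebVersion(a, b string) int {
	ea, ua, ra := splitVersion(a)
	eb, ub, rb := splitVersion(b)
	if ea != eb { return ea - eb }
	if c := verrevcmp(ua, ub); c != 0 { return c }
	return verrevcmp(ra, rb)
}

// Advisory: package and first fixed version. HostReport: what a Pakiti-style client sends
// (installed versions plus report time). Both hold constructed sample data below.
type Advisory struct{ Package, FixedIn string }
type HostReport struct { Host string; Installed map[string]string; Reported time.Time }
type Finding struct{ Host, Package, Installed, FixedIn string }

// unpatched reports hosts running a version below the fix, and hosts whose last report is older
// than maxAge, whose state is unknown (patching never initiated, client broken, or host gone).
func unpatched(reports []HostReport, adv []Advisory, now time.Time, maxAge time.Duration) (findings []Finding, silent []string) {
	for _, r := range reports {
		if now.Sub(r.Reported) > maxAge {
			silent = append(silent, r.Host)
			continue
		}
		for _, a := range adv {
			if v, ok := r.Installed[a.Package]; ok && compareDebVersion(v, a.FixedIn) < 0 {
				findings = append(findings, Finding{r.Host, a.Package, v, a.FixedIn})
			}
		}
	}
	return findings, silent
}

// demoPatchStatus runs the check over three constructed worker-node reports.
func demoPatchStatus() ([]Finding, []string) {
	now := time.Date(2011, 3, 20, 12, 0, 0, 0, time.UTC)
	adv := []Advisory{{"openssl", "1.0.0d-1"}, {"linux-image", "2.6.32-31"}}
	reports := []HostReport{
		{"wn01", map[string]string{"openssl": "1.0.0c-2", "linux-image": "2.6.32-31"}, now.Add(-time.Hour)},
		{"wn02", map[string]string{"openssl": "1.0.0d-1", "linux-image": "2.6.32-30"}, now.Add(-2 * time.Hour)},
		{"wn03", map[string]string{"openssl": "1.0.0d-1", "linux-image": "2.6.32-31"}, now.Add(-72 * time.Hour)},
	}
	return unpatched(reports, adv, now, 24*time.Hour)
}

func main() { fmt.Println(demoPatchStatus()) }
```

The silent list is as important as the findings: a host that never reports cannot be shown as patched, and treating "no data" as "no problem" is exactly how a machine on which the update job never ran stays exposed while the dashboard stays green.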