132 research outputs found

    SSH Key Management Challenges and Requirements

    Invited paper. SSH (Secure Shell) uses public keys for authenticating servers and users. This paper summarizes progress in SSH key management so far, highlights outstanding problems, and presents requirements for a long-term solution. Proposals are solicited from the research community to address the issue. The problem is of high practical importance, as most of our critical Internet infrastructure, cloud services, and open source software development is protected using these keys. Non peer reviewed

    Towards the definition of a quality model for mail servers

    The paper presents an approach for building a Mail Server Quality Model, based on the ISO/IEC software quality standard. We start by defining the mail system domain to be used as general framework and the relevant technologies involved. Then a general overview of the ISO/IEC standard is given. The basic steps, the relevant considerations and criteria used to select the appropriate subcharacteristics and quality attributes are also presented. The selected attributes are categorized under the six ISO/IEC quality characteristics conforming the model. Finally some case studies requirements and two commercial mail server tools are used to evaluate the model. Postprint (published version)

    ARC Computing Element System Administrator Guide

    The ARC Computing Element (CE) is an EMI product allowing submission and management of applications running on DCI computational resourc

    A New Simplified Federated Single Sign-on System

    The work presented in this MPhil thesis addresses this challenge by developing a new simplified FSSO system that allows end-users to access desktop systems, web-based services/applications and non-web based services/applications using one authentication process. This new system achieves this using two major components: an “Authentication Infrastructure Integration Program” (AIIP) and an “Integration of Desktop Authentication and Web-based Authentication” (IDAWA). The AIIP acquires Kerberos tickets (for end-users who have been authenticated by a Kerberos single sign-on system in one network domain) from Kerberos single sign-on systems in different network domains without establishing trust between these Kerberos single sign-on systems. The IDAWA is an extension to the web-based authentication systems (i.e. the web portal), and it authenticates end-users by verifying the end-users' Kerberos tickets. This research also developed new criteria to determine which FSSO system can deliver true single sign-on to the end-users (i.e. allowing end-users to access desktop systems, web-based services/applications and non-web based services/applications using one authentication process). The evaluation shows that the new simplified FSSO system (i.e. the combination of AIIP and IDAWA) can deliver true single sign-on to the end-users. In addition, the evaluation shows the new simplified FSSO system has advantages over existing FSSO systems as it does not require additional modifications to network domains' existing non-web based authentication infrastructures (i.e. Kerberos single sign-on systems) and their firewall rules

    Support of Multiple Replica Types in FreeIPA

    LDAP and Kerberos together are widely used for management of user accounts and authorization. The installation and administration of a system based on these protocols might be difficult and full of obstacles. An open source solution exists that is capable of handling the entire life cycle of such a system. It is the FreeIPA identity management system. FreeIPA significantly simplifies the usage of LDAP and Kerberos from the administrator's point of view. This thesis focuses on extending the replication capabilities of FreeIPA by adding support for read-only replicas. The read-only replicas should improve the scalability of FreeIPA-controlled systems.

    The Development of a graduate course on identity management for the Department of Networking, Security, and Systems Administration

    Digital identities are being utilized more than ever as a means to authenticate computer users in order to control access to systems, web services, and networks. To maintain these digital identities, administrators turn to Identity Management solutions to offer protection for users, business partners, and networks. This paper proposes an analysis of Identity Management to be accomplished in the form of a graduate level course of study for a ten-week period for the Networking, Security, and Systems Administration department at Rochester Institute of Technology. This course will be designed for this department because of its emphasis on securing, protecting, and managing the identities of users within and across networks. Many of the security-related courses offered by the department focus primarily on security within enterprises. Therefore, Identity Management, a topic that is becoming more popular within enterprises each day, would complement these courses. Students that enroll in this course will be more equipped to satisfy the needs of modern enterprises when they graduate because they will have a better understanding of how to address security issues that involve managing user identities across networks, systems, and enterprises. This course will focus on several aspects of Identity Management and its use in enterprises today. Covered during the course will be the frameworks of Identity Management, for instance, Liberty Identity Federation Framework and OASIS SAML 2.0; the Identity Management models; and some of the major Identity Management solutions that are in use today such as Liberty Alliance, Microsoft Passport, and Shibboleth. This course will also provide the opportunity to gain hands-on experience by facilitating exemplar technologies used in laboratory investigations

    Authentication and Authorization Modules for Open Messaging Interface (O-MI)

    With the constant rise of new technology, developments in the fields of computer science, wireless networks, storage capabilities and sensing possibilities along with the demand for continuous connectivity have led to the formation of the Internet of Things (IoT) concept. Today, there are numerous organizations working on the IoT technology aimed at developing smart products and services. Each company proposes its own methods directed at a particular field of industry; thus, it ends up with having several protocols. This has poorly followed the concept of a unified system. The Open Group attempted to address this issue by proposing Open Messaging Interface (O-MI) and Open Data Format (O-DF) protocols and claimed O-MI to be an IoT messaging standard as that of HTTP for world-wide-web (WWW). The proposed protocols have been designed to ensure robust development, data standardization, and required security level. However, the security model needs to be upgraded with the recent security techniques. This thesis attempts to specify appropriate authentication and authorization (access control) mechanisms that manage various consumers and provide functionalities that fit into O-MI/O-DF standards. The thesis first discusses several challenges regarding IoT security and then different authentication and authorization techniques available today. It then describes in detail the design decisions and implementation technicalities of the autonomous services created for the reference implementation of O-MI and O-DF

    Directory-Enabled Networking Design Reference
