SciTokens: Capability-Based Secure Access to Remote Scientific Data
The management of security credentials (e.g., passwords, secret keys) for
computational science workflows is a burden for scientists and information
security officers. Problems with credentials (e.g., expiration, privilege
mismatch) cause workflows to fail to fetch needed input data or store valuable
scientific results, distracting scientists from their research by requiring
them to diagnose the problems, re-run their computations, and wait longer for
their results. In this paper, we introduce SciTokens, open source software to
help scientists manage their security credentials more reliably and securely.
We describe the SciTokens system architecture, design, and implementation
addressing use cases from the Laser Interferometer Gravitational-Wave
Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey
Telescope (LSST) projects. We also present our integration with widely-used
software that supports distributed scientific computing, including HTCondor,
CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for
capability-based secure access to remote scientific data. The access tokens
convey the specific authorizations needed by the workflows, rather than
general-purpose authentication impersonation credentials, to address the risks
of scientific workflows running on distributed infrastructure including NSF
resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds
(e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the
interoperability and security of scientific workflows, SciTokens 1) enables use
of distributed computing for scientific domains that require greater data
protection and 2) enables use of more widely distributed computing resources by
reducing the risk of credential abuse on remote systems.
Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced
Research Computing, July 22--26, 2018, Pittsburgh, PA, US
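The capability model described in the abstract, as an added worked example that is not code from the SciTokens project: an issuer mints a JWT whose `scope` claim lists only the operations and paths a workflow needs, and a storage endpoint verifies signature, expiry and audience before matching the requested operation and path against those scopes. The `read:/path` / `write:/path` scope syntax, the HMAC signature (real SciTokens are signed with the issuer's private key and verified against its published public key), the issuer and audience URLs, and the LIGO-style paths are all assumptions chosen for this example, not details taken from the paper.

```python
import base64
import binascii
import hashlib
import hmac
import json
import posixpath
import time

# Constructed demo secret. A real deployment signs with the issuer's private key
# and verifies with its public key; a shared HMAC key keeps this stand-alone.
DEMO_KEY = b"demo-shared-secret-not-for-production"


class TokenError(Exception):
    """Raised when a token fails signature, expiry or audience checks."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key, issuer, audience, scopes, ttl_seconds=3600, now=None):
    """Issuer side: a JWT whose `scope` claim carries only the capabilities the
    workflow needs, e.g. ["read:/ligo/frames", "write:/ligo/results"]
    (the operation:path scope syntax is this example's assumption)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": now,
              "exp": now + ttl_seconds, "scope": " ".join(scopes)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key, token, expected_audience, now=None):
    """Resource side: check the signature first, then expiry and audience."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise TokenError("bad signature")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, binascii.Error):
        raise TokenError("malformed token")
    # We always verify as HS256; a token claiming any other alg is rejected.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    if claims.get("aud") != expected_audience:
        raise TokenError("audience mismatch")
    return claims


def _normalize(path):
    """Absolute canonical path, so "/ligo/frames/../secret" becomes "/ligo/secret"."""
    return posixpath.normpath(posixpath.join("/", path))


def authorize(claims, operation, path):
    """True iff some scope grants `operation` on `path` or one of its ancestors."""
    target = _normalize(path)
    for scope in claims.get("scope", "").split():
        op, _, prefix = scope.partition(":")
        if op != operation or not prefix:
            continue
        base = _normalize(prefix)
        # Match on a path-component boundary: /ligo/frames must not cover /ligo/framesX.
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False


def check_access(key, token, audience, operation, path, now=None):
    """Complete resource-side decision as (allowed, reason)."""
    try:
        claims = verify_token(key, token, audience, now)
    except TokenError as err:
        return False, str(err)
    if authorize(claims, operation, path):
        return True, "ok"
    return False, f"scope does not grant {operation} on {path}"


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo is reproducible
    token = mint_token(DEMO_KEY, "https://issuer.example", "https://storage.example",
                       ["read:/ligo/frames", "write:/ligo/results"], 600, NOW)
    for op, p, t in [("read", "/ligo/frames/H1/x.gwf", NOW + 10),
                     ("write", "/ligo/frames/H1/x.gwf", NOW + 10),
                     ("read", "/ligo/frames/../secret", NOW + 10),
                     ("read", "/ligo/frames/H1/x.gwf", NOW + 700)]:
        print(op, p, check_access(DEMO_KEY, token, "https://storage.example", op, p, t))
```

The point the abstract makes is visible in `check_access`: a leaked token is useless against any endpoint other than its audience, stops working at `exp`, and even while valid cannot be used to write where it only grants read, which is the privilege-mismatch failure mode an impersonation credential would not bound. Path normalization before the prefix match is the check most often forgotten in home-grown scope matchers.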
The Horcrux Protocol: A Method for Decentralized Biometric-based Self-sovereign Identity
Most user authentication methods and identity proving systems rely on a
centralized database. Such information storage presents a single point of
compromise from a security perspective. If this system is compromised it poses
a direct threat to users' digital identities. This paper proposes a
decentralized authentication method, called the Horcrux protocol, in which
there is no such single point of compromise. The protocol relies on
decentralized identifiers (DIDs) under development by the W3C Verifiable Claims
Community Group and the concept of self-sovereign identity. To accomplish this,
we propose specification and implementation of a decentralized biometric
credential storage option via blockchains using DIDs and DID documents within
the IEEE 2410-2017 Biometric Open Protocol Standard (BOPS).
CernVM Online and Cloud Gateway: a uniform interface for CernVM contextualization and deployment
In a virtualized environment, contextualization is the process of configuring
a VM instance for the needs of various deployment use cases. Contextualization
in CernVM can be done by passing a handwritten context to the user data field
of cloud APIs, when running CernVM on the cloud, or by using CernVM web
interface when running the VM locally. CernVM Online is a publicly accessible
web interface that unifies these two procedures. A user is able to define,
store and share CernVM contexts using CernVM Online and then apply them either
in a cloud by using CernVM Cloud Gateway or on a local VM with the single-step
pairing mechanism. CernVM Cloud Gateway is a distributed system that provides a
single interface to use multiple and different clouds (by location or type,
private or public). Cloud gateway has been so far integrated with OpenNebula,
CloudStack and EC2 tools interfaces. A user, with access to a number of clouds,
can run CernVM cloud agents that will communicate with these clouds using their
interfaces, and then use one single interface to deploy and scale CernVM
clusters. CernVM clusters are defined in CernVM Online and consist of a set of
CernVM instances that are contextualized and can communicate with each other.
Comment: Conference paper at the 2013 Computing in High Energy Physics (CHEP)
Conference, Amsterda