FAME - PERMIS: Flexible Access Middleware Extensions to PERMIS

Robust authentication and authorisation services are key to the development of a secure virtual organisation (VO) environment, in which scientists, researchers and students with different roles and responsibilities from different institutions can access data, applications and/or computational resources distributed across the Internet, with components administered locally and independently. Such a collaborative VO environment requires tools that can support heterogeneous authentication and authorisation mechanisms and dissimilar local security policies.

Currently, web-based access management systems are largely based on username/password pair solutions. Existing authentication middleware developed by the Grid community is largely based on digital certificates in the form of soft tokens, and does not support heterogeneous or more advanced authentication technologies. In addition, no middleware solution links authentication strength to access control decision making; such a linkage is necessary for fine-grained access control and privilege allocation in VO environments, in which different applications may have highly varied authentication requirements. Finally, there is no support for user roaming.

Aims and Objectives

The overall aim of the project is to design and develop middleware extensions that facilitate multi-factor authentication and authentication-strength-linked fine-grained access control, supporting a wide range of authentication methods including IP addresses, username and password pairs, and certificate-based soft tokens as well as hard tokens such as smart/Java cards. It will give a user the freedom to use the right authentication token to achieve a required level of authentication strength, the Level of Assurance (LoA), and will feed this LoA to the PERMIS decision engine so as to facilitate LoA-linked fine-grained user authorisation and access control.

To summarise, the project objectives are to:

  • develop middleware extensions capable of supporting the wide range of authentication methods and devices named above.
  • design and implement an algorithm for deriving the authentication strength (LoA) from a single-factor or multi-factor authentication instance that uses one or more of the supported authentication methods/devices.
  • develop APIs to serve authentication and application requests made through Shibboleth.
  • feed the LoA into PERMIS so as to enable authentication-strength-linked access control.
  • enhance our existing Grid infrastructure to support PERMIS via its SAML interface, and couple this with our existing fine-grained access control.
  • test and evaluate our FAME-PERMIS middleware solution using our Grid trial applications.
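As an added illustration of the second and fourth objectives (this is not code from the FAME-PERMIS project or the PERMIS API), the following Python model derives an LoA from the factors presented in one authentication instance and then makes an LoA-linked access decision. The numeric LoA scale, the combination rule and the per-resource minimum LoAs are assumptions chosen for illustration.

```python
from typing import Iterable

# Assumed base LoA per authentication method named in the project (1 = weakest).
BASE_LOA = {
    "ip_address": 1,   # network-location evidence only
    "password": 2,     # username/password pair: something the user knows
    "soft_cert": 3,    # certificate held as a software token
    "hard_token": 4,   # certificate on a smart/Java card
}

# Assumed factor categories: factors from different categories combine into
# multi-factor authentication; repeating a category adds no strength.
CATEGORY = {
    "ip_address": "location",
    "password": "knowledge",
    "soft_cert": "possession",
    "hard_token": "possession",
}

MAX_LOA = 5  # assumed top of the scale: hard token plus a second factor

def derive_loa(methods: Iterable[str]) -> int:
    """Assumed rule: LoA = strongest single factor + 1 per extra distinct
    category, capped at MAX_LOA. Unsupported methods are rejected rather
    than ignored, so a misspelt method cannot silently shift the LoA."""
    methods = set(methods)
    if not methods:
        return 0
    unknown = methods - set(BASE_LOA)
    if unknown:
        raise ValueError(f"unsupported authentication method(s): {sorted(unknown)}")
    strongest = max(BASE_LOA[m] for m in methods)
    categories = {CATEGORY[m] for m in methods}
    return min(MAX_LOA, strongest + len(categories) - 1)

# Assumed per-resource minimum LoA, standing in for an LoA-aware PERMIS policy.
RESOURCE_MIN_LOA = {
    "public_dataset": 1,   # IP-address evidence is enough
    "lab_notebook": 3,     # password plus another factor, or a soft cert
    "patient_records": 5,  # hard token plus a second factor
}

def access_decision(resource: str, methods: Iterable[str]) -> bool:
    """LoA-linked decision: grant only when the derived LoA meets the
    resource's minimum; unknown resources are denied by default."""
    required = RESOURCE_MIN_LOA.get(resource)
    if required is None:
        return False
    return derive_loa(methods) >= required
```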

Project Methodology

The activities involved are:

  • firstly, to develop the FAME subsystem, consisting of a Device Manager (DM), a Network Manager (NM) and an Authentication Token Manager (ATM), to facilitate multiple-strength and multi-factor authentication of an individual through a web browser, and to integrate it with Shibboleth's Handle Service;
  • secondly, to continue our existing standardisation work with the GGF, Internet2 and OASIS bodies to define the best way of incorporating the LoA into the SAML and Shibboleth protocols in a standards-conforming manner, to add the equivalent functionality to the PERMIS Java API, to facilitate local activation of the LoA functionality, and to modify the PERMIS policy and Policy GUI (being built under an existing JISC project) to take account of the LoA;
  • thirdly, to add support for PERMIS attribute certificates and the PERMIS/SAML authorisation service to GridSite, and by extension to the industry-standard Apache web server.

Implications / Deliverables / Stakeholders

Authentication is the first line of defence in any secure system, and strong authentication offers reliable identification of users, which is required for the implementation of a number of security services including access control, authorisation and accounting. The authentication-strength-linked access control solution, together with the multi-factor authentication support provided by the FAME-PERMIS project, will provide viable support for the secure implementation and operation of VOs, enhancing collaboration and resource sharing among the communities.

Project Staff

Project manager

Dr N Zhang
Department of Computer Science, University of Manchester, Oxford Road, Manchester
Tel: (0)161 275 6117
Fax: (0)161 275 6204
Email: nzhang@cs.man.ac.uk

Summary

Start date: 1 January 2005
End date: 31 December 2006
Funding programme: Core Middleware: Technology Development programme