August 2013

Introduction to Moonshot

Why Moonshot?

•Within education, there are a number of specialised federations:– UK federation - Access to web-based resources– eduroam - International wireless roaming– edugain - Access to resources worldwide

•To build a single unified federation, we need a common interface, to allow us to federate anything and everything.

Federations: Why Federate?

•Costs can be reduced and shared•Users take better care of a single, reusable credential

•Adding services is simple•Offers enhanced privacy to users•Access decisions can be delegated to the identity provider

Federations: Why Federate?

•The ATM doesn’t decide whether you get your money or not - that’s decided by your own bank

•The ATM doesn’t validate your PIN and card either - again, that’s checked by your own bank

ABFABApplication Bridging for Federated Access Beyond web

Interface: GSS

•GSS-API is used by Moonshot to interface between applications and the relying party.– GSS is not the only API supported here - SASL and SSPI work

too!

Transport

Credentials are transmitted from the end user to the RP using GSS - but how do the credentials then move credentials from the RP to the IdP?

Transport: RadSec

RadSec is a security focused evolution of RADIUS - a proven technology that you could be using right now.

Moonshot uses RadSec to transport credentials between a Relying Party and the Identity Provider.

Transport: RadSec

•eduroam has been operating using RADIUS for 10 years

•In the UK alone, there are currently 229 members

•Last month, the UK saw 200,000 unique devices, and handled almost 10,000,000 successful authentications

•54 countries worldwide

Confidentiality

One weakness that may be apparent is that credentials are sent to the RP - they could potentially alter them or worse, steal them.

Confidentiality: EAP

EAP provides a standard to encapsulate credentials, and protect them from being read by anything but the IdP - even the RP.

EAP also provides “Channel Bindings” - allowing the IdP to verify the user is connecting to the RP they think they are.

Rich Identity: SAML

SAML provides a language to describe the properties a user might have - their role, email address, or name for example.

Moonshot supports SAML, allowing the IdP to give this information to the RP.

Moonshot Architecture

13

SSH client SSH server RADIUS server

(2) SSH negotiation

(3) Authentication

(4) RADIUS

(1) Credentialing

(5) Attributes(6) SSH session

OpenSSH used as example of application; many others also apply

Scaling

•Moonshot brings together a number of technologies:– GSS - a common interface between applications and services– RadSec - Secure AAA Transport– EAP - Protection for credentials– SAML - Rich identity information

•How can these technologies be scaled for use beyond a single institution?

Scaling: The Trust Router

The trust router uses the concept of a “Web of Trust” to find a trusted path to a resource.You don’t necessarily trust the person holding the resource - but you do trust the judgement of someone that can vouch for them.

Scaling: The Trust Router

University of

Camford

Blue Book Publishing

Inc.

Internet2

Janet

Oxfordshire NHS Trust

Jisc Collections

Scaling: The Trust Router

RadSecRadSec

RadSecRadSec

TrustRouter

RadSecRadSec

RadSecRadSec

TPQTPQTPQTPQ

Temporary IdentityTemporary IdentityTemporary IdentityTemporary Identity

GSSGSSGSSGSS EAPEAPEAPEAP

EAPEAP

EAPEAP

RelyingParty

Client

TrustRouter

TrustRouter

RPProxy

IdPProxy

T.I.T.I.T.I.T.I.

Access-AcceptAccess-Accept

Access-AcceptAccess-Accept

Access-AcceptAccess-Accept

Access-AcceptAccess-Accept

SessionSessionSessionSession

Moonshot and Trust Router Architecture

Using Moonshot: UX

[This slide intentionally left blank.]

Using Moonshot: UX

Using Moonshot: Why?

•Enhanced UX and privacy– Improved SSO: users can access more resources more easily

•No credential management– Home institution is responsible for provisioning credentials

and support

•Fine-grained security policies with minimal effort•Reduced management overhead

Using Moonshot: Use Cases

•Primarily Janet is supporting research users•Strong demand from local and central government, health, education and research for a federated desktop experience–Many desktops in these institutions run Windows– Janet’s SSPI provides this functionality already, but UX could

be improved even further by tighter integration

Using Moonshot: Use Cases

“We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.”

-- Dr Peter Oliver, Group Leader

Science and Technology Facilities Council

Using Moonshot: Use Cases

“Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets ,between institutes without complicating the management of that system.”

-- Peter Maccallum, Head of IT & Scientific Computing

CRUK Cambridge Research Institute

Using Moonshot: Use Cases

“Moonshot technology will give our university a better means of cooperating for research purposes using High Performance Computing”

-- Alex Brulo, Senior Server Engineer (HPC)

Aston University

Using Moonshot: How

•Anything that understands GSS or Kerberos can already support Moonshot.

•Web based applications will be able to implement the Moonshot web plugin.

•Non web applications - integrate GSS, SASL or SSPI directly.– Doing this will mean that it will work with not just Moonshot,

but Kerberos/Active Directory, and more

Janet’s Moonshot Pilot

Moonshot Pilot Service

•To assist pilot sites in implementing Moonshot to solve real use cases.•To fully test Janet support and infrastructure operations.•To develop, test & refine documentation, training and policies.•To inform and shape the business case for a full production service.

Janet Pilot Sites

• London Research Institute

• Norfolk County Council

• Loughborough University

• Swansea University• Newcastle University• QCIF (also working

with Monash Uni) • Deutsches Elektronen-

Synchrotron • Universidade do Porto • University of Leicester • Georgia Tech • University of Leeds • University of

Nottingham • Universidade Lusofona• University of

Westminster • CANARIE Inc..• London Metropolitan

University

• Francis Crick Institute• E2BN (East of

England RBC) • University of

Edinburgh• Research Data, ISD,

UCL • Queen Mary,

University of London • Wellcome Trust

Sanger Institute • GSI Darmstadt • University of Liverpoo• l University of Kent • University of Glasgow • University of

Cambridge• University for the

Creative Arts • Cardiff University and

LIGO Scientific Collaboration

• University of Leicester

• STFC

• Brunel University

• Harper Adams University

• University of Huddersfield

• University of Southampton

• Brunel University

• Coleg Sir Gar

• University of Sussex

• University of Exeter

• University of South Australia

• Arkivum

• Microsoft

GÉANT GN3+ MOONSHOT PILOT

GN3+ Pilot

2 year project to implement an eduGAIN pilot service to:

•investigate the peering requirements between different NREN Trust Router infrastructures;•promote uptake of a standard non-web SSO solution across eduGAIN members; •implement non-web SSO for specific user-defined problems;•establish a policy framework within eduGAIN for pilot Communities of Interest

Further Information

Moonshot Community website:•https://community.ja.net/groups/moonshot

Software:•https://community.ja.net/groups/moonshot/wiki/getting-started-moonshot-using-live-dvd

Standards:•https://tools.ietf.org/wg/abfab

THANK YOUJanet, Lumen House Library Avenue, Harwell OxfordDidcot, Oxfordshiret: +44 (0) 1235 822200f: +44 (0) 1235 822399e: service@ja.net