Assignment: Answer the questions as specified. Turn in your answers to me on paper or by e-mail on the due date.
You may need to read about GT Security (GSI) at http://www.globus.org/toolkit/security/, "Globus Toolkit 4.0 Security" at http://www-unix.globus.org/toolkit/docs/4.0/security/ and "A Community Authorization Service for Group Collaboration" at http://www.globus.org/alliance/publications/papers/CAS_2002_Revised.pdf to complete your answers.
Compare and contrast Shibboleth, GSI, and Kerberos. First, create a table that lists the steps of each protocol as we discussed in class. As much as possible, try to align the steps in each protocol with their counterparts. This will not be possible for every step. For example, the table may begin with:
Step | Shibboleth | GSI | Kerberos
--- | --- | --- | ---
0. | Assumes that Identity Provider components HS and AA and Service Provider components ACS and AR have certificates from a trusted CA. | Assumes that every user and every service has a certificate from a trusted CA. | Assumes that each pair of {user, Authentication Server}, {Authentication Server, TGS}, and {TGS, Service Server} share a secret key.
1. | User logs in to local authentication system. | User logs in to local authentication system. | User logs in to local authentication system.
2. | | User creates a proxy certificate. | 
3. | User contacts the target Service Provider directly. | | 
4. | The user is redirected to the WAYF, and then to the Identity Provider, and is authenticated. | User contacts the CAS and is authenticated. | User contacts the Authentication Server and is authenticated.
5. | User receives a unique handle for this session. The handle consists of ... | User receives a community proxy. The proxy consists of ... | User receives a Ticket Granting Ticket (TGT). The TGT consists of ...
etc. | ... | ... | ...
I suggest that you use the HTML in the source of this document for formatting your table, although you are free to come up with a better way of formatting the table.
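To make the Kerberos column concrete, here is an added example (not part of the assignment or of any Kerberos implementation) that models steps 0, 4 and 5 of the table and the exchanges that follow them: the pairwise shared keys, the Authentication Server exchange that yields a TGT and a session key, the TGS exchange that turns the TGT into a service ticket, and the service's check of the ticket. Principal names, key values, the 8-hour lifetime and the HMAC-based toy cipher are all constructed for the example; a real KDC uses a standard encryption type and a salted string-to-key function.

```python
import hashlib
import hmac
import json
import os
import time

# --- Toy authenticated encryption (constructed for this example). -------------
# It only gives the example a self-contained "encrypt under a shared key":
# an HMAC-SHA256 keystream XORed with the plaintext, then a MAC over the result.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable message under a shared key."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or a tampered message."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def key_from_password(password):
    """Toy string-to-key (real Kerberos salts and iterates this)."""
    return hashlib.sha256(password).digest()

# --- Step 0: the pairwise shared secrets the table assumes (constructed). ------
USER_KEY = key_from_password(b"alice's password")   # shared by user and AS
TGS_KEY = os.urandom(32)                             # shared by AS and TGS
SERVICE_KEY = os.urandom(32)                         # shared by TGS and the service
LIFETIME = 8 * 3600                                  # seconds a ticket stays valid

def make_authenticator(user, key):
    """Fresh proof that the sender holds `key`, bound to a name and a timestamp."""
    return seal(key, {"user": user, "ts": time.time()})

# --- Steps 4 and 5: AS exchange -> TGT plus session key -------------------------
def as_exchange(user, user_key):
    """The AS 'authenticates' the user by encrypting its reply under the user's
    key: only someone who knows that key can recover the session key inside."""
    session_key = os.urandom(32)
    expiry = time.time() + LIFETIME
    tgt = seal(TGS_KEY, {"user": user, "skey": session_key.hex(), "exp": expiry})
    enc_part = seal(user_key, {"skey": session_key.hex(), "exp": expiry})
    return tgt, enc_part   # the TGT is opaque to the user; enc_part is not

# --- Later step: the TGS turns the TGT into a service ticket ---------------------
def tgs_exchange(tgt, authenticator, service):
    t = unseal(TGS_KEY, tgt)                    # only the TGS can open the TGT
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    session_key = bytes.fromhex(t["skey"])
    a = unseal(session_key, authenticator)      # proves the client holds the session key
    if a["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    svc_key = os.urandom(32)
    ticket = seal(SERVICE_KEY, {"user": t["user"], "service": service,
                                "skey": svc_key.hex(), "exp": t["exp"]})
    enc_part = seal(session_key, {"service": service, "skey": svc_key.hex()})
    return ticket, enc_part

def client_get_service_ticket(user, user_key, service):
    """Client side of both exchanges; returns (ticket, service session key)."""
    tgt, enc_part = as_exchange(user, user_key)
    session_key = bytes.fromhex(unseal(user_key, enc_part)["skey"])
    ticket, enc_part2 = tgs_exchange(tgt, make_authenticator(user, session_key), service)
    svc_key = bytes.fromhex(unseal(session_key, enc_part2)["skey"])
    return ticket, svc_key

def service_accept(ticket, authenticator):
    """The service never talks to the AS or TGS: the ticket alone, opened with
    SERVICE_KEY, tells it who the client is and which session key to expect."""
    t = unseal(SERVICE_KEY, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

if __name__ == "__main__":
    ticket, svc_key = client_get_service_ticket("alice", USER_KEY, "gsiftp")
    print("service accepted:", service_accept(ticket, make_authenticator("alice", svc_key)))
```

Note where the trust sits compared with the other two columns: nothing here is signed, every check is "can this party open the message with the key only it should hold", which is why step 0 for Kerberos is a key-sharing assumption rather than a CA assumption.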
After you have completed your table, write three (moderate length) paragraphs, one for each of the three protocols, and comment with respect to the following points:
Generate a certificate request and check that the key, request and (placeholder) certificate files were created:

% grid-cert-request
$ ls /home/yourusername/.globus/usercert.pem /home/yourusername/.globus/usercert_request.pem /home/yourusername/.globus/userkey.pem

Mail the request to the CA:

mail farrell@cs.kent.edu < usercert_request.pem

Since you cannot access your mail on cohn, you need to use webmail or your usual mail client on neptune or poseidon to receive the reply, save it to a file, and sftp or otherwise transfer it to /home/yourusername/.globus/ and rename it as usercert.pem, thus replacing the old usercert.pem file.

Create a proxy certificate and verify it:

% grid-proxy-init -debug -verify

Test the proxy with a GridFTP copy and compare the copy with the original:

globus-url-copy gsiftp://cohn.cs.kent.edu/etc/group file:///tmp/yourusername.copy
diff /tmp/yourusername.copy /etc/group

Set up the environment and run the counter client against the web service:

export JAVA_HOME=/opt/IBMJava2-142/
export ANT_HOME=/usr/local/apache-ant-1.6.5/
export PATH=$ANT_HOME/bin:$JAVA_HOME/bin:$PATH
counter-client -s https://cohn.cs.kent.edu:8443/wsrf/services/CounterService

Print the results to turn in or e-mail them along with question 1 above.
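Most failures of grid-proxy-init in the procedure above come from the .globus directory rather than from the certificate itself: the CA's reply was not saved as a complete PEM block, usercert.pem is still the empty file left until the reply is installed, or userkey.pem is readable by other users, which GSI refuses. The following checker is an added example (hypothetical, not a Globus Toolkit tool) that runs those checks before you call grid-proxy-init; the directory layouts it builds in run_demo() are constructed test data.

```python
import os
import stat
import tempfile

def check_globus_dir(globus_dir):
    """Return a list of problems found in a .globus directory; empty means it looks right."""
    problems = []
    cert = os.path.join(globus_dir, "usercert.pem")
    key = os.path.join(globus_dir, "userkey.pem")
    if not os.path.isfile(key):
        problems.append("userkey.pem is missing: run grid-cert-request first")
    else:
        mode = stat.S_IMODE(os.stat(key).st_mode)
        # GSI refuses a private key that group or others can read.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"userkey.pem has mode {mode:04o}; it must be 0600 or 0400")
    if not os.path.isfile(cert):
        problems.append("usercert.pem is missing")
    else:
        with open(cert, "rb") as f:
            body = f.read()
        if not body.strip():
            problems.append("usercert.pem is empty: the signed certificate from the CA "
                            "has not been installed yet")
        elif b"-----BEGIN CERTIFICATE-----" not in body:
            problems.append("usercert.pem holds no PEM certificate block; save the CA's "
                            "reply so that the BEGIN/END CERTIFICATE lines are included")
    return problems

def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)

def run_demo():
    """Build two constructed .globus layouts in a temp dir and check both."""
    base = tempfile.mkdtemp()
    results = {}
    # 'before': a group-readable key and the empty usercert.pem placeholder
    before = os.path.join(base, "before")
    os.makedirs(before)
    _write(os.path.join(before, "userkey.pem"),
           "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
           0o640)
    _write(os.path.join(before, "usercert.pem"), "", 0o644)
    results["before"] = check_globus_dir(before)
    # 'after': key locked down and the CA's reply installed as usercert.pem
    after = os.path.join(base, "after")
    os.makedirs(after)
    _write(os.path.join(after, "userkey.pem"),
           "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
           0o600)
    _write(os.path.join(after, "usercert.pem"),
           "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n",
           0o644)
    results["after"] = check_globus_dir(after)
    return results

if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "ok")
```

Run it against your real directory with check_globus_dir(os.path.expanduser("~/.globus")); an empty list is the state in which grid-proxy-init -debug -verify should succeed.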