Robust authentication and authorisation services are crucial to building a secure environment for the UK academic community, enabling students, researchers and staff from different institutions, with different roles and responsibilities, to access data or computational resources that are distributed over the Internet but administered independently and locally.
The current UK academic community access management system, Athens, is a simple username/password solution. The existing Grid security technologies, on the other hand, support only highly secure digital certificates for identification. More advanced authentication methods, such as smart cards or Java cards, are not supported, nor are access control decisions made according to the strength of the authentication method used.
Authentication and Authorisation Issues
FAME-PERMIS-GridSite is a 2-year collaborative project jointly undertaken by the Schools of Computer Science and Physics (University of Manchester) and the Information Systems Security Research Group (University of Kent). The aim of the project is to address the issues of multi-faceted authentication and to take the Level of Assurance (LoA) achieved in an authentication process into account when making access control decisions. In this way, users authenticated by stronger means (e.g. smart cards or biometrics), and thus achieving a higher LoA, will receive more privileges and will be allowed to access security-sensitive resources. Users authenticated by methods achieving a lower LoA (such as username and password based authentication) will receive a restricted set of services. However, a user who normally authenticates with a smart card from the lab or usual working environment will not be completely restricted or cut off from resources when at home or in an Internet cafe. In these circumstances, the user will be allowed to choose a different authentication method (e.g. username and password) but will receive a limited set of services because of the lower LoA.
Level of (Authentication) Assurance
The Level of Assurance (LoA) has been specified in the NIST Electronic Authentication Guideline.
It classifies LoAs into four levels, with Level 1 the lowest and Level 4 the highest. Authentication methods have been classified according to the likely consequence of an authentication error and the cryptographic strength of the authentication token (authenticator) and authentication method used. The FAME-PERMIS-GridSite project has defined the LoA attribute passed between the entities involved in the authentication and authorisation processes using the following LDAP schema.
FAME, PERMIS and GridSite
The FAME part of the project is developing an extension to be used by Identity Providers (IdPs) in the Shibboleth infrastructure to authenticate users and, based on the method used, assign the user a current LoA value. PERMIS (Privilege and Role Management Infrastructure Standards Validation) and GridSite both provide decision engines on the Service Providers' (SPs') side for user authorisation, but currently have no linkage between the authorisation decision and the strength of the authentication method actually used. The FAME and PERMIS/GridSite parts of the designed solution are to be linked by Shibboleth, an open source VO (Virtual Organisation) technology for the secure transfer of a user's attributes from the user's home site to remote resource sites as part of inter-institutional sharing of Web resources. Shibboleth will carry the LoA as one of the user's attributes and pass it to the access control engines (along with the user's other attributes) so that they can determine whether the user is allowed to access the requested resource.
- Develop a solution capable of supporting a wide range of authentication methods and devices - passwords, certificates, IP addresses, smart- and Java-cards, etc., and allow a user to authenticate himself through a Web browser using one of these methods.
- Design an algorithm for deriving the authentication strength LoA (Level of Assurance) of the above authentication methods.
- Develop APIs to serve authentication requests made through Shibboleth.
- Feed the LoA into PERMIS and GridSite to link access control with authentication strength.
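As an added example (not the project's own code, algorithm or schema), the following Python models the behaviour described above and in the objectives: a session LoA derived from the authentication methods used, carried as one attribute alongside the user's roles, and a policy under which a smart-card session gets full access while a password session from outside the lab keeps a restricted set of services. The method-to-LoA mapping, the `Rule` policy, the resource name and the role names are assumptions made for illustration.

```python
"""LoA-aware access control (added example, not the project's own code)."""
from dataclasses import dataclass

# Assumed LoA per authentication method (1 = lowest, 4 = highest); an
# illustrative mapping, not the project's own derivation algorithm.
METHOD_LOA = {"ip_address": 1, "password": 2, "java_card": 3,
              "x509_certificate": 3, "smart_card": 4}

def derive_loa(methods_used):
    """Session LoA = highest LoA among the methods actually used (assumption).

    Unknown methods count as 0, so a session using none of the recognised
    methods gets LoA 0 and satisfies no rule below.
    """
    return max((METHOD_LOA.get(m, 0) for m in methods_used), default=0)

@dataclass(frozen=True)
class Rule:
    resource: str
    role: str          # role attribute the user must hold
    min_loa: int       # minimum session LoA for these actions
    actions: frozenset

# Assumed policy: weaker authentication still yields a restricted set of
# services rather than locking the user out entirely.
POLICY = (
    Rule("experiment-data", "researcher", 1, frozenset({"list"})),
    Rule("experiment-data", "researcher", 2, frozenset({"list", "read"})),
    Rule("experiment-data", "researcher", 4, frozenset({"write", "delete"})),
)

def permitted_actions(attrs, resource):
    """Union of actions from every rule the user's role and LoA satisfy.

    `attrs` stands in for the attribute set the IdP releases, with "loa"
    carried alongside the other attributes as the page describes.
    """
    allowed = set()
    for rule in POLICY:
        if (rule.resource == resource and rule.role in attrs.get("roles", ())
                and attrs.get("loa", 0) >= rule.min_loa):
            allowed |= rule.actions
    return frozenset(allowed)

def session_decision(roles, methods_used, resource):
    """Derive the LoA, attach it to the attributes, and evaluate the policy."""
    attrs = {"roles": tuple(roles), "loa": derive_loa(methods_used)}
    return attrs["loa"], permitted_actions(attrs, resource)
```

Calling `session_decision(["researcher"], ["smart_card"], "experiment-data")` and then the same with `["password"]` shows the same user receiving the full and the restricted action set respectively.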