
Page 1: Project

A Combination of Multi Factor Authentication and Single Sign-on Event to Improve Security for Ubiquitous Desktops in Virtual and Cloud Computing Environment

• M. Neela Muhil Vannan (30906104028)
• S. Santhosh (30906104042)

Guided by Ms. S. M. Poonkuzhali M.E., Lecturer,
Department of Computer Science and Engineering, Meenakshi Sundararajan Engineering College.

Page 2: Project

Contents
• Introduction
• Existing System and Objective
• Proposed System
• System Architecture and Sequence of Modules
• UML Diagrams
• System Specification
• Implementation of the Modules
• Testing Conditions
• Future Enhancements
• References

4/14/2010

Page 3: Project

Introduction

• Ubiquitous here means that all services are delivered through a single framework and can be reached from any client
• Integrating several services onto one piece of abstracted hardware is the idea behind virtualization
• Applying the same idea at the organizational level leads to the deployment of cloud computing
• Cloud computing offers services such as Software as a Service, Platform as a Service and Storage as a Service (a form of Infrastructure as a Service)
• A private cloud within an organization may provide all three of these


Page 4: Project

Existing System And Objective

Existing System
• Emphasis is on low cost and decentralization of the entire infrastructure
• Thin clients are usually encouraged in a cloud computing setup
• A private cloud requires stronger authentication than what such a setup currently provides
• Impersonation and other attacks by insiders cause major loss of data

Objective
• To provide a secure ubiquitous framework for desktop virtualization and cloud computing environments, using a single sign-on event strengthened by multi-factor authentication


Page 5: Project

Proposed System

• Use of multi-factor authentication together with a single sign-on event
• LDAP is used for profile matching and initial authentication
• A Kerberos-based authentication service provides the single sign-on and the multi-factor authentication step
• A super user / administrator grants and revokes privileges
• The security and simplicity of each transaction make this well suited to lightweight thin clients
• Caveat: an LDAP bind and a Kerberos password both verify something the user knows; a second factor in the strict sense (a token or certificate, e.g. through Kerberos PKINIT or OTP pre-authentication) would have to be added to the Kerberos step


Page 6: Project

Design and Relationship

Figure 2 Access of Multiple Services

Figure 3 Relationships between Ubiquitous Desktop and Thin Clients


Page 7: Project

Proposed System Architecture


Page 8: Project

Sequence of Modules and Implementation

• Module 1 - Virtual Systems and Virtual Networking Environment Setup for Cloud Computing using VMWare Workstation

• Module 2 - Enabling Access and profile creation for the users using LDAP

• Module 3 - Enabling Permissions and Accesses for LDAP Users with SUDO

• Module 4 - Setting up Kerberos Server and Clients for Multifactor authentication and Single Sign on Event


Page 9: Project

System Design: UML Diagrams

• The Unified Modeling Language (UML) is used to analyze and design the system
• The following slides contain the UML diagrams for the proposed system:
o Activity Diagram
o Use Case Diagram
o Sequence Diagram
o Collaboration Diagram
o Class Diagram


Page 10: Project

Activity Diagram


Page 11: Project

Use Case Diagram


Page 12: Project

Sequence Diagram 1


Page 13: Project

Sequence Diagram 2


Page 14: Project

Collaboration Diagram 1


Page 15: Project

Collaboration Diagram 2


Page 16: Project

Class Diagram


Page 17: Project

System Specification

• Hardware Requirements
o A powerful server with ample resources for the cloud computing system
o Thin clients with minimal processing capability
• Software Requirements
o OpenLDAP package
o Kerberos package
o VNC Viewer and RDP


Page 18: Project

Module 1 - Virtual Systems and Virtual Networking Environment Setup for Cloud Computing using VMWare Workstation

• Creating a cloud server, with storage as a service as the purpose
• A VMware Workstation team with an Ethernet port assigned solely to the LAN between these systems
• Setting up a package repository
• Setting up the Domain Name Server and assigning hostnames to the virtual systems
• Setting up the VNC viewer and RDP connection, and the cloud setup


Page 19: Project

Implementation – Module 1


Page 20: Project

Module 2 - Enabling Access and profile creation for the users using LDAP

• LDIF format and configuration files
• The base template: OU, UID, CN, object class, password, home directory
• Generation of the password hash with slappasswd (the slides use the crypt scheme; {CRYPT} with the traditional DES algorithm is weak, and slappasswd's default salted {SSHA} scheme, or a stronger scheme supported by the installed OpenLDAP release, is preferable)
• Add the user in the usual way with useradd
• Convert the account to LDIF with ./migrate_passwd.pl (from the MigrationTools package; it reads /etc/passwd and /etc/shadow)
• Add the entry to the LDAP database with ldapadd
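The provisioning steps above, carried through as an added example (this is not code from the original slides): build the LDIF entry for a posixAccount, hash the password with the salted {SSHA} scheme that slappasswd emits by default instead of {CRYPT}, and verify a stored hash the way slapd would. The base DN dc=example,dc=com, the user alice and the uid/gid numbers are hypothetical; openssl and base64 are assumed on PATH.

```shell
# Added example (not from the original slides): provision an LDAP posixAccount
# with a salted SHA-1 ({SSHA}) password hash, the scheme slappasswd produces by
# default, instead of {CRYPT}. Assumes base DN dc=example,dc=com (hypothetical)
# and openssl/base64 on PATH.

# ssha_hash PASSWORD SALT -> {SSHA}base64( sha1(password || salt) || salt )
# A 4-character printable salt is used so it passes through the shell intact;
# slappasswd uses random bytes, but the encoding is identical.
ssha_hash() {
  pw=$1; salt=$2
  b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary
           printf '%s' "$salt"; } | base64 | tr -d '\n')
  printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD STORED_HASH -> 0 if the password matches, 2 if the
# scheme is not {SSHA}. The salt is the part after the 20 SHA-1 digest bytes.
ssha_verify() {
  pw=$1; stored=$2
  scheme=$(printf '%s' "$stored" | cut -c1-6)
  [ "$scheme" = '{SSHA}' ] || return 2
  salt=$(printf '%s' "$stored" | cut -c7- | base64 -d | tail -c +21)
  [ "$(ssha_hash "$pw" "$salt")" = "$stored" ]
}

# user_ldif NAME UIDNUMBER GIDNUMBER HASH -> LDIF entry ready for ldapadd
user_ldif() {
  cat <<EOF
dn: uid=$1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: $1
sn: $1
uid: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
userPassword: $4
EOF
}

# Usage on the LDAP server (hypothetical names, not run here):
#   hash=$(slappasswd -s 'S3cret!')        # or: ssha_hash 'S3cret!' "$(openssl rand -hex 2)"
#   user_ldif alice 10001 10001 "$hash" > alice.ldif
#   ldapadd -x -D cn=admin,dc=example,dc=com -W -f alice.ldif
```

slappasswd -s writes the same {SSHA} string this function builds, so either can feed user_ldif; ssha_verify is the check to run against an exported entry when a login fails and you need to know whether the stored hash or the client is at fault.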


Page 21: Project

Implementation – Module 2


Page 22: Project

Module 3 - Enabling Permissions and Accesses for LDAP Users with SUDO

• Access to a file is granted or withheld by comparing the identity of the user making the request against the permissions associated with the file

• sudo lets a user run a command that is not ordinarily available by executing it as a different, privileged user, according to the rules in the sudoers file; once LDAP users and groups are resolved through the name service, group-based sudoers rules apply to them just as to local accounts
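A sudoers rule for an LDAP group, and a lint pass to run over candidate rules before installing them, as an added example (not code from the original slides). It assumes the group cloudadmins is resolved from LDAP through the name service so that %cloudadmins matches directory users; the group, command paths and file names are hypothetical.

```shell
# Added example (not from the original slides): emit a least-privilege sudoers
# line for an LDAP-backed group and lint rules for the patterns that turn sudo
# into an unrestricted root shell. Group and command names are hypothetical.

# sudoers_rule GROUP RUNAS 'COMMAND ARGS' ... -> one sudoers line
# Each command (with its arguments) is passed as a single argument.
sudoers_rule() {
  group=$1; runas=$2; shift 2
  cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
  printf '%%%s ALL=(%s) %s\n' "$group" "$runas" "$cmds"
}

# sudoers_check CONTENT -> prints one finding per risky line; returns 1 if any.
# Flags: NOPASSWD tags, the command keyword ALL, and shell wildcards in
# command paths (a "*" lets the user pick files sudo never reviewed).
sudoers_check() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*(#|$)/ { next }                       # comments, blank lines
    /^Defaults/ { next }
    /^(User|Runas|Host|Cmnd)_Alias/ { next }
    {
      spec = $0
      sub(/^[^=]*=/, "", spec)                         # keep text after "HOST="
      sub(/^\([^)]*\)[[:space:]]*/, "", spec)          # drop "(runas)"
      bad = ""
      if (spec ~ /NOPASSWD:/)                            bad = bad "NOPASSWD "
      if (spec ~ /(^|[[:space:],])ALL([[:space:],]|$)/) bad = bad "command=ALL "
      if (spec ~ /\*/)                                   bad = bad "wildcard "
      if (bad != "") { print "line " NR ": " bad "-> " $0; found = 1 }
    }
    END { exit found ? 1 : 0 }'
}

# Usage on the server (not run here): write the rule to a drop-in, validate the
# syntax with visudo, and only then install it with the permissions sudo expects.
#   sudoers_rule cloudadmins root '/usr/bin/systemctl restart slapd' > /tmp/cloudadmins
#   sudoers_check "$(cat /tmp/cloudadmins)" && visudo -cf /tmp/cloudadmins \
#     && install -m 0440 -o root -g root /tmp/cloudadmins /etc/sudoers.d/cloudadmins
```

The lint is a policy check, not a syntax check: visudo -cf still has to accept the file. A rule like %cloudadmins ALL=(ALL) NOPASSWD: ALL passes visudo but fails sudoers_check, which is the point.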


Page 23: Project

Implementation – Module 3


Page 24: Project

Module 4 - Setting up Kerberos Server and Clients for Multifactor Authentication and Single Sign-on Event

• Kerberos is a network authentication protocol
• It uses secret-key cryptography
• Firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption
• Most of the really damaging incidents of computer crime are carried out by insiders
• Kerberos authentication makes use of a trusted third party, termed a key distribution center (KDC)


Page 25: Project

Module 4 - Continued.......

• The KDC consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS)
• It works on the basis of "tickets", which serve to prove the identity of users
• Each entity on the network, whether client or server, shares a secret key known only to itself and to the KDC, which holds a database of these keys
• Knowledge of this key serves to prove an entity's identity
• The security of the protocol relies heavily on participants maintaining loosely synchronized time (the KDC rejects requests whose timestamp is off by more than the configured clock skew, 5 minutes by default in MIT Kerberos) and on short-lived assertions of authenticity called Kerberos tickets
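The two operational conditions named above, ticket lifetime and clock skew, are what Testing Case 4 exercises. As an added example (not code from the original slides), the functions below read the remaining lifetime of the ticket-granting ticket from klist output and check a client clock against the KDC's within the default 5-minute skew. The klist text is constructed for the example and uses four-digit years; MIT klist prints two-digit years by default, so adjust the parsing for a real cache. GNU date(1) is assumed for the date conversion, and the principal and realm are hypothetical.

```shell
# Added example (not from the original slides): decide whether the TGT in a
# credential cache is usable, needs renewal, or has expired, and check the
# clock-skew condition the KDC enforces. Assumes GNU date(1); the klist text
# below is constructed (4-digit years) and the realm is hypothetical.

# Constructed sample; a real run would use: KLIST_OUT=$(klist 2>/dev/null)
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/14/2010 08:30:00  04/14/2010 18:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/21/2010 08:30:00'

MAX_SKEW=300   # MIT krb5 default clockskew, in seconds

# tgt_expiry_epoch KLIST_OUTPUT -> epoch seconds of the TGT "Expires" column;
# returns 2 when the cache holds no krbtgt ticket
tgt_expiry_epoch() {
  exp=$(printf '%s\n' "$1" | awk '/krbtgt\// { print $3 " " $4; exit }')
  [ -n "$exp" ] || return 2
  date -d "$exp" +%s
}

# tgt_state KLIST_OUTPUT NOW_EPOCH [RENEW_BEFORE_SECS] -> ok | renew | expired | none
# Exit status is non-zero for "expired" and "none" so callers can chain "|| kinit".
tgt_state() {
  exp_epoch=$(tgt_expiry_epoch "$1") || { echo none; return 1; }
  left=$(( exp_epoch - $2 ))
  if [ "$left" -le 0 ]; then
    echo expired; return 1
  elif [ "$left" -le "${3:-600}" ]; then
    echo renew                       # still valid: "kinit -R" will extend it
  else
    echo ok
  fi
}

# skew_ok LOCAL_EPOCH KDC_EPOCH -> 0 when |local - kdc| <= MAX_SKEW
# (beyond that, kinit fails with "Clock skew too great")
skew_ok() {
  d=$(( $1 - $2 ))
  if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
  [ "$d" -le "$MAX_SKEW" ]
}

# Usage on a thin client (not run here):
#   tgt_state "$(klist 2>/dev/null)" "$(date +%s)" || kinit alice@EXAMPLE.COM
#   skew_ok "$(date +%s)" "$(date -d "$(ntpdate -q kdc.example.com | awk '/^server/{print $2" "$3}')" +%s)"
```

The renew threshold defaults to 10 minutes; raise it for a batch job that must outlive the check. The skew test is deliberately symmetric, since a client clock that runs ahead of the KDC is rejected just like one that runs behind.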


Page 26: Project

Implementation – Module 4


Page 27: Project

Working of the project


Page 28: Project

Testing Conditions
• Unit Testing - Testing Script
• Network Connectivity and DNS Testing
• Wrong Username or Password Testing
• Sudo Permissions Testing
• Ticket Expiry and Time Skew


Page 29: Project

Testing – Case 1 – Network Connectivity and DNS Testing


Page 30: Project

Testing – Case 2 – Wrong Username or Password Testing


Page 31: Project

Testing – Case 3 – Sudo Permissions Testing


Page 32: Project

Testing – Case 4 – Ticket Expiry and Time Skew Testing


Page 33: Project

Testing – Case 4 – Ticket Expiry and Time Skew Testing


Page 34: Project

Conclusion

• Combining multi-factor authentication with a single sign-on event increases security

• The desktop is reachable from any client that can resolve the server's fully qualified domain name (FQDN), which is what makes the environment ubiquitous


Page 35: Project

Future Enhancements and Possibilities

• The setup need not be limited to a single type of operating system, as the experimental setup used throughout this project was

• The approach could also be ported to hybrid clouds that span a large region and have a high level of dedicated resources for the cloud server

• A graphical front end for sudo could also be used; beyond that, there is considerable scope for further improvement of this project


Page 36: Project

References
• Amazon Web Services; http://www.amazon.com/gp/browse.html?node=201590011
• C. Border (2007), "The development and deployment of a multi-user, remote access virtualization system for networking, security, and system administration classes," Proceedings of the 38th SIGCSE Technical Symposium on Computer Science Education, Covington, Kentucky, USA: ACM, pp. 576-580.
• "IBM Press room - 2007-11-15 IBM Introduces Ready-to-Use Cloud Computing - United States"; http://www-03.ibm.com/press/us/en/pressrelease/22613.wss
• "Kerberos: The Network Authentication Protocol"; http://web.mit.edu/kerberos
• "OpenLDAP 2.2 Administrator's Guide"; http://www.openldap.org/doc/admin22/
• Paul Doyle, Mark Deegan, Ciaran O'Driscoll, Michael Gleeson and Brian Gillespie (2008), "Ubiquitous Desktops with Multi-factor Authentication," Third International Conference on Digital Information Management (ICDIM 2008), IEEE.
• Roderick W. Smith (2005), Linux in a Windows World, O'Reilly, First Edition.


Page 37: Project

Thank You
