Page 1: Project

A Combination of Multi Factor Authentication and Single Sign-on Event to Improve Security for Ubiquitous Desktops in Virtual and Cloud Computing Environment

• M. Neela Muhil Vannan (30906104028)
• S. Santhosh (30906104042)

Guided by Ms. S. M. Poonkuzhali, M.E., Lecturer,
Department of Computer Science and Engineering, Meenakshi Sundararajan Engineering College.

Page 2: Project

Contents
• Introduction
• Existing System and Objective
• Proposed System
• System Architecture and Sequence of Modules
• UML Diagrams
• System Specification
• Implementation of the Modules
• Testing Conditions
• Future Enhancements
• References

4/14/2010

Page 3: Project

Introduction

• Ubiquitous here means that all services are delivered under a single framework and can be reached from any client
• Virtualization abstracts the physical hardware so that several systems and services run together on a single piece of hardware
• Extending virtualization to organisation-wide use, with services delivered over the network on demand, is the application and deployment of cloud computing
• Cloud computing offers services such as Software as a Service, Platform as a Service and Storage as a Service
• A private cloud within an organisation may provide all three of the above.


Page 4: Project

Existing System And Objective

• The emphasis is on low cost and decentralisation of the entire infrastructure
• Thin clients are usually encouraged in a cloud computing setup
• A private cloud requires a stronger level of authentication than the existing setup provides
• Impersonation and other attacks by insiders cause major loss of data
• Objective: to provide a secure ubiquitous framework for desktop virtualization and cloud computing environments, using a single sign-on event strengthened by multi-factor authentication.


Page 5: Project

Proposed System

• Multi-factor authentication combined with a single sign-on event
• LDAP is used for profile matching and for the initial authentication
• A Kerberos authentication service provides the single sign-on: after the one initial login the client holds a ticket-granting ticket and reaches every service without re-entering a password
• A super user / administrator grants and revokes privileges
• The security and simplicity of each transaction make this the most suitable scheme for lightweight thin clients


Page 6: Project

Design and Relationship

Figure 3 Relationships between Ubiquitous Desktop and Thin Clients

Figure 2 Access of Multiple Services


Page 7: Project

Proposed System Architecture


Page 8: Project

Sequence of Modules and Implementation

• Module 1 - Virtual Systems and Virtual Networking Environment Setup for Cloud Computing using VMware Workstation

• Module 2 - Enabling Access and profile creation for the users using LDAP

• Module 3 - Enabling Permissions and Accesses for LDAP Users with SUDO

• Module 4 - Setting up Kerberos Server and Clients for Multifactor authentication and Single Sign on Event


Page 9: Project

System DesignUML Diagrams

• The Unified Modeling Language (UML) is a notation that can be used to analyze and design systems.
• The following slides contain the UML diagrams required for the design of the proposed system:
o Activity Diagram
o Use Case Diagram
o Sequence Diagram
o Collaboration Diagram
o Class Diagram


Page 10: Project

Activity Diagram


Page 11: Project

Use Case Diagram


Page 12: Project

Sequence Diagram 1


Page 13: Project

Sequence Diagram 2


Page 14: Project

Collaboration Diagram 1


Page 15: Project

Collaboration Diagram 2


Page 16: Project

Class Diagram


Page 17: Project

System Specification

• Hardware Requirements
o A powerful server with high resources for the cloud computing system
o Thin clients with minimal processing capabilities
• Software Requirements
o OpenLDAP package
o Kerberos package
o VNC Viewer and RDP


Page 18: Project

Module 1 - Virtual Systems and Virtual Networking Environment Setup for Cloud Computing using VMware Workstation

• Creating a cloud server, with storage as a service as its purpose
• A VMware Workstation team of virtual machines, with an Ethernet port assigned solely to the LAN between these systems
• Setting up a package repository
• Setting up the Domain Name Server and assigning hostnames to the virtual systems (Kerberos host principals and the thin clients depend on consistent forward and reverse name resolution)
• Setting up the VNC viewer and RDP connection and the cloud setup


Page 19: Project

Implementation – Module 1


Page 20: Project

Module 2 - Enabling Access and profile creation for the users using LDAP

• LDIF format and configuration files
• The base template: OU, UID, CN, object class, password, home directory
• Generation of a hashed password with slappasswd: the default {SSHA} scheme (salted SHA-1) or the older {CRYPT} scheme, which with the default salt format is DES-based and typically truncates the password to 8 characters
• Add the user in the usual way with useradd
• Convert the account to LDIF format with ./migrate_passwd.pl (from the MigrationTools scripts)
• Add it to the LDAP database with ldapadd
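The steps above carried out offline, as an added example (this is not the project's code): it renders the base template as an LDIF entry whose userPassword is in the {SSHA} scheme that slappasswd writes by default, and then checks a login attempt against that entry the way slapd does on a simple bind. The suffix dc=example,dc=com, the user jdoe and the UID/GID numbers are assumptions.

```python
"""Added example (not the project's code): build the LDIF entry Module 2
describes for a posixAccount user, with the userPassword hashed in the {SSHA}
scheme that slappasswd produces by default, then verify a login attempt against
it offline. The DN suffix, user names and UID/GID numbers are assumptions."""
import base64
import hashlib
import secrets
from typing import Optional

BASE_DN = "dc=example,dc=com"   # assumed suffix; the project's real suffix is not on the slides


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).

    This is the format `slappasswd -h {SSHA}` (the default) writes, so the
    result can go straight into a userPassword attribute. Unlike traditional
    {CRYPT}, the password is not truncated to 8 characters and every hash is
    salted, so identical passwords do not produce identical hashes."""
    if salt is None:
        salt = secrets.token_bytes(4)   # slappasswd uses a 4-byte random salt as well
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    slapd does the same on a simple bind: split the decoded blob into the
    20-byte SHA-1 digest and the trailing salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def user_ldif(uid: str, cn: str, sn: str, uid_number: int, gid_number: int,
              password: str, salt: Optional[bytes] = None) -> str:
    """Render the slide's base template (OU, uid, cn, object classes, hashed
    password, home directory) as one LDIF entry suitable for `ldapadd -f`."""
    attrs = [
        ("dn", f"uid={uid},ou=People,{BASE_DN}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", "/bin/bash"),
        ("userPassword", ssha_hash(password, salt)),
    ]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"


def ldif_attribute(ldif: str, name: str) -> str:
    """Read one single-valued attribute back out of an LDIF entry."""
    for line in ldif.splitlines():
        if line.startswith(name + ": "):
            return line[len(name) + 2:]
    raise KeyError(name)


def bind_would_succeed(ldif: str, password: str) -> bool:
    """Simulate the simple-bind password check slapd performs for this entry."""
    return ssha_verify(password, ldif_attribute(ldif, "userPassword"))


if __name__ == "__main__":
    # Constructed sample user. On a real directory the entry would be loaded with
    # ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f user.ldif
    entry = user_ldif("jdoe", "John Doe", "Doe", 10001, 10001, "correct horse")
    print(entry)
    print("right password:", bind_would_succeed(entry, "correct horse"))
    print("wrong password:", bind_would_succeed(entry, "wrong"))
```

The simple bind still sends the password itself to slapd, so the thin clients should bind over TLS (ldaps:// or STARTTLS); the hash only protects the directory contents, not the wire. Newer OpenLDAP releases also ship the pw-sha2 contrib module, which adds {SSHA256} and {SSHA512} as drop-in replacements for {SSHA} in the same workflow.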


Page 21: Project

Implementation – Module 2


Page 22: Project

Module 3 - Enabling Permissions and Accesses for LDAP Users with SUDO

• Access to a file is granted or withheld by comparing the identity of the requesting user against the permissions associated with the file
• sudo lets a user run a command that is not ordinarily available to them by acting as a different, privileged user (usually root), according to the rules in /etc/sudoers, so that privileges can be granted per command instead of by sharing the root password
• Because the LDAP users resolve through the system's name service switch (for example via nss_ldap), they can be named in sudoers in the same way as local accounts; the administrator of the proposed system grants and revokes these entries
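A sudoers fragment for the LDAP users of this module, added here as an illustration (it is not the project's own sudoers file): the weak rule that is often pasted in during testing is shown commented out beside a least-privilege version. The group names cloudusers and cloudadmin, the hosts thin1, thin2 and cloudserver, and the command paths are assumptions.

```sudoers
# Added example, not the project's /etc/sudoers. Always edit with `visudo`,
# which checks the syntax before saving; a broken sudoers file locks everyone
# out of sudo. `visudo -c` checks an existing file, `sudo -l -U jdoe` shows
# what a given LDAP user may run (Testing case 3).

Defaults        timestamp_timeout=5, logfile=/var/log/sudo.log
Cmnd_Alias      VNC  = /usr/bin/vncserver, /usr/bin/vncserver -kill *
Cmnd_Alias      IDM  = /usr/sbin/useradd, /usr/sbin/kadmin.local, /usr/sbin/slapcat
Host_Alias      THIN = thin1, thin2

# Weak: every member of the LDAP group may run anything as root without a
# password. This hands out the root password in all but name and makes the
# second authentication factor irrelevant once a session is open.
# %cloudusers   ALL = (ALL) NOPASSWD: ALL

# Corrected: name the commands, keep the password prompt, and limit the rule
# to the thin-client hosts. The LDAP group resolves through the name service
# exactly like a local group, so the %group syntax is unchanged.
%cloudusers     THIN = (root) VNC
%cloudadmin     cloudserver = (root) IDM
```

The Cmnd_Alias paths must be absolute, and a wildcard in the argument list (as in `vncserver -kill *`) matches any arguments, so keep such patterns to commands that cannot be turned into a shell.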


Page 23: Project

Implementation – Module 3


Page 24: Project

Module 4 - Setting up Kerberos Server and Clients for Multifactor authentication and Single Sign on Event

• Kerberos is a network authentication protocol
• It uses secret-key cryptography
• Firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption
• Most of the really damaging incidents of computer crime are carried out by insiders
• Kerberos authentication makes use of a trusted third party, termed a key distribution center (KDC)


Page 25: Project

Module 4 - Continued.......

• The KDC consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS)
• It works on the basis of "tickets", which serve to prove the identity of users to services
• Each entity on the network, whether a client or a server, shares a secret key known only to itself and to the KDC, which holds a database of these keys
• Knowledge of this key serves to prove an entity's identity; for a user the key is derived from the password, so Kerberos on its own proves a single factor, and a second factor has to be added through Kerberos pre-authentication (for example PKINIT with a client certificate) rather than by a second password
• The security of the protocol relies heavily on participants maintaining loosely synchronized time (by default within five minutes of each other) and on short-lived assertions of authenticity called Kerberos tickets


Page 26: Project

Implementation – Module 4


Page 27: Project

Working of the project


Page 28: Project

Testing Conditions
• Unit Testing - Testing Script
• Network Connectivity and DNS Testing
• Wrong Username or Password Testing
• Sudo Permissions Testing
• Ticket Expiry and Time Skew
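The AS, TGS and AP exchanges described under Module 4, modelled end to end as an added example (this is not the project's code) so that the wrong-password test (case 2) and the ticket-expiry and time-skew test (case 4) from the list above can be exercised offline. Real Kerberos encrypts ASN.1-encoded tickets with AES; the toy "seal" here is an HMAC-authenticated keystream that only serves to show which key can open which message. The realm EXAMPLE.COM, the principals jdoe, host/desktop1 and vnc/desktop1, the passwords, the 10-hour lifetime and the clock values are all constructed for the example; the 300-second skew limit is the krb5 default.

```python
"""Added example (not the project's code): a toy model of the Kerberos AS/TGS/AP
exchanges described in Module 4, run end to end so that the testing cases for a
wrong password (case 2) and ticket expiry / time skew (case 4) can be exercised
offline. Real Kerberos uses AES-encrypted ASN.1 tickets; here "encryption" is an
HMAC-SHA256 authenticated keystream, enough to show which key opens which
message. Realm, principals, passwords and clock values are all constructed."""
import hashlib, hmac, json, secrets

REALM = "EXAMPLE.COM"     # assumed realm
CLOCKSKEW = 300           # krb5 default maximum clock skew: 5 minutes
LIFETIME = 10 * 3600      # assumed ticket lifetime: 10 hours

def string_to_key(principal: str, password: str) -> bytes:
    """Long-term key shared by a principal and the KDC (krb5 AES keys are likewise
    PBKDF2 over the password, salted with realm + principal, 4096 iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); fails closed when the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("Decrypt integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_ticket(ticket: dict, auth: dict, now: int) -> None:
    """Checks every ticket consumer (the TGS or an application server) applies."""
    if now > ticket["end"]:
        raise PermissionError("Ticket expired")
    if abs(auth["ctime"] - now) > CLOCKSKEW:
        raise PermissionError("Clock skew too great")

class KDC:
    """Authentication Server and Ticket Granting Server over one key database."""
    def __init__(self, clock: int):
        self.clock, self.keys = clock, {"krbtgt": secrets.token_bytes(32)}   # krbtgt = TGS key
    def _issue(self, client, service, ticket_key, reply_key, end):
        sk = secrets.token_bytes(32)                                         # fresh session key
        return (seal(ticket_key, {"client": client, "key": sk.hex(), "end": end}),
                seal(reply_key, {"sname": service, "key": sk.hex(), "end": end}))
    def as_exchange(self, client: str, preauth: bytes):
        """AS_REQ with PA-ENC-TIMESTAMP -> AS_REP: TGT plus a session key under the client key."""
        try:
            pa = unseal(self.keys[client], preauth)
        except PermissionError:
            raise PermissionError("Preauthentication failed") from None
        if abs(pa["ctime"] - self.clock) > CLOCKSKEW:
            raise PermissionError("Clock skew too great")
        return self._issue(client, "krbtgt", self.keys["krbtgt"], self.keys[client], self.clock + LIFETIME)
    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str):
        """TGS_REQ (TGT + authenticator) -> TGS_REP: a service ticket under the service key."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_ticket(t, unseal(bytes.fromhex(t["key"]), auth), self.clock)
        return self._issue(t["client"], service, self.keys[service], bytes.fromhex(t["key"]), t["end"])

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key, self.cache = name, string_to_key(name, password), {}
    def kinit(self, kdc: KDC, now: int) -> None:
        """The single sign-on event: the only step that uses the password."""
        ticket, reply = kdc.as_exchange(self.name, seal(self.key, {"ctime": now}))
        r = unseal(self.key, reply)
        self.cache[r["sname"]] = (ticket, bytes.fromhex(r["key"]))
    def ap_req(self, kdc: KDC, service: str, now: int):
        """Obtain a service ticket with the TGT (no password) and build the AP_REQ."""
        if service not in self.cache:
            tgt, sk = self.cache["krbtgt"]
            ticket, reply = kdc.tgs_exchange(tgt, seal(sk, {"client": self.name, "ctime": now}), service)
            self.cache[service] = (ticket, bytes.fromhex(unseal(sk, reply)["key"]))
        ticket, sk = self.cache[service]
        return ticket, seal(sk, {"client": self.name, "ctime": now})

def server_accept(service_key: bytes, ticket: bytes, auth: bytes, now: int) -> str:
    """Application server side of AP_REQ; returns the authenticated client name."""
    t = unseal(service_key, ticket)
    check_ticket(t, unseal(bytes.fromhex(t["key"]), auth), now)
    return t["client"]

def attempt(fn):
    try: return fn()
    except PermissionError as e: return str(e)

def run_cases(t0: int = 1_271_200_000) -> dict:
    """Login, SSO to a second service, wrong password, clock skew and ticket expiry."""
    kdc = KDC(t0)
    for name, pw in (("jdoe", "correct horse"), ("host/desktop1", "svc-key-1"), ("vnc/desktop1", "svc-key-2")):
        kdc.keys[name] = string_to_key(name, pw)
    c, out, late = Client("jdoe", "correct horse"), {}, t0 + LIFETIME + 60
    c.kinit(kdc, t0)
    out["login"] = attempt(lambda: server_accept(kdc.keys["host/desktop1"], *c.ap_req(kdc, "host/desktop1", t0 + 60), t0 + 60))
    out["sso"] = attempt(lambda: server_accept(kdc.keys["vnc/desktop1"], *c.ap_req(kdc, "vnc/desktop1", t0 + 120), t0 + 125))
    out["wrong_password"] = attempt(lambda: Client("jdoe", "wrong").kinit(kdc, t0))
    out["clock_skew"] = attempt(lambda: Client("jdoe", "correct horse").kinit(kdc, t0 + 3600))
    out["expired"] = attempt(lambda: server_accept(kdc.keys["host/desktop1"], *c.ap_req(kdc, "host/desktop1", late), late))
    return out
```

The three failure strings are the ones a real kinit or service prints ("Preauthentication failed", "Clock skew too great", "Ticket expired"), which is what the testing slides for cases 2 and 4 look for. The second service in the "sso" case is reached with the cached TGT alone, which is the single sign-on the project relies on. On a real deployment the skew case is normally a thin client without NTP; the limit is the clockskew setting in the [libdefaults] section of krb5.conf, and klist shows the expiry time of each cached ticket.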


Page 29: Project

Testing – Case 1 – Network Connectivity and DNS Testing


Page 30: Project

Testing – Case 2 – Wrong Username or Password Testing


Page 31: Project

Testing – Case 3 – Sudo Permissions Testing


Page 32: Project

Testing – Case 4 – Ticket Expiry and Time Skew Testing


Page 33: Project

Testing – Case 4 – Ticket Expiry and Time Skew Testing


Page 34: Project

Conclusion

• Multi-factor authentication combined with a single sign-on event increases security
• The environment is ubiquitous: a user's desktop can be reached from any thin client that knows the fully qualified domain name (FQDN) of the server


Page 35: Project

Future Enhancements and Possibilities

• The setup need not be restricted to a single type of operating system, as the experimental setup used throughout this project was
• The design might also be ported to hybrid clouds that span a large region and have a high level of dedicated resources for the cloud server
• A graphical front end to sudo could also be used; beyond that, the project leaves a wide scope for further improvements


Page 36: Project

References
• Amazon Web Services, http://www.amazon.com/gp/browse.html?node=201590011
• C. Border (2007), "The development and deployment of a multi-user, remote access virtualization system for networking, security, and system administration classes," Proceedings of the 38th SIGCSE Technical Symposium on Computer Science Education, Covington, Kentucky, USA: ACM, pp. 576-580.
• IBM Press room (2007-11-15), "IBM Introduces Ready-to-Use Cloud Computing - United States," http://www-03.ibm.com/press/us/en/pressrelease/22613.wss
• "Kerberos: The Network Authentication Protocol," http://web.mit.edu/kerberos
• "OpenLDAP 2.2 Administrator's Guide," http://www.openldap.org/doc/admin22/
• P. Doyle, M. Deegan, C. O'Driscoll, M. Gleeson, and B. Gillespie (2008), "Ubiquitous Desktops with Multi-factor Authentication," Third International Conference on Digital Information Management (ICDIM 2008), IEEE.
• R. W. Smith (2005), Linux in a Windows World, O'Reilly, First Edition.


Page 37: Project

Thank You


