Version 1.1
To improve security, a new authentication model was devised. The main security threat is seen to be the practice of sending certificates to the server: a compromised server could allow an attacker to intercept private keys. A compromise solution is presented here, which will hopefully both improve security and still accommodate a reasonably user-friendly mechanism.
User interface
Log in to GRIDportal
Provide a valid username and password to log into GRIDportal.
NOTE: the login procedure assumes you have already stored your certificate on the server; otherwise you must complete that procedure first.
Design
The user supplies a username and password, which are used to query myProxy for a proxy. Once a proxy is available, the authentication is deemed successful. The proxy is then used to interact with NorduGrid/ARC. The session is managed according to GRIDportal rules (the default WebKit session timeout is 1h). GRIDportal renews the proxy if necessary (that is, if it would otherwise expire before the session does).
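The login and renewal logic described above, as an added example (not GRIDportal's own code). The `fetch` callable stands in for a myProxy client; its signature, the doubled proxy lifetime, and holding the credentials in a closure for renewal are assumptions the page does not specify.

```python
from dataclasses import dataclass
from typing import Callable, Optional

SESSION_TIMEOUT = 3600                # 1h default WebKit session timeout (from the text)
PROXY_LIFETIME = 2 * SESSION_TIMEOUT  # assumption: avoids a renewal on every request

@dataclass
class Proxy:
    pem: str          # proxy credential returned by myProxy (opaque here)
    not_after: float  # expiry, Unix timestamp

# Hypothetical myProxy client signature: (username, password, lifetime_s) -> Proxy or None
Fetcher = Callable[[str, str, int], Optional[Proxy]]

class PortalSession:
    """A sliding portal session backed by a short-lived proxy."""

    def __init__(self, username, proxy, renew, now):
        self.username = username
        self.proxy = proxy
        self._renew = renew
        self.expires = now + SESSION_TIMEOUT

    def touch(self, now: float) -> bool:
        """Call on every request; False means the session must be destroyed."""
        if now >= self.expires:
            return False                          # idle timeout reached
        self.expires = now + SESSION_TIMEOUT      # slide the session window
        if self.proxy.not_after < self.expires:   # proxy would expire before the session
            fresh = self._renew()
            if fresh is not None and fresh.not_after > self.proxy.not_after:
                self.proxy = fresh
        # A failed renewal is tolerated only while the old proxy is still valid.
        return self.proxy.not_after > now

def login(username: str, password: str, fetch: Fetcher, now: float) -> Optional[PortalSession]:
    """Authentication succeeds only if myProxy returns a currently valid proxy."""
    proxy = fetch(username, password, PROXY_LIFETIME)
    if proxy is None or proxy.not_after <= now:
        return None
    # Assumption: renewal re-queries myProxy with the same credentials, held only
    # in this closure for the life of the session (the page does not say how).
    def renew() -> Optional[Proxy]:
        return fetch(username, password, PROXY_LIFETIME)
    return PortalSession(username, proxy, renew, now)
```

The clock is passed in as `now` so the expiry handling can be exercised without waiting; a caller in the portal would pass `time.time()`.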
Implementation
We can use the Authentication.pm Perl module from gridport and write a simple client to query myProxy.