
MyProxy: A Multi-Purpose Grid Authentication Service
Jim Basney, Senior Research Scientist, NCSA



Slide 2: What is MyProxy?
(WCGA 2006, http://myproxy.ncsa.uiuc.edu/)
- A service for managing X.509 PKI credentials
  - A credential repository and certificate authority
- An online credential repository
  - Issues short-lived X.509 proxy certificates
  - Long-lived private keys never leave the server
- An online certificate authority
  - Issues short-lived X.509 end entity certificates
- Supports multiple authentication methods
  - Passphrase, certificate, PAM, SASL, Kerberos
- Open source software
  - Included in Globus Toolkit, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBNL, and others

Slide 3: MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End entity or proxy certificate
  - Trusted CA certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs updated automatically at login

Slide 4: MyProxy Authentication
- Key passphrase
- X.509 certificate
  - Used for credential renewal
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)

Slide 5: MyProxy Online Certificate Authority
- Issues short-lived X.509 end entity certificates
  - Leverages MyProxy authentication mechanisms
  - Compatible with existing MyProxy clients
- Ties in to site authentication and accounting
  - Using PAM and/or Kerberos authentication
  - Map username to certificate subject via "gridmap" file or LDAP query
- Avoids the need for long-lived user keys
- Server can function as both CA and repository
  - Issues a certificate if no credentials for the user are stored

Slide 6: MyProxy Online Credential Repository
- Stores X.509 end entity and proxy credentials
  - Private keys encrypted with user-chosen passphrases
  - Credentials may be stored directly or via proxy delegation
  - Users can store multiple credentials from different CAs
- Access to credentials controlled by user and administrator policies
  - Set authentication requirements
  - Control whether credentials can be retrieved directly or only proxy delegation is allowed
  - Restrict lifetime of retrieved proxy credentials
- Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.

Slide 7: Talk Outline
- MyProxy Introduction
- PKI Introduction and MyProxy CA
- Proxy Certificates and MyProxy Repository
- MyProxy Scenarios
  - Administratively Loaded Credentials
  - Registration Portals
  - Web Portal Authentication and Delegation
  - Password-based Delegation
  - Credential Renewal
  - Web Single Sign-On (SSO)
- Demos
- Conclusion

Slide 8: PKI Overview
- Public key cryptography
  - Sign with private key, verify signature with public key
  - Encrypt with public key, decrypt with private key
- Key distribution
  - Who does a public key belong to?
  - Certification Authority (CA) verifies the user's identity and signs a certificate
  - A certificate is a document that binds the user's identity to a public key
- Authentication
  - Signature [ h ( random, … ) ]
[Diagram: the CA certificate (Subject: CA, Issuer: CA) signs the user certificate (Subject: Jim, Issuer: CA)]

Slide 9: PKI Authentication: Standard SSL/TLS Protocol (summarized)
[Diagram: client/server message exchange]
Client -> Server: random_c
Server -> Client: certificate_s + random_s
Client -> Server: certificate_c + { secret } pubkey_s + signature_c [ h( random_c, random_s, … ) ]
Finally: { h( secret ) } secret

Slide 10: PKI Enrollment
[Diagram: the Applicant generates a new key pair and sends a certificate request to the CA; the CA signs a new end entity certificate and returns it to the User]

Slide 11: MyProxy CA with PAM
[Diagram: the Client generates a key pair and, over a TLS handshake, sends its password and a certificate request to the MyProxy Server; the server checks the password through PAM (against a Kerberos KDC, which returns a TGT, a RADIUS Server, or an LDAP Server), looks up the user's X.509 DN (gridmap file or LDAP), signs the certificate with the CA key and returns it; the client then authenticates to a Grid Service with X.509]

Slide 12: MyProxy CA with Kerberos
[Diagram: the Client obtains a Kerberos ticket from the KDC and, over a TLS handshake, authenticates to the MyProxy Server with SASL/GSSAPI/Kerberos and sends a certificate request; the server looks up the X.509 DN (gridmap file or LDAP Server), signs the certificate with the CA key and returns it; the client then authenticates to a Grid Service with X.509]

Slide 13: PAM/SASL Issues
- PAM conversation
  - PAM modules can require multiple rounds of user interaction
  - No standard protocol
- SASL/PLAIN doesn't support multiple rounds
- Need something like the SSH keyboard-interactive protocol
- SASL client-side setup
  - Requires a SASL library and configuration of SASL mechanisms
  - Alternative: native Kerberos protocol support

Slide 14: Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  - Restricted lifetime in the certificate limits the vulnerability of the unencrypted key
- Credential delegation (forwarding) without transferring private keys
[Diagram: the CA signs the User certificate, the User signs Proxy A, Proxy A signs Proxy B]

Slide 15: Proxy Delegation
[Diagram: the Delegatee generates a new key pair and sends a proxy certificate request to the Delegator; the Delegator signs a new proxy certificate and returns the Proxy to the Delegatee]
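The signing chain on slide 14 (CA signs User, User signs Proxy A, Proxy A signs Proxy B) and the delegation exchange on slide 15 are small enough to model end to end. The following is an added example, not code from the talk or from the MyProxy project. It assumes a toy textbook-RSA signature over SHA-256 in place of real X.509 signatures and encoding, constructed names such as /O=Grid/CN=Jim, and the RFC 3820 naming rule that a proxy's subject is its issuer's subject plus one CN component; clipping a proxy's lifetime to its issuer's is a design choice made here so that the "restricted lifetime" point on slide 14 is enforced by the verifier.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy textbook RSA over SHA-256 stands in for the CA, user and proxy signing keys
# (illustration only: no padding, no ASN.1/X.509 encoding).

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; n is assumed to be a large odd candidate."""
    if n < 4 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); n exceeds 2**256 so a SHA-256 digest fits under it."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def sign(priv, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass(frozen=True)
class Cert:  # minimal certificate: who, issued by whom, which key, until when
    subject: str
    issuer: str
    pubkey: tuple
    not_after: int
    signature: int = 0

    def tbs(self):  # to-be-signed bytes: every field except the signature
        return f"{self.subject}|{self.issuer}|{self.pubkey}|{self.not_after}".encode()

def issue(issuer_name, issuer_priv, subject, subject_pub, not_after):
    body = Cert(subject, issuer_name, subject_pub, not_after)  # issuer binds key to name
    return Cert(subject, issuer_name, subject_pub, not_after, sign(issuer_priv, body.tbs()))

def delegate(delegator_cert, delegator_priv, lifetime, now):
    """Slide 15: the delegatee makes a fresh key pair and sends only its public key (the proxy
    certificate request); the delegator signs a proxy named after itself plus one CN component
    (RFC 3820), clipped to its own lifetime. No private key crosses the wire."""
    proxy_pub, proxy_priv = generate_keypair()  # delegatee side
    proxy = issue(delegator_cert.subject, delegator_priv, delegator_cert.subject + "/CN=proxy",
                  proxy_pub, min(now + lifetime, delegator_cert.not_after))
    return proxy, proxy_priv

def verify_chain(ca, chain, now):
    """chain = [end entity, proxy A, proxy B, ...], leaf last; ca is the trust anchor. Each link
    must be issued, signed and outlived by the previous one; proxies also need the issuer's
    name plus exactly one extra CN component."""
    parent = ca
    for depth, cert in enumerate(chain):
        if (cert.issuer != parent.subject or now > cert.not_after
                or not verify(parent.pubkey, cert.tbs(), cert.signature)):
            return False
        if depth > 0 and (not cert.subject.startswith(parent.subject + "/CN=")
                          or "/" in cert.subject[len(parent.subject) + 1:]
                          or cert.not_after > parent.not_after):
            return False
        parent = cert
    return True

def demo(now=1_000_000):
    """Build CA -> Jim -> Proxy A -> Proxy B (the slide 14 figure) and exercise the checks."""
    hour, day = 3600, 86400
    ca_pub, ca_priv = generate_keypair()
    ca = issue("/O=Grid/CN=CA", ca_priv, "/O=Grid/CN=CA", ca_pub, now + 3650 * day)
    jim_pub, jim_priv = generate_keypair()
    jim = issue(ca.subject, ca_priv, "/O=Grid/CN=Jim", jim_pub, now + 365 * day)
    proxy_a, priv_a = delegate(jim, jim_priv, 12 * hour, now)  # Jim signs Proxy A
    proxy_b, _ = delegate(proxy_a, priv_a, 2 * day, now)       # Proxy A signs Proxy B
    # Lifetime edited after signing: the signature no longer covers the body.
    inflated = Cert(proxy_a.subject, proxy_a.issuer, proxy_a.pubkey, now + 30 * day, proxy_a.signature)
    return {
        "valid_chain": verify_chain(ca, [jim, proxy_a, proxy_b], now),
        "proxy_b_clipped_to_a": proxy_b.not_after == proxy_a.not_after,
        "chain_after_13h": verify_chain(ca, [jim, proxy_a, proxy_b], now + 13 * hour),
        "tampered_lifetime": verify_chain(ca, [jim, inflated], now),
    }
```

Running demo() shows the four properties the slides rely on: the full chain verifies back to the CA while every private key stayed with its owner; Proxy B cannot outlive Proxy A even though two days were requested; thirteen hours later the unencrypted proxy keys are useless because Proxy A has expired; and a proxy whose validity period was edited after signing fails signature verification.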

Slide 16: MyProxy Put
[Diagram: the Client (holding its certificate and private key) performs a TLS handshake with the MyProxy Server and sends username, password, and policy; the server generates a key pair and sends a certificate request; the client returns a proxy certificate chain, which the server stores together with the new private key]

Slide 17: MyProxy Get
[Diagram: the Client generates a private key and, over a TLS handshake, sends username, password, and a certificate request to the MyProxy Server; the server, holding the stored private key and cert chain, returns a proxy certificate chain; the client then authenticates to a Grid Service with X.509]

Slide 18: MyProxy Store
[Diagram: the Client sends its certificate, private key, username, and policy to the MyProxy Server over a TLS handshake; the server stores the private key and certificate directly]

Slide 19: MyProxy Retrieve
[Diagram: the Client sends username and password to the MyProxy Server over a TLS handshake; the server returns the stored private key and certificate chain directly; the client then authenticates to a Grid Service with X.509]

Slide 20: Administratively Loaded Credentials
[Diagram: a Certificate Authority issues a certificate and private key that are loaded into the MyProxy Server; the Client, over a TLS handshake, sends username, password, and a certificate request and receives a proxy certificate chain; the client then authenticates to a Grid Service with X.509]

Slide 21: User Registration Portal
[Diagram: the Browser sends username and password to the Registration Portal over a TLS handshake; the portal records the username in a User DB and obtains a certificate and private key from the Certificate Authority, which are loaded into the MyProxy Server; the Client then sends username, password, and a certificate request over TLS, receives a proxy certificate chain, and authenticates to a Grid Service with X.509]

Slide 22: Gateway Portal
[Diagram: the Browser sends username and password to the Portal over a TLS handshake; the portal checks the User DB and uses its own cert and key to access the Grid Service with X.509]

Slide 23: Trusted Portal
[Diagram: the Browser sends username and password to the Portal over a TLS handshake and the portal checks the User DB; the portal then authenticates to MyProxy with its own cert and key (X.509), sends the username and a cert request, and receives a cert for the user; the portal uses that cert and key to access the Grid Service with X.509]

Slide 24: Password-based Portal Authentication
[Diagram: the Browser sends username and password to the Portal over a TLS handshake; the portal forwards username and password with a cert request to MyProxy over X.509/TLS and receives a cert; the portal uses the cert and key to access the Grid Service with X.509]

Slide 25: Password-based Delegation
[Diagram: the Delegator (holding a certificate and private key) stores a credential in MyProxy over a TLS handshake under a username with a random password (certificate request / certificate exchange); the Delegator passes the username and random password to the Delegatee; the Delegatee performs a TLS handshake with MyProxy, presents username and password with a certificate request, and receives a certificate]

Slide 26: Password-based Renewal
[Diagram: the Client submits a job with a proxy and a password to Condor-G; Condor-G forwards the job and proxy to the GRAM Gatekeeper, which runs the Job with the proxy; Condor-G uses the password to obtain a fresh proxy from MyProxy for renewal]

Slide 27: Certificate-based Renewal
[Diagram: the Client submits a job with a proxy and a policy to the Workload Management Service; the job and proxy pass through Condor-G to the GRAM Gatekeeper, which runs the Job with the proxy; the Renewal Service authenticates to MyProxy with its own key and cert (X.509) to obtain a renewed proxy]

Slide 28: MyProxy and Web SSO
[Diagram: components: Browser, Pubcookie Login Server, Portal A, Portal B, PURSE, MyProxy, Grid Service; flows shown: password from the Browser to the Pubcookie Login Server, cookie to the portals, password and cert between portal and MyProxy, X.509 from portal to Grid Service]

Slide 29: SSO for Browser and Application
[Diagram: components: Browser, Portal, MyProxy Server, Application (JWS), Grid Service; flows shown: the Browser authenticates to the Portal and receives a cookie, the Application presents the cookie to the Portal, the Portal obtains a cert from the MyProxy Server, the Application accesses the Grid Service with X.509]

Slide 30: SSO for Browser and Application (password variant)
[Diagram: components: Browser, Portal, MyProxy Server, Application (JWS), Grid Service; flows shown: the Browser authenticates to the Portal, the Portal hands the Application a password and random value, the Application presents password and random value to the MyProxy Server and receives a cert, then accesses the Grid Service with X.509]

Slide 31: Demonstrations

Slide 32: Conclusion
- MyProxy: A Multi-Purpose Grid Authentication Service
  - Used in many delegation and single sign-on scenarios
- MyProxy provides practical authentication solutions
  - Minimize changes to existing software and protocols
  - Leverage community standards
    - PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
- Active MyProxy open source community
  - Deploy new developments via MyProxy
  - Benefit from the work of others

Slide 33: Thank you! Obrigado!

