Presentation is loading. Please wait.

Presentation is loading. Please wait.

GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.

Similar presentations


Presentation on theme: "GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko."— Presentation transcript:

1 GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko

2 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _2 Outlines Security Issues in Grid computing Grid Security Infrastructure OCR – Online Credential Retrieval Restricted Delegation Certificate Profile DataGRID Security related activity

3 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _3 Security Issues in Grid computing General issues:  Traditional systems are user/client/host centric  Grid computing is data centric Traditional systems:  Protect system from its users  Protect data of one user from compromise In Grid systems:  Protect applications and data from system where computation execute  Stronger/mutual authentication needed (for users and code) u Ensure that resources and data not provided by a attacker  Protect local execution from remote systems  Different admin domains/Security policies

4 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _4 Security Issues in Grid computing - Components  Authentication u Password based u Kerberos based (authentication and key distribution protocol) u SSL authentication u PKI/Cert based  Authorisation  Integrity and confidentiality u Cryptography  Assurance  Accounting  Audit

5 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _5 Authentication Traditional systems:  Authenticate user/client to protect system Grid systems:  Mutual authentication required u Ensure that resources and data not provided by a attacker  Delegation of Identity u Process that grants one principal the authority to act as another individual u Assume another’s identity to perform certain functions u E.g., in Globus: use gridmap file on a particular resource to map authenticated user user onto another’s account, with corresponding privileges  Data origin authentication

6 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _6 Authorisation Traditional systems:  Determine whether a particular operation is allowed based on authenticated identity of requester and local information Grid systems:  Determine whether access to resource/operation is allowed u Access control list associated with resources, principal or authorised programs  Distributed Authorisation u Distributed maintenance of authorisation information u One approach: Embed attributes in certificates –Restricted proxy: authorisation certificate that grants authority to perform operation on behalf of grantor u Alternative: separate authorisation server  Use of CAS (Community Authorisation System) for group authorisation

7 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _7 Assurance, Accounting, Audit  Assurance u When service is requested, to assure that candidate service provider meets requirements  Accounting u Means of tracking, limiting or changing for consumption of resources  Audit u Record operations performed by systems and associate actions with principals u Find out what went wrong: typical role of Intrusion Detection Systems

8 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _8 GRID Security Infrastructure (GSI) Current situation:  Globus assumes Hierarchical CA architecture with one top-level CA  Interdomain authorisation is based on X.509 identity certificates  Authentication and Authorisation  Mapping of user certificates to user accounts  GSI uses proxy credentials to allow for single sign-on and to provide delegated credentials for use by agent and servers u Online Credential Retrieval to create and manage proxy certificates u Next development: impersonation certificate and restricted delegation certificate GSI problems:  Thousands of users – thousands of Certs – many of CAs (with different policies)  Grid-wide user group and roles are needed u No grid-wide logging or auditing  Need for anonymous users  Protocol to access personal credential for OCR

9 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _9 GSI Roadmap: Grid Security Requirements  A Grid security solution should be based on existing standards wherever possible.  Grid authentication requirements: u Single sign on u Delegation u Integration with various local security solutions u User-based trust relationships  Grid requirements for communication protection: u Flexible message protection u Supports various reliable communication protocols u Supports independent data units (IDU)  Grid authorization requirements: u Authorization by stakeholders u Restricted delegation

10 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _10 GSI authentication requirements Single sign on  Users must be able to "log on" (authenticate) just once and then have access to any resource in the Grid that they are authorized to use, without further user intervention. Delegation  A user must be able to endow to a program the ability to run on that user's behalf, so that the program is able to access the resources on which the user is authorized. The program should (optionally) also be able to further delegate to another program. Integration with various local security solutions  Each site or resource provider may employ any of a variety of local security solutions, including Kerberos, Unix security, etc. The Grid security solution must be able to interoperate with these various local solutions. It cannot require wholesale replacement of local security solutions, but rather must allow mapping into the local environment. User-based trust relationships  In order for a user to use resources from multiple providers together, the security system must not require each of the resource providers to cooperate or interact with each other in configuring the security environment. In other words, if a user has the right to use sites A and B, the user should be able to use sites A and B together without requiring the security administrators from sites A and B to interact.

11 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _11 GSI requirements for communication protection Flexible message protection  An application must be able to dynamically configure a service protocol to use various levels of message protection, including none, just integrity, or integrity plus confidentiality. The choice may be motivated by factors such as sensitivity of the messages, performance requirements, the parties involved in the communication, and the infrastructure over which the message is transiting. Supports various reliable communication protocols  While TCP is the dominant, and widely available, reliable communication protocol for the Internet, the security mechanisms must be usable with a wide assortment of other reliable communication protocols. For example, performance requirements may dictate the use of non-TCP protocols for use within specialized environments. Supports independent data units (IDU)  Some applications require "protection of a generic data unit (such as a file or message) in a way which is independent of the protection of any other data unit and independent of any concurrent contact with designated 'receivers' of the data unit" [1]. For example, streaming media, , and unreliable UDP datagrams all require this form of protection.

12 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _12 GSI authorization requirements Authorization by stakeholders  Resource owners or stakeholders must be able to control which subjects can access the resource, and under what conditions. Restricted delegation  In order to minimize exposure from compromised or misused delegated credentials, it is desirable to have rich support for the restriction of the authorization rights that are delegated.

13 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _13 GSI WG documents (1) Grid Security Infrastructure (GSI) Roadmap - February 2001  An informational draft, providing an overview of GSI and the technical specifications that define GSI u Internet X.509 Public Key Infrastructure Proxy Certificate Profile - July 2001  A technical specification draft of the X.509 certificate extensions required to support proxies, which is used for GSI single sign-on and delegation u GSI Online Credential Retrieval - Requirements - October 2001  A technical specification draft of TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates u Multiple Credentials - Scenarios and Requirements - September 2001  Describes a number of scenarios where entities on Grid require multiple credentials. It details the requirements these scenarios place on the security infrastructure of the Grids u 01.pdfhttp://www.gridforum.org/security/ggf3_ /drafts/draft-ggf-multi-creds-requirements- 01.pdf

14 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _14 GSI WG documents (2) Internet X.509 PKI Impersonation Certificate Profile– February 2001 u Internet X.509 PKI Restricted Delegation Certificate Profile – February 2001 u TLS Delegation Protocol- July 2001  A technical specification draft of TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates u GSS-API Extensions - September 2001  A technical specification draft of GSS-API extensions, which are required for effective Grid programming using GSS-API u Akenti Restriction Language in X509 Proxy Certificates - July 2001 u

15 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _15 Online Credential Retrieval (OCR)  Definition: OCR service defines TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates and secure remote access to private credentials  Goal: to avoid drawbacks in personal management of credentials by users (private key protection, mobile/remote access, need for multiple credentials)  Authentication in GSI is based on proxy credentials u Proxy credential consists of proxy certificate and an associated private key u Proxy certificate is an X.509 certificate that is derived from a standard X.509 end entity (EE) certificate or another proxy certificate and signed with the private key associated with the source certificate u Proxy credential has limited lifetime to limit vulnerability of the EE private key: user create proxy credential once using its private key

16 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _16 OCR Requirements – GGF Draft OCR usage scenarios/operations  Credential Initialisation  Credential renewal  Transparent Credential retrieval  Adding Delegation to Existing Protocols  Multiple Credentials Requirements to  Protocols: Credential Retrieval Protocol, Credential Upload Protocol, Administration Protocol  Credential Server  Credential Repository

17 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _17 OCR Related works IETF SACRED WG  Many of requirements are similar to OCR’s  Difference: u SACRED requirements state that the credential format MUST be opaque to the protocol and the protocol MUST NOT force credentials to be present in cleartext at the server –This requirement disallow X.509 proxy delegation as defined by OCR requirements IETF PKIX WG u OCR performs tasks similar to PKIX online management of credentials (retrieving certificates and certificate revocation lists, online certificate status protocol) u Difference: OCR involves private key that must be kept secret

18 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _18 Internet X.509 PKI Restricted Delegation Certificate Profile – GGF Draft  Extension to Impersonation Certificate (IC) u Delegation extension u Restricted rights extension  Address trust issues of the unrestricted Impersonation Certificate use in permitting agent to operate on behalf of an end entity in the environment of X.509 based authorisation  Describes relation between IC with Restricted Rights and Attribute Certificates (AC) and defined scenario for use of AC u Difference that current secure protocols (used by Grid) pass ICs between entities but ACs have to be searched for by the relying party

19 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _19 GGF Certificate Policy Design WG - Documents  Public Key Technology Policy Requirements for Grid Identification - October 11,2000 –http://www.gridcp.es.net/Documents/PKI_Requirements_for_Grid_Id.pdfhttp://www.gridcp.es.net/Documents/PKI_Requirements_for_Grid_Id.pdf u Goals: –develop community policy that allows grid resource managers to accept authentication certificates generated by and or for different Grid –reduce the number of authentication certificates a grid user has to posses in order to authenticate to multiple Grids u Related to efforts within the US Federal Bridge Certification Authority to bridge top- level federal agency PKI certificate policies  Grid Certificate Policy version 5 u  Defines four certificate policies representing four different assurance levels (Rudimentary, Basic, Medium, and High) for GGF public key digital certificates  Next meeting – GGF4, Toronto u To discuss: Grid CP version 5, Repository model, Certificate Profile

20 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _20 DataGRID Security related activity  Collect Security requirements from different packages u No official security requirements or policy definitions  Started in different Work packages: WP2, WP6, WP7 u But ill coordinated u Few Workshops and devoted meeting  Compare GSI to security solutions in other middleware  Globus development is not not so open and speedy  All new Grid related projects (DataTAG) have special WP on Security

21 ©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems Slide _21 Observation – other GGF problems  GGF authority is not clear for individual Grid projects  Some GGF developments are coordinated between themselves u Where to place Security issues: Data or Network u Compare to work of IETF  Technical problem: contradiction with some similar IETF developments, e.g. u PKIX u SACRED


Download ppt "GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko."

Similar presentations


Ads by Google