Presentation is loading. Please wait.

Presentation is loading. Please wait.

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

Published byEthan Holland Modified over 10 years ago

Similar presentations

Presentation on theme: "OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007."— Presentation transcript:

1 OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007

2 Presentation Overview 1.Goals & non-goals of the OGSA-SP 2.0 2.Motivation 3.Secure Addressing 4.Secure Transport 5.Secure SOAP 6.Questions

3 OGSA Security Profile 2.0 (A.K.A Express Authentication Profile) GOALS 1.Profile how to convey secure-communication requirements within EPRs 2.Define well-known, composable security policies for common security mechanisms 3.Provide minor mechanism clarifications and refinements as security mechanisms are adapted to Grid 4.Establish trustworthiness of EPRs (e.g., tamper- resistance via digital signature)

4 Intent IS TO: Enable discovery of common security mechanisms Or cleanly identify when interoperability is not possible Easily be extended to accommodate new mechanisms, credentials, etc. IS NOT TO: Impose common security mechanisms Invent new security mechanisms Invent new languages for describing security mechanisms

5 Motivation SECURITY: A systems ability to protect its assets Disclosure or theft of resources Modification (including destruction) of resources Resource service interruption Crucial for OGSA/Grid adoption Participants require protection from undue risk Participants must meet legal requirements

6 First Steps: Protocol Interoperability SOA Philosophy Presume nothing regarding service implementation Message format and endpoints are public knowledge Security mechanisms affect message format What do I have to do to my messages to communicate? Message payloads defined by well-known, static service interfaces Diverse (and possibly dynamic) security action requirements for messages

7 Diverse Security Requirements Credential requirements Users & resources tied to existing credential infrastructures (e.g., Kerberos, X.509 PKI, SAML, etc.) No lowest common denominator OGSA security model tasked with integration of these trust and security domains Security action requirements Grid applications created via service composition Application-specific security requirements imposed on component services E.g., ByteIO resources may have confidentiality requirements in some cases, not others

8 Why another mechanism for security requirement discovery? Attachment of WS-SecurityPolicy requirements to WSDL and UDDI WS-I Conformance Claim Attachment Mechanism to WSDL "http://ogf.org/profiles/hpc-basic/1.0/username-token" Issues: WSDL not always fine-grained enough WSDL not always published Non-standardized conventions for locating WSDL Scope limited to interface/application

9 Why another mechanism for security requirement discovery? (Continued) CaGrid exposes requirements through reflective service operations getSecurityMetadata() Chicken-before-egg problem Extra communication required Liberty exposes requirements within EPRs urn:liberty:security:2006-08:ClientTLS:SAMLV2 Not as expressive as WS-SecurityPolicy No means to communicate individual integrity/confidentiality requirements

10 Why EPRs? Grid utility is derived from the composition (often dynamic) of services EPRs extensively incorporated into core service interfaces, e.g.: Notification (WS-Eventing) Execution management (BES activity creation) Directory services (RNS) EPRs are how services refer and address each other EPRs serve as invocation contexts: Everything one needs to know to for communication

11 OGSA SP 2.0 Document Architecture Multiple documents composed in a hierarchical, extensible fashion. OGSA-BSP Secure Addressing Defines the general WS-SecurityPolicy attachment mechanism to EPRs Profile EPR digital signature OGSA-SP Secure Transport Defines well-known policies for de-facto transport-level secure communication configurations. OGSA-SP Secure SOAP Messaging Defines analogous policies for de-facto message-level security mechanisms

12 Secure Addressing Idea : Apply WS-SecurityPolicy to the extensible portion of the EPR WS-SecurityPolicy : Extension to WS-Policy framework New OASIS standard Grammar for asserting token types, cryptographic algorithms and mechanisms, including using transport level security

13 … urn:soapaction:* http://…#CertifiedServerTLS http://...#UsernameToken …

14 Secure Addressing Cont (Optional) Digital signing of EPRs: Extend WS-Addressing to profile a element as a child of the document Such a signature MUST cover the following elements:

15 Secure Transport Defines secure transport bindings to be referenced by name: Server-authenticated TLS w/ Server Certificate Server-authenticated TLS w/o Server Certificate Mutually-authenticated TLS w/ Sever Certificate Mutually-authenticated TLS w/o Sever Certificate If the Server Certificate is present, the Profile mandates hostname verification as per RFC 2818 – HTTP over TLS TLS/SSL algorithm suites are restricted to those listed in WS-SecurityPolicy

16 TLS_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA Server-authenticated TLS w/o Server Cert Policy Mutually-authenticated TLS w/o Server Cert Policy

17 Back to Secure Addressing EPRs may also need to perform key distribution: Extra hostname-verification at the transport-level Message-level encryption Want to embed tokens directly into the EPR, yet WS- SecurityPolicy does not provide for this Token assertions may contain a element to indicate the EPR of a location from which to obtain a token Solution: extend WS-SecPols token assertions to optionally contain an alternative We can put embedded tokens in tags within the document

18 <wsse:Reference URI='#RecipientTransportIdentity' ValueType="http://docs.oasis-open.org/...#X509v3" /> Server-authenticated TLS w/ Server Cert Policy

19 Secure SOAP Defines common secure message-level bindings to be referenced by name: Username-token (simple) Password-digest username-token (digest of password, timestamp, and nonce) X.509 Mutual authentication

20 <wsp:Policy wsu:Id=PasswordDigest <wsp:Policy wsu:Id=UsernameToken Username-Token PolicyPassword-Digest Policy

21 (01) (02) (03) (04) (05) (06) (07) (08) (09) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) … Mutually-Authenticated X.509 Policy

22 … (23) (24) (25) (26) (27) (28) (29) <wsse:Reference URI='#RecipientMessageIdentity ValueType="http://...wss-x509-token-profile-1.0#X509v3"/> (30) (31) (32) (33) (34) (35) … Mutually-Authenticated X.509 Policy

23 … (74) (75) (76) (77) (78) (79) (80) (81) /Envelope/Header/*[@isReferenceParameter="true"]' (82) (83) (84) (85) (86) (87) (88) (89) (90) (91) (92) Mutually-Authenticated X.509 Policy

24 Specifying Additional Protection Policy... http://www.ggf.org/ogsa/2007/05/sp-secure-soap#MutualX509...

25 Questions

Download ppt "OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007."

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
© Siemens NV/SA, October 2004 Communications Network and Information Security Report ICTSB/NISSG Stefan Goeman.

© Siemens NV/SA, October 2004 Communications Network and Information Security Report ICTSB/NISSG Stefan Goeman.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Technical Presentation AIAC 2010-2011 Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.

Technical Presentation AIAC Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.
cetis Really Complex Web Service Specifications Scott Wilson.

cetis Really Complex Web Service Specifications Scott Wilson.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
WS – Security Policy Prabath Siriwardena Director, Security Architecture.

WS – Security Policy Prabath Siriwardena Director, Security Architecture.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
NHIN Specifications Richard Kernan, NHIN Specification Lead (Contractor), Office of the National Coordinator for Health IT Karen Witting, Contractor to.

NHIN Specifications Richard Kernan, NHIN Specification Lead (Contractor), Office of the National Coordinator for Health IT Karen Witting, Contractor to.
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Core Web Service Security Patterns

Core Web Service Security Patterns
Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.
Peoplesoft: Building and Consuming Web Services

Peoplesoft: Building and Consuming Web Services
Web services security I

Web services security I

Similar presentations

Ads by Google