Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois

September 6, 2005  http://myproxy.ncsa.uiuc.edu/

What is MyProxy?
- Independent Globus Toolkit add-on since 2000
  - Included in Globus Toolkit 4.0
- A service for securing private keys
  - Keys are stored encrypted with a user-chosen password
  - Keys never leave the MyProxy server
- A service for retrieving proxy credentials
- A commonly used service for grid portal security
  - Integrated with OGCE, GridSphere, and GridPort

PKI Overview
- Public key cryptography
  - Sign with the private key, verify the signature with the public key
  - Encrypt with the public key, decrypt with the private key
- Key distribution
  - Who does a public key belong to?
  - A Certification Authority (CA) verifies the user's identity and signs a certificate
  - A certificate is a document that binds the user's identity to a public key
- Authentication
  - Signature[ h(random, ...) ]: the client proves possession of the private key by signing a hash over a random challenge
[Diagram: the CA's self-signed certificate (Subject: CA, Issuer: CA) signs the user's certificate (Subject: Jim, Issuer: CA).]

Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  - The restricted lifetime in the certificate limits the exposure of the unencrypted key
- Credential delegation (forwarding) without transferring private keys
[Diagram: the CA signs the User's certificate; the User signs Proxy A; Proxy A signs Proxy B.]

Proxy Delegation
[Diagram: Delegator and Delegatee. The delegatee generates a new key pair and sends a proxy certificate request; the delegator signs the new proxy certificate and returns the proxy.]
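The three slides above (PKI overview, proxy credentials, proxy delegation) can be walked through with the openssl command line. The script below is an added example, not MyProxy's or the Globus Toolkit's own code: it creates a CA, issues a user certificate, has the user key sign an RFC 3820 proxy whose subject is the user's DN plus one extra CN, and then verifies the chain as a relying party would. The DNs, serial numbers and the proxy CN are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MyProxy's or Globus' own code): the PKI chain behind a
# proxy credential, built with the openssl CLI. DNs, serial numbers and the
# proxy CN are constructed for illustration.
set -eu

WORK=$(mktemp -d)
EXT="$WORK/ext.cnf"

# Three extension profiles: the CA; the user's end-entity certificate, which
# must NOT be a CA; and the proxy, which carries the critical proxyCertInfo
# extension that RFC 3820 requires.
cat > "$EXT" <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ user_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment

[ proxy_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
proxyCertInfo = critical, language:id-ppl-inheritAll
EOF

# new_keypair NAME SUBJECT: a fresh RSA key plus a certificate request.
new_keypair() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# make_ca: the self-signed trust root that relying parties install.
make_ca() {
    new_keypair ca "/O=Example Grid/CN=Example CA"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
        -extfile "$EXT" -extensions ca_ext -out "$WORK/ca.crt" 2>/dev/null
}

# issue_user_cert: the CA binds the user's identity to the user's public key.
# This long-lived key is the one MyProxy keeps encrypted on the server.
issue_user_cert() {
    new_keypair user "/O=Example Grid/CN=Jim"
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 1001 -days 7 \
        -extfile "$EXT" -extensions user_ext -out "$WORK/user.crt" 2>/dev/null
}

# delegate_proxy: the delegatee's new key pair goes into a request; the
# delegator signs it with the *user* key. The proxy subject is the user's DN
# plus exactly one extra CN (RFC 3820), the lifetime is short (one day here;
# grid proxies are usually hours), and the user key itself is never copied.
delegate_proxy() {
    new_keypair proxy "/O=Example Grid/CN=Jim/CN=1234567"
    openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/user.crt" \
        -CAkey "$WORK/user.key" -set_serial 1 -days 1 \
        -extfile "$EXT" -extensions proxy_ext -out "$WORK/proxy.crt" 2>/dev/null
}

# verify_proxy: the relying party's check. Proxy support is opt-in; with
# -allow_proxy_certs OpenSSL accepts a non-CA (the user) as the issuer and
# enforces the subject-name rule above.
verify_proxy() {
    openssl verify -allow_proxy_certs -CAfile "$WORK/ca.crt" \
        -untrusted "$WORK/user.crt" "$WORK/proxy.crt" >/dev/null 2>&1
}

# verify_proxy_no_opt_in: the same chain without the flag must be rejected,
# because an end-entity certificate issued it.
verify_proxy_no_opt_in() {
    openssl verify -CAfile "$WORK/ca.crt" \
        -untrusted "$WORK/user.crt" "$WORK/proxy.crt" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

make_ca && issue_user_cert && delegate_proxy
```

The point worth noticing is the opt-in: a verifier that has not been told to accept proxy certificates rejects the chain outright, which is why every grid service that consumes MyProxy-issued proxies has to carry RFC 3820 support explicitly.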

MyProxy System Architecture
[Diagram: MyProxy client and MyProxy server with its credential repository. "Store proxy" and "Retrieve proxy" are both proxy delegations over a private TLS channel.]

MyProxy: Credential Mobility
[Diagram: the user obtains a certificate from ca.ncsa.uiuc.edu, stores a proxy on myproxy.teragrid.org, and retrieves proxies from it on tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org, and tg-login.ncsa.teragrid.org.]

MyProxy and Grid Portals
[Diagram: the user logs in to the Portal; the portal fetches a proxy from the MyProxy server and uses it to access data on the GridFTP server.]

MyProxy: User Registration
[Diagram: the user requests an account at the Registration portal and sets a username/password; the portal obtains a user certificate from the Certificate authority and loads the user's credentials into the MyProxy server; the user later logs in to the Grid portal with the username/password and the portal retrieves a proxy.]
- ESG PURSE: Portal-based User Registration Service
- GAMA: Grid Account Management Architecture

MyProxy: Key Upload/Download
- Provides the ability to store and retrieve keys and certificates directly over the network
  - Encrypted keys are transferred over an SSL/TLS-encrypted channel
  - In contrast to using proxy delegation
- Allows storing end-entity credentials
- Key retrieval must be explicitly enabled by both the server administrator and the key owner
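Unlike proxy delegation, key upload/download moves the private key itself, so the key must be encrypted under the user's passphrase both in transit and at rest in the repository. The script below is an added example, not MyProxy's own code, showing the property the slide relies on with the openssl CLI: the key is wrapped as PKCS#8 with PBKDF2 and AES-256, only the correct passphrase unwraps it, and the passphrase is never written anywhere. The passphrase and file names are constructed.

```shell
#!/bin/sh
# Added example (not MyProxy's own code): a private key encrypted under a
# user-chosen passphrase, as a credential repository must store it.
# The passphrase and file names are constructed for illustration.
set -eu

WORK=$(mktemp -d)
PASS='correct horse battery staple'   # constructed passphrase

# gen_user_key: an unencrypted key, as it comes out of CA enrolment.
gen_user_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/user.key" 2>/dev/null
}

# encrypt_key: what the repository stores. A high PBKDF2 iteration count
# slows offline guessing if the key database is ever copied, which is the
# "private key database is an attack target" caveat on the security slide.
encrypt_key() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 600000 \
        -in "$WORK/user.key" -passout "pass:$PASS" \
        -out "$WORK/user.key.enc" 2>/dev/null
}

# try_decrypt PASSPHRASE: succeeds only with the right passphrase.
try_decrypt() {
    openssl pkcs8 -in "$WORK/user.key.enc" -passin "pass:$1" \
        -out /dev/null 2>/dev/null
}

# is_encrypted: the stored file must be the encrypted PKCS#8 form, never
# the "BEGIN PRIVATE KEY" plaintext.
is_encrypted() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$WORK/user.key.enc"
}

cleanup() { rm -rf "$WORK"; }

gen_user_key && encrypt_key
```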

Credential Renewal
- Long-lived jobs or services need credentials
  - Task lifetime is difficult to predict
- Don't want to delegate long-lived credentials
  - Fear of compromise
- Instead, renew credentials as needed during the job's lifetime
  - The renewal service provides a single point of monitoring and control
- The renewal policy can be modified at any time
  - Disable renewals if compromise is detected or suspected
  - Disable renewals when jobs complete

MyProxy: Credential Renewal
[Diagram: the user submits a job to Condor-G / Renewal Service, which submits it to the Globus gatekeeper; the renewal service retrieves a proxy from the MyProxy server and refreshes the job's proxy.]
Daniel Kouril and Jim Basney, "A Credential Renewal Service for Long-Running Jobs," 6th IEEE/ACM International Workshop on Grid Computing (Grid 2005), Seattle, WA, November 13-14, 2005.
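The decision a renewal service takes on each pass over its jobs, with the two policy switches from the previous slide (disable on suspected compromise, disable when the job completes), as an added example that is not the Condor-G renewal service's own code. The job registry, the "renewals disabled" flag and the self-signed stand-in for a job's proxy are constructed; the actual refresh (a MyProxy retrieval authenticated with the renewal service's own X.509 certificate, as on the authentication slide) is left to the caller.

```shell
#!/bin/sh
# Added example (not the renewal service's own code): the per-pass renewal
# decision. Registry, policy flag and proxies are constructed stand-ins.
set -eu

WORK=$(mktemp -d)
JOBS_FILE="$WORK/active-jobs"          # one job id per line (constructed)
RENEWALS_DISABLED="$WORK/renewals-off" # its presence disables all renewals

# make_proxy NAME DAYS: a self-signed stand-in for the proxy a job runs with.
make_proxy() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/O=Example Grid/CN=Jim/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# expires_within CERT SECONDS: true when the certificate will no longer be
# valid SECONDS from now. openssl x509 -checkend exits 0 if the cert is
# still good for that long and 1 otherwise, hence the inverted sense.
expires_within() {
    ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# renewal_decision JOB_ID CERT WINDOW prints one of:
#   denied  renewals switched off by the administrator (compromise suspected)
#   done    job no longer registered: stop refreshing, let the proxy lapse
#   renew   fewer than WINDOW seconds left: fetch a fresh proxy from MyProxy
#   hold    enough lifetime left: nothing to do this pass
renewal_decision() {
    if [ -e "$RENEWALS_DISABLED" ]; then echo denied; return 0; fi
    if ! grep -qx "$1" "$JOBS_FILE" 2>/dev/null; then echo done; return 0; fi
    if expires_within "$2" "$3"; then echo renew; else echo hold; fi
}

# renewal_pass WINDOW: one sweep, printing "<job> <decision>" per registered
# job. Only the decision is made here; the refresh itself is the caller's.
renewal_pass() {
    while IFS= read -r job; do
        [ -n "$job" ] || continue
        echo "$job $(renewal_decision "$job" "$WORK/$job.crt" "$1")"
    done < "$JOBS_FILE"
}

cleanup() { rm -rf "$WORK"; }
```

Checking with a margin (the WINDOW) rather than at expiry matters: the refresh has to complete and be delivered to the job before the old proxy lapses, and a renewal service that only reacts to an already-expired proxy has already failed the job.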

MyProxy Authentication
- Key passphrase
- X.509 certificate
  - Used for credential renewal
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One-Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)

One-Time Passwords (OTP)
- Protect against stolen passwords
- A hardware token generates the OTP
- Authenticate with the OTP alone or combined with the key passphrase
- Tested with CryptoCard tokens at NCSA
- Compatible with existing MyProxy clients

Managing Trust Roots
- Addresses the challenge of keeping trust root configuration up to date across machines
  - CA certificates and CRLs
- The user's trust roots can differ from the site's
- myproxy-logon -T
  - Synchronizes the contents of ~/.globus/certificates with the MyProxy server

MyProxy CA (coming soon)
- The MyProxy server issues short-lived certificates to authenticated clients
  - Leverages the MyProxy authentication mechanisms
  - Compatible with existing MyProxy clients
- Avoids managing long-lived user keys
- The server can function as both CA and repository
  - Issue a certificate if no credentials are found for the user

MyProxy and Pubcookie (coming soon)
- Combine web and grid single sign-on
  - Authenticate to MyProxy with the Pubcookie granting cookie
[Diagram: the Web Application Server redirects the Browser to the Pubcookie Login Server to authenticate and obtain a granting cookie; the login server verifies the login with the Campus Authentication Server; the web application server then retrieves a proxy from the MyProxy server.]
Jonathan Martin, Jim Basney, and Marty Humphrey, "Extending Existing Campus Trust Relationships to the Grid through the Integration of Pubcookie and MyProxy," 2005 International Conference on Computational Science (ICCS 2005), Emory University, Atlanta, GA, May 22-25, 2005.

MyProxy Security
- Keys encrypted with user-chosen passwords
  - The server enforces password quality
  - Passwords are not stored
- A dedicated server is less vulnerable than desktops and general-purpose systems
  - Professionally managed, monitored, locked down
- Users retrieve short-lived credentials
  - New proxy keys are generated for every session
- All server operations are logged to syslog
- Caveat: the private key database is an attack target
  - Compare with the status quo of long-lived keys kept on users' desktops
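"All server operations logged to syslog" is only useful if someone reads the log. The script below is an added example, not MyProxy's own code, of the triage a site would run over those records: failed authentications per account, and each failure tied to its source address through the server process id. The log lines are constructed in the shape of syslog output; the exact wording of myproxy-server messages varies by version, so the two patterns would be adapted to a real log.

```shell
#!/bin/sh
# Added example (not MyProxy's own code): triage of the syslog records the
# server writes. Sample lines are constructed; adapt the patterns to the
# wording of your own myproxy-server version.
set -eu

# sample_log: constructed sample. One user mistypes once and then succeeds;
# another account sees a passphrase-guessing run from a single source.
sample_log() {
    cat <<'EOF'
Sep  6 10:01:02 myproxy myproxy-server[1234]: Connection from 192.0.2.10
Sep  6 10:01:02 myproxy myproxy-server[1234]: Authentication failed: alice (bad passphrase)
Sep  6 10:01:09 myproxy myproxy-server[1236]: Connection from 192.0.2.10
Sep  6 10:01:09 myproxy myproxy-server[1236]: Authentication succeeded: alice (proxy delegated, 12 hours)
Sep  6 10:02:15 myproxy myproxy-server[1240]: Connection from 203.0.113.5
Sep  6 10:02:15 myproxy myproxy-server[1240]: Authentication failed: bob (bad passphrase)
Sep  6 10:02:16 myproxy myproxy-server[1241]: Connection from 203.0.113.5
Sep  6 10:02:16 myproxy myproxy-server[1241]: Authentication failed: bob (bad passphrase)
Sep  6 10:02:17 myproxy myproxy-server[1242]: Connection from 203.0.113.5
Sep  6 10:02:17 myproxy myproxy-server[1242]: Authentication failed: bob (bad passphrase)
Sep  6 10:02:18 myproxy myproxy-server[1243]: Connection from 203.0.113.5
Sep  6 10:02:18 myproxy myproxy-server[1243]: Authentication failed: bob (bad passphrase)
EOF
}

# failed_auth_by_user: syslog on stdin -> "<failures> <user>", worst first.
failed_auth_by_user() {
    sed -n 's/.*Authentication failed: \([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# users_over_threshold N: accounts with at least N failures, the candidates
# an administrator reviews before locking the credential with the
# myproxy-admin tools mentioned on the administration slide.
users_over_threshold() {
    failed_auth_by_user | awk -v n="$1" '$1 >= n { print $2 }'
}

# failed_auth_with_source: syslog on stdin -> "<user> <client ip>". Each
# connection is served by its own process, so the [pid] ties the
# "Connection from" line to the failure that follows it.
failed_auth_with_source() {
    awk '
        match($0, /myproxy-server\[[0-9]+\]/) { pid = substr($0, RSTART, RLENGTH) }
        /Connection from/                     { ip[pid] = $NF }
        /Authentication failed:/ {
            user = $0
            sub(/.*Authentication failed: /, "", user)
            sub(/ .*/, "", user)
            print user, (pid in ip ? ip[pid] : "unknown")
        }'
}
```

A single failure followed by a success (alice) is noise; four failures in four seconds from one address against one account (bob) is the pattern that justifies locking that credential and investigating the source, and the slide's design makes that cheap because every retrieval has to pass through the one monitored server.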

Hardware-Secured MyProxy (experimental)
- Protect keys in tamper-resistant cryptographic hardware
[Diagram: the client sends a proxy request to the MyProxy Server, which uses an IBM 4758 cryptographic coprocessor through PKCS#11 to produce the proxy certificate and returns it (retrieve proxy).]
M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April.

MyProxy CoG Clients
- Commodity Grid (CoG) Kits
  - Provide portable (Java, Python, and Perl) MyProxy client tools and APIs
  - Windows support
- For more information:

MyProxy Commands
- myproxy-init: store proxy
- myproxy-logon: retrieve proxy
- myproxy-info: query stored credentials
- myproxy-destroy: remove credential
- myproxy-change-pass-phrase: change the password encrypting the private key
- myproxy-store: store credential
- myproxy-retrieve: retrieve credential

MyProxy Installation (Unix)
- Included in GT 4.0
    $ make gsi-myproxy; make install
- As an add-on component to GT 3.x
    $ gpt-build myproxy*.tar.gz
- Set the $MYPROXY_SERVER environment variable to the myproxy-server hostname
    $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu
- Set the Globus Toolkit environment
    $ . $GLOBUS_LOCATION/etc/globus-user-env.sh
- Client installation/configuration complete!

MyProxy Server Administration
- Install the server certificate and CA certificate(s)
- Configure the /etc/myproxy-server.config policy
  - A template with examples is provided
- Optionally:
  - Configure password quality enforcement
  - Install a cron script to delete expired credentials
- Install the boot script and start the server
  - An example boot script is provided
- Use the myproxy-admin commands to manage the server
  - Reset passwords, query the repository, lock credentials

MyProxy Server Policies
- Who can store credentials?
  - Restrict to specific users or CAs
  - Restrict to the administrator only
- Who can retrieve credentials?
  - Allow anyone with the correct password
  - Allow only trusted services / portals
- Maximum lifetime of retrieved credentials, server-wide and per credential
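How the policy questions on this slide and the administration items on the previous one (password quality, key retrieval enablement) land in /etc/myproxy-server.config, as an added illustration rather than the template shipped with MyProxy. The directive names are the ones documented in the myproxy-server.config manual and should be checked against the template of the installed version; the DN patterns, hostnames and the policy-program path are placeholders.

```conf
# Added illustration of /etc/myproxy-server.config, not the shipped template.
# DN patterns, hostnames and the policy-program path are placeholders.

# Who can store credentials. The permissive form accepts any credential
# from any trusted CA; the restricted form accepts only subjects under your
# own CA's namespace (the slide's "restrict to specific users or CAs").
# accepted_credentials "*"
accepted_credentials "/O=Example Grid/*"

# Who can retrieve credentials. The first form is "anyone with the correct
# password"; the commented alternative is "only trusted services / portals",
# which authenticate with their own X.509 certificate.
authorized_retrievers "*"
# authorized_retrievers "/O=Example Grid/CN=host/portal.example.org"

# Services allowed to renew credentials on a user's behalf (certificate
# authentication, as on the MyProxy Authentication slide). Nothing may
# renew unless listed here.
authorized_renewers "/O=Example Grid/CN=host/renewal.example.org"
default_renewers "none"

# Key upload/download stays disabled unless the administrator lists the
# subjects allowed to retrieve their own keys (the slide 10 requirement).
# authorized_key_retrievers "/O=Example Grid/CN=Jim"

# Server-wide cap on the lifetime of retrieved proxies, in seconds (12 h).
# Per-credential lifetimes are set by the user at store time and cannot
# exceed this.
max_proxy_lifetime 43200

# Password quality: every new passphrase is checked by this program before
# it is accepted.
passphrase_policy_program /usr/local/sbin/myproxy-passphrase-policy
```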

MyProxy Server Replication (coming soon)
- Primary/secondary model (like Kerberos)
  - If the primary is down, fail over to the secondary for credential retrieval
  - Store, delete, and change passphrase on the primary only
  - Client-side fail-over is under development
- Simple configuration
  - Run myproxy-replicate via cron
  - Alternatively, use rsync over ssh

MyProxy and Standards
- The MyProxy protocol specification has been submitted to the GGF recommendations track
  - Currently under steering group review
- MyProxy uses:
  - IETF RFC 2246: Transport Layer Security (TLS) Protocol Version 1.0
  - IETF RFC 3820: Internet X.509 PKI Proxy Certificate Profile
  - DCE RFC 86.0: Pluggable Authentication Modules (PAM)
  - IETF RFC 2222: Simple Authentication and Security Layer (SASL)

Related Work
- GT4 Delegation Service
  - Protocol based on WS-Trust and WSRF
- UVA CredEx
  - WS-Trust credential exchange service
- SACRED (RFC 3767) Credential Repository
- Kerberized Online CA (KX.509/KCA)
  - Kerberos -> PKI
- Kerberos PKINIT
  - PKI -> Kerberos

MyProxy Community
- MyProxy is an open source, community project
  - Many contributions from outside NCSA
- Mailing list
- Bug tracking
- Anonymous CVS access
- Contributions welcome!
  - Feature requests, bug reports, patches, etc.

Thank you! Questions/Comments? Contact: