Using the MyProxy Online Credential Repository
Jim Basney, National Center for Supercomputing Applications, University of Illinois


GlobusWORLD 2005, http://myproxy.ncsa.uiuc.edu/

Slide 2: What is MyProxy?
- Independent Globus Toolkit add-on since 2000
  - To be included in Globus Toolkit 4.0
- A service for securing private keys
  - Keys stored encrypted with user-chosen password
  - Keys never leave the MyProxy server
- A service for retrieving proxy credentials
- A commonly-used service for grid portal security
  - Integrated with OGCE, GridSphere, and GridPort

Slide 3: PKI Overview
- Public Key Cryptography
  - Sign with private key, verify signature with public key
  - Encrypt with public key, decrypt with private key
- Key Distribution
  - Who does a public key belong to?
  - Certification Authority (CA) verifies user’s identity and signs certificate
  - Certificate is a document that binds the user’s identity to a public key
- Authentication
  - Signature [ h ( random, … ) ]
(Diagram: the CA’s self-signed certificate (Subject: CA, Issuer: CA) signs the user’s certificate (Subject: Jim, Issuer: CA).)

Slide 4: Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  - Restricted lifetime in certificate limits vulnerability of unencrypted key
- Credential delegation (forwarding) without transferring private keys
(Diagram: certificate chain CA, User, Proxy A, Proxy B; the CA signs the user certificate, the user signs Proxy A, and Proxy A signs Proxy B.)

Slide 5: Proxy Delegation
(Diagram: delegator and delegatee. The delegatee generates a new key pair and sends a proxy certificate request; the delegator signs the new proxy certificate and returns the proxy to the delegatee.)
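The exchange on this slide, together with the previous slide's point that delegation never transfers a private key, as an added Go example (not part of the presentation or of the MyProxy code base) built on Go's standard crypto/x509 package: the delegatee sends only a certificate request, and the delegator signs a short-lived proxy whose subject extends its own. It assumes a self-signed stand-in for the user's CA-issued credential and omits the ProxyCertInfo extension that a full RFC 3820 proxy carries.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3} // X.520 commonName
// Delegatee side: fresh key pair plus a certificate request that carries only the public key (with proof of possession); the private key never leaves here.
func delegateeRequest() (key *ecdsa.PrivateKey, csrDER []byte, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err == nil {
		csrDER, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	}
	return
}

// Delegator side: verify the request, then sign an RFC 3820-style proxy whose subject is the delegator's subject plus one CN and which never outlives its signer.
func delegatorSign(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, csrDER []byte, lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // requester must prove it holds the new private key
	}
	if err != nil {
		return nil, err
	}
	subject := issuer.Subject // ExtraNames override the CommonName field, so list both CNs in order
	subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidCN, Value: subject.CommonName}, {Type: oidCN, Value: "proxy"}}
	now := time.Now()
	if remaining := issuer.NotAfter.Sub(now); lifetime > remaining {
		lifetime = remaining // cap the proxy at the signing credential's own expiry
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: subject, NotBefore: now, NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, issuerKey)
}

// selfSignedUser stands in for the user's CA-issued credential (constructed for this example).
func selfSignedUser(cn string, lifetime time.Duration) (cert *x509.Certificate, key *ecdsa.PrivateKey, err error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"Example Grid"}, CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(lifetime)}
	var der []byte
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err == nil {
		if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err == nil {
			cert, err = x509.ParseCertificate(der)
		}
	}
	return
}
```

Only csrDER and the returned certificate cross the wire; a relying party checks the proxy's signature directly against the user certificate's public key, since a non-CA issuer would not pass x509.Verify's chain rules.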

Slide 6: MyProxy System Architecture
(Diagram: a MyProxy client stores a proxy in, and retrieves a proxy from, the MyProxy server’s credential repository; both operations are proxy delegations over a private TLS channel.)

Slide 7: MyProxy: Credential Mobility
(Diagram: the user obtains a certificate from ca.ncsa.uiuc.edu, stores a proxy on myproxy.teragrid.org, and retrieves proxies from it on the TeraGrid login hosts tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org and tg-login.ncsa.teragrid.org.)

Slide 8: MyProxy and Grid Portals
(Diagram: the user logs in to the portal; the portal fetches a proxy from the MyProxy server and uses it to access data on a GridFTP server.)

Slide 9: MyProxy: User Registration
(Diagram: ESG PURSE, the Portal-based User Registration Service. The user requests an account at the registration portal; the portal obtains a user certificate from the certificate authority and loads the user’s credentials into the MyProxy server, setting the username/password. The user then logs in to the grid portal with username/password, and the grid portal retrieves a proxy from the MyProxy server.)

Slide 10: MyProxy Security
- Keys encrypted with user-chosen passwords
  - Server enforces password quality
  - Passwords are not stored
- Dedicated server less vulnerable than desktop and general-purpose systems
  - Professionally managed, monitored, locked down
- Users retrieve short-lived credentials
  - Generating new proxy keys for every session
- All server operations logged to syslog
- Caveat: Private key database is an attack target
  - Compare with status quo

Slide 11: Hardware-Secured MyProxy
- Protect keys in tamper-resistant cryptographic hardware
M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April.
(Diagram: the MyProxy server keeps the keys inside an IBM 4758 cryptographic coprocessor; a retrieve-proxy request is passed to the 4758 as a proxy request, and the 4758 returns the signed proxy certificate.)

Slide 12: GlobusWORLD 2003 Flashback

Slide 13: Credential Renewal
- Long-lived jobs or services need credentials
  - Task lifetime is difficult to predict
- Don’t want to delegate long-lived credentials
  - Fear of compromise
- Instead, renew credentials as needed during the job’s lifetime
  - Renewal service provides a single point of monitoring and control
- Renewal policy can be modified at any time
  - Disable renewals if compromise is detected or suspected
  - Disable renewals when jobs complete

Slide 14: MyProxy: Credential Renewal
(Diagram: the user submits a job to Condor-G, which submits it to the Globus gatekeeper; Condor-G fetches a proxy from the MyProxy server and refreshes the proxy at the gatekeeper.)

Slide 15: MyProxy Installation (Unix)
- Included in GT 4.0
- As an add-on component to GT 3.x
    $ gpt-build myproxy*.tar.gz
- Set $MYPROXY_SERVER environment variable to myproxy-server hostname
    $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu
- Set Globus Toolkit environment
    $ . $GLOBUS_LOCATION/etc/globus-user-env.sh
- Client installation/configuration complete!

Slide 16: MyProxy CoG Clients
- Commodity Grid (CoG) Kits
  - Provide portable (Java and Python) MyProxy client tools & APIs
  - Windows support
- For more information:

Slide 17: MyProxy Commands
- myproxy-init: store proxy
- myproxy-get-delegation: retrieve proxy
- myproxy-info: query stored credentials
- myproxy-destroy: remove credential
- myproxy-change-pass-phrase: change password encrypting private key

Slide 18: MyProxy Server Administration
- Install server certificate and CA certificate(s)
- Configure /etc/myproxy-server.config policy
  - Template provided with examples
- Optionally:
  - Configure password quality enforcement
  - Install cron script to delete expired credentials
- Install boot script and start server
  - Example boot script provided
- Use myproxy-admin commands to manage server
  - Reset passwords, query repository, lock credentials

Slide 19: MyProxy Server Policies
- Who can store credentials?
  - Restrict to specific users or CAs
  - Restrict to administrator only
- Who can retrieve credentials?
  - Allow anyone with correct password
  - Allow only trusted services / portals
- Maximum lifetime of retrieved credentials, server-wide and per-credential

Slide 20: MyProxy and SASL
- MyProxy supports additional authentication mechanisms via SASL (RFC 2222)
- One Time Passwords (SASL PLAIN with PAM)
  - Protect against stolen passwords
  - Hardware token generates OTP
  - Authenticate with OTP plus MyProxy password
  - Tested with CryptoCard tokens
- Kerberos (SASL GSSAPI)
  - Authenticate with Kerberos ticket plus MyProxy password

Slide 21: Related Work
- GT4 Delegation Service
  - Protocol based on WS-Trust and WSRF
- SACRED (RFC 3767) Credential Repository
- Kerberized Online CA (KX.509/KCA)
  - Kerberos -> PKI
- PKINIT for Heimdal Kerberos
  - PKI -> Kerberos

Slide 22: GridLogon
- Work in progress
- Inspired by Peter Gutmann’s PKIBoot
  - “Plug-and-Play PKI: A PKI your Mother can Use”
- Password-based authentication to initialize user’s security environment
  - Install identity/attribute/authorization credentials
  - Install CA certificates and CRLs
  - Install additional security configurations

Slide 23: MyProxy Community
- mailing list
- Bug tracking:
- Anonymous CVS access
- Contributions welcome!
  - Feature requests, bug reports, patches, etc.

Slide 24: Thank you! Questions/Comments? Contact: