grid security infrastructure: overview and problems pki-coord meeting, amsterdam november 26, 2001...
Post on 16-Dec-2015
219 Views
Preview:
TRANSCRIPT
GRID Security Infrastructure:
Overview and problems
PKI-COORD Meeting, Amsterdam November 26, 2001
Yuri Demchenko <demch@terena.nl>
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_2
Outlines
• Security Issues in Grid computing• Grid Security Infrastructure• OCR – Online Credential Retrieval • Restricted Delegation Certificate Profile• DataGRID Security related activity
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_3
Security Issues in Grid computing
General issues: Traditional systems are user/client/host centric Grid computing is data centric
Traditional systems: Protect system from its users Protect data of one user from compromise
In Grid systems: Protect applications and data from system where computation execute Stronger/mutual authentication needed (for users and code)
Ensure that resources and data not provided by a attacker
Protect local execution from remote systems Different admin domains/Security policies
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_4
Security Issues in Grid computing - Components
Authentication Password based Kerberos based (authentication and key distribution protocol) SSL authentication PKI/Cert based
Authorisation Integrity and confidentiality
Cryptography
Assurance Accounting Audit
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_5
Authentication
Traditional systems: Authenticate user/client to protect system
Grid systems: Mutual authentication required
Ensure that resources and data not provided by a attacker
Delegation of Identity Process that grants one principal the authority to act as another individual Assume another’s identity to perform certain functions E.g., in Globus: use gridmap file on a particular resource to map authenticated user
user onto another’s account, with corresponding privileges
Data origin authentication
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_6
Authorisation
Traditional systems: Determine whether a particular operation is allowed based on authenticated
identity of requester and local information
Grid systems: Determine whether access to resource/operation is allowed
Access control list associated with resources, principal or authorised programs
Distributed Authorisation Distributed maintenance of authorisation information One approach: Embed attributes in certificates
– Restricted proxy: authorisation certificate that grants authority to perform operation on behalf of grantor
Alternative: separate authorisation server
Use of CAS (Community Authorisation System) for group authorisation
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_7
Assurance, Accounting, Audit
Assurance When service is requested, to assure that candidate service provider meets
requirements
Accounting Means of tracking, limiting or changing for consumption of resources
Audit Record operations performed by systems and associate actions with
principals Find out what went wrong: typical role of Intrusion Detection Systems
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_8
GRID Security Infrastructure (GSI)
Current situation: Globus assumes Hierarchical CA architecture with one top-level CA Interdomain authorisation is based on X.509 identity certificates Authentication and Authorisation Mapping of user certificates to user accounts GSI uses proxy credentials to allow for single sign-on and to provide delegated
credentials for use by agent and servers Online Credential Retrieval to create and manage proxy certificates Next development: impersonation certificate and restricted delegation certificate
GSI problems: Thousands of users – thousands of Certs – many of CAs (with different policies) Grid-wide user group and roles are needed
No grid-wide logging or auditing
Need for anonymous users Protocol to access personal credential for OCR
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_9
GSI Roadmap: Grid Security Requirements
A Grid security solution should be based on existing standards wherever possible.
Grid authentication requirements: Single sign on Delegation Integration with various local security solutions User-based trust relationships
Grid requirements for communication protection: Flexible message protection Supports various reliable communication protocols Supports independent data units (IDU)
Grid authorization requirements: Authorization by stakeholders Restricted delegation
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_10
GSI authentication requirements
Single sign on Users must be able to "log on" (authenticate) just once and then have access to any
resource in the Grid that they are authorized to use, without further user intervention.
Delegation A user must be able to endow to a program the ability to run on that user's behalf, so that
the program is able to access the resources on which the user is authorized. The program should (optionally) also be able to further delegate to another program.
Integration with various local security solutions Each site or resource provider may employ any of a variety of local security solutions,
including Kerberos, Unix security, etc. The Grid security solution must be able to interoperate with these various local solutions. It cannot require wholesale replacement of local security solutions, but rather must allow mapping into the local environment.
User-based trust relationships In order for a user to use resources from multiple providers together, the security system
must not require each of the resource providers to cooperate or interact with each other in configuring the security environment. In other words, if a user has the right to use sites A and B, the user should be able to use sites A and B together without requiring the security administrators from sites A and B to interact.
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_11
GSI requirements for communication protection
Flexible message protection An application must be able to dynamically configure a service protocol to use various
levels of message protection, including none, just integrity, or integrity plus confidentiality. The choice may be motivated by factors such as sensitivity of the messages, performance requirements, the parties involved in the communication, and the infrastructure over which the message is transiting.
Supports various reliable communication protocols While TCP is the dominant, and widely available, reliable communication protocol for
the Internet, the security mechanisms must be usable with a wide assortment of other reliable communication protocols. For example, performance requirements may dictate the use of non-TCP protocols for use within specialized environments.
Supports independent data units (IDU) Some applications require "protection of a generic data unit (such as a file or message) in
a way which is independent of the protection of any other data unit and independent of any concurrent contact with designated 'receivers' of the data unit" [1]. For example, streaming media, email, and unreliable UDP datagrams all require this form of protection.
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_12
GSI authorization requirements
Authorization by stakeholders Resource owners or stakeholders must be able to control which subjects can
access the resource, and under what conditions.
Restricted delegation In order to minimize exposure from compromised or misused delegated
credentials, it is desirable to have rich support for the restriction of the authorization rights that are delegated.
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_13
GSI WG documents (1)
Grid Security Infrastructure (GSI) Roadmap - February 2001 An informational draft, providing an overview of GSI and the technical specifications that
define GSI http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-gsi-roadmap-02.pdf
Internet X.509 Public Key Infrastructure Proxy Certificate Profile - July 2001 A technical specification draft of the X.509 certificate extensions required to support
proxies, which is used for GSI single sign-on and delegation http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ietf-pkix-proxy-01.pdf
GSI Online Credential Retrieval - Requirements - October 2001 A technical specification draft of TLS (SSL) protocol extensions to allow delegation of
X.509 Proxy Certificates http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-gsi-ocr-requirements-00.pdf
Multiple Credentials - Scenarios and Requirements - September 2001 Describes a number of scenarios where entities on Grid require multiple credentials. It
details the requirements these scenarios place on the security infrastructure of the Grids
http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-multi-creds-requirements-01.pdf
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_14
GSI WG documents (2)
Internet X.509 PKI Impersonation Certificate Profile– February 2001 http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-x509-impersonation-06.pdf
Internet X.509 PKI Restricted Delegation Certificate Profile – February 2001 http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-x509-res-delegation-01.pdf
TLS Delegation Protocol- July 2001 A technical specification draft of TLS (SSL) protocol extensions to allow delegation of
X.509 Proxy Certificates http://www.ietf.org/internet-drafts/draft-ietf-tls-delegation-01.txt
GSS-API Extensions - September 2001 A technical specification draft of GSS-API extensions, which are required for effective
Grid programming using GSS-API http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-gss-extensions-04.pdf
Akenti Restriction Language in X509 Proxy Certificates - July 2001 http://www.gridforum.org/security/ggf2_2001-07/drafts/draft-ggf-akenti-proxyRes-00.pdf
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_15
Online Credential Retrieval (OCR)
Definition: OCR service defines TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates and secure remote access to private credentials
Goal: to avoid drawbacks in personal management of credentials by users (private key protection, mobile/remote access, need for multiple credentials)
Authentication in GSI is based on proxy credentials Proxy credential consists of proxy certificate and an associated private key Proxy certificate is an X.509 certificate that is derived from a standard X.509 end
entity (EE) certificate or another proxy certificate and signed with the private key associated with the source certificate
Proxy credential has limited lifetime to limit vulnerability of the EE private key: user create proxy credential once using its private key
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_16
OCR Requirements – GGF Draft
OCR usage scenarios/operations Credential Initialisation Credential renewal Transparent Credential retrieval Adding Delegation to Existing Protocols Multiple Credentials
Requirements to Protocols: Credential Retrieval Protocol, Credential Upload Protocol,
Administration Protocol Credential Server Credential Repository
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_17
OCR Related works
IETF SACRED WG Many of requirements are similar to OCR’s Difference:
SACRED requirements state that the credential format MUST be opaque to the protocol and the protocol MUST NOT force credentials to be present in cleartext at the server
– This requirement disallow X.509 proxy delegation as defined by OCR requirements
IETF PKIX WG OCR performs tasks similar to PKIX online management of credentials (retrieving
certificates and certificate revocation lists, online certificate status protocol) Difference: OCR involves private key that must be kept secret
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_18
Internet X.509 PKI Restricted Delegation Certificate Profile – GGF Draft
Extension to Impersonation Certificate (IC) Delegation extension Restricted rights extension
Address trust issues of the unrestricted Impersonation Certificate use in permitting agent to operate on behalf of an end entity in the environment of X.509 based authorisation
Describes relation between IC with Restricted Rights and Attribute Certificates (AC) and defined scenario for use of AC
Difference that current secure protocols (used by Grid) pass ICs between entities but ACs have to be searched for by the relying party
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_19
GGF Certificate Policy Design WG - Documents
Public Key Technology Policy Requirements for Grid Identification - October 11,2000
– http://www.gridcp.es.net/Documents/PKI_Requirements_for_Grid_Id.pdf Goals:
– develop community policy that allows grid resource managers to accept authentication certificates generated by and or for different Grid
– reduce the number of authentication certificates a grid user has to posses in order to authenticate to multiple Grids
Related to efforts within the US Federal Bridge Certification Authority to bridge top-level federal agency PKI certificate policies
Grid Certificate Policy version 5 http://www.gridcp.es.net/Documents/Draft-GGF-CP-05.pdf Defines four certificate policies representing four different assurance levels (Rudimentary, Basic, Medium, and High) for GGF public key digital certificates
Next meeting – GGF4, Toronto To discuss: Grid CP version 5, Repository model, Certificate Profile
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_20
DataGRID Security related activity
Collect Security requirements from different packages No official security requirements or policy definitions
Started in different Work packages: WP2, WP6, WP7 But ill coordinated Few Workshops and devoted meeting
Compare GSI to security solutions in other middleware Globus development is not not so open and speedy
All new Grid related projects (DataTAG) have special WP on Security
©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems
Slide_21
Observation – other GGF problems
GGF authority is not clear for individual Grid projects Some GGF developments are coordinated between themselves
Where to place Security issues: Data or Network Compare to work of IETF
Technical problem: contradiction with some similar IETF developments, e.g. PKIX SACRED
top related