GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko <[email protected]>


Page 1: GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko

GRID Security Infrastructure:

Overview and problems

PKI-COORD Meeting, Amsterdam November 26, 2001

Yuri Demchenko <[email protected]>


©2001. Yu.Demchenko. TERENA GRID Security Infrastructure: Overview and problems

Slide_2

Outlines

• Security Issues in Grid computing
• Grid Security Infrastructure
• OCR – Online Credential Retrieval
• Restricted Delegation Certificate Profile
• DataGRID Security related activity


Slide_3

Security Issues in Grid computing

General issues:
• Traditional systems are user/client/host centric
• Grid computing is data centric

Traditional systems:
• Protect the system from its users
• Protect the data of one user from compromise

In Grid systems:
• Protect applications and data from the system where the computation executes
• Stronger/mutual authentication needed (for users and code)
• Ensure that resources and data are not provided by an attacker
• Protect local execution from remote systems
• Different admin domains/security policies


Slide_4

Security Issues in Grid computing - Components

• Authentication
  – Password based
  – Kerberos based (authentication and key distribution protocol)
  – SSL authentication
  – PKI/Cert based
• Authorisation
• Integrity and confidentiality
• Cryptography
• Assurance, Accounting, Audit


Slide_5

Authentication

Traditional systems: authenticate the user/client to protect the system

Grid systems: mutual authentication required
• Ensure that resources and data are not provided by an attacker

Delegation of identity
• Process that grants one principal the authority to act as another individual
• Assume another's identity to perform certain functions
• E.g., in Globus: use the gridmap file on a particular resource to map an authenticated user onto another's account, with the corresponding privileges

Data origin authentication


Slide_6

Authorisation

Traditional systems: determine whether a particular operation is allowed based on the authenticated identity of the requester and local information

Grid systems: determine whether access to a resource/operation is allowed
• Access control list associated with resources, principals or authorised programs

Distributed authorisation
• Distributed maintenance of authorisation information
• One approach: embed attributes in certificates
  – Restricted proxy: authorisation certificate that grants authority to perform an operation on behalf of the grantor
• Alternative: separate authorisation server
  – Use of CAS (Community Authorisation System) for group authorisation


Slide_7

Assurance, Accounting, Audit

Assurance: when a service is requested, assure that the candidate service provider meets the requirements

Accounting: means of tracking, limiting or charging for consumption of resources

Audit: record operations performed by systems and associate actions with principals; find out what went wrong (typical role of Intrusion Detection Systems)


Slide_8

GRID Security Infrastructure (GSI)

Current situation:
• Globus assumes a hierarchical CA architecture with one top-level CA
• Interdomain authorisation is based on X.509 identity certificates
• Authentication and authorisation: mapping of user certificates to user accounts
• GSI uses proxy credentials to allow for single sign-on and to provide delegated credentials for use by agents and servers
• Online Credential Retrieval to create and manage proxy certificates
• Next development: impersonation certificate and restricted delegation certificate

GSI problems:
• Thousands of users – thousands of certs – many CAs (with different policies)
• Grid-wide user groups and roles are needed
• No grid-wide logging or auditing
• Need for anonymous users
• Protocol to access personal credentials for OCR
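As an added example for slides 5 and 8 (not from the deck and not Globus code), the certificate-to-account mapping step as a resource would implement it: parse a grid-mapfile, reduce a proxy subject to its EE identity, map it to a local account with deny-by-default, and audit which subjects can reach a privileged account. The file contents, DNs and account names are constructed samples.

```python
"""Map an authenticated certificate subject to a local account the way a
Globus grid-mapfile does. Added illustration for this deck, not Globus
code; the DNs and account names below are constructed sample values."""
import shlex
from typing import Dict, List, Optional

# Constructed grid-mapfile. Globus uses the same shape: one double-quoted
# subject DN per line, then a comma-separated list of local accounts.
SAMPLE_GRIDMAP = '''
# grid-mapfile (constructed sample)
"/C=NL/O=TERENA/CN=Grid User" griduser
"/C=NL/O=SURFnet/CN=Grid Operator" gridops,root
'''

def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {subject DN: [accounts]}. A malformed line aborts the load
    instead of being skipped, so a typo cannot silently drop a mapping."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted DN
        if len(parts) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and accounts")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping

def identity_from_subject(subject: str) -> str:
    """Legacy GSI proxies append '/CN=proxy' or '/CN=limited proxy' to the
    EE subject; strip those to recover the identity the mapfile lists.
    Assumed simplification: proxy components occur only at the end."""
    parts = subject.split("/")
    while parts and parts[-1] in ("CN=proxy", "CN=limited proxy"):
        parts.pop()
    return "/".join(parts)

def map_subject(mapping: Dict[str, List[str]], subject: str,
                requested: Optional[str] = None) -> Optional[str]:
    """Local account for an authenticated subject, or None (deny). Unknown
    identities get nothing; a requested account must be listed; otherwise
    the first listed account is the default."""
    accounts = mapping.get(identity_from_subject(subject))
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None

def privileged_mappings(mapping: Dict[str, List[str]],
                        privileged=("root",)) -> List[str]:
    """Audit helper: subject DNs that can land in a privileged account."""
    return sorted(dn for dn, accts in mapping.items()
                  if any(a in privileged for a in accts))
```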


Slide_9

GSI Roadmap: Grid Security Requirements

A Grid security solution should be based on existing standards wherever possible.

Grid authentication requirements:
• Single sign on
• Delegation
• Integration with various local security solutions
• User-based trust relationships

Grid requirements for communication protection:
• Flexible message protection
• Supports various reliable communication protocols
• Supports independent data units (IDU)

Grid authorization requirements:
• Authorization by stakeholders
• Restricted delegation


Slide_10

GSI authentication requirements

Single sign on: Users must be able to "log on" (authenticate) just once and then have access to any resource in the Grid that they are authorized to use, without further user intervention.

Delegation: A user must be able to endow to a program the ability to run on that user's behalf, so that the program is able to access the resources on which the user is authorized. The program should (optionally) also be able to further delegate to another program.

Integration with various local security solutions: Each site or resource provider may employ any of a variety of local security solutions, including Kerberos, Unix security, etc. The Grid security solution must be able to interoperate with these various local solutions. It cannot require wholesale replacement of local security solutions, but rather must allow mapping into the local environment.

User-based trust relationships: In order for a user to use resources from multiple providers together, the security system must not require each of the resource providers to cooperate or interact with each other in configuring the security environment. In other words, if a user has the right to use sites A and B, the user should be able to use sites A and B together without requiring the security administrators from sites A and B to interact.


Slide_11

GSI requirements for communication protection

Flexible message protection: An application must be able to dynamically configure a service protocol to use various levels of message protection, including none, just integrity, or integrity plus confidentiality. The choice may be motivated by factors such as sensitivity of the messages, performance requirements, the parties involved in the communication, and the infrastructure over which the message is transiting.

Supports various reliable communication protocols: While TCP is the dominant, and widely available, reliable communication protocol for the Internet, the security mechanisms must be usable with a wide assortment of other reliable communication protocols. For example, performance requirements may dictate the use of non-TCP protocols for use within specialized environments.

Supports independent data units (IDU): Some applications require "protection of a generic data unit (such as a file or message) in a way which is independent of the protection of any other data unit and independent of any concurrent contact with designated 'receivers' of the data unit" [1]. For example, streaming media, email, and unreliable UDP datagrams all require this form of protection.


Slide_12

GSI authorization requirements

Authorization by stakeholders: Resource owners or stakeholders must be able to control which subjects can access the resource, and under what conditions.

Restricted delegation: In order to minimize exposure from compromised or misused delegated credentials, it is desirable to have rich support for the restriction of the authorization rights that are delegated.


Slide_13

GSI WG documents (1)

• Grid Security Infrastructure (GSI) Roadmap – February 2001
  An informational draft, providing an overview of GSI and the technical specifications that define GSI
  http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-gsi-roadmap-02.pdf

• Internet X.509 Public Key Infrastructure Proxy Certificate Profile – July 2001
  A technical specification draft of the X.509 certificate extensions required to support proxies, which is used for GSI single sign-on and delegation
  http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ietf-pkix-proxy-01.pdf

• GSI Online Credential Retrieval – Requirements – October 2001
  A technical specification draft of TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates
  http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-gsi-ocr-requirements-00.pdf

• Multiple Credentials – Scenarios and Requirements – September 2001
  Describes a number of scenarios where entities on the Grid require multiple credentials. It details the requirements these scenarios place on the security infrastructure of the Grids
  http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-multi-creds-requirements-01.pdf


Slide_14

GSI WG documents (2)

• Internet X.509 PKI Impersonation Certificate Profile – February 2001
  http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-x509-impersonation-06.pdf

• Internet X.509 PKI Restricted Delegation Certificate Profile – February 2001
  http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-x509-res-delegation-01.pdf

• TLS Delegation Protocol – July 2001
  A technical specification draft of TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates
  http://www.ietf.org/internet-drafts/draft-ietf-tls-delegation-01.txt

• GSS-API Extensions – September 2001
  A technical specification draft of GSS-API extensions, which are required for effective Grid programming using GSS-API
  http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-gss-extensions-04.pdf

• Akenti Restriction Language in X509 Proxy Certificates – July 2001
  http://www.gridforum.org/security/ggf2_2001-07/drafts/draft-ggf-akenti-proxyRes-00.pdf


Slide_15

Online Credential Retrieval (OCR)

Definition: the OCR service defines TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates and secure remote access to private credentials

Goal: to avoid the drawbacks of personal management of credentials by users (private key protection, mobile/remote access, need for multiple credentials)

Authentication in GSI is based on proxy credentials
• A proxy credential consists of a proxy certificate and an associated private key
• A proxy certificate is an X.509 certificate that is derived from a standard X.509 end entity (EE) certificate or another proxy certificate and signed with the private key associated with the source certificate
• A proxy credential has a limited lifetime to limit the exposure of the EE private key: the user creates a proxy credential once using the EE private key


Slide_16

OCR Requirements – GGF Draft

OCR usage scenarios/operations:
• Credential initialisation
• Credential renewal
• Transparent credential retrieval
• Adding delegation to existing protocols
• Multiple credentials

Requirements for:
• Protocols: Credential Retrieval Protocol, Credential Upload Protocol, Administration Protocol
• Credential Server
• Credential Repository


Slide_17

OCR Related works

IETF SACRED WG
• Many of the requirements are similar to OCR's
• Difference: SACRED requirements state that the credential format MUST be opaque to the protocol and the protocol MUST NOT force credentials to be present in cleartext at the server
  – This requirement disallows X.509 proxy delegation as defined by the OCR requirements

IETF PKIX WG
• OCR performs tasks similar to PKIX online management of credentials (retrieving certificates and certificate revocation lists, online certificate status protocol)
• Difference: OCR involves a private key that must be kept secret


Slide_18

Internet X.509 PKI Restricted Delegation Certificate Profile – GGF Draft

Extension to the Impersonation Certificate (IC):
• Delegation extension
• Restricted rights extension

Addresses the trust issues of unrestricted Impersonation Certificate use in permitting an agent to operate on behalf of an end entity in an environment of X.509-based authorisation

Describes the relation between ICs with Restricted Rights and Attribute Certificates (AC) and defines scenarios for the use of ACs

Difference: current secure protocols (used by Grid) pass ICs between entities, but ACs have to be searched for by the relying party
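As an added example for slides 12, 15 and 18 (not from the deck and not GSI/Globus code), the checks a relying party applies to a chain of EE certificate plus proxies after the X.509 library has verified the signatures: issuer linkage, validity at the current time, the assumed rule that a proxy cannot outlive its parent, and restricted rights that may only narrow down the chain. Names, validity periods and rights are constructed.

```python
"""Relying-party policy checks on a GSI proxy-credential chain: each proxy
must be issued by its parent, be valid now, not outlive its parent, and can
only narrow the delegated rights. Added illustration for this deck, not
Globus/GSI code; signature checks are assumed done by the X.509 library."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    # Restricted-rights extension; None = plain impersonation certificate
    # (unrestricted: the holder may do whatever the issuer could do).
    rights: Optional[FrozenSet[str]] = None

def validate_chain(chain: List[Cert], now: datetime,
                   trusted_ca: str) -> Tuple[str, Optional[FrozenSet[str]]]:
    """chain[0] is the EE certificate, chain[1:] the successive proxies.
    Returns (EE identity, effective rights); None means unrestricted."""
    if not chain or chain[0].issuer != trusted_ca:
        raise ValueError("EE certificate was not issued by the trusted CA")
    effective: Optional[FrozenSet[str]] = None
    parent: Optional[Cert] = None
    for cert in chain:
        if not cert.not_before <= now <= cert.not_after:
            raise ValueError(f"{cert.subject} is not valid at {now:%Y-%m-%d %H:%M}")
        if parent is not None:
            if cert.issuer != parent.subject:
                raise ValueError(f"{cert.subject} was not issued by its parent")
            # Policy assumed here: a proxy may not outlive the credential it
            # was derived from, so a leaked proxy dies with its parent.
            if cert.not_after > parent.not_after:
                raise ValueError(f"{cert.subject} outlives its parent")
            if cert.rights is not None:    # rights can only ever shrink
                effective = (cert.rights if effective is None
                             else effective & cert.rights)
        parent = cert
    return chain[0].subject, effective

def is_authorized(rights: Optional[FrozenSet[str]], operation: str) -> bool:
    """Unrestricted chains defer to the resource's own ACL (True here)."""
    return rights is None or operation in rights

def sample_chain(now: datetime) -> List[Cert]:
    """Constructed EE -> proxy -> proxy chain with legacy '/CN=proxy' names."""
    ee = Cert("/O=Grid/CN=Alice", "/O=Grid/CN=Grid CA",
              now - timedelta(days=100), now + timedelta(days=265))
    p1 = Cert(ee.subject + "/CN=proxy", ee.subject, now - timedelta(hours=1),
              now + timedelta(hours=11), frozenset({"read", "submit-job"}))
    p2 = Cert(p1.subject + "/CN=proxy", p1.subject, now - timedelta(minutes=5),
              now + timedelta(hours=2), frozenset({"read", "delete"}))
    return [ee, p1, p2]
```

The second proxy asks for "delete", which the first proxy never held, so the effective rights end up as just "read".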


Slide_19

GGF Certificate Policy Design WG - Documents

Public Key Technology Policy Requirements for Grid Identification – October 11, 2000
– http://www.gridcp.es.net/Documents/PKI_Requirements_for_Grid_Id.pdf
Goals:
– develop a community policy that allows grid resource managers to accept authentication certificates generated by and/or for different Grids
– reduce the number of authentication certificates a grid user has to possess in order to authenticate to multiple Grids
Related to efforts within the US Federal Bridge Certification Authority to bridge top-level federal agency PKI certificate policies

Grid Certificate Policy version 5
– http://www.gridcp.es.net/Documents/Draft-GGF-CP-05.pdf
Defines four certificate policies representing four different assurance levels (Rudimentary, Basic, Medium, and High) for GGF public key digital certificates

Next meeting – GGF4, Toronto. To discuss: Grid CP version 5, Repository model, Certificate Profile


Slide_20

DataGRID Security related activity

• Collect security requirements from different packages
  – No official security requirements or policy definitions
• Started in different Work Packages: WP2, WP6, WP7
  – But ill coordinated
  – Few workshops and dedicated meetings
• Compare GSI to security solutions in other middleware
  – Globus development is not so open and speedy
• All new Grid related projects (DataTAG) have a special WP on Security


Slide_21

Observation – other GGF problems

• GGF authority is not clear for individual Grid projects
• Some GGF developments are coordinated between themselves
• Where to place security issues: Data or Network? Compare to the work of the IETF
• Technical problem: contradiction with some similar IETF developments, e.g. PKIX, SACRED