
GT 3 Security Features

GT 3 Security Features. Sam Meder. Assumptions. Familiarity with PKI concepts Certificates (CA, EEC, Proxy) Delegation Some knowledge of Web Services Security Standards: WS-Security XML-Signature XML-Encryption Some knowledge of GSSAPI. GT Security Overview.


Presentation Transcript


  1. GT 3 Security Features Sam Meder

  2. Assumptions
     • Familiarity with PKI concepts
       • Certificates (CA, EEC, Proxy)
       • Delegation
     • Some knowledge of Web Services Security Standards:
       • WS-Security
       • XML-Signature
       • XML-Encryption
     • Some knowledge of GSSAPI

  3. GT Security Overview
     • GT 3.0 Authentication Mechanisms
       • X509/SSL/GSSAPI based (GSI Secure Conversation)
       • X509/public key based (GSI Secure Message)
     • GT 3.0 Authorization Mechanisms
       • Gridmap
       • Host
       • Self
       • None

  4. WS Background
     [Diagram: Hosting Environment/Container with a handler chain of Incoming Handler, Incoming Handler, Pivot Handler, Service, Outgoing Handler, Outgoing Handler]
     • Most security work is done in JAX-RPC/Axis Handlers

  5. Server Side Implementation
     [Diagram: Server Hosting Environment containing JAAS, Security Policy Handler, Authorization Handler, WS-Security Handler, Sec Msg Handler, Sec Conv Msg Handler, SecConv Service and the Service, with the Client on the other side]

  6. Server Side Implementation (Continued)
     • Handlers, Handlers, Handlers
     • WS-Security Handler
       • Decrypts/verifies signature on incoming messages
       • Populates the JAAS Peer Subject
     • Security Policy Handler
       • Checks that the security meets the requirements specified in the security deployment descriptor
     • Authentication Policy Handler
       • Sets the invocation (JAAS) subject as specified by the run-as policy in the security deployment descriptor
     • Run As Handler

  7. Server Side Implementation (Continued)
     • Even more handlers
     • Authorization Handler
       • Authorizes incoming messages – more later
     • Credential Refresh Handler
       • Refreshes credential in invocation subject based on delegated credential
     • Authentication Service Handler
       • Redirects messages to Secure Conversation Service
     • Secure Message Handler (aka X509 Sign Handler)
       • Signs GSI Secure Message secured communications

  8. Server Side Implementation (Continued)
     • Only one more, I promise
     • Secure Conversation Message Handler (aka GSS Handler)
       • Signs and encrypts GSI Secure Conversation secured communication
     • Other pieces:
       • Context Manager
         • Keeps track of established contexts
         • Destroys contexts on expiration

  9. Server Side Programming
     • Declarative Model:
       • Security properties (for incoming communication) are specified in a deployment descriptor
       • Wrapper handler(s) read the descriptor and populate security parameters
       • Handlers act on security parameters
     • Generally requires no explicit security calls by the service implementer

  10. Client Side Implementation
     [Diagram: Client Hosting Environment (Client, Sec Msg Handler, SecConv Message Handler, Sec Conv Service Handler, WS-Sec Client Handler) talking to the Server Hosting Environment (SecConv Service, Service)]

  11. Client Side Implementation (Continued)
     • Client Side Handlers
       • Secure Conversation Service Handler
         • Establishes new Secure Conversation context if needed
       • Secure Message Handler
       • Secure Conversation Message Handler
       • WS-Security (Client) Handler
       • Above three are equivalent/same as server side handlers
     • Client side Authorization
       • Handled by the Secure Conversation Service and the WS-Security Client Handler
       • Host authorization by default

  12. Client Side Programming
     • Clients need to set security properties explicitly – programmatic model
     • Server/Service acting as client
     • Handlers pick up security properties and act accordingly

  13. JAAS
     • Java Authentication & Authorization Service
     • Currently (3.0) only used for managing/storing credentials
     • JAAS Subject object
       • Authorization checks
       • Outgoing Connections
     • Different Subject Types:
       • System
       • Container
       • Peer
       • Invocation Subject

  14. GRIM (Grid Resource Identity Mapper)
     • Allows GT3 components to run without special privileges
     • Setuid to user with access to (host) credentials
     • Reads credentials
     • Creates GRIM Proxy from credentials and configuration information

  15. GRIM Proxy
     • Proxy contains a GRIM Policy
     • GRIM Policy currently (3.0) consists of
       • List of authorized porttypes
       • List of authorized DNs
     • GRIM Policy in 3.x will change to
       • Always list GRAM porttype
         • Backwards compatibility
         • No other porttypes will ever be listed
       • List of authorized DNs

  16. GRIM Wish List
     • Make GRIM produce independent proxy
       • Proxy should contain non-critical extension
       • Extension should contain SAML assertion on allowed DNs
       • Does not require special handling of proxy in cases where you don’t care about the extension

  17. Authorization – Cooking your own
     • Replace the Authorization Handler
       • Check out the current one
       • Write your own
       • Build/Compile it
       • Replace existing handler in server-config.wsdd and make sure that handler is available in your CLASSPATH

  18. AuthorizationHandler (current implementation)
     public class AuthorizationHandler extends BasicHandler {
         ...
         public void invoke(MessageContext messageContext) throws AxisFault {
             // Peer Subject populated earlier in the chain by the WS-Security handler
             Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
             // Security deployment descriptor properties of the target service
             ServiceProperties props = DescriptorHandler.getService(messageContext);
             ServiceAuthorization auth = null;
             String tmp = (String) props.getProperty(Authorization.AUTHORIZATION);
             if (tmp == null) {
                 auth = DefaultAuthorization.getInstance();
             } else if (tmp.equalsIgnoreCase("none")) {
                 auth = NoAuthorization.getInstance();
             } else if (tmp.equalsIgnoreCase("self")) {
                 auth = SelfAuthorization.getInstance();
             } else if (tmp.equalsIgnoreCase("gridmap")) {
                 auth = GridMapAuthorization.getInstance();
             } else {
                 // Unknown authorization method name: fail the call rather than fall through
                 Exception e = new AuthorizationException(
                     i18n.getMessage("badAuthMethod", new Object[] {tmp}));
                 throw AxisFault.makeFault(e);
             }
             try {
                 auth.authorize(subject, props, messageContext);
             } catch (AuthorizationException e) {
                 throw AxisFault.makeFault(e);
             }
         }
     }

  19. server-config.wsdd
     <?xml version="1.0" encoding="UTF-8"?>
     <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                 xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
       …
       <globalConfiguration>
         …
         <requestFlow>
           …
           <handler type="java:org.globus.ogsa.impl.security.authorization.AuthorizationHandler"/>
           …
         </requestFlow>
         …
       </globalConfiguration>
       …
     </deployment>

  20. GSI Secure Conversation
     • Based on GSSAPI, WS-Security, XML-Signature and XML-Encryption
     • Session based
     • Support for delegation
       • Automatic refresh of delegated proxy on re-delegation
     • Uses our SSL based GSSAPI mechanism
     • Protocol is driven by gss_init/accept_sec_context
     • get_mic/verify_mic and wrap/unwrap

  21. Secure Conversation PortType
     <gwsdl:portType name="SecureContextEstablishmentPortType">
       <operation name="initTokenExchange">
         <input message="tns:InitTokenExchangeInputMessage"/>
         <output message="tns:InitTokenExchangeOutputMessage"/>
         <fault name="MechanismTypeNotSupportedFault" message="tns:MechanismTypeNotSupportedFault"/>
       </operation>
       <operation name="continueTokenExchange">
         <input message="tns:ContinueTokenExchangeInputMessage"/>
         <output message="tns:ContinueTokenExchangeOutputMessage"/>
         <fault name="InvalidContextIdFault" message="tns:InvalidContextIdFault"/>
       </operation>
     </gwsdl:portType>

  22. Secure Conversation Messages
     <complexType name="ContextTokenType">
       <sequence>
         <element name="base64Token" type="base64Binary"/>
         <element name="context-id" type="string"/>
       </sequence>
       <attribute name="continue-needed" type="boolean"/>
     </complexType>
     <complexType name="ContextTokenElementType">
       <sequence>
         <element name="contextToken" type="auth-types:ContextTokenType"/>
       </sequence>
     </complexType>

  23. Secure Conversation Messages (Continued)
     <complexType name="ContextTokenOutType">
       <sequence>
         <element name="base64Token" type="base64Binary"/>
         <element name="context-id" type="string"/>
       </sequence>
       <attribute name="continue-needed" type="boolean"/>
     </complexType>
     <complexType name="ContextTokenOutElementType">
       <sequence>
         <element name="contextTokenOut" type="auth-types:ContextTokenOutType"/>
       </sequence>
     </complexType>

  24. Secure Conversation Messages (Continued)
     <complexType name="InitContextTokenType">
       <complexContent>
         <extension base="auth-types:ContextTokenType">
           <attribute name="mechanism-type" use="required" type="string"/>
         </extension>
       </complexContent>
     </complexType>
     <complexType name="InitContextTokenElementType">
       <sequence>
         <element name="initContextToken" type="auth-types:InitContextTokenType"/>
       </sequence>
     </complexType>

  25. Secure Conversation Messages Recap
     • Context establishment messages contain:
       • Base 64 encoded GSS token
       • Context Identifier
       • Continue Needed indicator
       • Mechanism OID – initial message only
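An added example (not Globus code) that models the slide 21 to 25 exchange end to end: the client loop drives a gss_init_sec_context stand-in until the server's reply carries continue-needed=false, while the service hands out context-ids, raises the two portType faults and expires contexts as the slide 8 Context Manager does. The PSK-based DemoMech and the "demo-mech" mechanism-type are constructed stand-ins for the SSL-based GSSAPI mechanism and the GSI mechanism OID.

```python
import base64, hashlib, hmac, os, time
PSK, MECH = b"constructed-demo-psk", "demo-mech"   # constructed PSK; placeholder mechanism-type

def mac(*parts):
    return hmac.new(PSK, b"|".join(parts), hashlib.sha256).digest()

def context_token(token, context_id, continue_needed, mechanism_type=None):
    return {"base64Token": base64.b64encode(token).decode(), "context-id": context_id,
            "continue-needed": continue_needed, "mechanism-type": mechanism_type}

class DemoMech:  # stand-in GSS mechanism: step() plays gss_init/accept_sec_context
    def __init__(self, initiator):
        self.initiator, self.nonce, self.peer, self.key = initiator, os.urandom(16), None, None
    def step(self, tok):  # returns (output token, continue-needed)
        if self.initiator and tok is None:
            return self.nonce, True                          # round 1: send own nonce
        if not self.initiator and self.peer is None:
            self.peer = tok                                  # round 1: answer nonce + proof
            return self.nonce + mac(tok, self.nonce), True
        self.peer, proof = (tok[:16], tok[16:]) if self.initiator else (self.peer, tok)
        if not hmac.compare_digest(proof, mac(self.nonce, self.peer)):  # round 2: verify peer
            raise ValueError("peer authentication failed")
        self.key = mac(b"session", *sorted((self.nonce, self.peer)))   # feeds get_mic/wrap
        return (mac(self.peer, self.nonce) if self.initiator else b""), False

class SecureContextEstablishmentService:  # server side of the slide 21 portType
    def __init__(self, lifetime=300):
        self.contexts, self.lifetime = {}, lifetime   # Context Manager: id -> (mech, expiry)
    def initTokenExchange(self, msg):
        if msg["mechanism-type"] != MECH:
            raise ValueError("MechanismTypeNotSupportedFault")
        cid = os.urandom(8).hex()
        self.contexts[cid] = (DemoMech(False), time.time() + self.lifetime)
        return self.continueTokenExchange(dict(msg, **{"context-id": cid}))
    def continueTokenExchange(self, msg):
        cid, entry = msg["context-id"], self.contexts.get(msg["context-id"])
        if entry is None or entry[1] < time.time():
            self.contexts.pop(cid, None)                  # expired contexts are destroyed
            raise ValueError("InvalidContextIdFault")
        out, cont = entry[0].step(base64.b64decode(msg["base64Token"]))
        return context_token(out, cid, cont)

def establish_context(service):  # client side: loop until the reply says continue-needed=false
    mech = DemoMech(True)
    out, _ = mech.step(None)
    reply = service.initTokenExchange(context_token(out, "", True, MECH))
    while reply["continue-needed"]:
        out, _ = mech.step(base64.b64decode(reply["base64Token"]))
        reply = service.continueTokenExchange(context_token(out, reply["context-id"], True))
    return reply["context-id"], mech.key      # final empty server token needs no processing
```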

  26. GSI Secure Conversation & XML-Encryption
     <soapenv:Envelope …>
       <soapenv:Header>
         <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
                        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
           <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
             <xenc:DataReference URI="EncryptedBody"/>
           </xenc:ReferenceList>
         </wsse:Security>
       </soapenv:Header>
       <soapenv:Body>
         <xenc:EncryptedData Id="EncryptedBody" Type="http://www.w3.org/2001/04/xmlenc#Element"
                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
           <xenc:EncryptionMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-enc"/>
           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
             <ds:KeyName>00000000-7562-527e-00000000-0000322d926f</ds:KeyName>
           </ds:KeyInfo>
           <xenc:CipherData>
             <xenc:CipherValue>FwMAAQ………….kwn55YyoSCw92ILu</xenc:CipherValue>
           </xenc:CipherData>
         </xenc:EncryptedData>
       </soapenv:Body>
     </soapenv:Envelope>

  27. GSI Secure Conversation & XML-Signature
     <soapenv:Envelope …>
       <soapenv:Header>
         <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
                        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
             <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
               <ds:SignatureMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-sign"/>
               <ds:Reference URI="#digestSource">
                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                 <ds:DigestValue>CGnV0ogSVvsS+dpABEJI2+hs4o4=</ds:DigestValue>
               </ds:Reference>
             </ds:SignedInfo>
             <ds:SignatureValue>AAAAAAAAAAEAAALI9CswCadOGScGWbGsrSkAD6PcyS0=</ds:SignatureValue>
             <ds:KeyInfo>
               <ds:KeyName>00000000-5680-d374-00000000-00001223536a</ds:KeyName>
             </ds:KeyInfo>
           </ds:Signature>
         </wsse:Security>
       </soapenv:Header>
       <soapenv:Body>
         <shutdownResponse wsu:Id="digestSource" … />
       </soapenv:Body>
     </soapenv:Envelope>

  28. Performance
     • Needs to be improved
       • Currently about 10x slower than insecure
       • Initialization is very slow
       • Apache XML security libraries add large overhead (3x/message processed)
     • JSR 105/106 are moving along
       • Apache will adopt
       • We don’t want to make major changes now
     • Concentrate on low cost, high impact improvements
       • Move some interactions to Secure Message
       • Fewer roundtrips

  29. New Secure Conversation Features (3.x)
     • Support for anonymous authentication
     • Support for specifying context lifetime
     • Some performance improvements

  30. GSI Secure Message
     • Supports integrity protection with X509 certificates
       • Support for proxy certificates
     • Can be combined with GSI Secure Conversation
     • Not fully featured
       • No replay attack prevention
       • No encryption support
       • Missing features slated for 3.x

  31. GSI Secure Message Example
     <soapenv:Envelope ...>
       <soapenv:Header>
         <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0" …>
           <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:PKIPath"
                                     wsu:Id="token1073175857792" …>3glkeh6.....wvZFY1waVEKaQ==</wsse:BinarySecurityToken>
           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
             <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#digestSource">
                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                 <ds:DigestValue>v8iQBeaSs9/XZNEyWb00z/23nuE=</ds:DigestValue>
               </ds:Reference>
             </ds:SignedInfo>
             <ds:SignatureValue>IFQS5..........12mCw==</ds:SignatureValue>
             <ds:KeyInfo>
               <wsse:SecurityTokenReference>
                 <wsse:Reference URI="#token1073175857792"/>
               </wsse:SecurityTokenReference>
             </ds:KeyInfo>
           </ds:Signature>
         </wsse:Security>
       </soapenv:Header>
       <soapenv:Body>
         <pingResponse wsu:Id="digestSource" .../>
       </soapenv:Body>
     </soapenv:Envelope>
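An added example (not Globus code) of the receiving handler's first step for the signed messages on slides 27 and 31: before the SignatureValue is handed to verify_mic on the context named by KeyName (Secure Conversation) or to RSA verification with the BinarySecurityToken (Secure Message), the single ds:Reference must cover exactly the Body payload and its DigestValue must match, otherwise a signature over some other element would pass. The envelope, the body element and the wsu namespace URI are constructed, and ElementTree's canonicalize (C14N 2.0) stands in for the inclusive or exclusive C14N on the slides.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
# Namespaces of slides 27/31; the wsu URI is an assumption (the slides elide it).
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
      "wsu": "http://schemas.xmlsoap.org/ws/2002/07/utility",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed payload in the shape of <pingResponse wsu:Id="digestSource" .../> on slide 31
SAMPLE_BODY = '<pingResponse xmlns="urn:constructed:ping" xmlns:wsu="%s" wsu:Id="digestSource"/>' % NS["wsu"]

def digest(elem):
    """DigestValue: SHA-1 over the canonical form of the referenced element (C14N 2.0 here)."""
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode()).digest()).decode()

ENVELOPE = """<soapenv:Envelope xmlns:soapenv="{soapenv}"><soapenv:Header>
<wsse:Security xmlns:wsse="{wsse}"><ds:Signature xmlns:ds="{ds}"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-sign"/>
<ds:Reference URI="#digestSource"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>{sigval}</ds:SignatureValue><ds:KeyInfo><ds:KeyName>{ctx}</ds:KeyName></ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body>{body}</soapenv:Body></soapenv:Envelope>"""

def build_message(context_id, body_xml):
    """Constructed sender side: the SignatureValue (a get_mic output) is a placeholder."""
    d = digest(ET.fromstring(body_xml))
    return ENVELOPE.format(**NS, digest=d, sigval="PLACEHOLDER-MIC", ctx=context_id, body=body_xml)

def verify_signed_body(message):
    """Return the KeyName (Secure Conversation context id) once the one ds:Reference is
    shown to cover exactly the Body payload with a matching DigestValue; else ValueError."""
    env = ET.fromstring(message)
    sig = env.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature in wsse:Security header")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise ValueError("expected exactly one same-document Reference")
    wanted = refs[0].get("URI")[1:]
    payload = list(env.find("soapenv:Body", NS))
    if len(payload) != 1 or payload[0].get(WSU_ID) != wanted:
        raise ValueError("Reference does not cover the Body payload")
    if sum(e.get(WSU_ID) == wanted for e in env.iter()) != 1:
        raise ValueError("wsu:Id %r is not unique in the envelope" % wanted)
    if digest(payload[0]) != refs[0].findtext("ds:DigestValue", namespaces=NS).strip():
        raise ValueError("DigestValue mismatch: payload was modified")
    return sig.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS).strip()
```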

  32. Username/Password
     • Not clear which release this will show up in
     • Potential mechanisms:
       • WS-Security Username/Password token
         • Should be used in combination with anonymous Secure Conversation
       • More advanced/secure Username/Password schemes - AuthA

  33. The AuthA Protocol
     • Client has password
     • Server has
       • secret = f(servername|username|password)
       • f is a secure one way function
     • Client & Server create a session key using an encrypted Diffie-Hellman exchange
     • Client & Server authenticate each other
     • Security Proof Exists
     • Details at http://grouper.ieee.org/groups/1363/passwdPK/contributions/autha.pdf

  34. Discussion
     • WS-Resource Impact
     • One time passwords
     • Smart Card support
     • Kerberos
     • Other authentication mechanisms?
     • …
