MyProxy: A Multi-Purpose Grid Authentication Service
Jim Basney, Senior Research Scientist, NCSA, jbasney@ncsa.uiuc.edu
What is MyProxy?
• A service for managing X.509 PKI credentials
  • A credential repository and certificate authority
• An Online Credential Repository
  • Issues short-lived X.509 Proxy Certificates
  • Long-lived private keys never leave the server
• An Online Certificate Authority
  • Issues short-lived X.509 End Entity Certificates
• Supporting multiple authentication methods
  • Passphrase, Certificate, PAM, SASL, Kerberos
• Open Source Software
  • Included in Globus Toolkit, VDT, and CoG Kits
  • C, Java, Python, and Perl clients available
  • Contributions from EDG, UVA, LBNL, and others
http://myproxy.ncsa.uiuc.edu/
MyProxy Logon
• Authenticate to retrieve PKI credentials
  • End Entity or Proxy Certificate
  • Trusted CA Certificates
  • Certificate Revocation Lists (CRLs)
• MyProxy maintains the user's PKI context
  • Users don't need to manage long-lived credentials
  • Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  • CA certificates and CRLs updated automatically at login
MyProxy Authentication
• Key Passphrase
• X.509 Certificate
  • Used for credential renewal
• Pluggable Authentication Modules (PAM)
  • Kerberos password
  • One Time Password (OTP)
  • Lightweight Directory Access Protocol (LDAP) password
• Simple Authentication and Security Layer (SASL)
  • Kerberos ticket (SASL GSSAPI)
MyProxy Online Certificate Authority
• Issues short-lived X.509 End Entity Certificates
• Leverages MyProxy authentication mechanisms
  • Compatible with existing MyProxy clients
• Ties in to site authentication and accounting
  • Using PAM and/or Kerberos authentication
  • Map username to certificate subject via "gridmap" file or LDAP query
• Avoids the need for long-lived user keys
• Server can function as both CA and repository
  • Issues a certificate if no credentials for the user are stored
MyProxy Online Credential Repository
• Stores X.509 End Entity and Proxy credentials
  • Private keys encrypted with user-chosen passphrases
  • Credentials may be stored directly or via proxy delegation
  • Users can store multiple credentials from different CAs
• Access to credentials controlled by user and administrator policies
  • Set authentication requirements
  • Control whether credentials can be retrieved directly or if only proxy delegation is allowed
  • Restrict lifetime of retrieved proxy credentials
• Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.
Talk Outline
• MyProxy Introduction
• PKI Introduction and MyProxy CA
• Proxy Certificates and MyProxy Repository
• MyProxy Scenarios
  • Administratively Loaded Credentials
  • Registration Portals
  • Web Portal Authentication and Delegation
  • Password-based Delegation
  • Credential Renewal
  • Web Single Sign-On (SSO)
• Demos
• Conclusion
PKI Overview
• Public Key Cryptography
  • Sign with private key, verify signature with public key
  • Encrypt with public key, decrypt with private key
• Key Distribution
  • Who does a public key belong to?
  • Certification Authority (CA) verifies the user's identity and signs the certificate
  • A certificate is a document that binds the user's identity to a public key
• Authentication
  • Signature[ h( random, … ) ]
[Figure: the CA certificate (Issuer: CA, Subject: CA) signs the user certificate (Issuer: CA, Subject: Jim)]
PKI Authentication: Standard SSL/TLS Protocol (summarized)
[Figure: message exchange between Client and Server]
  Client → Server: random_c
  Server → Client: certificate_s + random_s
  Client → Server: certificate_c + { secret }pubkey_s + signature_c[ h( random_c, random_s, … ) ]
  Finished messages: { h( secret ) }secret
PKI Enrollment
[Figure: Applicant and CA]
  1. Applicant generates a new key pair
  2. Applicant sends a certificate request to the CA
  3. CA signs a new end entity certificate
  4. User certificate (Subject: User) is returned to the applicant
MyProxy CA with PAM
[Figure: Client ↔ MyProxy Server: TLS handshake, username/password, certificate request (client keypair), certificate. MyProxy Server checks the password via PAM against a RADIUS Server or Kerberos KDC (TGT), maps the username to a DN via the gridmap file or a DN lookup on an LDAP Server, and signs with the CA key. The client then presents the X.509 credential to a Grid Service.]
MyProxy CA with Kerberos
[Figure: Client ↔ MyProxy Server: TLS handshake, SASL/GSSAPI/Kerberos authentication with a ticket from the Kerberos KDC, certificate request (client keypair), certificate. MyProxy Server maps the username to a DN via the gridmap file or a DN lookup on an LDAP Server and signs with the CA key. The client then presents the X.509 credential to a Grid Service.]
PAM/SASL Issues
• PAM Conversation
  • PAM modules can require multiple rounds of user interaction
  • No standard protocol
  • SASL/PLAIN doesn't support multiple rounds
  • Need something like the SSH keyboard-interactive protocol
• SASL client-side setup
  • Requires SASL library and configuration of SASL mechanisms
  • Alternative: native Kerberos protocol support
Proxy Credentials
• RFC 3820: Proxy Certificate Profile
• Associate a new private key and certificate with existing credentials
• Short-lived, unencrypted credentials for multiple authentications in a session
  • Restricted lifetime in certificate limits vulnerability of unencrypted key
• Credential delegation (forwarding) without transferring private keys
[Figure: certificate chain: CA signs User, User signs Proxy A, Proxy A signs Proxy B]
Proxy Delegation
[Figure: Delegator and Delegatee]
  1. Delegatee generates a new key pair
  2. Delegatee sends a proxy certificate request to the Delegator
  3. Delegator signs a new proxy certificate
  4. Proxy certificate is returned to the Delegatee
MyProxy Put
[Figure: Client ↔ MyProxy Server: TLS handshake using the client's certificate; client sends username, password and policy; the server generates a keypair and returns a certificate request; the client signs and sends the proxy certificate chain; the server stores the cert chain and private key]
MyProxy Get
[Figure: Client ↔ MyProxy Server: TLS handshake; client sends username, password and a certificate request for a fresh keypair; the server signs with the stored cert chain and private key and returns a proxy certificate chain; the client presents the X.509 credential to a Grid Service]
MyProxy Store
[Figure: Client ↔ MyProxy Server: TLS handshake using the client's certificate; client sends username, certificate, private key and policy; the server stores the certificate and private key directly]
MyProxy Retrieve
[Figure: Client ↔ MyProxy Server: TLS handshake; client sends username and password; the server returns the stored certificate chain and private key; the client presents the X.509 credential to a Grid Service]
Administratively Loaded Credentials
[Figure: the Certificate Authority issues a certificate and private key that are loaded into the MyProxy Server by an administrator; the Client then performs a MyProxy get (TLS handshake, username, password, certificate request, proxy certificate chain) and presents the X.509 credential to a Grid Service]
User Registration Portal
[Figure: Browser ↔ Registration Portal: TLS handshake, username and password checked against the portal's UserDB; the portal obtains a certificate and private key from the Certificate Authority and stores them in the MyProxy Server under the username; the Client then performs a MyProxy get (username, password, certificate request, proxy certificate chain) and presents the X.509 credential to a Grid Service]
Gateway Portal
[Figure: Browser ↔ Portal: TLS handshake, username and password checked against the portal's UserDB; the portal holds its own cert and key and authenticates to the Grid Service with X.509 on the user's behalf]
Trusted Portal
[Figure: Browser ↔ Portal: TLS handshake, username and password checked against the portal's UserDB; the portal authenticates to MyProxy with its own cert and key, sends the username and a cert request, receives the user's cert, and authenticates to the Grid Service with X.509]
Password-based Portal Auth
[Figure: Browser ↔ Portal: TLS handshake, username and password; the portal sends username, password and a cert request to MyProxy, receives the cert, and authenticates to the Grid Service with X.509 using the cert and key]
Password-based Delegation
[Figure: the Delegator delegates a proxy to MyProxy (TLS handshake with its certificate, username, random password, certificate request, certificate) and hands the username and random password to the Delegatee; the Delegatee then retrieves a proxy from MyProxy (TLS handshake, username, random password, certificate request, certificate) and holds the certificate and private key]
Password-based Renewal
[Figure: the Client submits a job with a proxy and the MyProxy password to Condor-G; Condor-G renews the proxy from MyProxy using the password and forwards the proxy through the GRAM Gatekeeper to the running Job]
Certificate-based Renewal
[Figure: the Client stores a proxy in MyProxy with a policy and submits a job with a proxy; the Workload Management Service's Renewal Service authenticates to MyProxy with its own cert and key (X.509) and renews the proxy, which is forwarded via Condor-G and the GRAM Gatekeeper to the running Job]
MyProxy and Web SSO
[Figure: the Browser authenticates with a password to PURSE / the Pubcookie Login Server and receives a cookie; Portal A and Portal B accept the cookie; the portals obtain certs from MyProxy with the password and authenticate to the Grid Service with X.509]
SSO for Browser and Application
[Figure: the Browser authenticates to the Portal and receives a cookie; the Java Web Start (JWS) Application receives the cookie, presents it to the MyProxy Server to obtain a cert, and authenticates to the Grid Service with X.509]
SSO for Browser and Application (random password variant)
[Figure: the Browser authenticates to the Portal, which obtains a cert and issues a random password; the Java Web Start (JWS) Application receives the random password, presents it to the MyProxy Server to obtain a cert, and authenticates to the Grid Service with X.509]
Demonstrations
Conclusion
• MyProxy: A Multi-Purpose Grid Authentication Service
  • Used in many delegation and single sign-on scenarios
• MyProxy provides practical authentication solutions
  • Minimize changes to existing software and protocols
  • Leverage community standards
    • PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
• Active MyProxy open source community
  • Deploy new developments via MyProxy
  • Benefit from the work of others
Thank you! Obrigado!