
X.509 Proxy Certificates for Dynamic Delegation

X.509 Proxy Certificates for Dynamic Delegation. Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven Tuecke, Von Welch (Presenter: vwelch@ncsa.uiuc.edu). Outline. Problem Statement, Motivations, Approach Proxy Certificate Solution


Presentation Transcript


  1. X.509 Proxy Certificates for Dynamic Delegation
     Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven Tuecke, Von Welch (Presenter: vwelch@ncsa.uiuc.edu)

  2. Outline
     • Problem Statement, Motivations, Approach
     • Proxy Certificate Solution
     • What are they?
     • What can they do?
     • Status: Standardization, Implementation, Deployment

  3. Use Case
     [Figure: Domain A, Domain B, Domain C, Domain D; Data Store; Job Broker; Job]

  4. Motivation
     • Dynamic Delegation
     • Run-time decision on who and what
     • Support late binding of jobs to resources
     • Dynamic Entities
     • Entities (e.g. Jobs) created at same time
     • Single Sign On
     • Avoid repeated manual authentication
     • Easy (user-driven) cross-domain use

  5. Approach
     • Start with PKI
     • Aids cross-domain trust issues since trust relationships can be set up by individual
     • Build off of existing standards
     • Needs to be easily understood by security folks at many sites
     • Ease of implementation
     • Use with existing PKI libraries as much as possible
     • Start with identity-based authz systems

  6. Our solution: Proxy Certificates
     • Allow users to delegate on the fly by granting other entities the right to use their name
     • Prototypes in ’98
     • Standardized in IETF/PKIX 2004
     • Fully implemented, deployed and widely used

  7. Proxy Certificates
     • Same format as X.509 Public Key Identity Certificate, but signed by user (or another proxy certificate)
     • Name scoped to issuer’s name
     • Support restricted delegation from issuer to bearer
     • Includes critical extension to identify as Proxy and express delegation

  8. Proxy Certificates

  9. ProxyCertInfo Extension
     • Critical X.509 Extension
     • Identifies a certificate as a Proxy Cert
     • Allows issuer to express delegation intentions

  10. ProxyCertInfo Delegation Policy
     • Does not specify any method of expression
     • No language will be right for everyone all the time
     • Instead OID to identify language and language-specific field
     • Any language can be used as long as understood by relying party
     • Two methods defined: All and none

  11. Single Sign On
     • User creates key pair locally
     • Signs new public key with identity private key
     • Gives short life span
     • E.g. 8 hours
     • Probably all rights
     • Allows for weak (filesystem) protection of private key and easy use

  12. Delegation

  13. Performance and Security Issues
     • Proxy generation requires key pair generation
     • Those accepting delegation must take care to prevent DoS
     • Validate delegation request before generating key pair

  14. Authorization Methods
     • All rights/impersonation
     • Works great if you don’t mind ignoring least privilege
     • Delegation with restrictions
     • Issue: How do authentication mechanisms know restrictions will be enforced?
     • Identity from Proxy Certificate plus additional assertions to grant rights

  15. Standardization Status
     • Proxy certificates have passed PKIX and IETF last calls
     • Awaiting editorial process to become RFC
     • Latest version is draft-ietf-pkix-proxy-10:
     • http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-10.txt
     • Defines specifics of Proxy certificate creation and path validation

  16. Implementation
     • Fully implemented in Globus Toolkit’s Grid Security Infrastructure (GSI)
     • www.globus.org/security/
     • Built on OpenSSL
     • Changes are additions to handle Proxy Cert path validation as error handlers to normal path validation
     • Similar Java implementation
     • GSSAPI-based library
     • Also integrated with SSH, FTP, CVS

  17. Deployment
     • Many CAs issuing certificates for use with Proxy certificates for production Grids around the world
     • Master CA list at http://www.gridpma.org/
     • Two dozen plus CAs, including DOE, NSF, NASA
     • Old Globus CA with 5k+ certs

  18. Future Work
     • One-time passwords/Two-factor authentication
     • Lot of recent attacks using keyboard sniffing
     • Service that hands out proxies authenticating with OTP
     • Poor man’s hardware tokens
     • Reasonable Restrictions
     • Where from? Intended use?
     • IP addresses too fragile (NAT, mobility, multi-homed)
     • Allow for late binding to resources
     • Revocation
     • Even with short lifetime, interest in revocation

  19. Summary
     • Proxy Certificates are an extension to X.509 identity certificates to allow for real-time delegation and naming
     • Implemented with minimal changes to existing PKI libraries
     • In production use in Grids world-wide
     • Implementation available as part of Globus Toolkit (www.globus.org)

  20. Acknowledgements
     • DOE
     • SciDAC “Security for Group Collaboration”
     • Many colleagues in Global Grid Forum and IETF for ideas and discussions
     • Questions?
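
The relying-party checks implied by slides 7, 9, 10 and 11 (name scoped to the issuer, critical ProxyCertInfo, a policy language the verifier understands, short lifetime), as an added example that is not from the presentation or the Globus Toolkit. `Cert` is a simplified stand-in for an already parsed and signature-verified certificate; `check_proxy_chain`, `proxy` and the sample chain are assumptions, and the two OIDs are the ones published in RFC 3820.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy-language OIDs as published in RFC 3820: the slides' "all" and "none".
INHERIT_ALL = "1.3.6.1.5.5.7.21.1"  # bearer gets every right of the issuer
INDEPENDENT = "1.3.6.1.5.5.7.21.2"  # bearer inherits no rights from the issuer

@dataclass
class Cert:  # simplified model; real code would parse and verify X.509 first
    subject: tuple  # ordered RDNs, e.g. (("O", "Grid"), ("CN", "Alice"))
    issuer: tuple
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    pci_critical: bool = False  # ProxyCertInfo is marked critical
    policy_language: str = None  # None means no ProxyCertInfo extension

def check_proxy_chain(eec, proxies, now, understood=(INHERIT_ALL, INDEPENDENT)):
    """Return (identity, inherits_issuer_rights) or raise ValueError."""
    if eec.is_ca or eec.policy_language is not None:
        raise ValueError("chain must start at an end-entity identity certificate")
    if not eec.not_before <= now <= eec.not_after:
        raise ValueError("identity certificate not valid now")
    parent, inherits = eec, True
    for depth, pc in enumerate(proxies, 1):
        if pc.policy_language is None or not pc.pci_critical:
            raise ValueError(f"proxy {depth}: ProxyCertInfo missing or not critical")
        if pc.policy_language not in understood:
            raise ValueError(f"proxy {depth}: policy language not understood")
        # Name scoping: subject is the issuer's subject plus exactly one CN.
        scoped = pc.subject[:-1] == parent.subject and pc.subject[-1][0] == "CN"
        if pc.issuer != parent.subject or not scoped:
            raise ValueError(f"proxy {depth}: name not scoped to issuer's name")
        if pc.is_ca or not pc.not_before <= now <= pc.not_after:
            raise ValueError(f"proxy {depth}: CA flag set or outside lifetime")
        inherits = inherits and pc.policy_language == INHERIT_ALL
        parent = pc
    return eec.subject, inherits

# Constructed sample chain: identity cert, 8-hour SSO proxy, restricted job proxy.
NOW = datetime(2004, 4, 12, 12, 0)
def proxy(parent, cn, lang=INHERIT_ALL, hours=8):
    return Cert(parent.subject + (("CN", cn),), parent.subject, NOW,
                NOW + timedelta(hours=hours), pci_critical=True, policy_language=lang)

EEC = Cert((("O", "Grid"), ("CN", "Alice")), (("O", "Grid"), ("CN", "Example CA")),
           NOW - timedelta(days=30), NOW + timedelta(days=335))
SSO = proxy(EEC, "proxy-1")
JOB = proxy(SSO, "proxy-2", INDEPENDENT)
print(check_proxy_chain(EEC, [SSO, JOB], NOW))
```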
