210 likes | 359 Views
GRID Security Infrastructure: Overview and problems. PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko <demch@terena.nl>. Outlines. Security Issues in Grid computing Grid Security Infrastructure OCR – Online Credential Retrieval Restricted Delegation Certificate Profile
E N D
GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko <demch@terena.nl>
Outlines • Security Issues in Grid computing • Grid Security Infrastructure • OCR – Online Credential Retrieval • Restricted Delegation Certificate Profile • DataGRID Security related activity GRID Security Infrastructure: Overview and problems
Security Issues in Grid computing • General issues: • Traditional systems are user/client/host centric • Grid computing is data centric • Traditional systems: • Protect system from its users • Protect data of one user from compromise • In Grid systems: • Protect applications and data from system where computation execute • Stronger/mutual authentication needed (for users and code) • Ensure that resources and data not provided by a attacker • Protect local execution from remote systems • Different admin domains/Security policies GRID Security Infrastructure: Overview and problems
Security Issues in Grid computing - Components • Authentication • Password based • Kerberos based (authentication and key distribution protocol) • SSL authentication • PKI/Cert based • Authorisation • Integrity and confidentiality • Cryptography • Assurance • Accounting • Audit GRID Security Infrastructure: Overview and problems
Authentication • Traditional systems: • Authenticate user/client to protect system • Grid systems: • Mutual authentication required • Ensure that resources and data not provided by a attacker • Delegation of Identity • Process that grants one principal the authority to act as another individual • Assume another’s identity to perform certain functions • E.g., in Globus: use gridmap file on a particular resource to map authenticated user user onto another’s account, with corresponding privileges • Data origin authentication GRID Security Infrastructure: Overview and problems
Authorisation • Traditional systems: • Determine whether a particular operation is allowed based on authenticated identity of requester and local information • Grid systems: • Determine whether access to resource/operation is allowed • Access control list associated with resources, principal or authorised programs • Distributed Authorisation • Distributed maintenance of authorisation information • One approach: Embed attributes in certificates • Restricted proxy: authorisation certificate that grants authority to perform operation on behalf of grantor • Alternative: separate authorisation server • Use of CAS (Community Authorisation System) for group authorisation GRID Security Infrastructure: Overview and problems
Assurance, Accounting, Audit • Assurance • When service is requested, to assure that candidate service provider meets requirements • Accounting • Means of tracking, limiting or changing for consumption of resources • Audit • Record operations performed by systems and associate actions with principals • Find out what went wrong: typical role of Intrusion Detection Systems GRID Security Infrastructure: Overview and problems
GRID Security Infrastructure (GSI) • Current situation: • Globus assumes Hierarchical CA architecture with one top-level CA • Interdomain authorisation is based on X.509 identity certificates • Authentication and Authorisation • Mapping of user certificates to user accounts • GSI uses proxy credentials to allow for single sign-on and to provide delegated credentials for use by agent and servers • Online Credential Retrieval to create and manage proxy certificates • Next development: impersonation certificate and restricted delegation certificate • GSI problems: • Thousands of users – thousands of Certs – many of CAs (with different policies) • Grid-wide user group and roles are needed • No grid-wide logging or auditing • Need for anonymous users • Protocol to access personal credential for OCR GRID Security Infrastructure: Overview and problems
GSI Roadmap: Grid Security Requirements • A Grid security solution should be based on existing standards wherever possible. • Grid authentication requirements: • Single sign on • Delegation • Integration with various local security solutions • User-based trust relationships • Grid requirements for communication protection: • Flexible message protection • Supports various reliable communication protocols • Supports independent data units (IDU) • Grid authorization requirements: • Authorization by stakeholders • Restricted delegation GRID Security Infrastructure: Overview and problems
GSI authentication requirements • Single sign on • Users must be able to "log on" (authenticate) just once and then have access to any resource in the Grid that they are authorized to use, without further user intervention. • Delegation • A user must be able to endow to a program the ability to run on that user's behalf, so that the program is able to access the resources on which the user is authorized. The program should (optionally) also be able to further delegate to another program. • Integration with various local security solutions • Each site or resource provider may employ any of a variety of local security solutions, including Kerberos, Unix security, etc. The Grid security solution must be able to interoperate with these various local solutions. It cannot require wholesale replacement of local security solutions, but rather must allow mapping into the local environment. • User-based trust relationships • In order for a user to use resources from multiple providers together, the security system must not require each of the resource providers to cooperate or interact with each other in configuring the security environment. In other words, if a user has the right to use sites A and B, the user should be able to use sites A and B together without requiring the security administrators from sites A and B to interact. GRID Security Infrastructure: Overview and problems
GSI requirements for communication protection • Flexible message protection • An application must be able to dynamically configure a service protocol to use various levels of message protection, including none, just integrity, or integrity plus confidentiality. The choice may be motivated by factors such as sensitivity of the messages, performance requirements, the parties involved in the communication, and the infrastructure over which the message is transiting. • Supports various reliable communication protocols • While TCP is the dominant, and widely available, reliable communication protocol for the Internet, the security mechanisms must be usable with a wide assortment of other reliable communication protocols. For example, performance requirements may dictate the use of non-TCP protocols for use within specialized environments. • Supports independent data units (IDU) • Some applications require "protection of a generic data unit (such as a file or message) in a way which is independent of the protection of any other data unit and independent of any concurrent contact with designated 'receivers' of the data unit" [1]. For example, streaming media, email, and unreliable UDP datagrams all require this form of protection. GRID Security Infrastructure: Overview and problems
GSI authorization requirements • Authorization by stakeholders • Resource owners or stakeholders must be able to control which subjects can access the resource, and under what conditions. • Restricted delegation • In order to minimize exposure from compromised or misused delegated credentials, it is desirable to have rich support for the restriction of the authorization rights that are delegated. GRID Security Infrastructure: Overview and problems
GSI WG documents (1) • Grid Security Infrastructure (GSI) Roadmap - February 2001 • An informational draft, providing an overview of GSI and the technical specifications that define GSI • http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-gsi-roadmap-02.pdf • Internet X.509 Public Key Infrastructure Proxy Certificate Profile - July 2001 • A technical specification draft of the X.509 certificate extensions required to support proxies, which is used for GSI single sign-on and delegation • http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ietf-pkix-proxy-01.pdf • GSI Online Credential Retrieval - Requirements - October 2001 • A technical specification draft of TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates • http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-gsi-ocr-requirements-00.pdf • Multiple Credentials - Scenarios and Requirements - September 2001 • Describes a number of scenarios where entities on Grid require multiple credentials. It details the requirements these scenarios place on the security infrastructure of the Grids • http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-multi-creds-requirements-01.pdf GRID Security Infrastructure: Overview and problems
GSI WG documents (2) • Internet X.509 PKI Impersonation Certificate Profile– February 2001 • http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-x509-impersonation-06.pdf • Internet X.509 PKI Restricted Delegation Certificate Profile – February 2001 • http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-x509-res-delegation-01.pdf • TLS Delegation Protocol- July 2001 • A technical specification draft of TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates • http://www.ietf.org/internet-drafts/draft-ietf-tls-delegation-01.txt • GSS-API Extensions - September 2001 • A technical specification draft of GSS-API extensions, which are required for effective Grid programming using GSS-API • http://www.gridforum.org/security/ggf3_2001-10/drafts/draft-ggf-gss-extensions-04.pdf • Akenti Restriction Language in X509 Proxy Certificates - July 2001 • http://www.gridforum.org/security/ggf2_2001-07/drafts/draft-ggf-akenti-proxyRes-00.pdf GRID Security Infrastructure: Overview and problems
Online Credential Retrieval (OCR) • Definition: OCR service defines TLS (SSL) protocol extensions to allow delegation of X.509 Proxy Certificates and secure remote access to private credentials • Goal: to avoid drawbacks in personal management of credentials by users (private key protection, mobile/remote access, need for multiple credentials) • Authentication in GSI is based on proxy credentials • Proxy credential consists of proxy certificate and an associated private key • Proxy certificate is an X.509 certificate that is derived from a standard X.509 end entity (EE) certificate or another proxy certificate and signed with the private key associated with the source certificate • Proxy credential has limited lifetime to limit vulnerability of the EE private key: user create proxy credential once using its private key GRID Security Infrastructure: Overview and problems
OCR Requirements – GGF Draft • OCR usage scenarios/operations • Credential Initialisation • Credential renewal • Transparent Credential retrieval • Adding Delegation to Existing Protocols • Multiple Credentials • Requirements to • Protocols: Credential Retrieval Protocol, Credential Upload Protocol, Administration Protocol • Credential Server • Credential Repository GRID Security Infrastructure: Overview and problems
OCR Related works • IETF SACRED WG • Many of requirements are similar to OCR’s • Difference: • SACRED requirements state that the credential format MUST be opaque to the protocol and the protocol MUST NOT force credentials to be present in cleartext at the server • This requirement disallow X.509 proxy delegation as defined by OCR requirements • IETF PKIX WG • OCR performs tasks similar to PKIX online management of credentials (retrieving certificates and certificate revocation lists, online certificate status protocol) • Difference: OCR involves private key that must be kept secret GRID Security Infrastructure: Overview and problems
Internet X.509 PKI Restricted Delegation Certificate Profile – GGF Draft • Extension to Impersonation Certificate (IC) • Delegation extension • Restricted rights extension • Address trust issues of the unrestricted Impersonation Certificate use in permitting agent to operate on behalf of an end entity in the environment of X.509 based authorisation • Describes relation between IC with Restricted Rights and Attribute Certificates (AC) and defined scenario for use of AC • Difference that current secure protocols (used by Grid) pass ICs between entities but ACs have to be searched for by the relying party GRID Security Infrastructure: Overview and problems
GGF Certificate Policy Design WG - Documents • Public Key Technology Policy Requirements for Grid Identification - October 11,2000 • http://www.gridcp.es.net/Documents/PKI_Requirements_for_Grid_Id.pdf • Goals: • develop community policy that allows grid resource managers to accept authentication certificates generated by and or for different Grid • reduce the number of authentication certificates a grid user has to posses in order to authenticate to multiple Grids • Related to efforts within the US Federal Bridge Certification Authority to bridge top-level federal agency PKI certificate policies • Grid Certificate Policy version 5 • http://www.gridcp.es.net/Documents/Draft-GGF-CP-05.pdf • Defines four certificate policies representing four different assurance levels (Rudimentary, Basic, Medium, and High) for GGF public key digital certificates • Next meeting – GGF4, Toronto • To discuss: Grid CP version 5, Repository model, Certificate Profile GRID Security Infrastructure: Overview and problems
DataGRID Security related activity • Collect Security requirements from different packages • No official security requirements or policy definitions • Started in different Work packages: WP2, WP6, WP7 • But ill coordinated • Few Workshops and devoted meeting • Compare GSI to security solutions in other middleware • Globus development is not not so open and speedy • All new Grid related projects (DataTAG) have special WP on Security GRID Security Infrastructure: Overview and problems
Observation – other GGF problems • GGF authority is not clear for individual Grid projects • Some GGF developments are coordinated between themselves • Where to place Security issues: Data or Network • Compare to work of IETF • Technical problem: contradiction with some similar IETF developments, e.g. • PKIX • SACRED GRID Security Infrastructure: Overview and problems