Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update

Yuri Demchenko <[email protected]>

AIRG, University of Amsterdam

Outline
  • Goals
  • AIRG projects and Generic AAA Architecture development
  • Implementation in CNL project Access Control infrastructure
  • Grid Operational Security and Grid Security Incident definition

AIRG Update 2004

Goals
  • Update TF-EMC2 on AIRG research and developments
  • Discuss possible approaches for early detection of the security credentials compromise


AIRG projects
  • Gigaport NG - NL
    • Further development of the Generic AAA architecture for policy/token based networking
  • Collaboratory.nl (CNL)
    • Security Architecture for Open Collaborative Environment and RBAC
    • Considered as a use case for EGEE and OGSA
  • EGEE and other Grid related projects - EU
    • Grid operational security and WS/Grid security threats analysis
    • Policy enforcement framework and Authorisation portType
    • WS-Security and OGSA Security


[Figure: Generic AAA architecture diagram; labels Request/Response, Generic AAA, Policy and ASM, each appearing three times]

Generic AAA Architecture by AIRG (UvA)
  • Policy based Authorization decision
    • Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
    • RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
    • ActionExt = {ReqAAAExt, ASMcontrol}
    • ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}
  • Defined by Resource owner
  • Translate logDecision => Action
  • Translate State => LogCondition


Generic AAA implementations
  • Bandwidth-on-demand (BoD) for optical network
    • Using a driving-policy approach for multidomain optical path building
  • Access control and privilege management for Collaborative environment
    • Policy/role based access control to experimental equipment and resources
  • Authorisation Web Service and Authorisation portType for Grid applications
    • Policy binding to Web/Grid service definition
  • Technology background
    • AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
    • XML Web Services
      • Attempting to use WSRF and trying to avoid OGSI and ProxyCert


Distributed Security Architecture for Collaborative environment
  • Based on the Job-centric security model
  • Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)
  • XACML based policy exchange and integration
  • Uses WS-Security Framework and OGSA/WSRF
    • Policy binding to WSDL and AuthZ portType definition
  • VO functionality - policy based user and resource management
  • Proxy-Certificate (Grid approach) vs SAML security credentials management


[Figure: Job-centric security model. A Scheduler/JobMngr produces a JobDescr (Job#, Job Attributes, Job Priority; User list, User roles/attr, Admin RBAC) and an OrderDescr; access control (AccessCtr, AuthN/Z) draws on a UserDB and Policy.]

Security built around Job description
  • Job Description as a semantic object defining Job attributes and User attributes
    • Requires document based or semantic oriented Security paradigm
  • Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI


XACML implementation library for CNL
  • Contains specific modules for AAA services
    • PEP, PDP, PAP and XACML messaging
    • Implemented in Java
  • Policy editor in XACML
    • XACML provides a standard solution for RBAC with powerful policy-combination functionality
    • Version 0.1 is available for policy construction and translating to AAA-policy format
  • A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development


Main components and dataflow in RBAC/PMI
  • PEP(Policy Enforcement Point)/AEF (authorisation enforcement function)
  • PDP (Policy Decision Point)/ADF (authorisation decision function)
  • PIP (Policy Information Point)/AA (Attribute Authority)
  • PA – Policy Authority


GAAAPI implementation – XACML Request message format (2)

    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd" version="0.1" type="CNLdemo1">
      <Subject>
        <SubjectID>[email protected]</SubjectID>
        <Role>Analyst</Role>
        <JobID>JobID-XPS1-212</JobID>
        <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
      </Subject>
      <Resource>
        <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
      </Resource>
      <Action>
        <ActionID>ControlInstrument</ActionID>
      </Action>
    </AAA:AAARequest>


GAAAPI implementation – XACML Response message format (2)

    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAAResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
      <Result ResourceId="String">
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="OK"/>
          <StatusMessage>Request successful</StatusMessage>
        </Status>
      </Result>
    </AAA:AAAResponse>
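The following Python is an added example, not code from the AIRG slides or the GAAAPI library: a minimal PEP/PDP round trip that parses a request shaped like the AAARequest above, applies the rule-based evaluation of the Generic AAA slide (RBE(Req + Policy) => Decision) against an RBAC policy, and serialises a response shaped like the AAAResponse. The policy contents, the token-to-subject binding table, the subject id, and all function names are assumptions; the element names follow the slides.

```python
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"

# Constructed copy of the slide's request; SubjectID and Token are sample values.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>analyst1@example.org</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>
      http://resources.collaboratory.nl/Phillips_XPS1
    </ResourceID>
  </Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>
"""

# Assumed policy: (ResourceID, ActionID) -> roles permitted to perform the action.
POLICY = {
    ("http://resources.collaboratory.nl/Phillips_XPS1", "ControlInstrument"): {"Analyst", "Operator"},
    ("http://resources.collaboratory.nl/Phillips_XPS1", "ViewExperiment"): {"Analyst", "Operator", "Guest"},
}

# Assumed AuthN state: tokens the authentication service issued, with the subject each is bound to.
VALID_TOKENS = {"2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90": "analyst1@example.org"}


def parse_request(xml_text):
    """PEP side: extract the fields of an AAARequest; raise ValueError on anything missing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{AAA_NS}}}AAARequest":
        raise ValueError("root element is not AAA:AAARequest")

    def text(path):
        value = root.findtext(path)  # child elements carry no namespace in the slide's format
        if value is None or not value.strip():
            raise ValueError(f"missing element {path}")
        return value.strip()

    return {
        "subject": text("Subject/SubjectID"),
        "role": text("Subject/Role"),
        "job": text("Subject/JobID"),
        "token": text("Subject/Token"),
        "resource": text("Resource/ResourceID"),
        "action": text("Action/ActionID"),
    }


def decide(req):
    """PDP side: the rule-based evaluation, RBE(Req + Policy) => Decision."""
    if VALID_TOKENS.get(req["token"]) != req["subject"]:
        return "Deny", "AuthN token unknown or not bound to SubjectID"
    allowed_roles = POLICY.get((req["resource"], req["action"]))
    if allowed_roles is None:
        return "Deny", "no policy for this resource/action"  # default deny
    if req["role"] not in allowed_roles:
        return "Deny", f"role {req['role']} not permitted"
    return "Permit", "Request successful"


def build_response(decision, status_code, message, resource):
    """Serialise a response shaped like the slide's AAAResponse (version 0.0)."""
    resp = ET.Element("AAAResponse", version="0.0")
    result = ET.SubElement(resp, "Result", ResourceId=resource)
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value=status_code)
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def evaluate(xml_text):
    """Full PEP -> PDP -> PEP round trip; malformed requests yield Indeterminate, never Permit."""
    try:
        req = parse_request(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return build_response("Indeterminate", "ERROR", str(exc), "unknown")
    decision, message = decide(req)
    # As in XACML, StatusCode reports whether evaluation succeeded, not whether access was granted.
    return build_response(decision, "OK", message, req["resource"])


def decision_of(response_xml):
    """Read the Decision back out of a response document."""
    return ET.fromstring(response_xml).findtext("Result/Decision")


if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST))
```

Every failure path (unknown token, token bound to a different subject, no matching rule, role not listed, unparsable request) ends in Deny or Indeterminate, so the PEP can treat anything other than an explicit Permit as a refusal.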


Binding policy to WSDL service description
  • WS-PolicyAttachment defines two mechanisms that together allow policy to be bound to the WSDL components (portType, Operation, Message):
    • wsp:PolicyRefs="URI | QName"
    • <wsp:UsingPolicy wsdl:Required="true"/>


Binding policy to WSDL - Example
    <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
                 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
                 xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
                 xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
                 xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
                 xmlns:cnl="http://cnl.telin.nl/cnl"
                 xmlns:policy="cnl-policy-schema.xsd"
                 targetNamespace="http://cnl.telin.nl/cnl">
      <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
        <part name="JobID" type="xs:string"/>
        <part name="coordinateX" type="xs:string"/>
        <part name="coordinateY" type="xs:string"/>
        <part name="zoom" type="xs:int"/>
      </message>
      <<< snip >>>>
      <wsp:UsingPolicy wsdl:Required="true"/>
    </definitions>
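As an added example (not part of the slides or the CNL project code), the Python below reads a WSDL and reports which of the three components named above carry a wsp:PolicyRefs attachment and whether <wsp:UsingPolicy wsdl:Required="true"/> is declared. The WSDL is a constructed one modelled on the snipped slide example; the second message and the portType are assumptions added so that both an attached and an unattached component appear.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2002/12/policy"

# Constructed WSDL modelled on the slide's example (the real CNL WSDL is snipped there).
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <message name="ViewExperimentResponse">
    <part name="image" type="xs:string"/>
  </message>
  <portType name="ExperimentPortType" wsp:PolicyRefs="cnl-policy-02example.xml">
    <operation name="ViewExperiment">
      <input message="ViewExperimentRequest"/>
      <output message="ViewExperimentResponse"/>
    </operation>
  </portType>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>
"""

COMPONENTS = ("portType", "operation", "message")  # the WSDL components the slide names


def policy_attachments(wsdl_text):
    """Map 'kind/name' -> list of policy references for every component carrying wsp:PolicyRefs."""
    root = ET.fromstring(wsdl_text)
    attached = {}
    for kind in COMPONENTS:
        for el in root.iter(f"{{{WSDL_NS}}}{kind}"):
            refs = el.get(f"{{{WSP_NS}}}PolicyRefs")
            if refs:
                attached[f"{kind}/{el.get('name')}"] = refs.split()  # attribute may list several URIs
    return attached


def using_policy_required(wsdl_text):
    """True if the definitions carry <wsp:UsingPolicy wsdl:Required="true"/>."""
    root = ET.fromstring(wsdl_text)
    el = root.find(f"{{{WSP_NS}}}UsingPolicy")
    return el is not None and el.get(f"{{{WSDL_NS}}}Required") == "true"


def messages_without_policy(wsdl_text):
    """Names of <message> elements that carry no policy reference of their own."""
    root = ET.fromstring(wsdl_text)
    return [el.get("name") for el in root.iter(f"{{{WSDL_NS}}}message")
            if not el.get(f"{{{WSP_NS}}}PolicyRefs")]


def audit(wsdl_text):
    """Consumer-side report: which components are bound to policy, and which messages are not."""
    return {
        "attachments": policy_attachments(wsdl_text),
        "required": using_policy_required(wsdl_text),
        "messages_without_policy": messages_without_policy(wsdl_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_WSDL).items():
        print(f"{key}: {value}")
```

A message without its own reference may still be covered by a policy attached to the portType, so the report lists both levels rather than deciding on its own; it is a quick way to spot a service that declares UsingPolicy as Required while leaving components unattached.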


Security related activities in EGEE - FYI
  • EGEE – Enabling Grids for E-sciencE
    • JRA3 – Security
    • MWSG – Middleware Security Group
    • JSPG – Joint with LCG and OSG Security Policy Group
      • OSG Incident Handling Activity
  • Recent Security related deliverables
    • Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)
    • Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
    • Grid Security Incident definition and exchange format – MJRA3.4
      • Ongoing development, current version - https://edms.cern.ch/document/501422/1
      • As a part of joint OSG/LCG/EGEE Operational Security activity


Grid Security Incident (GSInc) definition
  • GSInc definition
    • Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
    • Should be based on threats analysis and vulnerabilities model – MJRA3.4
    • Should be based on Grid processes/workflow analysis - TODO
  • GSInc definition is a base for GSInc description format
    • What information should be collected and how to exchange and handle it
      • Requirements to Events logging and Intrusion/compromise detection
    • Common format is a basis for community wide statistics and coordinated response
    • Incident statistics provide feedback for Security Policy improvement
  • Note. Grid Security model is based on delegation of security credentials to a service


Security credentials related GSInc and audit events
  • Security credentials compromise (e.g., private key, proxy credentials, etc.)
    • patterns of credential usage
    • a broken chain of PKC/keys/credentials
    • a copy discovered in an improper location
    • use originating from somewhere other than the default location
    • subsequent failed attempts to request action(s)
      • PDP/PEP logging/audit
  • Remaining problems and topics for discussion
    • How to define at the early stage that a private key has been compromised?
    • May require credentials storing (not caching) and adding history/evidence chain to credentials format
      • X.509 credentials are not capable of this
      • Does SAML have the required functionality?
  • Note: Audit/log events together with related data can be also referred to as an Evidence
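The Python below is an added example (not from the slides or any AIRG toolkit) of turning the PDP/PEP audit events listed above into compromise indicators: it flags a credential used from other than its default location, the same credential used from two hosts within a short window, and a burst of denied requests. The audit record format, the default-location registry, the thresholds, and the function names are assumptions; the records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PDP/PEP audit records: timestamp, subject, credential id, source host, action, decision.
SAMPLE_AUDIT = """\
2004-10-05T10:00:00,user1,cred-7f3a,host-a.example.org,ControlInstrument,Permit
2004-10-05T10:02:00,user1,cred-7f3a,host-a.example.org,ViewExperiment,Permit
2004-10-05T10:03:30,user1,cred-7f3a,host-z.example.net,ControlInstrument,Permit
2004-10-05T10:04:00,user2,cred-9c01,host-b.example.org,ControlInstrument,Deny
2004-10-05T10:04:20,user2,cred-9c01,host-b.example.org,ControlInstrument,Deny
2004-10-05T10:04:40,user2,cred-9c01,host-b.example.org,Calibrate,Deny
2004-10-05T11:30:00,user1,cred-7f3a,host-a.example.org,ViewExperiment,Permit
"""

# Assumed registry of where each credential is expected to be used from (its default location).
DEFAULT_LOCATION = {"cred-7f3a": "host-a.example.org", "cred-9c01": "host-b.example.org"}


def parse_audit(text):
    """Parse the CSV audit records into dicts, sorted by time."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, subject, cred, host, action, decision = row
        events.append({"ts": datetime.fromisoformat(ts), "subject": subject, "cred": cred,
                       "host": host, "action": action, "decision": decision})
    return sorted(events, key=lambda e: e["ts"])


def detect_location_anomalies(events, window=timedelta(minutes=10)):
    """Flag a credential used from a host other than its default location, and one used from
    two different hosts within `window` (a possible copy in use elsewhere)."""
    alerts = []
    last_seen = {}  # cred -> (timestamp, host) of its previous use
    for e in events:
        default = DEFAULT_LOCATION.get(e["cred"])
        if default and e["host"] != default:
            alerts.append(("non_default_location", e["cred"], e["host"]))
        prev = last_seen.get(e["cred"])
        if prev and prev[1] != e["host"] and e["ts"] - prev[0] <= window:
            alerts.append(("multi_location", e["cred"], f"{prev[1]} -> {e['host']}"))
        last_seen[e["cred"]] = (e["ts"], e["host"])
    return alerts


def detect_failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a credential that accumulates `threshold` Deny decisions within `window`."""
    alerts = []
    denies = defaultdict(list)  # cred -> timestamps of recent denies
    for e in events:
        if e["decision"] != "Deny":
            continue
        recent = denies[e["cred"]]
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] > window:
            recent.pop(0)  # drop denies that fell out of the window
        if len(recent) >= threshold:
            alerts.append(("failure_burst", e["cred"], f"{len(recent)} denies within {window}"))
            recent.clear()  # one alert per burst, not one per extra deny
    return alerts


def analyse(text):
    """Run both detectors over an audit extract; returns (kind, credential, detail) tuples."""
    events = parse_audit(text)
    return detect_location_anomalies(events) + detect_failure_bursts(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUDIT):
        print(alert)
```

Each alert names the credential rather than the subject, because the question on the slide is whether the credential itself has been copied; the alerts are a starting point for the evidence chain, not a verdict.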


Discussion: security credentials compromise detection
  • How to define at the early stage that a private key or other security credentials have been compromised?
  • Will it require credentials storing (not caching) and adding history/evidence chain to credentials format?
    • X.509 credentials are not capable of this
    • Does SAML have the required functionality?
