1 / 42

Grid Security Infrastructure

Grid Security Infrastructure. Adam Belloum Computer Architecture & Parallel Systems group University of Amsterdam adam@science.uva.nl. Security Network (local security policy. Security Network (local security policy. We have all The needed Resources!!!. How can I make

risa
Download Presentation

Grid Security Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Grid Security Infrastructure Adam Belloum Computer Architecture & Parallel Systems group University of Amsterdam adam@science.uva.nl

  2. Security Network (local security policy Security Network (local security policy We have all The needed Resources!!! How can I make Satisfy all the different Security domains Security Network (local security policy Cross Organization Authentication Infrastructure Security Network (local security policy Security Network (local security policy)

  3. User point of view “For users, the primary requirement is simplicity: Access to the virtual organization’s resources should not be significantly different from access to the local organization’s resources.” • There should be a single sign-on, where users need to log on only once to access all permitted resources. • Programs running on a user’s behalf should possess a subset of the user’s rights and have access to the permitted resources. Protected channel passwd Randy Butler et al. “A Natioanal-Scale Authentication Infrastructure”

  4. Sites point of view The concerns of resource-providing sites constrain an authentication and authorization infrastructure in two ways: • Sites have there local (intra-domain) security policy • Sites typically cannot easily replace or modify their intra-domain security solution. How they see inter-domain security: • a distinct inter-domain solution that interoperates with local security solutions and is: at least as strong as local solutions (will not weaken site security), is easy to understand (administrators can trust it). • Site administrators must have tight control over policies governing access to their resources, including how users establish their identity and which users have access to which resources. Randy Butler et al. “A Natioanal-Scale Authentication Infrastructure”

  5. What does security mean? • Authentication (at the source site) • Digital Signature (PKI, kerberos, etc.) • Secure connection (between the source the destination sites) • Authentication • Message protection • Confidentiality (Cryptography) • Encryption • Decryption • Integrity (Digital Signature) • Authorization (At the destination site) • Access restrictions (access control, content filtering, etc…

  6. Digital Signature It is really X who Has sent this message I’m want to send IMPORTANT data to Y Internet Digital signature Impersonate X And send false news http://www-fp.mcs.anl.gov/~gregor/grid-iit/

  7. Public Security Infrastructure It is really the public key Of X ? How can provide my Public key to Y? Internet Impersonate X Sending false news http://www-fp.mcs.anl.gov/~gregor/grid-iit/

  8. Secure Socket layer It is really X who Has sent this message I’m want to send Confidential data to Y Internet Try to read confidential messages

  9. A cross organizations Security infrastructure “Grid Security Infrastructure lets users access resources at any participating site without repeated authentication, while preserving a site’s ability to use site-specific security mechanisms and enforce local access control.” “Security requirements within the Grid environment are driven by the need to support scalable, dynamic, distributed virtual organizations (VOs)” Note: • A VO is collections of diverse and distributed individuals that seek to share and use diverse resources in a coordinated fashion. • From security perspective a key attribute of VOs is that participants and resources are governed by the rules and policies of the classical organizations of which they are members. Randy Butler et al. “A Natioanal-Scale Authentication Infrastructure”

  10. Fundamental Requirements of VO • Access to resources that exist within classical organizations and that have policies in place that speak only about local users. • This VO access must be established and coordinated only through binary trust relationships that exist between • the local user and their organization and • the VO and the user. Von Welch et al. “Security for Grd Services”

  11. Security cross Grid (V.O.) Global policy Local policy Local policy Certification Authority (signs the certificates) Global policy Resources providers can delegate Some of the authority for maintaining a fine-grained access Control Policies to communities While still maintaining ultimate Control over their resources Security Network Security Network Global policy Local policy Security Network Global policy Global policy Local policy Local policy Security Network Security Network Lauroa Pearlman et al. A Community Authorization Service for Group Collaboration

  12. Key Functions in a Grid Security Model • Multiple security mechanisms. Organizations participating in a VO have significant investment in existing security mechanisms and infrastructure. Grid security must interoperate with, rather than replace, those mechanisms • Dynamic creation of services. Users must be able to create new services dynamically without administrator intervention. • Dynamic establishment of trust domains. In order to coordinate resources, VOs need to establish trust among not only users and resources in the VO but also among the VO’s resources, so that they can be coordinated. Von Welch et al. “Security for Grd Services”

  13. Overview of Grid Security Infrastructure • The Grid Security Infrastructure (GSI) is a set of protocols, libraries, and tools that allow users and applications to securely access Grid resources. It is build on some standard security mechanisms such as: • Public Key Infrastructure • Secure Socket Layer And some Specific security mechanisms • Proxy Credentials • Delegation Jason Novotny “An Online Credential Repository for the Grid: MyProxy”

  14. Grid Security Infrastructure (GSI) • The GSI system is based on a Public Key Infrastructure (PKI). • In a PKI, all entities (users and resources) are identified by a globally unique name known as a • Distinguished Name (DN). • Authentication with the GSI is a matter of proving that a user or resource is the entity identified by a DN. • Resources then typically have local configuration for mapping the DN to a local identity Jason Novotny “An Online Credential Repository for the Grid: MyProxy”

  15. GSI uses the PKI • In order for entities to prove their identity, they possess of Grid credentials consisting of a certificate and a cryptographic key known as the private key. • The certificate, simple terms, is a binding of the entity’s DN to their private key. • This binding is done by means of a digital signature from a trusted party known as a Certificate Authority (CA). • This allows an entity to authenticate (using their credentials) by a process that involves presenting their certificate and proving possession of their private key. Jason Novotny “An Online Credential Repository for the Grid: MyProxy”

  16. GSI uses SSL • GSI uses Secure Socket Layer (SSL) to implement authentication, message integrity and message privacy. • SSL is a standard software tool used in web browsers, web servers, and other applications. It uses PKI credentials for authentication and is used in GSI without modification. Jason Novotny “An Online Credential Repository for the Grid: MyProxy”C

  17. GSI introduces Proxy Credentials • A proxy credential is a short-term credential that is created by a user, which can be used in place of the long-term credential to authenticate that user. The proxy credential has its own private key and certificate, and is signed using the user’s long-term credential. • The proxy certificate, is a short-term binding of the user’s DN to an alternate private key. Proxy credentials are stored unencrypted on the local file system, protected only by file system permissions, and so can be used by the user repeatedly without inconvenience. Jason Novotny “An Online Credential Repository for the Grid: MyProxy”

  18. GSI introduces Delegation • Delegation is very similar to proxy credential creation as that an existing set of credentials is used to create a new set of proxy credentials that is identical in function. • The difference is that the creation occurs over a GSI-authenticated connection, with the result being the remote process acquiring proxy credentials for the user. Note: It is also worth noting that delegation can be chained. In other words one can delegate credentials to host A and then the process on host A can delegate credentials to host B and so forth. Jason Novotny “An Online Credential Repository for the Grid: MyProxy”

  19. Grid Security Architecture

  20. Large Scale Distributed Computation Site B Site A Kerberos physicist Data Site C SSL ap Data Data 1. Request data analysis 2. Contact resource broker Site D SSL guest29 3. Initiate task farm 4. Access parameter values Plaintext ap6 Site G Data Plaintext bcollab Data Plaintext physicist Site F Site E Ian Foster et al. “A Security Architecture for Computational Grids”

  21. Grid Security Requirements • Single sign-on • Protection of credentials • Uniform credentials/certification infrastructure • Support for secure group communication • Support for multiple implementations Ian Foster et al. “A Security Architecture for Computational Grids”

  22. Grid Security Policy: terminology • A subject is a participant in a security operation. • A credentialis a piece of information that is used to prove the identity of a subject. Passwords and certificates are examples of credentials. • Authenticationis the process by which a subject proves its identity to a requestor, typically through the use of a credential • An objectis a resource that is being protected by the security policy. • Authorizationis the process by which we determine whether a subject is allowed to access or use an object. • A trust domainis a logical, administrative structure within which a single, consistent local security policy holds. Ian Foster et al. “A Security Architecture for Computational Grids”

  23. Grid Security Policy: definition of the security policy • The grid environment consists of multiple trust domains. • Operations that are conned to a single trust domain are subject to local security policy only. • Both global and local subjects exist. For each trust domain, there exists a partial mapping from global to local subjects. • Operations between entities located in different trust domains require mutual authentication. • An authenticated global subject mapped into a local subject is assumed to be equivalent to being locally authenticated as that local subject. • All access control decisions are made locally on the basis of the local subject. • A program or process is allowed to act on behalf of a user and be delegated a subset of the user's rights. • Processes running on behalf of the same subject within, the same trust domain may share a single set of credentials. Ian Foster et al. “A Security Architecture for Computational Grids”

  24. A Computational Grid Security Architecture Protocol 1: creation of a user Proxy Long-lived credential user user proxy CU Cup Temporary credential Protocol 4: creation of a local Global mapping Protocol 2: Allocation of a Remote resource Global to local Mapping table Global to local Mapping table Resource proxy process Resource proxy process Crp Cp Cp Protocol 3: resource Allocation From a process process Local policy And mechanisms Local policy And mechanisms Cp Cp Ian Foster et al. “A Security Architecture for Computational Grids”

  25. Protocol 1: user proxy creation 2. The user produces the user proxy credential, CUP, by using their credential, CU, to sign a tuple containing: - the user's id, - the name of the local host, • the validity interval for CUP, • and any other information that will be required by the authentication protocol used to implement the architecture (such as a public key if certificate based authentication is used) 3. A user proxy process is created an provided with CUP. It is up to the local security policy to protect the integrity of CUP on the computer on which the user proxy is located. 1. The user gains access to the computer from which the user proxy is to be created, using the local authentication is placed on that computer. Protocol 1: creation of a user Proxy user user proxy CU Cup Ian Foster et al. “A Security Architecture for Computational Grids”

  26. Protocol 2: Resource allocation 1. The user/resource proxy authenticate each other usng CUP and CRP . 2. The user proxy presents the resource proxy with a signed request. 3. The resource proxy checks to see whether the user who signed the proxy's credentials is authorized by local policy to make the allocation request. 4. If the request can be honored, the resource proxy creates a RESOURCE-CREDENTIALS tuple containing the name of the user for whom the resource is being allocated, the resource name, etc. 5. The resource proxy securely passes the RESOURCE-CREDENTIALS to the user proxy. 6. The user proxy examines the RESOURCE- CREDENTIALS request, and, if it wishes to approve it, signs the tuple to produce CP , a credential for the requesting resource. 7. The user proxy securely passes CP to the resource proxy. (This is again possible due to step 1.) 8. The resource proxy allocates the resource and passes the new process(es) CP . user proxy Cup Resource proxy Resource proxy Crp Crp process Cp Local policy And mechanisms Local policy And mechanisms Ian Foster et al. “A Security Architecture for Computational Grids”

  27. Protocol 3: Resource Allocation from a Process Protocol user proxy • The process and its user proxy authenticate each other using CP and CUP . • The process issues a signed request to its user proxy • If the user proxy decides to honor the request, it initiates a resource allocation request to the specified resource proxy using Protocol 2. • The resulting process handle is signed by the user proxy and returned to the requesting process Cup Resource proxy Resource proxy Crp process process Crp Cp Cp Protocol 3: resource Allocation From a process Local policy And mechanisms Local policy And mechanisms Ian Foster et al. “A Security Architecture for Computational Grids”

  28. Protocol 4: Mapping Registration Protocol 1.a User proxy authenticates with the resource proxy. 1.b User proxy issues a signed MAP-SUBJECT-UP request to resource proxy, providing as arguments both global and resource subject names. 2.a User logs on to the resource using the resource's authentication method and starts a map registration process. 2.b Map registration process issues MAP-SUBJECT-P request to resource proxy, providing as arguments both global and resource subject names 3. Resource proxy waits for MAP SUBJECT-UP and MAP SUBJECT-P Requests with matching arguments. 4. Resource proxy ensures that map registration process belongs to the resource subject specified in the map request 5. If a match is found, resource proxy sets up a mapping and sends acknowledgments to map registration process and user proxy. 6. If a match is not found within MAP- TIMEOUT, resource proxy purges the outstanding request and sends an acknowledgment to the waiting entity. 7. If acknowledgment is not received within MAP-TIMEOUT, request is considered to have failed user proxy user proxy Cup Cup Protocol 4: creation of a local Global mapping Ian Foster et al. “A Security Architecture for Computational Grids”

  29. Security Network (local security policy Security Network (local security policy I Want to access Grid from my home ????????????????? ???????????? Security Network (local security policy Use Web Portals I Want to access The grid resource From every location There is an Internet Connection Security Network (local security policy Security Network (local security policy)

  30. Web portals Security requirements • Discussions with the portal development community revealed a number of requirements that impact security. These included: • Users must be able to use any standard web browser to access the Grid portals. • Users must be able to use a web browser from locations where their Grid credentials would not normally be available to them. • Users must be able to do anything through a Grid portal that their credentials would entitle them to do. For example, a user should be able to access the Grid using a web browser at an airport kiosk in the same manner they could from a web browser installed on a system on their desktop in their office. Jason Novotny et al. “An online Credential Repository for Grid: MyProxy”

  31. Goals of myProxy system • Allows users to access their credentials from anywhere on the Grid, even if they are on a system without Grid software and without secure access to their long-term credentials. • Allows them to delegate credentials to resources to which they normally would not be able to, since the applications involved do not support the GSI delegation mechanism (e.g. from a web browser to a portal). • Remove, as much as possible, any credentials from the portal except when they are actually needed, in order to lower the risk of compromise if the portal is compromised. • Multiple portals should be able to use a single system in the case of a domain having more than one portal, and a portal should be able to use multiple systems in the case of a portal that supports users from multiple domains. • Gives the user as much control of their credentials and proxy credentials as possible. Portals should only be able to get a user’s credentials if allowed to do so by a user. Jason Novotny et al. “An online Credential Repository for Grid: MyProxy”

  32. Delegation to the repository • A user starts by using the myproxy-init client program along with their permanent credentials to contact the repository and delegate a set of proxy credentials to the server along with authentication information and retrieval restrictions • The user identity is typically different from the user’s Distinguished Name (DN) in the Grid credentials, as it is actually hand-typed by the user at later times. • The credentials delegated to the repository normally have a lifetime of a week. The user can change this to any length of time desired. • The user can also, at any point, use the myproxy-destroy client program to destroy any credentials they previously delegated to the repository. Myproxy-init Myproxy Credential Repository Jason Novotny et al. “An online Credential Repository for Grid: MyProxy”

  33. Retrieve Credential from the repository • The user, or a service acting on behalf of the user, uses the myproxy-get-delegation program to contact the server and request a delegation of the user’s credentials. • The user must supply the same user identity and pass phrase that they provided when initially delegating the credentials to the server. • After verifying this information and checking any restrictions that the user presented with the delegation , the repository will in turn delegate a proxy credential back to the user or service. • This delegated proxy from the repository may then be used as any other proxy credential generated by the user to initiate actions on the user’s behalf on the Grid. Myproxy-init Myproxy Credential Repository Jason Novotny et al. “An online Credential Repository for Grid: MyProxy”

  34. Using the Myproxy Reposistory with a Grid Portal • 1. The first step to using MyProxy system • with a portal is to delegate a proxy • Credential to the repository. • 2. The portal would then connect to the • MyProxy repository using the myproxy- • get-delegation program, • - authenticates itself using it’s own • Grid credentials, • The repository then, after verifying all • the presented information, would delegate • a proxy credential for the user back to the • portal Step 2: Web portal authenticates to repository & sends requests, including user authentication data Myproxy Credential Repository Myproxy-init Step 3: Repository delegates user credential to portal Step 1: User sends authentication data to portal Web browser Jason Novotny et al. “An online Credential Repository for Grid: MyProxy”

  35. Global policy CAS keep track of the memberships and fine-grained access control policies Community Authorization Service Local policy Security Network I want to use All the available resources Global policy Community Authorization Service Security Network Local policy Global policy Community Authorization Service Local policy Security Network

  36. Community Authorization Service • The CAS server contains entries for: • CAs, users, • servers and resources that comprise the community • and groups that organize these entities. • It also contains policy statements that specify: • who (which user or group) has the permission, • which resource or resource group the permission is granted on, • and what permission is granted. • What permission is denoted by a service type and an action; • the action describes the type of action (e.g., “read” or “execute program”), • the service type defines the namespace in which the action is defined. Laura Pearlman et al. “A community Authorization Service for Group Collaboration”

  37. user CAS community perspective • An individual representing a community can instantiate a CAS server by acquiring an identity certificate for the CAS server, and running the CAS server software. • That individual can then send requests to the CAS server to enroll users and resources into the server and to create policy information • Depending on a community’s policies, a CAS server may have a single administrator who controls everything, or it may take a more distributed approach. • Community users request a capability for a set of actions from the CAS server using the CAS client library or tools built on it. CAS Server CAS- Maintained Community policy database What rights does the community grant to this user CAS request authenticated user credential CAS reply with Capability Laura Pearlman et al. “A community Authorization Service for Group Collaboration”

  38. user Resource Provider Perspective • A resource provider accepts credentials from CAS servers must be able to enforce: • its own local policies • also the community policies carried in CAS credentials. • Server software on the resource must be modified to parse/evaluate the policy statements contained in CAS credentials. • Prior to granting that access, the resource providers may use offline methods to verify that the CAS server is run by someone who actually represents the community, and that the community’s policies are compatible with those of the resource provider. Resource Server Local Policy information Is the resource Authorized For The community Does the capability Authorize this request Resource Request with Capability Resource reply Laura Pearlman et al. “A community Authorization Service for Group Collaboration”

  39. Restricted access • The CAS server grants rights to community members using GSI delegation mechanisms. • The CAS extended the GSI delegation feature to support rich restriction policies to allow grantors to place specific limits on rights that they grant. • The CAS server uses restricted proxy credentials to delegate to each user only those rights granted to that user by the community policy. • The CAS server delegates the user a restricted proxy credential that both authorizes the user to act as a member of the community and limits what the user can do as part of that community. Laura Pearlman et al. “A community Authorization Service for Group Collaboration”

  40. Security considerations • CAS ensures that an entity cannot delegate more authority than it has and that a server process that does not know how to enforce the restrictions in a restricted proxy certificate will reject the certificate outright. • The effective validity time for a proxy certificate is the intersection of the validity times of all the certificates in the certificate chain; the effective set of allowed operations is the intersection of what’s allowed by all the certificates in the chain. • Proxy restrictions are encoded in a critical X.509 extension, so restricted proxies are rejected by authentication libraries that don’t understand restrictions. • The authentication libraries that do understand restrictions reject restricted proxies unless the calling program has indicated its willingness to enforce proxy restrictions. Note: The CAS currently doesn’t provide a mechanism for the revocation of proxy certificates, relying instead on their short lifetimes. Laura Pearlman et al. “A community Authorization Service for Group Collaboration”

  41. Compromised CAS Server • If a CAS server is compromised or untrustworthy, it can issue credentials that do not reflect the policies of the community that it represents. • A resource provider would honor such a credential for any access that its local policies grant to that community. • A compromised CAS server might also issue credentials that (attempt to) grant access to resources that don’t belong to the community, but unless a resource server has been configured to grant access on those resources to that community, those credentials will be rejected. • If a CAS server is discovered to have been compromised, resource servers can use their local access control mechanisms to revoke any permissions granted to that server. Laura Pearlman et al. “A community Authorization Service for Group Collaboration”

  42. Compromised Resource Server • Although a compromised or untrustworthy resource server is likely to be a serious problem, this does not create cascaded security issues. For example, if a user uses a CAS credential to authenticate to a compromised resource server, that server cannot use that CAS credential to gain additional access, because the resource server never sees the private key. • For highly-sensitive applications where greater assurance of resource enforcement of community policy is required, a mechanism such as Law-Governed Interaction can be used to help assure this. Laura Pearlman et al. “A community Authorization Service for Group Collaboration”

More Related