GSI – Grid Security Infrastructure and the EU DataGrid Authentication Infrastructure For the EDG CACG: David Groep.

David Groep – GSI and EU DataGrid Authentication

Outline
- The Grid in one line
- The Grid Security Infrastructure (from Globus)
- EU DataGrid (EDG)
- The EDG CA Coordination Group (CACG)

The Grid in one line
“The Grid: coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations” (Carl Kesselman, Ian Foster, The Anatomy of the Grid)
- Extension of “meta-computing” to ubiquitous resources
- Pioneered by the I-WAY, GUSTO and the Globus Project
- Vision: getting resources like you get electricity nowadays

A Quick Refresher
Grid Security Infrastructure (GSI) =
  X.509 (PKI certificate format)*
  + proxy certificates (single sign-on & delegation)
  + TLS/SSL (authentication & message protection)*
  + delegation protocol (remote delegation)
  + GSS-API (standard API)*
  + GSS-API Extensions (better Grid support)
* = existing IETF standards; the others are GGF & IETF drafts

X.509 Proxy Certificates Work
- Defines how a short-term, restricted credential can be created from a normal, long-term X.509 credential
  - A “proxy certificate” is a special type of X.509 certificate that is signed by the normal end-entity certificate, or by another proxy
  - Supports single sign-on & delegation through “impersonation”
- ANL, ISI, LBNL

Restricted Proxies
- Q: How to restrict the rights of a delegated proxy to a subset of those associated with the issuer?
- A: Embed a restriction policy in the proxy certificate
  - The policy is evaluated by the resource upon proxy use
  - Reduces the rights available to the proxy to a subset of those held by the user
- But how to avoid policy-language wars?
  - The proxy certificate just contains a container for a policy specification, without defining the language
    - Container = OID + blob
  - Policy languages can evolve over time

Delegation Tracing
- Often want to know through what entities a proxy certificate has been delegated
  - Audit (retrace footsteps)
  - Authorization (deny from bad entities)
- Solved by adding information to the signed proxy certificate about each entity to which a proxy is delegated
  - Does NOT guarantee proper use of the proxy
  - Just tells you which entities were purposely involved in a delegation
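The restricted-proxy and delegation-tracing rules from the two slides above, as an added example in Python (not code from the talk or from the Globus Toolkit). Certificates are plain objects rather than real X.509, the signature is represented only by the issuer/subject link, and the policy language inside the OID + blob container is assumed to be a set of allowed operations.

```python
# Added example, not Globus code: a simplified model of restricted proxies and
# delegation tracing. Times are hours on a constructed clock; the policy
# "language" (a set of allowed operations) is a hypothetical choice.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: int            # validity end
    rights: frozenset         # restriction policy: allowed operations (assumed language)
    trace: tuple = ()         # delegation tracing: entities the credential was delegated to


def delegate(parent: Cert, to_entity: str, now: int, lifetime: int,
             restrict_to: Optional[Iterable[str]] = None) -> Cert:
    """Issue a proxy from `parent` (EEC or another proxy) for `to_entity`.
    Rights can only shrink, the proxy cannot outlive its signer, and the
    new holder is appended to the delegation trace."""
    rights = parent.rights if restrict_to is None else parent.rights & frozenset(restrict_to)
    return Cert(subject=parent.subject + "/CN=proxy", issuer=parent.subject,
                not_after=min(parent.not_after, now + lifetime),
                rights=rights, trace=parent.trace + (to_entity,))


def evaluate(chain: List[Cert], now: int,
             denied: frozenset = frozenset()) -> Tuple[bool, frozenset]:
    """Resource-side check of [EEC, proxy1, ..., proxyN]: effective rights are
    the intersection of all policies; reject on expiry, a proxy not issued by
    the previous link, or a trace naming an entity the resource distrusts."""
    rights = frozenset(chain[0].rights)
    for prev, cert in zip(chain, chain[1:]):
        if cert.issuer != prev.subject or not cert.subject.startswith(prev.subject + "/"):
            return False, frozenset()
        rights &= cert.rights
    if any(c.not_after <= now for c in chain):
        return False, frozenset()
    if denied & frozenset(chain[-1].trace):
        return False, frozenset()
    return True, rights


def build_chain(now: int) -> List[Cert]:
    """Constructed sample: Alice -> broker (full rights, 12 h) -> worker (read only)."""
    eec = Cert("/O=EDG/CN=Alice", "/O=EDG CA", now + 24 * 365, frozenset({"read", "write", "submit"}))
    p1 = delegate(eec, "broker.example", now, lifetime=12)
    p2 = delegate(p1, "worker.example", now, lifetime=48, restrict_to={"read"})
    return [eec, p1, p2]
```

With `build_chain(1000)`, `evaluate(chain, 1000)` yields `(True, frozenset({'read'}))`; denying `broker.example` or moving the clock past hour 1012 rejects the chain, because the worker's proxy inherited the broker's shorter lifetime.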

Proxy Certificate Standards Work
- “Internet Public Key Infrastructure X.509 Proxy Certificate Profile”
  - draft-ietf-pkix-proxy-00.txt
    - Draft being considered by the IETF PKIX working group, and by the GGF GSI working group
  - Defines the proxy certificate format, including restricted rights and delegation tracing
- An LBNL student is implementing it in OpenSSL
- Demonstrated a prototype of restricted proxies at HPDC as part of the CAS demo

Delegation Protocol Work
- “TLS Delegation Protocol”
  - draft-ietf-tls-delegation-01.txt
    - Draft being considered by the IETF TLS working group, and by the GGF GSI working group
  - Defines how to remotely delegate an X.509 Proxy Certificate using extensions to the TLS (SSL) protocol

Community Authorization Service
- Question: How does a large community grant its users access to a large set of resources?
  - Should minimize the burden on both the users and the resource providers
- Solution: Community Authorization Service (CAS)
  - Community negotiates access to resources
  - Resource outsources fine-grain authorization to CAS
  - Resource only needs to know about the “CAS user” credential
    - CAS handles user registration, group membership, …
  - A user who wants access to a resource asks CAS for a capability credential
    - Restricted proxy of the “CAS user” credential, checked by the resource

CAS Operation (diagram)
1. CAS request, from the User to CAS, with resource names and operations
   - CAS checks, using user/group membership, resource/collective membership and collective policy information: does the collective policy authorize this request for this user?
2. CAS reply, with capability and resource CA info
3. Resource request, authenticated with the capability
   - Resource checks, using local policy information: is this request authorized for the CAS? Is this request authorized by the capability?
4. Resource reply

Community Authorization Service
- CAS provides the user community with the information needed to authenticate resources
  - Sent with the capability credential, used on connection with the resource
  - Resource identity (DN), CA
- This allows new resources/users (and their CAs) to be made available to a community through the CAS without action on the other users’/resources’ part

The EU DataGrid (EDG) Project
- DataGrid: generic Grid middleware and test bed for
  - High Energy Physics
  - Earth Observation and ozone modelling
  - Bio-informatics & bio-medicine
- Middleware components (on top of Globus):
  - scheduling and accounting
  - data replication and management
  - monitoring
  - data storage
  - fabric and farm management

EDG Work Package Overview (layered diagram, top to bottom)
- Applications: HEP Apps (WP8), EO Apps (WP9), Bio Apps (WP10)
- Data Grid Services: Workload Management (WP1), Data Management (WP2), Monitoring Services (WP3)
- Core Middleware: Globus Middleware
- Physical Fabric: Fabric Management (WP4), Networking (WP7), Mass Storage Management (WP5)

The EDG Test Bed
- Started end 2000 – beginning 2001 with “Test Bed 0”
  - Globus installations in several countries
  - Implement the core infrastructure to get this to work
- Test Bed 1, deployed Nov 2001, successful demo on March 1st
- Continuous upgrades till December 2003

The first Grid CAs
- The Globus Project has been running a “worthless” CA
  - authentication based on a non-bouncing address only
  - not accepted by many of the participating sites
- For the EDG “production” test bed there is a need for just a bit stronger authentication
  - grass-roots effort by volunteers in various countries
  - policies and practices all different
  - various degrees of subject authentication
  - a (very) few CAs are still in need of a written policy

Current EDG Certification Authorities
- CERN (HEP-only, Grid-only)
- Czech Republic (CESNET)
- France (CNRS)
- Spain (IFCA, HEP-only, Grid-only)
- Netherlands (NIKHEF/DutchGrid, Grid-only)
- Italy (INFN, HEP-only, Grid-only)
- Portugal (LIP, HEP-only, Grid-only)
- Nordic Countries (NBI, Grid-only)
- Russia (Moscow State University, HEP-only, Grid-only)
- GridPP/UKHEP (CLRC/RAL, Grid-only)
- DoESG CA (ESnet, Grid-only)
- Germany (FZK, Grid-only)

Some EDG CA stats:
- 11 CAs
- 1 year in operation
- ~1000 certs issued
- potential community: 10000–40000–???

EDG CA “Minimum Requirements” (1)
- Still largely defined by common practice … “An acceptable procedure for confirming the identity of the requestor […] e.g. by personal contact or some other rigorous method”
  - One CA per country → basic trust in personal authentication by CA/RA
  - Subject name includes full given name and affiliation
  - Specific name forms per CA (but all different)
  - Most use personal voice recognition of known persons, or check official ID papers via an RA
  - RA-to-CA communications are integrity-protected
  - Affiliation usually checked by looking in “public” directories
  - “Host certificates” introduced by a pre-certified administrator

EDG CA “Minimum Requirements” (2)
- Technical controls are better specified
  - machine with the CA private key not connected to any network
  - CA RSA key length 2048 bits → lifetime 5 years
  - Subscriber key length > 1024 bits → 1 year
  - All CAs issue a CRL with a 30-day lifetime (updated ~weekly)
  - Relying parties must update every 24 hrs
  - Audit logs must be kept
  - but no auditing is done! (no funding)
- Strongly recommends running a directory service
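The technical controls on this slide, turned into checks a relying party or CA manager could run, as an added example in Python (not from the talk or any EDG tool). Times are hours on a constructed clock, and reading “> 1024 bits” as “at least 1024 bits” is an assumption.

```python
# Added example, not EDG code: relying-party checks for the EDG CA technical
# controls (key length / lifetime, 30-day CRL lifetime, 24-hour refresh).
from dataclasses import dataclass
from typing import List

HOUR, DAY, YEAR = 1, 24, 24 * 365   # constructed clock, everything in hours


@dataclass(frozen=True)
class CertInfo:
    subject: str
    is_ca: bool
    rsa_bits: int
    not_before: int
    not_after: int


def key_policy_violations(c: CertInfo) -> List[str]:
    """CA certs: 2048-bit RSA, at most 5 years. Subscriber certs: at least
    1024 bits (assumed reading of the slide's '> 1024'), at most 1 year."""
    min_bits, max_life = (2048, 5 * YEAR) if c.is_ca else (1024, 1 * YEAR)
    problems = []
    if c.rsa_bits < min_bits:
        problems.append(f"{c.subject}: RSA key {c.rsa_bits} bits < {min_bits}")
    if c.not_after - c.not_before > max_life:
        problems.append(f"{c.subject}: lifetime exceeds {max_life // DAY} days")
    return problems


def crl_status(this_update: int, next_update: int, fetched_at: int, now: int) -> str:
    """Decide whether a cached CRL may still be relied on: the CA may not issue
    CRLs living longer than 30 days, an expired CRL is never acceptable, and the
    relying party must have refreshed its copy within the last 24 hours."""
    if next_update - this_update > 30 * DAY:
        return "reject: CRL lifetime exceeds 30 days"
    if now >= next_update:
        return "reject: CRL expired, refresh required"
    if now - fetched_at > 24 * HOUR:
        return "refresh: cached copy older than 24 hours"
    return "ok"
```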

EDG CA CP/CPS and the Matrices
- Every EDG CA must provide a (combined) CP/CPS
  - RFC 2527 format preferred
  - a per-CA “feature matrix” is made
- Cross-evaluation of the CP/CPS by every CA Manager
  - tries to make up for the lack of auditing
  - provides trust guidelines for “local” site administrators
  - every CA Manager should inspect all other CP/CPSs
  - yields the Acceptance Matrix

CA Feature Matrix (table by Brian Coghlan, TCD, Ireland)

CA Acceptance Matrix
The Acceptance Matrix. Problem: this does not scale
- Already 12 CAs
- Numbers growing rapidly
- CrossGrid Project: +7 countries
- CERN/LHC: +120 countries
- ….
- Automate the evaluation
- Move the work to proper forums

Grid CA Standardization Efforts
- Global Grid Forum (GGF)
  - standardization body modelled on the IETF/IRTF
  - 2 working groups in the security area:
    - Grid Security Infrastructure wg
    - GridCP wg
- GridCP working group
  - define a reference CP (with four? levels)
  - every compliant CA should add its own appendix with a CPS (a few pages)
  - not clear on: cross-certifying, root, or bridge CA

EDG and GGF CA References
- The EU DataGrid: http://
- The Globus Project: http://
- EDG CACG site: http://marianne.in2p3.fr/datagrid/ca/
- GGF GridCP wg: http://
- DoESG site: http://envisage.es.net/