National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Advertisements

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
GT 4 Security Goals & Plans Sam Meder
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Network Security Essentials Chapter 4
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Access Control Methodologies
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications
Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Deploying the TeraGrid PKI Grid Forum Korea Winter Workshop December 1, 2003 Jim Basney Senior Research Scientist National Center for Supercomputing Applications.
National Center for Supercomputing Applications PKI and CKM ® Scaling Study NCASSR Kick-off Meeting June 11-12, 2003 Jim Basney
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Chapter 11: Active Directory Certificate Services
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
National Computational Science National Center for Supercomputing Applications National Computational Science Alliance Setup Package Requirements Jim Basney.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Managing Credentials with MyProxy Jim Basney National Center for Supercomputing Applications University of Illinois
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
An OGSI CredentialManager Service Jim Basney, Shiva Shankar Chetan, Feng Qin, Sumin Song, Xiao Tu National Center for Supercomputing Applications, University.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,
Grid technology Security issues Andrey Nifatov A hacker.
Module 13: Enterprise PKI Active Directory Certificate Services (AD CS)
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.
X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.
Grid Security.
Presentation transcript:

National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security Infrastructure GlobusWorld Security Workshop January 16, 2003 Jim Basney

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Credential Management Enrollment: Initially obtaining credentials Retrieval: Getting credentials when and where they’re needed Renewal: Handling credential expiration Translation: Using existing credentials to obtain credentials for a new mechanism or realm Delegation: Granting specific rights to others Control: Monitoring and auditing credential use Revocation: Handling credential compromise We need tools to cope with the complexity of credential management on the Grid.

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Grid Credentials Identity credentials –Different mechanisms (X.509, Kerberos,.NET) –Different authorities (CAs, KDCs) –Different purposes (authentication, signing, encryption) –Different roles (project-based, security levels) Authorization credentials –X.509 attribute certificates –SAML/XACML/XrML assertions Trusted credentials –CA certificates and policies –Other certificates and public keys (SSH, PGP)

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Accessing Credentials Ubiquitous access to the Grid –Initiate secure Grid sessions from desktops, kiosks, PDAs, cell phones, etc. –Requires access to needed credentials, including trusted credentials (CA certificates, etc.) –Bootstrap from password Delegating credentials to transient services –May need to retrieve additional credentials and/or renew existing credentials at run-time –Need access to trusted credentials and policy information

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Traditional PKI Enrollment 1.End entity generates public/private key pair & submits certificate request to CA 2.CA approves/denies certificate request & signs certificate if request is approved 3.End entity retrieves signed certificate from the CA

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Traditional PKI Enrollment Can be cumbersome for users and CA operators –May require a trip to a Registration Authority or some other out-of-band identity verification –CA operators must examine each request and sometimes investigate further before deciding to approve or deny –Process may take hours or days to complete

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science End Entity Key Management Typical practice in GSI is to store private keys in files encrypted by a passphrase –Security depends on well-chosen passphrases and well-secured filesystems Users copy private keys to the different systems they use to access the Grid Not all Grid users are PKI experts –Just want to do their computing securely –Can we improve usability and security of end entity key management on the Grid? Alternatives: Smart Cards, Online CAs, Online Credential Repositories

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Smart Cards User-managed, portable credential storage Security analogous to car keys or credit cards Private keys stay in hardware Card standards are mature Costs are decreasing but still significant –$20 readers, $2 cards –Government ID card deployments Can pre-load credentials on the card before distributing it Some support already in GSI libraries

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Online CA User authenticates to CA to obtain credentials immediately Leverage existing authentication mechanisms (password, Kerberos, etc.) Identity mapping: –Simple transformation (i.e., include Kerberos principle name in X.509 certificate subject) or administrator- managed mapping Signs long-term and/or short-term credentials –If long-term, then credentials are user-managed –If short-term, credentials retrieved on demand, without need for user key management

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Online CA Security CA machine must be well-secured Signing key must be well-protected (i.e., stored in hardware crypto module) Key compromise allows attacker to create arbitrary credentials CA compromise may allow attacker to manipulate user authentication or identity mapping info If compromised, must revoke CA certificate and change CA signing key Short-term credentials don’t need to be revoked

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Online Credential Repository Store encrypted credentials and access policy in an online repository –Repository may be mechanism-aware or may simply hold opaque credentials Authenticate to repository to retrieve opaque or delegated credentials Separates credential creation from credential management Can be deployed by individuals, small groups, VO managers, or CA operators Credentials can be pre-loaded to leverage existing authentication mechanisms

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Credential Repository Security Credentials individually encrypted with user’s passphrase Compromise requires offline attack on each credential Centralized storage of credentials may violate policies (CA CP/CPS) If compromised, credentials in repository must be revoked

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Who Holds The Keys? Viewpoint #1: End entities should have sole possession of their long-term keys –Administrator access to end entity keys voids non-repudiation Viewpoint #2: End entities can’t be trusted to secure their long-term keys –Centralized key distribution enforces password policies and credential lifetime limits Will this issue hinder cross-site collaboration?

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Credential Renewal Long-lived tasks or services need credentials –Task lifetime is difficult to predict Don’t want to delegate long-lived credentials –Fear of compromise Instead, renew credentials as needed during the task’s lifetime –Renewal service provides a single point of monitoring and control –Renewal policy can be modified at any time –For example, disable renewals if compromise is detected or suspected

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Credential Renewal Job Broker Credential Service Resource Manager Job HomeRemote Submit Jobs Enable Renewal Launch Job Retrieve Credentials Refresh Credentials

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Multiple Credentials Will a single identity credential per user suffice? –A lot of work is being done to vet and/or cross- certify Grid CAs –How is that different from Kerberos cross-realm authentication? Alternative: Provide tools to manage multiple credentials –Single sign-on unlocks all credentials –Grid protocols negotiate for required credentials (WS-SecurityPolicy) –Authorization decision between individual and resource provider, rather than between realms

National Computational Science National Center for Supercomputing ApplicationsNational Computational Science Credential Wallet Consolidated view of my credentials Credential management interface –Add, remove, or modify credentials –Associate policies with credentials –Create authorization credentials One-stop credential access point –Single sign-on unlocks credentials for a session –Contains pointers to available credential services Manage credentials on my behalf –Example: renew credentials as needed Notify when events occur or action is required