X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.

Slides:

Advertisements

Similar presentations

Proxy Certificate Profile Douglas E. Engert Argonne National Laboratory 12/14/2001 COPYRIGHT STATUS: Documents authored by Argonne National.

Advertisements

Introduction of Grid Security

The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National.

GT 4 Security Goals & Plans Sam Meder

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Chapter 14 – Authentication Applications

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

MyProxy: A Multi-Purpose Grid Authentication Service

A responsibility based model EDG CA Managers Meeting June 13, 2003.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

Lecture 23 Internet Authentication Applications

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Grid Security. Typical Grid Scenario Users Resources.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

Abdelilah Essiari Gary Hoo Keith Jackson William Johnston Srilekha Mudumbai Mary Thompson Akenti - Certificate-based Access Control for Widely Distributed.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Security Management.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Digital Signatures A Brief Overview by Tim Sigmon April, 2001.

Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.

© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.

Manish Mehta, CS 590L Authentication Services in Open Grid Services by Manish Mehta April 27, 2004.

Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

Grid Authorization Landscape and Futures Von Welch NCSA

Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,

Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.

Globus and PlanetLab Resource Management Solutions Compared M. Ripeanu, M. Bowman, J. Chase, I. Foster, M. Milenkovic Presented by Dionysis Logothetis.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.

11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

VOMS Attribute Authorities Michael Helm ESnet/LBNL 23 Feb 2007.

1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.

Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.

Security and Delegation The Certificate Perspective Jens Jensen Rutherford Appleton Laboratory Workshop at NIKHEF, 27 April 2010.

APNIC Trial of Certification of IP Addresses and ASes

Resource Certificate Profile

Grid Security: What is it? Where is it going? Why?

Presentation transcript:

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven Tuecke, Von Welch (Presenter:

PKI '04 April 12Proxy Certificates2 Outline Problem Statement, Motivations, Approach Proxy Certificate Solution –What are they? –What can they do? Status: Standardization, Implementation, Deployment

PKI '04 April 12Proxy Certificates3 Use Case Job Data Store Job Broker Doman A Domain B Domain C Domain D

PKI '04 April 12Proxy Certificates4 Motivation Dynamic Delegation –Run-time decision on who and what –Support late binding of jobs to resources Dynamic Entities –Entities (e.g. Jobs) created at same time Single Sign On –Avoid repeated manual authentication Easy (user-driven) cross-domain use

PKI '04 April 12Proxy Certificates5 Approach Start with PKI –Aids cross-domain trust issues since trust relationships can be set up by individual Build off of existing standards –Needs to be easily understood by security folks at many sites Ease of implementation –Use with existing PKI libraries as much as possible –Start with identity-based authz systems

PKI '04 April 12Proxy Certificates6 Our solution: Proxy Certificates Allow users to delegate on the fly by granting other entities the right to use their name Prototypes in ’98 Standardized in IETF/PKIX 2004 Fully implemented, deployed and widely used

PKI '04 April 12Proxy Certificates7 Same format as X.509 Public Key Identify Certificate, but signed by user (or another proxy certificate) Name scoped to issuer’s name Support restricted delegation from issuer to bearer Includes critical extension to identify as Proxy and express delegation

PKI '04 April 12Proxy Certificates8 Certificate attribute X.509 Public key certificate X.509 Proxy Certificates Issuer/ Signer A certification authorityA public key certificate or another Proxy Certificate NameAny as allowed by issuer’s policy Unique, scoped to namespace defined by issuer’s name Delegation from Issuer NoneAllows for arbitrary delegation policies Key pairsUses unique key pair

PKI '04 April 12Proxy Certificates9 ProxyCertInfo Extension Critical X.509 Extension Identifies a certificate as a Proxy Cert Allows issuer to express delegation intentions

PKI '04 April 12Proxy Certificates10 ProxyCertInfo Delegation Policy Does not specify any method of expression –No language will be right for everyone all the time Instead OID to identify language and language-specific field –Any language can be used as long as understood by relying party Two methods defined: All and none

PKI '04 April 12Proxy Certificates11 Single Sign On User creates key pair locally Signs new public key with identity private key Gives short life span –E.g. 8 hours Probably all rights Allows for weak (filesystem) protection of private key and easy use

PKI '04 April 12Proxy Certificates12 Delegation

PKI '04 April 12Proxy Certificates13 Performance and Security Issues Proxy generate requires key pair generation Those accepting delegation must take care to prevent DoS –Validate delegation request before generating key pair

PKI '04 April 12Proxy Certificates14 Authorization Methods All rights/impersonation –Works great if you don’t mind ignoring least privilege Delegation with restrictions –Issue: How does authentication mechanisms know restrictions will be enforced? Identity from Proxy Certificate plus addition assertions to grant rights

PKI '04 April 12Proxy Certificates15 Standardization Status Proxy certificates have passed PKIX and IETF last calls Awaiting editorial process to become RFC Latest version is draft-ietf-pkix-proxy-10: – –Defines specifics of Proxy certificate creation and path validation

PKI '04 April 12Proxy Certificates16 Implementation Fully implemented in Globus Toolkit’s Grid Security Infrastructure (GSI) – Build on OpenSSL –Changes are additions to handle Proxy Cert path validation as error handlers to normal path validation Similar Java implementation GSSAPI-based library –Also integrated with SSH, FTP, CVS

PKI '04 April 12Proxy Certificates17 Deployment Many CAs issuing certificates for use with Proxy certificates for production Grids around the world –Master CA list at –Two dozen plus CAs, including DOE, NSF, NASA Old Globus CA with 5k+ certs

PKI '04 April 12Proxy Certificates18 Future Work One-time passwords/Two-factor authentication –Lot of recent attacks using keyboard sniffing –Service that hands out proxies authenticating with OTP Poor man’s hardware tokens Reasonable Restrictions –Where from? Intended use? –IP addresses too fragile (NAT, mobility, multi-homed) –Allow for late binding to resources Revocation –Even with short lifetime, interest in revocation

PKI '04 April 12Proxy Certificates19 Summary Proxy Certificates are extension to X.509 identify certificates to allow for real-time delegation and naming Implemented with minimal changes to existing PKI libraries In production use in Grids world-wide Implementation available as part of Globus Toolkit (

PKI '04 April 12Proxy Certificates20 Acknowledgements DOE – SciDAC “Security for Group Collaboration” Many colleagues in Global Grid Forum and IETF for ideas and discussions Questions?