EGEE is a project funded by the European Union under contract IST-2003-508833.
EGEE Security
Åke Edlund, Security Head
EU IST-FP6 Concertation, 17th September

Presentation transcript:


Contents
- EGEE security plans
- Identified problems/challenges
- Some words on Trust
- EUGridPMA

EGEE security plans (1/2)

Security Requirements - Horizontal activity, managed through central groups
- Lesson learned: reused and updated requirements from earlier projects
- Collecting (continuous process) the requirements from the activities - Middleware, Sites, Applications.
- Share the requirements with other grid activities and get feedback, e.g. in the US
- Prioritization set in the security groups, with representatives from all involved activities.
- Defining what security modules to deliver when.

Product - leverage on the biomed requirements
- To keep the industry focus we put extra effort, from day one, in supporting biomed applications, being a security demanding application.

Middleware - Security is not an add-on, has to be there from start
- From start, and ‘all over the place’: All JRA3 members are also part of the Middleware development.
- Active in the architecture and design of the middleware

(Diagram labels: Middleware, JRA1; Security, JRA3)

EGEE security plans (2/2)

Security Architecture - Modular, Agnostic, Standard, Interoperable
- Modular – add new modules later
- Agnostic – modules will evolve
- Standard – start with transport-level security but intend to move to WS-Security when it matures
- Interoperable - at least for AuthN & AuthZ
- Applied to Web-services hosted in containers and applications (Apache Axis & Tomcat) as additional modules

Worldwide solution - Involve non-European partners at an early stage
- Bob Cowles (SLAC, OSG) and Dane Skow (Fermilab, OSG) members of the MWSG
- Establish contact through hands-on activities. Example: EGEE and OSG to define common operational security procedures, by contributing to/working out common documents, mostly by reusing OSG work already in place.

Identified problems/challenges

| Issue | Current solution |
|---|---|
| Get focus on Security | Active security work from start, security groups, driving/guiding documents |
| Get involvement from GGF, OSG,.. | Middleware Security Group (MWSG) |
| Avoid gaps in the security work | Security Architect for the MW, Security Head overall responsible |
| Lagging standardization work, e.g. OGSA (Open Grid Services Architecture) | Writing initial recommendations for reengineering focusing on ordinary WS now, OGSA later |
| Coordinating operational sec work | Joint Security Group (JSG, SA1), guided by JRA3 documents (created together with SA1, OSG) |

Global security architecture (1/4)

Overview of the security architecture services.

| Service | Description | Time frame |
|---|---|---|
| Logging and Auditing | Ensures monitoring of system activities, and accountability in case of a security event | Now |
| Authentication | Credential storage ensures proper security of (user-held) credentials | Now |
| | Proxy certificates enable single sign-on. TLS, GSI, WS-Security and possibly other X.509 based transport or message-level security protocols ensure integrity, authenticity and (optionally) confidentiality | Now |
| | EU GridPMA establishes a common set of trust anchors for the authentication infrastructure | Now |
| | Pseudonymity services address anonymity and privacy concerns | Mid-term |

Global security architecture (2/4)

Overview of the security architecture services.

| Service | Description | Time frame |
|---|---|---|
| Authorization | Attribute authorities enable VO managed access control | Now |
| | Policy assertion services enable the consolidation and central administration of common policy | Future |
| | Authorization framework enables local collection, arbitration, customisation and reasoning of policies from different administrative domains, as well as integration with service containers and legacy services | Now |
| Delegation | Allows for an entity (user or resource) to empower another entity (local or remote) with the necessary permissions to act on its behalf | Now |

Global security architecture (3/4)

Overview of the security architecture services.

| Service | Description | Time frame |
|---|---|---|
| Data key management | Enables long-term distributed storage of data for applications with privacy or confidentiality concerns | Mid-term |
| Sandboxing | Isolates a resource from the local site infrastructure hosting the resource, mitigating attacks and malicious/wrongful use | Mid-term |
| Site proxy | Enables applications to communicate despite heterogeneous and non-transparent network access | Mid-term |

Global security architecture (4/4)

High-level requirements and how the architecture addresses them.

| Requirement | Fulfilled | Solution/Technology/Service | Time frame |
|---|---|---|---|
| Single sign-on | Yes | Proxy certificates and a global authentication infrastructure | Now |
| User Privacy | Partially | Pseudonymity services | Mid-term |
| Data Privacy | Partially | Encrypted data storage | Mid-term |
| Audit ability | Partially | Meaningful log information | Now |
| Accountability | Yes | All system interactions can be traced back to a user | Now |
| VO managed access control | Yes | VOMS | Now |
| Support for legacy and non-WS based software components | Yes | Modular authentication and authorization software suitable for integration | Now |
| Timely revocation delays | Yes | Gradual transition from CRL based revocation to OCSP based revocation | Mid-term |
| Non-homogeneous network access | Yes | Site Proxy | Future |

Status - EGEE Security
- Global Security Architecture
- Security requirements
- Incident response capability

(Timeline axis: PM4, PM5, PM6)
- MWSG3, August 25
- JRA1 All-hands meeting, June
- Security requirement doc MJRA3.1 (PM3) completed
- Taxonomy document on Incident handling and Security operational procedures; definition of a common Grid incident format. (PM6+) In cooperation with JSG and OSG
- Phase1 OGSA doc MJRA3.3 (PM4) completed
- DJRA3.1 Security Architecture doc (PM5) delivery date: Sept. 17

Recurrent tasks:
- JRA1 design team, integration, testing
- EUGridPMA, QAG
- Software maintenance and development

Software maintenance and development
- PM5: SOAP over HTTPS 80%
- PM6: Delegation 45%, AuthZ framework 70%, Mutual AuthZ 10%, VOMS admin & parser (ongoing)
- PM7: Message level security 70%
- PM9: Resource access control 10%, Grid enhancements for OpenSSL Started
- PM11: Site Proxy for GRID cluster Started

September 13

Some words on Trust (1/2)

The authentication model for EGEE is based on the concept of trusted third parties (TTPs): entities that are not related to any relying party except through a trust relationship. Underlying the trust relationship is the digital signature of the TTP, based on standard asymmetric cryptography. The TTP will bind the cryptographic key pair to one or more identifiers that represent the entity.

Although theoretically a single TTP could service the entire community, in practice a mesh of TTPs exists. One can thus define a set of resources, users and services that agree to use a common set of TTPs for authentication. Such a common authentication domain does not imply common rights of access or constitute an “infrastructure” of sorts.

In the context of the EGEE project, it is assumed that a common set of TTPs exists. It is not assumed that all entities accept all TTPs: this introduces an additional failure mode that higher-level services should cover for.

Some words on Trust (2/2)

For the EGEE project, management of the common authentication domain based on TTPs is delegated to the EUGridPMA and the LCG/SA1 Joint Security Group.
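Added example (not part of the original slides): a pre-flight check that a higher-level service could run to catch the failure mode named above, where not every entity accepts every TTP. The entity names, the CA-A/CA-B/CA-C labels and the user -> broker -> resource path are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    issuer: str            # TTP that signed this entity's credential
    trusted: frozenset     # TTPs this entity accepts as trust anchors


def accepts(verifier, subject):
    """None if verifier accepts subject's TTP, else a reason string."""
    if subject.issuer in verifier.trusted:
        return None
    return f"{verifier.name} does not accept {subject.issuer} (issuer of {subject.name})"


def mutual_auth(a, b):
    """Mutual authentication needs acceptance in both directions."""
    return accepts(b, a) or accepts(a, b)


def common_domain(entities):
    """TTPs accepted by every entity: the common authentication domain."""
    return frozenset.intersection(*(e.trusted for e in entities))


def preflight(user, broker, resources):
    """Map each resource name to 'ok' or the first trust failure on the path
    user -> broker -> resource. Assumption of this model: the broker presents
    a credential delegated by the user, so the resource must also accept the
    user's TTP."""
    result = {}
    for r in resources:
        failure = mutual_auth(user, broker) or mutual_auth(broker, r) or accepts(r, user)
        result[r.name] = failure or "ok"
    return result


# Constructed sample data; CA-A, CA-B and CA-C are hypothetical TTPs.
USER = Entity("user", "CA-A", frozenset({"CA-A", "CA-B"}))
BROKER = Entity("broker", "CA-B", frozenset({"CA-A", "CA-B", "CA-C"}))
SITES = [
    Entity("site1", "CA-B", frozenset({"CA-A", "CA-B"})),
    Entity("site2", "CA-C", frozenset({"CA-B", "CA-C"})),
    Entity("site3", "CA-C", frozenset({"CA-A"})),
]

if __name__ == "__main__":
    for site, status in preflight(USER, BROKER, SITES).items():
        print(f"{site}: {status}")
    print("common domain:", sorted(common_domain([USER, BROKER] + SITES)))
```

Running the check before dispatch turns a handshake failure at the remote site into an explicit reason naming the TTP that is missing from a trust store.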

EGEE Authentication Scope

CA coordination is an activity of EGEE JRA3
- establish a CA trust domain for EGEE
- coordination of existing national initiatives

Milestone in PM3, reached as of April 1st: the EUGridPMA
… and even with a much larger community appeal

The EUGridPMA

European Grid Authentication Policy Management Authority for e-Science
- Coordinates authentication for people and services for European and related Grid projects
- EGEE, DEISA, SEEGRID, LCG, …
- ‘PMA’ manages authentication guidelines policy
- Trust domain for research and academic purposes

Certificate Authority Coordination

Evolved from the CA Coordination Group in DataGrid, CrossGrid, LCG, …

collection of national or regional CAs
- better identity vetting
- national legislation

all meet or exceed minimum requirements
- identity checking (in-person, photo-ID)
- physical security (off-line signing key, storage)
- naming (unique certificate names)
- revocation (updated lists, retrieval)

Clearly defined accreditation procedure

Where to go for a certificate?

Everyone (almost) in Europe has a national CA (April data)
- Green: CA Accredited
- Yellow: being discussed

Other Accredited CAs:
- DoEGrids (US)
- GridCanada
- ASCCG (Taiwan)
- ArmeSFO (Armenia)
- CERN
- Russia (HEP)
- FNAL Service CA (US)
- Israel
- Pakistan

The Catch-All CAs

For those left out of the rain in EGEE
- CNRS “catch-all”
- coverage for all EGEE partners
- you should agree on a local Registration Authority

For the South-East European Region
- regional catch-all is being established (SEE-GRID)

For LCG physicists world-wide
- DoeGrids CA (ESnet)
- Registration Authorities through SA1

A European Authentication Solution

Common services to all European eInfrastructure
- EUGridPMA: All EU Grid infrastructure FP6 programmes
  CAs also cover inter-organisational national projects
- TERENA TACAR provides more than Grid CAs: e.g. NREN CAs for access to wireless networks
  root of trust for any other Authentication and Authorisation Infrastructure (AAI’s)
  library access, scientific journals, etc.

EUGridPMA collaborates in gridpma.org
- International Grid Federation (IGF) with US & AP
- en route to a federation covering the world