VOMS Attribute Authorities Michael Helm ESnet/LBNL 23 Feb 2007.

Slides:

Advertisements

Similar presentations

Building Secure Mashups D. K. Smetters PARC Usable.

Advertisements

Introduction of Grid Security

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

A responsibility based model EDG CA Managers Meeting June 13, 2003.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Lecture 23 Internet Authentication Applications

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Grid Security. Typical Grid Scenario Users Resources.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April

Levels of Assurance OGF Activity Michael Helm ESnet/LBNL 27 Feb 2007.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

WebFTS as a first WLCG/HEP FIM pilot

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Unit 1: Protection and Security for Grid Computing Part 2

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

King Mongkut’s University of Technology Faculty of Information Technology Network Security Prof. Reuven Aviv 6. Public Key Infrastructure Prof. R. Aviv,

Military Technical Academy Bucharest, 2004 GETTING ACCESS TO THE GRID Authentication, Authorization and Delegation ADINA RIPOSAN Applied Information Technology.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Building Security into Your System Bill Major Gregory Ponto.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

CSE 543 Computer Security: Risks of PKI - Josh Schiffman & Archana Viswanath Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.

Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.

ESnet RAF and eduroam ™ Tony J. Genovese ATF Team ESnet/Lawrence Berkeley National Laboratory.

Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Using Public Key Cryptography Key management and public key infrastructures.

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.

1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.

12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK

EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.

Security Bob Cowles

Security and Delegation The Certificate Perspective Jens Jensen Rutherford Appleton Laboratory Workshop at NIKHEF, 27 April 2010.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Mike Mineter, National e-Science Centre.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.

DOEGrids Audit Report Michael Helm 1 Networking for the Future of Science Energy Sciences Network Lawrence Berkeley National Laboratory 10 May 2009.

PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.

Third Party Transfers & Attribute URI ideas

Levels of Assurance OGF Activity

Grid Security M. Jouvin / C. Loomis (LAL-Orsay)

Install AD Certificate Services

Presentation transcript:

VOMS Attribute Authorities Michael Helm ESnet/LBNL 23 Feb 2007

Middleware Security WG2 Goals Better understanding Support authorization services Exchange information Discuss questions about security, trust, and basic assumptions Source of Authority and management Clarify / rework existing practices

23 Feb 2007Middleware Security WG3 Recap VOMS AA server – surprise! In Dec 06 learned several interesting things…. 1.OSG very interested in VOMS as focus of attribute/role/authorization information 2.Proposal to make widespread use of VOMS AA, like in EU 3.Proposal to deprecate other types of proxy certs, use only VOMS-based proxies Very important activity – shows maturation of authorization efforts? Knew little about this activity Puzzled by Attribute Authorities themselves – what are they & how are they trusted?

23 Feb 2007Middleware Security WG4 How Does It Work? VOMS as Attribute Authority 1.User authenticates to VOMS server, over a TLS-(or GSS-) secured connection 2.VOMS server finds appropriate attributes for this user 3.(Inner transaction) VOMS server private key signs these attributes (creating an attribute cert (VOMS AC)) 4.User generates new key pair (proxy key pair) 5.(Outer transaction) User (software) bundles public key, authentication cert attributes, and VOMS AC, and signs the bundle, creating proxy cert 6.New proxy private key & cert moved to wherever needed 7.Combines some of the better features of delegation and a bearer credential What could be bad about this?

23 Feb 2007Middleware Security WG5 Red Flags VOMS as Attribute Authority What is the Attribute Authority? Ans: It’s the VOMS server, specifically the host or service certificate key pair. How do relying parties & users trust this AA? Ans: It’s the IGTF cert chain – the VOMS server is signed by an IGTF CA, so the trust works both paths – for the authentication cert, and for the AC How are is the information about attribute authorities managed? Ans: A configuration file is distributed to relying parties, with the certificate of the AA (VOMS host cert). But this is awkward, so it is proposed to drop the certificate distribution, and only distribute the subject name (DN) of the AA. How are the configurations managed? How do AAs get listed/delisted? Ans: …. When a security incident happens, where do the trust paths terminate, and who gets the blame? Ans: (Me) In OSG, that’s going to be DOEGrids CA How is the scope/value of VOMS attributes controlled? [From VOMS worker] Ans: …

23 Feb 2007Middleware Security WG6 Work Through Problem Areas Server certificate is not appropriate for an AA –AAs are a type of CA –IGTF CAs have issues with host and service identification –IGTF CAs do not guarantee unique host certs –The identification is wrong – the host is an object, not the authority The trust answer, is the answer to a different question –The trust should be about the AA, and the organization behind it, not the IGTF CA –Inappropriate trust relationships endanger Grid security (& the PKI) –Source of Authority (SOA)? Management of AA information looks vulnerable to various kinds of attacks –Configuration files can be changed in transit or in place –Inappropriate services on same host can steal AA ID –Single point of failure (host cert)

23 Feb 2007Middleware Security WG7 What Can Be Done? Better understanding of VOMS, particularly security constraints –Some issues may have acceptable risks, constraints I don’t know about &c –What is acceptable to security workers?  AC's must point to responsible party – not IGTF CA –Must be clear to naïve user/adminstrator/relying party –See “VOMS Attribute Certificate Format”, Ciaschini &al, OGSA- AUTHZ WG in OGF Maybe it is time to specify how abstract services can be “identified” and certified –AA is not the only service of this type –Perhaps only security-related services need this much attention? Software engineering –Hosts as SPF –Security of configurations / distributions

23 Feb 2007Middleware Security WG8 Discussion Some references: 1.RFC 3281 (Attribute Certificate format) 2.VOMS Attribute Certificate Format”, Ciaschini &al, OGSA-AUTHZ WG in OGF 3.X.509 (as part of “The Directory”); in particular section 3, chapter 13 (on which RFC 3281 is based, in part) 4.Appendix: Short version of these slides, at EUGridPMA 9 (RAL, Jan 2007)

23 Feb 2007Middleware Security WG9 VOMS Attribute Authority Michael Helm / ESnet / 17 Jan 2007 Proposal in OSG to replace conventional proxy cert use with voms-proxy-init Technology: signed attributes (another kind of certificate) embedded in user’s proxy cert Attribute authorities: voms server – host cert signs Trust anchors are Grid ID certification authorities

23 Feb 2007Middleware Security WG10 VOMS AA’s Trust – accountability terminates at Grid ID CA This means, in OSG, both the user & attribute trust is DOEGrids. We don’t certify “attribute authorities”. We certify something like SSL servers. CA identifies hosts or services. We don’t identify AA’s. We could do this. But we don’t have a category like this. Relying parties are asked to trust the wrong thing Imagine we ran our id CAs this way – we would sign id assertions with the SSL server certs that the portals use for CSR submission &c. Controls to prevent duplicate certificates for hosts don’t take this scenario into account How easy is it to create an illegitimate AA? How to distribute the ID’s of the AA’s What if a host cert needs to be replaced, a new one added to the infrastructure What mechanisms exist to persuade people to trust these AA’s? VOMS attributes Are the attributes signed consistently understood? VOMS developers not sure. Why do you care? What I do with my cert is none of your business. That may be true in some hypothetical PKI, but of course there are usages we can’t support. Obviously illegal activity is one of these. But more realistically, things like encryption have to be disclaimed, because the proper controls aren’t in place. Why is identity over-engineered (our process), and authorization under engineered (above process)? From security point of view isn’t the balance wrong?