1. Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu

2. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/2 What is MyProxy? l Independent Globus Toolkit add-on since 2000 u To be included in Globus Toolkit 4.0 l A service for securing private keys u Keys stored encrypted with user-chosen password u Keys never leave the MyProxy server l A service for retrieving proxy credentials l A commonly-used service for grid portal security u Integrated with OGCE, GridSphere, and GridPort

3. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/3 PKI Overview l Public Key Cryptography u Sign with private key, verify signature with public key u Encrypt with public key, decrypt with private key l Key Distribution u Who does a public key belong to? u Certification Authority (CA) verifies user’s identity and signs certificate u Certificate is a document that binds the user’s identity to a public key l Authentication u Signature [ h ( random, … ) ] Subject: CA signs Issuer: CA Subject: Jim Issuer: CA

4. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/4 Proxy Credentials l RFC 3820: Proxy Certificate Profile l Associate a new private key and certificate with existing credentials l Short-lived, unencrypted credentials for multiple authentications in a session u Restricted lifetime in certificate limits vulnerability of unencrypted key l Credential delegation (forwarding) without transferring private keys CAUser Proxy A signs Proxy B signs

5. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/5 Proxy Delegation DelegatorDelegatee Generate new key pair Sign new proxy certificate Proxy Proxy certificate request Proxy 1 2 3 4

6. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/6 MyProxy System Architecture MyProxy server Credential repository Retrieve proxy Store proxy Proxy delegation over private TLS channel MyProxy client

7. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/7 MyProxy: Credential Mobility myproxy.teragrid.org tg-login.uc.teragrid.org tg-login.caltech.teragrid.org tg-login.sdsc.teragrid.org tg-login.ncsa.teragrid.orgca.ncsa.uiuc.edu Obtain certificate Store proxy Retrieve proxy

8. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/8 MyProxy and Grid Portals Portal MyProxy server GridFTP server Login Fetch proxy Access data

9. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/9 MyProxy: User Registration MyProxy server Registration portal Certificate authority Request account Obtain user certificate Load user’s credentials Retrieve proxy Grid portal Login with username/password Set username/password ESG PURSE: Portal-based User Registration Service

10. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/10 MyProxy Security l Keys encrypted with user-chosen passwords u Server enforces password quality u Passwords are not stored l Dedicated server less vulnerable than desktop and general-purpose systems u Professionally managed, monitored, locked down l Users retrieve short-lived credentials u Generating new proxy keys for every session l All server operations logged to syslog l Caveat: Private key database is an attack target u Compare with status quo

11. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/11 Hardware-Secured MyProxy M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April 2004. IBM 4758 MyProxy Server Retrieve proxy Proxy request Proxy certificate l Protect keys in tamper-resistant cryptographic hardware

12. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/12 GlobusWORLD 2003 Flashback

13. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/13 Credential Renewal l Long-lived jobs or services need credentials u Task lifetime is difficult to predict l Don’t want to delegate long-lived credentials u Fear of compromise l Instead, renew credentials as needed during the job’s lifetime u Renewal service provides a single point of monitoring and control l Renewal policy can be modified at any time u Disable renewals if compromise is detected or suspected u Disable renewals when jobs complete

14. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/14 MyProxy: Credential Renewal MyProxy server Condor-G Submit job Globus gatekeeper Submit job Fetch proxy Refresh proxy

15. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/15 MyProxy Installation (Unix) l Included in GT 4.0 l As an add-on component to GT 3.x $ gpt-build myproxy*.tar.gz l Set $MYPROXY_SERVER environment variable to myproxy-server hostname $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu l Set Globus Toolkit environment $. $GLOBUS_LOCATION/etc/globus-user-env.sh l Client installation/configuration complete!

16. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/16 MyProxy CoG Clients l Commodity Grid (CoG) Kits u Provide portable (Java and Python) MyProxy client tools & APIs u Windows support l For more information: u http://www.cogkit.org/

17. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/17 MyProxy Commands l myproxy-init: store proxy l myproxy-get-delegation: retrieve proxy l myproxy-info: query stored credentials l myproxy-destroy: remove credential l myproxy-change-pass-phrase: change password encrypting private key

18. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/18 MyProxy Server Administration l Install server certificate and CA certificate(s) l Configure /etc/myproxy-server.config policy u Template provided with examples l Optionally: u Configure password quality enforcement u Install cron script to delete expired credentials l Install boot script and start server u Example boot script provided l Use myproxy-admin commands to manage server u Reset passwords, query repository, lock credentials

19. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/19 MyProxy Server Policies l Who can store credentials? u Restrict to specific users or CAs u Restrict to administrator only l Who can retrieve credentials? u Allow anyone with correct password u Allow only trusted services / portals l Maximum lifetime of retrieved credentials server-wide and per-credential

20. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/20 MyProxy and SASL l MyProxy supports additional authentication mechanisms via SASL (RFC 2222) l One Time Passwords (SASL PLAIN with PAM) u Protect against stolen passwords u Hardware token generates OTP u Authenticate with OTP plus MyProxy password u Tested with CryptoCard tokens l Kerberos (SASL GSSAPI) u Authenticate with Kerberos ticket plus MyProxy password

21. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/21 Related Work l GT4 Delegation Service u Protocol based on WS-Trust and WSRF l SACRED (RFC 3767) Credential Repository u http://sacred.sf.net/ l Kerberized Online CA (KX.509/KCA) u Kerberos -> PKI l PKINIT for Heimdal Kerberos u PKI -> Kerberos

22. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/22 GridLogon l Work in progress l Inspired by Peter Gutmann’s PKIBoot u “Plug-and-Play PKI: A PKI your Mother can Use” l Password-based authentication to initialize user’s security environment u Install identity/attribute/authorization credentials u Install CA certificates and CRLs u Install additional security configurations

23. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/23 MyProxy Community l myproxy-users@ncsa.uiuc.edu mailing list l Bug tracking: http://bugzilla.ncsa.uiuc.edu/ l Anonymous CVS access :pserver:anonymous@cvs.ncsa.uiuc.edu:/CVS/myproxy l Contributions welcome! u Feature requests, bug reports, patches, etc.

24. GlobusWORLD 2005http://myproxy.ncsa.uiuc.edu/24 Thank you! Questions/Comments? Contact: jbasney@ncsa.uiuc.edu