Grid Security: What is it? Where is it going? Why? Von Welch (vwelch@ncsa.uiuc.edu), National Center for Supercomputing Applications, Globus Alliance


Page 1: Grid Security: What is it? Where is it going? Why? Von Welch vwelch@ncsa.uiuc.edu National Center for Supercomputing Applications Globus Alliance

Grid Security: What is it? Where is it going? Why?

Von Welch, vwelch@ncsa.uiuc.edu

National Center for Supercomputing Applications

Globus Alliance

Page 2

ClusterWorld 2004 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)

Outline

• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures

Page 3

Authentication, Authorization, Delegation

• Authentication: Proving who you are. (Example: John Doe @ NCSA)
• Authorization: What are you allowed to do?
• Delegation: Granting a right to another entity.

Page 4

Public Key Infrastructure

• Used in almost all Grids today
• Allows two entities to authenticate with minimal cross-organizational support
• Based on asymmetric cryptography: a private key and a public key
• The public key is encoded in a certificate by a Certificate Authority (CA)
• Certificate and private key are used to establish identity

Page 5

Certificates

• Allow for binding of an identity (John Doe) to a key or person
• Certificate fields: Name, Issuer, Public Key, Signature
• Analogy (figure): a State of Illinois driver's license with the state seal: John Doe, 755 E. Woodlawn, Urbana IL 61801; BD 08-06-65, Male, 6'0", 200 lbs, GRN eyes

Page 6

Outline (as on page 2)

Page 7

Grid Security's goal is to support the virtual organization.

(Figure: Site A, Site B, Site C and Site D joined in a Virtual Organization (VO))

Page 8

Example: NSF TeraGrid

Page 9

(Figure: an example VO (FY 2005 – FY 2014) linking Field Equipment, Laboratory Equipment, Remote Users (K-12 Faculty and Students), High-Performance Network(s), Instrumented Structures and Sites, Leading Edge Computation, a Curated Data Repository, a Simulation Tools Repository and Global Connections)

Page 10

Controlled Resource Sharing

(Figure: a Compute Center shared with the HEP VO, the Chem Eng VO and the BIO VO under per-VO limits such as "5pm-9am only", "20 Tflops per month max", "100 Tbytes max" and "20 Mbytes/sec max")

Globally:
• User must agree to AUP
• User must use strong authentication

Page 11

Grid Authorization "Flow"

(Figure: VO, User, Process and Resource, linked by a chain of delegations)
• Delegate: VO may use 50% of cycles
• Delegate: Jane may use 1000 cycles
• Delegate: Job X may use 100 cycles

Page 12

So, what are the challenges?

• Resources being used may be valuable and the problems being solved sensitive
  • Both users and resources need to be careful
• VOs aren't static
  • Large, dynamic, unpredictable…
• VO resources and users are often located in distinct administrative domains
  • Can't assume cross-organizational trust agreements
  • Different mechanisms, trust roots and credentials: X.509 vs Kerberos, different CAs, X.509 attribute certs vs SAML assertions

Page 13

More challenges…

• Interactions are not just client/server, but service-to-service on behalf of the user
  • Requires delegation of rights by user to service
• Services may be dynamically instantiated
  • Standardization of interfaces to allow for discovery, negotiation and use
• Implementation must be broadly available and applicable
  • Standard, well-tested, well-understood protocols; integrated with a wide variety of tools
• Policy from sites, VO and users needs to be combined
  • Varying formats: SAML, XACML, local custom, etc.
• Want to hide as much as possible from applications!

Page 14

Outline (as on page 2)

Page 15

Grid Security Infrastructure (GSI)

• Open source libraries, tools and standards which provide the security functionality of the Globus Toolkit
• Provides for cross-organizational:
  • Authentication
  • Message protection
  • Authorization
  • Single sign-on

Page 16

GSI Stack: PKI (Certs, CAs)

• GSI uses a standard PKI for identity certificates.
• Each entity (user, service) has an X.509 certificate from a CA that uniquely names it.

Page 17

GSI Stack: PKI (Certs, CAs), SSL

• SSL, using the certificates, is used as the network protocol
• Performs authentication, like in the web, but client as well as server
• Also provides message protection as needed (integrity, encryption)

Page 18

GSI Stack: PKI (Certs, CAs), SSL, X.509 Proxy Certificates

• X.509 Proxy Certificates are our extension
• Standardized in IETF (pkix)
• Allow for dynamic delegation
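The PKI and certificate slides (pages 4 and 5) and the proxy certificate slide above describe the mechanics in words. The Go program below is an added example, not code from the talk or from the Globus Toolkit: it builds a constructed toy Grid PKI with the standard library (a self-signed CA, a user certificate issued by it, and a proxy certificate the user signs with their own key, named as RFC 3820 requires with the user's subject plus one extra CN). It then shows the caveat a deployer runs into: the ordinary X.509 chain validator rejects the proxy because its issuer is an end-entity certificate rather than a CA, so a proxy-aware check is needed. The names, the 12-hour proxy lifetime and the shape of `VerifyProxy` are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3} // X.500 commonName attribute type

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign issues tmpl under parent with parentKey (parent is tmpl itself for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// BuildToyGrid creates a constructed CA, an end-entity user certificate it issues (BasicConstraints
// present, IsCA false), and a short-lived proxy that the user signs with the user's own private key.
func BuildToyGrid(now time.Time) (ca, user, proxy *x509.Certificate) {
	var keys [3]*ecdsa.PrivateKey // CA, user, proxy
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		must(err)
		keys[i] = k
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		Subject: pkix.Name{Organization: []string{"Example Grid"}, CommonName: "Example Grid CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	ca = sign(caTmpl, caTmpl, &keys[0].PublicKey, keys[0])
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		Subject: pkix.Name{Organization: []string{"Example Grid"}, OrganizationalUnit: []string{"NCSA"}, CommonName: "John Doe"},
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	user = sign(userTmpl, ca, &keys[1].PublicKey, keys[0])
	// RFC 3820 naming rule: the proxy's subject is the issuer's subject plus one more CN.
	rawSubject, err := asn1.Marshal(append(user.Subject.ToRDNSequence(),
		pkix.RelativeDistinguishedNameSET{{Type: oidCN, Value: "proxy"}}))
	must(err)
	proxyTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), RawSubject: rawSubject, NotBefore: now,
		NotAfter: now.Add(12 * time.Hour), // a short lifetime bounds the exposure from a leaked proxy
		KeyUsage: x509.KeyUsageDigitalSignature}
	proxy = sign(proxyTmpl, user, &keys[2].PublicKey, keys[1])
	return ca, user, proxy
}

// StandardVerify runs Go's ordinary X.509 chain validator over leaf, with inters as intermediates.
func StandardVerify(leaf, ca *x509.Certificate, now time.Time, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// VerifyProxy is a minimal proxy-aware check: the issuing user certificate must chain to the CA,
// the proxy must be signed by the user's key, be valid now without outliving its issuer, and
// carry the user's subject plus exactly one extra CN.
func VerifyProxy(ca, user, proxy *x509.Certificate, now time.Time) error {
	if err := StandardVerify(user, ca, now); err != nil {
		return err
	}
	// CheckSignature uses the user's public key without the "signer must be a CA" rule of CheckSignatureFrom.
	if user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature) != nil {
		return errors.New("proxy is not signed by the user's key")
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) || proxy.NotAfter.After(user.NotAfter) {
		return errors.New("proxy outside its validity period or outlives its issuer")
	}
	un, pn := user.Subject.Names, proxy.Subject.Names
	if len(pn) != len(un)+1 || !pn[len(pn)-1].Type.Equal(oidCN) {
		return errors.New("proxy subject must be the issuer subject plus one CN")
	}
	for i := range un {
		if !un[i].Type.Equal(pn[i].Type) || un[i].Value != pn[i].Value {
			return errors.New("proxy subject does not extend the issuer subject")
		}
	}
	return nil
}
```

Exercise it by calling `BuildToyGrid(time.Now())` and then `StandardVerify(proxy, ca, now, user)` (fails: the user certificate is not a CA) against `VerifyProxy(ca, user, proxy, now)` (succeeds). The lifetime check is the defender's lever the slide alludes to with "dynamic delegation": a proxy is a bearer credential for its holder, so its validity window, not the year-long user certificate, bounds what a stolen proxy can do.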

Page 19

GSI Stack: PKI (Certs, CAs), SSL, X.509 Proxy Certificates, Grid-Mapfile

• Grid-Mapfile maps Grid users (identified by certificates) to local users (e.g. Unix account)
• Allows authorization using normal local methods (e.g. filesystem perms, quotas)
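As an added illustration of this mapping step (not code from the talk or from the Globus Toolkit), the Go program below parses the grid-mapfile format: one entry per line, a double-quoted subject DN in OpenSSL's slash form followed by one or more comma-separated local account names, with `#` comments. The lookup maps a proxy by the identity of the user who issued it; the example assumes, as the pre-RFC GSI proxies of the time did, that a proxy appends `/CN=proxy` to the user's subject. The sample entries, DNs and account names are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// SampleGridMap is constructed input for the example, not a real site's file.
const SampleGridMap = `# constructed grid-mapfile: "<subject DN>" account[,account...]
"/O=Example Grid/OU=NCSA/CN=John Doe" jdoe
"/O=Example Grid/OU=NCSA/CN=Jane Roe" jroe,hepgroup
`

// GridMap maps a Grid identity (certificate subject DN in OpenSSL slash form) to the
// local account names it may be mapped to; the first account listed is the default.
type GridMap map[string][]string

// ParseGridMap reads grid-mapfile text: blank lines and '#' comments are skipped, every other
// line is a double-quoted DN followed by whitespace and a comma-separated account list.
func ParseGridMap(text string) (GridMap, error) {
	gm := GridMap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: DN must be double-quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated DN", n)
		}
		dn, rest := line[1:1+end], strings.TrimSpace(line[2+end:])
		for _, acct := range strings.Split(rest, ",") {
			if acct = strings.TrimSpace(acct); acct == "" {
				return nil, fmt.Errorf("line %d: missing or empty account name", n)
			}
			gm[dn] = append(gm[dn], acct)
		}
	}
	return gm, sc.Err()
}

// EndEntityIdentity strips trailing proxy components so that a proxy certificate is mapped by
// the identity of the user who issued it. Assumption of this example: proxies append
// "/CN=proxy", possibly more than once for a proxy of a proxy.
func EndEntityIdentity(subject string) string {
	for strings.HasSuffix(subject, "/CN=proxy") {
		subject = strings.TrimSuffix(subject, "/CN=proxy")
	}
	return subject
}

// Lookup returns the default local account for an authenticated subject. No entry means no
// local access: a valid certificate from a trusted CA authenticates, it does not authorize.
func (gm GridMap) Lookup(subject string) (string, error) {
	id := EndEntityIdentity(subject)
	accts, ok := gm[id]
	if !ok {
		return "", fmt.Errorf("no gridmap entry for %q", id)
	}
	return accts[0], nil
}

func main() {
	gm, err := ParseGridMap(SampleGridMap)
	if err != nil {
		panic(err)
	}
	for _, subj := range []string{"/O=Example Grid/OU=NCSA/CN=John Doe/CN=proxy", "/O=Example Grid/OU=NCSA/CN=Nobody"} {
		acct, err := gm.Lookup(subj)
		fmt.Printf("%s -> %q (%v)\n", subj, acct, err)
	}
}
```

Once the subject is mapped to a Unix account, the slide's second bullet applies unchanged: the job runs under that account and the filesystem permissions and quotas of the site do the rest.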

Page 20

GSI-Enabled Coordination

(Figure: Site A, Site B and Site C coordinated through a Proxy Certificate)
• Allows for a standard authentication method
• Allows for delegation to allow for coordinated resource usage

Page 21

Grid Security Services

• How does a site with an existing sophisticated security infrastructure leverage that for Grids? E.g. Kerberos
• How do I carry X.509 credentials around with me? How do I use them with non-GSI aware applications? E.g. Web portals?
• How does a VO manage the resources contributed to it?

Page 22

Kerberos CA: Grid access from Krb5

(Figure: a Kerberos User with a Krb5 Ticket obtains an X509 Certificate from the KCA and uses GSI to reach a Grid Site, which holds Krb5 to Grid ID Mappings for its KRB5 Resources)
• Allows use of Kerberos credentials to get on the Grid
• In use at FNAL, USC

Page 23

MyProxy

• Allows users to acquire Grid credentials from Username/Password
• Enables mobility and use of non-GSI aware applications

(Figure: a MyProxy Credential Wallet; users and a Web Server authenticate to it with Username/Password to obtain credentials for The Grid)

Page 24

Community Authorization Service (CAS)

• Resources are contributed to a VO from a number of sites
• The VO decides how its users can use those resources
• Flow: a VO user requests access from CAS; CAS gives the user an assertion granting access; the user presents the assertion to the resource to gain access
• CAS: Allows the VO to set fine-grain access policy on its resources
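The CAS exchange on this slide (request, assertion, presentation to the resource), written out as an added Go example that is not code from the talk or from the Globus Toolkit. Real CAS issues SAML assertions; here the assertion is a constructed JSON record signed with an Ed25519 key, an assumption made to keep the example self-contained. The VO policy, identities and resource name are constructed, and the resource-side check assumes the presenter's identity has already been established by GSI authentication.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed stand-in for the SAML assertion CAS hands to a VO user:
// who may do what, on which contributed resource, until when.
type Assertion struct {
	Subject  string    `json:"subject"`   // Grid identity of the user, as named in their certificate
	Resource string    `json:"resource"`  // resource contributed to the VO
	Rights   []string  `json:"rights"`    // actions the VO policy grants this user
	NotAfter time.Time `json:"not_after"` // assertion lifetime
}

// SignedAssertion is what the user carries to the resource.
type SignedAssertion struct {
	Payload   []byte // the Assertion as JSON
	Signature []byte // Ed25519 signature by the VO's CAS key over Payload
}

// Grant is one line of the VO's fine-grain policy on its resources.
type Grant struct {
	Subject, Resource string
	Rights            []string
}

// CAS holds the VO's signing key and policy.
type CAS struct {
	key    ed25519.PrivateKey
	policy []Grant
}

// NewCAS generates the VO's key pair; the public key is what resources are configured to trust.
func NewCAS(policy []Grant) (*CAS, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CAS{key: priv, policy: policy}, pub
}

// Issue answers a VO user's access request with a signed assertion, if policy grants anything.
func (c *CAS) Issue(subject, resource string, now time.Time, ttl time.Duration) (*SignedAssertion, error) {
	for _, g := range c.policy {
		if g.Subject == subject && g.Resource == resource {
			payload, err := json.Marshal(Assertion{Subject: subject, Resource: resource,
				Rights: g.Rights, NotAfter: now.Add(ttl)})
			if err != nil {
				return nil, err
			}
			return &SignedAssertion{Payload: payload, Signature: ed25519.Sign(c.key, payload)}, nil
		}
	}
	return nil, errors.New("VO policy grants no rights to this user on this resource")
}

// Authorize is the resource-side check. The resource trusts the VO's CAS public key because it
// contributed the resource to the VO; it verifies the signature, the lifetime, that the
// authenticated presenter is the assertion's subject, that the assertion names this resource,
// and that the requested action is among the granted rights.
func Authorize(casPub ed25519.PublicKey, sa *SignedAssertion, presenter, resource, action string, now time.Time) error {
	if !ed25519.Verify(casPub, sa.Payload, sa.Signature) {
		return errors.New("assertion signature does not verify against the VO's CAS key")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return err
	}
	switch {
	case now.After(a.NotAfter):
		return errors.New("assertion expired")
	case a.Subject != presenter:
		return errors.New("assertion was issued to a different identity")
	case a.Resource != resource:
		return errors.New("assertion is for a different resource")
	}
	for _, r := range a.Rights {
		if r == action {
			return nil
		}
	}
	return errors.New("action not granted by the VO")
}

func main() {
	now := time.Now()
	cas, pub := NewCAS([]Grant{{Subject: "/O=Example Grid/CN=Jane Roe", Resource: "hep-data", Rights: []string{"read"}}})
	sa, err := cas.Issue("/O=Example Grid/CN=Jane Roe", "hep-data", now, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("read: ", Authorize(pub, sa, "/O=Example Grid/CN=Jane Roe", "hep-data", "read", now))
	fmt.Println("write:", Authorize(pub, sa, "/O=Example Grid/CN=Jane Roe", "hep-data", "write", now))
}
```

The subject check is what ties the assertion to a GSI-authenticated caller; without it any holder of the bytes could replay them, which is why the real CAS design binds its assertions to the user's proxy credential rather than handing out free-standing tokens.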

Page 25

Outline (as on page 2)

Page 26

Grid Evolution: Open Grid Services Architecture

Goals
• Refactor Globus protocol suite to enable common base and expose key capabilities
• Service orientation to virtualize resources and unify resources/services/information
• Embrace key Web services technologies for standard IDL, leverage commercial efforts
• Result = standard interfaces and behaviors for distributed system mgmt: the Grid service
• Standardization within Global Grid Forum and OASIS
• Open source and commercial implementations

Page 27

The Grid Service

(Figure: an Application behind an Interface inside a Hosting Environment)

Interface:
• Use WSDL to advertise interface
• WS-Policy to advertise security requirements (Krb5, GSI, etc.)
• Allow for automated discovery and binding

Hosting Environment:
• Hosting environment handles msgs including authentication, msg protection, authorization, etc.
• Allows app developer to focus on app-specific logic.

Page 28

Based on Standards

• Web Services
  • SOAP
  • WSDL
• Extensions (follow-on to OGSI): WSRF
  • Lifetime control
  • WS-ResourceProperties: expose state
  • WS-Notification
  • WS-ServiceGroup
  • WS-RenewableReference

Page 29

Outline (as on page 2)

Page 30

Leverage existing/emerging Security Standards

• WS-Security/Policy/Trust/Federation/Authorization/SecureConversation/Privacy
• XKMS, XML-Signature/Encryption, SAML, XACML, XrML
• But…
  • Need to OGSA'fy
  • Need to define Profile/Mechanisms
  • Need to define Naming conventions
  • Need to address late/missing specs
  • Support for delegation, transient services

Page 31

WS Security: Current/proposed WSS specs

(Figure: a stack on the SOAP Foundation: WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Authorization; WS-Federation. Each spec is labelled proposed, in progress or promised.)

Page 32

Current/proposed specs: Building on the SOAP Foundation

WS-Security (today): describes SOAP extensions for secure messaging, provides foundation for other building blocks

(Figure: SOAP Foundation; WS-Security)

Page 33

Current/proposed specs: Building on the SOAP Foundation

WS-Policy (today): how to express capabilities and constraints of security policies. Along with WS-SecurityPolicy, WS-PolicyAsserts, WS-PolicyAttachment

(Figure: SOAP Foundation; WS-Security; WS-Policy)

Page 34

Current/proposed specs: Building on the SOAP Foundation

WS-Trust (today): describes the model for establishing both direct and brokered trust relationships (including third parties and intermediaries)

(Figure: SOAP Foundation; WS-Security; WS-Policy, WS-Trust)

Page 35

Current/proposed specs: Building on the SOAP Foundation

WS-SecureConversation (today): how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys

(Figure: SOAP Foundation; WS-Security; WS-Policy, WS-Trust; WS-SecureConversation)

Page 36

Current/proposed specs: Building on the SOAP Foundation

WS-Privacy (planned): will be a model for how users state privacy preferences, and for how Web Services state and implement privacy practices

(Figure: SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation)

Page 37

Current/proposed specs: Building on the SOAP Foundation

WS-Federation (planned): will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities

(Figure: SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Federation)

Page 38

Current/proposed specs: Building on the SOAP Foundation

WS-Authorization (planned): will define how Web services manage authorization data and policies

(Figure: SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Federation, WS-Authorization)

Page 39

WS Security: Current/proposed WSS specs

(Figure: the full stack chart from page 31, repeated: SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Authorization; WS-Federation; labelled proposed, in progress or promised)

Page 40

Other Standards

• SAML looks good for assertions
• XACML as language for policy exchange?
  • But they don't fit nicely together (NASA work). SAML 2.0 will hopefully help.
  • XACML delegation of rights?
• XrML: another policy language
• Liberty Alliance: Federated Identity like WS-Federation

Page 41

WS Security (Confusing Picture)

(Figure: the WSS stack from page 31 (SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Authorization; WS-Federation; proposed / in progress / promised) alongside Liberty Alliance, SAML, XACML and XrML)

Page 42

How does all this fit into Grids?

• WS-Policy/XACML/XrML for expressing security constraints
  • What credentials (Kerberos, GSI) are accepted and preferred
  • Encryption supported? Required? Rejected?
• WS-Authorization/XACML/XrML for managing authorization data, e.g. in CAS
• WS-Privacy (?) for managing privacy

Page 43

OGSA Security Roadmap

Goal
• Address the Grid Security Architecture Requirements
• Make Implementations Possible
  • Address Interoperability
  • Address Pluggability/Replaceability
  • Address missing/late/insufficient Standards

"OGSA Security Roadmap" submitted to GGF – co-authored with IBM

Page 44

OGSA Security

• Security implemented by pluggable security services
  • Usable by clients and services
• Allow for a more agnostic approach to security mechanisms
  • As implementations are created for a mechanism they can be plugged into existing tools to enable use.
• Applications and services can examine published security policies and convert/acquire credentials as needed

Page 45

Remove Security from Applications

• Allow deployment-time selection of supported mechanisms and policies
• OGSA resource virtualization allows for policy on application-independent operation invocation
• Place as much security functionality as possible into sophisticated hosting environments

Page 46

Transparent Call-outs from WS-Stubs

(Figure: a Requestor Application in the Requestor's Domain talks to a Service Provider Application in the Service Provider's Domain through WS-Stubs over a Secure Conversation; the stubs call out transparently to each domain's Credential Validation Service, Authorization Service, Attribute Service, Trust Service, Privacy Service and Audit/Secure-Logging Service, to a VO Domain with its own such services, and to a Bridge/Translation Service)

Page 47

Outline (as on page 2)

Page 48

What's actually in GT3?

• SOAP-based wire protocol
• WS-Security (XML-Signature, XML-Encryption) for authentication, message protection
• GSI-SecureConversation
  • Based on GT2's TLS/GSSAPI implementation
  • Based on a poor-man's "interpretation" of WS-Trust/WS-SecureConversation specs plus XML-Signature/XML-Encryption/WS-Security
  • Waiting for WS-Trust, WS-SecureConversation and WS-Kerberos specs to be submitted to a standards body

Page 49

What's Actually in GT3?

• SAML assertions in Community Authorization Service (GT 3.2)
  • Allow VOs to set and distribute policy on file access
• Standardized Proxy Certificates
• Java and C implementations
  • Java based on Axis with security implemented in handlers

Page 50

GT Security Futures (1)

• Authorization is "KEY" for the coming year
  • Includes communicating/sharing/matching of authz-policies and capabilities
  • Profiles for Attributes
  • Standards for authorization services: GGF OGSA Authorization WG
• Restricted Delegation
  • By service and operation
  • By "domains"

Page 51

GT Security Futures (2)

• Securely route through firewalls/network-hurdles
  • Tackle the firewall/NAT traversal issues transparently in the runtime
• Integration of Group authentication/key-exchange protocols
  • Going from 2 parties to N parties should be "seamless"
• Secure Logging and Audit
  • Another undefined, unstandardized missing link… while the requirements are there!

Page 52

Conclusion

• The Grid's requirements may be a few years ahead, but industry will face the same challenges soon
  • Few "new" distributed computing requirements…
• Our security requirements are conceptually 1-2 levels above what is available now as specifications, standards and open source
  • Ideally, we want to be end-users of WSS, not plumbers…
• The standards circus is very worrisome
  • And distracting and time consuming…
• Come help us at the Global Grid Forum
  • Exciting security stuff! We need your help… (www.ggf.org)
• Play with the Globus Toolkit (GT3.2)
  • Downloaded 100k+ times already (www.globus.org)

Page 53

Thanks

Many colleagues at Argonne, NCSA, ISI & PDC: Frank Siebenlist, Sam Meder, Olle Mulmo, Laura Pearlman, Jarek Gawor, Jim Basney, Steve Tuecke, Ian Foster, Carl Kesselman, Rachana Ananthakrishnan and many others.

Funding from DOE, NSF and IBM

Questions?