GSI – Grid Security Infrastructure and the

EU DataGrid Authentication Infrastructure

For the EDG CACG: David Groep

<[email protected]>

David Groep – GSI and EU DataGrid Authentication – 2002.03.13 - 2

Outline

The Grid in one line

The Grid Security Infrastructure (from Globus)

EU DataGrid (EDG)

The EDG CA Coordination Group (CACG)

The Grid:

coordinated resource sharing and problem solving

in dynamic, multi-institutional virtual organizations

(Carl Kesselman, Ian Foster, The Anatomy of the Grid)

Extension of “meta-computing” to ubiquitous resources

Pioneered by the I-WAY, GUSTO and the Globus Project

Vision: getting resources like you get electricity nowadays

A Quick Refresher

Grid Security Infrastructure (GSI) =

X.509 (PKI certificate format)*

+ proxy certificates (single sign-on & delegation)

+ TLS/SSL (authentication & msg protection)*

+ delegation protocol (remote delegation)

+ GSS-API (standard API)*

+ GSS-API Extensions (better Grid support)

* = Existing IETF standards

• Others are GGF & IETF drafts

X.509 Proxy Certificates Work

Defines how a short term, restricted credential can be created from a normal, long-term X.509 credential

A “proxy certificate” is a special type of X.509 certificate that is signed by the normal end entity cert, or by another proxy

Supports single sign-on & delegation through “impersonation”

ANL, ISI, LBNL

Restricted Proxies

Q: How to restrict rights of delegated proxy to a subset of those associated with the issuer?

A: Embed restriction policy in proxy cert

Policy is evaluated by resource upon proxy use

Reduces rights available to the proxy to a subset of those held by the user

But how to avoid policy language wars?

Proxy cert just contains a container for a policy specification, without defining the language

Container = OID + blob

Can evolve policy languages over time

Delegation Tracing

Often want to know through what entities a proxy certificate has been delegated

Audit (retrace footsteps)

Authorization (deny from bad entities)

Solved by adding information to the signed proxy certificate about each entity to which a proxy is delegated.

Does NOT guarantee proper use of proxy

Just tells you which entities were purposely involved in a delegation

Proxy Certificate Standards Work

“Internet Public Key Infrastructure X.509 Proxy Certificate Profile”

draft-ietf-pkix-proxy-00.txt

Draft being considered by IETF PKIX working group, and by GGF GSI working group

Defines proxy certificate format, including restricted rights and delegation tracing

LBNL student is implementing into OpenSSL

Demonstrated a prototype of restricted proxies at HPDC as part of CAS demo

Delegation Protocol Work

“TLS Delegation Protocol” draft-ietf-tls-delegation-01.txt

Draft being considered by IETF TLS working group, and by GGF GSI working group

Defines how to remotely delegate an X.509 Proxy Certificate using extensions to the TLS (SSL) protocol

Community Authorization Service

Question: How does a large community grant its users access to a large set of resources?

Should minimize burden on both the users and resource providers

Solution: Community Authorization Service (CAS)

Community negotiates access to resources

Resource outsources fine-grain authorization to CAS

Resource only needs to know about “CAS user” credential

CAS handles user registration, group membership…

User who wants access to resource asks CAS for a capability credential

Restricted proxy of the “CAS user” credential, checked by resource

CAS Operation

1. CAS request, with resource names and operations (User → CAS)

   CAS decides: does the collective policy authorize this request for this user?
   (based on user/group membership, resource/collective membership and collective policy information)

2. CAS reply, with capability and resource CA info (CAS → User)

3. Resource request, authenticated with capability (User → Resource)

   Resource decides: is this request authorized for the CAS? (local policy information)
   Resource decides: is this request authorized by the capability?

4. Resource reply (Resource → User)

Community Authorization Service

CAS provides user community with information needed to authenticate resources

Sent with capability credential, used on connection with resource

Resource identity (DN), CA

This allows new resources/users (and their CAs) to be made available to a community through the CAS without action on the other user’s/resource’s part
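The restricted-proxy container, delegation tracing and the CAS capability check from the preceding slides, as an added Python example that is not part of the talk or of the Globus/EDG code. It is a simplified model: a proxy carries an (OID, blob) policy container and a trace of delegatees, and the resource intersects rights down the chain; the placeholder OID, the "resource:op" rights syntax and the CAS/local policy tables are constructed, and no real X.509 signatures are verified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
NOW = datetime(2002, 3, 13, 12, 0)          # fixed clock so the example is reproducible
POLICY_OID = "1.3.6.1.4.1.0.0.1"            # placeholder OID for the policy container (not registered)

@dataclass(frozen=True)
class Cred:
    subject: str
    issuer: str                             # for a proxy: subject of the credential that signed it
    not_after: datetime
    policy: tuple = (POLICY_OID, None)      # container = (OID, blob); blob None = no restriction
    trace: tuple = ()                       # delegation tracing: every entity the proxy went to

def delegate(parent, to, lifetime, rights=None):
    """Issue a proxy of `parent` to `to`; `rights` ({'resource:op', ...}) can only narrow."""
    return Cred(parent.subject + "/CN=proxy", parent.subject,
                min(parent.not_after, NOW + lifetime),            # a proxy never outlives its parent
                (POLICY_OID, None if rights is None else frozenset(rights)), parent.trace + (to,))

def evaluate(chain, request, local_policy, denied=frozenset()):
    """Resource-side check; chain[0] is the CA-issued end-entity credential. Returns (ok, reason)."""
    if chain[0].subject not in local_policy:                      # is the issuer authorized here at all?
        return False, "root identity not in local policy"
    rights, prev = set(local_policy[chain[0].subject]), chain[0]
    for c in chain[1:]:
        if c.issuer != prev.subject or c.not_after > prev.not_after:
            return False, "broken proxy chain"
        if c.policy[0] != POLICY_OID:                             # unknown policy language: refuse
            return False, "unsupported policy language " + c.policy[0]
        if c.policy[1] is not None:
            rights &= c.policy[1]                                 # restriction: subset of issuer's rights
        prev = c
    if NOW >= prev.not_after:
        return False, "credential expired"
    if denied & set(prev.trace):                                  # tracing used for authorization
        return False, "delegated through a denied entity"
    return request in rights, "effective rights: " + ", ".join(sorted(rights))
# Constructed CAS setup: the resource grants the "CAS user" identity coarse rights (local policy);
# the CAS applies its collective policy and hands the user a restricted proxy (the capability).
CAS_USER = Cred("/O=EDG/CN=CAS user", "/O=EDG/CN=Example CA", NOW + timedelta(days=365))
LOCAL_POLICY = {"/O=EDG/CN=CAS user": {"se1:read", "se1:write", "se1:delete"}}
COLLECTIVE = {"se1:read": {"edg-users"}, "se1:write": {"edg-admins"}}
def cas_issue(user, wanted, groups):     # CAS steps 1-2: grant what the collective policy allows
    granted = {op for op in wanted if groups & COLLECTIVE.get(op, set())}
    return delegate(CAS_USER, user, timedelta(hours=12), rights=granted)
def demo():                              # step 3: the resource evaluates requests made with the capability
    cap = cas_issue("/O=EDG/CN=Alice", {"se1:read", "se1:write"}, {"edg-users"})
    return (evaluate([CAS_USER, cap], "se1:read", LOCAL_POLICY)[0],
            evaluate([CAS_USER, cap], "se1:write", LOCAL_POLICY)[0],
            evaluate([CAS_USER, cap], "se1:read", LOCAL_POLICY, denied={"/O=EDG/CN=Alice"})[0])
```

A further delegation of the capability can only shrink the right set and never extend its lifetime, which is the property the resource relies on.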

The EU DataGrid (EDG) Project

DataGrid: generic Grid middleware and test bed for:

High Energy Physics

Earth Observation and ozone modelling

Bio-informatics & bio-medicine

Middleware components (on top of Globus):

scheduling and accounting

data replication and management

monitoring

data storage

fabric and farm management

The EDG Test Bed

Started end 2000 – beginning 2001 with “Test Bed 0”

Globus installations in several countries

Implement core infrastructure to get this to work

Test Bed 1, deployed Nov 2001, successful demo on March 1st

Continuous upgrades till December 2003

The first Grid CAs

The Globus Project has been running a “worthless” CA: authentication based on a non-bouncing e-mail address only

not accepted by many of the participating sites

For the EDG “production” test bed: need for just a bit stronger auth

grass-roots effort by volunteers in various countries

policies and practices all different

various degrees of subject authentication

a (very) few CAs are still in need of a written policy

Current EDG Certification Authorities

CERN (HEP-only, Grid-only)

Czech Republic (CESNET)

France (CNRS)

Spain (IFCA, HEP-only, Grid-only)

Netherlands (NIKHEF/DutchGrid, Grid-only)

Italy (INFN, HEP-only, Grid-only)

Portugal (LIP, HEP-only, Grid-only)

Nordic Countries (NBI, Grid-only)

Russia (Moscow State Uni, HEP-only, Grid-only)

GridPP/UKHEP (CLRC/RAL, Grid-only)

DoESG CA (ESnet, Grid-only)

Germany (FZK, Grid-only)

some EDG CA stats:

11 CAs

1 year in operation

~ 1000 certs issued

potential community: 10000–40000–???

EDG CA “Minimum Requirements” (1)

Still largely defined by common practice …

“An acceptable procedure for confirming the identity of the requestor […] e.g. by personal contact or some other rigorous method”

One CA per country → basic trust in personal authentication by CA/RA

Subject name includes full given name and affiliation

Specific nameforms per CA (but all different)

Most use personal voice recognition of known persons, or check official ID papers via an RA

RA-to-CA communications by integrity-protected e-mail

Affiliation usually checked by looking in “public” directories

“Host certificates” introduced by a pre-certified administrator

EDG CA “Minimum Requirements” (2)

Technical controls better specified:

machine with CA private key not connected to any network

CA RSA key length 2048 bits → lifetime 5 years

Subscriber key length > 1024 bits → 1 year

All CAs issue a CRL with a 30-day lifetime (updated ~ weekly)

Relying parties must update every 24 hrs

Audit logs must be kept but no auditing is done! (no funding)

Strongly recommends running a directory service
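An added Python example (constructed here, not EDG software) of a relying party applying the minimum requirements on this slide: the key lengths, the certificate lifetimes, the 30-day CRL lifetime and the 24-hour refresh rule. The cert and CRL dicts stand in for parsed X.509 fields, and all sample names, serials and dates are constructed.

```python
from datetime import datetime, timedelta

# EDG minimum requirements as stated on the slide (this checker is constructed, not EDG software)
CA_KEY_BITS, CA_MAX_LIFETIME = 2048, timedelta(days=5 * 365 + 2)        # 5 years, allowing leap days
SUBSCRIBER_KEY_BITS, SUBSCRIBER_MAX_LIFETIME = 1024, timedelta(days=366)  # "> 1024 bits -> 1 year"
CRL_MAX_LIFETIME, CRL_MAX_CACHE_AGE = timedelta(days=30), timedelta(hours=24)

def check_ca_cert(key_bits, not_before, not_after):
    """A CA certificate must use a 2048-bit RSA key and may live at most 5 years."""
    if key_bits < CA_KEY_BITS:
        return False, "CA key shorter than 2048 bits"
    if not_after - not_before > CA_MAX_LIFETIME:
        return False, "CA certificate lifetime exceeds 5 years"
    return True, "ok"

def accept_subscriber_cert(cert, crl, now):
    """Relying-party decision for one subscriber certificate against the cached CRL of its CA.
    cert and crl are plain dicts standing in for parsed X.509 fields. Returns (accept, reason)."""
    if cert["key_bits"] <= SUBSCRIBER_KEY_BITS:          # slide: subscriber key length > 1024 bits
        return False, "subscriber key too short"
    if cert["not_after"] - cert["not_before"] > SUBSCRIBER_MAX_LIFETIME:
        return False, "subscriber certificate lifetime exceeds 1 year"
    if not cert["not_before"] <= now < cert["not_after"]:
        return False, "certificate not within its validity period"
    if crl["issuer"] != cert["issuer"]:
        return False, "CRL was not issued by the certificate's CA"
    if crl["next_update"] - crl["this_update"] > CRL_MAX_LIFETIME:
        return False, "CRL lifetime exceeds 30 days (CA not compliant)"
    if now >= crl["next_update"]:                        # stale revocation data: fail closed
        return False, "CRL expired; revocation status unknown"
    if now - crl["fetched_at"] > CRL_MAX_CACHE_AGE:      # relying parties must update every 24 hrs
        return False, "cached CRL older than 24 hours; refresh before trusting"
    if cert["serial"] in crl["revoked"]:
        return False, "certificate is revoked"
    return True, "accepted"

# Constructed sample data: a CRL issued 2002-03-11 with the 30-day lifetime, fetched two hours ago
NOW = datetime(2002, 3, 13, 12, 0)
CA = "/C=NL/O=Example/CN=Example CA"
CRL = {"issuer": CA, "this_update": datetime(2002, 3, 11), "next_update": datetime(2002, 4, 10),
       "fetched_at": NOW - timedelta(hours=2), "revoked": {7}}
CERT = {"issuer": CA, "serial": 42, "key_bits": 2048,
        "not_before": datetime(2002, 1, 1), "not_after": datetime(2003, 1, 1)}
```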

EDG CA CP/CPS and the Matrices

Every EDG CA must provide a CP/CPS (combined)

RFC2527 preferred

a per-CA “feature matrix” is made

Cross-evaluation of CP/CPSs by every CA Manager

tries to make up for lack of auditing

provide trust guidelines for “local” site administrators

Every CA Manager should inspect all other CP/CPSs

Yields the Acceptance Matrix

CA Feature Matrix

by Brian Coghlan, TCD, Ireland

CA Acceptance Matrix

The Acceptance Matrix Problem:

This does not scale

Already 12 CAs

Numbers growing rapidly

CrossGrid Project: + 7 countries

CERN/LHC: +120 countries

....

Automate the evaluation

move work to proper forums

Grid CA Standardization Efforts

Global Grid Forum (GGF): standardization body modelled on IETF/IRTF

2 working groups in security area:

Grid Security Infrastructure wg

GridCP wg

http://www.globalgridforum.org/

GridCP working group: define a reference CP (with four? levels)

every compliant CA should add own appendix with CPS (few pages)

not clear on: cross-certifying, root, or bridge CA

EDG and GGF CA References

The EU DataGrid http://www.eu-datagrid.org/

The Globus Project http://www.globus.org/security/

EDG CACG site http://marianne.in2p3.fr/datagrid/ca/

GGF GridCP wg http://www.gridcp.es.net/

DoESG site http://envisage.es.net/