MyProxy: A Multi-Purpose Grid Authentication Service
Jim Basney, Senior Research Scientist
WCGA 2006 http://myproxy.ncsa.uiuc.edu/ 2
What is MyProxy?
A service for managing X.509 PKI credentials: a credential repository and certificate authority
An Online Credential Repository
  Issues short-lived X.509 Proxy Certificates
  Long-lived private keys never leave the server
An Online Certificate Authority
  Issues short-lived X.509 End Entity Certificates
Supporting multiple authentication methods: Passphrase, Certificate, PAM, SASL, Kerberos
Open Source Software
  Included in Globus Toolkit, VDT, and CoG Kits
  C, Java, Python, and Perl clients available
  Contributions from EDG, UVA, LBNL, and others
MyProxy Logon
Authenticate to retrieve PKI credentials
  End Entity or Proxy Certificate
  Trusted CA Certificates
  Certificate Revocation Lists (CRLs)
MyProxy maintains the user’s PKI context
  Users don’t need to manage long-lived credentials
  Enables server-side monitoring and policy enforcement (ex. passphrase quality checks)
  CA certificates & CRLs updated automatically at login
MyProxy Authentication
Key Passphrase
X.509 Certificate
  Used for credential renewal
Pluggable Authentication Modules (PAM)
  Kerberos password
  One Time Password (OTP)
  Lightweight Directory Access Protocol (LDAP) password
Simple Authentication and Security Layer (SASL)
  Kerberos ticket (SASL GSSAPI)
MyProxy Online Certificate Authority
Issues short-lived X.509 End Entity Certificates
  Leverages MyProxy authentication mechanisms
  Compatible with existing MyProxy clients
Ties in to site authentication and accounting
  Using PAM and/or Kerberos authentication
  Map username to certificate subject via “gridmap” file or LDAP query
Avoid need for long-lived user keys
Server can function as both CA and repository
  Issues certificate if no credentials for user are stored
MyProxy Online Credential Repository
Stores X.509 End Entity and Proxy credentials
  Private keys encrypted with user-chosen passphrases
  Credentials may be stored directly or via proxy delegation
  Users can store multiple credentials from different CAs
Access to credentials controlled by user and administrator policies
  Set authentication requirements
  Control whether credentials can be retrieved directly or if only proxy delegation is allowed
  Restrict lifetime of retrieved proxy credentials
Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.
Talk Outline
MyProxy Introduction
PKI Introduction and MyProxy CA
Proxy Certificates and MyProxy Repository
MyProxy Scenarios
  Administratively Loaded Credentials
  Registration Portals
  Web Portal Authentication and Delegation
  Password-based Delegation
  Credential Renewal
  Web Single Sign-On (SSO)
Demos
Conclusion
PKI Overview
Public Key Cryptography
  Sign with private key, verify signature with public key
  Encrypt with public key, decrypt with private key
Key Distribution
  Who does a public key belong to?
  Certification Authority (CA) verifies user’s identity and signs certificate
  Certificate is a document that binds the user’s identity to a public key
[Diagram: Authentication is a signature over a hash of a random challenge, Signature[ h( random, … ) ]. The CA’s self-signed certificate (Subject: CA, Issuer: CA) signs the user’s certificate (Subject: Jim, Issuer: CA).]
PKI Authentication
Standard SSL/TLS Protocol (summarized)
[Diagram: Client and Server message exchange]
  Client -> Server: random_c
  Server -> Client: certificate_s + random_s
  Client -> Server: certificate_c + { secret }pubkey_s + signature_c[ h( random_c, random_s, … ) ]
  Then: { h( secret ) }secret, proving possession of the shared secret
PKI Enrollment
[Diagram: Applicant and CA. 1. The applicant generates a new key pair. 2. The applicant sends a certificate request to the CA. 3. The CA signs the new end entity certificate. 4. The applicant, now a User, holds the certificate and its private key.]
MyProxy CA with PAM
[Diagram: The Client performs a TLS handshake with the MyProxy Server and sends its username and password together with a certificate request for a key pair it generated. The server checks the password through PAM against a Kerberos KDC (which returns a TGT), a RADIUS Server or an LDAP Server, maps the username to a DN via the gridmap file or an LDAP lookup, signs the request with the CA key and returns the certificate. The Client then authenticates to the Grid Service with X.509.]
MyProxy CA with Kerberos
[Diagram: The Client obtains a Kerberos ticket from the Kerberos KDC, performs a TLS handshake with the MyProxy Server and authenticates with SASL/GSSAPI/Kerberos, then sends a certificate request for its key pair. The server maps the username to a DN via the gridmap file or an LDAP Server lookup, signs the request with the CA key and returns the certificate, which the Client uses to authenticate to the Grid Service with X.509.]
PAM/SASL Issues
PAM Conversation
  PAM modules can require multiple rounds of user interaction
  No standard protocol
  SASL/PLAIN doesn’t support multiple rounds
  Need something like SSH keyboard-interactive protocol
SASL client-side setup
  Requires SASL library and configuration of SASL mechanisms
Alternative: native Kerberos protocol support
Proxy Credentials
RFC 3820: Proxy Certificate Profile
  Associate a new private key and certificate with existing credentials
  Short-lived, unencrypted credentials for multiple authentications in a session
  Restricted lifetime in certificate limits vulnerability of unencrypted key
  Credential delegation (forwarding) without transferring private keys
[Diagram: chain of signatures. The CA signs the User’s certificate, the User signs Proxy A, and Proxy A signs Proxy B.]
Proxy Delegation
[Diagram: Delegator and Delegatee. 1. The delegatee generates a new key pair. 2. The delegatee sends a proxy certificate request to the delegator. 3. The delegator signs a new proxy certificate. 4. The delegatee receives the proxy certificate and holds the proxy with the private key it generated.]
MyProxy Put
[Diagram: The Client holds its certificate and private key. After a TLS handshake it sends username, password and policy to the MyProxy Server; the server generates a key pair and sends a certificate request; the Client signs it and returns the proxy certificate chain; the server stores the private key and cert chain.]
MyProxy Get
[Diagram: The Client generates a key pair, performs a TLS handshake with the MyProxy Server and sends username, password and a certificate request; the server signs with the stored private key and returns the proxy certificate chain. The Client authenticates to the Grid Service with X.509 using its private key and the cert chain.]
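As an added example that is not part of the original slides or of the MyProxy software, the following POSIX shell script uses the openssl CLI to replay the flow of the Proxy Credentials, Proxy Delegation and MyProxy Put/Get slides: enrollment of an end entity certificate with a CA, delegation of an RFC 3820 proxy (the delegatee generates the key pair, the delegator signs the request), a second level of delegation, and the checks a relying Grid Service would apply. The names (Grid CA, Jim, proxy-a, proxy-b, proxy-c), the extension files, the working directory and the one-day lifetime are assumptions of the example; it needs only sh and openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the slides or the MyProxy distribution). It replays
# the Proxy Delegation exchange with the openssl CLI: the delegatee generates a
# key pair and a request, the delegator signs a short-lived RFC 3820 proxy, and
# a relying party verifies the chain back to the CA. Names (Grid CA, Jim) are
# made up; "proxy-a"/"proxy-b" stand in for the serial numbers real proxies use.
set -eu

if [ -z "${WORK:-}" ]; then WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; fi

# Key pair + certificate request for a subject (delegatee side, steps 1-2).
new_request() {   # $1 = file stem, $2 = subject
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a request with the issuer's private key (delegator side, steps 3-4).
sign_request() {  # $1 = stem, $2 = issuer stem, $3 = extension file, $4 = days
    openssl x509 -req -sha256 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days "$4" \
        -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
    # PKI Enrollment: a CA and Jim's long-lived end entity credential. The EE
    # cert carries digitalSignature, which OpenSSL requires of a proxy's issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/ee.ext"
    # RFC 3820 proxyCertInfo: inherit the issuer's rights; pathlen bounds how
    # many further delegations may hang below this proxy.
    printf 'proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:1\n' > "$WORK/pl1.ext"
    printf 'proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:0\n' > "$WORK/pl0.ext"

    new_request ca "/O=Grid/CN=Grid CA"
    openssl x509 -req -sha256 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -days 365 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
    new_request user "/O=Grid/CN=Jim"
    sign_request user ca ee.ext 365

    # Proxy A: Jim delegates to a session key. The subject is the issuer's
    # subject plus one CN (RFC 3820 section 3.4); 1 day is the smallest
    # lifetime `openssl x509 -days` can express, MyProxy defaults to hours.
    new_request proxyA "/O=Grid/CN=Jim/CN=proxy-a"
    sign_request proxyA user pl1.ext 1
    # Proxy B: further delegation from Proxy A; its key never leaves the delegatee.
    new_request proxyB "/O=Grid/CN=Jim/CN=proxy-a/CN=proxy-b"
    sign_request proxyB proxyA pl0.ext 1
    # Proxy C: one level deeper than Proxy B's pathlen:0 permits.
    new_request proxyC "/O=Grid/CN=Jim/CN=proxy-a/CN=proxy-b/CN=proxy-c"
    sign_request proxyC proxyB pl0.ext 1

    # The untrusted chain a relying party receives alongside a leaf ("MyProxy Get").
    cat "$WORK/proxyB.crt" "$WORK/proxyA.crt" "$WORK/user.crt" > "$WORK/chain.pem"
}

# Relying-party check: verify leaf $1 against the trusted CA. $2 = "proxy" opts
# in to proxy certificates (as a Grid Service must); anything else refuses them.
verify_leaf() {   # exit status only
    if [ "$2" = proxy ]; then flag=-allow_proxy_certs; else flag=; fi
    openssl verify $flag -CAfile "$WORK/ca.crt" -untrusted "$WORK/chain.pem" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# True if certificate $1 expires within $2 seconds: the short window that
# limits exposure of a proxy's unencrypted private key.
expires_within() {
    ! openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}

build_chain
for leaf in user proxyA proxyB proxyC; do
    if verify_leaf "$leaf" proxy; then echo "$leaf: accepted"; else echo "$leaf: rejected"; fi
done
if verify_leaf proxyB noproxy; then echo "proxyB: accepted without -allow_proxy_certs"
else echo "proxyB: rejected by a verifier that did not opt in to proxy certs"; fi
```

Two negative cases matter for a relying party: `openssl verify` rejects every proxy unless the verifier passes -allow_proxy_certs explicitly, and a delegation deeper than the pathlen in the proxyCertInfo extension (proxy-c above) fails, so a delegator can bound how far a credential is forwarded. The `expires_within` check is the client-side counterpart of the repository policy on the Credential Repository slide that restricts the lifetime of retrieved proxies: the proxies here expire within two days while Jim's end entity certificate does not.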
MyProxy Store
[Diagram: The Client holds a certificate and private key. After a TLS handshake it sends username and policy together with the certificate and the (passphrase-encrypted) private key; the MyProxy Server stores the certificate and private key directly, with no proxy delegation.]
MyProxy Retrieve
[Diagram: The Client performs a TLS handshake with the MyProxy Server and sends username and password; the server returns the stored certificate chain and private key, which the Client uses to authenticate to the Grid Service with X.509.]
Administratively Loaded Creds
[Diagram: The Certificate Authority issues a certificate and private key, which are loaded into the MyProxy Server by the administrator. The Client then performs a TLS handshake, sends username and password with a certificate request, receives a proxy certificate chain and authenticates to the Grid Service with X.509.]
User Registration Portal
[Diagram: The Browser performs a TLS handshake with the Registration Portal and sends username and password; the portal records the username in the User DB, obtains a certificate and private key from the Certificate Authority and loads them into the MyProxy Server. The Client later performs a TLS handshake with MyProxy, sends username and password with a certificate request, receives a proxy certificate chain and authenticates to the Grid Service with X.509.]
Gateway Portal
[Diagram: The Browser performs a TLS handshake with the Portal and sends username and password, which the Portal checks against the User DB. The Portal authenticates to the Grid Service with X.509 using its own cert and key.]
Trusted Portal
[Diagram: The Browser performs a TLS handshake with the Portal and sends username and password, which the Portal checks against the User DB. The Portal authenticates to MyProxy with its own X.509 cert and key and sends a cert request for the username; MyProxy returns the user’s cert, which the Portal uses to authenticate to the Grid Service with X.509.]
Password-based Portal Auth
[Diagram: The Browser performs a TLS handshake with the Portal and sends username and password. The Portal forwards the username and password with a cert request to MyProxy and receives the user’s cert and key, which it uses to authenticate to the Grid Service with X.509.]
Password-based Delegation
[Diagram: Delegator, MyProxy and Delegatee. The Delegator, holding a certificate and private key, performs a TLS handshake with MyProxy and delegates a proxy credential (certificate request and certificate exchange) under its username and a random password. The Delegator passes the username and random password to the Delegatee, which performs its own TLS handshake with MyProxy, presents them with a certificate request and receives the delegated certificate chain.]
Password-based Renewal
[Diagram: Client, Condor-G, GRAM Gatekeeper, Job and MyProxy. The Client stores a proxy in MyProxy under a password and submits the job with its proxy and the password to Condor-G; Condor-G forwards the job and proxy to the GRAM Gatekeeper, which runs the Job. Before the proxy expires, Condor-G uses the password to obtain a renewed proxy from MyProxy and pushes it through the gatekeeper to the running Job.]
Certificate-based Renewal
[Diagram: Client, Workload Management Service, Condor-G, GRAM Gatekeeper, Job, Renewal Service and MyProxy. The Client stores a proxy in MyProxy with a policy authorizing renewal and submits the job with its proxy to the Workload Management Service, which passes it through Condor-G and the GRAM Gatekeeper to the Job. The Renewal Service authenticates to MyProxy with its own X.509 key and cert, obtains renewed proxies and pushes them down the chain to the Job.]
MyProxy and Web SSO
[Diagram: Browser, Pubcookie Login Server, Portal A, Portal B, PURSE, MyProxy and Grid Service. The Browser authenticates with a password to the Pubcookie Login Server and receives a cookie, which it presents to Portal A and Portal B. PURSE (the registration portal) loads the user’s cert into MyProxy; the portals obtain the cert from MyProxy and authenticate to the Grid Service with X.509.]
SSO for Browser and Application
[Diagram: Portal, MyProxy Server, Browser, Application and Grid Service. The Browser authenticates to the Portal and receives a cookie; the Portal launches the Application via Java Web Start (JWS), passing the cookie. The Application presents the cookie to obtain a cert from the MyProxy Server, and both Portal and Application authenticate to the Grid Service with X.509.]
SSO for Browser and Application
[Diagram: Same components, using a password instead of a cookie. The Browser authenticates to the Portal, which obtains a cert from the MyProxy Server and stores a credential under a random password; the Portal launches the Application via JWS, passing the username and random password, which the Application uses to retrieve its cert from the MyProxy Server and authenticate to the Grid Service with X.509.]
Demonstrations
Conclusion
MyProxy: A Multi-Purpose Grid Authentication Service
  Used in many delegation and single sign-on scenarios
MyProxy provides practical authentication solutions
  Minimize changes to existing software and protocols
  Leverage community standards: PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
Active MyProxy open source community
  Deploy new developments via MyProxy
  Benefit from the work of others
Thank you! Obrigado!