Frank Siebenlist, Argonne National Laboratory, franks@mcs.anl

Click here to load reader

  • date post

    19-Mar-2016
  • Category

    Documents

  • view

    38
  • download

    3

Embed Size (px)

description

Discussion about: * Security Provisioning and Validation * * Policy Enforcement Complexity * * Data Integrity Verification * 11th Middleware Security Group Meeting San Diego, CA - March 1-2, 2007. Frank Siebenlist, Argonne National Laboratory, franks@mcs.anl.gov - PowerPoint PPT Presentation

Transcript of Frank Siebenlist, Argonne National Laboratory, franks@mcs.anl

  • Certificate Validation Profile Support Locally Stored Locally Validated Profile (LSLV)Supported by Globus 4.0.3Directory of Trusted CertificatesCertificate Validation against certificates in directory of Trusted Certificates

    Remotely Retrieved Locally Validated Profile (RRLV)Use trust service to obtain trusted CA certificates and CRLS and store them in the Globus Trusted Certificate directory.Trust Service client manages the Globus Trusted Certificate directory for Globus, keeping it up to date. Only minor changes to Globus required.

    Supporting Remotely Stored Remotely Validated Profile (RSRV) Globus contacts Trust Service during authentication to determine if the credentials in question are signed by a Trusted CATrust Service performs all validation and enforces revocation lists.Support requires SIGNIFICANT changes to the Globus Toolkit

    Trust-Root Provisioning and Assertion Validation Facilities

  • Grid Trust Service (GTS)

    Grid Trust Service (GTS)WSRF Grid ServiceDefine and manage levels of assurance. Provides Support for Managing Trusted Certificate AuthoritiesAdministrator register/manage certificate authorities and CRLS with GTSClient tools synchronize Globus Trust Framework with GTSRemotely Retrieved Locally Validated Profile (RRLV)Globus is authenticating against the current trust fabricDistributed GTS, Enabling the creation of a scalable trust fabric.

    Trust-Root Provisioning and Assertion Validation Facilities

  • Grid Trust Service (GTS)

    Trusted AuthoritiesGTS manages a set of certificate authorities that are trusted in the grid to sign grid credentials. Trusted Authority A certificate authority trusted by the GTS.Name (Subject of the CA Certificate)Trust Level (s) The level(s) of Trust associated with the CA.Status The current status of the CA (Trusted or Suspended)Certificate The ca certificate that corresponds to the private key that is used by the ca to sign certificates. (credentials).Certificate Revocation List (CRL) CA signed list of revoked credentials.Is Authority Specifies whether or not the GTS listing this Trusted Authority is the authority for it.Authority GTS The authoritative GTS for the Trusted AuthoritySource GTS The GTS from where the current GTS obtained the Trusted Authority from.Expiration The date at which after this Trusted Authority should no longer be trusted.

    Trust-Root Provisioning and Assertion Validation Facilities

  • SyncGTS

    Toolkit used for synchronizing client and service containers with the GTSTakes a set of GTS Queries and executes them on a GTS, synchronizing the results of the queries with the Globus Trusted Certificates Directory.Supports multiple execution mechanisms.Grid Service in a grid service containerEmbedded in a client or serviceCommand Line

    Trust-Root Provisioning and Assertion Validation Facilities

  • Grid Trust Service (GTS) Federation

    GTS FederationA GTS can inherit Trusted Authorities and Trust Levels from other Grid Trust ServicesAllows one to build a scalable Trust Fabric.Allows institutions to stand up their own GTS, inheriting all the trusted authorities in the wider grid, yet being to add their own authorities that might not yet be trusted by the wider grid.A GTS can also be used to join the trust fabrics of two or more grids.

    Trust-Root Provisioning and Assertion Validation Facilities

  • OTP & Trust-Root ProvisioningOTP AuthN Server +users security config user-workstation(initially not configured)Secure mutual OTP-Authentication and Key-ExchangeShort-Lived Cert + Provisioning ofCAs, AuthZ/Attr AuthoritiesOTPEnhanced MyProxy/GridLogon Svc Bootstrap Users Trust-Root Config from Secure OTP Authentication

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    MyProxy and Grid Trust ServiceMyProxy (creds swiss-army knife)(optionally) provisions clients with CA Certificates and CRLsOnly C-clients and no webservice protocolGrid Trust Service (GTS)provisions clients with CA certificates and CRLsOnly Java-clients and webservice protocolHierarchical centralized admin modelFunctionality insufficient but is on the right path forward

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Status QuoTrust-Root provisioning is static or very limitedClients and service configuration changes requires real effortEvery new collaboration requires manual provisioning of participating entitiesOut-of-date, i.e. incorrect, configurations lead to security exposuresAssertion revocation and signing policy validation is primitive or non-existingInability to validate signing-policy in real-time requires overly-strict CA-agreementsOut-of-date revocation information leads to security exposureAssertion validation not centralizedComplex validation code needs to be up-to-date on each client and serviceBridge CA deployment too complex for current middleware

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Path ForwardEnhance MyProxy/GTS to provision all trust roots required for organization, VO, and/or collaboratoryCentralized admin of clients and services security-configurationEnhance Grid-middleware to transparentlyEnable real-time, dynamic configuration provisioningValidate signing policy Maintain client and service security-config up-to-dateCentralize processing of complex validationEnhance Grid-middleware to optionally deploy and leverage centralized assertion-validation services

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    ContentsTrust Provisioning & Validation

    Policy Enforcement Complexity

    Data Integrity Verification Facilities

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Access Policy Taxonomy (1)Physical User, AuthN-ID, DN, UsernameOperation/ActionIdentity-based, ACL-like, most simple policy statementPermissionPermit | Deny | NotApplicablePhysical Resource, FileName, URL, FQNPUser | Op | Perm | PRsrc

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Access Policy Taxonomy (2)Physical User, AuthN-ID, DN, UsernameGrouping Abstractionspolicy (mostly) defined on groupsResource Group, ClassificationPhysical Resource, FileName, URL, FQNUGroup | Op | Perm | RGroupRGroup | PRsrcUser Group, Attribute, RolePUser | UGroup

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Access Policy Taxonomy (3)Physical User, AuthN-ID, DN, UsernameLogical Abstractionssupport multiple authN-mechs resource location transparenciesLogical Resource, Lfile, URNPhysical Resource, PFile, URL, FQNUGroup | Op | Perm | RGroupRGroup | LRsrcLogical Username, Access-IDLUser | UGroup PUser | LUser LRsrc | PRsrc

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Access Policy Taxonomy (4)Puser/Luser/UGroup/Role | Op | Perm | Rgroup/LRsrc/PRsrcRGroup | LRsrcLUser | UGroup PUser | LUser LRsrc | PRsrcLuser/UGroup | Role Policy on physical, logical, roles and groupsplus hierarchical groups/roles, etc., etc

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Access Policy Taxonomy (5)Meta-Data Catalog Integrationallows for secure-browsingMeta-Data Catalogintegrated with access policyUGroup | Op | Perm | RGroupRGroup | LRsrcLUser | UGroup PUser | LUser LRsrc | PRsrcRGroup | Meta-DataLRsrc | Meta-DataPRsrc | Meta-Data

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Access Determination (1)??Permission??Requested operationAuthenticated User-IDCan Subject invoke Operation on Resource?Can AuthN-ID invoke Operation on Physical-Resource?Physical Resource to accessUGroup | Op | Perm | RGroupRGroup | LRsrcLUser | UGroup PUser | LUser LRsrc | PRsrc

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Policy Assertions from Everywhere

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Access Determination (2)VOMSRS/VOMSSAZ/PRIMA/GUMSMyProxy AuthN Svc - Username=> DN mappingPuser/Luser/UGroup/Role | Op | Perm | Rgroup/LRsrc/PRsrcRGroup | LRsrcLUser | UGroup PUser | LUser LRsrc | PRsrcLuser/UGroup | Role Policy components distributed

    Meta-data catalogData-Service(after staging)

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Policy Assertions from EverywhereCASShibLDAPHandleVOMSPERMISXACMLSAMLSAZPRIMAGridmapXACML???

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Policy Evaluation ComplexitySingle Domain & Centralized Policy Database/ServiceMeta-Data Groups/Roles membership maintained with RulesOnly Pull/push of AuthZ-assertions

    Challenge is to find right balance(driven by use casesnot by fad/fashion ;-) )

    Split Policy & Distribute EverythingSeparate DBs for meta-data, rules & attribute mappingsDeploy MyProxy, LDAP,VOMS, Shib, CAS, PRIMA, XACML, PRIMA, GUMS, PERMIS, ???

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    AuthZ & Attr Svcs TopologyPolicy Enforcement Use Cases determine optimal AuthZ & Attr Svc TopologyClient pull-push versus Server pullNetwork-hurdles/firewallsCrossing of admin domainsSeparate Attributes from Rules (VOMS/Shib) or Separate Policies from Enforcement Point (CAS)Separation of duty - delegation of adminReplicating of Policy-DB or Call-OutNetwork overhead versus sync-mgmt overhead

    !!! Choose Most Simple Deployment Option !!! (ideally, services and middleware should allow all options)

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    ContentsTrust Provisioning & Validation

    Policy Enforcement Complexity

    Data Integrity Verification Facilities

    Trust-Root Provisioning and Assertion Validation Facilities

    *

    Data Integrity ProtectionData CorruptionMany, many copies of the original