Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Similar documents
Deploying the TeraGrid PKI

Using the MyProxy Online Credential Repository

GSI Online Credential Retrieval Requirements. Jim Basney

Network Security Essentials

A Roadmap for Integration of Grid Security with One-Time Passwords

KEY DISTRIBUTION AND USER AUTHENTICATION

Managing Grid Credentials

J. Basney, NCSA Category: Experimental October 10, MyProxy Protocol

1. Federation Participant Information DRAFT

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

TFS WorkstationControl White Paper

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Leveraging the InCommon Federation to access the NSF TeraGrid

User Authentication Principles and Methods

Apple Inc. Certification Authority Certification Practice Statement

GLOBUS TOOLKIT SECURITY

Server-based Certificate Validation Protocol

Federated Services for Scientists Thursday, December 9, p.m. EST

SLCS and VASH Service Interoperability of Shibboleth and glite

Apple Inc. Certification Authority Certification Practice Statement

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

ECA Trusted Agent Handbook

Credentials Management for Authentication in a Grid-Based E-Learning Platform

Credential Wallets: A Classification of Credential Repositories Highlighting MyProxy

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Cryptography and Network Security

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Managing AON Security

CERN Certification Authority

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

CERTIFICATE POLICY CIGNA PKI Certificates

Integrating AirWatch and VMware Identity Manager

(1) Jisc (Company Registration Number ) whose registered office is at One Castlepark, Tower Hill, Bristol, BS2 0JA ( JISC ); and

A VO-friendly, Community-based Authorization Framework

VMware vcloud Air SOC 1 Control Matrix

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

SSL Certificates Certificate Policy (CP)

A Hardware-secured Credential Repository for Grid PKIs

INDIGO AAI An overview and status update!

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Certification Authority

MU2b Authentication, Authorization and Accounting Questions Set 2

}w!"#$%&'()+,-./012345<ya

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

Single Secure Credential to Access Facilities and IT Resources

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Grid Computing Security

EXPERIENCE WITH PKI IN A LARGE-SCALE DISTRIBUTED ENVIRONMENT

CS530 Authentication

CA-based Trust Issues for Grid Authentication and Identity Delegation

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Building on existing security

FPKIPA CPWG Antecedent, In-Person Task Group

Overview of Authentication Systems

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

The SafeNet Security System Version 3 Overview

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

VMware AirWatch Integration with SecureAuth PKI Guide

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Troubleshooting Grid authentication from the client side

A privacy-preserving authentication service using mobile devices

Some Lessons Learned from Designing the Resource PKI

The Match On Card Technology

Grid Security Infrastructure

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Securing MQTT. #javaland

Cloud Access Manager Overview

Canadian Access Federation: Trust Assertion Document (TAD)

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Salesforce1 Mobile Security White Paper. Revised: April 2014

Configuring SSH with x509 authentication on IOS devices

Thebes, WS SAML, and Federation

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Public Key Infrastructure

Network Working Group Request for Comments: 3820 Category: Standards Track. NCSA D. Engert ANL. L. Pearlman USC/ISI M. Thompson LBNL June 2004

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Odette CA Help File and User Manual

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Certificate Enrollment for the Atlas Platform

CILogon Project

Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen

Cryptographic Protocols 1

Canadian Access Federation: Trust Assertion Document (TAD)

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Managing Certificates

Pulseway Security White Paper

This help covers the ordering, download and installation procedure for Odette Digital Certificates.

Canadian Access Federation: Trust Assertion Document (TAD)

Single Sign-On Architectures. Jan De Clercq Senior Member of Technical Staff Technology Leadership Group Hewlett-Packard

Using existing security infrastructures

Security and Certificates

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Public Key Infrastructure Configuration Guide, Cisco IOS XE Release 2

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

SAML-Based SSO Solution

Transcription:

Credential Management in the Grid Security Infrastructure GlobusWorld Security Workshop January 16, 2003 Jim Basney jbasney@ncsa.uiuc.edu http://www.ncsa.uiuc.edu/~jbasney/

Credential Management Enrollment: Initially obtaining credentials Retrieval: Getting credentials when and where they re needed Renewal: Handling credential expiration Translation: Using existing credentials to obtain credentials for a new mechanism or realm Delegation: Granting specific rights to others Control: Monitoring and auditing credential use Revocation: Handling credential National compromise Computational Science We need tools to cope with the complexity of credential management on the Grid.

Grid Credentials Identity credentials Different mechanisms (X.509, Kerberos,.NET) Different authorities (CAs, KDCs) Different purposes (authentication, signing, encryption) Different roles (project-based, security levels) Authorization credentials X.509 attribute certificates SAML/XACML/XrML assertions Trusted credentials CA certificates and policies Other certificates and public keys (SSH, PGP)

Accessing Credentials Ubiquitous access to the Grid Initiate secure Grid sessions from desktops, kiosks, PDAs, cell phones, etc. Requires access to needed credentials, including trusted credentials (CA certificates, etc.) Bootstrap from password Delegating credentials to transient services May need to retrieve additional credentials and/or renew existing credentials at run-time Need access to trusted credentials and policy information

Traditional PKI Enrollment 1. End entity generates public/private key pair & submits certificate request to CA 2. CA approves/denies certificate request & signs certificate if request is approved 3. End entity retrieves signed certificate from the CA

Traditional PKI Enrollment Can be cumbersome for users and CA operators May require a trip to a Registration Authority or some other out-of-band identity verification CA operators must examine each request and sometimes investigate further before deciding to approve or deny Process may take hours or days to complete

End Entity Key Management Typical practice in GSI is to store private keys in files encrypted by a passphrase Security depends on well-chosen passphrases and well-secured filesystems Users copy private keys to the different systems they use to access the Grid Not all Grid users are PKI experts Just want to do their computing securely Can we improve usability and security of end entity key management on the Grid? Alternatives: Smart Cards, Online CAs, Online Credential Repositories

Smart Cards User-managed, portable credential storage Security analogous to car keys or credit cards Private keys stay in hardware Card standards are mature Costs are decreasing but still significant $20 readers, $2 cards Government ID card deployments Can pre-load credentials on the National card Computational before Science distributing it Some support already in GSI libraries

Online CA User authenticates to CA to obtain credentials immediately Leverage existing authentication mechanisms (password, Kerberos, etc.) Identity mapping: Simple transformation (i.e., include Kerberos principle name in X.509 certificate subject) or administratormanaged mapping Signs long-term and/or short-term credentials If long-term, then credentials are user-managed If short-term, credentials retrieved on demand, without need for user key management

Online CA Security CA machine must be well-secured Signing key must be well-protected (i.e., stored in hardware crypto module) Key compromise allows attacker to create arbitrary credentials CA compromise may allow attacker to manipulate user authentication or identity mapping info If compromised, must revoke CA certificate and change CA signing key Short-term credentials don t need to be revoked

Online Credential Repository Store encrypted credentials and access policy in an online repository Repository may be mechanism-aware or may simply hold opaque credentials Authenticate to repository to retrieve opaque or delegated credentials Separates credential creation from credential management Can be deployed by individuals, small groups, VO managers, or CA operators Credentials can be pre-loaded to leverage existing authentication mechanisms

Credential Repository Security Credentials individually encrypted with user s passphrase Compromise requires offline attack on each credential Centralized storage of credentials may violate policies (CA CP/CPS) If compromised, credentials in repository must be revoked

Who Holds The Keys? Viewpoint #1: End entities should have sole possession of their long-term keys Administrator access to end entity keys voids non-repudiation Viewpoint #2: End entities can t be trusted to secure their long-term keys Centralized key distribution enforces password policies and credential lifetime limits Will this issue hinder cross-site collaboration?

Credential Renewal Long-lived tasks or services need credentials Task lifetime is difficult to predict Don t want to delegate long-lived credentials Fear of compromise Instead, renew credentials as needed during the task s lifetime Renewal service provides a single point of monitoring and control Renewal policy can be modified at National any Computational time Science For example, disable renewals if compromise is detected or suspected

Credential Renewal Home Remote Submit Jobs Job Broker Launch Job Refresh Credentials Resource Manager Retrieve Credentials Refresh Credentials Enable Renewal Credential Service Job

Multiple Credentials Will a single identity credential per user suffice? A lot of work is being done to vet and/or crosscertify Grid CAs How is that different from Kerberos cross-realm authentication? Alternative: Provide tools to manage multiple credentials Single sign-on unlocks all credentials Grid protocols negotiate for required credentials (WS-SecurityPolicy) Authorization decision between individual and resource provider, rather than between realms

Credential Wallet Consolidated view of my credentials Credential management interface Add, remove, or modify credentials Associate policies with credentials Create authorization credentials One-stop credential access point Single sign-on unlocks credentials for a session Contains pointers to available credential services Manage credentials on my behalf Example: renew credentials as needed Notify when events occur or action is required

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback