Grid Authentication the EUGrid PMA EIROforum GG

Grid Authentication & the EUGrid. PMA EIROforum GG Meeting David Groep, Chair, 2005. 09. 14

Outline · Grid Security Infrastructure · Virtual Organisations · Authentication vs. Authorisation · · Authentication Federation: EUGrid. PMA Trusting trust anchors: TACAR International Grid Trust Federation e-IRG Roadmap and the i 2010 agenda · Discussion… David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 2

A brief summary: Grid characteristics · Resource sharing across different administrative domains · … using open and generic protocols · … resulting in enhanced qualities of service David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 3

Grid Security Requirements · Control access to shared services · Address autonomous management different policies in different working groups · Support multi-user collaborations · Federate through mutually trusted services · Local policy always prevails · Allow users and application communities to set up dynamic trust domains · Both personal and VO-based aggregation of resources, based on personal or VO-mediated trust · Easy to use: user single sing-on David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 4

Virtual Organisations · Resource sharing and coordinated problem solving in dynamic multi-institutional virtual organisations David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 5

Source of Authority The Resource Owner Always Stays In Control (and it’s worth dedicating an entire slide to this!) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 6

Virtual vs. Organic structure Virtual Com unity C m File server F 1 (disk A) Person B (Administrator) Compute Server C 1' Person A (Principal Investigator) Person D (Researcher) Person B (Staff) Compute Server C 2 Compute Server C 1 Person A (Faculty) Person C (Student) Organization A Person E (Researcher) Person D File server F 1 (Staff) (disks A and B) Person E (Faculty) Person F (Faculty) Compute Server C 3 Organization B Graphic by Frank Siebenlist, ANL & Globus Alliance David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 7

Stakeholders in Grid Security · Conceptually, all members of a VO are equal · Users can provide their own services · Resource provider organisations may or may not have personal members (they can just sell resources to a VO) · No a priori trust relationship between members · VO lifetime can vary from hours to decades · People (and resources) usually are members of more than one VO · … but an established relation is required · for traceability and liability · for incident handling, accounting and support David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 8

VO environment · VOs today are rather long-lived · part of a Grid ‘ecosystem’: · Middleware · User support · `Infrastructure’ (a collective of Resource Centres) or · a single VO per project · Implicit sharing agreement between users and centres David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 9

Many Grid Infrastructures Need Interoperation · In Europe · Enabling Grid for E-scienc. E (EGEE) · Distributed European Infrastructure for Supercomputer Applications (DEISA) · South East European Grid (SEE-GRID) · many national projects (VL-e, D-Grid, UK e-Science) · In the US · Open Science Grid (OSG) · Tera. Grid · also many others, like NEESGRID, NASA IPG, … · Asia-Pacific · AP Grid · Pacific Rim Applications and Grid Middleware Assembly · EGEE participation · LHC Computing Grid Project (global) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 10

Many different organisations · LCG Computing Grid ~140 sites (with LCG-2 m/w) · DEISA ~ 15 sites · OSG ~ 40 sites David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 11

Separating. Auth. N from Auth. Z · Single Authentication token (“passport”) · · · issued by a trustworthy third party, recognised by many resource providers, users, and VOs Satisfies traceability requirement In itself does not grant any access But only provides unique binding between a identifier and the subject* · Authorisation (“visa”) · · Access is granted by the resource owner Based directly on the Auth. N identifier, or Indirectly via VO membership Providers define their lists of authorised users & VOs, but can still ban individual users within a VO David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 12

Authentication · Based on Trusted Third Parties in an X. 509 PKI · Bind identifiers to identities · Assert that via immutable tokens (“certificates”) · Using cryptographically sound methods (asymmetric cryptography using public-private key pairs) Cert Authority certify user service user ‘common. Name=Pietje Puk’ ‘common. Name=ce. grid. nu’ David Groep – davidg@nikhef. nl trust Relying Party (user) (resource centre) Relying Party (service provider) (resource centre) Relying Party (resource centre) EIROforum GG meeting – Sept 2005 - 13

Authorization · Variety of mechanisms · Per-resource list of authorized users (“grid-mapfile”) · Directories of authorized users (VO-LDAP) · Embedded assertions (VOMS, CAS) · Leverage Auth. N identifiers provided by PKI · Identity management decoupled from access control · Renewable identity tokens · Single sign-on across multiple resources · Short-lived “proxy” credentials for users David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 14

Hybrid ways to AA · Pervasive in legacy applications (like ssh) · Many times originate in organisation-focussed applications · Bridging efforts · gsissh · minimalist changes to allow remote access based on user proxy credentials · Grid. Shib · use of a Shibboleth attribute authority as a source of authorization, based on X. 509 user proxy credential · … David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 15

Authentication Infrastructure

Why PKI? · Uniformity of credentials and interoperability (X. 509 and it’s use in SSL/TLS is common) · Tamper resistant credentials · One-to-many mechanism (instead of many-to-many) · Mobility (floppy disk, flash memory, smart card) · Scalability · Off-line authentication of users, · limited real-time interaction (status checks only) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 17

Well known X. 509 PKIs · Secure web servers (‘https’) based on PKI · Various commercial providers · Entrust, Thawte, Verisign, Swiss. Sign, … · Usually expensive but don’t actually subsume liability … … a rogue cracker obtained a certificate from Verisign asserting he was from Microsoft … · Are implicitly trusted by many, since web browsers pre-install the roots of trust … did you ever check the policies of all those CAs? … can you even find them? David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 18

Hierarchical PKI · “hierarchies” are the traditional method of organising trust · A Relying Party that trust a top-level policy can implicitly trust all subordinates Top-level CA Intemediate CA 1 End-entity issuing CA 1 Intermediate CA 2 Intemediate CA 3 EE issuer 2 · But… · By signing a subordinate the CA assumes liability · It requires hierarchical control by the top-level CA on the subordinates (so that it en ensure policy compliance) · It implies a dependency relationship (not very well suited to a multi-national trust relationship) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 19

The Federated PKI CA 1 CA 2 charter CA n CA 3 guidelines acceptance process relying party n relying party 1 · Federation consists of many independent CAs · · Common minimum requirements Solid acceptance process “reasonable” trust level, as required by relying parties no ‘hierarchical top’ to make hard guarantees (more like “EU-style” cooperation) · no single point of failure David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 20

Building the federation · PKI providers (‘CAs’) and Relying Parties (‘sites’) together shape the minimum requirements · Authorities testify compliance with these guidelines · Peer-review process within the federation to (re) evaluate members on entry & periodically · Reduce effort on the relying parties: single document to review and assess · Reduce cost on the CAs: no audit statement needed by certified accountants ($$$) · Requires that the federation remains manageable in size David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 21

History Origins of the Federation: the EDG CACG The EU Data. Grid needed a PKI for the test bed CACG had the task of creating this PKI Single CA not acceptable Single point of attack or failure One CA per country, large region or international organization for Grid Authentication only no support for long-term encryption or digital signatures CA must have strong relationship with RAs Some pre-existing CAs A single hierarchy would have excluded existing CAs and was not convenient to support with existing software Coordinated group of peer CAs was most suitable choice David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 22

History ‘Reasonable procedure … acceptable methods’ · Requirements and Best Practices for an “acceptable and trustworthy” Grid CA Minimum requirements for RA - Testbed 1 -------------------An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate e. g. by personal contact or some other rigorous method The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP. Communication between RA and CA ---------------Either by signed e-mail or some other acceptable method, e. g. personal (phone) contact with known person Minimum requirements for CA - Testbed 1 -------------------The issuing machine must be: a dedicated machine located in a secure environment be managed in an appropriately secure way by a trained person the private key (and copies) should be locked in a safe or other secure place the private keu must be encrypted with a pass phrase having at least 15 characters the pass phrase must only be known by the Certificate issuer(s) not be connected to any network minimum length of user private keys must be 1024 min length of CA private key must be 2048 requests for machine certificates must be signed by personal certificates or verified by other appropriate means. . . David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 23

History Five years of growth December 2000: First CA coordination meeting for EDG March 2001: First version of the minimum requirements 5 CAs: France (CNRS), Portugal (LIP), Netherlands (NIKHEF), CERN, Italy (INFN), UK (UK e. Science) December 2002: Extension to other projects: EU-Cross. Grid … April 2004: Establishment of the EUGrid. PMA Formal charter and guidelines documents … Fall 2005: International Grid Trust Federation … David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 24

The EUGrid. PMA “constitution” The European Policy Management Authority for Grid Authentication in e-Science (hereafter called EUGrid. PMA) is a body • to establish requirements and best practices for grid identity providers • to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. As its main activity the EUGrid. PMA • coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware. The EUGrid. PMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter – the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines. David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 25

EUGrid. PMA Membership EUGrid. PMA membership for classic CAs: · A single Certification Authority (CA) · per country, · large region (e. g. the Nordic Countries), or · international treaty organization. · The goal is to serve the largest possible community with a small number of stable CAs · operated as a long-term commitment Many CAs are operated by the (national) NREN (CESNET, ESnet, Belnet, NIIF, EEnet, SWITCH, DFN, … ) or by the e-Science programme/Science Foundation (UK e. Science, VL-e, CNRS, … ) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 26

History Growth of the CACG & EUGrid. PMA David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 27

Coverage of the EUGrid. PMA · Green: CA Accredited · Yellow: being discussed (Baltic. Grid, Turkey/ULAKBIM, Red. IRIS) Other Accredited CAs: · · · · · Do. EGrids (US) Grid. Canada ASCCG (Taiwan) Arme. SFO (Armenia) CERN Russia (“Data. Grid”) Israel (IUCC) Pakistan IHEP (China) and can we leverage of other (national) Auth. N infrastructures? David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 28

Establishing trust · · · Explicit requirements on identity providers Open-ness to peer review and audits Based on community standards (GGF) Close involvement of major relying parties Pan-European scope · Requirements coded in ‘guidelines’ · Specific guidelines for different technologies (“Authentication Profiles”) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 29

RPs: the issues to be addressed Relying Party requests: 1) standard accreditation profiles sufficient to assure approximate parity in CAs 2) monitor [] signing namespaces for name overlaps 3) a forum [to] participate and raise issues 4) [operation of] a secure collection point for information about CAs which you accredit 5) common practices where possible [list courtesy of the Open Science Grid] David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 30

Guidelines: common elements · Coordinated namespace · Subject names refer to a unique entity (person, host) · Basis for authorization decisions · Common Naming · One-stop shopping for all trust anchors in the federation · Trusted, redundant, download sources · Concerns and ‘incident’ handling · Guaranteed point of contact · Forum to raise issues and concerns · Requirement for documentation of processes · Detailed policy and practice statement · Open to auditing by federation peers David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 31

Guidelines: secured X. 509 CAs · Identity vetting procedures · Based on (national) photo ID’s · Face-to-face verification of applicants via a network of Registration Authorities · Periodic renewal (once every year) · Secure operation · off-line signing key or special (FIPS-140 -3) hardware · Response to incidents · Timely revocation of compromised certificates David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 32

Guidelines: short-lived credential service · Issue short-lived credentials (for grid: proxies) based on another authentication system · e. g. Kerberos CA based on existing administration · Same common guidelines apply · documented policies and processes · a reliable identity vetting mechanism · Same X. 509 format, but no user-held secrets · A new profile pioneered by CAs in the Americas David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 33

TACAR A trusted repository which can contain verified root-CA certificates The certificates to be collected are those directly managed by the member NRENs, or belonging either to a National Academic PKI in the TERENA member countries (NPKIs), or to non-profit research projects directly involving the academic community. · Authoritative source for validation of trust anchors · independent web administration makes for stronger trust · TACAR certificate itself published in paper/journals · over 20 CA root certificates collected (not only for grid use!) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 34

EUGrid. PMA and TACAR David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 35

Along the e-IRG Roadmap e-IRG: e-Infrastructure Reflection Group Roadmap for i 2010: · commitment to the federated approach · vision of an integrated AA infrastructure for e. Europe Towards an integrated AAI for academia in Europe and beyond · The e-IRG notes the timely operation of the EUGrid. PMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGrid. PMA / TACAR to continue their valuable work […] (Dublin, 2004) · The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions. (The Hague, 2005) David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 36

Extending Trust: IGTF – the International Grid Trust Federation · common, global best practices for trust establishment · better manageability and response of the PMAs APGrid. PMA TAGPMA The America’s Grid PMA David Groep – davidg@nikhef. nl European Grid PMA Asia-Pacific Grid PMA EIROforum GG meeting – Sept 2005 - 37

APGrid. PMA · 13 members from the Asia-Pacific Region, chaired by Yoshio Tanaka (AIST) • AIST (. jp) • APAC (. au) • BMG (. sg) • CMSD (. in) • HKU CS SRG (. hk) • KISTI (. kr) • NCHC (. tw) • NPACI (. us) • Osaka U. (. jp) • SDG (. cn) • USM (. my) • IHEP Beijing (. cn) • ASGCC (. tw) · Launched June 1 st, 2004 · 4 ‘production-quality’ CAs · Pioneered ‘experimental’ profile David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 38

TAGPMA · 10 members to date, chaired by Darcy Quesnel (Canarie) • Canarie (. ca) • OSG (. us) • TERAGRID (. us) • Texas H. E. Grid (. us) • DOEGrids (. us) · Launched June 28 th, 2005 · Pioneered new “SLCGS” (Kerberos CA & al. ) David Groep – davidg@nikhef. nl • SDSC (. us) • FNAL (. us) • Dartmouth (. us) • Umich (. us) • Brazil (. br) EIROforum GG meeting – Sept 2005 - 39

Relationships: IGTF, PMAs, TACAR and GGF David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 40

Common Guidelines managed by the federation (collective responsibility) Federation Document • Namespace assignments • Distribution layout Classic X. 509 CAs with secured infrastructure management assigned to the EUGrid. PMA Short-lived Credential Services management assigned to the TAGPMA ‘experimental’ CAs management assigned to the APGrid. PMA … David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 41

Conclusions · A Common, Global, Trust Domain Exists Today · Recognised by many projects & the e-IRG · a solid basis (“classic X. 509 CAs”), and · room for innovation (“SLCGS”, experimental CAs) · Authorisation Federations are the next big challenge for Grid an e. Europe David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 42

http: //www. eugridpma. org / David Groep – davidg@nikhef. nl EIROforum GG meeting – Sept 2005 - 43