Number of slides: 32
“Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4”
Jesús Luna G., Manel Medina L., Oscar Manso C.
Universitat Politècnica de Catalunya, Departament d’Arquitectura de Computadors
EuroPKI 2005, June 30th, 2005
Agenda
– Motivation
– Background
– Objective
– Proof of concept
– Related work
– Future work
Motivation
Grid Services
• Open Grid Services Architecture (OGSA): service orientation to virtualize resources -> everything is a service.
• A standard substrate: the Grid service.
• Standard interfaces (OGSI) and behaviors that address key distributed system issues: naming, service state, lifetime, notification.
• Grid service = Web service + OGSA + OGSI
• Grid services are moving from eScience to eBusiness.
Oracle’s Use of Grid Technology*
• Use Grid technology to build better products
  – Oracle Database 10g
    • Enhanced scalability, relocation, & distributed SQL
    • Max database size -> 8 exabytes
  – Oracle Application Server 10g
    • Already based on J2EE/Web Services
    • Extending to include OGSI yields powerful capabilities
• Improves scalability and flexibility
• Increases in both scalability and efficiency
• Improves competitiveness of existing products
* “Open Grid Services Architecture: A tutorial”, Ian Foster, www.mcs.anl.gov/~foster
Oracle Grid Product Offerings
• Oracle Database 10g
  – Transportables
  – Distributed SQL
  – Managed using OGSI-compliant interfaces (?)
• Oracle Application Server 10g
  – Hosting for OGSI-compliant Grid services
  – Development environment
  – Application Server can be managed and configured using OGSI-compliant interfaces (?)
Performance & Security
… but is the traditional Grid Security Infrastructure (GSI) framework ready for Grid Services?
Background
Globus Toolkit
[Figure: Globus Toolkit component map across GT2, GT3 and GT4, grouped by area (Security, Data Management, Execution Management, Information Services, Common Runtime) and split into Web Services components and non-WS components. Components shown: WS Authentication Authorization, Pre-WS Authentication Authorization, Credential Management, Delegation Service, CAS; Reliable File Transfer (RFT), OGSA-DAI [Tech Preview], GridFTP, Replica Location Service (RLS); Grid Resource Allocation Mgmt (WS GRAM), Grid Resource Allocation Mgmt (Pre-WS GRAM), Community Scheduler Framework [contribution]; Monitoring & Discovery System (MDS4), Monitoring & Discovery System (MDS2); Java WS Core, C WS Core, Python WS Core [contribution], C Common Libraries, XIO.]
GT4 Container
• Open Source implementation of Grid Services through a WSRF Container.
[Figure: the GT4 Container hosting custom GT4 WSRF Web Services and custom Web Services on top of WS-Addressing, WSRF, WS-Notification, WSDL, SOAP and WS-Security, with Registry and Administration functions, used by User Applications.]
GT4’s Use of Security Standards
GT4: AA Framework
[Figure: AA message flow among the Subject, the Delegated Proxy, the Grid Services WSRF Container, the Service or Resource AuthN Source with its AuthN SOA, and the Container or Service AuthZ PDPs with their AuthZ SOAs.]
1. Proxy Initialization
2. Service Request
3. Authentication Request; 3a. Authentication Decision
4. Authentication Response
5. Authorization Request; 5a. Authorization Decision
6. Authorization Response
7. Service Response
8. Proxy Destruction
Conceptual Grid Authorization Framework*
– Trust Management.
– Privilege Management.
– Attribute Authorities.
– Privilege Assignment.
– Attribute Assertions Management.
– Policy Management.
– Authorization Context.
– Authorization Server.
– Enforcement Mechanisms.
* “Conceptual Grid Authorization Framework and Classification”, R. Baker, L. Gommans, A. McNab, M. Lorch, L. Ramakrishnan, K. Sarkar, and M. R. Thompson, Global Grid Forum Working Group on Authorization Frameworks and Mechanisms, February 2003, http://www.ggf.org/Meetings/ggf7/drafts/authz01.pdf
Objective
• Improve the GT4 Container’s security and performance through the integration of common AuthN and AuthZ features into a Unified Authentication and Authorization Infrastructure (AAI).
AA Performance and Security
[Figure: the GT4 AA Framework message flow (steps 1 to 8: Proxy Initialization, Service Request, Authentication Request/Decision/Response, Authorization Request/Decision/Response, Service Response, Proxy Destruction) shown again, this time to discuss its performance and security.]
Proposed Unified AAI
[Figure: Subject, Delegated Proxy, Grid Services WSRF Container and SOAs, with a single Unified AAI component.]
Proposed Validation Policy
[Figure: a VO Distributed Validation Policy handled by the Unified AAI, combining Resource + VO AA Rules with Subject + HO AA Rules; Subject, Delegated Proxy, Grid Services WSRF Container and SOAs as before.]
Proposed Trust Engine
[Figure: a Trust Engine added to the Unified AAI, alongside the VO Distributed Validation Policy and the SOAs; Subject, Delegated Proxy and Grid Services WSRF Container as before.]
Unified AAI Proposal
[Figure: message flow among the Subject, the Unified AAI with its Trust Engine, the SOAs, the Delegated Proxy and the Grid Services WSRF Container.]
1. Validation and Accreditation Request
2. Validation and Accreditation Response
3. Proxy Initialization
4. Service Request
5. Accreditation Request; 5a. Accreditation Decision
6. Accreditation Response
7. Service Response
8. Proxy Destruction
Grid Services Authentication Challenges
– X.509 Credentials life-cycle management.
– Single Sign-On.
– Delegation.
– Identity Federation.
– Trust conditions.
– Privacy and anonymity.
– Interoperability and extensibility.
– Authentication Architecture.
– Subject and Resource Authentication Policies.
– Use of formal methods.
– Authentication traffic.
Grid Services Authorization Challenges
– Interoperability and extensibility.
– Use of formal methods.
– Policy writing.
– Distributed Policy Management.
– Subject-side and Resource-side Authorization Rules.
– Authorization Architecture and Performance.
– Authorization Assertions’ security.
– Fine grain Authorization for Grid Services Operations (portTypes) and Service Data Elements (SDE).
– Session-based Authorization.
– Conditional Replies.
Proof of concept: An Enhanced OCSP Service Provider for GT4
Why OCSP in Grids?
• Used to provide near real-time certificate status for Grid relying parties.
• Avoids the burden of managing local CRLs at Grid clients.
• May allow support for Proxy Certificate revocation.
• OCSP Service requirements for Grids: discoverable, fault tolerant and low latency.
• OCSP support not implemented in GT4.
• Grids need to define an OCSP Policy (GGF CAOPS-WG).
CertiVeR Enhanced OCSP Service Provider
• Distributed architecture.
• May work as Trusted or Authorized Responder.
• Able to parse customized OCSP Response Extensions, which may include AuthZ related information.
• Supports Proxy Certificate Revocation.
Adding OCSP support to GT4
• CertiVeR OCSP Java API integrated into CoG’s ProxyPathValidator class.
• The same CoG class is used in Java WS Core.
• First the EEC chain is built by the client…
• …then it is sent for validation in a single OCSP Request and…
• …finally it is received again in a single OCSP Response.
• Fully compliant with RFC 2560.
Related Work
• Akenti (Berkeley Lab):
  – Not exactly an AAI.
  – Manages distributed AuthZ.
  – Pre-WS Grid integration in progress.
• PERMIS (EU-funded project):
  – AuthZ based on Attribute Certificates.
  – AuthN agnostic.
  – Recently integrating with GT4 and SAML.
• Shibboleth (Internet2/IBM):
  – Designed for Web Services.
  – Supports inter-institutional AA based on existing security schemes.
  – Delivers user’s privacy through anonymity.
  – GridShib in progress (NSF).
• Cardea (NASA):
  – Designed for NASA’s Information Power Grid.
  – Uses XACML.
  – Manages distributed AuthZ.
• VOMS:
  – AuthZ is established by enforcing agreements between Resource Providers (RP) and VOs.
  – Information about user rights at an RP is defined in an Extended ACL and depends on the user’s VO membership.
  – Uses GSI AuthN and delegation mechanisms.
  – Based on the DataGrid and DataTAG frameworks.
Future Work and Conclusions
OCSP and GT4
• OCSP Policy fine-tuning to balance Security and Performance (signed Responses, use of nonces, etc.).
• Enable full Proxy Certificate Revocation support with either of two mechanisms:
  1. Sending the Proxy Cert in the OCSP Request -> depends on the OCSP Service Provider.
  2. Without sending the Proxy Cert in the OCSP Request -> any OCSP Service Provider.
• To be included in the next release of GT4.
• Work in Progress: “OCSP Requirements for Grids” with CAOPS-WG in GGF.
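The chain validation described in the proof of concept (the EEC chain sent in one OCSP Request and answered in one OCSP Response) together with the policy points above (signed Responses, nonces, and mechanism 1, sending the Proxy Cert in the Request) as an added example; this is not the CertiVeR API or the CoG ProxyPathValidator code, and it is written in Ruby rather than Java because Ruby's standard OpenSSL binding exposes OCSP directly. It assumes a constructed throw-away PKI (root CA, sub CA, EEC, a proxy stand-in, a responder) and the Trusted Responder model of RFC 2560, where the relying party trusts the responder certificate directly; an Authorized Responder deployment would instead verify that certificate against the issuing CA.

```ruby
require "openssl"; OCSP = OpenSSL::OCSP
# Constructed throw-away PKI (Grid Root CA -> Sub CA -> EEC -> proxy stand-in, plus a responder); nothing real.
def make_cert(cn, key, issuer, issuer_key, ca: false)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial, c.public_key = 2, OpenSSL::BN.rand(63), key.public_key
  c.not_before, c.not_after = Time.now - 60, Time.now + 3600
  c.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  c.issuer = issuer ? issuer.subject : c.subject
  c.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  c.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end
ROOT_K, SUB_K, EEC_K, PROXY_K, OCSP_K = Array.new(5) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = make_cert("Grid Root CA", ROOT_K, nil, nil, ca: true)
SUB   = make_cert("Grid Sub CA", SUB_K, ROOT, ROOT_K, ca: true)
EEC   = make_cert("grid-user", EEC_K, SUB, SUB_K)
PROXY = make_cert("grid-user-proxy", PROXY_K, EEC, EEC_K)   # stand-in for an RFC 3820 proxy certificate
RESP  = make_cert("ocsp-responder", OCSP_K, ROOT, ROOT_K)
# Client: the whole chain goes into ONE request, one CertID per (cert, issuer) pair, plus a nonce.
def build_request(chain)
  req = OCSP::Request.new
  chain.each_cons(2) { |cert, issuer| req.add_certid(OCSP::CertificateId.new(cert, issuer)) }
  req.add_nonce
end
# Responder: answers every CertID in ONE signed BasicResponse (revoked_serials is a constructed list).
def answer(req_der, revoked_serials, signer_cert, signer_key)
  req, bres = OCSP::Request.new(req_der), OCSP::BasicResponse.new
  req.certid.each do |cid|
    revoked = revoked_serials.include?(cid.serial)
    bres.add_status(cid, revoked ? OCSP::V_CERTSTATUS_REVOKED : OCSP::V_CERTSTATUS_GOOD,
                    revoked ? OCSP::REVOKED_STATUS_KEYCOMPROMISE : 0, revoked ? Time.now - 60 : nil,
                    Time.now, Time.now + 600, [])
  end
  bres.copy_nonce(req)                                                     # bind the reply to this request
  bres.sign(signer_cert, signer_key, [], OCSP::NOCERTS, OpenSSL::Digest.new("SHA256"))  # cert shipped out of band
  OCSP::Response.create(OCSP::RESPONSE_STATUS_SUCCESSFUL, bres).to_der
end
# Relying party, Trusted Responder model (responder cert trusted directly, hence TRUSTOTHER): check the
# signature, the nonce binding, and a fresh GOOD answer for every CertID that was asked for.
def validate(req, resp_der, responder_cert)
  bres = OCSP::Response.new(resp_der).basic or return [:unusable, []]
  return [:bad_signature, []] unless bres.verify([responder_cert], OpenSSL::X509::Store.new, OCSP::TRUSTOTHER)
  return [:nonce_mismatch, []] unless req.check_nonce(bres) == 1          # replayed or unbound reply
  good = ->(sr) { sr && sr.check_validity(30) && sr.cert_status == OCSP::V_CERTSTATUS_GOOD }
  bad = req.certid.reject { |cid| good[bres.find_response(cid)] }       # missing, stale or non-GOOD
  bad.empty? ? [:good, []] : [:rejected, bad.map(&:serial)]
end
def check_chain(revoked_serials = [])
  req = build_request([PROXY, EEC, SUB, ROOT])
  validate(req, answer(req.to_der, revoked_serials, RESP, OCSP_K), RESP)
end
```

check_chain returns [:good, []] when every certificate in the chain is GOOD and [:rejected, serials] when any CertID is revoked, stale or absent from the response; a reply carrying another request's nonce is refused before any status is read.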
Unified AAI: next steps
• Validation Policy:
  – Full definition based on the Unified AA Framework.
  – Move to XACML?
  – Build upon ETSI’s Signature Policy concept?
• Unified AAI:
  – SAML adoption for GT4 interoperability (callouts).
  – Fault tolerant architecture.
• Trust Engine:
  – Distributed Validation Policy evaluation and management (maybe with a parallel paradigm?).
  – Use CertiVeR’s enhanced Responses to convey signed evidence and thus optimize the evaluation process.
• Traditional Web Services (non WSRF-based) can also make use of the Unified AAI.
Thank you very much!