Grid Security I
CMSC 818S
David Wang, University of Maryland

Presentation is based on:
[1] Chapter 21 of Grid 2: Security for Virtual Organization: Federating Trust and Policy Domains
[2] Security for Grid Services, Welch et al.
[3] A Security Architecture for Computational Grids, Foster et al.

What Are Classical Security Concerns?
- C: confidentiality (privacy). Is message data only read by intended recipients? Encryption.
- I: Integrity. Is message data only written by trusted parties? MAC. Non-repudiation of origin.
- A: Availability. Are resources available at all times? Redundancy of resources. DoS attacks.
But Grids are so untraditional.

Grid Security Concerns
- The Grid security must support Virtual Organizations, but VOs create challenges for the design of security policy/implementation:
  - VOs can be long-lived or ephemeral
  - VOs come in different sizes and may have different membership at different times
  - VOs are across different administrative domains, which have their own security policies/implementations
  - Deployment of resources in a VO is also dynamic
- Each VO is treated as a Policy Domain Overlay
(Taken from Figure 21.1 in [1])

Policy Domain Overlay
- Traditional resources/organizations outsource certain policy controls to the VO
- Individuals in the organizations can then share resources via the VO's coordination

Grid Security Model
Three key functions of the model:
- Multiple Security Mechanism: interoperate with traditional organization security infrastructure
- Dynamic Creation of Services: without administration; delegation of privileges
- Dynamic Establishment of Trust Domains: resource-to-resource trust
Traditional means of setting up the security mechanism do not meet these requirements.

To Design a Grid Security System I: Requirements
- Single sign-on
- Protection of credentials
- Interoperability with existing local security solutions
- Exportability
- Uniform credential/certification infrastructure
- Support for group communication
- Support for multiple implementations

To Design a Grid Security System II: Policy Formulation (definitions)
- Subject: participant in a security operation (ex: users, processes)
- Credential: proof of a subject's identity
- Authentication: act of proving someone's identity to the requestor
- Object: a resource that is being protected by the security policy
- Authorization: process determining whether a subject is allowed to access or use an object
- Trust Domain: a logical administrative structure where a single consistent local security policy holds

To Design a Grid Security System III: Policy Formulation (axioms)
- Grid consists of multiple trust domains
- Operations that are confined to a single trust domain are subject to local security policy only
- Both global and local subjects exist. Provision of conversion between local/global subject names is needed, but they are site-specific
- Operations between entities located in different trust domains require mutual authentication
(continues)

To Design a Grid Security System IV
- Authenticated global subject mapped into a local subject is assumed to be equivalent of being locally authenticated as that local subject
- All access control decisions are made locally on the basis of the local subject
- A program or process is allowed to act on behalf of a user and be delegated a subset of the user's rights
- Processes running on behalf of the same subject within the same trust domain may share a single set of credentials

A Grid Architecture I: Definitions
- User Proxy: a session manager process given permission to act on behalf of a user for a limited period of time
- Resource Proxy: an agent used to translate between interdomain security operations and local intradomain mechanisms
Notation:
  U, R, P        User, Resource, Process
  UP, RP         User Proxy, Resource Proxy
  C_x            Credential of subject x
  sign_x{text}   text signed by subject x

A Grid Architecture II (taken from [3])
Protocol 1: to create a user proxy
- UP resides in local host
- UP has its own credential and also a validity interval
- This will allow single sign-on and delegation

A Grid Architecture III (taken from [3])
Protocol 2: to allocate resources from a UP
- Resource proxy enforces local authorization requirements
- Newly created process has its own credential to authenticate itself and remembers its user

A Grid Architecture III (taken from [3])
Protocol 3: to allocate resource from a process
- Simple but not so scalable (relies on 1 UP)
- Compromise on remote site won't result in fraudulent resource allocation on unsuspecting user (consider accounting)
- Delegation behavior is achieved via this protocol

A Grid Architecture IV (taken from [3])
Protocol 4: to map global subject to local subject
- Requires user and user proxy to assert identities
- Only as secure as local authentication

Survey of current technologies

What technologies are out there? I
Emerging technologies:
- XML-based technologies
  - Signatures, encryption
  - Equivalent to X.509/PKIX
  - Agnostic to actual mechanism (advantage over X.509/PKIX)
  - WS-Security
  - XML key markup specification
- Message-level security
  - End-to-end message protection over a route that traverses one or more intermediate components
  - WS-Security addresses this in the context of SOAP messages

What technologies are out there? II
- Group authentication and key exchange
  - Shared key is needed by individuals in a group
  - But group members may not access group data before joining the group or after their departure, depending on policy
  - Need ways to manage these issues with dynamic groups
- X.509/PKIX enhancements and alternatives
  - Slow adoption and support
  - Attempting to make extensions to X.509 cert format for dynamic issuance of identities and delegation of rights

What technologies are out there? III
- Identity and credential federation
  - Identity mapping required to evaluate policy rules
  - Microsoft Passport
  - Security Assertion Markup Language (SAML)
- Assertion-style authorization
  - ACLs/capability lists are not expressive enough to deal with complex authorization policies
  - SAML etc. allow for fine-grained policy assertions
- OGSA security
  - Service-based, abstracted from applications
  - More in depth later

Implementation: GSI (Globus Security Infrastructure)
- Provides support for:
  - User proxies
  - Resource proxies: Globus Resource Allocation Manager (GRAM)
  - Certification authorities
  - Implementation of the above 4 protocols
- Implemented on top of Generic Security Services API (GSS-API)
  - Allows constructing of GSI by transcribing Grid security protocols into GSS calls

GSS-API
- Transport independent
  - GSS-API does not depend on a specific communication method or library
  - Its tokens can be transported via any communication method (uses TCP sockets initially)
- Mechanism
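The policy axioms and Protocol 4 above, as an added sketch that is not from the slides or from GSI: a resource proxy maps an already-authenticated global subject to a local subject and decides locally, while delegated credentials carry a subset of rights and a validity interval. All names, the sample policy, and the rule that a delegated credential cannot outlive its parent are assumptions; signature verification is assumed to have happened before authorize() is called.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy for one trust domain (all names hypothetical).
GRIDMAP = {"/O=Grid/CN=Alice": "alice"}   # site-specific global -> local subject map
LOCAL_ACL = {("alice", "batch-queue"): {"submit", "status", "cancel"}}

@dataclass(frozen=True)
class Credential:
    subject: str          # global subject the holder acts on behalf of
    rights: frozenset     # rights this holder may exercise
    not_before: int       # validity interval, epoch seconds
    not_after: int
    issuer: Optional["Credential"] = None

def delegate(parent, rights, not_before, not_after):
    """Issue a credential for a proxy or process acting for parent.subject."""
    rights = frozenset(rights)
    if not rights <= parent.rights:
        raise ValueError("only a subset of the delegator's rights may be delegated")
    # Assumption of this sketch: the interval is clamped to the parent's interval.
    return Credential(parent.subject, rights,
                      max(not_before, parent.not_before),
                      min(not_after, parent.not_after), parent)

def authorize(cred, obj, action, now):
    """Resource-proxy decision for a credential that is already authenticated."""
    if not (cred.not_before <= now <= cred.not_after):
        return (False, "credential outside validity interval")
    local = GRIDMAP.get(cred.subject)
    if local is None:
        return (False, "no local subject for this global subject")
    if action not in cred.rights:
        return (False, "right was not delegated")
    if action not in LOCAL_ACL.get((local, obj), set()):
        return (False, "denied by local policy for " + local)
    return (True, "allowed as local subject " + local)

# Constructed chain: user -> user proxy (12 h) -> process with one right.
USER = Credential("/O=Grid/CN=Alice",
                  frozenset({"submit", "status", "cancel", "admin"}), 0, 10**6)
USER_PROXY = delegate(USER, {"submit", "status"}, 1000, 1000 + 12 * 3600)
PROCESS = delegate(USER_PROXY, {"status"}, 2000, 10**7)
```

The "admin" right held by USER is still refused at this site because the local ACL does not grant it, which is the point of making every access decision on the local subject.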

