Title: Grid Security: What is it? Where is it going? Why?
1Grid SecurityWhat is it?Where is it going?Why?
- Von Welch
- vwelch_at_ncsa.uiuc.edu
- National Center for Supercomputing Applications
- Globus Alliance
2Outline
- Some quick terminology
- What is Grid Security?
- Current State of the Art
- OGSA Grid Evolution
- OGSA Security and Web Services Security
- Globus Toolkit Implementation and Futures
3Authentication, Authorization, Delegation
4Public Key Infrastructure
- Used in almost all Grids today
- Allows for two entities to authenticate with
minimal cross-organizational supprt - Based on asymmetric cryptography
- Private and Public Key
- Public key is encoded in a Certificate by a
Certificate Authority (CA) - Certificate and Private key are used to establish
identity
5Certificates
- Allow for binding of an Identity (John Doe) to a
key or person
6Outline
- Some quick terminology
- What is Grid Security?
- Current State of the Art
- OGSA Grid Evolution
- OGSA Security and Web Services Security
- Globus Toolkit Implementation and Futures
7Grid Securitys goal is to support the virtual
organization.
Site D
Site A
Site C
Site B
8Example NSF TeraGrid
9Instrumented Structures and Sites
Remote Users
Simulation Tools Repository
High-Performance Network(s)
Laboratory Equipment
Field Equipment
Curated Data Repository
Leading Edge Computation
Global Connections (FY 2005 FY 2014)
Remote Users (K-12 Faculty and Students)
Laboratory Equipment
10Controlled Resource Sharing
- Globally
- User must agreeto AUP
- User must use strong authentication
ComputeCenter
20 Mbytes/sec max
BIO VO
5pm-9amonly
HEP VO
100 Tbytes max
20 Tflops per month max
Chem EngVO
11Grid Authorization Flow
VO
User
Resource
Process
12So, what are the challenges?
- Resources being used may be valuable the
problems being solved sensitive - Both users and resources need to be careful
- VOs arent static
- Large, dynamic, unpredictable
- VO Resources and users are often located in
distinct administrative domains - Cant assume cross-organizational trust
agreements - Different mechanisms, trust roots credentials
- X.509 vs Kerberos
- Different CAs
- X.509 attribute certs vs SAML assertions
13More challenges
- Interactions are not just client/server, but
service-to-service on behalf of the user - Requires delegation of rights by user to service
- Services may be dynamically instantiated
- Standardization of interfaces to allow for
discovery, negotiation and use - Implementation must be broadly available
applicable - Standard, well-tested, well-understood protocols
integrated with wide variety of tools - Policy from sites, VO, users need to be combined
- Varying formats SAML, XACML, local custom, etc.
- Want to hide as much as possible from
applications!
14Outline
- Some quick terminology
- What is Grid Security?
- Current State of the Art
- OGSA Grid Evolution
- OGSA Security and Web Services Security
- Globus Toolkit Implementation and Futures
15Grid Security Infrastructure (GSI)
- Open source libraries, tools and standards which
provide security functionality of the Globus
Toolkit - Provides for cross-organizational
- Authentication
- Message protection
- Authorization
- Single sign-on
16GSI Stack
- GSI uses a standard PKI for identity
certificates. - Each entity (user, service) has an X.509
certificate from a CA that uniquely names it.
PKI (Certs, CAs)
17GSI Stack
- SSL, using the certificates, is used as the
network protocol - Performs authentication, like in the web, but
client as well as server - Also provides message protection as needed
(integrity, encryption)
SSL
PKI (Certs, CAs)
18GSI Stack
- X.509 Proxy Certificates are our extension
- Standardized in IETF (pkix)
- Allow for dynamic delegation
X.509 Proxy Certificates
SSL
PKI (Certs, CAs)
19GSI Stack
- Grid-Mapfile maps Grid users (identified by
certificates) to local users (e.g. Unix account) - Allows authorization using normal local methods
(e.g. filesystem perms, quotas)
Grid-Mapfile
X.509 Proxy Certificates
SSL
PKI (Certs, CAs)
20GSI-Enabled Coordination
Site B
Site C
Proxy Certificate
Allows for delegation to allow for coordinated
resource Usage.
Allows for standard authentication method
Site A
21Grid Security Services
- How does a site with an existing sophisticated
security infrastructure leverage that for Grids? - E.g. Kerberos
- How do I carry X.509 credentials around with me?
How do I use with non-GSI aware applications? - E.g. Web portals?
- How does a VO manage the resources contributed to
it?
22Kerberos CA Grid access from Krb5
KCA
Krb5 to Grid ID Mappings
Krb5 Ticket
X509 Certificate
GSI
Kerberos User
Grid Site
- Allows use of Kerberos credentials to geton the
Grid - In use at FNAL, USC
KRB5 Resources
23MyProxy Credential Wallet
MyProxy
Username Password
Web Server
Username Password
Username Password
- Allows users to acquire Grid credentials from
Username/Password - Enables mobility anduse of non-GSI
awareapplications
The Grid
24Community Authorization Service (CAS)
VO decides how its users Can use those resources.
Resources are Contributed to VO From a number of
sites
CAS
CAS Gives user Assertion Granting access
VO User requests access
User presents assertion to resource to gain access
CAS Allows VO to set Fine-grain access policy on
its resources
25Outline
- Some quick terminology
- What is Grid Security?
- Current State of the Art
- OGSA Grid Evolution
- OGSA Security and Web Services Security
- Globus Toolkit Implementation and Futures
26Grid EvolutionOpen Grid Services Architecture
- Goals
- Refactor Globus protocol suite to enable common
base and expose key capabilities - Service orientation to virtualize resources and
unify resources/services/information - Embrace key Web services technologies for
standard IDL, leverage commercial efforts - Result standard interfaces behaviors for
distributed system mgmt the Grid service - Standardization within Global Grid Forum and
OASIS - Open source commercial implementations
27The Grid Service
- Use WSDLto advertiseinterface
- WS-Policyto advertisesecurityrequirements(Krb
5, GSI,etc.) - Allow forautomateddiscoveryand binding
- Hostingenvironmenthandles msgsincludingauthen
tication,msg protection,authorization,etc. - Allows appdeveloper tofocus on app-specific
logic.
Application
Interface
Hosting Environment
28Based on Standards
- Web Services
- SOAP
- WSDL
- Extensions (follow-on to OGSI)
- WSRF
- Lifetime control
- WS-ResourceProperties
- Expose state
- WS-Notification
- WS-ServiceGroup
- WS-RenewableReference
29Outline
- Some quick terminology
- What is Grid Security?
- Current State of the Art
- OGSA Grid Evolution
- OGSA Security and Web Services Security
- Globus Toolkit Implementation and Futures
30Leverage existing/emerging Security Standards
- WS-Security/Policy/Trust/Federation/Authorization
/SecureConversation/Privacy - XKMS, XML-Signature/Encryption, SAML, XACML, XrML
- But
- Need to OGSAfy
- Need to define Profile/Mechanisms
- Need to define Naming conventions
- Need to address late/missing specs
- Support for delegation, transient services
31WS SecurityCurrent/proposed WSS-specs
WS-Secure Conversation
WS-Authorization
WS-Federation
WS-Policy
WS-Trust
WS-Privacy
WS-Security
In progress
SOAP Foundation
proposed
promised
32Current/proposed specs Building on the SOAP
Foundation
Today describes SOAP extensions for secure
messaging, provides foundation for other building
blocks
WS-Security
SOAP Foundation
33Current/proposed specs Building on the SOAP
Foundation
Today how to express capabilities and
constraints of security policies. Along with
WS-SecurityPolicy, WS-PolicyAsserts,
WS-PolicyAttachment
WS-Policy
WS-Security
SOAP Foundation
34Current/proposed specs Building on the SOAP
Foundation
Today describes the model for establishing both
direct and brokered trust relationships
(including third parties and intermediaries)
WS-Policy
WS-Trust
WS-Security
SOAP Foundation
35Current/proposed specs Building on the SOAP
Foundation
Today how to manage and authenticate message
exchanges between parties including security
context exchange and establishing and deriving
session keys
WS-Secure Conversation
WS-Policy
WS-Trust
WS-Security
SOAP Foundation
36Current/proposed specs Building on the SOAP
Foundation
WS-Secure Conversation
Planned will be a model for how users state
privacy preferences, and for how Web Services
state and implement privacy practices
WS-Policy
WS-Trust
WS-Privacy
WS-Security
SOAP Foundation
37Current/proposed specs Building on the SOAP
Foundation
WS-Secure Conversation
WS-Federation
Planned will describe how to manage and broker
the trust relationships in a heterogeneous
federated environment including support for
federated identities
WS-Policy
WS-Trust
WS-Privacy
WS-Security
SOAP Foundation
38Current/proposed specs Building on the SOAP
Foundation
WS-Secure Conversation
WS-Federation
WS-Authorization
Planned will define how Web services manage
authorization data and policies
WS-Policy
WS-Trust
WS-Privacy
WS-Security
SOAP Foundation
39WS SecurityCurrent/proposed WSS-specs
WS-Secure Conversation
WS-Authorization
WS-Federation
WS-Policy
WS-Trust
WS-Privacy
WS-Security
In progress
SOAP Foundation
proposed
promised
40Other Standards
- SAML looks good for assertions
- XACML as language for policy exchange?
- But dont fit nicely together (NASA work).
- SAML 2.0 will hopefully help.
- XACML delegation of rights?
- XrML
- Another policy language
- Liberty Alliance
- Federated Identity like WS-Federation
41WS Security(Confusing Picture)
Liberty Alliance
XrML
WS-Secure Conversation
WS-Authorization
WS-Federation
XACML
WS-Policy
WS-Trust
WS-Privacy
SAML
WS-Security
In progress
SOAP Foundation
proposed
promised
42How does all this fit into Grids?
- WS-Policy/XACML/XrML for expressing security
constraints - What credentials (Kebreros, GSI) are accepted and
preferred - Encryption supported? Required? Rejected?
- WS-Authorization/XACML/XrML for managing
authorization data - e.g. in CAS
- WS-Privacy (?) for managing privacy
43OGSA Security Roadmap Goal
- Address the Grid Security Architecture
Requirements - Make Implementations Possible
- Address Interoperability
- Address Pluggability/Replaceability
- Address missing/late/insufficient Standards
- OGSA Security Roadmap
- submitted to GGF co-authored with IBM
44OGSA Security
- Security implemented by pluggable security
services - Usable by clients and services
- Allow for more agnostic approach to security
mechanisms - As implementations are created for a mechanism
they can be plugged into existing tools to enable
use. - Applications and services can examine published
security policies and convert/acquire credentials
as needed
45Remove Security from Applications
- Allow deployment-time selection of supported
mechanisms and policies - OGSA resource virtualization allows for policy on
application-independent operation invocation - Place as much security functionality as possible
into sophisticated hosting environments
46Transparent Call-outs from WS-Stubs
47Outline
- Some quick terminology
- What is Grid Security?
- Current State of the Art
- OGSA Grid Evolution
- OGSA Security and Web Services Security
- Globus Toolkit Implementation and Futures
48Whats actually in GT3?
- SOAP-based wire protocol
- WS-Security (XML-Signature, XML-Encryption) for
authentication, message protection - GSI-SecureConversation
- Based on GT2s TLS/GSSAPI implementation
- Based on a poor-mans interpretation of
WS-Trust/WS-SecureConversation specs plus
XML-Signature/XML-Encryption/WS-Security - Waiting for WS-Trust WS-SecureConversation
WS-Kerberos specs to be submitted to standards
body
49Whats Actually in GT3?
- SAML assertions in Community Authorization
Service (GT 3.2) - Allow VOs to set and distribute policy on file
access - Standardized Proxy Certificates
- Java and C implementations
- Java based on Axis with security implemented in
handlers
50GT Security Futures (1)
- Authorization is KEY for the coming year
- Includes communicating/sharing/matching of
authz-policies and capabilities - Profiles for Attributes
- Standards for authorization services
- GGF OGSA Authorization WG
- Restricted Delegation
- By service and operation
- By domains
51GT Security Futures (2)
- Securely route through firewalls/network-hurdles
- Tackle the firewall/NAT traversal issues
transparently in the runtime - Integration of Group authentication/key-exchange
protocols - Going from 2 parties to N parties should be
seamless - Secure Logging and Audit
- Another undefined, unstandardized missing link
while the requirements are there!
52Conclusion
- Grids requirements maybe few years ahead, but
industry will face same challenges soon - Few new distributed computing requirements
- Our security requirements are conceptually 1-2
levels above what is available now as
specifications, standards and open source - Ideally, we want to be end-users of WSS not
plumbers - The standards circus is very worrisome
- And distracting and time consuming
- Come help us at the Global Grid Forum
- Exciting security stuff!
- We need your help (www.ggf.org)
- Play with the Globus Toolkit (GT3.2)
- Downloaded 100k times already (www.globus.org)
53Thanks
- Many colleagues at Argonne, NCSA, ISI PDC
- Frank Siebenlist, Sam Meder, Olle Mulmo, Leaur
Pearlman, Jarek Garow, Jim Basney, Steve Tuecke,
Ian Foster, Carl Kesselman, Rachana
Ananthakrishnan and many others. - Funding from DOE, NSF and IBM
- Questions?